Content Template - Install
Install a template.
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/contentTemplates/{templateId}?api-version=2025-03-01
URI Parameters
Name | In | Required | Type | Description |
---|---|---|---|---|
resourceGroupName | path | True | string minLength: 1 maxLength: 90 | The name of the resource group. The name is case insensitive. |
subscriptionId | path | True | string (uuid) | The ID of the target subscription. The value must be a UUID. |
templateId | path | True | string | template Id |
workspaceName | path | True | string minLength: 1 maxLength: 90 pattern: ^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$ | The name of the workspace. |
api-version | query | True | string minLength: 1 | The API version to use for this operation. |
Request Body
Name | Required | Type | Description |
---|---|---|---|
properties.contentId | True | string | Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Dynamic for user-created. This is the resource name |
properties.contentKind | True | | The kind of content the template is for. |
properties.contentProductId | True | string | Unique ID for the content. It should be generated based on the contentId of the package, contentId of the template, contentKind of the template and the contentVersion of the template |
properties.displayName | True | string | The display name of the template |
properties.packageId | True | string | The ID of the package that contains this template |
properties.packageVersion | True | string | Version of the package. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM metadata best practices. Can also be any string, but then we cannot guarantee any version checks |
properties.source | True | | Source of the content. This is where/how it was created. |
properties.version | True | string | Version of the content. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM metadata best practices. Can also be any string, but then we cannot guarantee any version checks |
etag | | string | Etag of the Azure resource |
properties.author | | | The creator of the content item. |
properties.categories | | | Categories for the item |
properties.contentSchemaVersion | | string | Schema version of the content. Can be used to distinguish between different flows based on the schema version |
properties.customVersion | | string | The custom version of the content. An optional free text |
properties.dependencies | | | Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex formats. |
properties.firstPublishDate | | string (date) | First publish date of the content item |
properties.icon | | string | The icon identifier. This ID can later be fetched from the content metadata |
properties.lastPublishDate | | string (date) | Last publish date for the content item |
properties.mainTemplate | | object | The JSON of the ARM template to deploy active content. Expandable. |
properties.packageKind | | | The packageKind of the package that contains this template |
properties.packageName | | string | The name of the package that contains this template |
properties.previewImages | | string[] | Preview image file names. These will be taken from the solution artifacts |
properties.previewImagesDark | | string[] | Preview image file names. These will be taken from the solution artifacts. Used for dark theme support |
properties.providers | | string[] | Providers for the content item |
properties.support | | | Support information for the template - type, name, contact information |
properties.threatAnalysisTactics | | string[] | The tactics the resource covers |
properties.threatAnalysisTechniques | | string[] | The techniques the resource covers. These have to be aligned with the tactics being used |
Responses
Name | Type | Description |
---|---|---|
200 OK | | OK, a template is updated. |
201 Created | | Created |
Other Status Codes | | Error response describing why the operation failed. |
Security
azure_auth
Azure Active Directory OAuth2 Flow
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
Name | Description |
---|---|
user_impersonation | impersonate your user account |
Examples
Get a template.
Sample request
PUT https://management.azure.com/subscriptions/d0cfeab2-9ae0-4464-9919-dccaee2e48f0/resourceGroups/myRg/providers/Microsoft.OperationalInsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/contentTemplates/str.azure-sentinel-solution-str?api-version=2025-03-01
```json
{
  "properties": {
    "contentId": "8365ebfe-a381-45b7-ad08-7d818070e11f",
    "contentProductId": "str.azure-sentinel-solution-str-ar-cbfe4fndz66bi",
    "displayName": "API Protection workbook template",
    "contentKind": "AnalyticsRule",
    "version": "1.0.1",
    "packageVersion": "1.0.0",
    "packageId": "str.azure-sentinel-solution-str",
    "packageName": "str",
    "packageKind": "Solution",
    "source": {
      "kind": "Solution",
      "name": "str",
      "sourceId": "str.azure-sentinel-solution-str"
    },
    "author": {
      "name": "Microsoft",
      "email": "support@microsoft.com"
    },
    "support": {
      "tier": "Microsoft",
      "name": "Microsoft Corporation",
      "email": "support@microsoft.com",
      "link": "https://support.microsoft.com/"
    },
    "mainTemplate": {
      "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
      "contentVersion": "1.0.1",
      "resources": [
        {
          "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
          "name": "8365ebfe-a381-45b7-ad08-7d818070e11f",
          "apiVersion": "2022-04-01-preview",
          "kind": "Scheduled",
          "location": "[parameters('workspace-location')]",
          "properties": {
            "description": "Creates an incident when a large number of Critical/High severity CrowdStrike Falcon sensor detections is triggered by a single user",
            "displayName": "Critical or High Severity Detections by User",
            "enabled": false,
            "query": "...",
            "queryFrequency": "PT1H",
            "queryPeriod": "PT1H",
            "severity": "High",
            "suppressionDuration": "PT1H",
            "suppressionEnabled": false,
            "triggerOperator": "GreaterThan",
            "triggerThreshold": 0,
            "status": "Available"
          }
        },
        {
          "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
          "apiVersion": "2022-01-01-preview",
          "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split([resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 8365ebfe-a381-45b7-ad08-7d818070e11f)],'/'))))]",
          "properties": {
            "description": "CrowdStrike Falcon Endpoint Protection Analytics Rule 1",
            "parentId": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', 8365ebfe-a381-45b7-ad08-7d818070e11f)]",
            "contentId": "4465ebde-b381-45f7-ad08-7d818070a11c",
            "kind": "AnalyticsRule",
            "version": "1.0.0",
            "source": {
              "kind": "Solution",
              "name": "str",
              "sourceId": "str.azure-sentinel-solution-str"
            },
            "author": {
              "name": "Microsoft",
              "email": "support@microsoft.com"
            },
            "support": {
              "tier": "Microsoft",
              "name": "Microsoft Corporation",
              "email": "support@microsoft.com",
              "link": "https://support.microsoft.com/"
            }
          }
        }
      ]
    }
  },
  "tags": {
    "tag1": "str"
  }
}
```
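A pre-flight review of an install request, checking the path values and body against the constraints and enumerations in the tables on this page and listing the resource types that mainTemplate would deploy. This is an added example, not Microsoft's code: review_install, its return shape and the "ships enabled" warning are assumptions of the example, and SAMPLE_BODY is constructed from the sample request.

```python
import re

# Constraints and enumerations copied from the tables on this page.
REQUIRED = ("contentId", "contentKind", "contentProductId", "displayName",
            "packageId", "packageVersion", "source", "version")
ENUMS = {  # dotted path inside "properties" -> documented values
    "contentKind": set(
        "AnalyticsRule AnalyticsRuleTemplate AutomationRule AzureFunction "
        "DataConnector DataType HuntingQuery InvestigationQuery "
        "LogicAppsCustomConnector Notebook Parser Playbook PlaybookTemplate "
        "ResourcesDataConnector Solution Standalone SummaryRule Watchlist "
        "WatchlistTemplate Workbook WorkbookTemplate".split()),
    "packageKind": {"Solution", "Standalone"},
    "source.kind": {"Community", "LocalWorkspace", "Solution", "SourceRepository"},
    "support.tier": {"Community", "Microsoft", "Partner"},
}
UUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
WORKSPACE_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]+[A-Za-z0-9]$")
NUMERIC_VERSION_RE = re.compile(r"\d+(\.\d+){0,3}")  # 1, 1.0, 1.0.0, 1.0.0.0

# Constructed sample, trimmed from the sample request on this page.
SAMPLE_BODY = {"properties": {
    "contentId": "8365ebfe-a381-45b7-ad08-7d818070e11f",
    "contentProductId": "str.azure-sentinel-solution-str-ar-cbfe4fndz66bi",
    "displayName": "API Protection workbook template",
    "contentKind": "AnalyticsRule", "version": "1.0.1", "packageVersion": "1.0.0",
    "packageId": "str.azure-sentinel-solution-str", "packageKind": "Solution",
    "source": {"kind": "Solution"}, "support": {"tier": "Microsoft"},
    "mainTemplate": {"resources": [
        {"type": "Microsoft.SecurityInsights/AlertRuleTemplates",
         "name": "8365ebfe-a381-45b7-ad08-7d818070e11f",
         "properties": {"enabled": False}},
        {"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
         "properties": {"kind": "AnalyticsRule"}},
    ]},
}}

def _get(obj, dotted):
    """Walk a dotted path through nested dicts; None if any step is missing."""
    for part in dotted.split("."):
        obj = obj.get(part) if isinstance(obj, dict) else None
    return obj

def review_install(subscription_id, resource_group, workspace, body):
    """Return errors, warnings and the resource types mainTemplate would deploy."""
    errors, warnings = [], []
    if not UUID_RE.fullmatch(subscription_id):
        errors.append("subscriptionId is not a UUID")
    if not 1 <= len(resource_group) <= 90:
        errors.append("resourceGroupName must be 1-90 characters")
    if len(workspace) > 90 or not WORKSPACE_RE.fullmatch(workspace):
        errors.append("workspaceName violates the length or pattern constraint")
    props = body.get("properties") or {}
    errors += [f"missing required properties.{k}" for k in REQUIRED if k not in props]
    for path, allowed in ENUMS.items():
        value = _get(props, path)
        if value is not None and value not in allowed:
            errors.append(f"properties.{path}={value!r} is not a documented value")
    for key in ("version", "packageVersion"):
        value = props.get(key)
        if isinstance(value, str) and not NUMERIC_VERSION_RE.fullmatch(value):
            warnings.append(f"properties.{key}={value!r}: version checks not guaranteed")
    # Inventory mainTemplate; "ships enabled" is a local review policy, not an API rule.
    resources = [r for r in _get(props, "mainTemplate.resources") or [] if isinstance(r, dict)]
    for res in resources:
        if _get(res, "properties.enabled") is True:
            warnings.append(f"{res.get('type')} {res.get('name')!r} ships enabled")
    types = sorted({r.get("type", "<no type>") for r in resources})
    return {"errors": errors, "warnings": warnings, "resource_types": types}
```

Run it on the request body before the PUT and compare resource_types with what the declared contentKind should contain.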
Sample response
```json
{
  "id": "/subscriptions/d0cfeab2-9ae0-4464-9919-dccaee2e48f0/resourceGroups/myRg/providers/Microsoft.OperationalIinsights/workspaces/myWorkspace/providers/Microsoft.SecurityInsights/contentPackages/azuresentinel.azure-sentinel-solution-ciscoumbrella",
  "name": "azuresentinel.azure-sentinel-solution-ciscoumbrella",
  "type": "Microsoft.SecurityInsights/contenttemplates",
  "etag": "\"0300bf09-0000-0000-0000-5c37296e0000\"",
  "properties": {
    "contentId": "8365ebfe-a381-45b7-ad08-7d818070e11f",
    "contentProductId": "str.azure-sentinel-solution-str-ar-cbfe4fndz66bi",
    "packageKind": "Solution",
    "packageId": "str.azure-sentinel-solution-str",
    "packageVersion": "1.0.0",
    "contentKind": "AnalyticsRule",
    "version": "1.0.1",
    "displayName": "API Protection workbook template",
    "source": {
      "kind": "Solution",
      "name": "CiscoUmbrella",
      "sourceId": "azuresentinel.azure-sentinel-solution-ciscoumbrella"
    },
    "author": {
      "name": "Microsoft",
      "email": "support@microsoft.com"
    },
    "support": {
      "tier": "Microsoft",
      "name": "Microsoft Corporation",
      "email": "support@microsoft.com",
      "link": "https://support.microsoft.com/"
    },
    "dependencies": {
      "criteria": [
        {
          "contentId": "strDataConnector",
          "kind": "DataConnector",
          "version": "2.0.0"
        },
        {
          "contentId": "str-Parser",
          "kind": "Parser",
          "version": "2.0.0"
        }
      ],
      "operator": "AND"
    },
    "providers": [
      "Microsoft"
    ],
    "categories": {
      "domains": [
        "Security - Cloud Security"
      ],
      "verticals": null
    },
    "firstPublishDate": "2022-04-01"
  },
  "systemData": {
    "createdBy": "string",
    "createdByType": "User",
    "createdAt": "2020-04-27T21:53:29.0928001Z",
    "lastModifiedBy": "string",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2020-04-27T21:53:29.0928001Z"
  }
}
```
Definitions
Name | Description |
---|---|
CloudError | Error response structure. |
CloudErrorBody | Error details. |
createdByType | The type of identity that created the resource. |
flag | Flag indicates if this template is deprecated |
kind | The kind of content the template is for. |
metadataAuthor | Publisher or creator of the content item. |
metadataCategories | Categories for the solution content item |
metadataDependencies | Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex dependencies. |
metadataSource | The original source of the content item, where it comes from. |
metadataSupport | Support information for the content item. |
operator | Operator used for list of dependencies in criteria array. |
packageKind | The packageKind of the package that contains this template |
sourceKind | Source type of the content |
supportTier | Type of support for content item |
systemData | Metadata pertaining to creation and last modification of the resource. |
templateModel | Template resource definition. |
templateProperties | Template property bag. |
CloudError
Error response structure.
Name | Type | Description |
---|---|---|
error | | Error data |
CloudErrorBody
Error details.
Name | Type | Description |
---|---|---|
code | string | An identifier for the error. Codes are invariant and are intended to be consumed programmatically. |
message | string | A message describing the error, intended to be suitable for display in a user interface. |
createdByType
The type of identity that created the resource.
Value | Description |
---|---|
Application | |
Key | |
ManagedIdentity | |
User | |
flag
Flag indicates if this template is deprecated
Value | Description |
---|---|
false | |
true | |
kind
The kind of content the template is for.
Value | Description |
---|---|
AnalyticsRule | |
AnalyticsRuleTemplate | |
AutomationRule | |
AzureFunction | |
DataConnector | |
DataType | |
HuntingQuery | |
InvestigationQuery | |
LogicAppsCustomConnector | |
Notebook | Jupyter Notebooks |
Parser | |
Playbook | |
PlaybookTemplate | |
ResourcesDataConnector | The Codeless Connector Platform (CCP) Connectors |
Solution | |
Standalone | One-off / standalone content contributed by community contributors |
SummaryRule | Summary rules perform batch processing directly in your Log Analytics workspace. |
Watchlist | |
WatchlistTemplate | |
Workbook | |
WorkbookTemplate | |
metadataAuthor
Publisher or creator of the content item.
Name | Type | Description |
---|---|---|
email | string | Email of author contact |
link | string | Link for author/vendor page |
name | string | Name of the author. Company or person. |
metadataCategories
Categories for the solution content item
Name | Type | Description |
---|---|---|
domains | string[] | Domain for the solution content item |
verticals | string[] | Industry verticals for the solution content item |
metadataDependencies
Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex dependencies.
Name | Type | Description |
---|---|---|
contentId | string | Id of the content item we depend on |
criteria | | This is the list of dependencies we must fulfill, according to the AND/OR operator |
kind | | Type of the content item we depend on |
name | string | Name of the content item |
operator | | Operator used for list of dependencies in criteria array. |
version | string | Version of the content item we depend on. Can be blank, * or missing to indicate any version fulfills the dependency. If version does not match our defined numeric format then an exact match is required. |
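A recursive evaluation of a metadataDependencies object against an inventory of installed content, following the version rules in the table above, so that a template whose data connector or parser is missing is caught before its rule is relied on. This is an added example, not Microsoft's code: unmet, version_ok and the INSTALLED inventory are hypothetical, and two behaviours are assumptions because the page does not state them (a numeric version is treated as a minimum, and a missing operator is treated as AND).

```python
import re

NUMERIC = re.compile(r"\d+(\.\d+){0,3}")  # numeric format: 1, 1.0, 1.0.0, 1.0.0.0


def _key(version):
    """Turn '2.0' into (2, 0, 0, 0) so that 2.0 and 2.0.0 compare equal."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def version_ok(required, installed):
    """Apply the version rules from the metadataDependencies table."""
    if required in (None, "", "*"):      # blank, * or missing: any version
        return True
    if NUMERIC.fullmatch(required) and NUMERIC.fullmatch(installed or ""):
        # ASSUMPTION: a numeric requirement is a minimum version.
        return _key(installed) >= _key(required)
    return installed == required          # non-numeric: exact match required


def unmet(dep, installed):
    """Return the (kind, contentId) leaves of dep that installed does not satisfy.

    installed maps (kind, contentId) -> installed version string.
    """
    if "criteria" in dep:                 # complex form: operator + criteria
        results = [unmet(child, installed) for child in dep["criteria"]]
        # ASSUMPTION: a missing operator means AND.
        if dep.get("operator", "AND") == "OR" and any(not r for r in results):
            return []
        return [leaf for r in results for leaf in r]
    key = (dep.get("kind"), dep.get("contentId"))
    if key in installed and version_ok(dep.get("version"), installed[key]):
        return []
    return [key]


# Constructed inputs: the dependencies object from the sample response on this
# page, and a hypothetical inventory of content installed in the workspace.
SAMPLE_DEPENDENCIES = {
    "criteria": [
        {"contentId": "strDataConnector", "kind": "DataConnector", "version": "2.0.0"},
        {"contentId": "str-Parser", "kind": "Parser", "version": "2.0.0"},
    ],
    "operator": "AND",
}
INSTALLED = {
    ("DataConnector", "strDataConnector"): "2.1",
    ("Parser", "str-Parser"): "1.9.0",
}
```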
metadataSource
The original source of the content item, where it comes from.
Name | Type | Description |
---|---|---|
kind | | Source type of the content |
name | string | Name of the content source. The repo name, solution name, LA workspace name etc. |
sourceId | string | ID of the content source. The solution ID, workspace ID, etc |
metadataSupport
Support information for the content item.
Name | Type | Description |
---|---|---|
email | string | Email of support contact |
link | string | Link for support help, like to support page to open a ticket etc. |
name | string | Name of the support contact. Company or person. |
tier | | Type of support for content item |
operator
Operator used for list of dependencies in criteria array.
Value | Description |
---|---|
AND | |
OR | |
packageKind
The packageKind of the package that contains this template
Value | Description |
---|---|
Solution | |
Standalone | |
sourceKind
Source type of the content
Value | Description |
---|---|
Community | |
LocalWorkspace | |
Solution | |
SourceRepository | |
supportTier
Type of support for content item
Value | Description |
---|---|
Community | |
Microsoft | |
Partner | |
systemData
Metadata pertaining to creation and last modification of the resource.
Name | Type | Description |
---|---|---|
createdAt | string (date-time) | The timestamp of resource creation (UTC). |
createdBy | string | The identity that created the resource. |
createdByType | | The type of identity that created the resource. |
lastModifiedAt | string (date-time) | The timestamp of resource last modification (UTC) |
lastModifiedBy | string | The identity that last modified the resource. |
lastModifiedByType | | The type of identity that last modified the resource. |
templateModel
Template resource definition.
Name | Type | Description |
---|---|---|
etag | string | Etag of the Azure resource |
id | string (arm-id) | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
name | string | The name of the resource |
properties.author | | The creator of the content item. |
properties.categories | | Categories for the item |
properties.contentId | string | Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Dynamic for user-created. This is the resource name |
properties.contentKind | | The kind of content the template is for. |
properties.contentProductId | string | Unique ID for the content. It should be generated based on the contentId of the package, contentId of the template, contentKind of the template and the contentVersion of the template |
properties.contentSchemaVersion | string | Schema version of the content. Can be used to distinguish between different flows based on the schema version |
properties.customVersion | string | The custom version of the content. An optional free text |
properties.dependantTemplates | | Dependant templates. Expandable. |
properties.dependencies | | Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex formats. |
properties.displayName | string | The display name of the template |
properties.firstPublishDate | string (date) | First publish date of the content item |
properties.icon | string | The icon identifier. This ID can later be fetched from the content metadata |
properties.isDeprecated | | Flag indicates if this template is deprecated |
properties.lastPublishDate | string (date) | Last publish date for the content item |
properties.mainTemplate | object | The JSON of the ARM template to deploy active content. Expandable. |
properties.packageId | string | The ID of the package that contains this template |
properties.packageKind | | The packageKind of the package that contains this template |
properties.packageName | string | The name of the package that contains this template |
properties.packageVersion | string | Version of the package. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM metadata best practices. Can also be any string, but then we cannot guarantee any version checks |
properties.previewImages | string[] | Preview image file names. These will be taken from the solution artifacts |
properties.previewImagesDark | string[] | Preview image file names. These will be taken from the solution artifacts. Used for dark theme support |
properties.providers | string[] | Providers for the content item |
properties.source | | Source of the content. This is where/how it was created. |
properties.support | | Support information for the template - type, name, contact information |
properties.threatAnalysisTactics | string[] | The tactics the resource covers |
properties.threatAnalysisTechniques | string[] | The techniques the resource covers. These have to be aligned with the tactics being used |
properties.version | string | Version of the content. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM metadata best practices. Can also be any string, but then we cannot guarantee any version checks |
systemData | | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |
templateProperties
Template property bag.
Name | Type | Description |
---|---|---|
author | | The creator of the content item. |
categories | | Categories for the item |
contentId | string | Static ID for the content. Used to identify dependencies and content from solutions or community. Hard-coded/static for out of the box content and solutions. Dynamic for user-created. This is the resource name |
contentKind | | The kind of content the template is for. |
contentProductId | string | Unique ID for the content. It should be generated based on the contentId of the package, contentId of the template, contentKind of the template and the contentVersion of the template |
contentSchemaVersion | string | Schema version of the content. Can be used to distinguish between different flows based on the schema version |
customVersion | string | The custom version of the content. An optional free text |
dependantTemplates | | Dependant templates. Expandable. |
dependencies | | Dependencies for the content item, what other content items it requires to work. Can describe more complex dependencies using a recursive/nested structure. For a single dependency an id/kind/version can be supplied or operator/criteria for complex formats. |
displayName | string | The display name of the template |
firstPublishDate | string (date) | First publish date of the content item |
icon | string | The icon identifier. This ID can later be fetched from the content metadata |
isDeprecated | | Flag indicates if this template is deprecated |
lastPublishDate | string (date) | Last publish date for the content item |
mainTemplate | object | The JSON of the ARM template to deploy active content. Expandable. |
packageId | string | The ID of the package that contains this template |
packageKind | | The packageKind of the package that contains this template |
packageName | string | The name of the package that contains this template |
packageVersion | string | Version of the package. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM metadata best practices. Can also be any string, but then we cannot guarantee any version checks |
previewImages | string[] | Preview image file names. These will be taken from the solution artifacts |
previewImagesDark | string[] | Preview image file names. These will be taken from the solution artifacts. Used for dark theme support |
providers | string[] | Providers for the content item |
source | | Source of the content. This is where/how it was created. |
support | | Support information for the template - type, name, contact information |
threatAnalysisTactics | string[] | The tactics the resource covers |
threatAnalysisTechniques | string[] | The techniques the resource covers. These have to be aligned with the tactics being used |
version | string | Version of the content. Default and recommended format is numeric (e.g. 1, 1.0, 1.0.0, 1.0.0.0), following ARM metadata best practices. Can also be any string, but then we cannot guarantee any version checks |