This article provides recommendations for managing detections and other content types in Microsoft Sentinel. Use these recommendations to identify the right approach for your organization's scale, complexity, and tooling preferences.
Choose your capability
The following table summarizes the recommended capability based on your customer type and needs. There are three possible setups; use the table and the explanations that follow to choose the right fit.
| Customer type | Scalable, structured change management | Simple UI, low complexity | Custom/external tooling or high automation |
|---|---|---|---|
| Single tenant | Content as code (repositories) | Portal | APIs / Terraform |
| Multitenant | Content as code (repositories; best for scalability) | Content distribution (via portal) | APIs / Terraform |
Content as code with repositories
For most Microsoft Sentinel customers, we recommend content as code with repositories. Repositories give you the versioning, approvals, deployment workflows, and rollbacks needed to manage detections as reviewed, reproducible artifacts.
For multitenant customers, repositories provide a scalable way to manage your setup across multiple tenants.
Repositories are available only to Microsoft Sentinel customers.
For more information, see Deploy content as code from your repository.
Portal and content distribution
If content as code is more than your organization needs, the portal and content distribution are helpful alternatives.
- The portal lets you create and manage detections directly. You can also deploy out-of-the-box detections from the content hub.
- For multitenant customers, content distribution can help manage content across multiple workspaces or tenants.
Content distribution is also a good option for XDR-only customers, who don't have access to repositories.
For more information, see Content distribution in multitenant management.
APIs
If you use external tools, custom pipelines, or other forms of content management, the APIs (and Terraform, which is built on them) are the right solution, especially if you don't use the portal and need more flexibility.
For more information, see Microsoft Sentinel REST API.
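As an added example (not Microsoft's code and not part of this article), the following Python script shows the API route in practice: it turns rule definitions kept in source control into idempotent PUT requests against the alert rules endpoint, and compares them with a workspace listing to surface drift, which a custom pipeline has to handle itself. The ARM endpoint, the `Microsoft.SecurityInsights/alertRules` resource path and the `2024-03-01` API version are documented REST API values; the namespace UUID, the rule definitions, the sample inventory and all helper names are assumptions constructed for this example.

```python
import json
import re
import urllib.request
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2024-03-01"
# Fixed namespace so each definition always maps to the same rule ID (assumed
# value; keep it constant once deployed or re-runs will create duplicates).
RULE_NAMESPACE = uuid.UUID("3f8a9b52-4b1e-4c6d-9a1d-0c2e7e1f5a00")
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?)?$")
# A difference in any of these properties counts as drift.
MANAGED_KEYS = ("displayName", "enabled", "severity", "query", "queryFrequency",
                "queryPeriod", "triggerOperator", "triggerThreshold", "tactics")

def duration_minutes(value):
    """Parse the ISO 8601 duration subset Sentinel uses (P1D, PT1H, PT30M)."""
    m = DURATION.match(value)
    if not m or value in ("P", "PT"):
        raise ValueError(f"bad duration {value!r}")
    days, hours, mins = (int(g) if g else 0 for g in m.groups())
    return days * 1440 + hours * 60 + mins

def rule_id(name):
    """Deterministic GUID from the definition's stable name, so a re-run
    updates the existing rule instead of creating a second copy."""
    return str(uuid.uuid5(RULE_NAMESPACE, name))

def rule_url(subscription, resource_group, workspace, rid):
    """PUT/GET/DELETE target for one alert rule."""
    return (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights/alertRules/{rid}"
            f"?api-version={API_VERSION}")

def build_rule(defn):
    """PUT body for a Scheduled rule, enforcing the portal's scheduling limits:
    frequency >= 5 min, lookback <= 14 days, frequency no longer than lookback."""
    freq = duration_minutes(defn["queryFrequency"])
    period = duration_minutes(defn["queryPeriod"])
    if freq < 5 or period > 14 * 1440 or freq > period:
        raise ValueError(f"{defn['name']}: invalid schedule")
    return {"kind": "Scheduled", "properties": {
        "displayName": defn["displayName"], "enabled": defn.get("enabled", True),
        "severity": defn["severity"], "query": defn["query"],
        "queryFrequency": defn["queryFrequency"], "queryPeriod": defn["queryPeriod"],
        "triggerOperator": defn.get("triggerOperator", "GreaterThan"),
        "triggerThreshold": defn.get("triggerThreshold", 0),
        "suppressionDuration": "PT1H", "suppressionEnabled": False,
        "tactics": defn.get("tactics", [])}}

def plan(desired, inventory):
    """Compare desired rules with the 'value' items of GET .../alertRules.
    Returns IDs to create, IDs that drifted and need a PUT, and rules in the
    workspace that source control does not know about."""
    wanted = {rule_id(d["name"]): build_rule(d) for d in desired}
    actual = {r["name"]: r for r in inventory}
    out = {"create": [], "update": [], "unmanaged": sorted(set(actual) - set(wanted))}
    for rid, body in wanted.items():
        cur = actual.get(rid)
        if cur is None:
            out["create"].append(rid)
        elif cur.get("kind") != body["kind"] or any(
                cur["properties"].get(k) != body["properties"][k] for k in MANAGED_KEYS):
            out["update"].append(rid)
    return out

def put_rule(token, url, body):
    """Create or update one rule; needs network access and an ARM bearer token
    (for example from `az account get-access-token`)."""
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="PUT",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

# Constructed sample definitions, as they might live in the repo.
DESIRED = [
    {"name": "signin-password-spray", "displayName": "Password spray against Entra ID",
     "severity": "Medium", "queryFrequency": "PT1H", "queryPeriod": "PT1H",
     "query": 'SigninLogs | where ResultType == "50126" | summarize Accounts = dcount(UserPrincipalName) by IPAddress | where Accounts > 20',
     "tactics": ["CredentialAccess"]},
    {"name": "role-assignment-write", "displayName": "Azure RBAC role assignment written",
     "severity": "High", "queryFrequency": "PT15M", "queryPeriod": "PT1H",
     "query": 'AzureActivity | where OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write" | where ActivityStatusValue == "Success"',
     "tactics": ["PrivilegeEscalation"]},
]
# Constructed workspace listing: the first rule exists but its severity was raised
# in the portal, the second is missing, and a third was created by hand.
INVENTORY = [
    {"name": rule_id("signin-password-spray"), "kind": "Scheduled",
     "properties": dict(build_rule(DESIRED[0])["properties"], severity="High")},
    {"name": "c0ffee00-0000-4000-8000-000000000001", "kind": "Scheduled",
     "properties": {"displayName": "Ad hoc test rule", "enabled": True}},
]

if __name__ == "__main__":  # offline: print the plan; apply it with put_rule()
    print(json.dumps(plan(DESIRED, INVENTORY), indent=2))
```

The deterministic rule ID is what makes the pipeline safe to re-run: the REST API has no change history or rollback of its own, so the repository holding the definitions (plus the `plan` output in the pipeline log) is the only record of what changed. Anything reported as `unmanaged` was created outside the pipeline and should either be imported into source control or removed.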
Capabilities feature coverage
The following table shows the feature coverage for each capability.
| Capabilities (for content) | Portal | Content distribution | Repositories | Content Hub | APIs | Terraform |
|---|---|---|---|---|---|---|
| Create/edit | Yes | Yes | Yes | Yes | Yes | Yes |
| Delete | Yes | Yes | Yes | Yes | Yes | Yes |
| List/inventory | Yes | Yes | No | Yes | Yes | No |
| Change history | Yes | No | Yes | Yes | No | Yes |
| Rollbacks | No | No | Yes | No | No | Yes |
| Approvals | No | No | Yes | No | No | Yes |
| Automatic sync | No | No | Yes | No | No | Yes |
| Drift prevention | No | No | No | No | No | No |
| Drift visibility | No | No | No | Yes | No | No |
Capabilities content coverage
The following table shows the content types supported by each capability.
| Content type | Portal | Content distribution | Repositories | Content Hub | APIs | Terraform |
|---|---|---|---|---|---|---|
| Custom detection rules | Yes | Yes | No | No | Yes | No |
| Analytics rules | Yes | Yes | Yes | Yes | Yes | Yes |
| Playbooks | Yes | Yes | Yes | Yes | Yes | Yes |
| Workbooks | Yes | Yes | Yes | Yes | Yes | Yes |
| Automation rules | Yes | Yes | Yes | Yes | Yes | Yes |
| Parsers | Yes | No | Yes | Yes | Yes | Yes |
| Connectors | Yes | No | No | Yes | Yes | Yes |
| Hunting queries | Yes | No | Yes | Yes | Yes | Yes |
| Watchlists | Yes | No | No | Yes | Yes | Yes |
| Summary rules | Yes | No | No | Yes | Yes | Yes |
| Notebooks | Yes | No | No | No | Yes | No |
| Endpoint security policies | Yes | Yes | No | No | No | No |
| Defender settings | Yes | No | No | No | No | No |
| URBAC roles | Yes | No | No | No | Yes | No |
| Agents | Yes | No | No | No | No | No |
| Unified connectors | Yes | No | No | No | No | No |