Discover and manage Microsoft Sentinel out-of-the-box content (Public preview)
The Microsoft Sentinel Content hub is your centralized location to discover and manage out-of-the-box (built-in) content. There you'll find packaged solutions for end-to-end products by domain or industry. You'll also have access to the vast number of standalone contributions hosted in our GitHub repository and feature blades.
Discover solutions and standalone content with a consistent set of filtering capabilities based on status, content type, support, provider and category.
Install content in your workspace all at once or individually.
View content in list view and quickly see which solutions have updates. Update solutions all at once while standalone content updates automatically.
Manage a solution to install its content types and get the latest changes.
Configure standalone content to create new active items based on the most up-to-date template.
If you're a partner who wants to create your own solution, see the Microsoft Sentinel Solutions Build Guide for solution authoring and publishing.
In order to install, update and delete standalone content or solutions in content hub, you need the Template Spec Contributor role at the resource group level. See Azure RBAC built in roles for details on this role.
This is in addition to Sentinel specific roles. For more information about other roles and permissions supported for Microsoft Sentinel, see Permissions in Microsoft Sentinel.
The content hub offers the best way to find new content or manage the solutions you already have installed.
From the Microsoft Sentinel navigation menu, under Content management, select Content hub (Preview).
The Content hub page displays a searchable grid or list of solutions and standalone content.
Filter the list displayed, either by selecting specific values from the filters, or entering any part of a content name or description in the Search field.
For more information, see Categories for Microsoft Sentinel out-of-the-box content and solutions.
If a solution that you've deployed has updates since you deployed it, the list view will have a blue up arrow in the status column, and will be included in the Updates blue up arrow count at the top of the page.
Each content item shows categories that apply to it, and solutions show the types of content included.
For example, in the following image, the Cisco Umbrella solution lists one of its categories as Security - Cloud Security, and indicates it includes a data connector, analytics rules, hunting queries, playbooks, and more.
Install or update content
Standalone content and solutions can be installed individually or all together in bulk. For more information on bulk operations, see Bulk install and update content in the next section. Here's an example showing the install of an individual solution.
In the content hub, select a solution to view more information on the right. Then select Install, or Update.
On the solution details page, select Create or Update to start the solution wizard. On the Basics tab, enter the subscription, resource group, and workspace to deploy the solution. For example:
Select Next to cycle through the remaining tabs (corresponding to the components included in the solution), where you can learn about, and in some cases configure, each of the content components.
The tabs displayed for you correspond with the content offered by the solution. Different solutions may have different types of content, so you may not see all the same tabs in every solution.
You may also be prompted to enter credentials to a third party service so that Microsoft Sentinel can authenticate to your systems. For example, with playbooks, you may want to take response actions as prescribed in your system.
Finally, in the Review + create tab, wait for the
Validation Passedmessage, then select Create or Update to deploy the solution. You can also select the Download a template for automation link to deploy the solution as code.
Each content type within the solution may require additional steps to configure. For more information, see Enable content items in a solution.
Bulk install and update content
Content hub supports a list view in addition to the default card view. Multiple solutions and standalone content can be selected with this view to install and update them all at once. Standalone content is kept up-to-date automatically. Any active or custom content created based on solutions or standalone content installed from content hub remains untouched.
To install and/or update items in bulk, change to the list view.
The content hub interface will indicate in progress for installs and updates. Azure notifications will also indicate the action taken. If a solution or standalone content that was already installed or updated was selected, no action will be taken on that item and it won't interfere with the update and install of the other items.
Check each installed solution's Manage view. Content types within the solution may require additional steps to configure. For more information, see Enable content items in a solution.
Enable content items in a solution
Centrally manage content items for installed solutions from the content hub.
In the content hub, select an installed solution where the version is 2.0.0 or higher.
On the solutions details page, select Manage.
Review the list of content items.
Select a content item to get started.
Management options for each content type
Below are some tips on how to interact with various content types when managing a solution.
Select Open connector page.
Complete the data connector configuration steps.
After you configure the data connector and logs are detected, the status will change to Connected.
View the template in the analytics template gallery.
If the template hasn't been used yet, select Open > Create rule and follow the steps to enable the analytics rule.
Once created, the number of active rules created from the template is shown in the Created content column.
Click the active rules link, in this example 2 items, to edit the existing rule.
To start searching right away, select Run query from the details page for quick results.
To customize your hunting query, select the link, in this case Common deployed resources, in the Content name column.
This brings you to the hunting gallery where you can create a clone of the read-only hunting query template by accessing the ellipses menu. Hunting queries created in this way will display as items in the content hub Created content column.
Select View template to open the workbook and see the visualizations.
To create an instance of the workbook template select Save.
View your saved customizable workbook by selecting View saved workbook.
From the content hub, select the 1 item link in the Created content column to manage the workbook.
When a solution is installed, any parsers included are added as workspace functions in Log Analytics.
Select Load the function code to open Log Analytics and view or run the function code.
Select Use in editor to open Log Analytics with the parser name ready to add to your custom query.
Select the Content name link of the playbook, in this example BatchImportToSentinel.
This playbook template will populate the search field. From the results choose the template and select Create playbook.
Once created, the active playbook is shown in the Created content column.
Click the active playbook 1 item link to manage the playbook.
Find the support model for your content
Each solution explains its support model on the solution's details pane, in the Support box, where either Microsoft or a partner's name is listed. For example:
When contacting support, you may need other details about your solution, such as a publisher, provider, and plan ID values. You can find each of these on the solution's details page, on the Usage information & support tab. For example:
In this document, you learned how to find and deploy built-in solutions and standalone content for Microsoft Sentinel.
- Learn more about Microsoft Sentinel solutions.
- See the full Microsoft Sentinel solutions catalog in the Azure Marketplace.
- Find domain specific solutions in the Microsoft Sentinel content hub catalog.
- Delete installed Microsoft Sentinel out-of-the-box content and solutions (public preview)
Many solutions include data connectors that you'll need to configure so that you can start ingesting your data into Microsoft Sentinel. Each data connector will have its own set of requirements, detailed on the data connector page in Microsoft Sentinel.
For more information, see Connect your data source.