Muokkaa

Jaa


About Microsoft Sentinel content and solutions

Microsoft Sentinel content is Security Information and Event Management (SIEM) solution components that enable customers to ingest data, monitor, alert, hunt, investigate, respond, and connect with different products, platforms, and services.

Content in Microsoft Sentinel includes any of the following types:

  • Data connectors provide log ingestion from different sources into Microsoft Sentinel
  • Parsers provide log formatting/transformation into Advanced Security Information Model (ASIM) formats, supporting usage across various Microsoft Sentinel content types and scenarios
  • Workbooks provide monitoring, visualization, and interactivity with data in Microsoft Sentinel, highlighting meaningful insights for users
  • Analytics rules provide alerts that point to relevant SOC actions via incidents
  • Hunting queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel
  • Notebooks help SOC teams use advanced hunting features in Jupyter and Azure Notebooks
  • Watchlists support the ingestion of specific data for enhanced threat detection and reduced alert fatigue
  • Playbooks and Azure Logic Apps custom connectors provide features for automated investigation, remediation, and response scenarios in Microsoft Sentinel

Microsoft Sentinel offers these content types as solutions and standalone items. Solutions are packages of Microsoft Sentinel content or Microsoft Sentinel API integrations, which fulfill an end-to-end product, domain, or industry vertical scenario in Microsoft Sentinel. Both solutions and standalone items are discoverable and managed from the Content hub.

You can either customize out-of-the-box (OOTB) content for your own needs, or you can create your own solution with content to share with others in the community. For more information, see the Microsoft Sentinel Solutions Build Guide for solutions' authoring and publishing.

Important

Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. For more information, see Microsoft Sentinel in the Microsoft Defender portal.

Discover and manage Microsoft Sentinel content

Use the Microsoft Sentinel Content hub to centrally discover and install out-of-the-box (OOTB) content.

The Microsoft Sentinel Content hub provides in-product discoverability, single-step deployment, and enablement of end-to-end product, domain, and/or vertical OOTB solutions and content in Microsoft Sentinel.

  • Filter by categories and other parameters, or use the powerful text search, to find the content that works best for your organization's needs.

    The Content hub also indicates the support model applied to each piece of content, as some content is maintained by Microsoft and others are maintained by partners or the community.

  • Manage updates for out-of-the-box content in the Content hub. Or, for custom content, manage updates from the Repositories page. For more information, see Discover and manage Microsoft Sentinel out-of-the-box content.

  • Customize out-of-the-box content for your own needs, or create custom content, including analytics rules, hunting queries, notebooks, workbooks, and more.

    Manage your custom content directly in your Microsoft Sentinel workspace by using the Microsoft Sentinel API or from your own source control repository. For more information, see Microsoft Sentinel API and Deploy custom content from your repository.

Why content hub solutions?

Microsoft Sentinel solutions are packaged integrations that deliver end-to-end product value for one or more domain or vertical scenarios in the content hub.

The solutions experience, powered by Azure Marketplace, helps you discover and deploy the content you want. For more information on authoring and publishing solutions in the Azure Marketplace, see the Microsoft Sentinel Solutions Build Guide.

  • Packaged content are collections of one or more components of Microsoft Sentinel content, such as data connectors, workbooks, analytics rules, playbooks, hunting queries, watchlists, parsers, and more.

  • Integrations include services or tools built using Microsoft Sentinel or Azure Log Analytics APIs that support integrations between Azure and existing customer applications, or migrate data, queries, and more, from those applications into Microsoft Sentinel.

You can also use solutions to install packages of out-of-the-box (OOTB) content in a single step, where the content is often ready to use immediately. Providers and partners use Sentinel solutions to add value to their customers' investments by delivering combined product, domain, or vertical value.

Use the Content hub to centrally discover and deploy solutions and OOTB content in a scenario-driven manner.

For more information, see:

Categories for Microsoft Sentinel out-of-the-box content and solutions

Microsoft Sentinel out-of-the-box content can be applied with one or more of the following categories. In the Content hub, select the categories you want to view to change the content displayed. You can discover community delivered items centrally in Content hub as standalone content or solutions.

Domain categories

Category name Description
Application Web, server-based, SaaS, database, communications, or productivity workload
Cloud Provider Cloud service
Compliance Compliance product, services, and protocols
DevOps Development operations tools and services
Identity Identity service providers and integrations
Internet of Things (IoT) IoT, operational technology (OT) devices, and infrastructure, industrial control services
IT Operations Products and services managing IT
Migration Migration enablement products, services, and
Networking Network products, services, and tools
Platform Microsoft Sentinel generic or framework components, Cloud infrastructure, and platform
Security - Others Other security products and services with no other clear category
Security - Threat Intelligence Threat intelligence platforms, feeds, products, and services
Security - Threat Protection Threat protection, email protection, extended detection and response (XDR), and endpoint protection products and services
Security - 0-day Vulnerability Specialized solutions for zero-day vulnerability attacks like Nobelium
Security - Automation (SOAR) Security automations, SOAR (Security Operations and Automated Responses), security operations, and incident response products and services.
Security - Cloud Security CASB (Cloud Access Service Broker), CWPP (Cloud workload protection platforms), CSPM (Cloud security posture management and other Cloud Security products and services
Security - Information Protection Information protection and document protection products and services
Security - Insider Threat Insider threat and user and entity behavioral analytics (UEBA) for security products and services
Security - Network Security network devices, firewall, NDR (network detection and response), NIDP (network intrusion and detection prevention), and network packet capture
Security - Vulnerability Management Vulnerability management products and services
Storage File stores and file sharing products and services
Training and Tutorials Training, tutorials, and onboarding assets
User Behavior (UEBA) User behavior analytics products and services

Industry vertical categories

Category name Description
Aeronautics Products, services, and content specific for the aeronautics industry
Education Products, services, and content specific for the education industry
Finance Products, services, and content specific for the finance industry
Healthcare Products, services, and content specific for the healthcare industry
Manufacturing Products, services, and content specific for the manufacturing industry
Retail Products, services, and content specific for the retail industry

Support models for Microsoft Sentinel out-of-the-box content and solutions

Both Microsoft and other organizations author Microsoft Sentinel out-of-the-box content and solutions. Each piece of out-of-the-box content or solution has one of the following support types:

Support model Description
Microsoft-supported Applies to:
- Content/solutions where Microsoft is the data provider, where relevant, and author.
- Some Microsoft-authored content/solutions for non-Microsoft data sources.

Microsoft supports and maintains content/solutions in this support model in accordance with Microsoft Azure Support Plans.
Partners or the Community support content or solutions authored by any party other than Microsoft.
Partner-supported Applies to content/solutions authored by parties other than Microsoft.

The partner company provides support or maintenance for these pieces of content/solutions. The partner company can be an Independent Software Vendor, a Managed Service Provider (MSP/MSSP), a Systems Integrator (SI), or any organization whose contact information is provided on the Microsoft Sentinel page for the selected content/solutions.

For any issues with a partner-supported solution, contact the specified support contact.
Community-supported Applies to content or solutions authored by Microsoft or partner developers without listed contacts for support and maintenance in Microsoft Sentinel.

For questions or issues with these solutions, file an issue in the Microsoft Sentinel GitHub community.

Content sources for Microsoft Sentinel content and solutions

Each piece of content or solution has one of the following content sources:

Content source Description
Content hub Solutions deployed by the Content hub that support lifecycle management
Standalone Standalone content deployed by the Content hub that is automatically kept up-to-date
Custom Content or solutions you customized in your workspace
Gallery content Content from the feature galleries that don't support lifecycle management. This content source is retiring soon. For more information, see OOTB content centralization changes.
Repositories Content or solutions from a repository connected to your workspace

Next steps

Discover and install solutions and standalone content from the Content hub in your Microsoft Sentinel workspace.

For more information, see: