Microsoft Sentinel Content Hub GA and OOTB Content Centralization

Today, we are announcing general availability (GA) of Microsoft Sentinel Content hub. With this, the out-of-the-box (OOTB) content centralization experiences are available too, per the 'coming soon' announcement earlier. The goal of these changes is to enable a consistent, scenario-driven approach to onboarding OOTB content as needed. Content hub, with a growing set of ~300 solutions and 270+ standalone content items, goes beyond making it easy to discover, deploy and manage content. This is achieved by organizing solutions into packages that include data connectors, analytics rules, hunting queries, parsers, playbooks, workbooks and/or watchlists. These solutions help enterprise security operations (SecOps) teams manage their work from ingesting data, to monitoring security, to detecting issues, to hunting threats, to responding to breaches, in a scenario-driven mode with filters to discover content easily by domain category, content type, support level and more. The following diagram depicts the Microsoft Sentinel ecosystem powered by content from not only Microsoft and Microsoft Security Research, but also from partners and a growing community of 350+ security experts.

[Figure: Microsoft Sentinel Content Value]

New content experiences

Content hub GA includes new experiences as described below.

OOTB content centralization

We've completed the journey to centralize discovery, on-demand installation and management of OOTB content in content hub, integrating with the existing template gallery experiences. Please note, this does NOT impact any of the custom or active content that you've created, whether from templates or directly. As an example, with this change, you will NOT see changes to your enabled or disabled alerts (custom/active) or to the incidents ensuing from those.

Earlier, some of the OOTB content existed in various gallery sections of Microsoft Sentinel. Now, all the following gallery content templates are available in content hub as standalone items or as part of packaged solutions and the OOTB content templates in the following galleries are retired:

  • Data connectors
  • Analytics rule templates
  • Hunting queries
  • Playbook templates
  • Workbook templates

You can reinstate the in-use OOTB content templates from content hub by following the guided centralization tool flow illustrated below. This guided flow is accessible from any of the warning banners in the galleries listed above and needs to be run just once to centrally reinstate in-use OOTB templates.

[Figure: OOTB Content Centralization Tool]

To learn more about the GitHub repo, the content hub centralization changes and the recommended actions, with FAQs, see Out-of-the-box (OOTB) content centralization changes – Microsoft Sentinel | Microsoft Learn.

List view as default view

List view is displayed as the default view upon accessing content hub. This view lets you see more solutions and standalone content on a single page and install and update them in bulk too! You can easily switch over to the tile view by clicking the selector button circled in the diagram below.

[Figure: Content Hub]

Consistent Installation flow

The installation experiences are now also consistent: a single button click, either via the 'Install/Update' button in the header or via the 'Install' button at the bottom of the solution / standalone side panel. Both of these enable quick installation of the solution or standalone content per the product documentation. You can select 'View details' next to the solution 'Install' button on the side panel to view the offer plan and other details on Azure Marketplace.

Simplified solutions permissions

Earlier, installing solutions required the TemplateSpec Contributor permission in addition to the Microsoft Sentinel Contributor permission. This has now been simplified to just the Microsoft Sentinel Contributor permission to install solutions through the consistent installation flow outlined above, making it easier to install solutions of your choice.

New featured solutions

Check out the updated set of featured solutions and standalone OOTB content in content hub, which offer core product-, threat- and domain-centric solution value.

  • Product centric: This includes OOTB content and solutions for security products and services in categories like cloud, identity, security, compliance, productivity workloads, IoT/OT and more. Additionally, Microsoft Sentinel product-specific content also includes SOAR playbooks and SOAR connectors. A few examples include solutions for Azure, AWS, GCP, Salesforce, Vectra, Cisco, ZScaler, ServiceNow, SAP, and more. You can use these solutions to ingest data from the respective providers and leverage analytics, hunting queries, etc. for threat detection and response (TDR) scenarios with the relevant products in Microsoft Sentinel. Check out the featured Sentinel SOAR Essentials solution to leverage common playbooks to enhance security response outcomes.
  • Threat centric: This includes offerings to protect against specific attacks like Log4J, Typhoon (was Nobelium) or Aqua Blizzard (was Actinium), or to monitor attack methods across the MITRE framework. This includes a curated set of OOTB content put together by Microsoft Security researchers to enable you to protect against different threats immediately. The Microsoft Security Threat Essentials solution includes a generic set of OOTB detections and hunting queries that help protect against common threat vectors.
  • Domain centric: This includes featured solutions for different domain categories like web sessions, audit, user management and more. These domain solutions are product agnostic, hence do not include any data connectors. The OOTB content included in these solutions is built leveraging the Advanced Security Information Model (ASIM) schema. With ASIM, customers can leverage one piece of content for coverage across multiple products that share the same domain, reducing content management effort. See Microsoft Sentinel domain-centric solutions to learn more. Microsoft Essentials and DNS Essentials are a few examples.

Building OOTB content and solutions

Technology partners or community members can get started with building their own Microsoft Sentinel solution and delivering it in Content hub and Azure Marketplace. This is done by following three key steps: building OOTB content, packaging the content, and publishing the solution. Refer to the Microsoft Sentinel solutions build guide for further details on this three-step process and get started now!

Closing

Continue to discover, install on demand and manage OOTB content and solutions for your specific scenarios from Content hub. Learn more about the OOTB content centralization changes and take the recommended actions where necessary. Let us know your feedback using any of the channels listed in the questions or feedback section.


This article was originally published by Microsoft's Sentinel Blog. You can find the original article here.