Introduction
Microsoft Sentinel content is Security Information and Event Management (SIEM) content that enables customers to ingest data, monitor, alert, hunt, investigate, respond, and connect with different products, platforms, and services in Microsoft Sentinel.
Content in Microsoft Sentinel includes any of the following types:
- Data connectors provide log ingestion from different sources into Microsoft Sentinel
- Parsers provide log formatting/transformation into ASIM formats, supporting usage across various Microsoft Sentinel content types and scenarios
- Workbooks provide monitoring, visualization, and interactivity with data in Microsoft Sentinel, highlighting meaningful insights for users
- Analytics rules provide alerts that point to relevant SOC actions via incidents
- Hunting queries are used by SOC teams to proactively hunt for threats in Microsoft Sentinel
- Notebooks help SOC teams use advanced hunting features in Jupyter and Azure Notebooks
- Watchlists support the ingestion of specific data for enhanced threat detection and reduced alert fatigue
- Playbooks and Azure Logic Apps custom connectors provide features for automated investigations, remediations, and response scenarios in Microsoft Sentinel
To maintain content in Microsoft Sentinel, use:
- Content hub: Microsoft Sentinel solutions are packages of Microsoft Sentinel content or Microsoft Sentinel API integrations that fulfill an end-to-end product, domain, or industry vertical scenario in Microsoft Sentinel.
- Repositories: Repositories help you automate the deployment and management of your Microsoft Sentinel content from central source control repositories.
- Community: Onboard community content on-demand to enable your scenarios. The GitHub repo at https://github.com/Azure/Azure-Sentinel contains content by Microsoft and the community that is tested and available for you to implement in your Sentinel workspace.
You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You need to install connectors and analytics rules from a vendor. You have also created a library of hunting queries that needs to be maintained across multiple environments.
By the end of this module, you'll be able to manage content in Microsoft Sentinel.
After completing this module, you'll be able to:
- Install a content hub solution in Microsoft Sentinel
- Connect a GitHub repository to Microsoft Sentinel