File: articles/sentinel/essential-solutions.md (14 additions & 13 deletions)
@@ -1,5 +1,5 @@
1
1
---
2
-
title: Consolidate solution content by deploying Microsoft essential solutions for Microsoft Sentinel
2
+
title: Microsoft essential solutions for Microsoft Sentinel
3
3
description: Learn about the Microsoft essential solutions for Microsoft Sentinel that span across different ASIM schemas like networks, DNS, and web sessions.
4
4
author: cwatson-cat
5
5
ms.topic: conceptual
@@ -8,7 +8,7 @@ ms.author: cwatson
8
8
#Customer intent: As a security engineer, I want to minimize the amount of solution content I have to deploy and manage by using Microsoft essential solutions for Microsoft Sentinel.
9
9
---
10
10
11
-
## Consolidate solution content by deploying Microsoft essential solutions for Microsoft Sentinel
11
+
# Microsoft essential solutions for Microsoft Sentinel
12
12
13
13
Microsoft essential solutions are a collection of solutions that....provide centralized content for specific domain categories...? Essential solutions use the normalization technique Advanced Security Information Model (ASIM) to normalize the data at query time or ingestion time. The ingestion time normalization results can be ingested into following normalized table:
14
14
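Review bot: the intro paragraph that sits directly under the new H1 still carries unfinished draft text, "a collection of solutions that....provide centralized content for specific domain categories...?", and this commit promotes the heading above it without resolving it; finish that sentence before merging (for example state what the collection provides and for which domain categories) and add the missing article in "can be ingested into the following normalized table".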
@@ -19,9 +19,10 @@ For more information, see [Ingest time normalization](/azure/sentinel/normalizat
19
19
20
20
## Why Microsoft essential solutions
21
21
22
-
Today, we have over 280 product solutions in the content hub. There are multiple product solutions for different domain categories like Security - Network. For example, Azure Firewall, Palo Alto Firewall, and Corelight have product solutions for the Security-Network domain category. These solutions have differing data ingest components by design. But there’s a certain pattern to the analytics, hunting, workbooks, and other content within the same domain category.
22
+
Today, we have over 280 product solutions in the content hub. There are multiple product solutions for different domain categories like Security - Network. For example, Azure Firewall, Palo Alto Firewall, and Corelight have product solutions for the Security-Network domain category.
23
23
24
-
For example, most of the major network products have a common basic set of firewall alerts that includes malicious threats coming from unusual IP addresses. The analytic rule template is, in general, duplicated for each of the Security - Network category of product solutions. If you're running multiple network products, you need to check and configure multiple analytic rules individually, which is inefficient. You'd also get alerts for each rule configured and might end up with alert fatigue.
24
+
- These solutions have differing data ingest components by design. But there’s a certain pattern to the analytics, hunting, workbooks, and other content within the same domain category.
25
+
- Most of the major network products have a common basic set of firewall alerts that includes malicious threats coming from unusual IP addresses. The analytic rule template is, in general, duplicated for each of the Security - Network category of product solutions. If you're running multiple network products, you need to check and configure multiple analytic rules individually, which is inefficient. You'd also get alerts for each rule configured and might end up with alert fatigue.
25
26
26
27
If you have duplicative hunting queries, you might have less performant hunting experiences with the run-all mode of hunting. These duplicative hunting queries also introduce inefficiencies for threat hunters to select-run similar queries.
27
28
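Review bot: the two new bullets are attached to a sentence that does not introduce a list, so the first bullet ("These solutions have differing data ingest components by design. But there's a certain pattern...") reads as a dangling fragment rather than a list item; either keep both as paragraphs, or end the preceding paragraph with a lead-in such as "This creates the following problems:" and open each bullet with the problem it describes (duplicated content per product, duplicated analytic rules and alert fatigue). The untouched line that follows, "inefficiencies for threat hunters to select-run similar queries", is awkward and could be reworded in the same pass.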
@@ -45,9 +46,9 @@ For more information, see [Advanced Security Information Model (ASIM) schemas](/
45
46
46
47
The essential solutions don't have a connector of their own. They depend on the source specific connectors to pull in the logs. Then the solutions use the ASIM parsers in their built in analytic rules, hunting queries, and workbooks to identify anomalies. The ASIM parsers provide a consolidated report or dashboard view for all the source specific solutions that were part of prerequisite lists.
47
48
48
-
## Network session essentials
49
+
## Network session essentials solution
49
50
50
-
One of the first solutions available in the essentials series is the network session essential solution. This solution doesn't have a connector of its own. Instead, it uses the ASIM parsers for query time parsing. This solution comes with 7 analytic rules, 4 hunting queries, 1 workbook, 1 playbook, and watchlists.
51
+
One of the first solutions available in the essentials series is the network session essential solution. This solution doesn't have a connector of its own. Instead, it uses the ASIM parsers for query time parsing. This solution comes with seven analytic rules, four hunting queries, one playbook, one workbook, and watchlists.
51
52
52
53
Analytics rules included:
53
54
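Review bot: the rewritten paragraph keeps "This solution doesn't have a connector of its own", which the unchanged paragraph a few lines above already states for every essential solution ("The essential solutions don't have a connector of their own"); drop the repeat and keep only the detail that is specific here, that it relies on the ASIM parsers for query-time parsing. Reordering the inventory to "one playbook, one workbook" correctly matches the new section order introduced in the later hunk. While here, the nearby context wants hyphens: "built in" to "built-in", "source specific" to "source-specific", and "query time parsing" to "query-time parsing".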
@@ -68,17 +69,17 @@ Hunting queries included:
68
69
- Detect multiple users with same MAC address
69
70
- Destination App and associated standard port mismatch
70
71
72
+
Playbook: Summarization playbook
73
+
74
+
- The playbook summarizes end point security events and stores them in a pre-defined table.
75
+
- This playbook is helpful where you have a high number of end points security events. For example, you might have a high number of events in a large organization where network traffic is being monitoring by multiple source specific network solutions.
76
+
77
+
- By default, this playbook is available as a template. If you have a high number of end point security events on your network and you notice a performance issue when loading the workbook, then enable the playbook template.
78
+
71
79
Workbook:
72
80
The workbook covers details for the following listed events.
73
81
74
82
- Traffic visibility
75
83
- Security visibility
76
84
- Policy rule
77
85
- Network security event viewer
78
-
79
-
Playbook: Summarization playbook
80
-
81
-
The playbook summarizes end point security events and stores them in a pre-defined table. This playbook is helpful where you have a high number of end points security events. For example, you might have a high number of events in a large organization where network traffic is being monitoring by multiple source specific network solutions.
82
-
83
-
By default, this playbook is available as a template. If you have a high number of end point security events on your network and you notice a performance issue when loading the workbook, then enable the playbook template.
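Review bot: moving the playbook section ahead of the workbook makes its last bullet ("...you notice a performance issue when loading the workbook, then enable the playbook template") refer to a workbook that is only introduced in the following section; either keep the playbook after the workbook, or say "the solution's workbook (described in the next section)". The list spacing is also inconsistent: no blank line separates the first two bullets, but a blank line precedes the third, which Markdown renders as a loose list. Since this text is being rewritten anyway, fix the carried-over typos rather than moving them: "end points security events" to "endpoint security events", "being monitoring" to "being monitored", "end point" to "endpoint", and "pre-defined" to "predefined".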