| 1 | +--- |
| 2 | +title: Consolidate solution content by deploying Microsoft essential solutions for Microsoft Sentinel |
| 3 | +description: Learn about the Microsoft essential solutions for Microsoft Sentinel that span across different ASIM schemas like networks, DNS, and web sessions. |
| 4 | +author: cwatson-cat |
| 5 | +ms.topic: conceptual |
| 6 | +ms.date: 03/08/2023 |
| 7 | +ms.author: cwatson |
| 8 | +#Customer intent: As a security engineer, I want to minimize the amount of solution content I have to deploy and manage by using Microsoft essential solutions for Microsoft Sentinel. |
| 9 | +--- |
| 10 | + |
| 11 | +## Consolidate solution content by deploying Microsoft essential solutions for Microsoft Sentinel |
| 12 | + |
| 13 | +Microsoft essential solutions are a collection of solutions that....provide centralized content for specific domain categories...? Essential solutions use the normalization technique Advanced Security Information Model (ASIM) to normalize the data at query time or ingestion time. The ingestion time normalization results can be ingested into following normalized table: |
| 14 | + |
| 15 | +- [ASimDnsActivityLogs](/azure/azure-monitor/reference/tables/asimdnsactivitylogs) for the DNS schema. |
| 16 | +- [ASimNetworkSessionLogs](/azure/azure-monitor/reference/tables/asimnetworksessionlogs) for the Network Session schema |
| 17 | + |
| 18 | +For more information, see [Ingest time normalization](/azure/sentinel/normalization-ingest-time). |
| 19 | + |
| 20 | +## Why Microsoft essential solutions |
| 21 | + |
| 22 | +Today, we have over 280 product solutions in the content hub. There are multiple product solutions for different domain categories like Security - Network. For example, Azure Firewall, Palo Alto Firewall, and Corelight have product solutions for the Security-Network domain category. These solutions have differing data ingest components by design. But there’s a certain pattern to the analytics, hunting, workbooks, and other content within the same domain category. |
| 23 | + |
| 24 | +For example, most of the major network products have a common basic set of firewall alerts that includes malicious threats coming from unusual IP addresses. The analytic rule template is, in general, duplicated for each of the Security - Network category of product solutions. If you're running multiple network products, you need to check and configure multiple analytic rules individually, which is inefficient. You'd also get alerts for each rule configured and might end up with alert fatigue. |
| 25 | + |
| 26 | +If you have duplicative hunting queries, you might have less performant hunting experiences with the run-all mode of hunting. These duplicative hunting queries also introduce inefficiencies for threat hunters to select-run similar queries. |
| 27 | + |
| 28 | +Microsoft essential solution reduces the amount of content you need to manage or provides efficiencies in.... |
| 29 | + |
| 30 | +## ASIM schemas supported |
| 31 | + |
| 32 | +The essentials solutions are currently spanned across the following different ASIM schemas that Sentinel supports: |
| 33 | + |
| 34 | +- Audit event |
| 35 | +- Authentication event |
| 36 | +- DNS activity |
| 37 | +- File activity |
| 38 | +- Network session |
| 39 | +- Process event |
| 40 | +- Web session |
| 41 | + |
| 42 | +For more information, see [Advanced Security Information Model (ASIM) schemas](/azure/sentinel/normalization-about-schemas). |
| 43 | + |
| 44 | +## Connectors not included |
| 45 | + |
| 46 | +The essential solutions don't have a connector of their own. They depend on the source specific connectors to pull in the logs. Then the solutions use the ASIM parsers in their built in analytic rules, hunting queries, and workbooks to identify anomalies. The ASIM parsers provide a consolidated report or dashboard view for all the source specific solutions that were part of prerequisite lists. |
| 47 | + |
| 48 | +## Network session essentials |
| 49 | + |
| 50 | +One of the first solutions available in the essentials series is the network session essential solution. This solution doesn't have a connector of its own. Instead, it uses the ASIM parsers for query time parsing. This solution comes with 7 analytic rules, 4 hunting queries, 1 workbook, 1 playbook, and watchlists. |
| 51 | + |
| 52 | +Analytics rules included: |
| 53 | + |
| 54 | +- Network session traffic anomaly |
| 55 | +- Anomaly in port usage |
| 56 | +- More than defined port usage |
| 57 | +- Excessive number of failed connections from a Single source |
| 58 | +- Detect possible flooding |
| 59 | +- Possible external to internal port sweep |
| 60 | +- Possible port scan |
| 61 | +- Potential Beaconing activity |
| 62 | +- TI map IP entity to Network Session Events |
| 63 | + |
| 64 | +Hunting queries included: |
| 65 | + |
| 66 | +- Detect Anomaly in port usage |
| 67 | +- Detect More than defined port usage |
| 68 | +- Detect multiple users with same MAC address |
| 69 | +- Destination App and associated standard port mismatch |
| 70 | + |
| 71 | +Workbook: |
| 72 | +The workbook covers details for the following listed events. |
| 73 | + |
| 74 | +- Traffic visibility |
| 75 | +- Security visibility |
| 76 | +- Policy rule |
| 77 | +- Network security event viewer |
| 78 | + |
| 79 | +Playbook: Summarization playbook |
| 80 | + |
| 81 | +The playbook summarizes end point security events and stores them in a pre-defined table. This playbook is helpful where you have a high number of end points security events. For example, you might have a high number of events in a large organization where network traffic is being monitoring by multiple source specific network solutions. |
| 82 | + |
| 83 | +By default, this playbook is available as a template. If you have a high number of end point security events on your network and you notice a performance issue when loading the workbook, then enable the playbook template. |
| 84 | + |
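Review bot: Lines 13 and 28 still carry unfinished placeholder text ("...provide centralized content for specific domain categories...?" and "provides efficiencies in....") and should be completed or cut before this merges; the opening definition is the sentence readers will quote. Two internal inconsistencies in the Network session essentials section also need fixing: line 50 says the solution "comes with 7 analytic rules", but the list at lines 54-62 has nine entries, and line 81 says the playbook "stores them in a pre-defined table" without naming the table, so a reader cannot find the summarized data or check its retention. Smaller points: line 13 calls ASIM a "normalization technique" when it is an information model (the page title and link text already say "model"), and "ingested into following normalized table" should read "the following normalized tables" since two are listed; line 32 "spanned across" reads better as "span"; line 46 refers to "source specific solutions that were part of prerequisite lists" but no prerequisites are listed anywhere on the page, so either name the source solutions and ASIM parsers the essentials solution depends on or drop the reference; lines 81-83 describe "end point security events" inside a network session solution, so confirm whether that should be network session events. Suggested rewrite for line 50: "This solution comes with 9 analytic rules, 4 hunting queries, 1 workbook, 1 playbook, and watchlists."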