
Commit b201f82

Merge pull request #238522 from cwatson-cat/5-17-23-ctn-hub-sol-inst
Sentinel - upd for content hub templt gallery chng
2 parents cc278f7 + eda236e commit b201f82

7 files changed: +64 -38 lines changed

articles/sentinel/connect-aws.md

Lines changed: 27 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -91,19 +91,25 @@ The script takes the following actions:
9191

9292
### Prerequisites
9393

94-
You must have PowerShell and the AWS CLI on your machine.
94+
- Install the Amazon Web Services solution from the **Content Hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content (Public preview)](sentinel-solutions-deploy.md).
95+
96+
- You must have PowerShell and the AWS CLI on your machine.
97+
- [Installation instructions for PowerShell](/powershell/scripting/install/installing-powershell)
98+
- [Installation instructions for the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html)
99+
95100

96-
- [Installation instructions for PowerShell](/powershell/scripting/install/installing-powershell)
97-
- [Installation instructions for the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/install-cliv2.html)
98101

99102
### Instructions
100103

101104
To run the script to set up the connector, use the following steps:
102105

103106
1. From the Microsoft Sentinel navigation menu, select **Data connectors**.
104107

105-
1. Select **Amazon Web Services S3** from the data connectors gallery, and in the details pane, select **Open connector page**.
108+
1. Select **Amazon Web Services S3** from the data connectors gallery.
109+
110+
If you don't see the connector, install the Amazon Web Services solution from the **Content Hub** in Microsoft Sentinel.
106111

112+
1. In the details pane for the connector, select **Open connector page**.
107113
1. In the **Configuration** section, under **1. Set up your AWS environment**, expand **Setup with PowerShell script (recommended)**.
108114

109115
1. Follow the on-screen instructions to download and extract the [AWS S3 Setup Script](https://github.com/Azure/Azure-Sentinel/blob/master/DataConnectors/AWS-S3/ConfigAwsS3DataConnectorScripts.zip?raw=true) (link downloads a zip file containing the main setup script and helper scripts) from the connector page.
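Review bot: the link text at 94+ reads "Discover and manage Microsoft Sentinel out-of-the-box content (Public preview)", while every other prerequisite added in this PR links to the same sentinel-solutions-deploy.md as "Discover and manage Microsoft Sentinel out-of-the-box content"; drop the "(Public preview)" suffix so the link text is consistent across the articles. The note at 110+ ("If you don't see the connector, install…") sits between two numbered steps; make sure it is indented under the step at 108+ in the source, otherwise the list restarts at 1 after it. Step 1 at 106 still opens with "From the Microsoft Sentinel navigation menu", whereas the other articles changed here use "In Microsoft Sentinel, select **Data connectors**."; consider aligning the wording.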
@@ -141,6 +147,8 @@ Microsoft recommends using the automatic setup script to deploy this connector.
141147

142148
- Create a [standard Simple Queue Service (SQS) queue](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-configure-create-queue.html) in AWS.
143149

150+
- Install the Amazon Web Services solution from the **Content Hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
151+
144152
### Instructions
145153

146154
The manual setup consists of the following steps:
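Review bot: the new prerequisite at 150+ is appended after "Create a standard SQS queue", but the manual steps that follow begin on the connector page, which is only available once the solution is installed; list the Content Hub install first, as the PowerShell section above does.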
@@ -152,8 +160,13 @@ The manual setup consists of the following steps:
152160

153161
#### Create an AWS assumed role and grant access to the AWS Sentinel account
154162

155-
1. In Microsoft Sentinel, select **Data connectors** and then select the **Amazon Web Services S3** line in the table and in the AWS pane to the right, select **Open connector page**.
163+
1. In Microsoft Sentinel, select **Data connectors**.
164+
165+
1. Select **Amazon Web Services S3** from the data connectors gallery.
156166

167+
If you don't see the connector, install the Amazon Web Services solution from the **Content Hub** in Microsoft Sentinel.
168+
169+
1. In the details pane for the connector, select **Open connector page**.
157170
1. Under **Configuration**, copy the **External ID (Workspace ID)** and paste it aside.
158171

159172
1. In your AWS management console, under **Security, Identity & Compliance**, select **IAM**.
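Review bot: same list-continuation concern as in the PowerShell section: the "If you don't see the connector" paragraph at 167+ falls between the steps at 165+ and 169+ and needs to be indented under 165+ so the numbering continues to 3 and 4 instead of restarting. Since the step at 170 is adjacent and unchanged, "paste it aside" would read better as "save it for later" if this block is touched again.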
@@ -261,14 +274,21 @@ Learn how to [troubleshoot Amazon Web Services S3 connector issues](aws-s3-troub
261274
262275
## Prerequisites
263276

264-
You must have write permission on the Microsoft Sentinel workspace.
277+
- You must have write permission on the Microsoft Sentinel workspace.
278+
- Install the Amazon Web Services solution from the Content Hub in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
265279

266280
> [!NOTE]
267281
> Microsoft Sentinel collects CloudTrail management events from all regions. It is recommended that you do not stream events from one region to another.
268282
269283
## Connect AWS CloudTrail
270284

271-
1. In Microsoft Sentinel, select **Data connectors** and then select the **Amazon Web Services** line in the table and in the AWS pane to the right, select **Open connector page**.
285+
1. In Microsoft Sentinel, select **Data connectors**.
286+
287+
1. Select **Amazon Web Services** from the data connectors gallery.
288+
289+
If you don't see the connector, install the Amazon Web Services solution from the **Content Hub** in Microsoft Sentinel.
290+
291+
1. In the details pane for the connector, select **Open connector page**.
272292

273293
1. Follow the instructions under **Configuration** using the following steps.
274294

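Review bot: at 278+ "Content Hub" is not bolded, while every other occurrence added in this PR uses **Content Hub**; make it bold for consistency. The step list at 285+ through 291+ follows the same pattern as the S3 sections, including the "If you don't see the connector" paragraph at 289+, which must sit under the preceding step in the source to keep the numbering intact.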
articles/sentinel/connect-azure-active-directory.md

Lines changed: 5 additions & 5 deletions
@@ -10,11 +10,6 @@ ms.custom: ignite-fall-2021
1010

1111
# Connect Azure Active Directory (Azure AD) data to Microsoft Sentinel
1212

13-
> [!IMPORTANT]
14-
> As indicated below, some of the available log types are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
15-
16-
[!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
17-
1813
You can use Microsoft Sentinel's built-in connector to collect data from [Azure Active Directory](../active-directory/fundamentals/active-directory-whatis.md) and stream it into Microsoft Sentinel. The connector allows you to stream the following log types:
1914

2015
- [**Sign-in logs**](../active-directory/reports-monitoring/concept-all-sign-ins.md), which contain information about interactive user sign-ins where a user provides an authentication factor.
@@ -31,6 +26,10 @@ You can use Microsoft Sentinel's built-in connector to collect data from [Azure
3126

3227
- [**Provisioning logs**](../active-directory/reports-monitoring/concept-provisioning-logs.md) (also in **PREVIEW**), which contain system activity information about users, groups, and roles provisioned by the Azure AD provisioning service.
3328

29+
> [!IMPORTANT]
30+
> Some of the available log types are currently in **PREVIEW**. See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
31+
32+
[!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
3433

3534
## Prerequisites
3635

@@ -41,6 +40,7 @@ You can use Microsoft Sentinel's built-in connector to collect data from [Azure
4140
- Your user must be assigned the [Global Administrator](../active-directory/roles/permissions-reference.md#global-administrator) or [Security Administrator](../active-directory/roles/permissions-reference.md#security-administrator) roles on the tenant you want to stream the logs from.
4241

4342
- Your user must have read and write permissions to the Azure AD diagnostic settings in order to be able to see the connection status.
43+
- Install the solution for **Azure Active Directory** from the **Content Hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
4444

4545
## Connect to Azure Active Directory
4646

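Review bot: the new bullet at 43+ directly follows the bullet at 42 with no blank line, while the existing items in this list (40 and 42) are separated by one; add a blank line before 43+ so the spacing is consistent and the renderer treats all items as loose list items rather than mixing tight and loose items in one list.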
articles/sentinel/connect-data-sources.md

Lines changed: 13 additions & 10 deletions
@@ -9,33 +9,36 @@ ms.author: yelevin
99

1010
# Microsoft Sentinel data connectors
1111

12-
[!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
13-
1412
After you onboard Microsoft Sentinel into your workspace, you can use data connectors to start ingesting your data into Microsoft Sentinel. Microsoft Sentinel comes with many out of the box connectors for Microsoft services, which you can integrate in real time. For example, the Microsoft 365 Defender connector is a [service-to-service connector](#service-to-service-integration-for-data-connectors) that integrates data from Office 365, Azure Active Directory (Azure AD), Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps.
1513

1614
You can also enable built-in connectors to the broader security ecosystem for non-Microsoft products. For example, you can use [Syslog](#syslog), [Common Event Format (CEF)](#common-event-format-cef), or [REST APIs](#rest-api-integration-for-data-connectors) to connect your data sources with Microsoft Sentinel.
1715

18-
Learn about [types of Microsoft Sentinel data connectors](data-connectors-reference.md) or learn about the [Microsoft Sentinel solutions catalog](sentinel-solutions-catalog.md).
19-
20-
The Microsoft Sentinel **Data connectors** page shows the full list of connectors and their status in your workspace.
16+
The Microsoft Sentinel **Data connectors** page shows the list of connectors installed in your workspace and their status.
2117

2218
:::image type="content" source="media/collect-data/collect-data-page.png" alt-text="Screenshot of the data connectors gallery." lightbox="media/collect-data/collect-data-page.png":::
2319

20+
For more data connectors, install the solution or standalone content items from the content hub. For more information, see the following articles:
21+
- [Find your Microsoft Sentinel data connector](data-connectors-reference.md)
22+
- [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md)
23+
- [Microsoft Sentinel content hub catalog](sentinel-solutions-catalog.md)
24+
2425
<a name="agent-options"></a>
2526
<a name="data-connection-methods"></a>
2627
<a name="map-data-types-with-microsoft-sentinel-connection-options"></a>
2728

29+
[!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
30+
2831
## Enable a data connector
2932

30-
Select the connector you want to connect, and then select **Open connector page**.
33+
From the **Data connectors** page, select the active or custom connector you want to connect, and then select **Open connector page**. If you don't see the data connector you want, install the solution or standalone content items from the **Content Hub**.
3134

32-
- Once you fulfill all the prerequisites listed in the **Instructions** tab, the connector page describes how to ingest the data to Microsoft Sentinel. It may take some time for data to start arriving. After you connect, you see a summary of the data in the **Data received** graph, and the connectivity status of the data types.
35+
Once you fulfill all the prerequisites listed in the **Instructions** tab, the connector page describes how to ingest the data to Microsoft Sentinel. It may take some time for data to start arriving. After you connect, you see a summary of the data in the **Data received** graph, and the connectivity status of the data types.
3336

34-
:::image type="content" source="media/collect-data/opened-connector-page.png" alt-text="Screenshot showing how to configure data connectors." border="false":::
37+
:::image type="content" source="media/collect-data/opened-connector-page.png" alt-text="Screenshot showing how to configure data connectors." border="false":::
3538

36-
- In the **Next steps** tab, you'll see more content for the specific data type: Sample queries, visualization workbooks, and analytics rule templates to help you detect and investigate threats.
39+
In the **Next steps** tab, you'll see more content for the specific data type: Sample queries, visualization workbooks, and analytics rule templates to help you detect and investigate threats.
3740

38-
:::image type="content" source="media/collect-data/data-insights.png" alt-text="Screenshot showing the data connecter Next steps tab." border="false":::
41+
:::image type="content" source="media/collect-data/data-insights.png" alt-text="Screenshot showing the data connecter Next steps tab." border="false":::
3942

4043
Learn about your specific data connector in the [data connectors reference](data-connectors-reference.md).
4144

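Review bot: typo in the alt text at 41+: "data connecter Next steps tab" should be "data connector Next steps tab"; the line is being re-indented anyway, so fix it here. At 20+ "content hub" is lowercase and unbolded while 33+ and the rest of the PR use **Content Hub**; pick one form. The feature-availability include moves from the top of the article (12-) to after the anchor tags (29+), so it now renders just before "Enable a data connector" rather than under the title; confirm that placement is intended, since connect-defender-for-cloud.md keeps its include above the section headings.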
articles/sentinel/connect-defender-for-cloud.md

Lines changed: 7 additions & 9 deletions
@@ -10,29 +10,26 @@ ms.custom: ignite-fall-2021
1010

1111
# Connect Microsoft Defender for Cloud alerts to Microsoft Sentinel
1212

13-
## Background
14-
15-
> [!NOTE]
16-
> - Microsoft Defender for Cloud was formerly known as Azure Security Center.
17-
> - Defender for Cloud's enhanced security features were formerly known collectively as Azure Defender.
18-
1913
[Microsoft Defender for Cloud](../defender-for-cloud/index.yml)'s integrated cloud workload protections allow you to detect and quickly respond to threats across hybrid and multi-cloud workloads.
2014

2115
This connector allows you to stream [security alerts from Defender for Cloud](../defender-for-cloud/alerts-reference.md) into Microsoft Sentinel, so you can view, analyze, and respond to Defender alerts, and the incidents they generate, in a broader organizational threat context.
2216

2317
As [Microsoft Defender for Cloud Defender plans](../defender-for-cloud/defender-for-cloud-introduction.md#protect-cloud-workloads) are enabled per subscription, this data connector is also enabled or disabled separately for each subscription.
2418

19+
Microsoft Defender for Cloud was formerly known as Azure Security Center. Defender for Cloud's enhanced security features were formerly known collectively as Azure Defender.
20+
21+
2522
[!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
2623

27-
### Alert synchronization
24+
## Alert synchronization
2825

2926
- When you connect Microsoft Defender for Cloud to Microsoft Sentinel, the status of security alerts that get ingested into Microsoft Sentinel is synchronized between the two services. So, for example, when an alert is closed in Defender for Cloud, that alert will display as closed in Microsoft Sentinel as well.
3027

3128
- Changing the status of an alert in Defender for Cloud will *not* affect the status of any Microsoft Sentinel **incidents** that contain the Microsoft Sentinel alert, only that of the alert itself.
3229

33-
### Bi-directional alert synchronization
30+
## Bi-directional alert synchronization
3431

35-
- Enabling **bi-directional sync** will automatically sync the status of original security alerts with that of the Microsoft Sentinel incidents that contain those alerts. So, for example, when a Microsoft Sentinel incident containing a security alerts is closed, the corresponding original alert will be closed in Microsoft Defender for Cloud automatically.
32+
Enabling **bi-directional sync** will automatically sync the status of original security alerts with that of the Microsoft Sentinel incidents that contain those alerts. So, for example, when a Microsoft Sentinel incident containing a security alerts is closed, the corresponding original alert will be closed in Microsoft Defender for Cloud automatically.
3633

3734
## Prerequisites
3835

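Review bot: grammar at 32+: "containing a security alerts" should be "containing a security alert"; it is carried over from 35-, but this line is being rewritten, so fix it here. The bi-directional section drops its bullet (35- to 32+) while "Alert synchronization" at 26 and 28 keeps its two bullets; either convert those to paragraphs as well or leave both sections as lists. There is also a double blank line at 20+/21+ between the moved "formerly known as" sentence at 19+ and the include at 22.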
@@ -45,6 +42,7 @@ As [Microsoft Defender for Cloud Defender plans](../defender-for-cloud/defender-
4542
- You will need the `SecurityInsights` resource provider to be registered for each subscription where you want to enable the connector. Review the guidance on the [resource provider registration status](../azure-resource-manager/management/resource-providers-and-types.md#register-resource-provider) and the ways to register it.
4643

4744
- To enable bi-directional sync, you must have the **Contributor** or **Security Admin** role on the relevant subscription.
45+
- Install the solution for **Microsoft Defender for Cloud** from the **Content Hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
4846

4947
## Connect to Microsoft Defender for Cloud
5048

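Review bot: same spacing point as the other prerequisites lists in this PR: 45+ follows 44 with no blank line, while 42 and 44 are separated by one; add the blank line so the list stays a loose list throughout.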
articles/sentinel/connect-log-forwarder.md

Lines changed: 5 additions & 2 deletions
@@ -30,6 +30,8 @@ Using the link provided below, you will run a script on the designated machine t
3030

3131
[!INCLUDE [data-connector-prereq](includes/data-connector-prereq.md)]
3232

33+
Install the product solution from the **Content Hub** in Microsoft Sentinel. If the product isn't listed, install the solution for **Common Event Format**. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
34+
3335
Your machine must meet the following requirements:
3436

3537
- **Hardware (physical/virtual)**
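Review bot: "Install the product solution" at 33+ is ambiguous (it can read as a product named "product solution"); suggest "Install the solution for your product from the **Content Hub** in Microsoft Sentinel. If your product isn't listed, install the solution for **Common Event Format**." so it matches the phrasing used for the connector selection at 84+ below.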
@@ -78,8 +80,9 @@ If your devices are sending Syslog and CEF logs over TLS (because, for example,
7880

7981
## Run the deployment script
8082

81-
1. From the Microsoft Sentinel navigation menu, select **Data connectors**. Select the connector for your product from the connectors gallery (or the **Common Event Format (CEF)** if your product isn't listed), and then the **Open connector page** button on the lower right.
82-
83+
1. In Microsoft Sentinel, select **Data connectors**.
84+
1. Select the connector for your product from the connectors gallery. If your product isn't listed, select **Common Event Format (CEF)**.
85+
1. In the details pane for the connector, select **Open connector page**.
8386
1. On the connector page, in the instructions under **1.2 Install the CEF collector on the Linux machine**, copy the link provided under **Run the following script to install and apply the CEF collector**.
8487
If you don't have access to that page, copy the link from the text below (copying and pasting the **Workspace ID** and **Primary Key** from above in place of the placeholders):
8588

articles/sentinel/connect-microsoft-365-defender.md

Lines changed: 3 additions & 5 deletions
@@ -9,18 +9,15 @@ ms.date: 02/01/2023
99

1010
# Connect data from Microsoft 365 Defender to Microsoft Sentinel
1111

12-
[!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
13-
1412
Microsoft Sentinel's [Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection) connector with incident integration allows you to stream all Microsoft 365 Defender incidents and alerts into Microsoft Sentinel, and keeps the incidents synchronized between both portals. Microsoft 365 Defender incidents include all their alerts, entities, and other relevant information, and they group together, and are enriched by, alerts from Microsoft 365 Defender's component services **Microsoft Defender for Endpoint**, **Microsoft Defender for Identity**, **Microsoft Defender for Office 365**, and **Microsoft Defender for Cloud Apps**, as well as alerts from other services such as **Microsoft Purview Data Loss Prevention (DLP)** and **Azure Active Directory Identity Protection (AADIP)**.
1513

1614
The connector also lets you stream **advanced hunting** events from *all* of the above Defender components into Microsoft Sentinel, allowing you to copy those Defender components' advanced hunting queries into Microsoft Sentinel, enrich Sentinel alerts with the Defender components' raw event data to provide additional insights, and store the logs with increased retention in Log Analytics.
1715

1816
For more information about incident integration and advanced hunting event collection, see [Microsoft 365 Defender integration with Microsoft Sentinel](microsoft-365-defender-sentinel-integration.md#advanced-hunting-event-collection).
1917

20-
> [!IMPORTANT]
21-
>
22-
> The Microsoft 365 Defender connector is now generally available!
18+
The Microsoft 365 Defender connector is now generally available.
2319

20+
[!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
2421
## Prerequisites
2522

2623
- You must have a valid license for Microsoft 365 Defender, as described in [Microsoft 365 Defender prerequisites](/microsoft-365/security/mtp/prerequisites).
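Review bot: at 20+ the include line is immediately followed by "## Prerequisites" at 21 with no blank line between them; add one so the include and the heading are separate blocks. The sentence at 18+ "The Microsoft 365 Defender connector is now generally available." keeps the "now" from the removed IMPORTANT callout; as plain body text it will age, so either drop the sentence (removing the preview notice already implies GA) or drop "now".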
@@ -30,6 +27,7 @@ For more information about incident integration and advanced hunting event colle
3027
- Your user must have read and write permissions on your Microsoft Sentinel workspace.
3128

3229
- To make any changes to the connector settings, your user must be a member of the same Azure Active Directory tenant with which your Microsoft Sentinel workspace is associated.
30+
- Install the solution for **Microsoft 365 Defender** from the **Content Hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
3331

3432
### Prerequisites for Active Directory sync via MDI
3533

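Review bot: 30+ follows 29 with no blank line, while the list items at 27 and 29 are separated by one; add the blank line for consistent list spacing.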
articles/sentinel/connect-syslog.md

Lines changed: 4 additions & 0 deletions
@@ -44,6 +44,10 @@ There are three steps to configuring Syslog collection:
4444

4545
- **Configure the Log Analytics agent itself**. This is done from within Microsoft Sentinel, and the configuration is sent to all installed agents.
4646

47+
## Prerequisites
48+
49+
Before you begin, install the solution for **Syslog** from the **Content Hub** in Microsoft Sentinel. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](sentinel-solutions-deploy.md).
50+
4751
## Configure your Linux machine or appliance
4852

4953
1. From the Microsoft Sentinel navigation menu, select **Data connectors**.
