title: Microsoft essential solutions for Microsoft Sentinel
2
+
title: ASIM-based domain solutions - Essentials for Microsoft Sentinel
3
3
description: Learn about the Microsoft essential solutions for Microsoft Sentinel that span across different ASIM schemas like networks, DNS, and web sessions.
4
4
author: cwatson-cat
5
5
ms.topic: conceptual
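Review bot: the new front-matter title on the `+` line, "ASIM-based domain solutions - Essentials for Microsoft Sentinel", doesn't match the new H1 introduced later in this same file, "Microsoft essential solutions - Advanced Security Information Model (ASIM) based domain solutions for Microsoft Sentinel"; the front-matter title is what shows up in browser tabs and search results, so pick one wording and use it in both places. The unchanged description line also promises "web sessions", while the only normalized tables named anywhere in this diff are the DNS and Network Session ones; please check that the schema list in the elided "ASIM schemas supported" section actually covers a web session schema, or drop it from the description.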
@@ -8,26 +8,25 @@ ms.author: cwatson
8
8
#Customer intent: As a security engineer, I want to minimize the amount of solution content I have to deploy and manage by using Microsoft essential solutions for Microsoft Sentinel.
9
9
---
10
10
11
-
# Microsoft essential solutions for Microsoft Sentinel
11
+
# Microsoft essential solutions - Advanced Security Information Model (ASIM) based domain solutions for Microsoft Sentinel
12
12
13
-
Microsoft essential solutions are a collection of solutions that....provide centralized content for specific domain categories...? Essential solutions use the normalization technique Advanced Security Information Model (ASIM) to normalize the data at query time or ingestion time. The ingestion time normalization results can be ingested into following normalized table:
13
+
Microsoft essential solutions helps you reduce the amount of content you manage in Microsoft Sentinel for specific domains like Security - Network. Essential solutions use the normalization technique Advanced Security Information Model (ASIM) to normalize the data at query time or ingestion time.
14
14
15
-
-[ASimDnsActivityLogs](/azure/azure-monitor/reference/tables/asimdnsactivitylogs) for the DNS schema.
16
-
-[ASimNetworkSessionLogs](/azure/azure-monitor/reference/tables/asimnetworksessionlogs) for the Network Session schema
15
+
## Why use ASIM-based Microsoft essential solutions
17
16
18
-
For more information, see [Ingest time normalization](/azure/sentinel/normalization-ingest-time).
17
+
When multiple solutions in a domain category share similar detection patterns, it makes sense to have the data captured under a normalized schema like ASIM. Essential solutions makes use of this ASIM schema to detect threats at scale.
19
18
20
-
## Why Microsoft essential solutions
19
+
- A normalized schema makes it easier for you to query incident details. You don't have to remember different vendor syntax for similar log attributes.
20
+
- If you don't have to manage content for multiple solutions, it makes use case deployment and incident handling much easier.
21
+
- A consolidated workbook view gives you better environment visibility and possible query time parsing with high performing ASIM parsers.
21
22
22
-
Today, we have over 280 product solutions in the content hub. There are multiple product solutions for different domain categories like Security - Network. For example, Azure Firewall, Palo Alto Firewall, and Corelight have product solutions for the Security-Network domain category.
23
+
In the content hub, there are multiple product solutions for different domain categories like Security - Network. For example, Azure Firewall, Palo Alto Firewall, and Corelight have product solutions for the Security-Network domain category.
23
24
24
25
- These solutions have differing data ingest components by design. But there’s a certain pattern to the analytics, hunting, workbooks, and other content within the same domain category.
25
26
- Most of the major network products have a common basic set of firewall alerts that includes malicious threats coming from unusual IP addresses. The analytic rule template is, in general, duplicated for each of the Security - Network category of product solutions. If you're running multiple network products, you need to check and configure multiple analytic rules individually, which is inefficient. You'd also get alerts for each rule configured and might end up with alert fatigue.
26
27
27
28
If you have duplicative hunting queries, you might have less performant hunting experiences with the run-all mode of hunting. These duplicative hunting queries also introduce inefficiencies for threat hunters to select-run similar queries.
28
29
29
-
Microsoft essential solution reduces the amount of content you need to manage or provides efficiencies in....
30
-
31
30
## ASIM schemas supported
32
31
33
32
The essentials solutions are currently spanned across the following different ASIM schemas that Sentinel supports:
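Review bot: subject-verb agreement on the new intro line: "Microsoft essential solutions helps you reduce the amount of content you manage" should read "help you reduce", and in the following paragraph "Essential solutions makes use of this ASIM schema" should read "make use". The third new bullet, "A consolidated workbook view gives you better environment visibility and possible query time parsing with high performing ASIM parsers", joins two unrelated benefits in one sentence; suggest splitting so the query-time parser performance point stands on its own, e.g. "A consolidated workbook view gives you better environment visibility." / "Query time parsing with high performing ASIM parsers means you can normalize without changing ingestion." Since the hunk already touches the surrounding paragraph, the unchanged line "The essentials solutions are currently spanned across" could be fixed to "The essential solutions currently span" in the same change.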
@@ -42,44 +41,23 @@ The essentials solutions are currently spanned across the following different AS
42
41
43
42
For more information, see [Advanced Security Information Model (ASIM) schemas](/azure/sentinel/normalization-about-schemas).
44
43
45
-
## Connectors not included
46
-
47
-
The essential solutions don't have a connector of their own. They depend on the source specific connectors to pull in the logs. Then the solutions use the ASIM parsers in their built in analytic rules, hunting queries, and workbooks to identify anomalies. The ASIM parsers provide a consolidated report or dashboard view for all the source specific solutions that were part of prerequisite lists.
48
-
49
-
## Network session essentials solution
50
-
51
-
One of the first solutions available in the essentials series is the network session essential solution. This solution doesn't have a connector of its own. Instead, it uses the ASIM parsers for query time parsing. This solution comes with seven analytic rules, four hunting queries, one playbook, one workbook, and watchlists.
44
+
## Ingestion time normalization
52
45
53
-
Analytics rules included:
46
+
The ingestion time normalization results can be ingested into following normalized table:
54
47
55
-
- Network session traffic anomaly
56
-
- Anomaly in port usage
57
-
- More than defined port usage
58
-
- Excessive number of failed connections from a Single source
59
-
- Detect possible flooding
60
-
- Possible external to internal port sweep
61
-
- Possible port scan
62
-
- Potential Beaconing activity
63
-
- TI map IP entity to Network Session Events
48
+
-[ASimDnsActivityLogs](/azure/azure-monitor/reference/tables/asimdnsactivitylogs) for the DNS schema.
49
+
-[ASimNetworkSessionLogs](/azure/azure-monitor/reference/tables/asimnetworksessionlogs) for the Network Session schema
64
50
65
-
Hunting queries included:
51
+
For more information, see [Ingest time normalization](/azure/sentinel/normalization-ingest-time).
66
52
67
-
- Detect Anomaly in port usage
68
-
- Detect More than defined port usage
69
-
- Detect multiple users with same MAC address
70
-
- Destination App and associated standard port mismatch
53
+
## Connectors not included
71
54
72
-
Playbook: Summarization playbook
55
+
The essential solutions don't have a connector of their own. They depend on the source specific connectors to pull in the logs. Then the solutions use the ASIM parsers in their built in analytic rules, hunting queries, and workbooks to identify anomalies. The ASIM parsers provide a consolidated report or dashboard view for all the source specific solutions that were part of prerequisite lists.
73
56
74
-
- The playbook summarizes end point security events and stores them in a pre-defined table.
75
-
- This playbook is helpful where you have a high number of end points security events. For example, you might have a high number of events in a large organization where network traffic is being monitoring by multiple source specific network solutions.
57
+
## Network session essentials solution
76
58
77
-
- By default, this playbook is available as a template. If you have a high number of end point security events on your network and you notice a performance issue when loading the workbook, then enable the playbook template.
59
+
One of the first solutions available in the essentials series is the network session essential solution. This solution doesn't have a connector of its own. Instead, it uses the ASIM parsers for query time parsing. For more information about this solution, see (Marketplace listing)
78
60
79
-
Workbook:
80
-
The workbook covers details for the following listed events.
61
+
## Next steps
81
62
82
-
- Traffic visibility
83
-
- Security visibility
84
-
- Policy rule
85
-
- Network security event viewer
63
+
-[Using the Advanced Security Information Model (ASIM)](/azure/sentinel/normalization-about-parsers)
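Review bot: the replacement sentence "For more information about this solution, see (Marketplace listing)" is an unresolved placeholder, not a Markdown link, and this hunk deletes the concrete inventory that previously told readers what they get (seven analytic rules, four hunting queries, the summarization playbook and the four workbook views); before merging, replace the placeholder with the real marketplace URL, or keep at least the counts so the section doesn't end on an empty pointer. Separately, the lines "-[ASimDnsActivityLogs](/azure/azure-monitor/reference/tables/asimdnsactivitylogs) for the DNS schema.", "-[ASimNetworkSessionLogs](...) for the Network Session schema" and "-[Using the Advanced Security Information Model (ASIM)](...)" have no space after the leading hyphen; if they're meant as bullets they need "- [" to render as a list instead of a literal hyphen, and the second one is also missing its terminating period while the first has one.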
articles/sentinel/sentinel-solutions-catalog.md
Lines changed: 1 addition & 1 deletion
@@ -30,7 +30,7 @@ When you deploy a solution, the security content included with the solution, suc
30
30
|**[Microsoft Defender for IoT](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-unifiedmicrosoftsocforot?tab=Overview)**|[Analytics rules, playbooks, workbook](iot-advanced-threat-monitoring.md)| Internet of Things (IoT), Security - Threat Protection | Microsoft |
31
31
|**[Maturity Model for Event Log Management M2131](https://azuremarketplace.microsoft.com/marketplace/apps/azuresentinel.azure-sentinel-solution-maturitymodelforeventlogma?tab=Overview)**|[Analytics rules, hunting queries, playbooks, workbook](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/modernize-log-management-with-the-maturity-model-for-event-log/ba-p/3072842)| Compliance | Microsoft|