articles/sentinel/domain-based-essential-solutions.md
13 additions & 12 deletions
@@ -5,27 +5,28 @@ author: cwatson-cat
5
5
ms.topic: conceptual
6
6
ms.date: 03/08/2023
7
7
ms.author: cwatson
8
-
#Customer intent: As a security engineer, I want to minimize the amount of solution content I have to deploy and manage by using Microsoft essential solutions for Microsoft Sentinel.
8
+
#Customer intent: As a security engineer, I want to learn how I can minimize the amount of solution content I have to deploy and manage by using Microsoft essential solutions for Microsoft Sentinel.
9
9
---
10
10
11
-
# Microsoft essential solutions - Advanced Security Information Model (ASIM) based domain solutions for Microsoft Sentinel
11
+
# Advanced Security Information Model (ASIM) based domain solutions for Microsoft Sentinel
12
12
13
-
Microsoft essential solutions helps you reduce the amount of content you manage in Microsoft Sentinel for specific domains like Security - Network. Essential solutions use the normalization technique Advanced Security Information Model (ASIM) to normalize the data at query time or ingestion time.
13
+
Microsoft essential solutions are solutions in Microsoft Sentinel that help you reduce the amount of content you manage for specific domains like "Security - Network". Essential solutions use the normalization technique Advanced Security Information Model (ASIM) to normalize the data at query time or ingestion time.
14
14
15
-
## Why use ASIM-based Microsoft essential solutions
15
+
## Why use ASIM-based Microsoft essential solutions?
16
16
17
-
When multiple solutions in a domain category share similar detection patterns, it makes sense to have the data captured under a normalized schema like ASIM. Essential solutions makes use of this ASIM schema to detect threats at scale.
17
+
When multiple solutions in a domain category share similar detection patterns, it makes sense to have the data captured under a normalized schema like ASIM. Essential solutions makes use of this ASIM schema to detect threats at scale.
18
18
19
-
- A normalized schema makes it easier for you to query incident details. You don't have to remember different vendor syntax for similar log attributes.
20
-
- If you don't have to manage content for multiple solutions, it makes use case deployment and incident handling much easier.
21
-
- A consolidated workbook view gives you better environment visibility and possible query time parsing with high performing ASIM parsers.
22
-
23
-
In the content hub, there are multiple product solutions for different domain categories like Security - Network. For example, Azure Firewall, Palo Alto Firewall, and Corelight have product solutions for the Security -Network domain category.
19
+
In the content hub, there are multiple product solutions for different domain categories like "Security - Network". For example, Azure Firewall, Palo Alto Firewall, and Corelight have product solutions for the "Security - Network" domain category.
24
20
25
21
- These solutions have differing data ingest components by design. But there’s a certain pattern to the analytics, hunting, workbooks, and other content within the same domain category.
26
-
- Most of the major network products have a common basic set of firewall alerts that includes malicious threats coming from unusual IP addresses. The analytic rule template is, in general, duplicated for each of the Security - Network category of product solutions. If you're running multiple network products, you need to check and configure multiple analytic rules individually, which is inefficient. You'd also get alerts for each rule configured and might end up with alert fatigue.
22
+
- Most of the major network products have a common basic set of firewall alerts that includes malicious threats coming from unusual IP addresses. The analytic rule template is, in general, duplicated for each of the "Security - Network" category of product solutions. If you're running multiple network products, you need to check and configure multiple analytic rules individually, which is inefficient. You'd also get alerts for each rule configured and might end up with alert fatigue.
23
+
- If you have duplicative hunting queries, you might have less performant hunting experiences with the run-all mode of hunting. These duplicative hunting queries also introduce inefficiencies for threat hunters to select and run similar queries.
27
24
28
-
If you have duplicative hunting queries, you might have less performant hunting experiences with the run-all mode of hunting. These duplicative hunting queries also introduce inefficiencies for threat hunters to select-run similar queries.
25
+
You might consider Microsoft essential solution for the following reasons:
26
+
27
+
- A normalized schema makes it easier for you to query incident details. You don't have to remember different vendor syntax for similar log attributes.
28
+
- If you don't have to manage content for multiple solutions, it makes use case deployment and incident handling much easier.
29
+
- A consolidated workbook view gives you better environment visibility and possible query time parsing with high performing ASIM parsers.
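Review bot: the new line 25, "You might consider Microsoft essential solution for the following reasons:", uses the singular while the rest of the article (including the new line 13, "Microsoft essential solutions are solutions in Microsoft Sentinel ...") uses the plural; make it "You might consider Microsoft essential solutions for the following reasons:". The sentence "Essential solutions makes use of this ASIM schema to detect threats at scale." (old 17 / new 17) is shown as touched but still has the same number disagreement and should read "Essential solutions make use of ...". Since the title, intro paragraph and bullet order all change in this hunk, the unchanged front-matter "ms.date: 03/08/2023" should also be bumped to the date of this revision.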