articles/sentinel/sentinel-content-centralize.md
Lines changed: 14 additions & 14 deletions
@@ -6,10 +6,10 @@ author: austinmccollum
ms.topic: conceptual
ms.date: 01/30/2023
ms.author: austinmc
-
#Customer intent: As a SIEM decision maker or implementer, I want to know about changes to out of the box content, and how to centralize the management, discovery and inventory of content in Sentinel.
+
#Customer intent: As a SIEM decision maker or implementer, I want to know about changes to out of the box content, and how to centralize the management, discovery and inventory of content in Microsoft Sentinel.
---
-
# Microsoft Sentinel OOTB content centralization changes
+
# Microsoft Sentinel out-of-the-box content centralization changes
Microsoft Sentinel Content hub enables discovery and on-demand installation of out-of-the-box (OOTB) content and solutions in a single step. Previously, some of this OOTB content only existed in various gallery sections of Sentinel. We're excited to announce *all* of the following gallery content templates are now available in content hub as standalone items or part of packaged solutions.
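Review bot: `ms.date: 01/30/2023` is left unchanged in the front matter while the article text is edited in this commit; bump it so the rendered "last updated" date reflects the change. The wording changes themselves are fine: spelling out "out-of-the-box" in the H1 matches how the body introduces the abbreviation ("out-of-the-box (OOTB)"), and "Microsoft Sentinel" in the customer-intent comment follows the product naming used in the rest of the file.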
@@ -20,12 +20,12 @@ Microsoft Sentinel Content hub enables discovery and on-demand installation of o
-**Workbook templates**
## Content hub changes
-
In order to centralize all out-of-the-box content, we're planning to retire the gallery-only content templates. The legacy gallery content templates are no longer being updated, and the content hub is where OOTB content is kept up to date. Content hub also provides update workflows for solutions and automatic updates for standalone content. To facilitate this transition, we're going to publish a central tool to reinstate corresponding `IN USE` retired templates from the Content hub.
+
In order to centralize all out-of-the-box content, we're planning to retire the gallery-only content templates. The legacy gallery content templates are no longer being updated consistently, and the content hub is where OOTB content is kept up to date. Content hub also provides update workflows for solutions and automatic updates for standalone content. To facilitate this transition, we're going to publish a central tool to reinstate corresponding **IN USE** retired templates from the Content hub.
## Sentinel GitHub changes
Microsoft Sentinel has an official [GitHub repository](https://github.com/Azure/Azure-Sentinel) for community contributions vetted by Microsoft and the community. It is the source for most of the content items in Content hub. In order to enable consistent discovery of all this content, the OOTB content centralization changes have already been extended to the Microsoft Sentinel GitHub repo. With this change:
-
- All OOTB content packaged in solutions in content hub now show up under the [Solutions folder](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions) in the GitHub repository.
+
- All OOTB content packaged in solutions in content hub now shows up under the [Solutions folder](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions) in the GitHub repository.
- All standalone OOTB content will continue to remain in their respective locations.
Together, these changes will complete the journey towards centralizing Microsoft Sentinel content.
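Review bot: the added hedge "no longer being updated consistently" weakens the previous flat statement and leaves it unclear whether legacy gallery templates still receive any updates at all; a SOC deciding whether to migrate its detection rule templates to Content hub needs a definite answer, so either keep "are no longer being updated" or say what "consistently" excludes. Changing **IN USE** from a code span to bold is right, since it is a UI status label rather than code. On the unchanged context line "All standalone OOTB content will continue to remain in their respective locations": "content" is singular, so "its respective locations", and "continue to remain" can be just "remain".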
@@ -62,7 +62,7 @@ The active or custom items created in any manner (from templates or otherwise) a
Any OOTB content templates installed from content hub (identifiable as *Content source = Content hub*) are NOT affected by this change.
### What's changing?
-
All template galleries will display an in-product warning banner. This banner will contain a link to a tool that will run within the Microsoft Sentinel portal. Activating the tool will initiate a guided experience to reinstate the content templates for the `IN USE` retired templates from the Content hub. This tool only needs to be run once per workspace, so be sure to plan with your organization. Once the tool runs successfully, the warning banner will resolve and no longer be visible from the template galleries of that workspace.
+
All template galleries will display an in-product warning banner. This banner will contain a link to a tool that will run within the Microsoft Sentinel portal. Activating the tool will initiate a guided experience to reinstate the content templates for the **IN USE** retired templates from the Content hub. This tool only needs to be run once per workspace, so be sure to plan with your organization. Once the tool runs successfully, the warning banner will resolve and no longer be visible from the template galleries of that workspace.
Specific impact to the gallery content templates for each of these galleries are detailed in the following table. Expect these changes when the OOTB content centralization goes live.
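Review bot: the **IN USE** formatting change here is consistent with the earlier hunk; while in this region, the unchanged context line "Specific impact to the gallery content templates for each of these galleries are detailed in the following table" has a subject-verb mismatch and should read "is detailed" (or "Specific impacts ... are detailed").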
@@ -76,27 +76,27 @@ Specific impact to the gallery content templates for each of these galleries are
Here's an example of an Analytics rule before and after the centralization changes and the tool has run.
- The active Analytics rule won't change at all. We can see it's based on an Analytics rule template that will be retired.
-
:::image type="content" source="media/sentinel-content-centralize/before-tool-analytic-rule-active.png" alt-text="This screenshot shows an active Analytics rule before centralization changes.":::
+
:::image type="content" source="media/sentinel-content-centralize/before-tool-analytic-rule-active-2.png" alt-text="This screenshot shows an active Analytics rule before centralization changes.":::
- This screenshot shows the Analytics rule template before the change that will be retired.
-
:::image type="content" source="media/sentinel-content-centralize/before-tool-analytic-rule-template.png" alt-text="This screenshot shows the Analytics rule template that will be retired.":::
+
:::image type="content" source="media/sentinel-content-centralize/before-tool-analytic-rule-template-2.png" alt-text="This screenshot shows the Analytics rule template that will be retired.":::
-
-Here is the Analytics rule template after the tool has been run to reinstate it.
-
:::image type="content" source="media/sentinel-content-centralize/after-tool-analytic-rule-template.png" alt-text="This screenshot shows the Analytics rule template after being reinstated.":::
+
-After the tool has been run to reinstate the Analytics rule template, the source changes to the solution it's reinstated from.
+
:::image type="content" source="media/sentinel-content-centralize/after-tool-analytic-rule-template-2.png" alt-text="This screenshot shows the Analytics rule template after being reinstated from the Content hub Azure Active Directory solution.":::
## Action needed
- Starting now, install new OOTB content from Content hub and update solutions as needed to have the latest version of the templates.
- For existing gallery content templates in use, get future updates by installing the respective solutions or standalone content items from Content hub. The gallery content in the feature galleries may be out-of-date.
- If you have applications or processes that directly get OOTB content from the Microsoft Sentinel GitHub repository, update the locations to include getting OOTB content from the solutions folder in addition to existing content folders.
-
- Plan with your organization who and when will run the tool when you see the warning banner and the change goes live in Q2 2023. The tool needs to be run once in a workspace to reinstate all `IN USE` retired templates from the Content hub.
+
- Plan with your organization who and when will run the tool when you see the warning banner and the change goes live in Q2 2023. The tool needs to be run once in a workspace to reinstate all **IN USE** retired templates from the Content hub.
- Review the FAQs section to learn more details that may be applicable to your environment.
## Content centralization FAQs
#### Will my SOC alert generation or incidents generation and management be impacted with this change?
No, there's no impact to active alert rules or detections, or active playbooks, or cloned hunting queries, or saved workbooks. The OOTB content centralization change won't impact your current incident generation and management processes.
-
#### Are there exceptions on impacts to some of the gallery content templates as part of this centralization?
-
Analytics rule templates of the following types won't be impacted by this change:
+
#### Are there any gallery content exceptions?
+
Yes, the following Analytics rule template types won't be impacted by this change.
- Fusion templates
- Anomalies templates
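Review bot: the rewritten line "-After the tool has been run to reinstate the Analytics rule template, the source changes to the solution it's reinstated from." still lacks the space after the leading hyphen that the sibling bullets "- The active Analytics rule won't change at all." and "- This screenshot shows the Analytics rule template before the change that will be retired." have, so it renders as a paragraph beginning with "-After" instead of as the third list item; the removed line had the same defect and the rewrite carries it over. Suggested fix: `- After the tool has been run to reinstate the Analytics rule template, the source changes to the solution it's reinstated from.` Also, the new alt text names the "Content hub Azure Active Directory solution" as the reinstated source while the sentence itself does not; naming the solution in the body text too lets readers who cannot see the screenshot follow the before/after comparison. The FAQ reword ("Are there any gallery content exceptions?" with a direct "Yes, ..." answer) reads better than the original.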
@@ -112,9 +112,9 @@ New content hub API operations will be available soon to enable OOTB content man
**Action needed:** Plan to update your applications and processes to utilize the new content hub OOTB content management APIs when those are available in Q2 2023.
#### How will the central tool identify my in-use OOTB content templates?
-
The tool will look for data connectors with "status = connected" to build a list of solutions and standalone content that you can review and install to get the content hub OOTB content templates in all the impacted feature galleries. There is a specific check for `IN USE` playbook templates. Since this process installs solutions, you might get more OOTB content items that match the connected data source than you might be actually using.
+
The tool will look for data connectors with "status = connected" to build a list of solutions and standalone content that you can review and install to get the content hub OOTB content templates in all the impacted feature galleries. There is a specific check for **IN USE** playbook templates. Since this process installs solutions, you might get more OOTB content items that match the connected data source than you might be actually using.
-
Please note that this central tool is a best-effort to get your `IN USE` OOTB content templates reinstated from content hub. You can get additional OOTB content or content might be missing that you can get directly by installing from content hub.
+
Please note that this central tool is a best-effort to get your **IN USE** OOTB content templates reinstated from content hub. You can get additional OOTB content or content might be missing that you can get directly by installing from content hub.
#### What if I am using APIs to connect data sources in my Microsoft Sentinel workspace?
Currently all the data connectors exist in the data connectors gallery so you can see the specific data connector show up as "status = Connected" if the specific data type matches with that referenced in the data connector. After the centralization experiences go live, the specific data connector needs to be installed from the respective solution to get the same behavior.
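Review bot: the connector state is still spelled two ways in this region, "status = connected" in the tool description and "status = Connected" in the unchanged API FAQ answer below it; pick the spelling that matches the portal label and use it in both. More substantively, the tool infers in-use content from connected data connectors and only playbook templates get a dedicated **IN USE** check, so gallery analytics rule, hunting query and workbook templates that run against data arriving without a "connected" connector (the API-ingestion case the FAQ below describes) can be missed; stating that limitation explicitly in the best-effort paragraph, rather than only "content might be missing", tells teams to verify their detection templates after running the tool. Style: "Please note that" at the start of that paragraph can be dropped.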