File: learn-pr/wwl-sci/manage-content-microsoft-sentinel/includes/1-introduction.md (4 additions & 15 deletions)
@@ -11,28 +11,17 @@ Content in Microsoft Sentinel includes any of the following types:
11
11
-**Watchlists** support the ingestion of specific data for enhanced threat detection and reduced alert fatigue
12
12
-**Playbooks** and Azure Logic Apps custom connectors provide features for automated investigations, remediations, and response scenarios in Microsoft Sentinel
13
13
14
-
15
14
To maintain **content** in for Microsoft Sentinel use:
15
+
16
16
-**Content hub**: - Microsoft Sentinel **solutions** are packages of Microsoft Sentinel content or Microsoft Sentinel API integrations, which fulfill an end-to-end product, domain, or industry vertical scenario in Microsoft Sentinel.
17
17
-**Repositories**: - Repositories help you automate the deployment and management of your Microsoft Sentinel content through central repositories.
18
-
-**Community**: Onboard community content on-demand to enable your scenarios. The GitHub repo at https://github.com/Azure/Azure-Sentinel contains content by Microsoft and the community that is tested and available for you to implement in your Sentinel workspace.
19
-
20
-
21
-
You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You need to install connectors and analytical rules from a vendor. You also have created a library of hunting queries that need to be maintained across multiple environments.
18
+
-**Community**: Onboard community content on-demand to enable your scenarios. The GitHub repo at <https://github.com/Azure/Azure-Sentinel> contains content by Microsoft and the community that is tested and available for you to implement in your Sentinel workspace.
22
19
20
+
You're a Security Operations Analyst working at a company that implemented Microsoft Sentinel. You need to install connectors and analytical rules from a vendor. You also created a library of hunting queries that need to be maintained across multiple environments.
23
21
24
-
By the end of this module, you'll be able to manage *content* in Microsoft Sentinel.
22
+
By the end of this module, you are able to manage *content* in Microsoft Sentinel.
25
23
26
24
After completing this module, you'll be able to:
27
25
28
26
- Install a content hub solution in Microsoft Sentinel
29
27
- Connect a GitHub repository to Microsoft Sentinel
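Review bot: the lead-in `To maintain **content** in for Microsoft Sentinel use:` is kept as unchanged context while all three bullets it introduces (**Content hub**, **Repositories**, and both copies of **Community**) are deleted and nothing is added in their place, so the sentence now ends in a colon with no list under it; either restore the three items (the two **Community** lines differ only in how the URL is wrapped, so keep the `<https://github.com/Azure/Azure-Sentinel>` form) or drop the lead-in, and fix the typo `in for` while touching it. Deleting the **Watchlists** and **Playbooks** items also narrows what the module lists as Sentinel content types; confirm that is intended rather than a stray deletion. Lastly, the reworded `By the end of this module, you are able to manage *content*` is stilted; `you can manage *content*` keeps the present tense without the awkwardness.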
File: learn-pr/wwl-sci/manage-content-microsoft-sentinel/includes/2-use-solutions-from-content-hub.md (3 additions & 3 deletions)
@@ -8,8 +8,8 @@ Manage updates for out-of-the-box content via the Microsoft Sentinel Content hub
8
8
9
9
Customize out-of-the-box content for your own needs, or create custom content, including analytics rules, hunting queries, notebooks, workbooks, and more. Manage your custom content directly in your Microsoft Sentinel workspace, via the Microsoft Sentinel API, or in your own source control repository, via the Microsoft Sentinel Repositories page.
10
10
11
-
12
11
## Solutions
12
+
13
13
Microsoft Sentinel solutions are packaged content or integrations that deliver end-to-end product value for one or more domain or vertical scenarios.
14
14
15
15
The solutions experience is powered by Azure Marketplace for solutions’ discoverability and deployment.
@@ -37,12 +37,12 @@ Use the Content hub to centrally discover and deploy solutions and out-of-the-bo
37
37
38
38
For example, in the Cisco Umbrella solution shows a category of Security - Others, and that this solution includes 10 analytics rules, 11 hunting queries, a parser, three playbooks, and more.
39
39
40
+
## Install or update a solution
40
41
41
-
### Install or update a solution
42
42
- In the content hub, select a solution to view more information on the right. Then select Install, or Update, if you need updates. For example:
43
43
44
44
- On the solution details page, select Create or Update to start the solution wizard. On the wizard's Basics tab, enter the subscription, resource group, and workspace to which you want to deploy the solution.
45
45
46
46
- Select Next to cycle through the remaining tabs (corresponding to the components included in the solution), where you can learn about, and in some cases configure, each of the content components.
47
47
48
-
- Finally, in the Review + create tab, wait for the Validation Passed message, then select Create or Update to deploy the solution. You can also select the Download a template for automation link to deploy the solution as code.
48
+
- Finally, in the Review + create tab, wait for the Validation Passed message, then select Create or Update to deploy the solution. You can also select the Download a template for automation link to deploy the solution as code.
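Review bot: after this hunk the `## Install or update a solution` heading sits directly above the existing `### Install or update a solution` heading with identical text, so the section title renders twice at two levels; drop the H3 (or retitle it, for example `### Steps`) so the H2 alone introduces the procedure. The first step, `Then select Install, or Update, if you need updates. For example:`, ends with a lead-in to an example that nothing in the hunk follows up; remove `For example:` or add the example it promises. The final `- Finally, in the Review + create tab...` bullet is deleted and re-added with identical visible text, which points to a trailing-whitespace or line-ending change; worth confirming so the diff stays whitespace-clean. The context line `For example, in the Cisco Umbrella solution shows a category of Security - Others` also needs `in` removed to read correctly.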
File: learn-pr/wwl-sci/manage-content-microsoft-sentinel/includes/3-use-repositories-for-deployment.md (13 additions & 15 deletions)
@@ -1,7 +1,7 @@
1
1
When creating custom content, you can store and manage it in your own Microsoft Sentinel workspaces, or an external source control repository, including GitHub and Azure DevOps repositories. Managing your content in an external repository allows you to make updates to that content outside of Microsoft Sentinel, and have it automatically deployed to your workspaces.
2
2
3
-
4
3
## Prerequisites and scope
4
+
5
5
Before connecting your Microsoft Sentinel workspace to an external source control repository, make sure that you have:
6
6
7
7
- Access to a GitHub or Azure DevOps repository, with any custom content files you want to deploy to your workspaces, in relevant Azure Resource Manager (ARM) templates.
@@ -11,11 +11,13 @@ Before connecting your Microsoft Sentinel workspace to an external source contro
11
11
- An Owner role in the resource group that contains your Microsoft Sentinel workspace. This role is required to create the connection between Microsoft Sentinel and your source control repository. If you're unable to use the Owner role in your environment, you can instead use the combination of User Access Administrator and Sentinel Contributor roles to create the connection.
12
12
13
13
## Maximum connections and deployments
14
+
14
15
Each Microsoft Sentinel workspace is currently limited to five connections.
15
16
16
17
Each Azure resource group is limited to 800 deployments in its deployment history. If you have a high volume of ARM template deployments in your resource group(s), you may see a Deployment QuotaExceeded error.
17
18
18
19
## Validate your content
20
+
19
21
Deploying content to Microsoft Sentinel via a repository connection doesn't validate that content other than verifying that the data is in the correct ARM template format.
20
22
21
23
We recommend that you validate your content templates using your regular validation process. You can use the Microsoft Sentinel GitHub validation process and tools to set up your own validation process.
@@ -42,24 +44,23 @@ To create your connection:
42
44
43
45
- Enter your GitHub credentials when prompted.
44
46
45
-
The first time you add a connection, you'll see a new browser window or tab, prompting you to authorize the connection to Microsoft Sentinel. If you're already logged into your GitHub account on the same browser, your GitHub credentials will be auto-populated.
47
+
The first time you add a connection, you see a new browser window or tab, prompting you to authorize the connection to Microsoft Sentinel. If you're already logged into your GitHub account on the same browser, your GitHub credentials are auto-populated.
46
48
47
49
- A Repository area now shows on the Create a new connection page, where you can select an existing repository to connect to. Select your repository from the list, and then select Add repository.
48
50
49
-
The first time you connect to a specific repository, you'll see a new browser window or tab, prompting you to install the Azure-Sentinel app on your repository. If you have multiple repositories, select the ones where you want to install the Azure-Sentinel app, and install it.
51
+
The first time you connect to a specific repository, you see a new browser window or tab, prompting you to install the Azure-Sentinel app on your repository. If you have multiple repositories, select the ones where you want to install the Azure-Sentinel app, and install it.
50
52
51
-
You'll be directed to GitHub to continue the app installation.
53
+
You are directed to GitHub to continue the app installation.
52
54
53
55
- After the Azure-Sentinel app is installed in your repository, the Branch dropdown in the Create a new connection page is populated with your branches. Select the branch you want to connect to your Microsoft Sentinel workspace.
54
56
55
-
- From the Content Types dropdown, select the type of content you'll be deploying.
56
-
57
-
- Both parsers and hunting queries use the Saved Searches API to deploy content to Microsoft Sentinel. If you select one of these content types, and also have content of the other type in your branch, both content types are deployed.
57
+
- From the Content Types dropdown, select the type of content you are deploying.
58
58
59
-
- For all other content types, selecting a content type in the Create a new connection pane deploys only that content to Microsoft Sentinel. Content of other types isn't deployed.
59
+
- Both parsers and hunting queries use the Saved Searches API to deploy content to Microsoft Sentinel. If you select one of these content types, and also have content of the other type in your branch, both content types are deployed.
60
60
61
-
- Select Create to create your connection.
61
+
- For all other content types, selecting a content type in the Create a new connection pane deploys only that content to Microsoft Sentinel. Content of other types isn't deployed.
62
62
63
+
- Select Create to create your connection.
63
64
64
65
After the connection is created, a new workflow or pipeline is generated in your repository, and the content stored in your repository is deployed to your Microsoft Sentinel workspace.
65
66
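Review bot: `You are directed to GitHub to continue the app installation.` is inconsistent with the contraction kept on the neighbouring line (`If you're already logged into your GitHub account`) and with the `you see` / `you are deploying` wording the rest of this hunk adopts; `You're directed` reads better and matches. The `- Both parsers and hunting queries use the Saved Searches API...` and `- For all other content types...` bullets are details of the `From the Content Types dropdown` step; now that the blank lines separating them are removed, make sure they remain indented under that step so they render as nested items rather than as additional top-level steps.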
@@ -71,15 +72,12 @@ The deployment time may vary depending on the volume of content that you're depl
71
72
72
73
- In Microsoft Sentinel, from the dropdown lists that appear, select your Organization, Project, Repository, Branch, and Content Types.
73
74
74
-
- Both parsers and hunting queries use the Saved Searches API to deploy content to Microsoft Sentinel. If you select one of these content types, and also have content of the other type in your branch, both content types are deployed.
75
+
- Both parsers and hunting queries use the Saved Searches API to deploy content to Microsoft Sentinel. If you select one of these content types, and also have content of the other type in your branch, both content types are deployed.
75
76
76
-
- For all other content types, selecting a content type in the Create a new connection pane deploys only that content to Microsoft Sentinel. Content of other types isn't deployed.
77
+
- For all other content types, selecting a content type in the Create a new connection pane deploys only that content to Microsoft Sentinel. Content of other types isn't deployed.
77
78
78
79
- Select Create to create your connection. For example:
79
80
80
-
81
-
82
-
83
81
After the connection is created, a new workflow or pipeline is generated in your repository, and the content stored in your repository is deployed to your Microsoft Sentinel workspace.
84
82
85
-
The deployment time may vary depending on the volume of content that you're deploying.
83
+
The deployment time may vary depending on the volume of content that you're deploying.
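Review bot: with the three blank lines after `- Select Create to create your connection. For example:` removed, the step now ends on `For example:` and runs straight into `After the connection is created, a new workflow or pipeline is generated...`, which describes what happens rather than giving the example the colon promises; either drop `For example:` or put the example back. The `- Both parsers and hunting queries...`, `- For all other content types...` and `The deployment time may vary...` lines are each deleted and re-added with identical visible text, so that part of the hunk is a whitespace-only change; the two bullets also repeat word for word the same two bullets in the GitHub connection steps earlier in this file, so a shared include or one statement covering both connection types would avoid maintaining them twice.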
By the end of this module, you'll be able to manage *content* in Microsoft Sentinel.
2
+
By the end of this module, you're able to manage *content* in Microsoft Sentinel.
3
3
4
4
You should now be able to:
5
5
6
6
- Install a content hub solution in Microsoft Sentinel
7
7
- Connect a GitHub repository to Microsoft Sentinel
8
8
9
-
10
9
## Learn more
11
10
12
11
You can learn more by reviewing the following.
13
12
14
13
[Become a Microsoft Sentinel Ninja](https://techcommunity.microsoft.com/t5/azure-sentinel/become-an-azure-sentinel-ninja-the-complete-level-400-training/ba-p/1246310?azure-portal=true)
15
14
16
-
[Microsoft Tech Community Security Webinars](https://techcommunity.microsoft.com/t5/microsoft-security-and/security-community-webinars/ba-p/927888?azure-portal=true)
15
+
[Microsoft Tech Community Security Webinars](https://techcommunity.microsoft.com/t5/microsoft-security-and/security-community-webinars/ba-p/927888?azure-portal=true)
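Review bot: this file's rewording `By the end of this module, you're able to manage *content*` differs from the same sentence in `1-introduction.md` in this commit, which becomes `you are able to manage *content*`; the two includes should use the same form, and `you can manage *content*` reads more naturally than either. The closing `[Microsoft Tech Community Security Webinars]` link is deleted and re-added with identical visible text, so that part of the change is whitespace only.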