The content hub in Microsoft Sentinel is the centralized location to discover and manage out-of-the-box content including data connectors.
Microsoft Sentinel content is Security Information and Event Management (SIEM) content that enables customers to ingest data, monitor, alert, hunt, investigate, respond, and connect with different products, platforms, and services in Microsoft Sentinel. Microsoft Sentinel solutions are packages of content (data connectors, workbooks, analytic rules, playbooks, and so on) or API integrations that fulfill an end-to-end product, domain, or industry vertical scenario in Microsoft Sentinel. In terms of out-of-the-box content, these 90+ solutions in the Content hub comprise over 60 data connectors, 250 analytic rules, 100 playbooks, 150 hunting queries, and about 40 workbooks.
Use cases for the Content hub are as follows:
- Discover solutions for your scenarios by leveraging enhanced search capabilities. Filter by specific domain or vertical categories, other parameters like content type or provider, or use the powerful text search, to find the content that works best for your organization's needs.
- Install a solution in a single step to get out-of-the-box content to immediately unlock your end-to-end use cases.
- Manage updates for out-of-the-box content easily and get visibility on which solutions carry new updates.
- Get clarity on the support model for each solution.
In this article, I will be showing you how to:
a. Install the following solutions:
Windows Security Events.
Azure Activity connector.
Microsoft Defender for Cloud.
b. Configure the data connector for Azure Activity to apply all new and existing resources in the subscription.
c. Configure the data connector for Microsoft Defender for Cloud to connect to the Azure subscription and ensure that only bi-directional sync is enabled.
d. Enable an analytics rule based on the Suspicious number of resource creation or deployment activities template. The rule should run every hour and only look up data for that last hour.
e. Ensure that the Azure Activity workbook is available in My workbooks.
Task 1 - Deploy a Microsoft Sentinel Content Hub solution
Deploy a Content Hub solution and configure Data connectors.
- In Microsoft Sentinel, go to the Content Management menu section and select Content Hub.
- Search for and select Windows Security Events.
- Select the link to View details.
- Select the Windows Security Events plan, and select Create.
- Select the resource group that includes the Microsoft Sentinel workspace, and select the Workspace.
- Select Next to the Data Connectors tab (the solution will deploy 2 data connectors).
- Select Next to the Workbooks tab (the solution installs workbooks).
- Select Next to the Analytics tab (the solution installs analytics rules).
- Select Next to the Hunting queries tab (the solution installs hunting queries).
- Select Review + create.
- Select Create.
- Repeat these steps for the Azure Activity and the Microsoft Defender for Cloud solutions.
Task 2 - Set up the data connector for Azure Activity
Configure the data connector for Azure Activity to apply all new and existing resources in the subscription.
- In Microsoft Sentinel, go to the Content Management menu section and select Content Hub.
- In the Content hub, filter Status for Installed Solutions.
- Select the Azure Activity solution and select Manage.
- Select the Azure Activity Data connector and select the Open connector page.
- In the Configuration area under the Instructions tab, scroll down to 2. Connect your subscriptions..., and select Launch Azure Policy Assignment Wizard>.
- In the Basics tab, select the ellipsis button (…) under Scope and select your subscription from the drop-down list, and click Select.
- Select the Parameters tab, and choose your workspace from the Primary Log Analytics workspace drop-down list.
- Select the Remediation tab and select the Create a remediation task checkbox.
- Select the Review + Create button to review the configuration.
- Select Create to finish.
Task 3 - Set up the Defender for Cloud data connector
Configure the data connector for Microsoft Defender for Cloud and ensure that only incident management is configured.
- In Microsoft Sentinel, go to the Content Management menu section and select Content Hub.
- In the Content hub, filter Status for Installed Solutions.
- Select the Microsoft Defender for Cloud solution and select Manage.
- Select the Subscription-based Microsoft Defender for Cloud (Legacy) Data connector and select Open connector page.
- In the Configuration area under the Instructions tab, scroll down to your subscription and move the slider in the Status column to Connected.
- Make sure Bi-directional sync is Enabled.
Task 4 - Create an analytics rule
Create an analytic rule based on the Suspicious number of resource creation or deployment activities template. The rule should run every hour and only look up data for the last hour.
- In Microsoft Sentinel, go to the Configuration menu section and select Analytics.
- In the Rule templates tab, search for Suspicious number of resource creation or deployment activities.
- Select the Suspicious number of resource creation or deployment activities, and select Create rule.
- Leave the defaults on the General tab and select Next: Set rule logic >.
- Leave the default Rule query and configure Query scheduling using the table:

| Setting | Value |
| --- | --- |
| Run query every | 1 Hour |
| Lookup data from the last | 1 Hour |

- Select Next: Incident settings >.
- Leave the defaults and select Next: Automated response >.
- Leave the defaults and select Next: Review and create >.
- Select Save.
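To make the schedule above concrete, here is an added illustration (not the template's own KQL query, which is left at its default in the portal) of what "run every 1 hour, look up the last 1 hour" means for a scheduled rule: each run inspects exactly one non-overlapping hour of AzureActivity rows, counts successful resource creation or deployment operations per caller, and flags callers above a threshold. The column names follow the AzureActivity table (TimeGenerated, Caller, OperationNameValue, ActivityStatusValue); the rows, the threshold of 5 and the status value "Success" are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Operations treated as "resource creation or deployment" in this example
# (a constructed subset, not the template's full list).
CREATION_OPS = (
    "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE",
    "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE",
)


def row(ts, caller, op="MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE", status="Success"):
    """Build one AzureActivity-shaped record (constructed sample data)."""
    return {"TimeGenerated": ts, "Caller": caller,
            "OperationNameValue": op, "ActivityStatusValue": status}


# Constructed sample: alice runs one deployment before the window and six inside it;
# bob creates a VM and one deployment, has one failed write and one read.
SAMPLE_ROWS = (
    [row("2024-05-01T09:30:00Z", "alice@contoso.example")]
    + [row(f"2024-05-01T10:{m:02d}:00Z", "alice@contoso.example") for m in (5, 12, 20, 33, 41, 50)]
    + [row("2024-05-01T10:15:00Z", "bob@contoso.example", "MICROSOFT.COMPUTE/VIRTUALMACHINES/WRITE"),
       row("2024-05-01T10:16:00Z", "bob@contoso.example"),
       row("2024-05-01T10:45:00Z", "bob@contoso.example", status="Failure"),
       row("2024-05-01T10:47:00Z", "bob@contoso.example", "MICROSOFT.COMPUTE/VIRTUALMACHINES/READ")]
)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def creation_counts(rows, run_time_iso, lookback_hours=1):
    """Count successful creation/deployment ops per caller in (run_time - lookback, run_time]."""
    end = parse_ts(run_time_iso)
    start = end - timedelta(hours=lookback_hours)
    counts = Counter()
    for r in rows:
        ts = parse_ts(r["TimeGenerated"])
        if (start < ts <= end and r["OperationNameValue"] in CREATION_OPS
                and r["ActivityStatusValue"] == "Success"):
            counts[r["Caller"]] += 1
    return dict(counts)


def suspicious_callers(rows, run_time_iso, threshold=5, lookback_hours=1):
    """Callers whose creation count in the run's window meets the threshold."""
    counts = creation_counts(rows, run_time_iso, lookback_hours)
    return sorted(c for c, n in counts.items() if n >= threshold)


def coverage_gap_minutes(frequency_minutes, lookback_minutes):
    """Minutes per run that no window inspects; zero when lookback >= frequency."""
    return max(frequency_minutes - lookback_minutes, 0)
```

The last function shows why the lookup period must be at least as long as the run frequency: with 60/60 as in the table the windows tile the timeline with no gaps, whereas a shorter lookback would leave activity unexamined.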
Task 5 - Ensure that the Azure Activity workbook is available in My workbooks
- In Microsoft Sentinel, go to the Content Management menu section and select Content Hub.
- In the Content hub, filter Status for Installed Solutions.
- Select the Azure Activity solution and select Manage.
- Select the Azure Activity workbook checkbox, and then select Configuration.
- Select the Azure Activity workbook and select Save.
- Choose the Azure Region for your Microsoft Sentinel workspace.