We are excited to announce that all Microsoft Sentinel out-of-the-box (OOTB) content and solutions are available in the content hub, allowing customers to easily discover and manage packaged solutions for end-to-end SOC use cases based on products, domains, or industry. With this, changes are coming soon in Q2 FY23 to complete OOTB content centralization. The goal of these changes is to enable a consistent, scenario-driven approach to onboarding OOTB content as needed. This article describes the changes and the actions needed.
The Microsoft Sentinel content hub enables discovery and on-demand installation of OOTB content and solutions in a single step. Earlier, some of this OOTB content existed in various gallery sections of Microsoft Sentinel. Now, all the following gallery content templates are available in content hub as standalone items or as part of packaged solutions:
- Data connectors
- Analytics rule templates
- Hunting queries
- Playbook templates
- Workbook templates
For consistent discovery of content, the OOTB content centralization changes have already been extended to the Microsoft Sentinel GitHub repo. To learn more about the GitHub repo changes, see Out-of-the-box (OOTB) content centralization changes - Microsoft Sentinel | Microsoft Learn.
The changes to Microsoft Sentinel (coming soon) and the Microsoft Sentinel GitHub repo will complete the journey toward centralizing Microsoft Sentinel content.
Microsoft Sentinel Content hub
What’s changing in Microsoft Sentinel?
Starting in Q2 2023, the gallery-only content templates will be retired. The legacy gallery content templates will no longer be updated, and all OOTB content will be kept up to date in the content hub. The content hub already provides an update experience for solutions and automatic updates for standalone content templates.
To facilitate this transition, we will publish a central tool to reinstate IN USE retired templates from corresponding content hub solutions.
When is the change going live?
The centralization change in the Microsoft Sentinel portal is expected to go live in all Microsoft Sentinel workspaces in Q2 2023. The Microsoft Sentinel GitHub changes are completed. Standalone content is available in existing GitHub folders, and solution content has been moved to the Solutions folder.
What action should I take now?
- Install new OOTB content from the content hub and update solutions as needed to have the latest versions of templates.
- For existing gallery content templates in use, get future updates by installing the solutions or standalone content items from the content hub. The gallery content in the feature galleries might be out of date.
- If you have applications or processes that directly get OOTB content from the Microsoft Sentinel GitHub repository, update the locations to include getting OOTB content from the Solutions folder in addition to existing content folders.
- Plan with your organization who will run the tool, and when, after you see the warning banner and the change goes live in Q2 2023. The tool needs to run only once per workspace to reinstate all IN USE retired templates from the content hub.
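The third action item above, as an added example (this is not code from the announcement or from the Microsoft Sentinel repository): a script that pulls OOTB templates from a local clone must scan the Solutions folder in addition to the existing standalone folders. The folder names `Detections` and `Analytic Rules`, the `.yaml` suffix, and the sample tree the script builds are assumptions for illustration only.

```python
import tempfile
from pathlib import Path

# Assumed layout (hypothetical, modelled on the announcement's description):
#   <repo>/<standalone folder>/...                   standalone content
#   <repo>/Solutions/<solution name>/<subfolder>/...  solution content
STANDALONE_DIR = "Detections"        # assumption: one existing standalone folder
SOLUTION_SUBDIR = "Analytic Rules"   # assumption: matching subfolder inside a solution
SUFFIX = ".yaml"                     # assumption: template file extension


def legacy_collect(repo_root):
    """Old process: only the standalone folder is scanned, so solution content is missed."""
    root = Path(repo_root)
    base = root / STANDALONE_DIR
    if not base.is_dir():
        return {}
    return {p.relative_to(root).as_posix(): "standalone" for p in base.rglob("*" + SUFFIX)}


def collect_templates(repo_root):
    """Updated process: scan the standalone folder AND every Solutions/<name>/<subfolder>."""
    root = Path(repo_root)
    found = dict(legacy_collect(repo_root))
    solutions = root / "Solutions"
    if not solutions.is_dir():
        return found
    for solution in sorted(p for p in solutions.iterdir() if p.is_dir()):
        sub = solution / SOLUTION_SUBDIR
        if not sub.is_dir():
            continue  # solution has no content of this kind
        for p in sub.rglob("*" + SUFFIX):
            found[p.relative_to(root).as_posix()] = "solution:" + solution.name
    return found


def build_sample_repo():
    """Constructed sample tree (not the real repo): 2 standalone and 3 solution templates."""
    root = Path(tempfile.mkdtemp(prefix="sentinel-sample-"))
    files = [
        f"{STANDALONE_DIR}/SigninLogs/rule_a{SUFFIX}",
        f"{STANDALONE_DIR}/AuditLogs/rule_b{SUFFIX}",
        f"Solutions/SampleSolutionOne/{SOLUTION_SUBDIR}/rule_c{SUFFIX}",
        f"Solutions/SampleSolutionOne/{SOLUTION_SUBDIR}/rule_d{SUFFIX}",
        f"Solutions/SampleSolutionTwo/{SOLUTION_SUBDIR}/rule_e{SUFFIX}",
        "Solutions/SampleSolutionTwo/README.md",  # not a template; must be ignored
    ]
    for rel in files:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("id: " + path.stem + "\n")
    return root


if __name__ == "__main__":
    repo = build_sample_repo()
    print("legacy :", len(legacy_collect(repo)))     # 2
    print("updated:", len(collect_templates(repo)))  # 5
```

Running the script shows the gap: the legacy scan finds only the two standalone templates, while the updated scan also returns the three templates that live under the Solutions folder.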
Review the FAQs in the documentation to learn more details about specific scenarios that might apply to your environment.
Learn more about the OOTB content centralization changes, take necessary recommended actions, and install content on-demand for your needs from Microsoft Sentinel content hub going forward. Let us know your feedback using any of the channels listed in the questions or feedback section.