5.8 Content Hub and Solutions
By the end of this subsection, you will know how to find, install, and manage pre-built detection content from the Sentinel Content Hub.
You do not need to build every detection rule from scratch. The Content Hub is a marketplace of pre-built solutions — analytics rules, workbooks, hunting queries, playbooks, and data connectors packaged by Microsoft and the security community.
What a solution contains
A typical solution includes multiple components installed together:
| Component | What it provides |
|---|---|
| Analytics rules | Pre-built detection logic (KQL queries on a schedule) |
| Workbooks | Interactive dashboards for monitoring and reporting |
| Hunting queries | Pre-built KQL queries for proactive threat hunting |
| Playbooks | Automation workflows (Logic Apps) for response actions |
| Data connector | Configuration for the data source the solution detects against |
| Watchlists | Reference lists (VIP users, known-good IPs, threat intelligence) |
Installing your first solutions
Navigate to Sentinel → Content Hub. The hub lists hundreds of solutions. Start with these:
Microsoft Defender XDR solution: Installs analytics rules for Defender alerts, entity mapping, and incident enrichment. This is the bridge between the Defender connector (5.6) and Sentinel’s detection engine.
Microsoft Entra ID solution: Installs analytics rules for sign-in anomalies, conditional access changes, privileged role assignments, and risky user detections. Directly uses the data from your Entra connector (5.7).
UEBA (User and Entity Behavior Analytics): Not a traditional solution — this is a Sentinel feature you enable. It builds behavioral profiles for users and entities, detecting anomalies like impossible travel, unusual resource access, and abnormal activity volume.
For each solution: click the solution name → Review details → Install. Solutions install in seconds. After installation, navigate to Analytics → Rule templates to see the newly available rules.
Solutions install rule templates, not active rules. You must manually create active rules from the templates. This is intentional — it prevents a new solution from immediately flooding your incident queue with untested detections. Review each template, tune it for your environment, then activate.
Evaluating a rule template before activation
Before activating any pre-built rule, check:
Query validity: Open the rule template, copy the KQL query, and run it in Logs. Does it return results? If it returns zero results, either the data source is not connected or the detection logic does not apply to your environment.
Volume: How many alerts would this rule generate per day? A rule that fires 200 times daily is useless — it drowns real alerts in noise. Adjust thresholds before activating.
Entity mapping: Does the rule correctly map entities (user accounts, IP addresses, hosts)? Entity mapping enables Sentinel’s correlation engine to group related alerts into incidents.
Severity: Is the default severity appropriate for your environment? “High severity” for a rule that detects admin role changes may be correct in a small org but excessive in an org where admin changes happen daily.
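The validity and volume checks above can be done in one pass in Logs by replaying a candidate rule's logic over recent history instead of just the last run window. The query below is an added example, not a rule template from the page or from any Microsoft solution: it uses a representative failed-sign-in detection over the standard SigninLogs columns (TimeGenerated, ResultType, UserPrincipalName, IPAddress), and the 14-day window, hourly schedule and threshold of 10 are assumed starting values you would tune for your tenant.

```kql
// Added example, not from the page or from a Microsoft-provided rule template.
// Replays a candidate scheduled rule over recent history to estimate how many
// alerts it would raise per day before you create an active rule from it.
// Assumptions: the rule would run hourly over the preceding hour and flag any
// account with >= threshold failed sign-ins in that window.
let evaluation_window = 14d;   // history to replay the rule over
let rule_frequency = 1h;       // how often the scheduled rule would run
let threshold = 10;            // assumed tuning knob; raise it if daily volume is too high
SigninLogs
| where TimeGenerated > ago(evaluation_window)
| where ResultType != "0"                         // ResultType "0" is success; anything else is a failed sign-in
| summarize FailedCount = count(), SourceIPs = make_set(IPAddress, 5)
    by UserPrincipalName, RunWindow = bin(TimeGenerated, rule_frequency)
| where FailedCount >= threshold                  // each surviving row is one alert the rule would raise
| summarize AlertsPerDay = count(), DistinctUsers = dcount(UserPrincipalName)
    by Day = bin(RunWindow, 1d)
| order by Day asc
```

Zero rows means either SigninLogs is not being ingested (check the Entra connector from 5.7) or the logic never matches in your environment; rows with a high AlertsPerDay mean the threshold needs raising before activation. The columns kept in the inner summarize (UserPrincipalName, SourceIPs) are the ones you would map to the Account and IP entities when you create the active rule, which is what lets Sentinel correlate these alerts into incidents.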
Try it yourself
In a developer tenant with limited activity, most sign-in anomaly rules return zero results — there is not enough data to trigger anomaly thresholds. This is expected. The exercise confirms: (1) you can find and inspect rule templates, (2) you understand that templates need data to work, and (3) you know to test before activating.
Check your understanding
1. You install the Entra ID solution. Do its analytics rules start detecting immediately?