7.10 Content Hub and Solutions

16-20 hours · Module 7


SC-200 Exam Objective

Domain 1 — Manage a SOC Environment: Understanding Content Hub is tested as part of workspace configuration and detection deployment. Content Hub is how you deploy pre-built detection rules, workbooks, playbooks, and hunting queries from Microsoft and the community.

Introduction

Building every analytics rule, workbook, hunting query, and playbook from scratch is unnecessary. Microsoft and the security community have created hundreds of pre-built solutions for common data sources, attack scenarios, and compliance requirements. Content Hub is the marketplace where you discover, evaluate, and deploy these solutions into your Sentinel workspace.

Content Hub accelerates your time to detection value. Instead of spending weeks writing analytics rules for a data source, deploy a Content Hub solution that includes pre-built rules, a workbook for visibility, hunting queries for proactive investigation, and a playbook for automated response — all designed for that specific data source. Your job is to evaluate the quality, customise the rules for your environment, and maintain them over time.


What Content Hub solutions contain

A Content Hub solution is a package that can include any combination of the following components:

Data connectors — Configuration for ingesting data from a specific source. Some solutions include connectors that are not available elsewhere. Example: a Palo Alto Networks solution includes the data connector for ingesting Palo Alto firewall logs.

Analytics rules — Pre-built detection rules for common threats related to the data source. A Microsoft Entra ID solution includes rules for detecting impossible travel, MFA fraud, and suspicious application consent. A Defender for Endpoint solution includes rules for detecting credential dumping, lateral movement, and persistence techniques.

Workbooks — Visual dashboards built with KQL queries. A workbook for Entra ID sign-in analysis provides charts and tables showing sign-in volume, failure rates, geographic distribution, and MFA usage trends. Workbooks provide the at-a-glance visibility that analytics rules do not — analytics rules fire on specific threats, workbooks show the overall health and trends.

Hunting queries — Pre-built KQL queries for proactive threat hunting. Not automated like analytics rules — an analyst runs hunting queries manually during dedicated hunting sessions (Module 10). A solution might include 10-20 hunting queries that look for uncommon but potentially malicious patterns that do not warrant automated alerts but should be checked periodically.

Playbooks — Automation workflows triggered by incidents or automation rules. A phishing response playbook might: extract URLs from the email → check against threat intelligence → block the URL in Defender → send a notification to the user → create a ticket in ServiceNow.

Watchlist templates — Pre-defined watchlist structures for common use cases.

Parsers — KQL functions that normalise data from specific sources into a standard schema. Essential for third-party data sources that send data in non-standard formats.


Finding and evaluating solutions

Navigate to Microsoft Sentinel → Content Hub. The Content Hub shows all available solutions with filters for: content type (data connector, analytics rule, workbook, hunting query, playbook), provider (Microsoft, community partner), category (identity, endpoint, network, cloud, compliance), and status (installed, not installed, update available).

Evaluating solution quality. Not all solutions are equal. Before deploying, assess:

Provider: Microsoft solutions are well-maintained and tested. Community solutions vary in quality — some are excellent, others are abandoned.

Last updated: Solutions updated within the last 6 months are likely maintained. Solutions not updated in 18+ months may have stale rules, broken queries, or incompatible parsers.

Analytics rule quality: Open the analytics rule templates included in the solution. Read the KQL queries. Are they scoped to a named table rather than a workspace-wide search? Do they use efficient operators? Do they have a sensible run frequency, lookback window and threshold? Sentinel caps a scheduled rule's lookback at 14 days and its run interval at no less than 5 minutes, so a template that expects to scan 30 days of data every 5 minutes will not even deploy as written; one that scans 14 days every 5 minutes will deploy, and is expensive and almost certainly poorly designed.

False positive rate: Check community feedback (if available) for the solution. Some solutions include rules that are known to be noisy in certain environments. You may need to tune thresholds or add watchlist exclusions after deployment.

Dependency on data: A solution is only useful if you have the data it queries. An Entra ID Protection solution is useless if you have not connected Entra ID. Check the data connector requirements before deploying.
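The checks above can be scripted against the rule templates a solution ships, since every scheduled template is an ARM resource with the same handful of properties (queryFrequency, queryPeriod, tactics, techniques, requiredDataConnectors). The following is an added example written for this page, not Microsoft code and not part of any Content Hub solution: a small linter over constructed template JSON in that shape. The two templates, the set of connected tables and the 48x "expensive" ratio are assumptions made for the example; the 14-day lookback and 5-minute frequency limits are Sentinel's real limits for scheduled rules.

```python
import json
import re
from datetime import timedelta

# Sentinel expresses queryFrequency / queryPeriod as ISO 8601 durations (PT5M, P1D, P1DT12H).
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")

# Platform limits for scheduled rules: lookback at most 14 days, run interval at least 5 minutes.
MAX_LOOKBACK = timedelta(days=14)
MIN_FREQUENCY = timedelta(minutes=5)
# Heuristic chosen for this example (not a Sentinel setting): a lookback more than 48x the
# run interval means every run rescans the same rows dozens of times over.
EXPENSIVE_RATIO = 48


def parse_duration(value):
    """Parse an ISO 8601 duration such as PT5M or P1DT12H into a timedelta."""
    m = _DURATION.match(value)
    if not m:
        raise ValueError(f"unsupported ISO 8601 duration: {value}")
    n = {k: int(v) for k, v in m.groupdict().items() if v is not None}
    return timedelta(days=n.get("d", 0), hours=n.get("h", 0),
                     minutes=n.get("m", 0), seconds=n.get("s", 0))


def lint_template(template, connected_tables):
    """Return (code, detail) findings for one scheduled rule template."""
    p = template["properties"]
    findings = []
    period, frequency = parse_duration(p["queryPeriod"]), parse_duration(p["queryFrequency"])
    if period > MAX_LOOKBACK:
        findings.append(("INVALID_LOOKBACK", f"queryPeriod {p['queryPeriod']} exceeds the 14-day limit"))
    if frequency < MIN_FREQUENCY:
        findings.append(("INVALID_FREQUENCY", f"queryFrequency {p['queryFrequency']} is below 5 minutes"))
    ratio = period / frequency
    if ratio > EXPENSIVE_RATIO:
        findings.append(("EXPENSIVE", f"lookback is {ratio:.0f}x the run interval"))
    if not p.get("tactics") or not p.get("techniques"):
        findings.append(("NO_ATTACK_MAPPING", "no tactics/techniques, so invisible in the MITRE coverage view"))
    if re.search(r"\bsearch\b", p["query"]):
        findings.append(("BROAD_SEARCH", "uses the search operator instead of a named table"))
    required = {dt for c in p.get("requiredDataConnectors", []) for dt in c.get("dataTypes", [])}
    missing = sorted(required - set(connected_tables))
    if missing:
        findings.append(("MISSING_DATA", "required tables not ingested: " + ", ".join(missing)))
    return findings


def lint_all(templates, connected_tables):
    """Map template name -> list of finding codes, for every template in a solution."""
    return {t["name"]: [code for code, _ in lint_template(t, connected_tables)] for t in templates}


# Constructed sample: two templates in the shape of Microsoft.SecurityInsights alertRuleTemplates
# (kind Scheduled). Invented for this example, not real Content Hub content.
SAMPLE_TEMPLATES = json.loads(r"""[
  {"name": "tmpl-signin-failures", "kind": "Scheduled", "properties": {
     "displayName": "Example: repeated sign-in failures per user",
     "severity": "Medium",
     "query": "SigninLogs | where ResultType != 0 | summarize Failures = count() by UserPrincipalName | where Failures > 20",
     "queryFrequency": "PT1H", "queryPeriod": "PT1H",
     "triggerOperator": "GreaterThan", "triggerThreshold": 0,
     "tactics": ["CredentialAccess"], "techniques": ["T1110"],
     "requiredDataConnectors": [{"connectorId": "AzureActiveDirectory", "dataTypes": ["SigninLogs"]}]}},
  {"name": "tmpl-noisy-search", "kind": "Scheduled", "properties": {
     "displayName": "Example: anything mentioning mimikatz",
     "severity": "High",
     "query": "search \"mimikatz\" | where TimeGenerated > ago(30d)",
     "queryFrequency": "PT5M", "queryPeriod": "P30D",
     "triggerOperator": "GreaterThan", "triggerThreshold": 0,
     "tactics": [], "techniques": [],
     "requiredDataConnectors": [{"connectorId": "CEF", "dataTypes": ["CommonSecurityLog"]}]}}
]""")

# Assumed for the example: only the Entra ID connector is on, so only these tables have data.
CONNECTED_TABLES = {"SigninLogs", "AuditLogs"}

if __name__ == "__main__":
    for name, codes in lint_all(SAMPLE_TEMPLATES, CONNECTED_TABLES).items():
        print(f"{name}: {', '.join(codes) or 'OK'}")
```

Point it at the template JSON exported from a workspace (or at the solution's files in the Azure-Sentinel GitHub repository) and the MISSING_DATA check alone will tell you which templates are dead weight before you enable anything.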


Deploying a solution

Step 1: Select the solution in Content Hub → Install. This adds the solution’s components to your workspace but does not automatically enable analytics rules.

Step 2: Navigate to Analytics → Rule templates. The installed solution’s analytics rules appear as templates. Review each template before enabling: read the KQL query, understand the detection logic, check the rule frequency and lookback window, and assess whether the rule is appropriate for your environment.

Step 3: Create the rules you want from their templates (Create rule). A rule created this way stays linked to its template: when a later solution update changes the template, Sentinel marks the rule as having an update available and you decide whether to take the new logic. For rules you intend to tune heavily, work on a clone instead (duplicate the active rule, or author a custom rule with the same query) under a distinct name, so the tuned copy is clearly yours and nothing you change collides with the template. The original template remains unchanged either way.

Step 4: Deploy the workbook. Navigate to Workbooks → Templates → select the solution’s workbook → Save. The workbook is added to your saved workbooks for regular use.

Step 5: Review and save hunting queries. Navigate to Hunting → Queries. The solution’s hunting queries appear as templates. Save the ones relevant to your hunting programme.


Managing solution updates

Content Hub solutions receive updates when Microsoft or the community publisher improves analytics rules, adds new detections, or fixes issues. When an update is available, the solution shows “Update available” in Content Hub.

Update caution: A rule created directly from a template is not silently rewritten when the template changes; the rule shows an update prompt because its template version is now older than the solution's, and accepting it replaces the rule logic. Read the update notes before accepting. If you cloned and customised the rule instead, the clone has no link to the template, so it is unaffected by updates, but you also get none of the improved detection logic unless you merge the changes by hand.

Recommended update workflow: Review update release notes → apply the update → compare updated rule templates with your customised rules → merge improvements into customised rules where appropriate → test in a low-traffic period.


Essential solutions to deploy first

Priority Content Hub Solutions for SC-200 Environments

Solution               | Provider  | Key Components                                        | Data Required
Microsoft Entra ID     | Microsoft | 15+ analytics rules, 3 workbooks, 10+ hunting queries | SigninLogs, AuditLogs
Microsoft Defender XDR | Microsoft | Analytics rules, workbooks, hunting queries            | Defender XDR connector
Microsoft 365          | Microsoft | Exchange and SharePoint detection rules                | OfficeActivity
Azure Activity         | Microsoft | ARM operation detection rules                         | AzureActivity
Threat Intelligence    | Microsoft | TI matching rule templates                            | ThreatIntelligenceIndicator
UEBA Essentials        | Microsoft | User and entity behaviour analytics rules             | SigninLogs, AuditLogs
SOC Process Framework  | Microsoft | Workbooks for SOC operational metrics                 | SecurityIncident

Deploy these solutions first. They provide immediate detection coverage for the most common data sources in M365-heavy environments. Each solution adds dozens of analytics rule templates; you do not need to enable all of them. Review, enable the relevant ones, and tune over time.

Try it yourself

Navigate to Content Hub in your Sentinel workspace. Install the "Microsoft Entra ID" solution. Then navigate to Analytics → Rule templates. Filter by source "Microsoft Entra ID." Review 3-4 rule templates: read the KQL, understand the detection logic, and assess whether each rule is relevant to your environment. Enable 2-3 rules that match your data (you should have SigninLogs and AuditLogs if you connected the Entra ID connector). Check the next day for any alerts generated by the new rules.

What you should observe

The Content Hub installation adds rule templates but does not enable them — you choose which rules to activate. The rule templates have names like "Brute force attack against a Cloud PC," "Suspicious application consent for offline access," and "MFA rejected by user." Each includes a KQL query, severity, and MITRE ATT&CK mapping. In a lab environment, most rules will not fire (low activity volume, no malicious activity). In production, you will see alerts within hours of enabling rules.


MITRE ATT&CK coverage analysis with Content Hub

One of the most valuable outcomes of deploying Content Hub solutions is the ability to assess your detection coverage against the MITRE ATT&CK framework. Every well-built analytics rule template includes ATT&CK technique mappings — and Sentinel provides a MITRE ATT&CK coverage blade that visualises which techniques your active analytics rules detect.

Accessing the coverage view: Navigate to Sentinel → MITRE ATT&CK (preview). The matrix displays each ATT&CK technique as a cell. Cells are colour-coded: green indicates you have active rules detecting this technique, grey indicates no coverage. The coverage percentage across each tactic (Initial Access, Execution, Persistence, Privilege Escalation, etc.) shows where your detection is strong and where gaps exist.

Using coverage to prioritise rule activation: After deploying Content Hub solutions, you have dozens of rule templates available. Use the MITRE ATT&CK coverage view to prioritise which templates to activate. If your Initial Access coverage is 80% but your Persistence coverage is 20%, prioritise activating the Persistence detection templates. This transforms rule activation from “enable everything and hope for the best” into a strategic coverage-driven approach.
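The coverage blade gives you the picture; the prioritisation itself can be computed from the templates' own tactics and techniques fields. The following is an added example for this page (not Microsoft code, not the logic behind the MITRE ATT&CK blade): given the installed templates and the set already active, it reports per-tactic coverage and then picks, greedily, the order in which enabling the remaining templates adds the most uncovered (tactic, technique) pairs. The templates are constructed for the example, and pairing every listed tactic with every listed technique is an assumption, because Sentinel stores the two as separate flat lists rather than as pairs.

```python
from collections import defaultdict


def technique_pairs(template):
    """(tactic, technique) pairs a template claims. Sentinel keeps tactics and techniques as two
    flat lists, so the cross product is the closest reconstruction (an assumption of this example)."""
    return {(tactic, technique)
            for tactic in template.get("tactics", [])
            for technique in template.get("techniques", [])}


def coverage_by_tactic(templates, active):
    """Per tactic: (techniques covered by active rules, techniques any installed template could cover)."""
    available, covered = defaultdict(set), defaultdict(set)
    for name, template in templates.items():
        for tactic, technique in technique_pairs(template):
            available[tactic].add(technique)
            if name in active:
                covered[tactic].add(technique)
    return {tactic: (len(covered[tactic]), len(available[tactic])) for tactic in sorted(available)}


def prioritise(templates, active):
    """Greedy enable order for the templates not yet active: each pick is the template adding the
    most (tactic, technique) pairs still uncovered, ties broken by name. Stops once nothing adds
    coverage, so templates that only duplicate existing coverage are never suggested."""
    covered = set().union(*(technique_pairs(templates[name]) for name in active))
    remaining = {name: tpl for name, tpl in templates.items() if name not in active}
    order = []
    while remaining:
        name, gain = min(((n, len(technique_pairs(t) - covered)) for n, t in remaining.items()),
                         key=lambda item: (-item[1], item[0]))
        if gain == 0:
            break
        order.append((name, gain))
        covered |= technique_pairs(remaining.pop(name))
    return order


# Constructed rule templates, invented for this example; the tactics/techniques values mirror
# the fields of Sentinel scheduled rule templates. Technique IDs are real ATT&CK IDs.
TEMPLATES = {
    "tmpl-impossible-travel":     {"tactics": ["InitialAccess"], "techniques": ["T1078"]},
    "tmpl-mfa-fraud":             {"tactics": ["InitialAccess", "CredentialAccess"], "techniques": ["T1078", "T1621"]},
    "tmpl-app-consent":           {"tactics": ["Persistence"], "techniques": ["T1098"]},
    "tmpl-new-federated-domain":  {"tactics": ["Persistence", "DefenseEvasion"], "techniques": ["T1484"]},
    "tmpl-brute-force":           {"tactics": ["CredentialAccess"], "techniques": ["T1110"]},
    "tmpl-role-assignment":       {"tactics": ["PrivilegeEscalation", "Persistence"], "techniques": ["T1098"]},
}
# Assumed: only two of the templates have been turned into active rules so far.
ACTIVE = {"tmpl-impossible-travel", "tmpl-brute-force"}

if __name__ == "__main__":
    for tactic, (have, could) in coverage_by_tactic(TEMPLATES, ACTIVE).items():
        print(f"{tactic:20} {have}/{could} techniques covered")
    for name, gain in prioritise(TEMPLATES, ACTIVE):
        print(f"enable {name} (+{gain} uncovered tactic/technique pairs)")
```

With these inputs Persistence shows 0/2 and the first suggestion is the template that spans two tactics; the consent-grant template is never suggested because the role-assignment template already covers its one pair. Run it against the real templates (exported from the workspace or read from the solution's files) and ACTIVE set to the names of your active rules' alertRuleTemplateName values.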

Identifying detection gaps. The MITRE ATT&CK view also reveals techniques where you have no detection — even after deploying Content Hub solutions. These gaps become the detection engineering backlog: custom analytics rules that your team writes to cover techniques not addressed by any available solution. Module 9 covers custom rule creation.

// Which ATT&CK tactics have your analytics rules actually fired on in the last 90 days?
// SecurityAlert.Tactics is a comma-separated string, so split it before expanding.
SecurityAlert
| where TimeGenerated > ago(90d)
| where ProductName == "Azure Sentinel"        // alerts raised by Sentinel analytics rules
| mv-expand Tactic = split(Tactics, ",") to typeof(string)
| extend Tactic = trim(" ", Tactic)
| where isnotempty(Tactic)
| summarize AlertCount = count(), UniqueRules = dcount(AlertName) by Tactic
| order by AlertCount desc

This query shows which ATT&CK tactics your active rules have actually fired on in the last 90 days — providing real-world validation of your theoretical coverage. A rule can cover a technique in theory (it has the ATT&CK mapping) but never fire in practice (the technique does not occur in your environment, or the rule’s threshold is set too high).


Custom content packages

Beyond deploying Microsoft and third-party solutions, you can create and manage your own content packages. This is particularly useful for organisations that develop custom analytics rules, workbooks, and playbooks tailored to their specific environment.

Repositories integration. Sentinel supports connecting a Git repository (Azure DevOps or GitHub) as a content source. Your custom analytics rules, saved as ARM templates in the repository, are deployed to the workspace through CI/CD pipelines. This enables: version control for all custom content, peer review through pull requests, automated deployment across multiple workspaces, and rollback capability through Git revert.

Custom solution packaging. Organisations and MSSPs that want to distribute their own detection content can package it as a solution: an ARM template that bundles the analytics rules, workbooks, playbooks and parsers so that a single deployment installs all of them into a workspace. Deploying that one package to every workspace they manage is how MSSPs push standardised detection content to all of their customers.


Managing solution updates and drift

Content Hub solutions are periodically updated by their publishers. Managing these updates is an operational discipline, not a one-time task.

Update notification. Sentinel displays a notification badge on Content Hub when updates are available for installed solutions. Review updates promptly — they may contain critical detection improvements or fixes for broken queries caused by schema changes.

Update impact assessment. Before applying an update, review the changelog (if available) and assess impact: does the update modify rules you have customised? Does it add new rule templates that should be reviewed? Does it deprecate rules you rely on? Does it change data connector requirements?

Template vs customised rule divergence. Over time, your active rules diverge from the original Content Hub templates as you tune thresholds, add watchlist exclusions, and modify entity mappings. When a solution update modifies the template, your customised rule is not automatically updated — the template and your active rule exist independently. Periodically review the template changes and decide whether to apply them to your customised rules.

Best practice: clone before customise. When you need to modify a Content Hub template rule, clone it as a custom rule with a distinct name (e.g., “CUSTOM - Entra ID - Sign-in from sanctioned country”). Apply your customisations to the clone. Leave the original template-created rule disabled but present. When the solution updates, you can compare the updated template against your custom clone and selectively merge improvements.
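The clone-then-merge discipline described in this section and in the update workflow above (clone the template, tune the clone, and on each solution update compare the new template with your tuned copy) is mechanical enough to script. The following is an added example for this page, not Microsoft code and not what the portal's update prompt does internally: it builds a clone of a template in the shape of a Sentinel scheduled rule resource, then runs a three-way comparison between the template version you cloned from, the updated template, and your clone, classifying each field as unchanged, auto-mergeable, yours to keep, or a conflict needing a human. The template, its update and the customisations are constructed for the example; the _GetWatchlist call assumes a watchlist named TravelExceptions with a UserPrincipalName column.

```python
import copy
import uuid

# Fields of a scheduled rule where template updates and your tuning can collide.
MERGE_FIELDS = ("query", "severity", "queryFrequency", "queryPeriod",
                "triggerOperator", "triggerThreshold", "tactics", "techniques")


def clone_template(template, customisations, prefix="CUSTOM - "):
    """Build a scheduled rule resource from a template, recording which template and version it
    came from (alertRuleTemplateName / templateVersion, as Sentinel does for rules created from
    templates) and applying your customisations on top."""
    props = copy.deepcopy(template["properties"])
    props.update({
        "displayName": prefix + props["displayName"],
        "enabled": True,
        "alertRuleTemplateName": template["name"],
        "templateVersion": props.pop("version"),
    })
    props.update(customisations)
    return {"name": str(uuid.uuid4()), "kind": "Scheduled", "properties": props}


def merge_report(base, updated, clone):
    """Three-way compare of the template version you cloned from (base), the updated template and
    your clone. Per field: 'unchanged', 'auto' (template changed, you did not: take the update),
    'keep' (you changed, template did not) or 'conflict' (both changed differently: left as yours).
    The merged rule only advances templateVersion when there is nothing left to resolve by hand."""
    report, merged = {}, copy.deepcopy(clone)
    for field in MERGE_FIELDS:
        b, u, c = (d["properties"].get(field) for d in (base, updated, clone))
        template_changed, you_changed = b != u, b != c
        if template_changed and you_changed and u != c:
            report[field] = "conflict"
        elif template_changed:
            report[field] = "auto"
            merged["properties"][field] = u
        elif you_changed:
            report[field] = "keep"
        else:
            report[field] = "unchanged"
    if "conflict" not in report.values():
        merged["properties"]["templateVersion"] = updated["properties"]["version"]
    return report, merged


# Constructed sample template, version 1.0.0, as a solution might ship it (invented, not real content).
TEMPLATE_V1 = {"name": "tmpl-signin-sanctioned-country", "kind": "Scheduled", "properties": {
    "displayName": "Sign-in from sanctioned country", "severity": "High",
    "query": "SigninLogs | where Location in ('KP', 'IR')",
    "queryFrequency": "PT1H", "queryPeriod": "PT1H",
    "triggerOperator": "GreaterThan", "triggerThreshold": 0,
    "tactics": ["InitialAccess"], "techniques": ["T1078"], "version": "1.0.0"}}

# The same template after a solution update: longer country list, severity lowered.
TEMPLATE_V2 = copy.deepcopy(TEMPLATE_V1)
TEMPLATE_V2["properties"].update({
    "query": "SigninLogs | where Location in ('KP', 'IR', 'SY', 'CU')",
    "severity": "Medium", "version": "1.1.0"})

# Your tuned clone of v1: watchlist exclusion added to the query, threshold raised.
# Assumes a watchlist named TravelExceptions with a UserPrincipalName column.
MY_RULE = clone_template(TEMPLATE_V1, {
    "query": "let allowed = _GetWatchlist('TravelExceptions') | project UserPrincipalName;\n"
             "SigninLogs | where Location in ('KP', 'IR') | where UserPrincipalName !in (allowed)",
    "triggerThreshold": 3})

if __name__ == "__main__":
    report, merged = merge_report(TEMPLATE_V1, TEMPLATE_V2, MY_RULE)
    for field, decision in report.items():
        print(f"{field:17} {decision}")
    print("merged templateVersion:", merged["properties"]["templateVersion"])
```

Here the severity change is taken automatically, your raised threshold is kept, and the query is a conflict because the update widened the country list inside the same clause you wrapped with a watchlist exclusion; the merged rule stays pinned to 1.0.0 until someone re-applies the exclusion on top of the new query. Feed it the template JSON before and after the update plus the rule export from your repository, and the report is the review checklist for that update.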


Knowledge check

Check your understanding

1. You deploy a Content Hub solution and enable all 20 included analytics rules. Within a week, 5 rules generate excessive false positives. What is the correct approach?

   a) Clone the 5 noisy rules, disable the originals, and tune the cloned copies
   b) Uninstall the entire solution
   c) Disable all 20 rules until false positives are resolved
   d) Accept the false positives, they are expected

Answer: a). Clone the 5 noisy rules, disable the original template-created rules, and tune the cloned copies: add watchlist exclusions for known-good patterns, adjust thresholds for your environment, and narrow time windows if appropriate. Keep the other 15 rules running as-is. Cloning ensures your customisations are preserved during solution updates. Never disable all rules because some are noisy; tune the noisy ones while keeping the effective ones active.