c50c6568dc
ProofpointTAP - Update Analytic rules |
||
|---|---|---|
| .. | ||
| 1Password | ||
| 42Crunch API Protection | ||
| AI Analyst Darktrace | ||
| AIShield AI Security Monitoring | ||
| ALC-WebCTRL | ||
| ARGOSCloudSecurity | ||
| AWS Systems Manager | ||
| AWSAthena | ||
| AWS_IAM | ||
| AbnormalSecurity | ||
| AbuseIPDB | ||
| Agari | ||
| AgileSec Analytics Connector | ||
| Akamai Security Events | ||
| Alibaba Cloud | ||
| Alsid For AD | ||
| Amazon Web Services | ||
| Apache Log4j Vulnerability Detection | ||
| ApacheHTTPServer | ||
| AristaAwakeSecurity | ||
| Armis | ||
| Armorblox | ||
| Aruba ClearPass | ||
| AtlassianConfluenceAudit | ||
| AtlassianJiraAudit | ||
| Attacker Tools Threat Protection Essentials | ||
| Australian Cyber Security Centre | ||
| Auth0 | ||
| Authomize | ||
| Azure Activity | ||
| Azure Batch Account | ||
| Azure Cloud NGFW by Palo Alto Networks | ||
| Azure Cognitive Search | ||
| Azure DDoS Protection | ||
| Azure Data Lake Storage Gen1 | ||
| Azure Event Hubs | ||
| Azure Firewall | ||
| Azure Key Vault | ||
| Azure Logic Apps | ||
| Azure Network Security Groups | ||
| Azure SQL Database solution for sentinel | ||
| Azure Service Bus | ||
| Azure Storage | ||
| Azure Stream Analytics | ||
| Azure Web Application Firewall (WAF) | ||
| Azure kubernetes Service | ||
| AzureDevOpsAuditing | ||
| AzureSecurityBenchmark | ||
| BETTER Mobile Threat Defense (MTD) | ||
| Barracuda CloudGen Firewall | ||
| Barracuda WAF | ||
| Beyond Security beSECURE | ||
| BitSight | ||
| Bitglass | ||
| Bitwarden | ||
| Blackberry CylancePROTECT | ||
| BloodHound Enterprise | ||
| Box | ||
| Broadcom SymantecDLP | ||
| Business Email Compromise - Financial Fraud | ||
| CTM360 | ||
| Check Point | ||
| CheckPhish by Bolster | ||
| Cisco ACI | ||
| Cisco ETD | ||
| Cisco Firepower EStreamer | ||
| Cisco ISE | ||
| Cisco Meraki Events via REST API | ||
| Cisco SD-WAN | ||
| Cisco Secure Cloud Analytics | ||
| Cisco Secure Endpoint | ||
| Cisco UCS | ||
| CiscoASA | ||
| CiscoDuoSecurity | ||
| CiscoMeraki | ||
| CiscoSEG | ||
| CiscoUmbrella | ||
| CiscoWSA | ||
| Citrix ADC | ||
| Citrix Analytics for Security | ||
| Citrix Web App Firewall | ||
| Claroty | ||
| Claroty xDome | ||
| Cloud Identity Threat Protection Essentials | ||
| Cloud Service Threat Protection Essentials | ||
| Cloudflare | ||
| CofenseIntelligence | ||
| CofenseTriage | ||
| Cognni | ||
| CognyteLuminar | ||
| CohesitySecurity | ||
| Common Event Format | ||
| Commvault Security IQ | ||
| ContinuousDiagnostics&Mitigation | ||
| Contrast Protect | ||
| Corelight | ||
| Cortex XDR | ||
| CrowdStrike Falcon Endpoint Protection | ||
| CyberArk Enterprise Password Vault (EPV) Events | ||
| CyberArkAudit | ||
| CyberArkEPM | ||
| CybersecurityMaturityModelCertification(CMMC)2.0 | ||
| Cybersixgill-Actionable-Alerts | ||
| Cyborg Security HUNTER | ||
| Cynerio | ||
| DEV-0537DetectionandHunting | ||
| DNS Essentials | ||
| Darktrace | ||
| Datalake2Sentinel | ||
| Dataminr Pulse | ||
| Delinea Secret Server | ||
| Dev 0270 Detection and Hunting | ||
| Digital Shadows | ||
| DigitalGuardianDLP | ||
| DomainTools | ||
| Dynamics 365 | ||
| Dynatrace | ||
| ESET Inspect | ||
| ESETPROTECT | ||
| EatonForeseer | ||
| EclecticIQ | ||
| Egress Defend | ||
| Egress Iris | ||
| Elastic Search | ||
| ElasticAgent | ||
| Endpoint Threat Protection Essentials | ||
| Entrust identity as Service | ||
| Ermes Browser Security | ||
| Eset Security Management Center | ||
| Exabeam Advanced Analytics | ||
| ExtraHop Reveal(x) | ||
| F5 BIG-IP | ||
| F5 Networks | ||
| FalconFriday | ||
| Farsight DNSDB/Playbooks | ||
| Feedly | ||
| FireEye Network Security | ||
| Flare | ||
| Forcepoint CASB | ||
| Forcepoint CSG | ||
| Forcepoint DLP | ||
| Forcepoint NGFW | ||
| Forescout (Legacy) | ||
| ForescoutHostPropertyMonitor | ||
| ForgeRock Common Audit for CEF | ||
| Fortinet FortiGate Next-Generation Firewall connector for Microsoft Sentinel | ||
| Fortinet FortiNDR Cloud | ||
| Fortinet FortiWeb Cloud WAF-as-a-Service connector for Microsoft Sentinel | ||
| Gigamon Connector | ||
| GitHub | ||
| GitLab | ||
| Google Apigee | ||
| Google Cloud Platform Audit Logs | ||
| Google Cloud Platform BigQuery | ||
| Google Cloud Platform Cloud Monitoring | ||
| Google Cloud Platform Security Command Center | ||
| GoogleCloudPlatformDNS | ||
| GoogleCloudPlatformIAM | ||
| GoogleDirectory/Playbooks | ||
| GoogleWorkspaceReports | ||
| GreyNoiseThreatIntelligence | ||
| Group-IB/Playbooks | ||
| HYAS | ||
| HYAS Protect | ||
| HolmSecurity | ||
| HoneyTokens | ||
| IONIX | ||
| IPQualityScore | ||
| ISC Bind | ||
| Illumio Core | ||
| IllumioSaaS | ||
| Illusive Active Defense | ||
| Illusive Platform | ||
| Images | ||
| Imperva WAF Gateway | ||
| ImpervaCloudWAF | ||
| Infoblox Cloud Data Connector | ||
| Infoblox NIOS | ||
| Infoblox SOC Insights | ||
| InsightVM/Package | ||
| Integration for Atlassian Beacon | ||
| Intel471 | ||
| IoTOTThreatMonitoringwithDefenderforIoT | ||
| IronNet IronDefense | ||
| Island | ||
| Ivanti Unified Endpoint Management | ||
| JBoss | ||
| Jamf Protect | ||
| Joshua-Cyberiskvision | ||
| Juniper SRX | ||
| JuniperIDP | ||
| KQL Training | ||
| KasperskySecurityCenter | ||
| LastPass | ||
| Legacy IOC based Threat Protection | ||
| Lookout | ||
| Lookout Cloud Security Platform for Microsoft Sentinel | ||
| MISP2Sentinel | ||
| MailGuard 365 | ||
| MailRisk | ||
| Malware Protection Essentials | ||
| MarkLogicAudit | ||
| MaturityModelForEventLogManagementM2131 | ||
| McAfee Network Security Platform | ||
| McAfee ePolicy Orchestrator | ||
| Microsoft 365 | ||
| Microsoft Defender For Identity | ||
| Microsoft Defender Threat Intelligence | ||
| Microsoft Defender XDR | ||
| Microsoft Defender for Cloud | ||
| Microsoft Defender for Cloud Apps | ||
| Microsoft Defender for Office 365 | ||
| Microsoft Entra ID | ||
| Microsoft Entra ID Protection | ||
| Microsoft Exchange Security - Exchange On-Premises | ||
| Microsoft Exchange Security - Exchange Online | ||
| Microsoft PowerBI | ||
| Microsoft Project | ||
| Microsoft Purview | ||
| Microsoft Purview Information Protection | ||
| Microsoft Sysmon For Linux | ||
| Microsoft Windows SQL Server Database Audit | ||
| MicrosoftDefenderForEndpoint | ||
| MicrosoftPurviewInsiderRiskManagement | ||
| MimecastAudit | ||
| MimecastSEG | ||
| MimecastTIRegional | ||
| MimecastTTP | ||
| Minemeld | ||
| MongoDBAudit | ||
| Morphisec | ||
| Mulesoft | ||
| Multi Cloud Attack Coverage Essentials - Resource Abuse | ||
| NGINX HTTP Server | ||
| NISTSP80053 | ||
| NXLog BSM macOS | ||
| NXLog FIM | ||
| NXLog LinuxAudit | ||
| NXLogAixAudit | ||
| NXLogDnsLogs | ||
| Nasuni | ||
| NetClean ProActive | ||
| Netskope | ||
| Netskopev2 | ||
| Network Session Essentials | ||
| Network Threat Protection Essentials | ||
| Netwrix Auditor | ||
| Neustar IP GeoPoint | ||
| NonameSecurity | ||
| NozomiNetworks | ||
| OSSEC | ||
| Okta Single Sign-On | ||
| Onapsis Platform | ||
| OneIdentity | ||
| OneLoginIAM | ||
| OpenCTI | ||
| OpenVPN | ||
| Oracle Cloud Infrastructure | ||
| OracleDatabaseAudit | ||
| OracleWebLogicServer | ||
| Orca Security Alerts | ||
| PCI DSS Compliance | ||
| PDNS Block Data Connector | ||
| Palo Alto - XDR (Cortex) | ||
| Palo Alto Prisma Cloud CWPP | ||
| PaloAlto-PAN-OS | ||
| PaloAltoCDL | ||
| PaloAltoPrismaCloud | ||
| Perimeter 81 | ||
| PingFederate | ||
| PostgreSQL | ||
| Prancer PenSuiteAI Integration | ||
| ProofPointTap | ||
| Proofpoint On demand(POD) Email Security | ||
| Pulse Connect Secure | ||
| Pure Storage | ||
| Qualys VM Knowledgebase | ||
| QualysVM | ||
| RSA SecurID | ||
| Radiflow | ||
| Rapid7InsightVM | ||
| Recorded Future | ||
| Recorded Future Identity | ||
| Red Canary | ||
| ReversingLabs | ||
| RidgeSecurity | ||
| RiskIQ | ||
| RubrikSecurityCloud | ||
| SAP | ||
| SAP BTP | ||
| SIGNL4 | ||
| SOC Handbook | ||
| SOC-Process-Framework | ||
| SailPointIdentityNow | ||
| SalemCyber | ||
| Salesforce Service Cloud | ||
| SecurityBridge App | ||
| SecurityScorecard Cybersecurity Ratings | ||
| SecurityThreatEssentialSolution | ||
| Semperis Directory Services Protector | ||
| SenservaPro | ||
| SentinelOne | ||
| SentinelSOARessentials | ||
| SeraphicSecurity | ||
| Servicenow | ||
| SevcoSecurity | ||
| ShadowByte Aria | ||
| Shodan | ||
| SlackAudit | ||
| SlashNext | ||
| SlashNext SIEM | ||
| Snowflake | ||
| SonicWall Firewall | ||
| SonraiSecurity | ||
| Sophos Cloud Optix | ||
| Sophos Endpoint Protection | ||
| Sophos XG Firewall | ||
| SpyCloud Enterprise Protection | ||
| Squadra Technologies SecRmm | ||
| SquidProxy | ||
| Symantec Endpoint Protection | ||
| Symantec Integrated Cyber Defense | ||
| Symantec VIP | ||
| SymantecProxySG | ||
| Synack | ||
| Syslog | ||
| Talon | ||
| Tanium | ||
| Teams | ||
| Templates | ||
| Tenable App | ||
| TenableAD | ||
| TenableIO | ||
| TheHive | ||
| Theom | ||
| Threat Intelligence | ||
| Threat Intelligence Solution for Azure Government | ||
| ThreatAnalysis&Response | ||
| ThreatConnect | ||
| ThreatXCloud | ||
| Tomcat | ||
| Training/Azure-Sentinel-Training-Lab | ||
| Trend Micro Apex One | ||
| Trend Micro Cloud App Security | ||
| Trend Micro Deep Security | ||
| Trend Micro TippingPoint | ||
| Trend Micro Vision One | ||
| UEBA Essentials | ||
| URLhaus | ||
| Ubiquiti UniFi | ||
| VMWareESXi | ||
| VMware Carbon Black Cloud | ||
| VMware SD-WAN and SASE | ||
| VMware vCenter | ||
| Valence Security | ||
| VaronisSaaS | ||
| Vectra AI Detect | ||
| Vectra AI Stream | ||
| Vectra XDR | ||
| Veritas NetBackup | ||
| VirusTotal | ||
| Votiro | ||
| Watchguard Firebox | ||
| Watchlists Utilities | ||
| Web Session Essentials | ||
| Web Shells Threat Protection | ||
| Windows Firewall | ||
| Windows Forwarded Events | ||
| Windows Security Events | ||
| Windows Server DNS | ||
| WireX Network Forensics Platform | ||
| WithSecureElementsViaConnector | ||
| WithSecureElementsViaFunction | ||
| Wiz | ||
| Workday | ||
| Workplace from Facebook | ||
| ZeroFox | ||
| ZeroNetworks | ||
| ZeroTrust(TIC3.0) | ||
| Zimperium Mobile Threat Defense | ||
| Zinc Open Source | ||
| ZoomReports | ||
| Zscaler Internet Access | ||
| Zscaler Private Access (ZPA) | ||
| archTIS | ||
| iboss | ||
| vArmour Application Controller | ||
| ContentHubCatalog.xlsx | ||
| ContentHubSolutionsCatalog.md | ||
| README.md | ||
| ReleaseNotesGuidance.md | ||
| ReleaseNotesSample.md | ||
| azuredeploy_parameters.json | ||
| known_issues.md | ||
README.md
Guide to building Microsoft Sentinel solutions
This guide provides an overview of Microsoft Sentinel solutions, and how to build and publish a solution for Microsoft Sentinel.
Microsoft Sentinel solutions provide an in-product experience for central discoverability, single-step deployment, and enablement of end-to-end product, domain, and/or vertical scenarios in Microsoft Sentinel. This experience is powered by:
- Azure Marketplace for solution discoverability, deployment, and enablement
- The Microsoft Partner Center for solution authoring and publishing
Providers and partners can deliver combined product, domain, or vertical value via solutions in Microsoft Sentinel in order to productize investments. More details are covered in the Microsoft Sentinel documentation. Review the catalog for complete list of out-of-the-box Microsoft Sentinel solutions.
Microsoft Sentinel solutions include packaged content, integrations, or service offerings for Microsoft Sentinel. This guide focuses on how to build packaged content into solutions, including combinations of data connectors, workbooks, analytic rules, playbooks, hunting queries, parsers, watchlists, and more for Microsoft Sentinel. Reach out to the Microsoft Sentinel Solutions Onboarding Team if you are planning or building another type of integration or service offering, or want to include other types of content in your solution that isn't listed here.
The following image shows the steps in the solution building process, including content creation, packaging, and publishing:
Step 1 – Create your content
Start with the Get started documentation on the Microsoft Sentinel GitHub Wiki to identify the content types you plan to include in your solution package. For example, supported content types include data connectors, workbooks, analytic rules, playbooks, hunting queries, and more. Each content type has its own contribution guidance for development and validation.
The guidance for each content type in the Wiki describes how to contribute individual pieces of content. However, you want to contribute your content in a packaged solution. Therefore, hold off on submitting your content to the relevant folders as described in the Wiki guidance, and instead place your content in the Solutions folder of the Microsoft Sentinel GitHub repo.
Use the following steps to create your content structure:
-
In the Microsoft Sentinel Solutions folder, create a new folder with your solution name.
-
In your solution folder, create a blank folder structure as follows to store the content you've developed:
- Data Connectors – the data connector json files or Azure Functions, etc. goes in this folder.
- Workbooks – workbook json files and black and white preview images of the workbook goes here.
- Analytic Rules – yaml file templates of analytic rules goes in this folder.
- Hunting queries – yaml file templates of hunting queries goes in this folder.
- Playbooks – json playbook and Azure Logic Apps custom connectors can go in this folder.
- Parser – yaml file for Kusto Functions or Parsers can go in this folder. Use this as reference.
For example, see the folder structure for our Cisco ISE solution.
-
Store your logo, in SVG format, in the central Logos folder.
-
Store sample data in the sample data folder, within the relevant content type folder, depending on your data connector type.
-
Submit a PR with all of your solution content. The PR will go through automated GitHub validation. Address potential errors as needed.
After your content has been succesfully validated, the Microsoft Sentinel team will review your PR and reply with any feedback as needed. You can expect an initial response within five business days.
The PR will be approved and merged after any feedback has been incorportated and the full review is successful.
Step 2 – Package your content
The solution content package is called a solution template, and has the following files:
-
mainTemplate.json: The Azure Resource Manager (ARM) template that includes the resources offered by the solution. Each piece of content that you want to package in your solution must first be converted to ARM format. The
mainTemplatefile is the overall ARM template file that combines each invididual ARM content file. -
createUIDefinition.json: The deployment experience definition provided to customers installing your solution. This is a step-by-step wizard experience.
For more information, see the solution template documentation (deployment package).
After creating both the mainTemplate.json and the createUIDefinition.json files, validate them, and package them into a .zip file that you can upload as part of the publishing process (Step 3).
Use the package creation tool to help you create and validate the package, following the solutions packaging tool guidance to use the tool and package your content.
Updating your solution
If you already have an Microsoft Sentinel solution and want to update your package, use the package creation tool with updated content to create a new version of the package.
For your solution's versioning format, always use {Major}.{Minor}.{Revision} syntax, such as 1.0.1, to align with the Azure Marketplace recommendation and versioning support.
When updating your package, make sure to raise the version value, regardless of how small or trivial the change is, including typo fixes in a content or solution definition file.
For example, if your original package version is 1.0.1, you might update your versions as follows:
- Major updates have a new version of 2.0.0 - this is usually reserved for major tooling or package level changes
- Minor updates, for changes in content of the package, might have a new version of
1.1.0 - Revisions, such as those scoped to a single piece of content or just metadata or text updates, might have a new version of
1.0.2
Since solutions use ARM templates, you can customize the solution text as well as tabs as needed to cater to specific scenarios.
Step 3 – Publish your solution
The Microsoft Sentinel solution publishing experience is powered by the Microsoft Partner Center.
Registration (one-time)
If you or your company is a first-time app publisher on Azure Marketplace, follow the steps to register and create a Commercial Marketplace account in Partner Center. This process provides you with a unique Publisher ID and access to the Commercial Marketplace authoring and publishing experience, where you'll create, certify, and publish your solution.
Author and publish a solution offer
The following steps reference the Partner Center's more detailed documentation.
- Create an Azure application type offer and configure the offer setup details as per the relevant guidance.
Ensure that the OfferID contains the keyword "sentinel". Consider using the format:
microsoft-sentinel-solution-<productname>
-
Configure the Offer properties.
-
Configure the Offer listing details, including the title, description, pictures, videos, support information, and so on.
- As one of your search keywords, add
f1de974b-f438-4719-b423-8bf704ba2aefto have your solution appear in the Microsoft Sentinel content hub. - Ensure to provide CSP (Cloud Solution Provider) Program contact and relevant CSP information as requested. This will enable you to offer the solution to CSP subscriptions and increased visibility and adoption of your solution. Refer to the CSP FAQs for further details on why this is recommended for Microsoft Sentinel solutions.
- If you want to start your solution in Preview (Public Preview), you can do so by appending "(Preview)" in the solution / offer title. This will ensure your offer gets tagged with Preview tag in Microsoft Sentinel Content hub.
- As one of your search keywords, add
-
Create a plan and select Solution Template as the plan type.
- If your offer needs to be available for customers from U.S. federal, state, local, or tribal entities, follow the steps to select the Azure Government check box and subsquent guidance.
-
Configure the Solutions template plan. This is where you’ll upload the zip file that you'd created in step two and set a version for your package. Make sure to follow the versioning guidance described in step 2, above.
-
Enable CSP for your offer by going to the Resell through CSPs tab in Partner Center and selecting Any partner in the CSP program. This will enable you to offer the solution to CSP subscriptions and increased visibility and adoption of your solution. Refer to the CSP FAQs for further details on why this is recommended for Microsoft Sentinel solutions.
-
Validate and test your solution offer.
-
After the validation passes, publish the offer live. This will trigger the certification process, which can take up to 3 business days.
Note: You must make the offer public in order for it to show up in the Microsoft Sentinel content hub so that customers can find it.
Feedback
Email Azure Sentinel Solutions Onboarding Team with any feedback on this process, for new scenarios not covered in this guide, or with any constraints you may encounter.
FAQs
CSP (Cloud Solution Provider)
What is CSP?
Microsoft Azure Customers may purchase their Azure Subscriptions either directly from Microsoft, or via an Azure Reseller who is part of the Microsoft Cloud Solution Provider (CSP) program. Microsoft Sentinel Solutions are valid for both subscription purchase paths.
Why is there a “CSP Opt-in” option on Microsoft Sentinel solution offers?
“CSP Opt-in” is a general feature of the Azure Marketplace and applies to multiple offer types, including the Azure App offer type used by Microsoft Sentinel solutions. For some publishers, there is occasionally a desire to restrict individual offers to only be deployable in subscriptions that were purchased directly through Microsoft. This is controllable via the “CSP opt-in” flag for each individual offer.
Is Microsoft Sentinel available to customers who purchased their Azure subscription from a CSP Reseller partner?
Yes. There are many customers purchasing directly from Microsoft, via a CSP Reseller and even some who purchase Azure via both programs.
What happens when you enable “CSP opt-in” for your Microsoft Sentinel Solution offer?
Quite simply, it permits your Microsoft Sentinel solution to be deployed into Microsoft Sentinel Workspaces regardless of how the customer acquired it. It is more of a pro-active stance to eliminate an message for your customers who are trying to deploy your Microsoft Sentinel Solution into a CSP purchase subscription.
What does not happen when you enable “CSP opt-in” for your Microsoft Sentinel solution offer?
You are not joining the CSP program. Each offer is individually enabled or disabled for deployability in CSP sourced subscriptions, and setting this flag for your Microsoft Sentinel solution does not affect any other offer in your Marketplace publishing account.
What will happen if you do not enable “CSP opt-in” for your Microsoft Sentinel solution offer?
If the customer who wants to deploy your solution offer, purchased their subscription from a CSP Reseller partner, the solution will not deploy and the customer will get an error message about why.