Microsoft Sentinel Content Pack Overview

Updated on 23 Jun 2023
1 Minute to read

Print
Dark

Light

Article Summary

Share feedback

Thanks for sharing your feedback!

Overview

Microsoft Sentinel™ is a cloud-based security information and event management (SIEM) solution focused on delivering timely, comprehensive security information to an organization. Major use cases for Microsoft Sentinel include detecting, investigating, and responding to threats. ThreatConnect^® offers a Content Pack that supports the following use cases for managing incidents and alerts in Microsoft Sentinel and importing them into ThreatConnect for further analysis and investigation:

Using the ThreatConnect TAXII™ 2.1 server to bulk import Indicators from ThreatConnect into Microsoft Sentinel
Using Microsoft^® Kusto Query Language (KQL) queries to import incidents and alerts from Microsoft Sentinel into ThreatConnect
Retrieving incidents from Microsoft Sentinel and creating Incident Groups in ThreatConnect
Retrieving incidents from Microsoft Sentinel and creating Workflow Cases in ThreatConnect

Before You Start

Minimum Role(s)	Organization role of Ready Only User (for importing Playbook Templates as Playbooks) Organization role of Standard User (for activating, executing, and modifying Playbooks) Organization role of Organization Administrator (for creating a TAXII™ user account) System role of Administrator (for installing the Microsoft Sentinel Content Pack on the TC Exchange™ Settings screen, and for installing, configuring, and activating the TAXII 2.1 Server Service)
Prerequisites	Playbooks and Workflow enabled by a System Administrator Permissions to register an app, and an Azure Active Directory™ (AD) tenant created, in the Azure^® portal Access to a Microsoft Sentinel instance

Minimum Role(s)

Organization role of Ready Only User (for importing Playbook Templates as Playbooks)
Organization role of Standard User (for activating, executing, and modifying Playbooks)
Organization role of Organization Administrator (for creating a TAXII™ user account)
System role of Administrator (for installing the Microsoft Sentinel Content Pack on the TC Exchange™ Settings screen, and for installing, configuring, and activating the TAXII 2.1 Server Service)

Prerequisites

Playbooks and Workflow enabled by a System Administrator
Permissions to register an app, and an Azure Active Directory™ (AD) tenant created, in the Azure^® portal
Access to a Microsoft Sentinel instance

Additional Resources

ThreatConnect^® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.
Azure^® and Microsoft^® are registered trademarks, and Active Directory™ and Microsoft Sentinel™ are trademarks, of Microsoft Corporation.
TAXII™ is a trademark of The MITRE Corporation.

20153-01 v.01.A

Was this article helpful?

What's Next

Installing and Configuring the Microsoft Sentinel Content Pack

Table of contents

Overview
Before You Start
Additional Resources