---
title: "Microsoft Sentinel Content Pack Overview | ThreatConnect"
slug: "microsoft-sentinel-content-pack-overview"
description: "This article provides an overview of the Microsoft Sentinel Content Pack in ThreatConnect, the corresponding minimum roles and prerequisites needed to use it, and additional Microsoft Sentinel resources."
updated: 2023-06-23T16:42:21Z
published: 2023-06-23T16:42:21Z
canonical: "knowledge.threatconnect.com/microsoft-sentinel-content-pack-overview"
---

# Microsoft Sentinel Content Pack Overview

## Overview

Microsoft Sentinel™ is a cloud-based security information and event management (SIEM) solution focused on delivering timely, comprehensive security information to an organization. Major use cases for Microsoft Sentinel include detecting, investigating, and responding to threats. ThreatConnect® offers a Content Pack that supports the following use cases for managing incidents and alerts in Microsoft Sentinel and importing them into ThreatConnect for further analysis and investigation:

- Using the [ThreatConnect TAXII™ 2.1 server](https://knowledge.threatconnect.com/docs/taxii-21-server) to bulk import Indicators from ThreatConnect into Microsoft Sentinel
- Using Microsoft® [Kusto Query Language (KQL)](https://learn.microsoft.com/en-us/azure/sentinel/kusto-overview) queries to import incidents and alerts from Microsoft Sentinel into ThreatConnect
- Retrieving incidents from Microsoft Sentinel and creating Incident Groups in ThreatConnect
- Retrieving incidents from Microsoft Sentinel and creating [Workflow Cases](https://knowledge.threatconnect.com/docs/workflow-cases) in ThreatConnect

## Before You Start

| Minimum Role(s) | - Organization role of Read Only User (for importing [Playbook Templates](https://knowledge.threatconnect.com/docs/playbook-templates) as [Playbooks](https://knowledge.threatconnect.com/docs/playbooks))<br>- Organization role of Standard User (for activating, executing, and modifying Playbooks)<br>- Organization role of Organization Administrator (for creating a TAXII™ user account)<br>- System role of Administrator (for installing the Microsoft Sentinel Content Pack on the **TC Exchange™ Settings** screen, and for installing, configuring, and activating the TAXII 2.1 Server Service) |
| --- | --- |
| Prerequisites | - Playbooks and Workflow enabled by a System Administrator<br>- Permissions to register an app, and an Azure Active Directory™ (AD) tenant created, in the Azure® portal<br>- Access to a Microsoft Sentinel instance |

## Additional Resources

- [Microsoft Sentinel API Versions](https://learn.microsoft.com/en-us/rest/api/securityinsights/api-versions)
- [Microsoft Sentinel Entity Types Reference](https://learn.microsoft.com/en-us/azure/sentinel/entities-reference)
- [Microsoft Sentinel Incidents API Reference](https://learn.microsoft.com/en-us/rest/api/securityinsights/preview/incidents)

---

*ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc. Azure® and Microsoft® are registered trademarks, and Active Directory™ and Microsoft Sentinel™ are trademarks, of Microsoft Corporation. TAXII™ is a trademark of The MITRE Corporation.*

20153-01 v.01.A
