
Content hub

If you are new to Sentinel or are setting up a new environment, chances are you will want to start here. The content hub is full of Microsoft-created solutions and packages as well as community-created solutions and packages. You can see all of this content on GitHub, located here. Accessing GitHub is not necessary, but as you get more advanced with Sentinel, possibly working in multiple workspaces, you will likely want access to some of the data and files there.

Installing content

When you install content from the content hub, it is typically a solution containing multiple components, but you can also install individual pieces of content such as workbooks and automations. Some of the components you will likely see include:

  • Data connectors
  • Parsers
  • Analytic rules
  • Workbooks
  • Hunting queries
  • Threat intelligence

You can install a solution individually or select multiple at a time and install them all at once.

Tip

As of February 2025, the Sentinel content hub was changed. This change made it easier to see the content of a solution without installing it and added AI to content searches.

It has also made it a bit harder to find the content you are looking for, in my opinion. I have not found a great solution to this yet, but when I do I will update this tip!

When you select content, a flyout window should open from the right-hand side, giving you a brief description, who supports the solution, and what content is included. You will also likely see a field that says Pricing: Free. Note that this is the price to install the solution, not the price to ingest data if this is a data connector. Think of it like the app store on your phone: the solution is free to install but may include "in-app purchases".

Installing a solution will not start to ingest data automatically, so it is fine to install some content and then later choose to uninstall it.