In May Microsoft announced Azure Sentinel Solutions in public preview. This feature is a gallery, powered by Azure Marketplace, where partners can publish packages that integrate their products with Azure Sentinel. A package typically bundles data connectors, workbooks, queries and analytics rule templates.
For administrators it is an easy way to add value to Azure Sentinel: select a solution in the gallery, click Create and follow the wizard. When the deployment finishes, the data connectors are added to the workspace and only need to be configured.
Currently all packages in the solution gallery are free, but I expect that once Azure Sentinel Solutions reaches general availability some solutions will be paid.
Overview of Azure Sentinel Solutions
To open Azure Sentinel Solutions, navigate to Solutions as in the following screenshot:
As you can see in the screenshot below, there are already several solutions in the gallery (Microsoft announced 32 solutions).
Select a solution to open it.
Once you have selected a solution, you land on a pane equivalent to an Azure Marketplace listing: information about the solution, the plans (pricing) and support details. To deploy the solution, click Create.
Deploy a solution
First select a resource group and a Log Analytics workspace.
The wizard informs you that a data connector will be created and that a custom log table will be added to the Log Analytics workspace.
Then specify the workbook configuration, such as its display name.
Next you get information about the analytics rule templates, such as the rule names and descriptions.
In the next pane you get information about the queries (name and description).
To finish the wizard, click Create.
Once the solution is deployed, open Azure Sentinel and go to Data connectors. Look for the solution you just deployed; you should find the related data connector there (it still has to be configured before data flows in).
Under Workbooks you should also find the related workbook.
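The post checks the deployed artifacts through the portal. The following PowerShell script is an added example, not from the original post or from Microsoft, that performs the same check from the command line so it can be run as a post-deployment test. It assumes the Az.Accounts, Az.Resources and Az.SecurityInsights modules are installed, that you are already signed in with Connect-AzAccount, and that the resource group, workspace and solution keyword values are placeholders you replace with your own.

```powershell
# Added example (not code from the original post): verify from PowerShell that
# the artifacts a solution deploys (data connector, analytics rule templates,
# workbook) are present. Requires Az.Accounts, Az.Resources, Az.SecurityInsights
# and an authenticated session (Connect-AzAccount).
# The three values below are assumptions; replace them with your own.

$ResourceGroupName = "rg-sentinel"    # assumption: resource group of the workspace
$WorkspaceName     = "law-sentinel"   # assumption: Log Analytics workspace name
$SolutionKeyword   = "Contoso"        # assumption: a word from the solution's name

# 1. Data connectors: the wizard said it would create one for the solution.
#    The cmdlet returns every connector in the workspace, so look for the new one by Name/Kind.
$connectors = Get-AzSentinelDataConnector -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName
$connectors | Select-Object Name, Kind | Format-Table -AutoSize

# 2. Analytics rule templates: a solution ships templates, not active rules.
#    Each template still has to be turned into a rule (Analytics > Rule templates > Create rule).
$templates = Get-AzSentinelAlertRuleTemplate -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName |
    Where-Object { $_.DisplayName -like "*$SolutionKeyword*" }
$templates | Select-Object DisplayName, Kind, Severity | Format-Table -AutoSize

# 3. Workbooks are Azure Monitor resources (microsoft.insights/workbooks) in the
#    resource group, not Sentinel objects, so they are listed with Get-AzResource.
$workbooks = Get-AzResource -ResourceGroupName $ResourceGroupName -ResourceType "microsoft.insights/workbooks" -ExpandProperties |
    Where-Object { $_.Properties.displayName -like "*$SolutionKeyword*" }
$workbooks | Select-Object Name, @{ n = 'DisplayName'; e = { $_.Properties.displayName } } | Format-Table -AutoSize

# 4. Fail loudly if anything is missing so the script can gate a deployment pipeline.
if (-not $connectors) { throw "No data connector found in workspace $WorkspaceName" }
if (-not $templates)  { throw "No analytics rule template matching '$SolutionKeyword' found" }
if (-not $workbooks)  { throw "No workbook matching '$SolutionKeyword' found" }
```

Run it after the wizard reports success. The keyword filter is only a convenience: the exact display names of templates and workbooks come from the solution package, so if a solution uses a different naming scheme, adjust the filter (or drop it and inspect the full lists). Note that a present connector does not mean data is flowing; the connector still has to be configured, and the custom log table the wizard mentioned only appears in the workspace once the first records arrive.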
Conclusion
Microsoft has developed a marketplace for Azure Sentinel. This is good news because it means more integrations with partner products. If partners want an integration with Azure Sentinel, they "just" have to build a package containing rules, a workbook, queries and a data connector, and publish it to Azure Sentinel Solutions. It also simplifies management for administrators, because currently the only way to integrate a third-party product that has no data connector is Syslog (or CEF).