Introducing the SolutionKB
I am building something new - a searchable database for Microsoft Sentinel Content Hub Solutions.
A quick update on my latest project, before I start my summer holidays. ☀️
You might be aware that Content Hub has a lot of templates for different kinds of Microsoft Sentinel content: Analytics Rules, Hunting Queries, Workbooks, Playbooks, Data Connectors…
However, Microsoft does not provide an easy way to browse and search this data.
The solutions can be found in the Sentinel UI and Azure Marketplace, but neither actually shows which specific content items a Solution includes. The source data is in GitHub, but it is difficult to search and view as a whole.
Without deploying the Solution to Sentinel, there is no way to see or search the actual content, for example to list all Analytics Rules in a Solution, or search for rule templates that query specific datatypes.
I am building something to address this need. The first step is now done enough to go live.
You can access the first version of my SolutionKB at https://solutionkb.secopslab.fi.
In this first step, I have imported the Analytics Rule templates to a simple web-based database that allows for searching.
For example, in the screenshot below, you can see all rule templates that match the search term “DeviceProcessEvents”.
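To illustrate the kind of search described above, here is an added example (written for this post, not the SolutionKB's own code). It takes analytics rule templates shaped like the YAML files under Solutions/<name>/Analytic Rules in the Azure-Sentinel GitHub repo (the field names name, query and requiredDataConnectors/dataTypes are assumed from that format; the three templates are constructed samples), extracts the tables each KQL query reads, returns the templates matching a table such as DeviceProcessEvents, and flags tables a query reads without declaring them as a required data type.

```python
import re

# Constructed sample templates mirroring the Azure-Sentinel YAML rule format
# (field names assumed from that format; ids, names and queries are made up).
SAMPLE_TEMPLATES = [
    {"id": "example-0001", "name": "Office app spawning PowerShell (sample)",
     "severity": "Medium", "tactics": ["Execution"],
     "requiredDataConnectors": [{"connectorId": "MicrosoftThreatProtection",
                                 "dataTypes": ["DeviceProcessEvents"]}],
     "query": "DeviceProcessEvents\n"
              "| where InitiatingProcessFileName in~ ('winword.exe', 'excel.exe')\n"
              "| where FileName =~ 'powershell.exe'"},
    {"id": "example-0002", "name": "Sign-in from anonymous IP (sample)",
     "severity": "High", "tactics": ["InitialAccess"],
     "requiredDataConnectors": [{"connectorId": "AzureActiveDirectory",
                                 "dataTypes": ["SigninLogs"]}],
     "query": "SigninLogs\n| where RiskEventTypes has 'anonymizedIPAddress'"},
    # This one reads DeviceProcessEvents in a join but only declares DeviceNetworkEvents.
    {"id": "example-0003", "name": "Outbound connection joined to process (sample)",
     "severity": "Low", "tactics": ["CommandAndControl"],
     "requiredDataConnectors": [{"connectorId": "MicrosoftThreatProtection",
                                 "dataTypes": ["DeviceNetworkEvents"]}],
     "query": "DeviceNetworkEvents\n"
              "| join kind=inner (DeviceProcessEvents | project DeviceId, ProcessId) on DeviceId\n"
              "| where RemotePort == 4444"},
]

# A table name in KQL is an identifier at the start of a line, after 'union',
# or right after an opening parenthesis (join/union subqueries), followed by a
# pipe or the end of the line. Simplified for the example; no 'let' handling.
TABLE_RE = re.compile(r"(?:^|\bunion\b|\()\s*([A-Za-z_]\w*)\s*(?=\||$)", re.MULTILINE)


def referenced_tables(query):
    """Tables the KQL query reads, as found by TABLE_RE."""
    return set(TABLE_RE.findall(query))


def declared_datatypes(template):
    """Data types the template declares via requiredDataConnectors."""
    return {dt for c in template.get("requiredDataConnectors", []) for dt in c.get("dataTypes", [])}


def search_templates(templates, table):
    """Return (name, where-matched) for templates that query or declare `table`."""
    hits = []
    for t in templates:
        where = [w for w, ok in (("query", table in referenced_tables(t["query"])),
                                 ("dataTypes", table in declared_datatypes(t))) if ok]
        if where:
            hits.append((t["name"], tuple(where)))
    return hits


def undeclared_tables(template):
    """Tables the query reads but requiredDataConnectors does not declare."""
    return referenced_tables(template["query"]) - declared_datatypes(template)
```

Searching only the declared dataTypes would miss the third template; scanning the query body is what finds every rule that actually reads DeviceProcessEvents.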
What’s next?
I already know a few specific development items that I want to implement after the summer:
Add Rule Descriptions. Likely as a collapsible column, as the data can be very long.
Add a search and filter functionality for individual columns.
Add other content types in Content Hub. Likely Playbooks or Hunting Queries next.
Hope you like it!
Let me know if you have comments or development ideas.