Rationale
While tailored SIEM implementations are immensely beneficial to an enterprise (and we continue to strive towards that), there may be instances where an enterprise is:
- New to SIEM and would like to know how to quickly extract value from data
- New to Azure Sentinel and would like to learn how to navigate within the product and assess its features
The intention of SOC in a Box is to provide guidance around what configurations can be made within Azure Sentinel, reducing the time to deploy and ensuring a structured outcome. The content packages outline which Connectors, Analytics Rules and Workbooks should be enabled - depending on the data sources an enterprise has, one or more content packages can be deployed.
| Content Package | Description |
|---|---|
| Azure | Common Azure services data (e.g. Azure Activity, Azure Security Center, Azure Firewall, etc.) |
| M365 | Common Microsoft suite data sources (e.g. AAD, Office 365, MTP solutions, etc.) |
| Infrastructure | Common infrastructure data sources (e.g. Windows Security Events, Syslog, etc.) |
| Non Billable Sources | Non-billable data sources (e.g. Office 365, Azure Activity, etc.) |
In these content packages, only a subset of all the native Connectors / Analytics Rules / Workbooks are enabled; these are the ones typically considered essential (based on a generic enterprise profile). The remainder can always be enabled if deemed relevant.
For content packages covering more advanced use cases, refer to the Advanced Content section in the navigation bar on the left.