Home / Explore our latest insights / Microsoft Sentinel Spotlight - August 2023

Published: 1st August 2023 | In: Tech Blog

In our third Microsoft Sentinel Spotlight, Solutions Director Clive Watson brings you up to date with some of the work we’ve been doing and shares a few updates from Microsoft.

Workbook deployment

We have had our first limited-production roll-out using Workspace Manager to deploy a Workbook into some customers. This technology now enables us to push approved capabilities to customers without having to create and maintain a solution. In short, we use the tool to create a Deployment group, adding the correct customers to that group, then adding the content we wish them to have – in the most recent case it was a specific Workbook. Then we simply press “Publish”. This doesn’t replace our Pipeline tool, it’s an alternative to address some other deployment ad-hoc use cases.
Next, we will be pushing out some Automation Rules using this tool for the new Microsoft 365 data connector.

You might recall that we mentioned this in the last newsletter – Manage multiple Microsoft Sentinel workspaces with workspace manager

RSS feeds

Remember RSS feeds? Well, they are back, and Microsoft have a few for you to consume. This is an easy way of subscribing to “what’s new” for some of their products.

Here’s the full list so far:

We’ll share more in future editions as they are rolled out.


Many organisations have policies against deploying anything that’s not production-ready, yet many of them miss out on current functionality because the stages aren’t clearly defined. A lot of organisations treat Public Preview like it is still a beta product when the only thing really missing is the service level agreement (SLA).

Here’s the best way to think about them:

  • Private Preview is feature complete, not publicly announced (unless you are under NDA), not recommended for production use, no SLA
  • Public Preview is feature complete, recommended for production use, but may not be available to all the customers in a region, excluded from SLA
  • GA (Generally Availability) is available to all customers in a region, starting to rollout to multiple regions, backed by the SLA.

Content Hub is now generally available

Along with the GA of content hub, the content hub centralization changes announced in February have also taken effect. For more information on these changes and their impact, including more details about the tool provided to reinstate IN USE gallery templates, see Out-of-the-box (OO TB) content centralization changes. As part of the deployment for GA, the default view of the content hub is now the List view. The install process is streamlined as well. When selecting Install or Install/Update, the experience behaves like bulk installation. Check out more information on the content hub GA, from Microsoft.

There is a nice third-party solution that helps you browse this library in more detail: SolutionKB.secopslab.fi.

Detection Engineering


We’ve mainly been looking at the “Doing things early” tasks in the past month. We call this task “adoption”. This is us looking at the demand and doing the work to predict what you may be requiring from your Detections and getting the code ready to be deployed in the pipeline. The Detections may just be informational until we can validate the use cases.

New products added (or updated):

  • Salesforce
  • CrowdStrike
  • Network Essentials – we’ve been working with Microsoft on a few of these; we have some new versions to test now, based on our feedback to them
  • Dynamics Customer Engagement (CE) rules – now ready.

Deprecated Analytic Rules

We have checked the recently Deprecated list from Microsoft and will retire those rules – these are mainly ones with an outdated indicator of compromise (IOC).