A colleague and I were just discussing some recent changes in how the Solutions in the Microsoft Sentinel Content Hub install and how the Content Hub view itself has been refreshed.
The changes happened overnight and were unannounced: on Tuesday things worked the old way, and by Wednesday afternoon they worked a new way. Unannounced changes to the way things work sometimes lead customers to think something is amiss and that there’s a potential bug. That’s not the case here. Here’s what’s changed.
First off, the Content Hub default view is now List Mode. You can switch it back to the old Card View, but as soon as you move from the Content Hub and back again, it defaults back to List Mode.
I don’t mind this change at all. The Card View took up more space and you could actually see less at one time. But I rarely peruse the Solutions like a catalog anyway. I tend to use the search function instead. But the true beauty of this view is that you can select multiple solutions using the checkbox to install more than one at once.
Secondly, there’s no longer a step-through wizard for installing some (only some) Solutions. Instead you have two options: Install and View Results.
Once you click the Install button for one of the affected Solutions, it starts installing immediately. Using the old (pre-Wednesday) method, you would step through to review the supplied content prior to finalizing your decision to install the Solution. Now, if you want to see the supplied content (rules, connectors, queries, Workbooks), click the View Details link.
You can tell the difference between the ones that have the wizard installation and the ones that don’t. The ones that have the wizard-driven installation don’t have the View Details link option.
These are small changes, but it’s continuing proof that an investment in Microsoft Sentinel as your organization’s SIEM means you have the most current version of the product every time you open it. And that’s a good thing. Remember the old days when you had to take down the SIEM (leaving a gap in coverage) just to update the SIEM?