What's new in Microsoft Sentinel

This article lists recent features added for Microsoft Sentinel, and new features in related services that provide an enhanced user experience in Microsoft Sentinel.

The listed features were released in the last three months. For information about earlier features delivered, see our Tech Community blogs.

Tip

Get notified when this page is updated by copying and pasting the following URL into your feed reader:

https://aka.ms/sentinel/rss

Note

For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.

March 2024

Codeless connector builder (preview)

We now have a workbook to help navigate the complex JSON involved in deploying an ARM template for codeless connector platform (CCP) data connectors. Use the friendly interface of the codeless connector builder to simplify your development.

See our blog post for more details, Create Codeless Connectors with the Codeless Connector Builder (Preview).

For more information on the CCP, see Create a codeless connector for Microsoft Sentinel (Public preview).

SIEM migration experience (preview)

The new Microsoft Sentinel Migration experience helps customers and partners to automate the process of migrating their security monitoring use cases hosted in non-Microsoft products into Microsoft Sentinel.

  • This first version of the tool supports migrations from Splunk

For more information, see Migrate to Microsoft Sentinel with the SIEM migration experience.

Data connectors for Syslog and CEF based on Azure Monitor Agent now generally available (GA)

Microsoft Sentinel has released two more data connectors based on the Azure Monitor Agent (AMA) to general availability. You can now use these connectors to deploy Data Collection Rules (DCRs) to Azure Monitor Agent-installed machines to collect Syslog messages, including those in Common Event Format (CEF).

To learn more about the Syslog and CEF connectors, see Ingest Syslog and CEF logs with the Azure Monitor Agent.

February 2024

Microsoft Sentinel solution for Microsoft Power Platform preview available

The Microsoft Sentinel solution for Power Platform (preview) allows you to monitor and detect suspicious or malicious activities in your Power Platform environment. The solution collects activity logs from different Power Platform components and inventory data. It analyzes those activity logs to detect threats and suspicious activities like the following activities:

  • Power Apps execution from unauthorized geographies
  • Suspicious data destruction by Power Apps
  • Mass deletion of Power Apps
  • Phishing attacks made possible through Power Apps
  • Power Automate flows activity by departing employees
  • Microsoft Power Platform connectors added to the environment
  • Update or removal of Microsoft Power Platform data loss prevention policies

Find this solution in the Microsoft Sentinel content hub.

For more information, see:

New Google Pub/Sub-based connector for ingesting Security Command Center findings (Preview)

You can now ingest logs from Google Security Command Center, using the new Google Cloud Platform (GCP) Pub/Sub-based connector (now in PREVIEW).

The Google Cloud Platform (GCP) Security Command Center is a robust security and risk management platform for Google Cloud. It provides features such as asset inventory and discovery, detection of vulnerabilities and threats, and risk mitigation and remediation. These capabilities help you gain insights into and control over your organization's security posture and data attack surface, and enhance your ability to efficiently handle tasks related to findings and assets.

The integration with Microsoft Sentinel allows you to have visibility and control over your entire multicloud environment from a "single pane of glass."

Incident tasks now generally available (GA)

Incident tasks, which help you standardize your incident investigation and response practices so you can more effectively manage incident workflow, are now generally available (GA) in Microsoft Sentinel.

AWS and GCP data connectors now support Azure Government clouds

Microsoft Sentinel data connectors for Amazon Web Services (AWS) and Google Cloud Platform (GCP) now include supporting configurations to ingest data into workspaces in Azure Government clouds.

The configurations for these connectors for Azure Government customers differ slightly from the public cloud configuration. See the relevant documentation for details:

Windows DNS Events via AMA connector now generally available (GA)

Windows DNS events can now be ingested to Microsoft Sentinel using the Azure Monitor Agent with the now generally available data connector. This connector allows you to define Data Collection Rules (DCRs) and powerful, complex filters so that you ingest only the specific DNS records and fields you need.

January 2024

Reduce false positives for SAP systems with analytics rules

Use analytics rules together with the Microsoft Sentinel solution for SAP® applications to lower the number of false positives triggered from your SAP® systems. The Microsoft Sentinel solution for SAP® applications now includes the following enhancements:

  • The SAPUsersGetVIP function now supports excluding users according to their SAP-given roles or profile.

  • The SAP_User_Config watchlist now supports using wildcards in the SAPUser field to exclude all users with a specific syntax.

For more information, see Microsoft Sentinel solution for SAP® applications data reference and Handle false positives in Microsoft Sentinel.

November 2023

Take advantage of Microsoft Defender for Cloud integration with Microsoft Defender XDR (Preview)

Microsoft Defender for Cloud is now integrated with Microsoft Defender XDR, formerly known as Microsoft 365 Defender. This integration, currently in Preview, allows Defender XDR to collect alerts from Defender for Cloud and create Defender XDR incidents from them.

Thanks to this integration, Microsoft Sentinel customers who have enabled Defender XDR incident integration will now be able to ingest and synchronize Defender for Cloud incidents, with all their alerts, through Microsoft Defender XDR.

To support this integration, Microsoft has added a new Tenant-based Microsoft Defender for Cloud (Preview) connector. This connector will allow Microsoft Sentinel customers to receive Defender for Cloud alerts and incidents across their entire tenants, without having to monitor and maintain the connector's enrollment to all their Defender for Cloud subscriptions.

This connector can be used to ingest Defender for Cloud alerts, regardless of whether you have Defender XDR incident integration enabled.

Near-real-time rules now generally available

Microsoft Sentinel’s near-real-time analytics rules are now generally available (GA). These highly responsive rules provide up-to-the-minute threat detection by running their queries at intervals just one minute apart.

Elevate your cybersecurity intelligence with enrichment widgets (Preview)

Enrichment widgets in Microsoft Sentinel are dynamic components designed to provide you with in-depth, actionable intelligence about entities. They integrate external and internal content and data from various sources, offering a comprehensive understanding of potential security threats. These widgets serve as a powerful enhancement to your cybersecurity toolkit, offering both depth and breadth in information analysis.

Widgets are already available in Microsoft Sentinel today (in Preview). They currently appear for IP entities, both on their full entity pages and on their entity info panels that appear in Incident pages. These widgets show you valuable information about the entities, from both internal and third-party sources.

What makes widgets essential in Microsoft Sentinel?

  • Real-time updates: In the ever-evolving cybersecurity landscape, real-time data is of paramount importance. Widgets provide live updates, ensuring that your analysts are always looking at the most recent data.

  • Integration: Widgets are seamlessly integrated into Microsoft Sentinel data sources, drawing from their vast reservoir of logs, alerts, and intelligence. This integration means that the visual insights presented by widgets are backed by the robust analytical power of Microsoft Sentinel.

In essence, widgets are more than just visual aids. They are powerful analytical tools that, when used effectively, can greatly enhance the speed and efficiency of threat detection, investigation, and response.

October 2023

Microsoft Applied Skill available for Microsoft Sentinel

This month Microsoft Worldwide Learning announced Applied Skills to help you acquire the technical skills you need to reach your full potential. Microsoft Sentinel is included in the initial set of credentials offered! This credential is based on the learning path with the same name.

Changes to the documentation table of contents

We've made some significant changes in how the Microsoft Sentinel documentation is organized in the table of contents on the left-hand side of the library. Two important things to know:

  • Bookmarked links persist. Unless we retire an article, your saved and shared links to Microsoft Sentinel articles still work.
  • Articles used to be divided by concepts, how-tos, and tutorials. Now, the articles are organized by lifecycle or scenario with the related concepts, how-tos, and tutorials in those buckets.

We hope these changes to the organization make your exploration of Microsoft Sentinel documentation more intuitive!

September 2023

Improve SOX compliance with new workbook for SAP

The SAP Audit Controls workbook is now provided to you as part of the Microsoft Sentinel solution for SAP® applications.

This workbook helps you check your SAP® environment's security controls for compliance with your chosen control framework, be it SOX, NIST, or a custom framework of your choice.

The workbook provides tools for you to assign analytics rules in your environment to specific security controls and control families, monitor and categorize the incidents generated by the SAP solution-based analytics rules, and report on your compliance.

Learn more about the SAP Audit Controls workbook.

August 2023

New incident investigation experience is now GA

Microsoft Sentinel's comprehensive incident investigation and case management experience is now generally available in both commercial and government clouds. This experience includes the revamped incident page, which itself includes displays of the incident's entities, insights, and similar incidents for comparison. The new experience also includes an incident log history and a task list.

Also generally available are the similar incidents widget and the ability to add entities to your threat intelligence list of indicators of compromise (IoCs).

Updated MISP2Sentinel solution

The open source threat intelligence sharing platform, MISP, has an updated solution to push indicators to Microsoft Sentinel. This notable solution utilizes the new upload indicators API to take advantage of workspace granularity and align the MISP ingested TI to STIX-based properties.

Learn more about the implementation details from the MISP blog entry for MISP2Sentinel.
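As an added example (not code from the MISP2Sentinel project or this page), the following converts MISP attributes into STIX 2.1 indicators and batches them for the upload indicators API the solution uses. The endpoint URL, the 100-indicator batch limit, the type mapping subset and the sample attributes are this example's assumptions or constructed values.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Endpoint shape and the 100-indicator batch limit are this example's assumptions; verify them against the API reference.
UPLOAD_URL = "https://sentinelus.azure-api.net/workspaces/{workspace_id}/threatintelligenceindicators:upload?api-version=2022-07-01"
MAX_PER_REQUEST = 100

# Subset of MISP attribute types mapped to STIX 2.1 cyber-observable object paths.
MISP_TO_STIX = {
    "ip-dst": "ipv4-addr:value", "ip-src": "ipv4-addr:value",
    "domain": "domain-name:value", "url": "url:value",
    "md5": "file:hashes.MD5", "sha256": "file:hashes.'SHA-256'",
}

def misp_attribute_to_stix(attr: dict) -> dict:
    """Turn one MISP attribute into a STIX 2.1 indicator, carrying MISP tags as labels."""
    path = MISP_TO_STIX[attr["type"]]  # unsupported types raise KeyError on purpose
    value = attr["value"].replace("\\", "\\\\").replace("'", "\\'")  # STIX pattern escaping
    ts = datetime.fromtimestamp(int(attr["timestamp"]), tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator", "spec_version": "2.1",
        "id": f"indicator--{attr['uuid']}",  # reuse the MISP UUID so re-uploads update in place
        "created": ts, "modified": ts, "valid_from": ts,
        "name": attr.get("comment") or f"MISP {attr['type']}: {attr['value']}",
        "pattern": f"[{path} = '{value}']", "pattern_type": "stix", "indicator_types": ["malicious-activity"],
        "labels": [t["name"] for t in attr.get("Tag", [])],
    }

def build_upload_bodies(attrs: list, source: str = "MISP") -> list:
    """Convert and batch indicators into request bodies sized for the upload API."""
    stix = [misp_attribute_to_stix(a) for a in attrs]
    return [{"sourcesystem": source, "value": stix[i:i + MAX_PER_REQUEST]}
            for i in range(0, len(stix), MAX_PER_REQUEST)]

def upload(workspace_id: str, bearer_token: str, body: dict) -> int:
    """POST one batch with an Entra ID bearer token; returns the HTTP status code."""
    req = urllib.request.Request(
        UPLOAD_URL.format(workspace_id=workspace_id), data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {bearer_token}", "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status

SAMPLE_ATTRS = [  # constructed sample MISP attributes (reserved example values, not real indicators)
    {"uuid": "3fa1c2d4-0000-4000-8000-000000000001", "type": "ip-dst", "value": "203.0.113.5",
     "timestamp": "1692000000", "comment": "", "Tag": [{"name": "tlp:amber"}]},
    {"uuid": "3fa1c2d4-0000-4000-8000-000000000002", "type": "domain", "value": "bad.example.net",
     "timestamp": "1692000000", "comment": "constructed sample", "Tag": []},
]
```

Because the indicator id is derived from the MISP UUID, re-running the sync updates existing indicators in the workspace instead of creating duplicates.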

New and improved entity pages

Microsoft Sentinel now provides you enhanced and enriched entity pages and panels, giving you more security information on user accounts, full entity data to enrich your incident context, and a reduction in latency for a faster, smoother experience.

Next steps