What's new in Azure Sentinel
This article lists recent features added for Azure Sentinel, and new features in related services that provide an enhanced user experience in Azure Sentinel.
Noted features are currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
For information about feature availability in US Government clouds, see the Azure Sentinel tables in Cloud feature availability for US Government customers.
Our threat hunting teams across Microsoft contribute queries, playbooks, workbooks, and notebooks to the Azure Sentinel Community, including specific hunting queries that your teams can adapt and use.
You can also contribute! Join us in the Azure Sentinel Threat Hunters GitHub community.
New in docs: scaling data connector documentation
As we continue to add more and more built-in data connectors for Azure Sentinel, we've reorganized our data connector documentation to reflect this scaling.
For most data connectors, we've replaced full articles that describe an individual connector with a series of generic procedures and a full reference of all currently supported connectors.
Check the Azure Sentinel data connectors reference for details about your connector, including references to the relevant generic procedure, as well as extra information and configurations required.
For more information, see:
Conceptual information: Connect data sources
Generic how-to articles:
- Connect to Azure, Windows, Microsoft, and Amazon services
- Connect your data source to Azure Sentinel's Data Collector API to ingest data
- Get CEF-formatted logs from your device or appliance into Azure Sentinel
- Collect data from Linux-based sources using Syslog
- Collect data in custom log formats to Azure Sentinel with the Log Analytics agent
- Use Azure Functions to connect your data source to Azure Sentinel
- Resources for creating Azure Sentinel custom connectors
Azure Storage account connector changes
Due to some changes made within the Azure Storage account resource configuration itself, the connector also needs to be reconfigured. The storage account (parent) resource has within it other (child) resources for each type of storage: files, tables, queues, and blobs.
When configuring diagnostics for a storage account, you must select and configure, in turn:
- The parent account resource, exporting the Transaction metric.
- Each of the child storage-type resources, exporting all the logs and metrics (see the table above).
You will only see the storage types that you actually have defined resources for.
- Advanced incident search (Public preview)
- Fusion detection for Ransomware (Public preview)
- Watchlist templates for UEBA data
- File event normalization schema (Public preview)
- New in docs: Best practice guidance
Advanced incident search (Public preview)
By default, incident searches run across the Incident ID, Title, Tags, Owner, and Product name values only. Azure Sentinel now provides advanced search options to search across more data, including alert details, descriptions, entities, tactics, and more.
For more information, see Search for incidents.
Fusion detection for Ransomware (Public preview)
Azure Sentinel now provides new Fusion detections for possible ransomware activity, generating incidents titled Multiple alerts possibly related to Ransomware activity detected.
Incidents are generated for alerts that are possibly associated with Ransomware activities, when they occur during a specific time-frame, and are associated with the Execution and Defense Evasion stages of an attack. You can use the alerts listed in the incident to analyze the techniques possibly used by attackers to compromise a host/device and to evade detection.
Supported data connectors include:
- Azure Defender (Azure Security Center)
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Cloud App Security
- Azure Sentinel scheduled analytics rules
For more information, see Multiple alerts possibly related to Ransomware activity detected.
Watchlist templates for UEBA data (Public preview)
Azure Sentinel now provides built-in watchlist templates for UEBA data, which you can customize for your environment and use during investigations.
After UEBA watchlists are populated with data, you can correlate that data with analytics rules, view it in the entity pages and investigation graphs as insights, create custom uses such as to track VIP or sensitive users, and more.
Watchlist templates currently include:
- VIP Users. A list of user accounts of employees that have high impact value in the organization.
- Terminated Employees. A list of user accounts of employees that have been, or are about to be, terminated.
- Service Accounts. A list of service accounts and their owners.
- Identity Correlation. A list of related user accounts that belong to the same person.
- High Value Assets. A list of devices, resources, or other assets that have critical value in the organization.
- Network Mapping. A list of IP subnets and their respective organizational contexts.
File Event normalization schema (Public preview)
The Azure Sentinel Information Model (ASIM) now supports a File Event normalization schema, which is used to describe file activity, such as creating, modifying, or deleting files or documents. File events are reported by operating systems, file storage systems such as Azure Files, and document management systems such as Microsoft SharePoint.
For more information, see:
- Azure Sentinel File Event normalization schema reference (Public preview)
- Normalization and the Azure Sentinel Information Model (ASIM)
New in docs: Best practice guidance
In response to multiple requests from customers and our support teams, we've added a series of best practice guidance to our documentation.
For more information, see:
- Prerequisites for deploying Azure Sentinel
- Best practices for Azure Sentinel
- Azure Sentinel workspace architecture best practices
- Design your Azure Sentinel workspace architecture
- Azure Sentinel sample workspace designs
- Data collection best practices
You can find more guidance added across our documentation in relevant conceptual and how-to articles. For more information, see Additional best practice references.
- Microsoft Threat Intelligence Matching Analytics (Public preview)
- Use Azure AD data with Azure Sentinel's IdentityInfo table (Public preview)
- Enrich Entities with geolocation data via API (Public preview)
- Support for ADX cross-resource queries (Public preview)
- Watchlists are in general availability
- Support for data residency in more geos
- Bidirectional sync in Azure Defender connector (Public preview)
Microsoft Threat Intelligence Matching Analytics (Public preview)
Azure Sentinel now provides the built-in Microsoft Threat Intelligence Matching Analytics rule, which matches Microsoft-generated threat intelligence data with your logs. This rule generates high-fidelity alerts and incidents, with appropriate severities based on the context of the logs detected. After a match is detected, the indicator is also published to your Azure Sentinel threat intelligence repository.
The Microsoft Threat Intelligence Matching Analytics rule currently matches domain indicators against the following log sources:
For more information, see Detect threats using matching analytics (Public preview).
Use Azure AD data with Azure Sentinel's IdentityInfo table (Public preview)
Because attackers often use an organization's own user and service accounts, data about those accounts, including user identification and privileges, is crucial to analysts during an investigation.
Now, enabling UEBA in your Azure Sentinel workspace also synchronizes Azure AD data into the new IdentityInfo table in Log Analytics. Each synchronization between Azure AD and the IdentityInfo table creates a snapshot of your user profile data that includes user metadata, group information, and the Azure AD roles assigned to each user.
Use the IdentityInfo table during investigations and when fine-tuning analytics rules for your organization to reduce false positives.
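As an added example (not code from the original article), the following KQL query joins recent sign-ins with the latest IdentityInfo snapshot to surface successful sign-ins by accounts that hold a privileged Azure AD role and that appear from more than one IP address within an hour. The column names AccountObjectId, AccountUPN and AssignedRoles on IdentityInfo, and UserPrincipalName, ResultType and IPAddress on SigninLogs, are assumed from the standard schemas; the list of role names is a constructed sample, so adjust both to your workspace.

```kusto
// Added example: successful sign-ins by privileged accounts seen from several IPs in one hour.
// Role names below are a constructed sample; IdentityInfo and SigninLogs column names are assumed.
let privilegedRoles = dynamic(["Global Administrator", "Privileged Role Administrator", "Security Administrator"]);
// IdentityInfo is a snapshot table, so keep only the newest row per account before filtering.
let latestIdentity =
    IdentityInfo
    | where TimeGenerated > ago(14d)
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | where array_length(set_intersect(AssignedRoles, privilegedRoles)) > 0
    | project AccountUPN = tolower(AccountUPN), AssignedRoles;
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"                                   // "0" = successful sign-in
| extend UserPrincipalName = tolower(UserPrincipalName)     // normalize case before joining
| join kind=inner latestIdentity on $left.UserPrincipalName == $right.AccountUPN
| summarize SignIns = count(), DistinctIPs = dcount(IPAddress), Roles = take_any(AssignedRoles)
    by UserPrincipalName, bin(TimeGenerated, 1h)
| where DistinctIPs > 1                                     // same privileged account, several source IPs
| order by DistinctIPs desc
```

The arg_max step matters: because every synchronization writes a fresh snapshot, joining against the raw table would duplicate each sign-in once per snapshot and could match roles that have since been removed.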
Enrich entities with geolocation data via API (Public preview)
Azure Sentinel now offers an API to enrich your data with geolocation information. Geolocation data can then be used to analyze and investigate security incidents.
Support for ADX cross-resource queries (Public preview)
The hunting experience in Azure Sentinel now supports ADX cross-resource queries.
Although Log Analytics remains the primary data storage location for performing analysis with Azure Sentinel, there are cases where ADX is required to store data due to cost, retention periods, or other factors. This capability enables customers to hunt over a wider set of data and view the results in the Azure Sentinel hunting experiences, including hunting queries, livestream, and the Log Analytics search page.
To query data stored in ADX clusters, use the adx() function to specify the ADX cluster, database name, and desired table. You can then query the output as you would any other table. See more information in the pages linked above.
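As an added example (not from the original article) of the adx() function described above, the following hunting query unions firewall records archived in an ADX cluster with the recent records still in Log Analytics, then looks for sources that were allowed to reach RDP over the combined window. The cluster URL, database name and the assumption that the archived table keeps the CommonSecurityLog name and schema are placeholders; replace them with your own.

```kusto
// Added example: hunt across an ADX archive and the live Log Analytics table in one query.
// The adx() argument is a placeholder; substitute your cluster URL and database.
let archived =
    adx('https://<your-cluster>.<region>.kusto.windows.net/<database>').CommonSecurityLog
    | where TimeGenerated between (ago(180d) .. ago(30d));   // older data kept in ADX for cost/retention
let recent =
    CommonSecurityLog
    | where TimeGenerated > ago(30d);                         // current data in the Sentinel workspace
union archived, recent
| where DestinationPort == 3389 and DeviceAction =~ "allow"  // allowed inbound RDP (assumed column values)
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Connections = count(), Targets = dcount(DestinationIP)
    by SourceIP
| where Targets > 5                                          // one source reaching many internal hosts
| order by Targets desc, Connections desc
```

Because the archived and live branches are evaluated on different services, filter each branch on TimeGenerated before the union so that neither side scans more than it needs to.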
Watchlists are in general availability
The watchlists feature is now generally available. Use watchlists to enrich alerts with business data, to create allowlists or blocklists against which to check access events, and to help investigate threats and reduce alert fatigue.
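As an added example (not from the original article) covering both the allowlist/blocklist use described here and the UEBA watchlist correlation mentioned earlier, the following KQL reads two watchlists with the built-in _GetWatchlist() function and uses them to suppress expected source addresses and flag known-bad ones in sign-in data. The watchlist aliases IPAllowlist and IPBlocklist are assumed, and the query assumes each watchlist's SearchKey column holds the IP address.

```kusto
// Added example: apply allowlist/blocklist watchlists to sign-in activity.
// Watchlist aliases are assumed; SearchKey is the watchlist column chosen as the lookup key.
let allowed = _GetWatchlist('IPAllowlist') | project SearchKey;
let blocked = _GetWatchlist('IPBlocklist') | project SearchKey;
SigninLogs
| where TimeGenerated > ago(1d)
| where IPAddress !in (allowed)                              // drop sources the business has vetted
| summarize Attempts = count(), Failures = countif(ResultType != "0")
    by IPAddress, UserPrincipalName
| extend OnBlocklist = IPAddress in (blocked)               // tag sources that match the blocklist
| where OnBlocklist or Failures >= 10                        // known-bad source, or brute-force pattern
| order by OnBlocklist desc, Failures desc
```

Maintaining the vetted addresses in a watchlist rather than hard-coding them in the rule means analysts can update the list without editing and redeploying the analytics rule itself.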
Support for data residency in more geos
Azure Sentinel now supports full data residency in the following additional geos:
Brazil, Norway, South Africa, Korea, Germany, United Arab Emirates (UAE), and Switzerland.
See the complete list of supported geos for data residency.
Bidirectional sync in Azure Defender connector (Public preview)
The Azure Defender connector now supports bi-directional syncing of alerts' status between Defender and Azure Sentinel. When you close a Sentinel incident containing a Defender alert, the alert will automatically be closed in the Defender portal as well.
- Upgrades for normalization and the Azure Sentinel Information Model
- Updated service-to-service connectors
- Export and import analytics rules (Public preview)
- Alert enrichment: alert details (Public preview)
- More help for playbooks!
- New documentation reorganization
Upgrades for normalization and the Azure Sentinel Information Model
The Azure Sentinel Information Model enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
In this month's update, we've enhanced our normalization documentation, providing new levels of detail and full DNS, process event, and authentication normalization schemas.
For more information, see:
- Normalization and the Azure Sentinel Information Model (ASIM) (updated)
- Azure Sentinel Authentication normalization schema reference (Public preview) (new!)
- Azure Sentinel data normalization schema reference
- Azure Sentinel DNS normalization schema reference (Public preview) (new!)
- Azure Sentinel Process Event normalization schema reference (Public preview) (new!)
- Azure Sentinel Registry Event normalization schema reference (Public preview) (new!)
Updated service-to-service connectors
Two of our most-used connectors have been the beneficiaries of major upgrades.
The Windows security events connector (Public preview) is now based on the new Azure Monitor Agent (AMA), allowing you far more flexibility in choosing which data to ingest, and giving you maximum visibility at minimum cost.
The Azure activity logs connector is now based on the diagnostics settings pipeline, giving you more complete data, greatly reduced ingestion lag, and better performance and reliability.
The upgrades are not automatic. Users of these connectors are encouraged to enable the new versions.
Export and import analytics rules (Public preview)
You can now export your analytics rules to JSON-format Azure Resource Manager (ARM) template files, and import rules from these files, as part of managing and controlling your Azure Sentinel deployments as code. Any type of analytics rule - not just Scheduled - can be exported to an ARM template. The template file includes all the rule's information, from its query to its assigned MITRE ATT&CK tactics.
For more information, see Export and import analytics rules to and from ARM templates.
Alert enrichment: alert details (Public preview)
In addition to enriching your alert content with entity mapping and custom details, you can now custom-tailor the way alerts - and by extension, incidents - are presented and displayed, based on their particular content. Like the other alert enrichment features, this is configurable in the analytics rule wizard.
For more information, see Customize alert details in Azure Sentinel.
More help for playbooks!
Two new documents can help you get started or get more comfortable with creating and working with playbooks.
- Authenticate playbooks to Azure Sentinel helps you understand the different authentication methods by which Logic Apps-based playbooks can connect to and access information in Azure Sentinel, and when it's appropriate to use each one.
- Use triggers and actions in playbooks explains the difference between the incident trigger and the alert trigger and which to use when, and shows you some of the different actions you can take in playbooks in response to incidents, including how to access the information in custom details.
Playbook documentation also explicitly addresses the multi-tenant MSSP scenario.
New documentation reorganization
This month we've reorganized our Azure Sentinel documentation, restructuring into intuitive categories that follow common customer journeys. Use the filtered docs search and updated landing page to navigate through Azure Sentinel docs.
- Azure Sentinel PowerShell module
- Alert grouping enhancements
- Azure Sentinel solutions (Public preview)
- Continuous Threat Monitoring for SAP solution (Public preview)
- Threat intelligence integrations (Public preview)
- Fusion over scheduled alerts (Public preview)
- SOC-ML anomalies (Public preview)
- IP Entity page (Public preview)
- Activity customization (Public preview)
- Hunting dashboard (Public preview)
- Incident teams - collaborate in Microsoft Teams (Public preview)
- Zero Trust (TIC3.0) workbook
Azure Sentinel PowerShell module
The official Azure Sentinel PowerShell module to automate daily operational tasks has been released as GA!
You can download it here: PowerShell Gallery.
For more information, see the PowerShell documentation: Az.SecurityInsights
Alert grouping enhancements
Now you can configure your analytics rule to group alerts into a single incident, not only when they match a specific entity type, but also when they match a specific alert name, severity, or other custom details for a configured entity.
In the Incidents settings tab of the analytics rule wizard, select to turn on alert grouping, and then select the Group alerts into a single incident if the selected entity types and details match option.
Then, select your entity type and the relevant details you want to match:
For more information, see Alert grouping.
Azure Sentinel solutions (Public preview)
Azure Sentinel now offers packaged content solutions that include combinations of one or more data connectors, workbooks, analytics rules, playbooks, hunting queries, parsers, watchlists, and other components for Azure Sentinel.
Solutions provide improved in-product discoverability, single-step deployment, and end-to-end product scenarios. For more information, see Discover and deploy Azure Sentinel solutions.
Continuous Threat Monitoring for SAP solution (Public preview)
Azure Sentinel solutions now includes Continuous Threat Monitoring for SAP, enabling you to monitor SAP systems for sophisticated threats within the business and application layers.
The SAP data connector streams 14 application logs from the entire SAP system landscape, collecting logs both from Advanced Business Application Programming (ABAP) via NetWeaver RFC calls and from file storage via the OSSAP Control interface. The SAP data connector adds to Azure Sentinel's ability to monitor the SAP underlying infrastructure.
To ingest SAP logs into Azure Sentinel, you must have the Azure Sentinel SAP data connector installed on your SAP environment. After the SAP data connector is deployed, deploy the rich SAP solution security content to smoothly gain insight into your organization's SAP environment and improve any related security operation capabilities.
For more information, see Tutorial: Deploy the Azure Sentinel solution for SAP (public preview).
Threat intelligence integrations (Public preview)
Azure Sentinel gives you a few different ways to use threat intelligence feeds to enhance your security analysts' ability to detect and prioritize known threats.
You can now use one of many newly available integrated threat intelligence platform (TIP) products, connect to TAXII servers to take advantage of any STIX-compatible threat intelligence source, and make use of any custom solutions that can communicate directly with the Microsoft Graph Security tiIndicators API.
You can also connect to threat intelligence sources from playbooks, in order to enrich incidents with TI information that can help direct investigation and response actions.
For more information, see Threat intelligence integration in Azure Sentinel.
Fusion over scheduled alerts (Public preview)
The Fusion machine-learning correlation engine can now detect multi-stage attacks using alerts generated by a set of scheduled analytics rules in its correlations, in addition to the alerts imported from other data sources.
For more information, see Advanced multistage attack detection in Azure Sentinel.
SOC-ML anomalies (Public preview)
Azure Sentinel's SOC-ML machine learning-based anomalies can identify unusual behavior that might otherwise evade detection.
SOC-ML uses analytics rule templates that can be put to work right out of the box. While anomalies don't necessarily indicate malicious or even suspicious behavior by themselves, they can be used to improve the fidelity of detections, investigations, and threat hunting.
For more information, see Use SOC-ML anomalies to detect threats in Azure Sentinel.
IP Entity page (Public preview)
Azure Sentinel now supports the IP address entity, and you can now view IP entity information in the new IP entity page.
Like the user and host entity pages, the IP page includes general information about the IP, a list of activities the IP has been found to be a part of, and more, giving you an ever-richer store of information to enhance your investigation of security incidents.
For more information, see Entity pages.
Activity customization (Public preview)
Speaking of entity pages, you can now create custom activities for your entities, which are tracked and displayed on their respective entity pages alongside the out-of-the-box activities you've seen there until now.
For more information, see Customize activities on entity page timelines.
Hunting dashboard (Public preview)
The Hunting blade has gotten a refresh. The new dashboard lets you run all your queries, or a selected subset, in a single click.
Identify where to start hunting by looking at result count, spikes, or the change in result count over a 24-hour period. You can also sort and filter by favorites, data source, MITRE ATT&CK tactic and technique, results, or results delta. View the queries that do not yet have the necessary data sources connected, and get recommendations on how to enable these queries.
For more information, see Hunt for threats with Azure Sentinel.
Azure Sentinel incident team - collaborate in Microsoft Teams (public preview)
Azure Sentinel now supports a direct integration with Microsoft Teams, enabling you to collaborate seamlessly across the organization and with external stakeholders.
Directly from the incident in Azure Sentinel, create a new incident team to use for central communication and coordination.
Incident teams are especially helpful when used as a dedicated conference bridge for high-severity, ongoing incidents. Organizations that already use Microsoft Teams for communication and collaboration can use the Azure Sentinel integration to bring security data directly into their conversations and daily work.
In Microsoft Teams, the new team's Incident page tab always has the most updated and recent data from Azure Sentinel, ensuring that your teams have the most relevant data right at hand.
For more information, see Collaborate in Microsoft Teams (Public preview).
Zero Trust (TIC3.0) workbook
We know that compliance isn’t just an annual requirement, and organizations must monitor configurations over time like a muscle. Azure Sentinel's Zero Trust workbook uses the full breadth of Microsoft security offerings across Azure, Office 365, Teams, Intune, Windows Virtual Desktop, and many more.
The Zero Trust workbook:
- Enables Implementers, SecOps Analysts, Assessors, Security and Compliance Decision Makers, MSSPs, and others to gain situational awareness for cloud workloads' security posture.
- Features over 75 control cards, aligned to the TIC 3.0 security capabilities, with selectable GUI buttons for navigation.
- Is designed to augment staffing through automation, artificial intelligence, machine learning, query/alerting generation, visualizations, tailored recommendations, and respective documentation references.
For more information, see Visualize and monitor your data.
Azure Policy-based data connectors
Azure Policy allows you to apply a common set of diagnostics logs settings to all (current and future) resources of a particular type whose logs you want to ingest into Azure Sentinel.
Continuing our efforts to bring the power of Azure Policy to the task of data collection configuration, we are now offering another Azure Policy-enhanced data collector, for Azure Storage account resources, released to public preview.
Incident timeline (Public preview)
The first tab on an incident details page is now the Timeline, which shows a timeline of alerts and bookmarks in the incident. An incident's timeline can help you understand the incident better and reconstruct the timeline of attacker activity across the related alerts and bookmarks.
- Select an item in the timeline to see its details, without leaving the incident context
- Filter the timeline content to show alerts or bookmarks only, or items of a specific severity or MITRE tactic.
- You can select the System alert ID link to view the entire record or the Events link to see the related events in the Logs area.
For more information, see Tutorial: Investigate incidents with Azure Sentinel.