What's new in Microsoft Sentinel
Note
Azure Sentinel is now called Microsoft Sentinel, and we’ll be updating these pages in the coming weeks. Learn more about recent Microsoft security enhancements.
This article lists recent features added for Microsoft Sentinel, and new features in related services that provide an enhanced user experience in Microsoft Sentinel.
If you're looking for items older than six months, you'll find them in the Archive for What's new in Sentinel. For information about earlier features delivered, see our Tech Community blogs.
Important
Noted features are currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
Note
For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.
Tip
Our threat hunting teams across Microsoft contribute queries, playbooks, workbooks, and notebooks to the Microsoft Sentinel Community, including specific hunting queries that your teams can adapt and use.
You can also contribute! Join us in the Microsoft Sentinel Threat Hunters GitHub community.
December 2021
Ingest GitHub logs into your Microsoft Sentinel workspace
Use the new Continuous Threat Monitoring for GitHub solution and data connector to ingest your GitHub logs into your Microsoft Sentinel workspace.
The Continuous Threat Monitoring for GitHub solution includes a data connector, relevant analytics rules, and a workbook that you can use to visualize your log data.
For example, view how many users were added to or removed from GitHub repositories, and how many repositories were created, forked, or cloned, in the selected time frame.
Note
The Continuous Threat Monitoring for GitHub solution is supported for GitHub enterprise licenses only.
For more information, see Centrally discover and deploy Microsoft Sentinel out-of-the-box content and solutions (Public preview) and instructions for installing the GitHub data connector.
November 2021
- Incident advanced search now available in GA
- Amazon Web Services S3 connector now available (Public preview)
- Windows Forwarded Events connector now available (Public preview)
- Near-real-time (NRT) threat detection rules now available (Public preview)
- Fusion engine now detects emerging and unknown threats (Public preview)
- Get fine-tuning recommendations for your analytics rules (Public preview)
- Free trial updates
- Content hub and new solutions (Public preview)
- Enable continuous deployment from your content repositories (Public preview)
- Enriched threat intelligence with Geolocation and WhoIs data (Public preview)
- Use notebooks with Azure Synapse Analytics in Microsoft Sentinel (Public preview)
- Enhanced Notebooks area in Microsoft Sentinel
- Microsoft Sentinel renaming
- Deploy and monitor Azure Key Vault honeytokens with Azure Sentinel
Incident advanced search now available in GA
Searching for incidents using the advanced search functionality is now Generally Available.
The advanced incident search provides the ability to search across more data, including alert details, descriptions, entities, tactics, and more.
For more information, see Search for incidents.
Amazon Web Services S3 connector now available (Public preview)
You can now connect Microsoft Sentinel to your Amazon Web Services (AWS) S3 storage bucket, in order to ingest logs from a variety of AWS services.
For now, you can use this connection to ingest VPC Flow Logs and GuardDuty findings, as well as AWS CloudTrail.
For more information, see Connect Microsoft Sentinel to S3 Buckets to get Amazon Web Services (AWS) data.
Windows Forwarded Events connector now available (Public preview)
You can now stream event logs from Windows Servers connected to your Azure Sentinel workspace using Windows Event Collection/Windows Event Forwarding (WEC/WEF), thanks to this new data connector. The connector uses the new Azure Monitor Agent (AMA), which provides a number of advantages over the legacy Log Analytics agent (also known as the MMA):
- Scalability: If you have enabled Windows Event Collection (WEC), you can install the Azure Monitor Agent (AMA) on the WEC machine to collect logs from many servers with a single connection point.
- Speed: The AMA can send data at an improved rate of 5K EPS, allowing for faster data refresh.
- Efficiency: The AMA allows you to design complex Data Collection Rules (DCR) to filter the logs at their source, choosing the exact events to stream to your workspace. DCRs help lower your network traffic and your ingestion costs by leaving out undesired events.
- Coverage: WEC/WEF enables the collection of Windows Event logs from legacy (on-premises and physical) servers and also from high-usage or sensitive machines, such as domain controllers, where installing an agent is undesired.
We recommend using this connector with the Azure Sentinel Information Model (ASIM) parsers installed to ensure full support for data normalization.
Learn more about the Windows Forwarded Events connector.
Near-real-time (NRT) threat detection rules now available (Public preview)
When you're faced with security threats, time and speed are of the essence. You need to be aware of threats as they materialize so you can analyze and respond quickly to contain them. Microsoft Sentinel's near-real-time (NRT) analytics rules offer you faster threat detection - closer to that of an on-premises SIEM - and the ability to shorten response times in specific scenarios.
Microsoft Sentinel’s near-real-time analytics rules provide up-to-the-minute threat detection out-of-the-box. This type of rule was designed to be highly responsive by running its query at intervals just one minute apart.
Learn more about NRT rules and how to use them.
Fusion engine now detects emerging and unknown threats (Public preview)
In addition to detecting attacks based on predefined scenarios, Microsoft Sentinel's ML-powered Fusion engine can help you find the emerging and unknown threats in your environment by applying extended ML analysis and by correlating a broader scope of anomalous signals, while keeping the alert fatigue low.
The Fusion engine's ML algorithms constantly learn from existing attacks and apply analysis based on how security analysts think. It can therefore discover previously undetected threats from millions of anomalous behaviors across the kill-chain throughout your environment, which helps you stay one step ahead of the attackers.
Learn more about Fusion for emerging threats.
Also, the Fusion analytics rule is now more configurable, reflecting its increased functionality.
Get fine-tuning recommendations for your analytics rules (Public preview)
Fine-tuning threat detection rules in your SIEM can be a difficult, delicate, and continuous process of balancing between maximizing your threat detection coverage and minimizing false positive rates. Microsoft Sentinel simplifies and streamlines this process by using machine learning to analyze billions of signals from your data sources as well as your responses to incidents over time, deducing patterns and providing you with actionable recommendations and insights that can significantly lower your tuning overhead and allow you to focus on detecting and responding to actual threats.
Tuning recommendations and insights are now built into your analytics rules.
Free trial updates
Microsoft Sentinel's free trial continues to support new or existing Log Analytics workspaces at no additional cost for the first 31 days. We are evolving our current free trial experience to include the following updates:
- New Log Analytics workspaces can ingest up to 10 GB/day of log data for the first 31 days at no cost. New workspaces include workspaces that are less than three days old. Both Log Analytics data ingestion and Microsoft Sentinel charges are waived during the 31-day trial period. This free trial is subject to a 20-workspace limit per Azure tenant.
- Existing Log Analytics workspaces can enable Microsoft Sentinel at no additional cost. Existing workspaces include any workspaces created more than three days ago. Only the Microsoft Sentinel charges are waived during the 31-day trial period.
Usage beyond these limits will be charged per the pricing listed on the Microsoft Sentinel pricing page. Charges related to additional capabilities for automation and bring your own machine learning are still applicable during the free trial.
Tip
During your free trial, find resources for cost management, training, and more on the News & guides > Free trial tab in Microsoft Sentinel. This tab also displays details about the dates of your free trial, and how many days you have left until it expires.
For more information, see Plan and manage costs for Microsoft Sentinel.
Content hub and new solutions (Public preview)
Microsoft Sentinel now provides a Content hub, a centralized location to find and deploy Microsoft Sentinel out-of-the-box (built-in) content and solutions to your Microsoft Sentinel workspace. Find the content you need by filtering for content type, support models, categories and more, or use the powerful text search.
Under Content management, select Content hub. Select a solution to view more details on the right, and then click Install to install it in your workspace.
The following list includes highlights of new, out-of-the-box solutions added to the Content hub:
- Microsoft Sentinel Training Lab
- Cisco ASA
- Cisco Duo Security
- Cisco Meraki
- Cisco StealthWatch
- Digital Guardian
- 365 Dynamics
- GCP Cloud DNS
- GCP CloudMonitor
- GCP Identity and Access Management
- FalconForce
- FireEye NX
- Flare Systems Firework
- Forescout
- Fortinet Fortigate
- Imperva Cloud FAW
- Insiders Risk Management
- IronNet CyberSecurity Iron Defense
- Lookout
- McAfee Network Security Platform
- Microsoft MITRE ATT&CK Solution for Cloud
- Palo Alto PAN-OS
- Rapid7 Nexpose / Insight VM
- ReversingLabs
- RSA SecurID
- Semperis
- Tenable Nessus Scanner
- Vectra Stream
- Zero Trust
For more information, see:
- About Microsoft Sentinel solutions
- Discover and deploy Microsoft Sentinel solutions
- Microsoft Sentinel solutions catalog
Enable continuous deployment from your content repositories (Public preview)
The new Microsoft Sentinel Repositories page provides the ability to manage and deploy your custom content from GitHub or Azure DevOps repositories, as an alternative to managing them in the Azure portal. This capability introduces a more streamlined and automated approach for managing and deploying content across Microsoft Sentinel workspaces.
If you store your custom content in an external repository in order to maintain it outside of Microsoft Sentinel, now you can connect that repository to your Microsoft Sentinel workspace. Content you add, create, or edit in your repository is automatically deployed to your Microsoft Sentinel workspaces, and will be visible from the various Microsoft Sentinel galleries, such as the Analytics, Hunting, or Workbooks pages.
For more information, see Deploy custom content from your repository.
Enriched threat intelligence with Geolocation and WhoIs data (Public preview)
Now, any threat intelligence data that you bring in to Microsoft Sentinel via data connectors and logic app playbooks, or create in Microsoft Sentinel, is automatically enriched with GeoLocation and WhoIs information.
GeoLocation and WhoIs data can provide more context for investigations where the selected indicator of compromise (IOC) is found.
For example, use GeoLocation data to find details like Organization or Country for the indicator, and WhoIs data to find details like Registrar and Record creation date.
You can view GeoLocation and WhoIs data on the Threat Intelligence pane for each indicator of compromise that you've imported into Microsoft Sentinel. Details for the indicator are shown on the right, including any Geolocation and WhoIs data available.
Tip
The Geolocation and WhoIs information comes from the Microsoft Threat Intelligence service, which you can also access via API. For more information, see Enrich entities with geolocation data via API.
For more information, see:
- Understand threat intelligence in Microsoft Sentinel
- Threat intelligence integrations
- Work with threat indicators in Microsoft Sentinel
- Connect threat intelligence platforms
Use notebooks with Azure Synapse Analytics in Microsoft Sentinel (Public preview)
Microsoft Sentinel now integrates Jupyter notebooks with Azure Synapse for large-scale security analytics scenarios.
Until now, Jupyter notebooks in Microsoft Sentinel have been integrated with Azure Machine Learning. This functionality supports users who want to incorporate notebooks, popular open-source machine learning toolkits, and libraries such as TensorFlow, as well as their own custom models, into security workflows.
The new Azure Synapse integration provides extra analytic horsepower, such as:
- Security big data analytics, using cost-optimized, fully managed Azure Synapse Apache Spark compute pools.
- Cost-effective Data Lake access to build analytics on historical data via Azure Data Lake Storage Gen2, which is a set of capabilities dedicated to big data analytics, built on top of Azure Blob Storage.
- Flexibility to integrate data sources into security operation workflows from multiple sources and formats.
- PySpark, a Python-based API for using the Spark framework in combination with Python, reducing the need to learn a new programming language if you're already familiar with Python.
To support this integration, we've added the ability to create and launch an Azure Synapse workspace directly from Microsoft Sentinel. We also added new, sample notebooks to guide you through configuring the Azure Synapse environment, setting up a continuous data export pipeline from Log Analytics into Azure Data Lake Storage, and then hunting on that data at scale.
For more information, see Integrate notebooks with Azure Synapse.
Enhanced Notebooks area in Microsoft Sentinel
The Notebooks area in Microsoft Sentinel also now has an Overview tab, where you can find basic information about notebooks, and a new Notebook types column in the Templates tab to indicate the type of each notebook displayed. For example, notebooks might have types of Getting started, Configuration, Hunting, and now Synapse.
For more information, see Use Jupyter notebooks to hunt for security threats.
Microsoft Sentinel renaming
Starting in November 2021, Azure Sentinel is being renamed to Microsoft Sentinel, and you'll see upcoming updates in the portal, documentation, and other resources in parallel.
Earlier entries in this article and the older Archive for What's new in Sentinel continue to use the name Azure Sentinel, as that was the service name when those features were new.
For more information, see our blog on recent security enhancements.
Deploy and monitor Azure Key Vault honeytokens with Azure Sentinel
The new Azure Sentinel Deception solution helps you watch for malicious activity in your key vaults by deploying decoy keys and secrets, called honeytokens, to selected Azure key vaults.
Once deployed, any access or operation involving the honeytoken keys and secrets generates incidents that you can investigate in Azure Sentinel.
Since there's no legitimate reason to use honeytoken keys and secrets, any such activity in your workspace may be malicious and should be investigated.
The Azure Sentinel Deception solution includes a workbook to help you deploy the honeytokens, either at scale or one at a time, watchlists to track the honeytokens created, and analytics rules to generate incidents as needed.
For more information, see Deploy and monitor Azure Key Vault honeytokens with Azure Sentinel (Public preview).
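As an added illustration of the kind of detection the solution's analytics rules perform (example KQL written for this page, not the Deception solution's own rule), the query below matches Key Vault audit events against a watchlist of honeytoken names. It assumes Key Vault diagnostic logs are sent to the AzureDiagnostics table, a watchlist named HoneyTokens (placeholder name) holds each decoy's object name in its SearchKey column, and the AzureDiagnostics column names shown are the ones populated for Key Vault in your workspace.

```kql
// Added example; not the Deception solution's own analytics rule.
// Assumptions: Key Vault AuditEvent diagnostics land in AzureDiagnostics, and a
// watchlist named "HoneyTokens" (placeholder) lists each honeytoken's object
// name in SearchKey. Column names are those commonly populated for Key Vault.
let honeytokens =
    _GetWatchlist('HoneyTokens')
    | project HoneytokenName = tostring(SearchKey);
AzureDiagnostics
| where TimeGenerated > ago(1h)
| where ResourceProvider == "MICROSOFT.KEYVAULT" and Category == "AuditEvent"
// Reads and cryptographic uses of a decoy are the interesting operations. The
// deployment workbook itself creates the decoys (SecretSet/KeyCreate), so
// creation is deliberately excluded to avoid alerting on your own deployment.
| where OperationName in ("SecretGet", "KeyGet", "KeyDecrypt", "KeySign")
// id_s holds the object URI, e.g. https://<vault>.vault.azure.net/secrets/<name>/<version>,
// so the fifth path element is the object name.
| extend ObjectName = tostring(split(id_s, "/")[4])
| join kind=inner (honeytokens) on $left.ObjectName == $right.HoneytokenName
| project TimeGenerated,
          Vault = Resource,
          OperationName,
          ObjectName,
          ResultSignature,
          CallerIPAddress,
          // User principal or application id that made the call (assumed column names).
          Caller = coalesce(identity_claim_http_schemas_xmlsoap_org_ws_2005_05_identity_claims_upn_s,
                            identity_claim_appid_g)
| order by TimeGenerated desc
```

Run as a scheduled or NRT rule, any row returned is worth an incident: failed reads (non-OK ResultSignature) matter as much as successful ones, since they still show something enumerating names it should not know.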
October 2021
- Windows Security Events connector using Azure Monitor Agent now in GA
- Defender for Office 365 events now available in the Microsoft 365 Defender connector (Public preview)
- Playbook templates and gallery now available (Public preview)
- Manage template versions for your scheduled analytics rules (Public preview)
- DHCP normalization schema (Public preview)
Windows Security Events connector using Azure Monitor Agent now in GA
The new version of the Windows Security Events connector, based on the Azure Monitor Agent, is now generally available! See Connect to Windows servers to collect security events for more information.
Defender for Office 365 events now available in the Microsoft 365 Defender connector (Public preview)
In addition to those from Microsoft Defender for Endpoint, you can now ingest raw advanced hunting events from Microsoft Defender for Office 365 through the Microsoft 365 Defender connector. Learn more.
Playbook templates and gallery now available (Public preview)
A playbook template is a pre-built, tested, and ready-to-use workflow that can be customized to meet your needs. Templates can also serve as a reference for best practices when developing playbooks from scratch, or as inspiration for new automation scenarios.
Playbook templates have been developed by the Sentinel community, independent software vendors (ISVs), and Microsoft's own experts, and you can find them in the Playbook templates tab (under Automation), as part of an Azure Sentinel solution, or in the Azure Sentinel GitHub repository.
For more information, see Create and customize playbooks from built-in templates.
Manage template versions for your scheduled analytics rules (Public preview)
When you create analytics rules from built-in Azure Sentinel rule templates, you effectively create a copy of the template. Past that point, the active rule is not dynamically updated to match any changes that get made to the originating template.
However, rules created from templates do remember which templates they came from, which gives you two advantages:
- If you made changes to a rule when creating it from a template (or at any time after that), you can always revert the rule back to its original version (as a copy of the template).
- You can get notified when a template is updated, and you'll have the choice to update your rules to the new version of their templates or leave them as they are.
Learn how to manage these tasks, and what to keep in mind. These procedures apply to any Scheduled analytics rules created from templates.
DHCP normalization schema (Public preview)
The Advanced SIEM Information Model (ASIM) now supports a DHCP normalization schema, which is used to describe events reported by a DHCP server and is used by Azure Sentinel to enable source-agnostic analytics.
Events described in the DHCP normalization schema include serving DHCP IP address lease requests from client systems and updating a DNS server with the leases granted.
For more information, see:
- Azure Sentinel DHCP normalization schema reference (Public preview)
- Normalization and the Azure Sentinel Information Model (ASIM)
September 2021
New in docs: scaling data connector documentation
As we continue to add more and more built-in data connectors for Azure Sentinel, we've reorganized our data connector documentation to reflect this scaling.
For most data connectors, we've replaced full articles that describe an individual connector with a series of generic procedures and a full reference of all currently supported connectors.
Check the Azure Sentinel data connectors reference for details about your connector, including references to the relevant generic procedure, as well as extra information and configurations required.
For more information, see:
Conceptual information: Connect data sources
Generic how-to articles:
- Connect to Azure, Windows, Microsoft, and Amazon services
- Connect your data source to the Azure Sentinel Data Collector API to ingest data
- Get CEF-formatted logs from your device or appliance into Azure Sentinel
- Collect data from Linux-based sources using Syslog
- Collect data in custom log formats to Azure Sentinel with the Log Analytics agent
- Use Azure Functions to connect your data source to Azure Sentinel
- Resources for creating Azure Sentinel custom connectors
Azure Storage account connector changes
Due to some changes made within the Azure Storage account resource configuration itself, the connector also needs to be reconfigured. The storage account (parent) resource has within it other (child) resources for each type of storage: files, tables, queues, and blobs.
When configuring diagnostics for a storage account, you must select and configure, in turn:
- The parent account resource, exporting the Transaction metric.
- Each of the child storage-type resources, exporting all the logs and metrics (see the table above).
You will only see the storage types that you actually have defined resources for.
August 2021
- Advanced incident search (Public preview)
- Fusion detection for Ransomware (Public preview)
- Watchlist templates for UEBA data
- File event normalization schema (Public preview)
- New in docs: Best practice guidance
Advanced incident search (Public preview)
By default, incident searches run across the Incident ID, Title, Tags, Owner, and Product name values only. Azure Sentinel now provides advanced search options to search across more data, including alert details, descriptions, entities, tactics, and more.
For more information, see Search for incidents.
Fusion detection for Ransomware (Public preview)
Azure Sentinel now provides new Fusion detections for possible Ransomware activities, generating incidents titled as Multiple alerts possibly related to Ransomware activity detected.
Incidents are generated for alerts that are possibly associated with Ransomware activities, when they occur during a specific time-frame, and are associated with the Execution and Defense Evasion stages of an attack. You can use the alerts listed in the incident to analyze the techniques possibly used by attackers to compromise a host/device and to evade detection.
Supported data connectors include:
- Azure Defender (Azure Security Center)
- Microsoft Defender for Endpoint
- Microsoft Defender for Identity
- Microsoft Cloud App Security
- Azure Sentinel scheduled analytics rules
For more information, see Multiple alerts possibly related to Ransomware activity detected.
Watchlist templates for UEBA data (Public preview)
Azure Sentinel now provides built-in watchlist templates for UEBA data, which you can customize for your environment and use during investigations.
After UEBA watchlists are populated with data, you can correlate that data with analytics rules, view it in the entity pages and investigation graphs as insights, create custom uses such as to track VIP or sensitive users, and more.
Watchlist templates currently include:
- VIP Users. A list of user accounts of employees that have high impact value in the organization.
- Terminated Employees. A list of user accounts of employees that have been, or are about to be, terminated.
- Service Accounts. A list of service accounts and their owners.
- Identity Correlation. A list of related user accounts that belong to the same person.
- High Value Assets. A list of devices, resources, or other assets that have critical value in the organization.
- Network Mapping. A list of IP subnets and their respective organizational contexts.
For more information, see Create a new watchlist using a template and Built-in watchlist schemas.
File Event normalization schema (Public preview)
The Azure Sentinel Information Model (ASIM) now supports a File Event normalization schema, which is used to describe file activity, such as creating, modifying, or deleting files or documents. File events are reported by operating systems, file storage systems such as Azure Files, and document management systems such as Microsoft SharePoint.
For more information, see:
- Azure Sentinel File Event normalization schema reference (Public preview)
- Normalization and the Azure Sentinel Information Model (ASIM)
New in docs: Best practice guidance
In response to multiple requests from customers and our support teams, we've added a series of best practice guidance to our documentation.
For more information, see:
- Prerequisites for deploying Azure Sentinel
- Best practices for Azure Sentinel
- Azure Sentinel workspace architecture best practices
- Design your Azure Sentinel workspace architecture
- Azure Sentinel sample workspace designs
- Data collection best practices
Tip
You can find more guidance added across our documentation in relevant conceptual and how-to articles. For more information, see Best practice references.
July 2021
- Microsoft Threat Intelligence Matching Analytics (Public preview)
- Use Azure AD data with Azure Sentinel's IdentityInfo table (Public preview)
- Enrich Entities with geolocation data via API (Public preview)
- Support for ADX cross-resource queries (Public preview)
- Watchlists are in general availability
- Support for data residency in more geos
- Bidirectional sync in Azure Defender connector (Public preview)
Microsoft Threat Intelligence Matching Analytics (Public preview)
Azure Sentinel now provides the built-in Microsoft Threat Intelligence Matching Analytics rule, which matches Microsoft-generated threat intelligence data with your logs. This rule generates high-fidelity alerts and incidents, with appropriate severities based on the context of the logs detected. After a match is detected, the indicator is also published to your Azure Sentinel threat intelligence repository.
The Microsoft Threat Intelligence Matching Analytics rule currently matches domain indicators against the following log sources:
For more information, see Detect threats using matching analytics (Public preview).
Use Azure AD data with Azure Sentinel's IdentityInfo table (Public preview)
As attackers often use the organization's own user and service accounts, data about those user accounts, including the user identification and privileges, is crucial for analysts during an investigation.
Now, having UEBA enabled in your Azure Sentinel workspace also synchronizes Azure AD data into the new IdentityInfo table in Log Analytics. Synchronizations between your Azure AD and the IdentityInfo table create a snapshot of your user profile data that includes user metadata, group information, and the Azure AD roles assigned to each user.
Use the IdentityInfo table during investigations and when fine-tuning analytics rules for your organization to reduce false positives.
For more information, see IdentityInfo table in the UEBA enrichments reference and Use UEBA data to analyze false positives.
Enrich entities with geolocation data via API (Public preview)
Azure Sentinel now offers an API to enrich your data with geolocation information. Geolocation data can then be used to analyze and investigate security incidents.
For more information, see Enrich entities in Azure Sentinel with geolocation data via REST API (Public preview) and Classify and analyze data using entities in Azure Sentinel.
Support for ADX cross-resource queries (Public preview)
The hunting experience in Azure Sentinel now supports ADX cross-resource queries.
Although Log Analytics remains the primary data storage location for performing analysis with Azure Sentinel, there are cases where ADX is required to store data due to cost, retention periods, or other factors. This capability enables customers to hunt over a wider set of data and view the results in the Azure Sentinel hunting experiences, including hunting queries, livestream, and the Log Analytics search page.
To query data stored in ADX clusters, use the adx() function to specify the ADX cluster, database name, and desired table. You can then query the output as you would any other table. See more information in the pages linked above.
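As an added example (not from the original page), the hunting query below uses adx() to pull long-retention data from an ADX cluster and correlate it with a Log Analytics table. The cluster URL, database and FirewallLogs table (with its SourceIp and Action columns) are assumed placeholders; SigninLogs is the workspace's Azure AD sign-in table.

```kql
// Added example of an ADX cross-resource hunting query; not from the original page.
// Assumptions: firewall logs with long retention live in an ADX table named
// FirewallLogs (columns TimeGenerated, SourceIp, Action), and the cluster URL and
// database below are placeholders to replace with your own.
let lookback = 7d;
// Step 1: reach into ADX. adx() takes 'https://<cluster URL>/<database>' and the
// table name follows as a property; the result is used like any other table.
// Aggregating here keeps the data crossing the boundary small.
let noisySources =
    adx('https://<your-cluster>.<region>.kusto.windows.net/<your-database>').FirewallLogs
    | where TimeGenerated > ago(lookback)
    | where Action == "Deny"
    | summarize DenyCount = count(), LastDeny = max(TimeGenerated) by SourceIp
    | where DenyCount >= 100;
// Step 2: correlate with workspace data: successful sign-ins from addresses
// that the firewall has been repeatedly denying during the same window.
noisySources
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"          // "0" is a successful sign-in in SigninLogs
  ) on $left.SourceIp == $right.IPAddress
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, DenyCount, LastDeny
| order by DenyCount desc
```

Cross-resource queries are subject to result-size limits, so filter and aggregate the ADX side before joining, as the first step does.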
Watchlists are in general availability
The watchlists feature is now generally available. Use watchlists to enrich alerts with business data, to create allowlists or blocklists against which to check access events, and to help investigate threats and reduce alert fatigue.
Support for data residency in more geos
Azure Sentinel now supports full data residency in the following additional geos:
Brazil, Norway, South Africa, Korea, Germany, United Arab Emirates (UAE), and Switzerland.
See the complete list of supported geos for data residency.
Bidirectional sync in Azure Defender connector (Public preview)
The Azure Defender connector now supports bi-directional syncing of alerts' status between Defender and Azure Sentinel. When you close a Sentinel incident containing a Defender alert, the alert will automatically be closed in the Defender portal as well.
See this complete description of the updated Azure Defender connector.
June 2021
- Upgrades for normalization and the Azure Sentinel Information Model
- Updated service-to-service connectors
- Export and import analytics rules (Public preview)
- Alert enrichment: alert details (Public preview)
- More help for playbooks!
- New documentation reorganization
Upgrades for normalization and the Azure Sentinel Information Model
The Azure Sentinel Information Model enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
In this month's update, we've enhanced our normalization documentation, providing new levels of detail and full DNS, process event, and authentication normalization schemas.
For more information, see:
- Normalization and the Azure Sentinel Information Model (ASIM) (updated)
- Azure Sentinel Authentication normalization schema reference (Public preview) (new!)
- Azure Sentinel data normalization schema reference
- Azure Sentinel DNS normalization schema reference (Public preview) (new!)
- Azure Sentinel Process Event normalization schema reference (Public preview) (new!)
- Azure Sentinel Registry Event normalization schema reference (Public preview) (new!)
Updated service-to-service connectors
Two of our most-used connectors have been the beneficiaries of major upgrades.
The Windows security events connector (Public preview) is now based on the new Azure Monitor Agent (AMA), allowing you far more flexibility in choosing which data to ingest, and giving you maximum visibility at minimum cost.
The Azure activity logs connector is now based on the diagnostics settings pipeline, giving you more complete data, greatly reduced ingestion lag, and better performance and reliability.
The upgrades are not automatic. Users of these connectors are encouraged to enable the new versions.
Export and import analytics rules (Public preview)
You can now export your analytics rules to JSON-format Azure Resource Manager (ARM) template files, and import rules from these files, as part of managing and controlling your Azure Sentinel deployments as code. Any type of analytics rule - not just Scheduled - can be exported to an ARM template. The template file includes all the rule's information, from its query to its assigned MITRE ATT&CK tactics.
For more information, see Export and import analytics rules to and from ARM templates.
Alert enrichment: alert details (Public preview)
In addition to enriching your alert content with entity mapping and custom details, you can now custom-tailor the way alerts - and by extension, incidents - are presented and displayed, based on their particular content. Like the other alert enrichment features, this is configurable in the analytics rule wizard.
For more information, see Customize alert details in Azure Sentinel.
More help for playbooks!
Two new documents can help you get started or get more comfortable with creating and working with playbooks.
- Authenticate playbooks to Azure Sentinel helps you understand the different authentication methods by which Logic Apps-based playbooks can connect to and access information in Azure Sentinel, and when it's appropriate to use each one.
- Use triggers and actions in playbooks explains the difference between the incident trigger and the alert trigger and which to use when, and shows you some of the different actions you can take in playbooks in response to incidents, including how to access the information in custom details.
Playbook documentation also explicitly addresses the multi-tenant MSSP scenario.
New documentation reorganization
This month we've reorganized our Azure Sentinel documentation, restructuring into intuitive categories that follow common customer journeys. Use the filtered docs search and updated landing page to navigate through Azure Sentinel docs.