Edit

Share via


What's new in Microsoft Sentinel

This article lists recent features added for Microsoft Sentinel, and new features in related services that provide an enhanced user experience in Microsoft Sentinel. For new features related to unified security operations in the Defender portal, see the What's new for unified security operations?

The listed features were released in the last six months. For information about earlier features delivered, see our Tech Community blogs.

Note

For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.

July 2025

For new customers only: Automatic onboarding and redirection to the Microsoft Defender portal

For this update, new Microsoft Sentinel customers are customers who are onboarding the first workspace in their tenant to Microsoft Sentinel on or after July 1, 2025.

Starting July 1, 2025, such new customers who have the permissions of a subscription Owner or a User access administrator, and are also not Azure Lighthouse-delegated users, have their workspaces automatically onboarded to the Defender portal together with onboarding to Microsoft Sentinel. Users of such workspaces, who also aren't Azure Lighthouse-delegated users, see links in Microsoft Sentinel in the Azure portal that redirect them to the Defender portal. Such users use Microsoft Sentinel in the Defender portal only.

Screenshot of redirect links in the Azure portal to the Defender portal.

New customers who don't have relevant permissions aren't automatically onboarded to the Defender portal, but they do still see redirection links in the Azure portal, together with prompts to have a user with relevant permissions manually onboard the workspace to the Defender portal.

This change streamlines the onboarding process and ensures that new customers can immediately take advantage of unified security operations capabilities without the extra step of manually onboarding their workspaces.

For more information, see:

No limit on the number of workspaces you can onboard to the Defender portal

There is no longer any limit to the number of workspaces you can onboard to the Defender portal.

Limitations still apply to the number of workspaces you can include in a Log Analytics query, and in the number of workspaces you can or should include in a scheduled analytics rule.

For more information, see:

Microsoft Sentinel in the Azure portal to be retired July 2026

Microsoft Sentinel is generally available in the Microsoft Defender portal, including for customers without Microsoft Defender XDR or an E5 license. This means that you can use Microsoft Sentinel in the Defender portal even if you aren't using other Microsoft Defender services.

Starting in July 2026, Microsoft Sentinel will be supported in the Defender portal only, and any remaining customers using the Azure portal will be automatically redirected.

If you're currently using Microsoft Sentinel in the Azure portal, we recommend that you start planning your transition to the Defender portal now to ensure a smooth transition and take full advantage of the unified security operations experience offered by Microsoft Defender.

For more information, see:

June 2025

Codeless Connector Platform (CCP) renamed to Codeless Connector Framework (CCF)

The Microsoft Sentinel Codeless Connector Platform (CCP) has been renamed to Codeless Connector Framework (CCF). The new name reflects the platform's evolution and avoids confusion with other platform-oriented services, while still providing the same ease of use and flexibility that users have come to expect.

For more information, see Create a codeless connector for Microsoft Sentinel.

Consolidated Microsoft Sentinel data connector reference

We've consolidated the connector reference documentation, merging the separate connector articles into a single, comprehensive reference table.

You can find the new connector reference at Microsoft Sentinel data connectors. For more information, see Create a codeless connector and Unlock the potential of Microsoft Sentinel’s Codeless Connector Framework and do more with Microsoft Sentinel faster.

Summary rule templates now in public preview

You can now use summary rule templates to deploy pre-built summary rules tailored to common security scenarios. These templates help you aggregate and analyze large datasets efficiently, don't require deep expertise, reduce setup time, and ensure best practices. For more information, see Aggregate Microsoft Sentinel data with summary rules (Preview).

May 2025

All Microsoft Sentinel use cases generally available in the Defender portal

All Microsoft Sentinel use cases that are in general availability, including multitenant and multi-workspace capabilities and support for all government and commercial clouds, are now also supported for general availability in the Defender portal.

We recommend that you onboard your workspaces to the Defender portal to take advantage of unified security operations. For more information, see:

For more information, see:

Unified IdentityInfo table

Customers of Microsoft Sentinel in the Defender portal who have enabled UEBA can now take advantage of a new version of the IdentityInfo table, located in the Defender portal's Advanced hunting section, that includes the largest possible set of fields common to both the Defender and Azure portals. This unified table helps enrich your security investigations across the entire Defender portal.

For more information, see IdentityInfo table.

Additions to SOC optimization support (Preview)

SOC optimization support for:

  • AI MITRE ATT&CK tagging recommendations (Preview): Uses artificial intelligence to suggest tagging security detections with MITRE ATT&CK tactics and techniques.
  • Risk-based recommendations (Preview): Recommends implementing controls to address coverage gaps linked to use cases that may result in business risks or financial losses, including operational, financial, reputational, compliance, and legal risks.

For more information, see SOC optimization reference.

April 2025

Microsoft Sentinel solution for Microsoft Business Apps generally available in the Azure portal

The Microsoft Sentinel solution for Microsoft Business Apps is now generally available in the Azure portal.

Security Copilot generates incident summaries in Microsoft Sentinel in the Azure portal (Preview)

Microsoft Sentinel in the Azure portal now features (in Preview) incident summaries generated by Security Copilot, bringing it in line with the Defender portal. These summaries give your security analysts the up-front information they need to quickly understand, triage, and start investigating developing incidents.

For more information, see Summarize Microsoft Sentinel incidents with Security Copilot.

Multi workspace and multitenant support for Microsoft Sentinel in the Defender portal (Preview)

For preview, in the Defender portal, connect to one primary workspace and multiple secondary workspaces for Microsoft Sentinel. If you onboard Microsoft Sentinel with Defender XDR, a primary workspace's alerts are correlated with Defender XDR data. So incidents include alerts from Microsoft Sentinel's primary workspace and Defender XDR. All other onboarded workspaces are considered secondary workspaces. Incidents are created based on the workspace’s data and won't include Defender XDR data.

  • If you plan to use Microsoft Sentinel in the Defender portal without Defender XDR, you can manage multiple workspaces. But, the primary workspace doesn't include Defender XDR data and you won't have access to Defender XDR capabilities.
  • If you're working with multiple tenants and multiple workspaces per tenant, you can also use Microsoft Defender multitenant management to view incidents and alerts, and to hunt for data in Advanced hunting, across both multiple workspaces and tenants.

For more information, see the following articles:

Microsoft Sentinel now ingests all STIX objects and indicators into new threat intelligence tables (Preview)

Microsoft Sentinel now ingests STIX objects and indicators into the new threat intelligence tables, ThreatIntelIndicators and ThreatIntelObjects. The new tables support the new STIX 2.1 schema, which lets you ingest and query various threat intelligence objects, including identity, attack-pattern, threat-actor, and relationship.

Microsoft Sentinel will ingest all threat intelligence into the new ThreatIntelIndicators and ThreatIntelObjects tables, while continuing to ingest the same data into the legacy ThreatIntelligenceIndicator table until July 31, 2025.

Be sure to update your custom queries, analytics and detection rules, workbooks, and automation to use the new tables by July 31, 2025. After this date, Microsoft Sentinel will stop ingesting data to the legacy ThreatIntelligenceIndicator table. We're updating all out-of-the-box threat intelligence solutions in Content hub to leverage the new tables.

For more information, see the following articles:

SOC optimization support for unused columns (Preview)

To optimize your cost/security value ratio, SOC optimization surfaces hardly used data connectors or tables. SOC optimization now surfaces unused columns in your tables. For more information, see SOC optimization reference of recommendations.

March 2025

Agentless connection to SAP now in public preview

The Microsoft Sentinel agentless data connector for SAP and related security content is now included, as public preview, in the solution for SAP applications. This update also includes the following enhancements for the agentless data connector:

For more information, see:

January 2025

Optimize threat intelligence feeds with ingestion rules

Optimize threat intelligence feeds by filtering and enhancing objects before they're delivered to your workspace. Ingestion rules update threat intel object attributes, or filter objects out all together. Check out the blog announcement here!

For more information, see Understand threat intelligence ingestion rules.

Matching analytics rule now generally available (GA)

Microsoft provides access to its premium threat intelligence through the Defender Threat Intelligence analytics rule which is now generally available (GA). For more information on how to take advantage of this rule, which generates high-fidelity alerts and incidents, see Use matching analytics to detect threats.

Threat intelligence management interface has moved

Threat intelligence for Microsoft Sentinel in the Defender portal has changed! We've renamed the page Intel management and moved it with other threat intelligence workflows. There's no change for customers using Microsoft Sentinel in the Azure experience.

Screenshot showing new menu placement for Microsoft Sentinel threat intelligence.

Enhancements to threat intelligence capabilities are available for customers using both Microsoft Sentinel experiences. The management interface streamlines the creation and curation of threat intel with these key features:

  • Define relationships as you create new STIX objects.
  • Curate existing threat intelligence with the new relationship builder.
  • Create multiple objects quickly by copying common metadata from a new or existing TI object using a duplication feature.
  • Use advanced search to sort and filter your threat intelligence objects without even writing a Log Analytics query.

For more information, see the following articles:

Unlock advanced hunting with new STIX objects by opting in to new threat intelligence tables

Tables supporting the new STIX object schema aren't available publicly. In order to query threat intelligence for STIX objects with KQL and unlock the hunting model that uses them, request to opt in with this form. Ingest your threat intelligence into the new tables, ThreatIntelIndicators and ThreatIntelObjects alongside with or instead of the current table, ThreatIntelligenceIndicator, with this opt-in process.

For more information, see the blog announcement New STIX objects in Microsoft Sentinel.

Threat intelligence upload API now supports more STIX objects

Make the most of your threat intelligence platforms when you connect them to Microsoft Sentinel with the upload API. Now you can ingest more objects than just indicators, reflecting the varied threat intelligence available. The upload API supports the following STIX objects:

  • indicator
  • attack-pattern
  • identity
  • threat-actor
  • relationship

For more information, see the following articles:

Microsoft Defender Threat Intelligence data connectors now generally available (GA)

Both premium and standard Microsoft Defender Threat Intelligence data connectors are now generally available (GA) in content hub. For more information, see the following articles:

Bicep file support for repositories (Preview)

Use Bicep files alongside or as a replacement of ARM JSON templates in Microsoft Sentinel repositories. Bicep provides an intuitive way to create templates of Azure resources and Microsoft Sentinel content items. Not only is it easier to develop new content items, Bicep makes reviewing and updating content easier for anyone that's a part of the continuous integration and delivery of your Microsoft Sentinel content.

For more information, see Plan your repository content.

SOC optimization updates for unified coverage management

In workspaces onboarded to the Defender portal, SOC optimizations now support both SIEM and XDR data, with detection coverage from across Microsoft Defender services.

In the Defender portal, the SOC optimizations and MITRE ATT&CK pages also now provide extra functionality for threat-based coverage optimizations to help you understand the impact of the recommendations on your environment and help you prioritize which to implement first.

Enhancements include:

Area Details
SOC optimizations Overview page - A High, Medium, or Low score for your current detection coverage. This sort of scoring can help you decide which recommendations to prioritize at a glance.

- An indication of the number of active Microsoft Defender products (services) out of all available products. This helps you understand whether there's a whole product that you're missing in your environment.
Optimization details side pane,
shown when you drill down to a specific optimization
- Detailed coverage analysis, including the number of user-defined detections, response actions, and products you have active.

- Detailed spider charts that show your coverage across different threat categories, for both user-defined and out-of-the-box detections.

- An option to jump to the specific threat scenario in the MITRE ATT&CK page instead of viewing MITRE ATT&CK coverage only in the side pane.

- An option to View full threat scenario to drill down to even further details about the security products and detections available to provide security coverage in your environment.
MITRE ATT&CK page - A new toggle to view coverage by threat scenario. If you've jumped to the MITRE ATT&CK page from either a recommendation details side pane or from the View full threat scenario page, the MITRE ATT&CK page is pre-filtered for your threat scenario.

- The technique details pane, shown on the side when you select a specific MITRE ATT&CK technique, now shows the number of active detections out of all available detections for that technique.

For more information, see Optimize your security operations and Understand security coverage by the MITRE ATT&CK framework.

View granular solution content in the Microsoft Sentinel content hub

Now you can view the individual content available in a specific solution directly from the Content hub, even before you've installed the solution. This new visibility helps you understand the content available to you, and more easily identify, plan, and install the specific solutions you need.

Expand each solution in the Content hub to view included security content. For example:

Screenshot of showing granular content.

The granular solution content updates also include a generative AI-based search engine that helps you run more robust searches, diving deep into the solution content and returning results for similar terms.

For more information, see Discover content.

Next steps