What's new in Microsoft Sentinel
This article lists recent features added for Microsoft Sentinel, and new features in related services that provide an enhanced user experience in Microsoft Sentinel.
The listed features were released in the last three months. For information about earlier features delivered, see our Tech Community blogs.
Get notified when this page is updated by copying and pasting the following URL into your feed reader:
For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.
- Incident tasks now generally available (GA)
- AWS and GCP data connectors now support Azure Government clouds
- Windows DNS Events via AMA connector now generally available (GA)
Incident tasks now generally available (GA)
Incident tasks, which help you standardize your incident investigation and response practices so you can more effectively manage incident workflow, are now generally available (GA) in Microsoft Sentinel.
Learn more about incident tasks in the Microsoft Sentinel documentation:
See this blog post by Benji Kovacevic that shows how you can use incident tasks in combination with watchlists, automation rules, and playbooks to build a task management solution with two parts:
- A repository of incident tasks.
- A mechanism that automatically attaches tasks to newly created incidents, according to the incident title, and assigns them to the proper personnel.
AWS and GCP data connectors now support Azure Government clouds
Microsoft Sentinel data connectors for Amazon Web Services (AWS) and Google Cloud Platform (GCP) now include supporting configurations to ingest data into workspaces in Azure Government clouds.
The configuration of these connectors for Azure Government customers differs slightly from the public cloud configuration. See the relevant documentation for details:
- Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data
- Ingest Google Cloud Platform log data into Microsoft Sentinel
Windows DNS Events via AMA connector now generally available (GA)
Windows DNS events can now be ingested into Microsoft Sentinel using the Azure Monitor Agent (AMA) with the now generally available data connector. The connector lets you define Data Collection Rules (DCRs) with filters so that you ingest only the specific DNS events and fields you need, rather than the full server log.
- For more information, see Stream and filter data from Windows DNS servers with the AMA connector.
Reduce false positives for SAP systems with analytics rules
Use analytics rules together with the Microsoft Sentinel solution for SAP® applications to lower the number of false positives triggered from your SAP® systems. The Microsoft Sentinel solution for SAP® applications now includes the following enhancements:
The SAPUsersGetVIP function now supports excluding users according to their SAP-assigned roles or profiles.
The SAP_User_Config watchlist now supports wildcards in the SAPUser field, so a single entry can exclude every user whose name matches a given pattern.
For more information, see Microsoft Sentinel solution for SAP® applications data reference and Handle false positives in Microsoft Sentinel.
- Take advantage of Microsoft Defender for Cloud integration with Microsoft Defender XDR (Preview)
- Near-real-time rules now generally available
- Elevate your cybersecurity intelligence with enrichment widgets (Preview)
Take advantage of Microsoft Defender for Cloud integration with Microsoft Defender XDR (Preview)
Microsoft Defender for Cloud is now integrated with Microsoft Defender XDR, formerly known as Microsoft 365 Defender. This integration, currently in Preview, allows Defender XDR to collect alerts from Defender for Cloud and create Defender XDR incidents from them.
Thanks to this integration, Microsoft Sentinel customers who have enabled Defender XDR incident integration will now be able to ingest and synchronize Defender for Cloud incidents, with all their alerts, through Microsoft Defender XDR.
To support this integration, Microsoft has added a new Tenant-based Microsoft Defender for Cloud (Preview) connector. This connector lets Microsoft Sentinel customers receive Defender for Cloud alerts and incidents across their entire tenant, without having to monitor and maintain the connector's enrollment for each of their Defender for Cloud subscriptions.
This connector can be used to ingest Defender for Cloud alerts, regardless of whether you have Defender XDR incident integration enabled.
- Learn more about Microsoft Defender for Cloud integration with Microsoft Defender XDR.
- Learn more about ingesting Defender for Cloud incidents into Microsoft Sentinel.
Near-real-time rules now generally available
Microsoft Sentinel’s near-real-time analytics rules are now generally available (GA). These rules run their queries at one-minute intervals, providing up-to-the-minute threat detection.
Elevate your cybersecurity intelligence with enrichment widgets (Preview)
Enrichment widgets in Microsoft Sentinel are dynamic components designed to provide you with in-depth, actionable intelligence about entities. They integrate external and internal content and data from various sources, offering a comprehensive understanding of potential security threats. These widgets serve as a powerful enhancement to your cybersecurity toolkit, offering both depth and breadth in information analysis.
Widgets are already available in Microsoft Sentinel today (in Preview). They currently appear for IP entities, both on their full entity pages and on their entity info panels that appear in Incident pages. These widgets show you valuable information about the entities, from both internal and third-party sources.
What makes widgets essential in Microsoft Sentinel?
Real-time updates: Widgets fetch live data, so analysts are always looking at the most recent information about an entity rather than a cached snapshot.
Integration: Widgets draw on Microsoft Sentinel data sources, its logs, alerts, and threat intelligence, as well as third-party sources, so the insights they present are backed by the same data the rest of your investigation uses.
In short, widgets are more than visual aids; used effectively, they speed up threat detection, investigation, and response by putting entity context where the analyst already is.
- Microsoft Applied Skill - Configure SIEM security operations using Microsoft Sentinel
- Changes to the documentation table of contents
Microsoft Applied Skill available for Microsoft Sentinel
This month Microsoft Worldwide Learning announced Applied Skills to help you acquire the technical skills you need to reach your full potential. Microsoft Sentinel is included in the initial set of credentials offered! This credential is based on the learning path with the same name.
- Learning path - Configure SIEM security operations using Microsoft Sentinel
Learn at your own pace; the modules require your own Azure subscription.
- Applied Skill - Configure SIEM security operations using Microsoft Sentinel
The 2-hour assessment runs in a sandbox virtual desktop. You are provided an Azure subscription with some features already configured.
Changes to the documentation table of contents
We've made some significant changes in how the Microsoft Sentinel documentation is organized in the table of contents on the left-hand side of the library. Two important things to know:
- Bookmarked links persist. Unless we retire an article, your saved and shared links to Microsoft Sentinel articles still work.
- Articles used to be divided by concepts, how-tos, and tutorials. Now, the articles are organized by lifecycle or scenario with the related concepts, how-tos, and tutorials in those buckets.
We hope these changes to the organization make your exploration of the Microsoft Sentinel documentation more intuitive!
Improve SOX compliance with new workbook for SAP
The SAP Audit Controls workbook is now provided to you as part of the Microsoft Sentinel solution for SAP® applications.
The workbook provides tools for you to assign analytics rules in your environment to specific security controls and control families, monitor and categorize the incidents generated by the SAP solution-based analytics rules, and report on your compliance.
Learn more about the SAP Audit Controls workbook.
- New incident investigation experience is now GA
- Updated MISP2Sentinel solution utilizes the new upload indicators API.
- New and improved entity pages
New incident investigation experience is now GA
Microsoft Sentinel's comprehensive incident investigation and case management experience is now generally available in both commercial and government clouds. This experience includes the revamped incident page, which itself includes displays of the incident's entities, insights, and similar incidents for comparison. The new experience also includes an incident log history and a task list.
Also generally available are the similar incidents widget and the ability to add entities to your threat intelligence list of indicators of compromise (IoCs).
- Learn more about investigating incidents in Microsoft Sentinel.
Updated MISP2Sentinel solution
The open source threat intelligence sharing platform, MISP, has an updated solution to push indicators to Microsoft Sentinel. The solution uses the new upload indicators API, which targets a specific workspace and stores the MISP-ingested TI using STIX-based properties.
Learn more about the implementation details from the MISP blog entry for MISP2Sentinel.
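The following is an added example, not MISP2Sentinel's own code, showing the kind of transformation such an integration performs: MISP attributes are mapped to STIX 2.1 indicator objects, batched, and POSTed to the upload indicators API. It assumes the endpoint shape `https://sentinelus.azure-api.net/{workspaceId}/threatintelligence:upload-indicators?api-version=2022-07-01`, a JSON body of `{"sourcesystem": ..., "value": [STIX indicators]}`, a cap of 100 indicators per request, and a bearer token for an Entra app with write access to the workspace's threat intelligence; verify these against the current API documentation before use. The sample MISP attributes are constructed for the example.

```python
"""Map MISP attributes to STIX 2.1 indicators and push them to the Sentinel upload indicators API.

Added example, not MISP2Sentinel's code. Endpoint, body shape, batch limit and the
deterministic indicator IDs are assumptions chosen for illustration.
"""
import json
import uuid
from datetime import datetime, timezone
from urllib import request

# Assumed endpoint shape of the upload indicators API (check current docs).
UPLOAD_URL = ("https://sentinelus.azure-api.net/{workspace_id}"
              "/threatintelligence:upload-indicators?api-version=2022-07-01")
MAX_PER_REQUEST = 100  # assumed per-request cap on indicators

# Constructed sample input: flattened MISP attributes as an export might yield them.
SAMPLE_ATTRIBUTES = [
    {"type": "ip-dst", "value": "203.0.113.10", "comment": "C2 beacon", "to_ids": True},
    {"type": "domain", "value": "evil.example", "comment": "phishing landing", "to_ids": True},
    {"type": "sha256", "value": "a" * 64, "comment": "dropper", "to_ids": True},
    {"type": "ip-dst", "value": "198.51.100.7", "comment": "sighting only", "to_ids": False},
]

# MISP attribute type -> STIX 2.1 pattern template.
STIX_PATTERNS = {
    "ip-dst": "[ipv4-addr:value = '{v}']",
    "ip-src": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
    "md5": "[file:hashes.MD5 = '{v}']",
}


def _stix_escape(value):
    """Escape backslash and single quote so a value cannot break out of the STIX pattern."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def to_stix_indicator(attr, now=None):
    """Return a STIX 2.1 indicator for one MISP attribute, or None if it should not be exported.

    Attributes not flagged to_ids (sightings, context only) and unknown types are skipped.
    The id is a uuid5 of type+value so re-uploading the same IOC updates rather than duplicates.
    """
    if not attr.get("to_ids") or attr["type"] not in STIX_PATTERNS:
        return None
    ts = (now or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, attr["type"] + ":" + attr["value"])),
        "created": ts,
        "modified": ts,
        "valid_from": ts,
        "name": attr.get("comment") or attr["value"],
        "pattern": STIX_PATTERNS[attr["type"]].format(v=_stix_escape(attr["value"])),
        "pattern_type": "stix",
        "indicator_types": ["malicious-activity"],
    }


def build_batches(attrs, source_system="MISP", now=None):
    """Convert attributes and split them into request bodies of at most MAX_PER_REQUEST indicators."""
    indicators = [i for i in (to_stix_indicator(a, now) for a in attrs) if i]
    return [{"sourcesystem": source_system, "value": indicators[i:i + MAX_PER_REQUEST]}
            for i in range(0, len(indicators), MAX_PER_REQUEST)]


def upload(workspace_id, bearer_token, batches):
    """POST each batch; raises on a non-200 response. Network call, not exercised offline."""
    url = UPLOAD_URL.format(workspace_id=workspace_id)
    for body in batches:
        req = request.Request(
            url, data=json.dumps(body).encode("utf-8"), method="POST",
            headers={"Authorization": "Bearer " + bearer_token, "Content-Type": "application/json"},
        )
        with request.urlopen(req, timeout=30) as resp:
            if resp.status != 200:
                raise RuntimeError("upload failed: HTTP %d" % resp.status)


if __name__ == "__main__":
    for batch in build_batches(SAMPLE_ATTRIBUTES):
        print(json.dumps(batch, indent=2))
```

Run as-is, the script prints the request bodies it would send; `upload()` is only called once you have a workspace ID and a token. The escaping in `_stix_escape` matters because indicator values come from a shared platform: a crafted value containing a quote could otherwise alter the pattern that Sentinel later matches against your logs.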
New and improved entity pages
Microsoft Sentinel now provides you enhanced and enriched entity pages and panels, giving you more security information on user accounts, full entity data to enrich your incident context, and a reduction in latency for a faster, smoother experience.
Read more about these changes in this blog post: Taking Entity Investigation to the Next Level: Microsoft Sentinel’s Upgraded Entity Pages.
Learn more about entities in Microsoft Sentinel.