---
title: Archive for What's new in Azure Sentinel
description: A description of what's new and changed in Azure Sentinel from six months ago and earlier.
author: batamig
ms.author: bagol
ms.topic: conceptual
ms.date: 11/22/2021
ms.custom: ignite-fall-2021
---
The primary What's new in Sentinel release notes page contains updates for the last six months, while this page contains older items.
For information about earlier features delivered, see our Tech Community blogs.
Noted features are currently in PREVIEW. The Azure Preview Supplemental Terms include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
> [!TIP]
> Our threat hunting teams across Microsoft contribute queries, playbooks, workbooks, and notebooks to the Azure Sentinel Community, including specific hunting queries that your teams can adapt and use.
>
> You can also contribute! Join us in the Azure Sentinel Threat Hunters GitHub community.
- Microsoft Threat Intelligence Matching Analytics (Public preview)
- Use Azure AD data with Azure Sentinel's IdentityInfo table (Public preview)
- Enrich Entities with geolocation data via API (Public preview)
- Support for ADX cross-resource queries (Public preview)
- Watchlists are in general availability
- Support for data residency in more geos
- Bidirectional sync in Azure Defender connector (Public preview)
Azure Sentinel now provides the built-in Microsoft Threat Intelligence Matching Analytics rule, which matches Microsoft-generated threat intelligence data with your logs. This rule generates high-fidelity alerts and incidents, with appropriate severities based on the context of the logs detected. After a match is detected, the indicator is also published to your Azure Sentinel threat intelligence repository.
The Microsoft Threat Intelligence Matching Analytics rule currently matches domain indicators against the following log sources:
For more information, see Detect threats using matching analytics (Public preview).
As attackers often use the organization's own user and service accounts, data about those user accounts, including the user identification and privileges, are crucial for the analysts in the process of an investigation.
Now, having UEBA enabled in your Azure Sentinel workspace also synchronizes Azure AD data into the new IdentityInfo table in Log Analytics. Synchronizations between your Azure AD and the IdentityInfo table create a snapshot of your user profile data that includes user metadata, group information, and the Azure AD roles assigned to each user.
Use the IdentityInfo table during investigations and when fine-tuning analytics rules for your organization to reduce false positives.
For more information, see IdentityInfo table in the UEBA enrichments reference and Use UEBA data to analyze false positives.
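As an added example (not from the original page) of the tuning described above, the following KQL joins a failed sign-in detection against the IdentityInfo snapshot so that disabled accounts are dropped and privileged accounts are flagged. The column names on IdentityInfo (AccountObjectId, AccountUPN, AssignedRoles, IsAccountEnabled) and SigninLogs (UserId, ResultType, IPAddress), and the failure threshold, are assumptions for this example.

```kusto
// Added example, not from the original page. Column names and the
// threshold of 20 failures are assumed for illustration.
let lookback = 1d;
// Keep only the latest snapshot row per account so that a stale role
// assignment from an older synchronization does not drive the verdict.
let identities =
    IdentityInfo
    | where TimeGenerated > ago(7d)
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | project AccountObjectId, AccountUPN, AssignedRoles, IsAccountEnabled;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"                      // failed sign-ins only
| summarize Failures = count(), SourceIPs = make_set(IPAddress, 10)
    by UserId, UserPrincipalName
| where Failures >= 20
| join kind=leftouter identities on $left.UserId == $right.AccountObjectId
// Noise reduction: a disabled account cannot be taken over through password
// guessing, so do not raise an incident for it. Accounts with no snapshot
// row (null IsAccountEnabled) are kept rather than silently dropped.
| where isnull(IsAccountEnabled) or IsAccountEnabled == true
// Surface directory roles so the analyst (or an alert-detail override) can
// treat privileged accounts with higher priority.
| extend IsPrivileged = array_length(set_intersect(AssignedRoles,
    dynamic(["Global Administrator", "Security Administrator"]))) > 0
| project UserPrincipalName, Failures, SourceIPs, IsPrivileged, AssignedRoles
| order by IsPrivileged desc, Failures desc
```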
Azure Sentinel now offers an API to enrich your data with geolocation information. Geolocation data can then be used to analyze and investigate security incidents.
For more information, see Enrich entities in Azure Sentinel with geolocation data via REST API (Public preview) and Classify and analyze data using entities in Azure Sentinel.
The hunting experience in Azure Sentinel now supports ADX cross-resource queries.
Although Log Analytics remains the primary data storage location for performing analysis with Azure Sentinel, there are cases where ADX is required to store data due to cost, retention periods, or other factors. This capability enables customers to hunt over a wider set of data and view the results in the Azure Sentinel hunting experiences, including hunting queries, livestream, and the Log Analytics search page.
To query data stored in ADX clusters, use the adx() function to specify the ADX cluster, database name, and desired table. You can then query the output as you would any other table. See more information in the pages linked above.
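As an added example (not from the original page) of the adx() function described above, the following hunting query takes IP addresses with many failed sign-ins from the Log Analytics workspace and looks them up in firewall logs archived in an ADX cluster. The cluster URL, database, table name and its columns (TimeGenerated, SourceIp, DestinationFqdn) are placeholders assumed for this example.

```kusto
// Added example, not from the original page. The ADX cluster, database,
// table and column names below are assumed placeholders.
// Step 1: candidate source IPs from the last day of sign-in failures held
// in the Log Analytics workspace.
let suspiciousIPs =
    SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType != "0"
    | summarize Failures = count() by IPAddress
    | where Failures >= 50
    | project IPAddress;
// Step 2: query the long-term archive in ADX for the same addresses. The
// adx() function names the cluster and database; the table follows it.
adx('https://contoso-adx.westeurope.kusto.windows.net/LongTermLogs').ArchivedFirewallLogs
| where TimeGenerated > ago(90d)
| where SourceIp in (suspiciousIPs)
| summarize Connections = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SourceIp, DestinationFqdn
| order by Connections desc
```

The result shows whether an address that is noisy today already had a history of contacting internal destinations during the archived retention period, which the workspace alone cannot answer.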
The watchlists feature is now generally available. Use watchlists to enrich alerts with business data, to create allowlists or blocklists against which to check access events, and to help investigate threats and reduce alert fatigue.
Azure Sentinel now supports full data residency in the following additional geos:
Brazil, Norway, South Africa, Korea, Germany, United Arab Emirates (UAE), and Switzerland.
See the complete list of supported geos for data residency.
The Azure Defender connector now supports bi-directional syncing of alerts' status between Defender and Azure Sentinel. When you close a Sentinel incident containing a Defender alert, the alert will automatically be closed in the Defender portal as well.
See this complete description of the updated Azure Defender connector.
- Upgrades for normalization and the Azure Sentinel Information Model
- Updated service-to-service connectors
- Export and import analytics rules (Public preview)
- Alert enrichment: alert details (Public preview)
- More help for playbooks!
- New documentation reorganization
The Azure Sentinel Information Model enables you to use and create source-agnostic content, simplifying your analysis of the data in your Azure Sentinel workspace.
In this month's update, we've enhanced our normalization documentation, providing new levels of detail and full DNS, process event, and authentication normalization schemas.
For more information, see:
- Normalization and the Azure Sentinel Information Model (ASIM) (updated)
- Azure Sentinel Authentication normalization schema reference (Public preview) (new!)
- Azure Sentinel data normalization schema reference
- Azure Sentinel DNS normalization schema reference (Public preview) (new!)
- Azure Sentinel Process Event normalization schema reference (Public preview) (new!)
- Azure Sentinel Registry Event normalization schema reference (Public preview) (new!)
Two of our most-used connectors have been the beneficiaries of major upgrades.
- The Windows security events connector (Public preview) is now based on the new Azure Monitor Agent (AMA), allowing you far more flexibility in choosing which data to ingest, and giving you maximum visibility at minimum cost.
- The Azure activity logs connector is now based on the diagnostics settings pipeline, giving you more complete data, greatly reduced ingestion lag, and better performance and reliability.
The upgrades are not automatic. Users of these connectors are encouraged to enable the new versions.
You can now export your analytics rules to JSON-format Azure Resource Manager (ARM) template files, and import rules from these files, as part of managing and controlling your Azure Sentinel deployments as code. Any type of analytics rule - not just Scheduled - can be exported to an ARM template. The template file includes all the rule's information, from its query to its assigned MITRE ATT&CK tactics.
For more information, see Export and import analytics rules to and from ARM templates.
In addition to enriching your alert content with entity mapping and custom details, you can now custom-tailor the way alerts - and by extension, incidents - are presented and displayed, based on their particular content. Like the other alert enrichment features, this is configurable in the analytics rule wizard.
For more information, see Customize alert details in Azure Sentinel.
Two new documents can help you get started or get more comfortable with creating and working with playbooks.
- Authenticate playbooks to Azure Sentinel helps you understand the different authentication methods by which Logic Apps-based playbooks can connect to and access information in Azure Sentinel, and when it's appropriate to use each one.
- Use triggers and actions in playbooks explains the difference between the incident trigger and the alert trigger and which to use when, and shows you some of the different actions you can take in playbooks in response to incidents, including how to access the information in custom details.
Playbook documentation also explicitly addresses the multi-tenant MSSP scenario.
This month we've reorganized our Azure Sentinel documentation, restructuring into intuitive categories that follow common customer journeys. Use the filtered docs search and updated landing page to navigate through Azure Sentinel docs.
:::image type="content" source="media/whats-new/new-docs.png" alt-text="New Azure Sentinel documentation reorganization." lightbox="media/whats-new/new-docs.png":::
- Azure Sentinel PowerShell module
- Alert grouping enhancements
- Azure Sentinel solutions (Public preview)
- Continuous Threat Monitoring for SAP solution (Public preview)
- Threat intelligence integrations (Public preview)
- Fusion over scheduled alerts (Public preview)
- SOC-ML anomalies (Public preview)
- IP Entity page (Public preview)
- Activity customization (Public preview)
- Hunting dashboard (Public preview)
- Incident teams - collaborate in Microsoft Teams (Public preview)
- Zero Trust (TIC3.0) workbook
The official Azure Sentinel PowerShell module to automate daily operational tasks has been released as GA!
You can download it here: PowerShell Gallery.
For more information, see the PowerShell documentation: Az.SecurityInsights
Now you can configure your analytics rule to group alerts into a single incident, not only when they match a specific entity type, but also when they match a specific alert name, severity, or other custom details for a configured entity.
In the Incidents settings tab of the analytics rule wizard, select to turn on alert grouping, and then select the Group alerts into a single incident if the selected entity types and details match option.
Then, select your entity type and the relevant details you want to match:
:::image type="content" source="media/whats-new/alert-grouping-details.png" alt-text="Group alerts by matching entity details.":::
For more information, see Alert grouping.
Azure Sentinel now offers packaged content solutions that include combinations of one or more data connectors, workbooks, analytics rules, playbooks, hunting queries, parsers, watchlists, and other components for Azure Sentinel.
Solutions provide improved in-product discoverability, single-step deployment, and end-to-end product scenarios. For more information, see Centrally discover and deploy built-in content and solutions.
Azure Sentinel solutions now includes Continuous Threat Monitoring for SAP, enabling you to monitor SAP systems for sophisticated threats within the business and application layers.
The SAP data connector streams 14 application logs from the entire SAP system landscape, and collects logs from both Advanced Business Application Programming (ABAP) via NetWeaver RFC calls and file storage data via the OSSAP Control interface. The SAP data connector adds to Azure Sentinel's ability to monitor the SAP underlying infrastructure.
To ingest SAP logs into Azure Sentinel, you must have the Azure Sentinel SAP data connector installed on your SAP environment. After the SAP data connector is deployed, deploy the rich SAP solution security content to smoothly gain insight into your organization's SAP environment and improve any related security operation capabilities.
For more information, see Deploying SAP continuous threat monitoring.
Azure Sentinel gives you a few different ways to use threat intelligence feeds to enhance your security analysts' ability to detect and prioritize known threats.
You can now use one of many newly available integrated threat intelligence platform (TIP) products, connect to TAXII servers to take advantage of any STIX-compatible threat intelligence source, and make use of any custom solutions that can communicate directly with the Microsoft Graph Security tiIndicators API.
You can also connect to threat intelligence sources from playbooks, in order to enrich incidents with TI information that can help direct investigation and response actions.
For more information, see Threat intelligence integration in Azure Sentinel.
The Fusion machine-learning correlation engine can now detect multi-stage attacks using alerts generated by a set of scheduled analytics rules in its correlations, in addition to the alerts imported from other data sources.
For more information, see Advanced multistage attack detection in Azure Sentinel.
Azure Sentinel's SOC-ML machine learning-based anomalies can identify unusual behavior that might otherwise evade detection.
SOC-ML uses analytics rule templates that can be put to work right out of the box. While anomalies don't necessarily indicate malicious or even suspicious behavior by themselves, they can be used to improve the fidelity of detections, investigations, and threat hunting.
For more information, see Use SOC-ML anomalies to detect threats in Azure Sentinel.
Azure Sentinel now supports the IP address entity, and you can now view IP entity information in the new IP entity page.
Like the user and host entity pages, the IP page includes general information about the IP, a list of activities the IP has been found to be a part of, and more, giving you an ever-richer store of information to enhance your investigation of security incidents.
For more information, see Entity pages.
Speaking of entity pages, you can now create new custom-made activities for your entities, that will be tracked and displayed on their respective entity pages alongside the out-of-the-box activities you’ve seen there until now.
For more information, see Customize activities on entity page timelines.
The Hunting blade has gotten a refresh. The new dashboard lets you run all your queries, or a selected subset, in a single click.
Identify where to start hunting by looking at result count, spikes, or the change in result count over a 24-hour period. You can also sort and filter by favorites, data source, MITRE ATT&CK tactic and technique, results, or results delta. View the queries that do not yet have the necessary data sources connected, and get recommendations on how to enable these queries.
For more information, see Hunt for threats with Azure Sentinel.
Azure Sentinel now supports a direct integration with Microsoft Teams, enabling you to collaborate seamlessly across the organization and with external stakeholders.
Directly from the incident in Azure Sentinel, create a new incident team to use for central communication and coordination.
Incident teams are especially helpful when used as a dedicated conference bridge for high-severity, ongoing incidents. Organizations that already use Microsoft Teams for communication and collaboration can use the Azure Sentinel integration to bring security data directly into their conversations and daily work.
In Microsoft Teams, the new team's Incident page tab always has the most updated and recent data from Azure Sentinel, ensuring that your teams have the most relevant data right at hand.
For more information, see Collaborate in Microsoft Teams (Public preview).
The new Azure Sentinel Zero Trust (TIC3.0) workbook provides an automated visualization of Zero Trust principles, cross-walked to the Trusted Internet Connections (TIC) framework.
We know that compliance isn’t just an annual requirement, and organizations must monitor configurations over time like a muscle. Azure Sentinel's Zero Trust workbook uses the full breadth of Microsoft security offerings across Azure, Office 365, Teams, Intune, Azure Virtual Desktop, and many more.
The Zero Trust workbook:
- Enables Implementers, SecOps Analysts, Assessors, Security and Compliance Decision Makers, MSSPs, and others to gain situational awareness for cloud workloads' security posture.
- Features over 75 control cards, aligned to the TIC 3.0 security capabilities, with selectable GUI buttons for navigation.
- Is designed to augment staffing through automation, artificial intelligence, machine learning, query/alerting generation, visualizations, tailored recommendations, and respective documentation references.
For more information, see Visualize and monitor your data.
Azure Policy allows you to apply a common set of diagnostics logs settings to all (current and future) resources of a particular type whose logs you want to ingest into Azure Sentinel.
Continuing our efforts to bring the power of Azure Policy to the task of data collection configuration, we are now offering another Azure Policy-enhanced data collector, for Azure Storage account resources, released to public preview.
Also, two of our in-preview connectors, for Azure Key Vault and Azure Kubernetes Service, have now been released to general availability (GA), joining our Azure SQL Databases connector.
The first tab on an incident details page is now the Timeline, which shows a timeline of alerts and bookmarks in the incident. An incident's timeline can help you understand the incident better and reconstruct the timeline of attacker activity across the related alerts and bookmarks.
- Select an item in the timeline to see its details, without leaving the incident context.
- Filter the timeline content to show alerts or bookmarks only, or items of a specific severity or MITRE tactic.
- You can select the System alert ID link to view the entire record or the Events link to see the related events in the Logs area.
For example:
:::image type="content" source="media/investigate-cases/incident-timeline.png" alt-text="Incident timeline tab":::
For more information, see Tutorial: Investigate incidents with Azure Sentinel.
- Set workbooks to automatically refresh while in view mode
- New detections for Azure Firewall
- Automation rules and incident-triggered playbooks (Public preview) (including all-new playbook documentation)
- New alert enrichments: enhanced entity mapping and custom details (Public preview)
- Print your Azure Sentinel workbooks or save as PDF
- Incident filters and sort preferences now saved in your session (Public preview)
- Microsoft 365 Defender incident integration (Public preview)
- New Microsoft service connectors using Azure Policy
Azure Sentinel users can now use the new Azure Monitor ability to automatically refresh workbook data during a view session.
In each workbook or workbook template, select :::image type="icon" source="media/whats-new/auto-refresh-workbook.png" border="false"::: Auto refresh to display your interval options. Select the option you want to use for the current view session, and select Apply.
- Supported refresh intervals range from 5 minutes to 1 day.
- By default, auto refresh is turned off. To optimize performance, auto refresh is also turned off each time you close a workbook, and does not run in the background. Turn auto refresh back on as needed the next time you open the workbook.
- Auto refresh is paused while you're editing a workbook, and auto refresh intervals are restarted each time you switch back to view mode from edit mode. Intervals are also restarted if you manually refresh the workbook by selecting the :::image type="icon" source="media/whats-new/manual-refresh-button.png" border="false"::: Refresh button.
For more information, see Visualize and monitor your data and the Azure Monitor documentation.
Several out-of-the-box detections for Azure Firewall have been added to the Analytics area in Azure Sentinel. These new detections allow security teams to get alerts if machines on the internal network attempt to query or connect to internet domain names or IP addresses that are associated with known IOCs, as defined in the detection rule query.
The new detections include:
- Solorigate Network Beacon
- Known GALLIUM domains and hashes
- Known IRIDIUM IP
- Known Phosphorus group domains/IP
- THALLIUM domains included in DCU takedown
- Known ZINC related malware hash
- Known STRONTIUM group domains
- NOBELIUM - Domain and IP IOCs - March 2021
Detections for Azure Firewalls are continuously added to the built-in template gallery. To get the most recent detections for Azure Firewall, under Rule Templates, filter the Data Sources by Azure Firewall:
:::image type="content" source="media/whats-new/new-detections-analytics-efficiency-workbook.jpg" alt-text="New detections in the Analytics efficiency workbook":::
For more information, see New detections for Azure Firewall in Azure Sentinel.
Automation rules are a new concept in Azure Sentinel, allowing you to centrally manage the automation of incident handling. Besides letting you assign playbooks to incidents (not just to alerts as before), automation rules also allow you to automate responses for multiple analytics rules at once, automatically tag, assign, or close incidents without the need for playbooks, and control the order of actions that are executed. Automation rules will streamline automation use in Azure Sentinel and will enable you to simplify complex workflows for your incident orchestration processes.
Learn more with this complete explanation of automation rules.
As mentioned above, playbooks can now be activated with the incident trigger in addition to the alert trigger. The incident trigger provides your playbooks a bigger set of inputs to work with (since the incident includes all the alert and entity data as well), giving you even more power and flexibility in your response workflows. Incident-triggered playbooks are activated by being called from automation rules.
Learn more about playbooks' enhanced capabilities, and how to craft a response workflow using playbooks together with automation rules.
Enrich your alerts in two new ways to make them more usable and more informative.
Start by taking your entity mapping to the next level. You can now map almost 20 kinds of entities, from users, hosts, and IP addresses, to files and processes, to mailboxes, Azure resources, and IoT devices. You can also use multiple identifiers for each entity, to strengthen their unique identification. This gives you a much richer data set in your incidents, providing for broader correlation and more powerful investigation. Learn the new way to map entities in your alerts.
Read more about entities and see the full list of available entities and their identifiers.
Give your investigative and response capabilities an even greater boost by customizing your alerts to surface details from your raw events. Bring event content visibility into your incidents, giving you ever greater power and flexibility in responding to and investigating security threats. Learn how to surface custom details in your alerts.
Now you can print Azure Sentinel workbooks, which also enables you to export them to PDF and save locally or share.
In your workbook, select the options menu > :::image type="icon" source="media/whats-new/print-icon.png" border="false"::: Print content. Then select your printer, or select Save as PDF as needed.
:::image type="content" source="media/whats-new/print-workbook.png" alt-text="Print your workbook or save as PDF.":::
For more information, see Visualize and monitor your data.
Now your incident filters and sorting are saved throughout your Azure Sentinel session, even while navigating to other areas of the product. As long as you're still in the same session, navigating back to the Incidents area in Azure Sentinel shows your filters and sorting just as you left them.

> [!NOTE]
> Incident filters and sorting are not saved after leaving Azure Sentinel or refreshing your browser.
Azure Sentinel's Microsoft 365 Defender (M365D) incident integration allows you to stream all M365D incidents into Azure Sentinel and keep them synchronized between both portals. Incidents from M365D (formerly known as Microsoft Threat Protection or MTP) include all associated alerts, entities, and relevant information, providing you with enough context to perform triage and preliminary investigation in Azure Sentinel. Once in Sentinel, incidents will remain bi-directionally synced with M365D, allowing you to take advantage of the benefits of both portals in your incident investigation.
Using both Azure Sentinel and Microsoft 365 Defender together gives you the best of both worlds. You get the breadth of insight that a SIEM gives you across your organization's entire scope of information resources, and also the depth of customized and tailored investigative power that an XDR delivers to protect your Microsoft 365 resources, both of these coordinated and synchronized for seamless SOC operation.
For more information, see Microsoft 365 Defender integration with Azure Sentinel.
Azure Policy is an Azure service which allows you to use policies to enforce and control the properties of a resource. The use of policies ensures that resources stay compliant with your IT governance standards.
Among the properties of resources that can be controlled by policies are the creation and handling of diagnostics and auditing logs. Azure Sentinel now uses Azure Policy to allow you to apply a common set of diagnostics logs settings to all (current and future) resources of a particular type whose logs you want to ingest into Azure Sentinel. Thanks to Azure Policy, you'll no longer have to set diagnostics logs settings resource by resource.
Azure Policy-based connectors are now available for the following Azure services:
- Azure Key Vault (public preview)
- Azure Kubernetes Service (public preview)
- Azure SQL databases/servers (GA)
Customers will still be able to send the logs manually for specific instances and don’t have to use the policy engine.
- Cybersecurity Maturity Model Certification (CMMC) workbook
- Third-party data connectors
- UEBA insights in the entity page (Public preview)
- Improved incident search (Public preview)
The Azure Sentinel CMMC Workbook provides a mechanism for viewing log queries aligned to CMMC controls across the Microsoft portfolio, including Microsoft security offerings, Office 365, Teams, Intune, Azure Virtual Desktop and many more.
The CMMC workbook enables security architects, engineers, security operations analysts, managers, and IT professionals to gain situational awareness visibility for the security posture of cloud workloads. There are also recommendations for selecting, designing, deploying, and configuring Microsoft offerings for alignment with respective CMMC requirements and practices.
Even if you aren’t required to comply with CMMC, the CMMC workbook is helpful in building Security Operations Centers, developing alerts, visualizing threats, and providing situational awareness of workloads.
Access the CMMC workbook in the Azure Sentinel Workbooks area. Select Template, and then search for CMMC.
:::image type="content" source="media/whats-new/cmmc-guide-toggle.gif" alt-text="GIF recording of the C M M C workbook guide toggled on and off." lightbox="media/whats-new/cmmc-guide-toggle.gif":::
For more information, see:
- Azure Sentinel Cybersecurity Maturity Model Certification (CMMC) Workbook
- Visualize and monitor your data
Our collection of third-party integrations continues to grow, with thirty connectors being added in the last two months. Here's a list:
- Agari Phishing Defense and Brand Protection
- Akamai Security Events
- Alsid for Active Directory
- Apache HTTP Server
- Aruba ClearPass
- Blackberry CylancePROTECT
- Broadcom Symantec DLP
- Cisco Firepower eStreamer
- Cisco Meraki
- Cisco Umbrella
- Cisco Unified Computing System (UCS)
- ESET Enterprise Inspector
- ESET Security Management Center
- Google Workspace (formerly G Suite)
- Imperva WAF Gateway
- Juniper SRX
- Netskope
- NXLog DNS Logs
- NXLog Linux Audit
- Onapsis Platform
- Proofpoint On Demand Email Security (POD)
- Qualys Vulnerability Management Knowledge Base
- Salesforce Service Cloud
- SonicWall Firewall
- Sophos Cloud Optix
- Squid Proxy
- Symantec Endpoint Protection
- Thycotic Secret Server
- Trend Micro XDR
- VMware ESXi
The Azure Sentinel entity details pages provide an Insights pane, which displays behavioral insights on the entity and helps you quickly identify anomalies and security threats.
If you have UEBA enabled, and have selected a timeframe of at least four days, this Insights pane will now also include the following new sections for UEBA insights:
| Section | Description |
|---|---|
| UEBA Insights | Summarizes anomalous user activities:<br>- Across geographical locations, devices, and environments<br>- Across time and frequency horizons, compared to user's own history<br>- Compared to peers' behavior<br>- Compared to the organization's behavior |
| User Peers Based on Security Group Membership | Lists the user's peers based on Azure AD Security Groups membership, providing security operations teams with a list of other users who share similar permissions. |
| User Access Permissions to Azure Subscription | Shows the user's access permissions to the Azure subscriptions accessible directly, or via Azure AD groups / service principals. |
| Threat Indicators Related to The User | Lists a collection of known threats relating to IP addresses represented in the user's activities. Threats are listed by threat type and family, and are enriched by Microsoft's threat intelligence service. |
We've improved the Azure Sentinel incident searching experience, enabling you to navigate faster through incidents as you investigate a specific threat.
When searching for incidents in Azure Sentinel, you're now able to search by the following incident details:
- ID
- Title
- Product
- Owner
- Tag
- Analytics rule wizard: Improved query editing experience (Public preview)
- Az.SecurityInsights PowerShell module (Public preview)
- SQL database connector
- Dynamics 365 connector (Public preview)
- Improved incident comments
- Dedicated Log Analytics clusters
- Logic apps managed identities
- Improved rule tuning with the analytics rule preview graphs
The Azure Sentinel Scheduled analytics rule wizard now provides the following enhancements for writing and editing queries:
- An expandable editing window, providing you with more screen space to view your query.
- Key word highlighting in your query code.
- Expanded autocomplete support.
- Real-time query validations. Errors in your query now show as a red block in the scroll bar, and as a red dot in the Set rule logic tab name. Additionally, a query with errors cannot be saved.
For more information, see Create custom analytics rules to detect threats.
Azure Sentinel now supports the new Az.SecurityInsights PowerShell module.
The Az.SecurityInsights module supports common Azure Sentinel use cases, like interacting with incidents to change status, severity, owner, and so on, adding comments and labels to incidents, and creating bookmarks.
Although we recommend using Azure Resource Manager (ARM) templates for your CI/CD pipeline, the Az.SecurityInsights module is useful for post-deployment tasks, and is targeted for SOC automation. For example, your SOC automation might include steps to configure data connectors, create analytics rules, or add automation actions to analytics rules.
For more information, including a full list and description of the available cmdlets, parameter descriptions, and examples, see the Az.SecurityInsights PowerShell documentation.
Azure Sentinel now provides an Azure SQL database connector, which lets you stream your databases' auditing and diagnostic logs into Azure Sentinel and continuously monitor activity in all your instances.
Azure SQL is a fully managed, Platform-as-a-Service (PaaS) database engine that handles most database management functions, such as upgrading, patching, backups, and monitoring, without user involvement.
For more information, see Connect Azure SQL database diagnostics and auditing logs.
Azure Sentinel now provides a connector for Microsoft Dynamics 365, which lets you collect your Dynamics 365 applications' user, admin, and support activity logs into Azure Sentinel. You can use this data to help you audit the entirety of data processing actions taking place and analyze it for possible security breaches.
For more information, see Connect Dynamics 365 activity logs to Azure Sentinel.
Analysts use incident comments to collaborate on incidents, documenting processes and steps manually or as part of a playbook.
Our improved incident commenting experience enables you to format your comments and edit or delete existing comments.
For more information, see Automatically create incidents from Microsoft security alerts.
Azure Sentinel now supports dedicated Log Analytics clusters as a deployment option. We recommend considering a dedicated cluster if you:
- Ingest over 1 Tb per day into your Azure Sentinel workspace
- Have multiple Azure Sentinel workspaces in your Azure enrollment
Dedicated clusters enable you to use features like customer-managed keys, lockbox, double encryption, and faster cross-workspace queries when you have multiple workspaces on the same cluster.
For more information, see Azure Monitor logs dedicated clusters.
Azure Sentinel now supports managed identities for the Azure Sentinel Logic Apps connector, enabling you to grant permissions directly to a specific playbook to operate on Azure Sentinel instead of creating extra identities.
- Without a managed identity, the Logic Apps connector requires a separate identity with an Azure Sentinel RBAC role in order to run on Azure Sentinel. The separate identity can be an Azure AD user or a Service Principal, such as an Azure AD registered application.
- Turning on managed identity support in your Logic App registers the Logic App with Azure AD and provides an object ID. Use the object ID in Azure Sentinel to assign the Logic App with an Azure RBAC role in your Azure Sentinel workspace.
For more information, see:
- Authenticating with Managed Identity in Azure Logic Apps
- Azure Sentinel Logic Apps connector documentation
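The object-ID-to-role-assignment step above, as an added example that is not from the page or from the Logic Apps documentation. It assumes the Logic App already has its system-assigned identity turned on and an existing Connect-AzAccount session; resource names are placeholders, and "Azure Sentinel Responder" is the role name as it was at the time of this page.

```powershell
# Added example (not from the original page): grant a playbook's managed identity a
# Sentinel RBAC role scoped to one workspace, instead of creating a separate identity.
Import-Module Az.Resources, Az.OperationalInsights

$rg       = 'rg-sentinel-prod'      # placeholder
$ws       = 'law-sentinel-prod'     # placeholder
$playbook = 'Notify-SOC'            # placeholder Logic App (playbook) name

# Turning on the system-assigned identity registers the Logic App in Azure AD; read the
# object ID it was given back from the workflow resource.
$app = Get-AzResource -ResourceGroupName $rg -ResourceType 'Microsoft.Logic/workflows' -Name $playbook
$principalId = $app.Identity.PrincipalId
if (-not $principalId) {
    throw "Logic App '$playbook' has no managed identity enabled; turn it on first."
}

# Least privilege: scope the assignment to the single workspace the playbook operates on,
# not the resource group or subscription.
$scope = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws).ResourceId
$role  = 'Azure Sentinel Responder'   # use 'Azure Sentinel Reader' if the playbook only reads

# Idempotent: skip when the assignment already exists so re-runs do not error out.
$existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope -RoleDefinitionName $role
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $role -Scope $scope
} else {
    Write-Host "'$playbook' already holds '$role' on $ws"
}
```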
Azure Sentinel now helps you better tune your analytics rules, helping you to increase their accuracy and decrease noise.
After editing an analytics rule on the Set rule logic tab, find the Results simulation area on the right.
Select Test with current data to have Azure Sentinel run a simulation of the last 50 runs of your analytics rule. A graph is generated to show the average number of alerts that the rule would have generated, based on the raw event data evaluated.
For more information, see Define the rule query logic and configure settings.
Azure Sentinel's built-in hunting queries empower SOC analysts to reduce gaps in current detection coverage and ignite new hunting leads.
This update for Azure Sentinel includes new hunting queries that provide coverage across the MITRE ATT&CK framework matrix:
- Collection
- Command and Control
- Credential Access
- Discovery
- Execution
- Exfiltration
- Impact
- Initial Access
- Persistence
- Privilege Escalation
The added hunting queries are designed to help you find suspicious activity in your environment. While they may return legitimate activity and potentially malicious activity, they can be useful in guiding your hunting.
If, after running these queries, you are confident in the results, you may want to convert them to analytics rules or add hunting results to existing or new incidents.
All of the added queries are available via the Azure Sentinel Hunting page. For more information, see Hunt for threats with Azure Sentinel.
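Promoting a reviewed hunting query to a scheduled analytics rule, which also illustrates the "create analytics rules" post-deployment task from the Az.SecurityInsights section above; this is an added example, not code from the page, and the KQL is a constructed sample rather than one of Sentinel's built-in hunting queries. Resource names are placeholders and an existing Connect-AzAccount session is assumed.

```powershell
# Added example (not from the original page): turn a hunting query an analyst has
# reviewed into a scheduled analytics rule with Az.SecurityInsights.
Import-Module Az.SecurityInsights

$rg = 'rg-sentinel-prod'    # placeholder
$ws = 'law-sentinel-prod'   # placeholder

# Constructed sample hunting query (Credential Access): a burst of failed Windows
# logons from one source address followed by at least one success in the same hour.
$query = @'
SecurityEvent
| where EventID in (4624, 4625)
| summarize Failures  = countif(EventID == 4625),
            Successes = countif(EventID == 4624),
            Accounts  = dcount(TargetUserName)
          by IpAddress, bin(TimeGenerated, 1h)
| where Failures >= 20 and Successes >= 1
'@

# Scheduled rule: run hourly over the last hour of data and alert on any returned row.
# -Tactic places the rule in the MITRE ATT&CK column shown on the Analytics page.
$rule = New-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $ws -Scheduled `
    -DisplayName 'Failed logon burst followed by success' `
    -Description 'Promoted from hunting after analyst review; tune the Failures threshold per environment.' `
    -Query $query `
    -QueryFrequency (New-TimeSpan -Hours 1) `
    -QueryPeriod (New-TimeSpan -Hours 1) `
    -Severity Medium `
    -TriggerOperator GreaterThan -TriggerThreshold 0 `
    -Tactic CredentialAccess `
    -Enabled

# Confirm what was created before wiring playbooks or automation to it.
$rule | Select-Object DisplayName, Severity, Enabled
```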
Azure Sentinel users benefit from the following Log Analytics agent improvements:
- Support for more operating systems, including CentOS 8, RedHat 8, and SUSE Linux 15.
- Support for Python 3 in addition to Python 2
Azure Sentinel uses the Log Analytics agent to send events to your workspace, including Windows Security events, Syslog events, CEF logs, and more.
Note
The Log Analytics agent is sometimes referred to as the OMS Agent or the Microsoft Monitoring Agent (MMA).
For more information, see the Log Analytics documentation and the Log Analytics agent release notes.
Azure Sentinel playbooks are based on workflows built in Azure Logic Apps, a cloud service that helps you schedule, automate, and orchestrate tasks, business processes, and workflows. Playbooks can be automatically invoked when an incident is created, or when triaging and working with incidents.
To provide insights into the health, performance, and usage of your playbooks, we've added a workbook named Playbooks health monitoring.
Use the Playbooks health monitoring workbook to monitor the health of your playbooks, or look for anomalies in the amount of succeeded or failed runs.
The Playbooks health monitoring workbook is now available in the Azure Sentinel Templates gallery:
:::image type="content" source="media/whats-new/playbook-monitoring-workbook.gif" alt-text="Sample Playbooks health monitoring workbook":::
For more information, see:
The Microsoft 365 Defender connector for Azure Sentinel enables you to stream advanced hunting logs (a type of raw event data) from Microsoft 365 Defender into Azure Sentinel.
With the integration of Microsoft Defender for Endpoint (MDATP) into the Microsoft 365 Defender security umbrella, you can now collect your Microsoft Defender for Endpoint advanced hunting events using the Microsoft 365 Defender connector, and stream them straight into new purpose-built tables in your Azure Sentinel workspace.
The Azure Sentinel tables are built on the same schema that's used in the Microsoft 365 Defender portal, and provide you with complete access to the full set of advanced hunting logs.
For more information, see Connect data from Microsoft 365 Defender to Azure Sentinel.
Note
Microsoft 365 Defender was formerly known as Microsoft Threat Protection or MTP. Microsoft Defender for Endpoint was formerly known as Microsoft Defender Advanced Threat Protection or MDATP.
[!div class="nextstepaction"] On-board Azure Sentinel
[!div class="nextstepaction"] Get visibility into alerts