Unify your security data and use AI to reason over your entire digital estate with Microsoft Sentinel. See how threats evolve in real time, map attack paths, and understand which assets are most at risk.
Visualize relationships across users, devices, and resources to pinpoint vulnerabilities and focus your response where it matters most. Using natural language, you can investigate faster. Ask questions, get context, and act on insights without writing complex queries. Build and extend your own identity graphs to include multicloud systems like Salesforce, enriching your view of risk.
Vandana Mahtani, Microsoft Sentinel Principal PM, shares how to detect, investigate, and disrupt threats in one connected experience with Microsoft Sentinel.
You can find more info on custom graphs at https://aka.ms/sentinel/graph/ignite and sign up for the preview at https://aka.ms/sentinel/graph/customsignup
- Understand and mitigate risks: connect the dots across users, devices, and resources with blast radius analysis in Sentinel graph.
- Ask questions in natural language: let the Sentinel MCP server analyze user activities across connected services.
- Create custom identity graphs: map multicloud risk, detect high-risk users, and safeguard critical systems with the Microsoft Sentinel platform.
QUICK LINKS:
00:00 — Microsoft Sentinel SIEM and AI-ready security platform
01:37 — Blast radius integration
02:34 — Investigate using AI with the Sentinel MCP server
03:40 — Advanced hunting
04:53 — Custom graphs
07:07 — Build your own custom graph
08:51 — Wrap up
Link References
For more information, visit https://aka.ms/sentinelplatform
Custom graph public preview signup at https://aka.ms/sentinel/graph/customsignup
Unfamiliar with Microsoft Mechanics?
As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.
Video Transcript:
-What if your security tools could not only detect threats, but understand them? What if they could reason over your entire digital estate, connect the dots between disconnected security signals, and predict where attackers might go next? All of this is now possible with Microsoft Sentinel, which is now more powerful, as it has evolved to be both a SIEM and an AI-ready security platform. Let’s break this down. At the foundation, Sentinel data lake unifies all your data in one place to enrich your investigations. Hundreds of available connectors help you bring in your security data wherever it resides. Risk signals contained in security data from different systems come together in the new Sentinel graph.
-Here, real-time threat intelligence, like suspicious sign-ins and risky network activity, is mapped with the relationships identified across entities, from your users, devices, and resources across your entire digital estate, to reveal the potential attack paths or overall blast radius and more, so that you can understand the risk posed to critical assets. And you can perform complex queries using natural language enabled by the Sentinel MCP server that serves as a powerful gateway for AI to retrieve structured context to reason over all of your security data: from tabular and relational, to graph-based and vector-based semantic data, ultimately helping you detect, investigate, and disrupt threats faster. Let me make this real by first showing you the transformed experience for incident investigation.
-The experience starts with Microsoft Defender, where you can easily access Microsoft Sentinel capabilities. I’m going to navigate to my active incidents. I’m interested in this multi-stage attack, and I can straight away see that user Mark Gafarova’s credentials have been compromised. In the past, figuring out where the attacker would go next would take a lot of extra hunting, which you may not have the luxury of time for. With the new blast radius integration powered by Sentinel graph, we can quickly see the potential attack paths the attacker could take to get to critical assets, like the wg-prod key vault, which would escalate the severity of the attack by providing access to critical assets and data. As you saw, with Sentinel graph working behind the scenes, connecting the dots is faster when timing is critical. Now that we know the target of the attack and the potential assets at risk, we can customize our investigation using AI with the Sentinel MCP server.
-Here I have a chat agent that my company Zava has built using GitHub Copilot. It’s connected to the Sentinel MCP server. Even though we know this incident has flagged Mark as potentially being compromised, I want to understand more about Mark. In the past, I would have had to be competent in Kusto querying to start to build a picture, but I can now just pose a question in natural language and replace multiple queries with a single question. I’ll ask, “What do we know about user Mark Gafarova and his actions?” And as you can see, this agent first connects to the MCP server, then performs a series of semantic searches and Kusto queries, then reasons over the retrieved data to analyze the user’s activities and checks for risk events across connected services. And we can see it’s found all of Mark’s recent activities and we know more about his activities before we revoke his access to resources.
-With more clues in hand, we can now move on to more advanced hunting using the new hunting graph. We just saw that the wg-prod key vault looked accessible by our attackers. In fact, this visual shows us other accounts that have access. Our high privilege account, Malin on the right, is well protected using phishing-resistant authentication, so they are more immune to an attacker. But Laura Hanak on the left and Alberto Polak on top are standard business users, so let’s find out first if Laura’s account was compromised. I’ll move back to our agent and prompt it with, “Show me the blast radius from Laura Hanak,” and it identifies all the resources that Laura’s account can access along with what is at risk, like our key vault production environment, security infrastructure, automation systems, and AI/ML platforms. It also presents recommendations of what to do to lock down these at-risk resources and monitor them. And I can keep going for more information. I’ll ask, “Why is this risky?” And it generates a detailed security analysis with different attack risks and their tactics, techniques and protocols for each. So, graphs are a powerful way to investigate risk in your environment. In some cases, you may want to use custom graphs enriched with specific data.
-For example, you might want to understand if attack risk from an incident extends to your CRM system, like Salesforce, using your favorite open-source graph, or even build your own. Here we’ve ingested Salesforce data into Sentinel data lake via the available connector, which allows for higher fidelity relationship mapping to instantiate a custom multicloud identity graph, and to which our agent is connected.
-This time I’ll ask, “Can you analyze Alberto Polak using the custom identity graph? Is there risk to Salesforce?” And the agent uses the identity graph. It’s getting information to understand potential attack paths. Then it finds the blast radius specific to Alberto. Then it’s searching for Salesforce-specific connections and runs more queries in different ways against the data lake. You’ll see that it found Alberto to be high risk based on his access level. We can see clearly that Alberto is a Helpdesk Tier 1 admin with admin rights, who can delegate privileges to other accounts and even APIs and perform remote script execution. This goes beyond information that can be queried in Microsoft Entra ID. This could lead to privilege escalation and bulk data exfiltration via API data sync.
-Under Direct Salesforce Risk, it lists risky things that his account can do: managing users, modifying all data, and again the API privileges. Then it highlights attack scenarios with single sign-on compromise and the API. Lastly, it gives great immediate recommendations. These ones are at a critical level focused on reducing Alberto’s access levels, including his group memberships, enabling just-in-time elevation to limit standing privileges, and auditing connected apps to make sure they have not been compromised. Then in high priority recommendations, these themes are reiterated at a more zoomed-in level for specific parameters, activities, and assets.
-Next, let me show you more of the details behind building your own custom graph that works with your data in the Sentinel data lake. Here I’m in Visual Studio Code using the Microsoft Sentinel extension, and I’m building a graph similar to what we just saw with Salesforce data. This uses Spark SQL queries to create graph nodes and edges as entities to pull in. The graph assembly step connects everything together so that we can instantiate the graph itself, and after that we can query it. There’s an initial prerequisite and connection step to install the client, then connect and authenticate to our tenant.
-Then in step 1, we’re adding all of our relevant Microsoft and Azure nodes, like SQL instances, users, and groups. Below that, you’ll see our connections to Salesforce nodes, with tenant, user, and administrator details. Then we’re defining edges for each and mapping the different keys together to form the relationships and bring the data together first in Azure and Entra, then with the same types of information in Salesforce, as well as mapping Entra objects with Salesforce objects in the respective directories.
-Now that we’ve defined everything, the second step is to build the actual graph using the ingredients and relationships defined in the previous step, and finally instantiate our custom graph. And with everything built out, we can test it with a few queries from the notebook. Here, for example, we’re looking for shortest paths from a specific user to Salesforce privileged nodes. And in this case, we’re testing again with Alberto Polak, and from there, we’ve also run a few different types of queries. So with the graph tested, it’s ready to be used as a grounding source of data for our agent.
-With Microsoft Sentinel, you now have what you need to extend visibility across your environment and detect, investigate, understand, and disrupt active security threats faster from one single platform. To learn more, visit aka.ms/sentinelplatform, and keep watching Microsoft Mechanics for the latest tech updates. Thanks for watching!
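As an added illustration of the custom-graph workflow described in the transcript (define nodes and edges, assemble them into a graph, then query it for a user's blast radius and the shortest paths to Salesforce privileged nodes), here is a self-contained Python example. It is not Sentinel's or the Sentinel VS Code extension's code, and every node name, edge type and permission is a constructed placeholder modelled on the demo's node types.

```python
from collections import deque

# Constructed sample edges (source, relationship, target), placeholders modelled
# on the demo's node types: Entra users and groups, an Azure SQL instance, and
# Salesforce users, profiles and permissions. "mapsTo" is the cross-directory
# key mapping of an Entra object to its Salesforce object.
EDGES = [
    ("entra:alberto", "memberOf", "group:helpdesk-t1"),
    ("entra:laura", "memberOf", "group:helpdesk-t1"),
    ("group:helpdesk-t1", "canRead", "sql:inventory-db"),
    ("entra:alberto", "mapsTo", "sf:alberto"),
    ("sf:alberto", "hasProfile", "sf:profile:helpdesk-admin"),
    ("sf:profile:helpdesk-admin", "grants", "sf:perm:ManageUsers"),
    ("sf:profile:helpdesk-admin", "grants", "sf:perm:ModifyAllData"),
    ("sf:profile:helpdesk-admin", "grants", "sf:perm:ApiEnabled"),
]
# Salesforce nodes treated as privileged targets for the shortest-path query.
PRIVILEGED = {"sf:perm:ManageUsers", "sf:perm:ModifyAllData", "sf:perm:ApiEnabled"}

def assemble(edges):
    """Graph assembly step: adjacency list keyed by source node."""
    adj = {}
    for src, rel, dst in edges:
        adj.setdefault(src, []).append((rel, dst))
        adj.setdefault(dst, [])  # sinks still need an entry
    return adj

def _bfs_parents(adj, start):
    """Breadth-first search from start, recording each node's predecessor."""
    parent, q = {start: None}, deque([start])
    while q:
        n = q.popleft()
        for _, dst in adj[n]:
            if dst not in parent:
                parent[dst] = n
                q.append(dst)
    return parent

def blast_radius(adj, start):
    """All nodes reachable from start: what a compromised identity could touch."""
    return set(_bfs_parents(adj, start)) - {start}

def shortest_paths_to_privileged(adj, start, privileged=PRIVILEGED):
    """Shortest path from start to each reachable privileged node."""
    parent, paths = _bfs_parents(adj, start), {}
    for target in privileged & set(parent):
        path, cur = [], target
        while cur is not None:  # walk predecessors back to start
            path.append(cur)
            cur = parent[cur]
        paths[target] = path[::-1]
    return paths
```

Laura reaches only the group and the SQL instance, while Alberto's Entra-to-Salesforce mapping gives him a three-hop path to every privileged permission, which is the kind of cross-directory exposure the custom identity graph is meant to surface.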