Microsoft Sentinel Blog

Announcing Unified SOX & DORA Compliance Solutions in Microsoft Sentinel

PrateekTaneja (Microsoft)
Jan 16, 2026

Empowering Financial Institutions to Meet Modern Regulatory Demands 

As financial organizations navigate increasingly complex regulatory landscapes, two frameworks stand out for their impact and rigor: the Sarbanes-Oxley Act (SOX) and the Digital Operational Resilience Act (DORA). Microsoft Sentinel now offers dedicated solutions for both, enabling security and compliance teams to achieve continuous, audit-ready compliance across cloud and enterprise environments. 

SOX IT Compliance Solution (Preview)

The SOX IT Compliance solution in Microsoft Sentinel delivers a workbook-driven experience mapped directly to SOX ITGC domains. It consolidates telemetry from Microsoft Entra ID, Azure Activity Logs, Defender signals, Microsoft 365 audit logs, and more. 

Ensuring compliance with the Sarbanes-Oxley Act (SOX) is a critical responsibility for organizations that handle financial reporting systems. Beyond financial controls, SOX places strong requirements on IT General Controls (ITGCs) - covering who can access systems, how changes are made, and how data integrity is maintained.

To help security and compliance teams operationalize these requirements, Microsoft Sentinel provides a SOX IT Compliance solution that enables continuous monitoring, audit evidence generation, and investigation across cloud and enterprise environments. 

SOX IT Compliance in Microsoft Sentinel 

The SOX IT Compliance solution for Microsoft Sentinel delivers a unified, workbook-driven experience that aligns directly with SOX IT General Control areas and continuously monitors them using telemetry from Microsoft and third-party sources.

The solution consolidates data from:

  • Microsoft Entra ID (sign-ins, role changes, directory audits)
  • Azure Activity Logs (resource and configuration changes) 
  • Microsoft Defender signals (privileged access and behavior anomalies) 
  • Microsoft 365 audit logs 
  • Windows and Linux security events 
  • Database and application audit logs 

This data is presented through a structured workbook that maps directly to SOX IT control domains. 

Key SOX IT Control Areas Covered 

  1. Access Management Controls

SOX requires that only authorized individuals can access systems involved in financial reporting. 

The solution continuously monitors: 

  • User sign-ins to financial and ERP systems
  • Privileged role assignments and removals 
  • Administrative actions performed outside approved access lists 
  • Anomalous or high-risk access behaviour using UEBA signals 

By correlating identity logs with a dedicated SOX watchlist of approved users and systems, teams can quickly identify unauthorized access attempts and produce clear audit evidence.  
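As an added illustration (not a query shipped with the solution), the KQL below shows one way to correlate Entra ID sign-ins with such a watchlist. It assumes a watchlist with the alias SOX_Scope and the columns UserPrincipalName and AppDisplayName (both hypothetical names) and lists successful sign-ins to in-scope financial applications by users who are not on the approved list for that application.

```kusto
// Added example; the watchlist alias 'SOX_Scope' and its columns
// UserPrincipalName / AppDisplayName are assumed, not defined by the solution.
let approved = _GetWatchlist('SOX_Scope')
    | project AppDisplayName, UserPrincipalName = tolower(UserPrincipalName);
// Every application that appears in the watchlist is treated as in scope for SOX.
let inScopeApps = approved | distinct AppDisplayName;
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "0"                      // successful sign-ins only
| where AppDisplayName in (inScopeApps)
| extend UserPrincipalName = tolower(UserPrincipalName)
// leftanti keeps only sign-ins with no matching (app, user) pair in the watchlist
| join kind=leftanti approved on AppDisplayName, UserPrincipalName
| summarize SignInCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIPs = make_set(IPAddress, 10)
          by UserPrincipalName, AppDisplayName
| order by SignInCount desc
```

Each remaining row is audit evidence of access outside the approved list for that system; the same pattern extends to role assignments by swapping SigninLogs for AuditLogs.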

  2. Change Management Controls

Unauthorized or untracked system changes can directly impact financial accuracy and reporting integrity. 

The Sentinel solution provides visibility into: 

  • Configuration and policy changes across Azure and on-premises systems
  • Privileged administrative actions affecting financial applications
  • Operating system, registry, file, and database schema changes
  • Correlation of changes across Windows, Linux, and third-party sources

This enables organizations to demonstrate controlled change processes and quickly investigate suspicious or unapproved modifications.  

  3. Data Integrity and Audit Trail Controls

To meet SOX requirements, organizations must ensure financial data is protected from tampering and that audit trails are intact. 

The solution helps teams: 

  • Detect audit log clearing or logging stoppages 
  • Identify gaps in log collection from critical systems 
  • Monitor file integrity events affecting financial data 
  • Detect unexpected database or schema modifications 
  • Identify anomalous drops or spikes in log volume that may indicate suppression or tampering 

These checks provide continuous assurance that financial data remains complete, accurate, and traceable.  

Getting Started 

To deploy the SOX IT Compliance solution: 

  1. Enable the required data connectors in Microsoft Sentinel
  2. Define a SOX watchlist that maps authorized users, roles, and financial systems
  3. Use the built-in workbook to monitor compliance across Access Management, Change Management, and Data Integrity
  4. Customize queries and thresholds to match your organization’s policies

The solution is designed to be extensible, allowing organizations to adapt it to different financial systems and regulatory expectations over time.

DORA Compliance solution (Preview)

The Digital Operational Resilience Act (DORA) introduces a unified, stringent regulatory framework that requires financial institutions and ICT providers in the EU to demonstrate strong operational resilience, robust risk management, consistent incident reporting, and proven continuity measures. As organizations prepare for the 2025 enforcement timelines, security and compliance teams need clearer visibility into their digital operations, streamlined evidence collection, and actionable insights into their ICT risk posture.

Today, we are excited to announce the public preview of the Microsoft Sentinel Solution for DORA Compliance - a purpose‑built workbook that provides centralized, real‑time visibility into your organization’s ICT risks, incidents, threat exposure, and overall resilience posture mapped directly to DORA requirements.

Why this solution matters

The DORA Compliance Workbook is designed for Compliance Officers, Risk Managers, Security Architects, SOC Analysts, and IT Administrators who need a single, integrated view across operational resilience controls. The solution simplifies how organizations:

  • Monitor resilience across critical applications and infrastructure
  • Map security events and incidents to DORA Articles
  • Demonstrate compliance through quantifiable evidence
  • Strengthen ICT risk management and continuity planning
  • Prepare for audits with exportable, regulator‑friendly views

With pre‑built KQL queries, visualizations, and control mappings, the solution enables both high‑level oversight and deep, technical investigation capability.

The solution spans four purpose‑built tabs, each aligning to core DORA requirements.

  1. Incident Management & Reporting

A comprehensive overview of operational disruptions and security events impacting your resilience posture.
This tab enables you to:

  • Track Mean Time to Resolve (MTTR) to measure operational efficiency
  • View incidents by severity across High, Medium, and Low categories
  • Identify operational bottlenecks with open incidents by owner
  • Review top incident categories such as malware, phishing, identity compromise, and misconfiguration
  • Flag delays with a view of incidents unresolved beyond 72 hours (SLA breach)
  • Detect trends in investigation delays or anomalous resolution times

These insights help institutions demonstrate compliance with DORA’s ICT incident handling and reporting requirements.
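To make the MTTR and 72-hour views concrete, here is an added KQL query (not the workbook's own) over the SecurityIncident table. Because that table records one row per incident update, it first reduces to the latest row per incident, then computes MTTR per severity and lists open incidents that have passed the 72-hour window.

```kusto
// Added example over the SecurityIncident table; not taken from the DORA workbook.
// One row per incident: keep the most recent update.
let latest = SecurityIncident
    | summarize arg_max(LastModifiedTime, *) by IncidentNumber;
// Mean time to resolve, in hours, per severity for incidents closed in the last 30 days.
let mttr = latest
    | where Status == "Closed" and ClosedTime > ago(30d)
    | extend ResolveHours = datetime_diff('minute', ClosedTime, CreatedTime) / 60.0
    | summarize ClosedIncidents = count(), MTTR_Hours = round(avg(ResolveHours), 1) by Severity;
// Open incidents older than 72 hours, i.e. past the SLA window used by the workbook.
let slaBreaches = latest
    | where Status != "Closed"
    | extend OpenHours = datetime_diff('hour', now(), CreatedTime)
    | where OpenHours > 72
    | project IncidentNumber, Title, Severity, OpenHours,
              OwnerUPN = tostring(Owner.userPrincipalName)
    | order by OpenHours desc;
// A workbook would render each as its own tile; here the two results are unioned
// with a View column so the whole query runs as one statement.
union (mttr | extend View = "MTTR"), (slaBreaches | extend View = "SLA breach")
| order by View asc
```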

  2. Threat Intelligence & Detection

A unified threat intelligence lens that correlates indicators, alerts, and adversary behaviour.

Key capabilities include:

  • Active IOC Hits — surfacing which endpoints or services matched malicious IPs/domains
  • Alerts mapped to MITRE ATT&CK techniques for visibility into attacker tactics
  • Blocked or failed attack attempts, showing where controls prevented harm
  • Malicious file/URL insights from Defender and other threat protection solutions
  • High‑confidence, high‑activity indicators to prioritize threats that matter

This directly strengthens compliance with DORA’s emphasis on threat‑led risk management and proactive defence.

  3. Business Continuity & Recovery

Monitor the operational health of critical assets and continuity dependencies.

You can easily visualize:

  • Inactive or unreachable servers/devices, helping identify resilience gaps
  • Failover trends, cluster switches, and backup site activations
  • Differentiation between planned maintenance and unexpected disruptions

This provides the operational evidence needed to validate continuity, redundancy, and disaster recovery requirements under DORA.

  4. Compliance Mapping & Evidence

A dedicated space to connect operational signals to regulatory controls.

This includes:

  • Alerts mapped to DORA Articles to help measure control coverage
  • Monthly compliance summaries for trend‑based reporting
  • Threat‑type mappings from TI reports to DORA obligations
  • Control-by-control evidence views for audits and assessor walkthroughs

These views significantly reduce manual effort and accelerate audit readiness.

Getting Started in Three Steps

  1. Connect data sources

Before using the workbook, connect relevant security data sources such as:

  • Security Alerts, Security Incidents, Security Events
  • Defender for Cloud, Defender XDR, Defender for Endpoint, Defender for Office 365
  • Windows Security Events via AMA
  • Threat Intelligence indicators

These prerequisites ensure the workbook populates with full, correlated context.

  2. Define DORA Assets

You can specify which devices or systems fall under DORA scope by uploading a DORA Assets Watchlist containing:

Column names: DeviceName, DeviceType

This helps the dashboards filter and focus on regulated assets.
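As an added example (not a query from the workbook), the KQL below joins that watchlist, assumed to be uploaded under the alias DORA_Assets (a hypothetical alias), against the Heartbeat table to surface regulated devices that have gone silent, the kind of resilience gap the Business Continuity tab describes.

```kusto
// Added example; 'DORA_Assets' is an assumed watchlist alias. Column names
// DeviceName and DeviceType follow the watchlist schema described in the post.
let scope = _GetWatchlist('DORA_Assets')
    | project DeviceName = tolower(DeviceName), DeviceType;
// Last agent heartbeat per host; names are lower-cased so they match the watchlist
// (use the same naming form, short name or FQDN, in both places).
let lastSeen = Heartbeat
    | where TimeGenerated > ago(30d)
    | extend DeviceName = tolower(Computer)
    | summarize LastHeartbeat = max(TimeGenerated) by DeviceName;
scope
| join kind=leftouter lastSeen on DeviceName
| extend Status = case(isnull(LastHeartbeat), "never reported",
                       LastHeartbeat < ago(24h), "inactive",
                       "active")
| where Status != "active"
| project DeviceName, DeviceType, Status, LastHeartbeat
| order by LastHeartbeat asc
```

A device that is in the watchlist but has never reported points at a collection gap rather than an outage, which is why the two states are kept separate.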

  3. Explore and customize

All workbook queries are fully editable. Extend them to:

  • Add organization‑specific mappings
  • Integrate with custom logs
  • Automate evidence collection workflows
  • Build richer operational dashboards

Version 1.0