Microsoft Sentinel Blog

What’s New in Microsoft Sentinel: December 2025

TomerBrand, Microsoft
Dec 11, 2025

Welcome to the December edition of What’s New in Microsoft Sentinel! This month, we’re excited to spotlight innovations announced at Ignite that make Microsoft Sentinel even more powerful for security teams. From enhanced capabilities that streamline threat detection and response, to new integrations that simplify your workflows, Sentinel continues to empower defenders to stay ahead in a rapidly evolving threat landscape. Dive in to explore what’s new and how these updates can help you strengthen your security posture and scale with confidence.

Plan your move to Defender today

Take advantage of the latest innovations in Microsoft Sentinel SIEM and platform by migrating from the Azure to Defender experience. Not sure where to begin? We’ve got you covered with a wealth of resources to guide you every step of the way.

AI-powered SIEM migration experience

At Ignite, Microsoft announced a streamlined Sentinel SIEM migration experience, designed to simplify transitions from Splunk and QRadar (coming soon). The new approach offers guided workflows, automation, and integrated resources to reduce complexity and accelerate adoption, ensuring customers can modernize security operations with confidence. In addition, Microsoft offers migration support at no additional cost to customers through the Cloud Accelerate Factory program. For more details, contact your Microsoft representative or visit https://aka.ms/FactoryCustomerPortal  

AI-driven UEBA anomalies

We announced the introduction of AI-driven UEBA anomalies in September, and we are excited to share an update: users can now find this feature in the user side panel and on the user page (overview tab), showing the top 3 anomalies and the total number of anomalies in the last month. This new section is available from any entry point to the user page. If the user has had anomalies in the last 30 days, a new tag is shown as well. Further UEBA updates this month:

  • A new built-in “go hunt” query to show all the anomalies of the user in the context of the incident graph.
  • A new recommendation in Advanced Hunting to enhance query/detection with Anomalies, when relevant.
  • SOC optimization cards, recommending available tables to onboard into UEBA for better coverage and protection.
  • New design for the UEBA settings page, with recommended settings and further enhancements, for seamless experience.
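The overview-tab summary described above (top 3 anomalies and the total anomaly count for the last 30 days) can be reproduced for any single user in Advanced Hunting or Log Analytics. The query below is an added example, not the built-in “go hunt” query the post refers to; it assumes the UEBA `Anomalies` table with `UserPrincipalName`, `AnomalyTemplateName`, `Score` and `StartTime` columns, and `target_upn` is a placeholder to replace with the user under investigation.

```kusto
// Added example: per-user UEBA anomaly summary for the last 30 days.
// Assumes the UEBA Anomalies table with columns UserPrincipalName,
// AnomalyTemplateName, Score and StartTime; target_upn is a placeholder.
let target_upn = "user@example.com";
let lookback = 30d;
let user_anomalies =
    Anomalies
    | where StartTime > ago(lookback)
    | where UserPrincipalName =~ target_upn;
// Total anomaly count, mirroring the "total anomalies in the last month" figure.
let total = toscalar(user_anomalies | count);
// Top 3 anomaly types by peak score, mirroring the "top 3 anomalies" card.
user_anomalies
| summarize Occurrences = count(), MaxScore = max(Score), LastSeen = max(StartTime)
    by AnomalyTemplateName
| top 3 by MaxScore desc
| extend TotalAnomaliesLast30d = total
| project AnomalyTemplateName, Occurrences, MaxScore, LastSeen, TotalAnomaliesLast30d
```

Ranking by the highest score per anomaly type keeps a single high-confidence anomaly from being buried under many low-score repeats; switch `top 3 by MaxScore desc` to `top 3 by Occurrences desc` if volume matters more than severity for your triage.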

For a full walkthrough of UEBA capabilities, check out this webinar.

Microsoft Ignite 2025 rewind

Ignite 2025 showcased major advancements in security and AI-driven threat detection. New enhancements help customers to expand insight into their digital estate, get more out of the box value and transform their security operations center with AI. Catch up on all our Sentinel announcements below!

Expanding security insight

  • Onboard the data you need – We are continuously growing Sentinel’s connector ecosystem, enabling seamless integration across cloud platforms, SaaS apps, and on-prem systems. New additions include AWS (Network Firewall, Route 53 DNS), GCP (Cloud Run, VPC Flow), Palo Alto Prisma, SAP ETD, and more—plus DSPM integrations with BigID, Cyera, Varonis, and OneTrust to strengthen multi-cloud risk posture. For the full list of connectors see our documentation here. If there are new connectors you'd like to see, please reach out to our App Assure team.

    To learn more, register here for an upcoming webinar on December 11, 9:00 AM PST. 

  • Increase visibility with direct data lake ingestion – At Ignite we announced that Microsoft Defender for Endpoint (MDE) data can now flow directly into the Sentinel data lake, with table settings managed in the Defender portal. MDO and MDA will be supported soon. This results in better visibility, historical analysis, lower TCO, and stronger security operations. You can also ingest Entra, Syslog, CEF, and CommonSecurityLog data for broader, cost-efficient coverage. For more details see the Ignite blog.
  • Unlock developer innovation with Sentinel data lake - Microsoft Sentinel is evolving rapidly, transforming to be both an industry-leading SIEM and an AI-ready platform that empowers agentic defense across the security ecosystem. This post summarizes the key takeaways and actionable insights for developers looking to harness the full power of Sentinel. Read and Watch Webinar: Unlocking developer innovation with Microsoft Sentinel data lake.
  • Build custom graphs for advanced insights - We announced the public preview of custom graphs in Sentinel graph, which enables organizations to build tailored graph experiences for advanced analytics and security insights. This feature empowers teams to create custom visualizations and relationships across data sources for deeper threat detection and operational intelligence. Sign Up for Microsoft Sentinel graph public preview
  • Integrate Sentinel graph across Defender and Purview - Brings robust graph capabilities natively into Microsoft security solutions, delivering unified visibility and enriched context for investigations. Security teams can now leverage graph-powered insights across Defender and Purview to accelerate incident response and improve SOC efficiency. Learn more about uncovering hidden security risks with Microsoft Sentinel graph.

Enabling teams to do more, out of the box

  • Track compliance with new reports: Introducing two new out-of-the-box compliance solutions, for HIPAA and GDPR, in public preview, helping customers adhere to industry requirements without significant configuration. Both are available in the Sentinel content hub.
  • Discover new agents in the Security Store: A centralized marketplace for security solutions and integrations. Now in GA, the Security Store includes enhanced experiences within Microsoft Defender and Microsoft Entra, making it easier to discover, deploy, and manage security apps and connectors. Read more about Microsoft Security Store.

Transforming the SOC with AI and automation

  • Automatically disrupt in-progress attacks, now available for Sentinel data - Automatic Attack Disruption now integrates telemetry from AWS, Proofpoint, and Okta via Microsoft Sentinel. Using extensive Microsoft Threat Intelligence and AI, it helps detect sophisticated threats like phishing, business email compromise, and identity attacks across various accounts and cloud platforms. If an attack is spotted, compromised resources are quickly isolated, minimizing damage and downtime. By combining signals from different sources, security teams can shift from simply reacting to threats to proactively defending against them, making security management easier and improving protection overall. Learn more: Automatic attack disruption in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn
  • Develop custom agents using the Sentinel MCP server - Give AI agents standardized, natural language access to your complete security context across tabular and graph data, delivered as a fully managed service with enterprise-grade performance and scalability. Beyond Security Copilot and VS Code, the MCP server is now available in the GitHub Copilot, Copilot Studio, and Microsoft Foundry agent-building experiences – and even ChatGPT. Read more about Microsoft Sentinel MCP server.
  • Discover Security Copilot Agents built for SecOps: Enhance SOC efficiency with agentic assistance. New agents enable faster, smarter threat detection and response for SecOps teams. Read more: Security Copilot for SOC: bringing agentic AI to every defender | Microsoft Community Hub. New agents include:
    • Threat Hunting Agent for natural language-driven investigations with actionable insights.
    • Threat Intelligence Briefing Agent to quickly generate tailored threat briefings using global and Microsoft intelligence.
    • Dynamic Threat Detection Agent to uncover blind spots, validate security, and detect missed threats.
  • Uplevel the SOC with new Copilot skills:
    • Streamline investigations with AI-powered analyst notes: For customers that opt in, Copilot can automatically capture every step of your investigation—reviewing alerts, pivoting across entities, collecting evidence, and running queries—turning activities into structured notes to track everything you've done. With investigation “memory” running in the background, you can work multiple incidents in parallel without losing context. When you’re ready, simply ask Copilot to prepare your analyst notes for a complete, time-saving summary. Learn more here.
    • Accelerate response with more guidance: Standard Operating Procedures (SOPs) for guided response allow organizations to upload their own procedures so Security Copilot can align its recommendations with established guidebooks and compliance requirements. Guided response offers one-click actions across triage, containment, investigation and remediation that teams can take immediately. Learn more here.
    • AI-powered incident experience: The Defender incident queue now offers an AI-powered experience in public preview, helping SOC analysts prioritize critical threats with transparent risk scoring and actionable insights for faster, more confident triage.

Explore our post-event content to get caught up:

Additional resources

Stay Connected

Check back each month for the latest innovations, updates, and events to ensure you’re getting the most out of Microsoft Sentinel. We’ll see you in the new year!


Updated Dec 11, 2025