Forum Discussion
Ofer_Shezaf
Microsoft
Aug 21, 2019
Azure Sentinel product updates
Changes and new features
- Cases are now incidents: to better align with other Microsoft products; the term "cases" is changing to "incidents".
- Incident comments: The comments feature enables customers to write multiple comments in the scope of an incident, and review them under the comments tab in the incident page.
- We have removed the option for auto-deploying a CEF/Syslog connector VM. While a convenient function, we understood that it might present a security risk as this was not a managed VM, and users were in charge of securing the VM.
Blog posts
- Azure Sentinel Agent: Collecting telemetry from on-prem and IaaS server
- Azure Sentinel: The Syslog and CEF source configuration grand list
- Collecting Azure PaaS services logs in Azure Sentinel
Other
Edoardo Gerosa and Olaf Hartong presented "Sentinel ATT&CK" at DefCon, which aims to simplify rapid deployment of a threat hunting capability that leverages Sysmon and MITRE ATT&CK on Azure Sentinel. Cool stuff and tons of out-of-the-box detections.
1 Reply
- Gary Bushey: Just a little late. Noticed this during a customer demo 😉