Cases are now incidents: to better align with other Microsoft products; the term "cases" is changing to "incidents".
Incident comments: The comments feature enables customers to write multiple comments in the scope of an incident, and review them under the comments tab in the incident page.
We have removed the option for auto-deploying a CEF/Syslog connector VM. While a convenient function, we understood that it might present a security risk as this was not a managed VM, and users were in charge of securing the VM.
Edoardo Gerosa and Olaf Hartong have presented at DefCon the "Sentinel ATT&CK", which aims to simplify rapid deployment of a threat hunting capability that leverages Sysmon and MITRE ATT&CK on Azure Sentinel. Cool staff and tons of out of the box detections