Microsoft Ignite 2021: What's New in Azure Sentinel
Published Mar 02 2021 06:00 AM 25.1K Views

Welcome to Microsoft Ignite 2021! While I hope that next time we meet, we can do it in person, I’m glad that we have this opportunity to share our new innovations and our vision for the future.


This past year has been tough, but it has also taught us a lot about security. It’s clear that the age of distributed environments is here to stay, demanding broad visibility and deep context across many data sources. Increasingly advanced attacks have demonstrated the importance of using AI and analytics to turn that visibility into actionable insight. And as security operations teams are tasked with protecting these sprawling environments, it’s more important than ever that they have integrated solutions and sophisticated automation so they can respond faster.    


These needs are at the forefront of our minds as we continue to improve Azure Sentinel. Today, we are announcing that Azure Sentinel is now more deeply integrated with Microsoft 365 Defender, so you can investigate and respond to complex threats faster with the breadth of a SIEM combined with the depth of XDR. Azure Sentinel’s extensive connector portfolio has significantly expanded, to help you streamline data collection no matter the source, and we’re introducing new automation features and improvements, making it easier for you to focus on what matters most.


Across all of these new innovations, our mission remains to the same: to empower security operations to efficiently and effectively stay ahead of evolving threats.


Harness the breadth and depth of integrated SIEM and XDR with new Microsoft 365 integration

Last Ignite, we shared our vision for a modernized approach to threat protection with integrated SIEM and XDR. Now, we’re building upon that vision with deeper integration between Azure Sentinel and Microsoft 365 Defender, making it easier than ever harness the breadth of SIEM alongside the depth of XDR.



 Above: An incident from Microsoft 365 Defender, displaying new incident synchronization.


Microsoft 365 Defender incidents are now fully integrated with Azure Sentinel, providing a seamless experience for responding to security threats. With one click, incidents from Microsoft 365 Defender, including all related alerts and entities, will automatically appear in the incident queue in Azure Sentinel and can be triaged and enriched with other data and insights.


You can now drill into deeper context in Microsoft 365 Defender with direct links in Azure Sentinel so you can investigate across the two products seamlessly, using your same credentials. Incident status and assignments are kept in sync between both systems, allowing you to manage all your incidents in Azure Sentinel, and update them in either solution. 


Streamline data collection with new connectors

Azure Sentinel offers a growing catalog of more than 100 built-in connectors for Microsoft 365, Azure and other clouds, endpoints, networks, users, and much more. Just this week, we released more than 30 new data connectors, including highly-requested connectors for Cisco Umbrella, Cisco Meraki, Salesforce Cloud, and many more. You can learn more and view the full list of new connectors here.



Above: A few of the new connectors recently released to Public Preview, including Cisco Umbrella.


We are also releasing several new Azure connectors for a deeper, more seamless data collection experience across your Azure workloads. These connectors, now in Public Preview, include Azure Storage, Azure SQL, Azure Kubernetes Service, and Azure Key Vault.


Respond faster with incident response and automation improvements

Automation is key to improving the speed and efficiency of incident response, empowering analysts to act quickly in response to threats. At Ignite, we are announcing new capabilities that simplify automation of common incident response actions, as well as additional advanced automation workflows.





Above: New automation rules in Azure Sentinel, providing a new way to automate common tasks.


New automation rules make it easy to apply a series of common actions and playbooks to security incidents. You can specify conditions for when the rule will be applied, and select one or more pre-defined actions (e.g. assign to a user, or change severity) and Logic App playbooks to run in sequence. You can also run multiple automation rules in sequence. For example, you might set an automation rule to remediate certain types of incidents (e.g. resetting a user’s password) and then close the incident, lookup the next analyst in rotation then assign them the incident, enrich incidents with TI and then use this information to increase or decrease the severity of an incident, or any number of other single or multi-step actions.  


In addition to the powerful new capabilities noted above, we continue to grow the number of built-in Logic Apps connectors and automated playbooks. New connectors for Azure Networking solutions are now available. We have also released new playbooks that enable automation workflows such as blocking a suspicious IP addresses with Azure Firewall, isolating endpoint devices with Microsoft Defender for Endpoints, or updating risk state of a user with Azure Active Directory Identity Protection.


Analyze your security data with Notebooks, now in General Availability

At Ignite last September, we showcased a redesigned Notebooks experience in Azure Sentinel, powered by Azure Machine Learning. This Ignite, we are announcing general availability of Notebooks in Azure Sentinel, which provides a highly-customizable Jupyter notebook experience for analyzing security data, all within a secure Azure cloud environment. Azure Machine Learning offers Intellisense for ease of use and support for existing Jupyter and JupyterLab experiences, as well as point-in-time notebook snapshots and  a notebook file explorer for easy collaboration.


In addition, we added a new notebook machine learning template to help make machine learning more accessible for a broad range of users. This notebook template guides you through using time series analysis to detect anomalous network activity, clustering to highlight unusual logon sessions, and Markov Chain analysis to identify anomalous sequences in events.


Get started with next steps

Ready to dig deeper? All of these new capabilities and features are available in Azure Sentinel today. To see them in action for yourself, all you have to do is start a trial.


If you would like to learn more about these new announcements and about Azure Sentinel in general, I also encourage you to attend our Microsoft Ignite sessions. There, you can see demos of new features, watch a deep-dive of an attack scenario in action, ask Azure Sentinel experts questions in a live Q&A, and more.



Version history
Last update:
‎Nov 02 2021 06:37 PM
Updated by: