What’s New?
GDPR Compliance & Data Security Solution (Preview)
- Helps organizations demonstrate compliance with the General Data Protection Regulation (GDPR) and protect personal data in cloud and hybrid environments.
- Consolidates data from Alerts, Incidents, Microsoft Purview, Azure SQL, Microsoft 365, UEBA, and Entra ID into a unified workbook.
- Monitors GDPR-related alerts, data classification, sensitive data queries, identity risks, and insider behaviours.
- Provides clear audit evidence and compliance reports, supporting proactive risk detection and regulatory accountability.
HIPAA Compliance Solution (Preview)
- Designed for healthcare organizations and business associates to meet HIPAA Security and Privacy Rules.
- Provides robust monitoring of Protected Health Information (PHI) across administrative, technical, and physical safeguards.
- Features integrated dashboards, analytics, and Azure-native security capabilities for audit readiness and operational efficiency.
- Includes pre-built workbook tabs for overview, attack range, audit trail reporting, and advanced analysis.
- Enables anomaly detection (e.g., ransomware, suspicious SQL procedures, password spray attempts) and forensic audit trails for incident investigations.
Below, you will find more detailed information about the two solutions. First, we cover the GDPR Compliance Solution and the watchlist it depends on, followed by the data sources, watchlists, and workbook tabs of the HIPAA Compliance Solution.
GDPR Compliance Solution
This solution provides a unified workbook that consolidates data from Alerts and Incidents, Microsoft Purview, Azure SQL Databases, Microsoft 365, User & Entity Behavior Analytics (UEBA), and Entra ID. With this workbook, you can:
- Monitor GDPR and data-theft related alerts and incidents across your Microsoft ecosystem.
- Gain visibility into data classification and sensitivity labelling with Microsoft Purview.
- Detect sensitive data queries, anomalous database activity, and unusual access patterns in Azure SQL.
- Investigate identity risks, anomalous sign-ins, and insider behaviours using Entra ID and UEBA.
- Provide clear audit evidence and compliance reports across Microsoft 365 and related services.
Key Capabilities
- Security Alerts & Incidents
- Investigate security alerts and incidents from hosts and resources that store or process personal data.
- Track alerts mapped to MITRE ATT&CK® tactics and measure responsiveness for breach notification requirements.
- Focus on GDPR-relevant systems using customizable watchlists.
For the Security Alerts & Incidents section to function properly, you must create a watchlist containing the servers that host personal data. Configure this watchlist in Sentinel (Configuration > Watchlist) and populate its HostName column with the names of your personal-data hosting servers; the workbook uses it to filter alerts and incidents down to GDPR-relevant systems.
Sample Watchlist (GDPR_PersonalData_Assets)
| HostName |
|----------|
| server1  |
| server2  |
| server3  |
| server4  |
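The query below is an added example, not a query shipped in the solution's workbook. It shows how the Security Alerts & Incidents section can be scoped to the GDPR_PersonalData_Assets watchlist and how alert-to-closure time can be measured against the GDPR Article 33 window (72 hours from becoming aware of a breach). Constructed datatable rows stand in for the SecurityAlert and SecurityIncident tables and for `_GetWatchlist('GDPR_PersonalData_Assets')` so the query runs in any Log Analytics workspace; the column names (CompromisedEntity, SystemAlertId, AlertIds, CreatedTime, ClosedTime) are those of the real tables, and using closure time as the responsiveness metric is an assumption you may replace with your own notification timestamps.

```kql
// Added example: scope alerts to the personal-data watchlist and measure responsiveness.
// Constructed sample data; replace the three datatables with the real tables in production.
let PersonalDataHosts = datatable(HostName:string) [
    "server1", "server2", "server3", "server4"
];
// In a real workspace use the watchlist instead:
// let PersonalDataHosts = _GetWatchlist('GDPR_PersonalData_Assets') | project HostName;
let Alerts = datatable(TimeGenerated:datetime, AlertName:string, AlertSeverity:string,
                       Tactics:string, CompromisedEntity:string, SystemAlertId:string) [
    datetime(2024-05-01 08:00), "Suspicious data export",   "High",   "Exfiltration", "server2",         "a1",
    datetime(2024-05-01 09:30), "Mass file deletion",       "Medium", "Impact",       "server9",         "a2",
    datetime(2024-05-02 14:10), "Anomalous database query", "High",   "Collection",   "SERVER3.corp.local", "a3"
];
let Incidents = datatable(IncidentNumber:int, Status:string, CreatedTime:datetime,
                          ClosedTime:datetime, AlertIds:string) [
    101, "Closed", datetime(2024-05-01 08:05), datetime(2024-05-05 10:00), '["a1"]',
    102, "Closed", datetime(2024-05-02 14:15), datetime(2024-05-03 09:00), '["a3"]'
];
// Assumption: GDPR Art. 33 requires notification within 72 hours of awareness.
let NotificationWindow = 72h;
Alerts
// Alert entities are often FQDNs or mixed case; normalise to the short, lower-case host name
| extend HostName = tolower(tostring(split(CompromisedEntity, ".")[0]))
| join kind=inner (PersonalDataHosts | extend HostName = tolower(HostName)) on HostName
// Link each alert to the incident that contains it (SecurityIncident.AlertIds is a JSON array)
| join kind=leftouter (
    Incidents
    | mv-expand AlertId = parse_json(AlertIds) to typeof(string)
    | extend SystemAlertId = AlertId
  ) on SystemAlertId
| extend TimeToClose = ClosedTime - CreatedTime
| extend OverNotificationWindow = isnotempty(ClosedTime) and TimeToClose > NotificationWindow
| project TimeGenerated, HostName, AlertName, AlertSeverity, Tactics,
          IncidentNumber, Status, TimeToClose, OverNotificationWindow
| order by TimeGenerated asc
```

With the sample rows, the alert on server9 is dropped because that host is not in the watchlist, incident 101 is flagged as exceeding the 72-hour window (about four days to close), and incident 102 (under 19 hours) is not. The host-name normalisation matters in practice: alert entities frequently carry the FQDN while watchlists hold short names, and a raw join silently loses those rows.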
- Data Loss Prevention (DLP)
- Monitor sensitive data access, leaks, and geolocation-based usage.
- Detect potential leaks or unauthorized transfers of personal data.
- Track label-based access patterns and provide evidence of preventive controls.
- Purview Logs
- Discover and classify assets, monitor sensitivity labelling, and track data governance.
- Assess the application of sensitivity labels and provide auditors with data inventory and classification coverage.
- Azure SQL Databases
- Detect anomalies and monitor classified data queries.
- Track application and IP access to classified data for accountability and traceability.
- Provide auditors with proof of continuous monitoring of database activity.
- Microsoft 365 Activity
- Monitor user and administrator activity across Exchange, SharePoint, OneDrive, and Teams.
- Detect risky behaviours such as external sharing, non-owner mailbox access, and unusual admin operations.
- Provide a comprehensive audit trail of data activity in Microsoft 365 services.
- User & Entity Behavior Analytics (UEBA)
- Analyze anomalous user and entity behaviors to detect insider threats and compromised accounts.
- Correlate activities across multiple data sources and identify potential data exfiltration attempts.
- Sign-Ins and Audit (Entra ID)
- Track risky sign-ins, brute-force attempts, and unusual geolocations.
- Investigate access patterns to applications and resources handling personal data.
- Monitor changes to users, groups, and applications for GDPR accountability.
References
The metrics and monitoring approaches used in the GDPR Compliance Solution are referenced from established workbooks and solutions, including:
- Microsoft Purview: For data classification, sensitivity labelling, and governance metrics, leveraging Purview’s comprehensive data inventory and classification coverage.
- Azure SQL Database Solution for Sentinel: For monitoring classified data queries, detecting anomalies, and providing continuous database activity auditing.
- Microsoft Purview Insider Risk Management: For insights into M365 audits, identity risks, and anomalous activities, supporting proactive risk detection and regulatory accountability.
HIPAA Compliance Solution
The HIPAA Compliance Solution in Microsoft Sentinel—now available in preview—empowers security teams to validate compliance posture, detect anomalies, and respond swiftly to threats. With integrated dashboards, analytics, and Azure-native security capabilities, this solution helps you stay audit-ready while reducing operational complexity.
Getting Started: Two Key Steps
- Connect Data Sources
To unlock the full potential of the HIPAA Compliance Solution, you need to integrate key data sources into Microsoft Sentinel. These connectors ensure comprehensive visibility across your HIPAA environment:
- AzureDiagnostics
Collect logs from Azure services, firewalls, and network devices. This is critical for monitoring HIPAA-relevant infrastructure and network traffic anomalies.
Recommended Solution: Azure Firewall Solution in Sentinel Content Hub for enriched firewall analytics.
- SecurityEvent
Ingest Windows Server event logs to track login activity, access attempts, and policy changes.
Recommended Solution: Windows Security Events Solution for prebuilt analytics and dashboards.
- SecurityAlert
Pull in alerts from Microsoft Defender and other integrated security tools for anomaly and incident detection.
Recommended Solution: Microsoft Defender for Endpoint Solution for advanced threat detection and correlation.
- AuditLogs
Capture Microsoft Entra ID (formerly Azure AD) directory audit events such as user, group, role, and application changes to validate identity and access controls. Sign-in activity and MFA status come from the SigninLogs table, which the same Entra ID connector ingests.
Recommended Solution: Microsoft Entra ID (formerly Azure Active Directory) Solution for identity governance and compliance insights.
- DeviceEvents / DeviceProcessEvents
Gather endpoint telemetry and Defender for Endpoint alerts to monitor device health and detect compromise attempts.
Recommended Solution: Microsoft Defender for Endpoint Solution for endpoint security posture.
- SQLSecurityAuditEvents
Enable auditing for HIPAA-relevant databases to track CRUD operations, suspicious stored procedures, and integrity checks.
Recommended Solution: SQL Security Audit Solution for database compliance and threat detection.
- Define HIPAA Users and Assets
Use Watchlists to specify HIPAA-relevant users and assets within your compliance scope:
- HIPAA Users Details Watchlist
Columns: UserName, TrainingStatus, AccessLevel
Upload as CSV and configure in Sentinel under Configuration > Watchlist.
- HIPAA Assets Watchlist
Columns: DeviceName, DeviceType
Follow the same steps as above with appropriate naming conventions.
To learn more about how to create watchlists, see "Create new watchlists in Microsoft Sentinel" on Microsoft Learn.
What’s Included in the Solution
Pre-Built Workbook Tabs
Overview Tab
Track user training status, asset health, login success/failure, MFA status, antivirus coverage, and incident trends.
Attack Range Tab
This tab focuses on real-time threat visibility and behavioral analytics, giving SOC teams the ability to detect and respond to active threats impacting HIPAA-regulated environments. It visualizes multiple high-risk indicators drawn from security logs, Defender telemetry, and database activity.
Key insights provided on this dashboard include:
- Macaw Ransomware Detection:
Identifies endpoints exhibiting encryption-like behavior typical of the Macaw ransomware family, allowing the SOC team to act before patient health data is encrypted or lost.
- Suspicious SQL Stored Procedures:
Flags execution of destructive or data-deletion commands from stored procedures initiated by untrained or unauthorized HIPAA users, a potential insider threat or misuse case.
- Password Spray Attempts:
Detects repeated failed login attempts from a single IP within a short time frame, helping to identify brute-force or credential-stuffing activity targeting HIPAA accounts.
- Unusual SMB Activity:
Surfaces abnormal file-sharing or data transfer patterns between internal servers, indicating potential lateral movement or data exfiltration attempts.
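The following query is an added example written for this article, not the detection the Attack Range tab ships with. It demonstrates the password-spray pattern described above over Windows logon failures (SecurityEvent, EventID 4625) and joins the hits against the HIPAA Users Details watchlist so the result shows which in-scope accounts were targeted and whether any of them are untrained or privileged. Constructed datatable rows replace SecurityEvent and `_GetWatchlist('HIPAA_Users')` so the query runs in any workspace; the watchlist alias `HIPAA_Users`, the 10-minute window, and the threshold of five distinct accounts are assumptions to tune for your environment.

```kql
// Added example: password-spray detection scoped to the HIPAA Users watchlist.
// Constructed sample data; in production replace Failures with SecurityEvent
// and HipaaUsers with _GetWatchlist('HIPAA_Users').
let HipaaUsers = datatable(UserName:string, TrainingStatus:string, AccessLevel:string) [
    "alice", "Completed", "PHI-Read",
    "bob",   "Pending",   "PHI-Write",
    "carol", "Completed", "Admin"
];
let Failures = datatable(TimeGenerated:datetime, EventID:int, TargetUserName:string,
                         IpAddress:string, Computer:string) [
    // one attacker IP, one attempt per account: the spray signature
    datetime(2024-05-01 02:00:05), 4625, "alice", "203.0.113.7", "EHR-APP01",
    datetime(2024-05-01 02:00:09), 4625, "Bob",   "203.0.113.7", "EHR-APP01",
    datetime(2024-05-01 02:00:14), 4625, "carol", "203.0.113.7", "EHR-APP01",
    datetime(2024-05-01 02:00:21), 4625, "dave",  "203.0.113.7", "EHR-APP01",
    datetime(2024-05-01 02:00:27), 4625, "erin",  "203.0.113.7", "EHR-APP01",
    datetime(2024-05-01 02:00:33), 4625, "frank", "203.0.113.7", "EHR-APP01",
    // a second IP hammering a single account: brute force, not a spray
    datetime(2024-05-01 02:01:00), 4625, "alice", "198.51.100.9", "EHR-APP01",
    datetime(2024-05-01 02:01:02), 4625, "alice", "198.51.100.9", "EHR-APP01",
    datetime(2024-05-01 02:01:05), 4625, "alice", "198.51.100.9", "EHR-APP01"
];
let SprayWindow = 10m;           // assumption: tune per environment
let MinDistinctAccounts = 5;     // assumption: tune per environment
Failures
| where EventID == 4625
| extend UserName = tolower(TargetUserName)
| summarize FailedAttempts = count(),
            DistinctAccounts = dcount(UserName),
            Accounts = make_set(UserName, 100),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IpAddress, Computer, WindowStart = bin(TimeGenerated, SprayWindow)
| where DistinctAccounts >= MinDistinctAccounts
// A spray spreads a few tries across many accounts; many tries on few accounts is brute force
| where FailedAttempts <= DistinctAccounts * 3
| mv-expand Account = Accounts to typeof(string)
| join kind=inner (
    HipaaUsers
    | project Account = tolower(UserName), TrainingStatus, AccessLevel
  ) on Account
| summarize HipaaAccountsTargeted = make_set(Account),
            UntrainedTargets = make_set_if(Account, TrainingStatus != "Completed"),
            AdminTargets = make_set_if(Account, AccessLevel == "Admin")
    by IpAddress, Computer, WindowStart, FailedAttempts, DistinctAccounts, FirstSeen, LastSeen
| order by FirstSeen asc
```

On the sample data only 203.0.113.7 is reported: six distinct accounts in under a minute, with alice, bob, and carol identified as HIPAA-scoped targets, bob listed as untrained, and carol as an Admin. The 198.51.100.9 activity is excluded because it targets a single account; it belongs in a separate brute-force rule rather than this one. Lower-casing both sides before the join is deliberate, since logon failures record the user name as typed by the attacker while the watchlist holds the canonical form.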
Audit Trail Reporting Tab
This tab serves as the organization's forensic and compliance backbone, enabling security and compliance teams to trace every critical activity within their HIPAA environment. It provides a detailed chronological record of user actions, system processes, and network communications, essential for both incident investigations and regulatory audits.
Further Analysis Tab
Export pre-written queries for advanced investigation and compliance reporting.
Microsoft Sentinel is a cloud-native SIEM, enriched with AI and automation to provide expansive visibility across your digital environment.