What’s Next in Microsoft Sentinel?
Published Feb 23 2022 05:55 AM 14.8K Views

As the volume of security data continues to grow exponentially across increasing distributed digital estates, Microsoft is reinventing the economics of SIEM and delivering new ways to access and work with security data. We are making it easier than ever for your security analysts to access any data, over any timeframe to provide the most comprehensive and innovative threat hunting solution in the market.  


Search + Analytics Over Any Data

As the first step on that journey, we are introducing new Basic Logs, which enable lower-cost collection of voluminous data sets, such as verbose network flow logs, in Microsoft Sentinel. This data, historically stored outside of the SIEM, is now easily available to your security analysts for ad hoc threat hunting and investigation – saving valuable time and removing blind spots. Basic Logs complement existing Analytics Logs, which require continuous monitoring, correlation, and advanced analysis to detect threats proactively. 


In addition, we are adding an Archived Log option that enables you to store Basic and Analytics Logs at very low cost for up to 7 years. Retain more data for longer to enable threat hunting over greater timeframes and address increasing regulatory requirements for security log archiving.


To enable rapid threat hunting over your expanding security data set, we are also announcing a new experience that empowers analysts to easily search petabytes of security data (Basic, Analytics, Archived, and more coming soon) across long time horizons and delivers results within minutes. When relevant archived data is discovered, it can be easily restored to high performance cache to enable further analysis and investigation. Having this data at your fingertips is vital to combatting long running threats like Nobelium, which are becoming increasingly common. Our vision is to unify search across all security data stores, bringing together existing query support for Azure Data Explorer and searching across Azure Data Lake, as well as a broad set of data stores, including multi-cloud.


Beyond search, we are announcing general availability of Log Analytics workspace data export. Log Analytics data export enables continuous export of Microsoft Sentinel data to Azure Data Lake, making it possible for analysts to quickly and easily leverage massive security data sets to pinpoint security hot spots, breaches, and attacks. With data export, Microsoft Sentinel customers can leverage native integration with Azure Synapse, a high scale data warehouse run on the Azure cloud and combine Microsoft Sentinel data with multi-cloud datasets for endless number of data science driven SecOps scenarios. To get started, you can use the out-of-the-box notebook templates created by Microsoft security and data scientists. As an example, leverage Azure Synapse to hunt for anomalous behaviors, such as network beaconing patterns, building custom classifiers using your asset inventory to inform incident prioritization, develop custom baselines for threat detection, and much more.  Learn more.


Data Collection + Transformation

We continue to add new capabilities to streamline the collection of data in Microsoft Sentinel, and today we are announcing important new capabilities for data collection and transformation as well as additional connectors and solutions in our Content Hub.


Expanded data collection rules allow you to transform data as it is ingested into Microsoft Sentinel using a subset of the familiar KQL query language. This enables you to extract fields and parse complex logs to align with your custom schema or our Advanced Security Information Model (ASIM), which is now built-in to Microsoft Sentinel. You can also obfuscate sensitive data for privacy and compliance, filter out unneeded fields or entire events to reduce costs, and add enrichments. Learn more about ASIM and ingestion-time transformations.


A new Codeless Connector Platform was recently released to enable partners, advanced users, and developers to create custom connectors, connect their data sources, and ingest data to Microsoft Sentinel by polling REST APIs. The Codeless Connector Platform provides support for new data connectors via ARM templates, API, or via a solution in the Microsoft Sentinel content hub.


Together these innovations are game changing for security operations teams.  Security data is the backbone of intelligence for security operations and at Microsoft we are focused on tilting the scales towards the defenders.


Ongoing Innovation

In addition to our announcing our new, expanded approach to data, we continue to innovate on core threat hunting, detection, and incident response capabilities. New capabilities in these areas include:  

  • MITRE ATT@CK Framework. We expanded current support for MITRE tactics to also include MITRE techniques, enabling security analysts to more easily hunt for threats and respond to incidents. In addition, a new tab in Microsoft Sentinel leverages the MITRE ATT&CK framework to show the current coverage of all analytic rules and templates as well as hunting queries to help you identify gaps in coverage and prioritize adding new detections. 
  • Data Sensitivity Monitoring. A new solution is now available to integrate Azure Purview with Microsoft Sentinel, allowing you to gain visibility into the sensitivity of your data and analyze classifications and labels found. This integration ingests logs from Azure Purview, which monitors a broad set of data stores within Azure as well as Amazon resources, like Amazon S3. The integration enables data classifications and labels to be used for prioritizing and enriching investigation of incidents involving sensitive data. 
  • Unified Threat Hunting Community. We are also announcing our new unified GitHub community for Microsoft SIEM and XDR, enabling SOC teams to centrally discover the latest hunting queries and analytics for Microsoft Sentinel and Microsoft Defender. Furthermore, community contributors can expand their impact to multiple products with a single contribution. 
  • Security Monitoring for SAP. We are also announcing the public preview of SAP solutions User Master Data capability. Now you can store all user records in the SAP system, including master data for user Identity and user roles, groups and profiles. This enables you to get a full picture on your SAP users, define analytic rules and create workbooks that are based on the data from your users.


Getting Started

As always, we are thrilled to help secure more businesses around the world with Microsoft Sentinel. I would like to invite you to try Microsoft Sentinel with our free trial and benefit from our offers available for you today.  To learn more please visit our web page, read our documentation or reach us on Microsoft Sentinel Tech Community


To enable Basic Logs and data transformation, sign up for public preview here.

Version history
Last update:
‎Apr 12 2022 03:19 PM
Updated by: