Azure Sentinel product updates


Changes and new features


  • Cases are now incidents: to better align with other Microsoft products, the term "cases" is changing to "incidents".


  • Incident comments: the comments feature enables customers to write multiple comments within the scope of an incident and review them under the Comments tab on the incident page.


  • We have removed the option to auto-deploy a CEF/Syslog connector VM. While convenient, we recognized that it could present a security risk: the VM was not managed by the service, and users were responsible for securing it themselves.

Blog posts




Edoardo Gerosa and Olaf Hartong presented "Sentinel ATT&CK" at DefCon. It aims to simplify rapid deployment of a threat hunting capability on Azure Sentinel that leverages Sysmon and MITRE ATT&CK. Cool stuff, and tons of out-of-the-box detections.

1 Reply
Just a little late. Noticed this during a customer demo ;)