<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>rss.livelink.threads-in-node</title>
    <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel/ct-p/microsoft-sentinel</link>
    <description>rss.livelink.threads-in-node</description>
    <pubDate>Wed, 01 Jul 2026 15:08:50 GMT</pubDate>
    <dc:creator>microsoft-sentinel</dc:creator>
    <dc:date>2026-07-01T15:08:50Z</dc:date>
    <item>
      <title>Behind the Build with Gigamon: Enriching Microsoft Sentinel with Network-Derived Telemetry</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/behind-the-build-with-gigamon-enriching-microsoft-sentinel-with/ba-p/4530360</link>
      <description>&lt;P class="lia-align-center"&gt;&lt;EM&gt;Behind the Build is an ongoing series spotlighting standout Microsoft partner collaborations. Each edition dives into the technical and strategic decisions that shape real-world integrations—highlighting engineering excellence, innovation, and the shared customer value created through partnership.&lt;/EM&gt;&lt;/P&gt;
&lt;P class="lia-align-left"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Security teams today operate across an expanding set of signals, spanning identity, endpoint, cloud and application environments. Yet many organizations still lack sufficient visibility into how systems communicate across their infrastructure, creating gaps in detection, investigation, and response.&lt;/P&gt;
&lt;P&gt;In this edition of &lt;EM&gt;Behind the Build&lt;/EM&gt;, I spoke with Srinivas Chakravarty, vice president, cloud ecosystems at Gigamon, about how Microsoft and Gigamon collaborated to bring network-derived telemetry into Microsoft Sentinel, helping customers enrich security investigations with deeper runtime context and AI-driven insights.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;The Evolution of Network Intelligence and Why It Matters&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;For more than twenty years, Gigamon has helped organizations access and operationalize network traffic across complex environments. Today, the Gigamon Deep Observability Pipeline enables organizations to extract actionable network-derived telemetry across hybrid infrastructure, encrypted traffic, containers, and modern application environments.&lt;/P&gt;
&lt;P&gt;That foundation makes the Gigamon Deep Observability Pipeline a strong complement to Microsoft Sentinel. Microsoft Sentinel brings together security telemetry from across the enterprise—including identity, endpoint, cloud, application, and network data sources—while Gigamon contributes enriched network-derived telemetry that provides additional runtime context into how systems, applications, and services communicate. Together, these signals can help organizations gain deeper insight for threat detection, investigation, and response.&lt;/P&gt;
&lt;P&gt;As Srinivas put it: “You have logs, you have metrics, you have traces, but network telemetry completes the picture.” Together, these data sources provide deeper context for threat detection, investigation, and AI-driven analysis.&lt;/P&gt;
&lt;P&gt;Gigamon and Microsoft partner to design end-to-end solutions for our shared customers, starting with how network traffic is captured, to how it is processed, and ultimately to how it is analyzed within Microsoft Sentinel. The first step in that pipeline is ensuring consistent, scalable visibility into traffic across environments.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Extending Visibility&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Gigamon has been working alongside Microsoft’s Azure virtual network TAP team to expand how customers access network traffic across Azure and hybrid environments. Customers can use the virtual network TAP (terminal access point) in Azure alongside Gigamon telemetry capabilities across on-premises, cloud, and hybrid deployments.&lt;/P&gt;
&lt;P&gt;This visibility layer is foundational to the broader architecture. The Gigamon Deep Observability Pipeline helps ensure organizations can access, optimize, and enrich network traffic before transforming it into actionable telemetry for downstream analysis in Microsoft Sentinel.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Turning Network Telemetry into Actionable Security Insights&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The integration between Gigamon and Microsoft Sentinel is designed to maximize both fidelity and operational efficiency. Gigamon’s deep packet inspection capabilities extract and enrich nearly 6,000 metadata attributes from network traffic, transforming raw packets into curated telemetry designed for downstream analysis.&lt;/P&gt;
&lt;P&gt;That telemetry is delivered into Microsoft Sentinel through a Codeless Connector Framework (CCF) push connector, where it can be correlated with identity, endpoint, and cloud telemetry. By bringing these signals together, organizations can more easily trace suspicious activity across their environments and investigate threats that span traditionally siloed domains.&lt;/P&gt;
&lt;P&gt;Rather than overwhelming analysts with raw network data, the integration prioritizes actionable metadata that can be correlated across traditionally siloed domains. “When you bring this data into Sentinel, you’re no longer analyzing it in isolation, you’re correlating it across the entire estate,” said Srinivas.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Delivering Customer Value: A Unified Investigative Experience&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;While the technical architecture is important, the ultimate measure of success is the impact on customers. By combining Gigamon’s network intelligence with Microsoft Sentinel’s analytics and AI capabilities, organizations can gain a more complete view of their environments, one that reduces fragmentation and accelerates investigation.&lt;/P&gt;
&lt;P&gt;“Customers are looking for a single investigative plane,” Srinivas explained.&lt;BR /&gt;“When you bring all of this together, you can significantly reduce the time to detect and respond.”&lt;/P&gt;
&lt;P&gt;This manifests in four key outcomes:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Accelerated investigations &lt;/STRONG&gt;through correlation across network, identity, endpoint, and cloud telemetry&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Improved signal quality &lt;/STRONG&gt;through curated, high-value network-derived metadata&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Greater operational efficiency &lt;/STRONG&gt;through a unified investigation experience in Microsoft Sentinel&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Enhanced visibility &lt;/STRONG&gt;into encrypted, East-West, and hybrid cloud traffic activity that is often difficult to analyze through logs alone&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;By addressing gaps that exist when using network or log data in isolation, the combined Gigamon and Microsoft solution can help SOC teams move more quickly from signal to action.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;From Ingestion to Insight: Building with Agentic AI&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Bringing telemetry into Microsoft Sentinel was only the first step. A major area of collaboration between Microsoft and Gigamon focused on leveraging Sentinel's AI and data platform capabilities to enable agentic workflows that can reason over enriched network-derived telemetry alongside broader security data.&lt;/P&gt;
&lt;P&gt;“It’s truly working backwards from customers,” said Srinivas. “We are driven by what customers want and we help each other out, we unblock each other at every step of the way to make these joint solutions possible.”&lt;/P&gt;
&lt;P&gt;The result is Gigamon's &lt;A href="https://securitystore.microsoft.com/solutions/gigamon-inc.gigamon-security-posture-agent" target="_blank" rel="noopener"&gt;Security Posture Insight Agent&lt;/A&gt;, which leverages Microsoft Sentinel platform capabilities to enrich investigations with deep packet-derived evidence including JA4 fingerprints, decrypted TLS metadata, and lateral-movement flows. This gives analysts faster access to runtime evidence that might otherwise require manual packet analysis and correlation across tools.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Expanding the Possibilities of the Platform&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;As the collaboration evolves, both teams see opportunities to expand the role of network-derived telemetry across emerging AI and hybrid cloud security use cases. Areas of potential exploration include AI application visibility, expanded runtime intelligence, and deeper integration between observability, security analytics, and AI-driven workflows.&lt;/P&gt;
&lt;P&gt;“The platform approach will win, especially in an AI-driven world,” said Srinivas. “It’s about ecosystems coming together.”&lt;/P&gt;
&lt;P&gt;That ecosystem mindset of bringing together best-in-class data, analytics, and AI is what enables organizations to stay ahead of increasingly complex threats.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Final Thoughts&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;This collaboration highlights what’s possible when strong engineering partnerships are grounded in customer outcomes. By combining network-derived telemetry from the Gigamon Deep Observability Pipeline with analytics and AI capabilities of Microsoft Sentinel, organizations can gain deeper runtime visibility, accelerate investigations, and improve AI-driven security operations.&lt;/P&gt;
&lt;P&gt;As the partnership continues to evolve, Microsoft and Gigamon are working together to help customers build more unified, intelligent SOC experiences across increasingly complex hybrid cloud environments.&lt;/P&gt;
&lt;P class="lia-align-left"&gt;For software companies building on Microsoft Sentinel, the Gigamon collaboration also demonstrates how partners can leverage Microsoft App Assure’s &lt;A href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/extending-app-assure%E2%80%99s-sentinel-promise-through-the-sentinel-advisory-service/4503045" target="_blank" rel="noopener"&gt;Sentinel Advisory Service&lt;/A&gt;, a no-cost program that helps partners design secure, high-performance solutions on Microsoft Sentinel while accelerating time to market. From development to deployment, App Assure ensures your solution meets Microsoft’s standards while accelerating time to market. Ready to get started building a Sentinel solution?&amp;nbsp;&lt;A href="https://aka.ms/appassurerequest" target="_blank" rel="noopener"&gt;Submit a request to App Assure.&lt;/A&gt;&lt;/P&gt;
&lt;P class="lia-align-left"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P class="lia-align-left"&gt;&amp;nbsp;&lt;U&gt;&lt;STRONG&gt;To read previous entries in our Behind the Build series, see below:&lt;/STRONG&gt;&lt;/U&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;
&lt;DIV class="lia-align-left"&gt;&lt;A class="lia-external-url" href="https://aka.ms/AppAssure_BehindtheBuild_Netskope" target="_blank"&gt;Behind the Build with Netskope: Engineering at the Edge for Strategic Impact&lt;/A&gt;&lt;/DIV&gt;
&lt;/LI&gt;
&lt;LI&gt;
&lt;DIV class="lia-align-left"&gt;&lt;A class="lia-external-url" href="https://aka.ms/AppAssure_BehindtheBuild_RSA" target="_blank"&gt;Behind the Build with RSA: Identity Resilience in the Age of AI&lt;/A&gt;&lt;/DIV&gt;
&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Tue, 30 Jun 2026 16:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/behind-the-build-with-gigamon-enriching-microsoft-sentinel-with/ba-p/4530360</guid>
      <dc:creator>Natee_Pretikul</dc:creator>
      <dc:date>2026-06-30T16:00:00Z</dc:date>
    </item>
    <item>
      <title>The AI-first SOC: Copilot, UEBA, threat intelligence, and SOC optimization</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/the-ai-first-soc-copilot-ueba-threat-intelligence-and-soc/ba-p/4528609</link>
      <description>&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN data-teams="true"&gt;Co-authored with Lizet Pena, Caroline Mutua, Alvin Kua and Marco Sudahl&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;EM&gt;The portal change was the easy part. The real upside is the operating model it unlocks—generative AI in every workflow, behavioral analytics across hybrid and multi-cloud, native threat intelligence, and SOC optimization recommendations that tell you exactly where to invest next.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;If the first five parts of this series were about what changes and how to plan for it, this part is about what you get on the other side. Microsoft Defender is the only place where Security Copilot agents, the unified UEBA experience, native MDTI convergence, and the full SOC optimization recommendation engine come together—and each one moves a needle that classic Sentinel could not move alone.&lt;/P&gt;
&lt;P&gt;None of these capabilities require a forced cutover. Most of them light up the moment a workspace is connected. The story is not “give up Sentinel for Defender”—it is “your existing investment now compounds with capabilities you did not have before.”&lt;/P&gt;
&lt;H4&gt;What this post covers&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Security Copilot: embedded experience, standalone portal, and AI agents&lt;/LI&gt;
&lt;LI&gt;UEBA: same engine, unified entity pages, new data sources, unified IdentityInfo schema&lt;/LI&gt;
&lt;LI&gt;Threat intelligence: MDTI converged natively, richer STIX data model, actor-centric investigations&lt;/LI&gt;
&lt;LI&gt;SOC optimization: from manual workbooks to personalized, cross-service recommendations&lt;/LI&gt;
&lt;LI&gt;Persona implications, common misconceptions, a do-this-week checklist, and the series wrap-up&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Security Copilot in Defender&lt;/H4&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/copilot/security/" target="_blank" rel="noopener"&gt;Microsoft Security Copilot&lt;/A&gt; is a generative AI-powered security solution. Customers can interact with Security Copilot across their Sentinel and Defender data in Defender (embedded experience and agents) and the standalone copilot portal (&lt;A href="https://securitycopilot.microsoft.com" target="_blank" rel="noopener"&gt;securitycopilot.microsoft.com&lt;/A&gt;).&lt;/P&gt;
&lt;H5&gt;Core capabilities&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;Investigate and remediate threats; incident summarization, guided step-by-step response actions, triage complex alerts into actionable summaries&lt;/LI&gt;
&lt;LI&gt;Build KQL queries and analyze scripts; natural language → KQL in advanced hunting, reverse engineer suspicious PowerShell, batch, and bash scripts&lt;/LI&gt;
&lt;LI&gt;Understand risks and manage posture; prioritized risk insights, exposure context, and threat actor intelligence from Microsoft and open source&lt;/LI&gt;
&lt;LI&gt;Develop reports for stakeholders; generate incident reports in natural language, tailored to audience tone and language&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5&gt;AI agents&lt;/H5&gt;
&lt;P&gt;Microsoft-built and partner-built agents are available through the Security Store in Defender, automating SOC tasks such as incident triage, access reviews, and vulnerability remediation. Custom agents can be built using agent builder, APIs, MCP, and Graph.&lt;/P&gt;
&lt;H5&gt;Transition considerations&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;The embedded experience of Security Copilot and agents are available in the &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/microsoft-sentinel-defender-portal" target="_blank" rel="noopener"&gt;Defender portal&lt;/A&gt; and not in the Azure portal.&lt;/LI&gt;
&lt;LI&gt;No configuration migration needed; available once licensed.&lt;/LI&gt;
&lt;LI&gt;Train SOC analysts on Security Copilot as part of Defender onboarding.&lt;/LI&gt;
&lt;/UL&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;Generative AI is not bolted on to the side of the SOC—it is embedded in the surfaces where work already happens. Triage, KQL authoring, scripted-attack analysis, and stakeholder reporting each get a copilot, and the agent marketplace means the catalog grows without you writing more code.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;UEBA: Same engine, richer surface&lt;/H4&gt;
&lt;P&gt;Most User and Entity Behavior Analytics (&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/ueba-reference" target="_blank" rel="noopener"&gt;UEBA&lt;/A&gt;) functionality carries over to Defender with minimal disruption—anomaly detection, behavioral baselines, and investigation priority scoring all continue to work. However, there are meaningful differences in how UEBA surfaces within the unified experience that analysts and engineering teams should understand before transitioning.&lt;/P&gt;
&lt;P&gt;The Microsoft Sentinel UEBA behaviors layer transforms high-volume raw security logs into structured, plain-language behavioral summaries (“who did what to whom”), adding context such as MITRE ATT&amp;amp;CK mappings and entity relationships to improve investigation clarity and efficiency.&lt;/P&gt;
&lt;P&gt;These behaviors are neutral activity summaries (not alerts), aggregating and sequencing events to help analysts detect patterns, hunt threats, and build simpler detections, ultimately speeding up investigation and response without requiring deep knowledge of underlying log sources.&lt;/P&gt;
&lt;H4&gt;What changes in Defender&lt;/H4&gt;
&lt;P&gt;The standalone entity behavior blade from the Azure portal is no longer available. Instead, UEBA insights are integrated directly into the unified entity pages under assets (accounts, hosts, mailboxes) and evidence (IPs, files, URLs). Users flagged with behavioral anomalies are automatically tagged with a “UEBA anomalies” label on the user page, showing confidence scores and anomaly counts, which makes it easier to prioritize investigation without navigating to a separate blade. Additionally, the incident graph now supports a “Go hunt” action on user entities that surfaces all related anomalies, and advanced hunting queries against UEBA-related tables display contextual banners suggesting joins with the anomalies table for richer results. In Defender, UEBA also includes the &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/entity-behaviors-layer" target="_blank" rel="noopener"&gt;behaviors layer&lt;/A&gt; described above.&lt;/P&gt;
&lt;H5&gt;New data sources (Defender only)&lt;/H5&gt;
&lt;P&gt;After transitioning, UEBA gains access to additional data sources that are not available in the Azure portal: AAD managed identity sign-in logs, AAD service principal sign-in logs, AWS CloudTrail, device logon events, Okta single sign-on, and GCP audit logs. These expand behavioral baselines beyond traditional user sign-ins to cover service principals, multi-cloud activity, and device-level logon events—a significant uplift for organizations with hybrid or multi-cloud environments.&lt;/P&gt;
&lt;H5&gt;IdentityInfo table: Two flavors, now unified&lt;/H5&gt;
&lt;P&gt;The IdentityInfo table has historically existed in two separate versions: one populated by Microsoft Defender for Identity (MDI) in advanced hunting, and another populated by Microsoft Sentinel’s UEBA engine in Log Analytics.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Important - Table-level RBAC on IdentityInfo:&amp;nbsp;&lt;/STRONG&gt;If Table-level RBAC has been delegated to the Sentinel IdentityInfo table, this permission model is not carried over to Defender. Table-level RBAC for the IdentityInfo table is not supported in the Defender portal. Review and update your workspace RBAC delegations before migrating to avoid unexpected access gaps. For details, see the&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/move-to-defender#investigate-with-ueba-in-the-defender-portal" target="_blank" rel="noopener"&gt;&lt;EM&gt;Investigate with UEBA in the Defender portal&lt;/EM&gt;&lt;/A&gt; section in the Microsoft documentation.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;After onboarding to Defender, these merge into a &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-identityinfo-table" target="_blank" rel="noopener"&gt;unified IdentityInfo table&lt;/A&gt; that includes fields from both sources. If UEBA is enabled, the UEBA-specific columns—such as BlastRadius, GroupMembership, CompanyName, DeletedDateTime, EmployeeId, OtherMailAddresses, State, and Tags—are automatically visible in the unified schema. Without UEBA enabled, these columns are not available.&lt;/P&gt;
&lt;P&gt;The key action item here is that the unified schema introduces field name differences that can break existing queries.&lt;/P&gt;
&lt;P&gt;The following table maps old field names to the new unified schema:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Log analytics field&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Unified schema field&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;AccountCloudSID&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;CloudSid&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;AccountCreationTime&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;CreatedDateTime&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;AccountSID&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;OnPremSid&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;AccountUPN&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;AccountUpn&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;AdditionalMailAddresses&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;OtherMailAddresses&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;MailAddress&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;EmailAddress&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;OnPremisesDistinguishedName&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;DistinguishedName&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;RiskState&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;RiskStatus&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;SAMAccountName&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;AccountName&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;SourceSystem&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;IdentityEnvironment&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;StreetAddress&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Address&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;UserType&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;TenantMembershipType&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Additionally, UserState and UserStateChangedOn no longer exist in the unified schema and must be removed from any queries that reference them.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Important caveat: &lt;/STRONG&gt;Existing Sentinel analytic rules and workbooks that query IdentityInfo via the log analytics API continue to hit the Sentinel table in log analytics—they are not automatically redirected to the advanced hunting table. However, any queries executed in advanced hunting in Defender use the unified table. Teams should verify both query paths during transition.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
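&lt;P&gt;The mapping above lends itself to a mechanical pre-migration check. The following Python script is an added example written for this edition, not code from the post or from Microsoft: it applies the table’s renames to KQL text using word-boundary matching (so AccountSID does not fire on AccountCloudSID), reports any reference to the removed UserState and UserStateChangedOn columns so they can be fixed by hand, and leaves queries that never touch IdentityInfo alone. The sample queries are constructed for illustration. It targets the advanced hunting query path only; per the caveat above, queries sent through the Log Analytics API still hit the Sentinel table and keep the old column names.&lt;/P&gt;

```python
import re
from dataclasses import dataclass, field

# Log Analytics IdentityInfo column -> unified advanced hunting column,
# exactly as listed in the mapping table in the post.
FIELD_MAP = {
    "AccountCloudSID": "CloudSid",
    "AccountCreationTime": "CreatedDateTime",
    "AccountSID": "OnPremSid",
    "AccountUPN": "AccountUpn",
    "AdditionalMailAddresses": "OtherMailAddresses",
    "MailAddress": "EmailAddress",
    "OnPremisesDistinguishedName": "DistinguishedName",
    "RiskState": "RiskStatus",
    "SAMAccountName": "AccountName",
    "SourceSystem": "IdentityEnvironment",
    "StreetAddress": "Address",
    "UserType": "TenantMembershipType",
}

# Columns that do not exist in the unified schema at all; references must be removed by hand.
REMOVED_FIELDS = ("UserState", "UserStateChangedOn")


@dataclass
class MigrationResult:
    query: str                                     # query text with the renames applied
    renamed: dict = field(default_factory=dict)    # old column -> new column, for columns actually seen
    removed: list = field(default_factory=list)    # removed columns still referenced after rewriting


def migrate_identityinfo_query(kql: str) -> MigrationResult:
    """Rewrite IdentityInfo column references for a query that will run in advanced hunting.

    Queries that never reference IdentityInfo are returned untouched. Matching uses
    word boundaries, so AccountSID does not match inside AccountCloudSID and
    MailAddress does not match inside AdditionalMailAddresses."""
    if not re.search(r"\bIdentityInfo\b", kql):
        return MigrationResult(kql)
    result = MigrationResult(kql)
    for old, new in FIELD_MAP.items():
        pattern = re.compile(r"\b" + old + r"\b")
        if pattern.search(result.query):
            result.query = pattern.sub(new, result.query)
            result.renamed[old] = new
    result.removed = [f for f in REMOVED_FIELDS if re.search(r"\b" + f + r"\b", result.query)]
    return result


def scan_rules(rules: dict) -> dict:
    """Run the migration over a name -> KQL mapping (for example exported analytics
    rules or workbook queries) and return only the entries that need a change."""
    report = {}
    for name, kql in rules.items():
        r = migrate_identityinfo_query(kql)
        if r.renamed or r.removed:
            report[name] = r
    return report


# Constructed sample queries for illustration; not taken from any real workspace.
SAMPLE_RULES = {
    "stale-privileged-accounts": (
        "IdentityInfo | where UserType == 'Member' and RiskState != 'none' "
        "| project AccountUPN, AccountSID, AccountCloudSID, UserState"
    ),
    "signin-only": "SigninLogs | where ResultType == 0 | project UserPrincipalName, UserType",
}

if __name__ == "__main__":
    for name, r in scan_rules(SAMPLE_RULES).items():
        print(name)
        print("  renamed:", r.renamed)
        print("  removed (fix by hand):", r.removed)
        print("  rewritten:", r.query)
```

&lt;P&gt;Review the diff before committing a rewrite. SourceSystem in particular is a column on many Log Analytics tables, so in a query that joins IdentityInfo to another table the script renames every occurrence, not only the one that belongs to IdentityInfo.&lt;/P&gt;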
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;The same UEBA engine you already trust, now embedded in entity pages where investigations actually happen, fed by additional multi-cloud and identity data sources that simply do not exist on the Azure portal side.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;Threat intelligence converged natively&lt;/H4&gt;
&lt;H5&gt;Azure portal versus Defender at a glance&lt;/H5&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Aspect&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Azure portal&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Defender&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Custom threat intelligence management&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Sentinel’s threat intelligence blade for ingesting, viewing, and managing custom indicators (IOCs). Threat intelligence analytics rule matches against data sources automatically.&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Defender’s threat intelligence blade is focused on Microsoft-curated intelligence integrated directly into the unified experience. Threat intelligence ingestion using STIX/TAXII is unchanged architecturally but is managed from the Defender UI rather than a standalone Sentinel experience. Customers can add/import their own threat intelligence using bulk file imports, or add new threat intelligence objects.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Microsoft threat intelligence&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Threat intelligence analytics rule provides high-fidelity alerts using Microsoft’s domain, IP, and URL threat indicators across CEF, Syslog, OfficeActivity, AzureActivity, DNS.&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Threat intelligence analytic rules are also present. &lt;A href="https://learn.microsoft.com/en-us/defender/threat-intelligence/what-is-microsoft-defender-threat-intelligence-defender-ti" target="_blank" rel="noopener"&gt;Microsoft Defender threat intelligence (MDTI)&lt;/A&gt; converged into a unified experience in Defender, where threat intelligence is now surfaced natively across Defender and Microsoft Sentinel through &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/threat-analytics" target="_blank" rel="noopener"&gt;threat analytics&lt;/A&gt;, investigations, and hunting workflows.&lt;/P&gt;
&lt;P&gt;Microsoft Threat Intelligence insights are embedded directly into incidents to provide enriched context and can also be accessed seamlessly through Security Copilot prompts. Security Copilot leverages Microsoft threat intelligence and non-Microsoft plugins.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H5&gt;Transition considerations&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Continue managing custom threat intelligence feeds &lt;/STRONG&gt;using Sentinel connectors and the threat intelligence experience for TAXII/STIX feeds&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Keep the threat intelligence analytics rule enabled &lt;/STRONG&gt;for automated indicator matching; resulting alerts can still flow into Defender incidents&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Use MDTI context and Security Copilot prompts &lt;/STRONG&gt;to enrich investigations&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Threat intelligence is no longer Sentinel-only&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;In Defender, threat intelligence is:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Linked to &lt;STRONG&gt;Defender incidents&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Visible in &lt;STRONG&gt;threat analytics&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Usable in &lt;STRONG&gt;cross-product hunting&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This is not possible in the Azure portal experience, which is Sentinel-scoped only.&lt;/P&gt;
&lt;H5&gt;MDTI convergence (native, not a connector)&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;MDTI is converged directly into &lt;STRONG&gt;Defender + Sentinel&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Threat actor profiles, campaigns, and IOCs surface automatically&lt;/LI&gt;
&lt;LI&gt;No separate MDTI portal or workflow is required&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This convergence does not fully materialize in the Azure portal experience.&lt;/P&gt;
&lt;H5&gt;Richer STIX data model in Defender&lt;/H5&gt;
&lt;P&gt;Defender exposes a richer STIX-based data model, including:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;ThreatIntelIndicators: the table holding indicator objects and their patterns&lt;/LI&gt;
&lt;LI&gt;ThreatIntelObjects: the table holding the other STIX objects, such as threat actors, attack patterns, identities, and the relationship objects that connect them&lt;/LI&gt;
&lt;LI&gt;Actor ↔ tool ↔ infrastructure relationships that can be followed from a matched indicator&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This enables &lt;STRONG&gt;actor-centric investigations&lt;/STRONG&gt;, not just IOC matching.&lt;/P&gt;
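&lt;P&gt;To make concrete what actor-centric investigation adds over the indicator matching that the threat intelligence analytics rule performs, here is an added Python example, written for this edition rather than taken from the post or from Microsoft, and not a description of how Defender implements it internally. It builds a small constructed STIX 2.1 bundle with a threat-actor, a tool, a piece of infrastructure, two indicators, and the relationship objects that tie them together, then does two things: plain IOC matching of observed values against indicator patterns, and a pivot from a matched indicator along its indicates relationship to the object it describes and back along uses relationships to the actor. Only single-comparison STIX patterns are parsed; compound patterns are treated as non-matching. All names, IDs and values are placeholders.&lt;/P&gt;

```python
import re
from collections import defaultdict

# Constructed STIX 2.1 bundle (placeholder data, not real intelligence): one actor that
# uses a tool and a piece of infrastructure, each with an indicator pointing at it.
# IDs follow the STIX "type--UUID" form; the UUIDs themselves are placeholders.
ACTOR_ID = "threat-actor--11111111-1111-4111-8111-111111111111"
TOOL_ID = "tool--22222222-2222-4222-8222-222222222222"
INFRA_ID = "infrastructure--33333333-3333-4333-8333-333333333333"
IND_HASH_ID = "indicator--44444444-4444-4444-8444-444444444444"
IND_IP_ID = "indicator--55555555-5555-4555-8555-555555555555"
SAMPLE_SHA256 = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"


def relationship(n, rel_type, source_ref, target_ref):
    """Helper that keeps the sample bundle short; the UUID is a placeholder."""
    return {"type": "relationship", "id": f"relationship--{n:08d}-0000-4000-8000-000000000000",
            "relationship_type": rel_type, "source_ref": source_ref, "target_ref": target_ref}


SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--66666666-6666-4666-8666-666666666666",
    "objects": [
        {"type": "threat-actor", "id": ACTOR_ID, "name": "Example Actor"},
        {"type": "tool", "id": TOOL_ID, "name": "ExampleRAT"},
        {"type": "infrastructure", "id": INFRA_ID, "name": "Example C2"},
        {"type": "indicator", "id": IND_HASH_ID, "pattern_type": "stix",
         "pattern": f"[file:hashes.'SHA-256' = '{SAMPLE_SHA256}']"},
        {"type": "indicator", "id": IND_IP_ID, "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        relationship(1, "uses", ACTOR_ID, TOOL_ID),
        relationship(2, "uses", ACTOR_ID, INFRA_ID),
        relationship(3, "indicates", IND_HASH_ID, TOOL_ID),
        relationship(4, "indicates", IND_IP_ID, INFRA_ID),
    ],
}


def parse_simple_pattern(pattern: str):
    """Parse a single-comparison STIX pattern such as "[ipv4-addr:value = '203.0.113.10']"
    into (object_path, value). Compound patterns (AND, OR, FOLLOWEDBY) are not handled
    here and yield None, which the matcher treats as "no match"."""
    m = re.fullmatch(r"\s*\[\s*([^=\s]+)\s*=\s*'([^']*)'\s*\]\s*", pattern)
    return (m.group(1), m.group(2)) if m else None


def index_bundle(bundle: dict):
    """Split a bundle into an id -> object map plus relationship adjacency lists."""
    objects = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    outgoing = defaultdict(list)   # source_ref -> [(relationship_type, target_ref)]
    incoming = defaultdict(list)   # target_ref -> [(relationship_type, source_ref)]
    for o in bundle["objects"]:
        if o["type"] == "relationship":
            outgoing[o["source_ref"]].append((o["relationship_type"], o["target_ref"]))
            incoming[o["target_ref"]].append((o["relationship_type"], o["source_ref"]))
    return objects, outgoing, incoming


def match_indicators(bundle: dict, observables) -> list:
    """Plain IOC matching: ids of indicators whose pattern equals an observed
    (object_path, value) pair, in bundle order."""
    wanted = set(observables)
    return [o["id"] for o in bundle["objects"]
            if o["type"] == "indicator" and parse_simple_pattern(o.get("pattern", "")) in wanted]


def attribute_observables(bundle: dict, observables) -> dict:
    """Actor-centric pivot: indicator --indicates--> object, then threat-actor --uses--> that
    same object. Returns {actor name: {"indicators": [...], "via": [object names]}}."""
    objects, outgoing, incoming = index_bundle(bundle)
    report = {}
    for ind_id in match_indicators(bundle, observables):
        for rel_type, target in outgoing.get(ind_id, []):
            if rel_type != "indicates":
                continue
            for rel_type2, source in incoming.get(target, []):
                actor = objects.get(source, {})
                if rel_type2 != "uses" or actor.get("type") != "threat-actor":
                    continue
                entry = report.setdefault(actor["name"], {"indicators": [], "via": []})
                if ind_id not in entry["indicators"]:
                    entry["indicators"].append(ind_id)
                via = objects.get(target, {}).get("name", target)
                if via not in entry["via"]:
                    entry["via"].append(via)
    return report


if __name__ == "__main__":
    seen = [("ipv4-addr:value", "203.0.113.10")]
    print("matched indicators:", match_indicators(SAMPLE_BUNDLE, seen))
    print("attribution:", attribute_observables(SAMPLE_BUNDLE, seen))
```

&lt;P&gt;The point of the second function is the shape of the answer: an IOC match says only that 203.0.113.10 is bad, while the pivot says which actor uses the infrastructure that address belongs to, and which other indicators of that actor’s tooling are worth hunting for next.&lt;/P&gt;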
&lt;H5&gt;Better correlation and investigation&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;Threat intelligence automatically enriches &lt;STRONG&gt;unified incidents&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Indicators connect to affected endpoints, users, mail, and cloud workloads&lt;/LI&gt;
&lt;/UL&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;Threat intelligence stops being a side-product. Microsoft-curated intelligence and your custom feeds both flow into the same incident view, surface in threat analytics, and become huntable across Defender + Sentinel—with Security Copilot in the loop for enrichment.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;SOC Optimization: From workbooks to recommendations&lt;/H4&gt;
&lt;H5&gt;Azure portal versus Defender&lt;/H5&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Portal&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;SOC optimization model&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Azure portal&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;No native SOC Optimization prior to May 2024. Customers used the MITRE ATT&amp;amp;CK coverage page (Preview) and community workbooks (Workspace Usage, Security Operations Efficiency) for manual, non-opinionated assessment&lt;/LI&gt;
&lt;LI&gt;No personalized recommendations; analysts had to interpret workbooks themselves&lt;/LI&gt;
&lt;LI&gt;Available in Azure portal (since May 2024 public preview)—same recommendation engine. However, the Azure portal provides Sentinel-only visibility and lags Defender in surfacing newer recommendation types and aggregation views, such as risk-based optimization and cross-service context&lt;/LI&gt;
&lt;LI&gt;Sunsets March 31, 2027, along with the rest of the Azure portal Sentinel UI&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Defender&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-access" target="_blank" rel="noopener"&gt;SOC optimization&lt;/A&gt; overview tile shows recent optimization activity, threat-based coverage tiers (low, medium, high), and ingestion trends&lt;/LI&gt;
&lt;LI&gt;Three GA recommendation types: data value (identify unused or low-value ingested data), threat-based coverage (close detection gaps against specific threats), and similar organizations (benchmarking)&lt;/LI&gt;
&lt;LI&gt;Preview capabilities: risk-based recommendations, AI-powered MITRE ATT&amp;amp;CK tagging, and unused columns detection&lt;/LI&gt;
&lt;LI&gt;Cross-service coverage: Unified view spans Sentinel + Defender workloads, not just Sentinel&lt;/LI&gt;
&lt;LI&gt;Recommendations API (Preview, 2024-01-01): GET/PATCH/triggerEvaluation for automation; scales for MSSPs.&lt;/LI&gt;
&lt;LI&gt;Permissions: Standard Sentinel RBAC (Reader to view, Contributor to action)&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H5&gt;Transition considerations&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Not Defender-exclusive: &lt;/STRONG&gt;Core recommendation engine runs in both portals—no functionality loss for customers who transition early&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Defender advantages: &lt;/STRONG&gt;Cross-service coverage (Sentinel + Defender), richer overview tile, and Preview-only risk-based recommendations are Defender exclusives&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Preview features evolving: &lt;/STRONG&gt;Risk-based, AI MITRE tagging, and unused columns remain in Preview—verify GA status against “What’s new in Sentinel” before relying on them&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Retire manual workbooks: &lt;/STRONG&gt;Phase out reliance on the Workspace Usage and Security Operations Efficiency workbooks; SOC optimization supersedes them with personalized, actionable recommendations&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Action tracking: &lt;/STRONG&gt;Use the recommendations API to track which optimizations your team actions over time—useful for MSSPs reporting SOC maturity to customers&lt;/LI&gt;
&lt;/UL&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;You stop guessing what to improve. The engine tells you where coverage is weak, where ingestion is wasted, and how peer organizations are configured—and it does so across Sentinel + Defender, not just one product.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;Persona implications&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Persona&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What this part means for you&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;SOC analyst&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Security Copilot in-line for triage, incident summaries, KQL drafting, and script reverse-engineering. UEBA anomalies show up on the entity page itself, not a separate blade.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Threat hunter&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Unified IdentityInfo, multi-cloud UEBA data sources, MDTI-enriched investigations, and natural-language-to-KQL all in one surface.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Detection engineer&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Update IdentityInfo field names in existing queries; verify both log analytics and advanced hunting paths during transition.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;SOC manager&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;SOC optimization gives you a personalized, cross-service action list. Retire the manual workbooks; track action rate through the recommendations API.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;MSSP operator&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;SOC optimization recommendations API scales for MSSP reporting; agents from the Security Store help automate repetitive customer-facing SOC tasks.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H4&gt;Clearing up common misconceptions&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;“Security Copilot is only available in the standalone portal.” &lt;BR /&gt;&lt;/STRONG&gt;It’s not. The embedded experience and agents are available inside Defender once licensed—no configuration migration needed.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“UEBA loses functionality after the transition.” &lt;BR /&gt;&lt;/STRONG&gt;UEBA functionality remains. Anomaly detection, baselines, and priority scoring all carry over—and you gain multi-cloud and service-principal data sources that do not exist in the Azure portal experience.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“All my IdentityInfo queries will keep working unchanged.” &lt;BR /&gt;&lt;/STRONG&gt;Partially. Sentinel analytic rules and workbooks hitting log analytics still work; Advanced hunting queries use the unified table with new field names—verify both paths during transition.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“MDTI needs a separate portal or connector.” &lt;BR /&gt;&lt;/STRONG&gt;It doesn’t. MDTI is converged natively into Defender + Sentinel—threat actor profiles, campaigns, and IOCs surface automatically.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“SOC Optimization is Defender-only.” &lt;BR /&gt;&lt;/STRONG&gt;The core engine runs in both portals. Defender adds cross-service coverage, the richer overview tile, and Preview-only recommendation types.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“Community workbooks for usage and efficiency are still the recommended path.” &lt;BR /&gt;&lt;/STRONG&gt;Not anymore. SOC optimization supersedes them with personalized, actionable recommendations—phase the manual workbooks out.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Do this week&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Enable&lt;/STRONG&gt; the embedded experience in Defender and pilot incident summarization on one active incident if you are licensed for Security Copilot&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Walk through&lt;/STRONG&gt; the SOC optimization overview tile with your manager—pick one data-value and one threat-based recommendation to action this sprint&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Inventory&lt;/STRONG&gt; queries that reference the legacy log analytics IdentityInfo fields; map them against the unified schema field-name table and prioritize updates&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Confirm&lt;/STRONG&gt; UEBA is enabled where applicable so the additional unified-schema columns light up&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Open&lt;/STRONG&gt; the Defender threat intelligence pane and verify MDTI context is surfacing on at least one current incident&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Try&lt;/STRONG&gt; one natural-language-to-KQL prompt in advanced hunting via Security Copilot—a quick “aha” for the team&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Evaluate&lt;/STRONG&gt; at least one Microsoft-built or partner-built agent from the Security Store for a high-volume repetitive task if you are an MSSP&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Closing the series&lt;/H4&gt;
&lt;P&gt;Six parts in, the picture should be clear: the Microsoft Sentinel transition to Defender is not a forced UI swap. It is the consolidation of SIEM and XDR into a single operating model—one incident queue, one detection rules view, one hunting surface, one governance plane, and a single AI-first toolchain.&lt;/P&gt;
&lt;P&gt;Everything you have built carries forward. Analytics rules continue to fire. Playbooks continue to run. Workbooks continue to render. Your Azure RBAC continues to govern. And the new capabilities—XDR correlation, custom detections, Security Copilot, the data lake, UEBA on multi-cloud, MDTI convergence, SOC optimization—are the upside you collect for making the move.&lt;/P&gt;
&lt;P&gt;March 31, 2027 sets the deadline. The adoption helper sets the starting line. Everything in between is yours to design—and this series exists so you can design it with confidence.&lt;/P&gt;
&lt;H4&gt;Read the rest of the series&lt;/H4&gt;
&lt;P&gt;Each part in this series stands alone—pick the angle that matters most to you, or read them in order.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-1" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 1 – Beyond a portal move: The strategic shift to Defender&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Why the transition matters at the architecture and program level—the executive framing, the deadline, and the analyst validation.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-2" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 2 – Anatomy of the change: Incidents, alerts, correlation, and data&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The component-level mechanics: how the XDR correlation engine replaces Fusion, why incidents are no longer alert-centric, and what changes (and doesn’t) in your data architecture.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-3" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 3 – Detection and automation, reimagined&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;How analytics rules, playbooks, workbooks, and hunting evolve—and why the toolbelt doubled, not shrank.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-4" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 4 – The governance shift: RBAC, URBAC, data lake, and MSSP&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The move from Azure RBAC to URBAC, the data lake operating model, and multi-tenant patterns.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-5" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 5 – Your readiness playbook: Adoption helper, costs, APIs, and the checklist&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;A practical plan: the Defender adoption helper, cost reality, API strategy, and the migration checklist.&lt;/P&gt;</description>
      <pubDate>Tue, 30 Jun 2026 16:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/the-ai-first-soc-copilot-ueba-threat-intelligence-and-soc/ba-p/4528609</guid>
      <dc:creator>Mohit_Kumar1</dc:creator>
      <dc:date>2026-06-30T16:00:00Z</dc:date>
    </item>
    <item>
      <title>What’s new in Microsoft Sentinel: June 2026</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-in-microsoft-sentinel-june-2026/ba-p/4531902</link>
      <description>&lt;P&gt;Welcome back to What's new in Microsoft Sentinel. In June, Sentinel SIEM’s Advanced Security Information Model (ASIM) broadens its normalization, so one analytic rule can reach more sources with less per-source work and, additionally, two new ASIM schemas can now bring asset inventory and AI agent telemetry into common form. In Microsoft Sentinel data lake, the Agent Identities Asset Connector adds the identity context behind your AI agents, helping you see who owns an agent and what permissions it holds. In Sentinel MCP, graph tools help security teams investigate threats and optimize security coverage by visualizing relationships across identities, devices, alerts, and signals in a unified graph experience.&lt;/P&gt;
&lt;P&gt;Read on for the details, and explore the resources at the end to go deeper.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Sentinel innovations:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A class="lia-internal-link" href="#community--1-SIEM" target="_blank" rel="noopener" data-lia-auto-title="Sentinel SIEM" data-lia-auto-title-active="0"&gt;Sentinel SIEM&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-internal-link" href="#community--1-Lake" target="_blank" rel="noopener" data-lia-auto-title="Sentinel data lake" data-lia-auto-title-active="0"&gt;Sentinel data lake&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-internal-link" href="#community--1-MCP" target="_blank" rel="noopener" data-lia-auto-title="Sentinel MCP" data-lia-auto-title-active="0"&gt;Sentinel MCP&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-internal-link" href="#community--1-Store" target="_blank" rel="noopener" data-lia-auto-title="Microsoft Security Store" data-lia-auto-title-active="0"&gt;Microsoft Security Store&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;&lt;a id="community--1-SIEM" class="lia-anchor"&gt;&lt;/a&gt;&lt;STRONG class="lia-linked-item"&gt;Sentinel SIEM&lt;/STRONG&gt;&lt;/H1&gt;
&lt;H4&gt;&lt;STRONG&gt;Advanced Security Information Model (ASIM) parsers and schemas [Generally available]&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;The Advanced Security Information Model (ASIM) in Sentinel normalizes logs into common schemas, so one analytic rule can cover many sources without managing each native schema. ASIM coverage has expanded across more Azure services, broader AWS CloudTrail activity, and a range of third-party firewall, identity, and proxy products, so your detections reach more of your environment with less per-source work. Two schemas also join ASIM: &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-asset" target="_blank" rel="noopener"&gt;Asset Entities&lt;/A&gt; normalizes asset inventory so you can correlate files and assets across investigations, and &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-agent" target="_blank" rel="noopener"&gt;AI Agent Events&lt;/A&gt; normalizes telemetry from AI-driven workflows and autonomous agents. Browse the &lt;A href="https://github.com/Azure/Azure-Sentinel/tree/master/Parsers" target="_blank" rel="noopener"&gt;ASIM parsers on GitHub&lt;/A&gt; to explore, file issues, or contribute. &lt;A href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/introducing-new-additions-to-microsoft-sentinel-normalization-and-asim/4524584" target="_blank" rel="noopener"&gt;Learn more in our blog.&lt;/A&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Sentinel transition to Defender blog series&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;By &lt;STRONG&gt;March 31, 2027&lt;/STRONG&gt;, all Microsoft Sentinel customers transition to Defender. This six-part series guides you through moving your Sentinel experience from the Azure portal to Defender, where SIEM, XDR, threat intelligence, AI, and automation come together in one experience. Your analytics rules, playbooks, workbooks, log analytics workspace, and access assignments all carry forward while the operational layer becomes more connected and intelligent. Starting early matters because you realize the benefits sooner, including a unified incident queue, cross-product correlation, Security Copilot, Sentinel data lake, and SOC optimization. Across the six-part blog series you get 1) the &lt;A href="https://aka.ms/usx-blog-1" target="_blank" rel="noopener"&gt;strategic shift&lt;/A&gt;, 2) the anatomy of &lt;A href="https://aka.ms/usx-blog-2" target="_blank" rel="noopener"&gt;incident and data changes&lt;/A&gt;, 3) &lt;A href="https://aka.ms/usx-blog-3" target="_blank" rel="noopener"&gt;detection and automation&lt;/A&gt;, 4) the &lt;A href="https://aka.ms/usx-blog-4" target="_blank" rel="noopener"&gt;governance shift&lt;/A&gt; across roles and access, 5) a &lt;A href="https://aka.ms/usx-blog-5" target="_blank" rel="noopener"&gt;readiness playbook&lt;/A&gt; with the adoption helper and cost guidance, and 6) a look at the &lt;A href="https://aka.ms/usx-blog-6" target="_blank" rel="noopener"&gt;AI-first SOC&lt;/A&gt;. Each part stands alone, so you can read in order or jump to what matters most to you.&lt;/P&gt;
&lt;H1&gt;&lt;a id="community--1-Lake" class="lia-anchor"&gt;&lt;/a&gt;&lt;STRONG class="lia-linked-item"&gt;Sentinel data lake&lt;/STRONG&gt;&lt;/H1&gt;
&lt;H4&gt;&lt;STRONG&gt;Agent Identities Asset Connector [Public preview]&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;The Agent Identities Asset Connector brings identity context for AI agents into Sentinel. Activity connectors like Agent 365 and Microsoft 365 Copilot already show you what AI agents do, but activity alone cannot tell you who owns an agent, what permissions it holds, or how it is governed. This connector fills that gap with four asset tables covering agent owners, agent identities, agent blueprints, and the service principals tied to those blueprints. Together they form a connected agent identity graph you can trace from owner to identity to blueprint to permissions to the resources an agent touches. Joining this asset data with activity data in Sentinel data lake lets you detect anomalous behavior relative to permissions, spot over-permissioned or misconfigured agents, and follow full execution chains for end-to-end traceability. To get started, install the Agent 365 and Microsoft 365 Copilot solutions in Content Hub and enable the asset and activity connectors. &lt;A href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/announcing-public-preview-agent-identities-asset-connector-for-microsoft-sentine/4527960" target="_blank" rel="noopener"&gt;Learn more.&lt;/A&gt;&lt;/P&gt;
&lt;H1&gt;&lt;a id="community--1-MCP" class="lia-anchor"&gt;&lt;/a&gt;&lt;STRONG class="lia-linked-item"&gt;Sentinel MCP&lt;/STRONG&gt;&lt;/H1&gt;
&lt;H4&gt;&lt;STRONG&gt;Sentinel MCP graph tools [Public preview]&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/microsoft-sentinel-mcp-server---generally-available-with-exciting-new-capabiliti/4470125" target="_blank" rel="noopener"&gt;Microsoft Security Graph MCP tools, recently introduced in the Microsoft Sentinel MCP Server data exploration collection&lt;/A&gt; helps security teams investigate threats by exploring relationships between identities and device assets, and threat and activity signals ingested by data connectors and surfaced by analytic rules. Starting from an alert, analysts can follow the exposure path across connected entities — tracing lateral movement, understanding blast radius, and identifying configuration gaps — all from a single, interactive workspace. The tool provides a clear graph view that highlights dependencies and makes it easier to understand how content interacts across your environment. This helps security teams assess coverage, optimize content deployment, and identify areas that may need tuning or additional data sources. Executing graph queries via the MCP tools will trigger the graph meter. &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-data-exploration-tool#graph-tools-preview" target="_blank" rel="noopener"&gt;Learn more&lt;/A&gt;.&lt;/P&gt;
&lt;H1&gt;&lt;a id="community--1-Store" class="lia-anchor"&gt;&lt;/a&gt;&lt;STRONG class="lia-linked-item"&gt;Microsoft Security Store&lt;/STRONG&gt;&lt;/H1&gt;
&lt;H4&gt;&lt;STRONG&gt;Partner testimonials from Adaquest and Glueckkanja&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;For partners like Adaquest and Glueckkanja, the &lt;A href="https://securitymarketplace.microsoft.com" target="_blank" rel="noopener"&gt;Microsoft Security Store&lt;/A&gt; not only helps put their years of knowledge, understanding, and best practices into a scalable, packaged solution, it also gives them the ability to democratize that expertise and take it to market globally. Security Store operationalizes their expertise as always-on defenses — discoverable, deployable, and driving real outcomes inside the tools that security teams rely on every day.&lt;/P&gt;
&lt;P&gt;See how the Security Store is helping security teams act on threats faster with the right solutions and be ready when it matters most:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Watch: &lt;A href="https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/4015150-Security-Store-Partner-Testimonials" target="_blank" rel="noopener"&gt;Adaquest unlocks faster response times for customers (testimonial) &lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Watch: &lt;A href="https://cdn-dynmedia-1.microsoft.com/is/content/microsoftcorp/4015197-Security-Store-Partner-Testimonials" target="_blank" rel="noopener"&gt;Glueckkanja builds agents with purpose (testimonial) &lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;&lt;STRONG&gt;Additional resources&lt;/STRONG&gt;&lt;/H1&gt;
&lt;P&gt;Blogs and documentation:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-process-event" target="_blank" rel="noopener"&gt;The Advanced Security Information Model (ASIM) Process Event normalization schema reference&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://www.bluevoyant.com/blog/asim-first-threat-detection-microsoft-sentinel" target="_blank" rel="noopener"&gt;How BlueVoyant's ASIM-First Strategy Simplifies Threat Detection in Microsoft Sentinel&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/migrate-sentinel-to-defender---why-it-is-a-security-architecture-decision-not-ju/4513815" target="_blank" rel="noopener"&gt;Migrate Sentinel to Defender – Why It Is a Security Architecture Decision, Not Just a Portal Change&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/unified-secops/microsoft-sentinel-onboard" target="_blank" rel="noopener"&gt;Connect Microsoft Sentinel to the Microsoft Defender portal&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/agent-365-connector-monitor-hunt-and-investigate-ai-agent-activity-in-microsoft-/4520836" target="_blank" rel="noopener"&gt;Agent 365 connector: Monitor, hunt, and investigate AI agent activity in Microsoft Sentinel&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-get-started" target="_blank" rel="noopener"&gt;Get started with Microsoft Sentinel MCP server&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Upcoming webinars and events:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;July 15–16: &lt;A href="https://msevents.microsoft.com/event?id=2760893161" target="_blank" rel="noopener"&gt;Microsoft Virtual Training Day: Predict and Defend Against Cybersecurity Threats&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;July 22: &lt;A href="https://msevents.microsoft.com/event?id=3907033170" target="_blank" rel="noopener"&gt;Microsoft Security Immersion Event: Shadow Hunter&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;July 23–24: &lt;A href="https://msevents.microsoft.com/event?id=2567286143" target="_blank" rel="noopener"&gt;Microsoft Virtual Training Day: Introduction to Microsoft Security&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;July 28: &lt;A href="https://msevents.microsoft.com/event?id=3805883258" target="_blank" rel="noopener"&gt;Tech Brief: Modernize security operations with a unified platform&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;July 29: &lt;A href="https://msevents.microsoft.com/event?id=2157689843" target="_blank" rel="noopener"&gt;Security Immersion Event: Into the Breach&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;&lt;STRONG&gt;Stay connected&lt;/STRONG&gt;&lt;/H1&gt;
&lt;P&gt;Check back each month for the latest innovations, updates, and events to ensure you’re getting the most out of &lt;A href="https://aka.ms/microsoftsentinel" target="_blank" rel="noopener"&gt;Microsoft Sentinel&lt;/A&gt;. We’ll see you in the next edition!&lt;/P&gt;</description>
      <pubDate>Tue, 30 Jun 2026 16:43:18 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-in-microsoft-sentinel-june-2026/ba-p/4531902</guid>
      <dc:creator>TomerBrand</dc:creator>
      <dc:date>2026-06-30T16:43:18Z</dc:date>
    </item>
    <item>
      <title>Your readiness playbook: adoption helper, costs, APIs, and the checklist</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/your-readiness-playbook-adoption-helper-costs-apis-and-the/ba-p/4528608</link>
      <description>&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN data-teams="true"&gt;Co-authored with Lizet Pena, Caroline Mutua, Alvin Kua and Marco Sudahl&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;EM&gt;The transition is not a project—it is a sequence of small, ordered decisions. Here is the readiness tool that scores your environment in minutes, the cost story you can take to finance, the API strategy that future-proofs your integrations, and the FAQ list that answers the questions your team is already asking.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Most transition anxiety comes from not knowing what you do not know. The Defender transition is mature enough that Microsoft has packaged the readiness work into a script, the cost work into an estimator, and the API work into a clear migration story—and the most common questions are already answered.&lt;/P&gt;
&lt;P&gt;This part is the practical playbook. It does not introduce new architecture; it gives you the levers you can pull right now to know exactly where you stand, what it will cost, what to integrate with, and how to brief the people asking questions.&lt;/P&gt;
&lt;H4&gt;What this post covers&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Defender adoption helper: a free readiness assessment with a visual dashboard&lt;/LI&gt;
&lt;LI&gt;Cost story: identical Sentinel pricing, optional new capabilities, and the new estimator&lt;/LI&gt;
&lt;LI&gt;The API strategy: SecurityInsights for workspace, Defender APIs for SOC, Graph security for the long run&lt;/LI&gt;
&lt;LI&gt;FAQ list: the five questions every stakeholder asks, answered&lt;/LI&gt;
&lt;LI&gt;Persona implications, common misconceptions, and a do-this-week checklist&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Defender adoption helper&lt;/H4&gt;
&lt;H5&gt;Overview&lt;/H5&gt;
&lt;P&gt;The &lt;A href="https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Sentinel-Defender-Helper-Script" target="_blank" rel="noopener"&gt;Sentinel-Defender-helper-script&lt;/A&gt; is a PowerShell-based assessment tool designed to evaluate the readiness of Microsoft Sentinel workspaces before onboarding them into Microsoft Defender. It automates the discovery of potential compatibility issues, configuration gaps, and behavioral changes that organizations should address prior to the transition. The tool generates a structured CSV output that feeds an interactive HTML dashboard, providing security teams with a clear, visual summary of findings and actionable recommendations.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Important: &lt;/STRONG&gt;This script is not an official Microsoft product or supported solution. No Microsoft Customer Services &amp;amp; Support (CSS) ticket can be raised for issues related to this tool, and bug fixing is not guaranteed beyond the author's willingness to maintain it. No rights can be derived from this solution—incorrect or missing information generated by this script may lead to customer production disruption. Test it before using it in a production environment.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H5&gt;How it works&lt;/H5&gt;
&lt;P&gt;The tool operates in three phases:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Authentication&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;The operator authenticates against Microsoft Entra ID using one of two supported modes. In user mode, the script initiates an interactive device code flow through the browser, leveraging the well-known Azure PowerShell first-party client ID — no app registration is required. In app mode, a pre-configured service principal with a client secret is used for unattended execution. In both cases, the account must hold the Microsoft Sentinel Reader role on each target workspace.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Analysis&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;For each workspace defined in the sentinelEnvironments.json configuration file, the script calls the Azure Resource Manager REST APIs to inspect five areas:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Defender data &lt;/STRONG&gt;–&lt;STRONG&gt; &lt;/STRONG&gt;Queries the retention settings of 21 Defender tables (e.g., DeviceInfo, EmailEvents, IdentityLogonEvents). Tables with default 30-day retention do not need separate ingestion into Sentinel, whereas tables with extended retention (e.g., 730 days) must continue to be stored in the log analytics workspace.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Analytics rules &lt;/STRONG&gt;–&lt;STRONG&gt; &lt;/STRONG&gt;Examines every analytics rule for conditions that may cause issues after onboarding: Fusion engine enablement (Fusion is automatically disabled post-transition), rules that do not generate incidents (alerts become invisible in Defender), incident reopening settings (not supported in Defender—new incidents are created instead), custom alert grouping (overridden by the Defender XDR correlation engine), and Microsoft incident creation rules (deactivated after onboarding). Disabled rules are flagged as informational only.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Automation rules &lt;/STRONG&gt;–&lt;STRONG&gt; &lt;/STRONG&gt;Inspects automation rule triggers and conditions for deprecated or incompatible patterns: use of incident title instead of analytics rule name, use of incident provider instead of alert product name, dependencies on Fusion-generated incidents, reliance on the description field (removed from SecurityIncident after onboarding), the Updated By = Microsoft 365 Defender value (which becomes Other), and alert-based triggers (which will only fire for Sentinel-originated alerts post-transition).&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Data lake region &lt;/STRONG&gt;–&lt;STRONG&gt; &lt;/STRONG&gt;Verifies whether the workspace region supports the data lake (Auxiliary tier) capability, checking against the list of currently supported Azure regions.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Table tiers &lt;/STRONG&gt;–&lt;STRONG&gt; &lt;/STRONG&gt;Enumerates all tables in the workspace and flags those using the basic tier, which must be converted to analytics or auxiliary before onboarding. Tables already on the auxiliary tier are noted as future data lake tables.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Output&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;All findings are collected into a flat CSV file (results.csv) with a consistent schema containing the row type (env, check, or score), workspace name, section, severity status, a human-readable message, and an optional sub-item identifier for grouping (e.g., the rule name). Per-section scores and a final readiness percentage are calculated automatically. The data lake checks are reported separately and do not affect the final readiness score.&lt;/P&gt;
&lt;H5&gt;Severity classification&lt;/H5&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Status&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Meaning&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Ok&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;No action required—the configuration is compatible with Defender.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Warning&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Requires attention before onboarding—the configuration will cause a behavioral change or loss of functionality.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Informational&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;No action required and does not block migration (e.g., tables with default retention, disabled rules). Counts as passed in the final score.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H5&gt;Analyzing the findings&lt;/H5&gt;
&lt;P&gt;The generated CSV is loaded into the accompanying HTML dashboard (dashboard.html), which provides:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;A multi-workspace overview with readiness scores and pie charts for each environment&lt;/LI&gt;
&lt;LI&gt;Per-workspace detail panels that break down findings by section (Defender data, analytics, automation, data lake region, table tiers)&lt;/LI&gt;
&lt;LI&gt;Multi-select filters to isolate Ok (Passed), Warning, or Informational findings&lt;/LI&gt;
&lt;LI&gt;Grouped rule views—analytics and automation rules are grouped by name, with individual sub-checks shown underneath&lt;/LI&gt;
&lt;LI&gt;Items overview cards summarizing the count and distribution of findings per section&lt;/LI&gt;
&lt;LI&gt;Export to PDF—either per workspace or across all environments at once&lt;/LI&gt;
&lt;LI&gt;Direct Azure portal links for each section, allowing operators to navigate directly to the relevant blade&lt;/LI&gt;
&lt;LI&gt;A built-in knowledge base with recommendations mapped to official Microsoft documentation&lt;/LI&gt;
&lt;LI&gt;A multitenant guidance tab covering access models (GDAP, Azure Lighthouse, B2B collaboration), MSSP best practices, and known limitations&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5&gt;Project contents&lt;/H5&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;File&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Description&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;DefenderAdoptionHelper.ps1&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Main PowerShell script that performs the assessment via Azure REST APIs and generates the CSV output&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;dashboard.html&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Self-contained interactive HTML dashboard that visualizes the CSV findings&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;sentinelEnvironments.json&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Configuration file listing the Sentinel workspaces (subscription ID, resource group, workspace name) to be analyzed&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;results.csv&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Generated output file consumed by the dashboard&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;You go from “I think we are ready” to a percentage score and a list of named items in under an hour—with a knowledge base that links each finding to documentation. The hardest part of any migration is no longer the hardest part.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;Cost story&lt;/H4&gt;
&lt;H5&gt;Cost model&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;The &lt;A href="https://www.microsoft.com/en-us/security/pricing/microsoft-sentinel/" target="_blank" rel="noopener"&gt;Microsoft Sentinel pricing&lt;/A&gt; remains the same for analytics tier data. The cost advantage of Defender comes from &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/billing" target="_blank" rel="noopener"&gt;flexible billing&lt;/A&gt; and features (data lake, graph, MCP) that don’t exist in the Azure portal.&lt;/LI&gt;
&lt;LI&gt;Use the new &lt;A href="https://www.microsoft.com/en-us/security/pricing/microsoft-sentinel/cost-estimator" target="_blank" rel="noopener"&gt;Sentinel cost estimator&lt;/A&gt; to analyze your data ingestion and retention cost.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Sentinel data lake can introduce variable cost, but in most environments, it reduces overall cost meaningfully—by letting you keep long-tail data in a cheaper tier instead of paying analytics-tier rates for data you rarely query.&lt;/P&gt;
&lt;H5&gt;Reference SKU table&lt;/H5&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;SKU&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Meter type&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Price&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Data lake ingestion&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Data processed (GB)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;$0.05 USD&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Data processing&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Data processed (GB)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;$0.1 USD&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Data lake query&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Data analyzed (GB)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;$0.005 USD&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Advanced data insights&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;1 compute hour&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;$0.15 USD&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Data lake storage&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Data stored (GB/month)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;$0.026 USD&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Graph&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;1 compute hour&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;$3 USD&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;Same analytics tier price, plus new tiers and capabilities that let you do things you simply could not do before. Run the estimator before you guess—most teams find the data lake reduces total spend once long-retention data is moved off the analytics tier.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;The API strategy&lt;/H4&gt;
&lt;P&gt;The SecurityInsights API remains operational, but its coverage is scoped to &lt;STRONG&gt;Sentinel-specific resources and data&lt;/STRONG&gt;. It does not surface &lt;STRONG&gt;Defender XDR incidents, Advanced Hunting data, or unified SecOps capabilities&lt;/STRONG&gt;, meaning integrations built on it will lack access to the core unified experience.&lt;/P&gt;
&lt;P&gt;Organizations relying on the SecurityInsights API should plan to migrate to the Microsoft Graph Security API as soon as possible. The Graph API provides unified coverage across Defender XDR incidents, Advanced Hunting, cases, and all emerging SecOps capabilities—areas the legacy Sentinel-only API does not expose. Migrating now reduces integration debt as Sentinel capabilities continue to consolidate into the unified Defender portal.&lt;/P&gt;
&lt;H5&gt;Common tasks&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Create/update a Sentinel incident (workspace object): &lt;/STRONG&gt;&lt;A href="https://learn.microsoft.com/en-us/rest/api/securityinsights/" target="_blank" rel="noopener"&gt;SecurityInsights incidents&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;List/manage Sentinel analytics rules: &lt;/STRONG&gt;SecurityInsights alert rules&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Integrate with unified incidents: &lt;/STRONG&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-xdr/api-overview" target="_blank" rel="noopener"&gt;Defender incidents API&lt;/A&gt; and &lt;A href="https://learn.microsoft.com/en-us/graph/api/resources/security-api-overview" target="_blank" rel="noopener"&gt;Graph security incidents&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Run Defender hunting programmatically: &lt;/STRONG&gt;&lt;A href="https://learn.microsoft.com/graph/api/security-security-runhuntingquery" target="_blank" rel="noopener"&gt;Graph security runHuntingQuery&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5&gt;Sentinel versus Defender versus Microsoft Graph security&lt;/H5&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Dimension&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Microsoft Sentinel REST API (SecurityInsights)&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Microsoft Defender APIs&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Microsoft Graph security API&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;API surface&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Azure resource manager (ARM) API under Microsoft.SecurityInsights&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Product-specific REST APIs (/api/*) for Defender&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Unified Microsoft Graph endpoint (/security/*)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Primary purpose&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Workspace configuration and SIEM/SOAR management&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Operational SOC actions in Defender&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Unified security operations and automation across products&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Typical usage&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Infrastructure and content lifecycle management&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Incident, alert, and detection operations&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Cross-solution incident, alert, hunting, and threat intelligence integration&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Scope of data&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Sentinel-only (workspace-scoped)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Defender detections and signals&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Aggregated signals across Defender + Sentinel&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Incidents access&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Sentinel incidents (Azure portal model)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Defender incident model&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Unified incident model (Defender + Sentinel)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Alerts access&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Analytic rule-generated alerts&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Defender alerts&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Unified alerts across providers&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Detection management&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Yes (analytic rules; automation rules)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Yes (custom detection rules)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;No (read/act; no rule authoring)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Hunting&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Yes (KQL via log analytics)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Yes (Advanced hunting)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Yes (Advanced hunting through runHuntingQuery)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Threat intelligence (IOCs)&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Yes (TI CRUD; TAXII/STIX)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Limited&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Yes (unified threat intelligence submission and investigation)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Automation and SOAR&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Yes (logic apps playbooks; automation rules)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Limited native automation&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Yes (event-driven workflows via Graph + logic apps)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Authentication and permissions&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Azure RBAC + Entra ID&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Entra app permissions (Defender scopes)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Entra app permissions (Graph; unified RBAC)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Portal alignment&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Azure portal (legacy Sentinel UX)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Microsoft Defender&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Microsoft Defender&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Multitenant/MSSP&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Azure-subscription centric&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Supported&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Best fit through Graph + GDAP / MTO models&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Strategic direction&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Configuration and management API&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Product API (still supported)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Strategic, long-term unified API&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;col style="width: 25.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H5&gt;Microsoft Graph security API – Overview&lt;/H5&gt;
&lt;P&gt;The &lt;A href="https://learn.microsoft.com/en-us/graph/api/resources/security-api-overview" target="_blank" rel="noopener"&gt;Microsoft Graph security API&lt;/A&gt; provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners; it federates queries to onboarded security providers and aggregates responses.&lt;/P&gt;
&lt;P&gt;What you use it for (common SOC/platform scenarios):&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Consolidate and correlate security alerts from multiple sources&lt;/LI&gt;
&lt;LI&gt;Pull and investigate incidents and alerts from services that are part of or integrated with Microsoft Defender&lt;/LI&gt;
&lt;LI&gt;Automate security tasks/workflows/reporting and send threat indicators (where applicable) into Microsoft products&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5&gt;Advanced hunting through Graph (high-value capability)&lt;/H5&gt;
&lt;P&gt;Graph security supports advanced hunting through &lt;A href="https://learn.microsoft.com/graph/api/security-security-runhuntingquery" target="_blank" rel="noopener"&gt;runHuntingQuery&lt;/A&gt;, allowing you to run KQL on Microsoft 365 Defender advanced hunting tables and use results to enrich investigations.&lt;/P&gt;
&lt;H5&gt;Quotas/limits to keep in mind&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;Queries generally explore up to the past 30 days of data&lt;/LI&gt;
&lt;LI&gt;Results can return up to 100,000 rows&lt;/LI&gt;
&lt;LI&gt;You can make at least ~45 calls/min/tenant (varies by tenant size); requests can be throttled with HTTP 429 when resources are exhausted&lt;/LI&gt;
&lt;LI&gt;If a request runs longer than 3 minutes, it times out&lt;/LI&gt;
&lt;LI&gt;Query output has an overall 50 MB size limit&lt;/LI&gt;
&lt;/UL&gt;
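&lt;P&gt;An added example, not Microsoft SDK code, of a runHuntingQuery caller that treats the quotas above as a contract: it honours the Retry-After header on HTTP 429 throttling, bounds the request at the 3-minute server timeout, and refuses result sets that reach the 100,000-row cap instead of working from truncated data. The injectable transport and the scripted fake responses are constructed so the retry path runs offline; acquiring the bearer token is assumed to happen elsewhere.&lt;/P&gt;

```python
"""Thin client for the Microsoft Graph security runHuntingQuery action that
respects the quotas listed above: honour Retry-After on HTTP 429 throttling,
bound the request to the 3-minute server timeout, and refuse results that hit
the 100,000-row cap. Example code written for this article, not Microsoft's
SDK; the transport injection and the scripted fake responses are constructed
so the retry path can be exercised offline."""
import json
import time
import urllib.error
import urllib.request

GRAPH_HUNT_URL = "https://graph.microsoft.com/v1.0/security/runHuntingQuery"
MAX_ROWS = 100_000          # documented result cap
SERVER_TIMEOUT_S = 180      # requests longer than 3 minutes time out server-side
DEFAULT_RETRY_AFTER_S = 2   # fallback when a 429 carries no Retry-After header


class HuntingError(RuntimeError):
    """Raised for throttling exhaustion, non-200 replies, or capped results."""


def header(headers, name):
    """Case-insensitive header lookup (transports may differ in casing)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def urllib_transport(url, body, headers, timeout):
    """Real transport: POST JSON and return (status, headers, body_text)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode()


def run_hunting_query(token, kql, transport=urllib_transport, max_retries=5,
                      sleep=time.sleep):
    """POST a KQL query (needs the ThreatHunting.Read.All permission) and
    return its rows.

    Retries on 429 using Retry-After, fails fast on any other error, and raises
    when the result set reaches the row cap so callers narrow the query rather
    than work from silently truncated data."""
    headers = {"Authorization": "Bearer " + token,
               "Content-Type": "application/json"}
    body = json.dumps({"Query": kql}).encode()
    for attempt in range(max_retries + 1):
        status, resp_headers, text = transport(GRAPH_HUNT_URL, body, headers,
                                               SERVER_TIMEOUT_S)
        if status == 429:
            if attempt == max_retries:
                raise HuntingError("still throttled after %d retries" % max_retries)
            wait = header(resp_headers, "Retry-After") or DEFAULT_RETRY_AFTER_S
            sleep(float(wait))
            continue
        if status != 200:
            raise HuntingError("runHuntingQuery failed: HTTP %d %s" % (status, text[:200]))
        rows = json.loads(text).get("results", [])
        if len(rows) >= MAX_ROWS:
            raise HuntingError("result reached the %d-row cap; narrow the query" % MAX_ROWS)
        return rows
    raise HuntingError("unreachable")  # the loop always returns or raises


def make_fake_transport(responses):
    """Constructed transport replaying scripted (status, headers, body) tuples."""
    queue = list(responses)

    def fake(url, body, headers, timeout):
        return queue.pop(0)
    return fake


if __name__ == "__main__":
    # Offline demo: one throttled reply, then a small result set.
    demo = make_fake_transport([
        (429, {"Retry-After": "1"}, ""),
        (200, {}, '{"results": [{"DeviceName": "ws01"}, {"DeviceName": "ws02"}]}'),
    ])
    print(run_hunting_query("PLACEHOLDER_TOKEN", "DeviceInfo | take 2",
                            transport=demo, sleep=lambda seconds: None))
```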
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;You do not have to rewrite anything urgently. Keep using SecurityInsights for Sentinel workspace work, layer Defender APIs for operational SOC actions, and treat Microsoft Graph security as the strategic direction for anything new—a single endpoint that already federates across products.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;FAQ list: Questions every stakeholder asks&lt;/H4&gt;
&lt;P&gt;&lt;STRONG&gt;“Is this transition mandatory?”&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Yes, but you have time. After March 31, 2027, Microsoft Sentinel will no longer be supported in the Azure portal and will be available only in Microsoft Defender. All customers will be redirected to Defender for Sentinel security operations.&lt;/P&gt;
&lt;P&gt;However, starting your transition now is strongly recommended to immediately access exclusive capabilities like Security Copilot, Sentinel data lake, and SOC optimization—features only available in Defender.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;“Do I need to migrate my workspace?”&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Workspace migration is not required. This is a common misconception. Your Sentinel workspace, log analytics workspace, and all data remain in their current Azure location. The transition is simply connecting your existing workspace to Defender for management.&lt;/P&gt;
&lt;P&gt;Nothing about your data storage, retention, or access changes. You are not moving data—you are adding a new portal interface to the same underlying workspace.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;“Will my costs change?”&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;There isn’t a cost change from the portal transition itself. Your Microsoft Sentinel pricing and billing model remains identical regardless of which portal you use. Data ingestion costs, commitment tiers, and log analytics charges all stay the same.&lt;/P&gt;
&lt;P&gt;The only new potential costs are optional features available exclusively in Defender:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Security Copilot: Requires separate licensing if you want AI-powered investigation assistance&lt;/LI&gt;
&lt;LI&gt;Sentinel data lake: Only incurs charges if you enable long-term retention beyond the standard 90-day analytics tier&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Standard Sentinel operations (data connectors, analytics rules, automation, hunting) have zero cost change from transitioning.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;“Can I still use Azure portal?”&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Yes, until March 31, 2027. During the transition period, you can use both portals simultaneously:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Azure portal &lt;/STRONG&gt;for configuration management (data connectors, analytics rules, automation)&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Defender &lt;/STRONG&gt;for security operations (incidents, hunting, investigations)&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Many organizations adopt a hybrid approach during transition: security analysts work primarily in Defender for day-to-day operations, while SOC engineers use the Azure portal for configuration and rule development.&lt;/P&gt;
&lt;P&gt;After the March 2027 deadline, Sentinel security operations will only be available in Defender. However, the underlying Azure infrastructure (log analytics workspace, logic apps for playbooks) will remain accessible through the Azure portal for resource management.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;“What if I use multiple workspaces?”&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Multiple workspaces are fully supported. Defender has robust multi-workspace capabilities:&lt;/P&gt;
&lt;P&gt;How it works:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Connect all your Sentinel workspaces to Defender (one-time setup per workspace)&lt;/LI&gt;
&lt;LI&gt;Designate a primary workspace that feeds the unified incident queue&lt;/LI&gt;
&lt;LI&gt;Use the workspace switcher in Defender to view or query other workspaces&lt;/LI&gt;
&lt;LI&gt;Advanced Hunting can query across multiple workspaces simultaneously using the workspace function&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;For MSSPs managing customer tenants:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;GDAP (granular delegated admin privileges) is now supported in Defender with MTO including Sentinel capabilities&lt;/LI&gt;
&lt;LI&gt;Azure Lighthouse continues supporting cross-tenant workspace management&lt;/LI&gt;
&lt;LI&gt;Each customer tenant’s workspaces can connect to Defender&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Considerations:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Only the primary workspace contributes to the unified incident queue&lt;/LI&gt;
&lt;LI&gt;Other workspaces are accessible for hunting, queries, and investigation but don’t merge incidents into the main queue&lt;/LI&gt;
&lt;LI&gt;This prevents overwhelming analysts with incidents from test/dev workspaces while maintaining access to all data&lt;/LI&gt;
&lt;/UL&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;Every objection your stakeholders raise has a clean, source-grounded answer—mandatory but with runway, no data move, no surprise cost, two portals during transition, and full multi-workspace support.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;Persona implications&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Persona&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What this part means for you&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;SOC manager&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Run the adoption helper across all workspaces and use the dashboard to brief leadership with a readiness score, not a hunch.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Architect&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Use the API comparison to plan your long-run integration story: SecurityInsights for workspace config, Defender APIs for SOC ops, Graph security as the strategic direction.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Finance/FinOps&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Run the Sentinel cost estimator with current ingestion and retention numbers. Model what moving long-retention data from analytics to data lake does to monthly spend.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Integration engineer&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Inventory existing SecurityInsights API consumers; decide which new integrations should be built on Graph security from the start.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Stakeholder/Sponsor&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Use the FAQ list as a one-pager for executives and security leadership—the five questions everyone asks, with grounded answers.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;Clearing up common misconceptions&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;“This is a workspace migration.” &lt;BR /&gt;&lt;/STRONG&gt;It isn’t. Your Sentinel and log analytics workspaces stay where they are—you connect them to Defender.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“Costs will go up automatically.” &lt;BR /&gt;&lt;/STRONG&gt;Analytics tier pricing is unchanged. New cost only appears if you opt into Security Copilot or enable the data lake—and the lake often reduces total cost when long-retention data moves off the analytics tier.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“My API integrations will break on day one.” &lt;BR /&gt;&lt;/STRONG&gt;SecurityInsights remains the API for Sentinel workspace operations. Defender APIs and Graph security extend the surface area—they do not replace what you have.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“I have to pick one portal.” &lt;BR /&gt;&lt;/STRONG&gt;Until March 31, 2027, both portals are supported. Most teams run a hybrid model during transition.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“My multi-workspace setup will not work.” &lt;BR /&gt;&lt;/STRONG&gt;It will. Multi-workspace is fully supported. Designate a primary for the unified queue and use the workspace switcher for the rest.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“I need an app registration to run the adoption helper.” &lt;BR /&gt;&lt;/STRONG&gt;Not required. User mode uses the well-known Azure PowerShell first-party client ID through device code flow—no App Registration required. App mode is available for unattended runs.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Do this week&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Clone&lt;/STRONG&gt; the Defender adoption helper and run it across at least one production workspace; open the dashboard and walk the findings with your SOC team.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Take&lt;/STRONG&gt; the warnings the adoption helper surfaces and create one tracking item per warning (analytics rule cleanup, automation rule cleanup, table tier conversions).&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Run&lt;/STRONG&gt; the Sentinel cost estimator with your current ingestion + retention numbers—model the lake scenario for long-retention tables.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Inventory &lt;/STRONG&gt;which systems call the SecurityInsights APIs today; for any new integration starting this quarter, default to Microsoft Graph security.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Circulate&lt;/STRONG&gt; the FAQ list (or a one-pager version of it) to executives and security leadership before they ask.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Confirm&lt;/STRONG&gt; whether your primary workspace region supports the Sentinel data lake—it determines part of the tiering plan.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Calendar&lt;/STRONG&gt; a transition kickoff for the next two weeks—the readiness work above gives you exactly the right inputs.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Continue the series&lt;/H4&gt;
&lt;P&gt;Each part in this series stands alone—pick the angle that matters most to you or read them in order.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-1" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 1 – Beyond a portal move: The strategic shift to Defender&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Why the transition matters at the architecture and program level—the executive framing, the deadline, and the analyst validation.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-2" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 2 – Anatomy of the change: Incidents, alerts, correlation, and data&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The component-level mechanics: how the XDR correlation engine replaces Fusion, why incidents are no longer alert-centric, and what changes (and doesn’t) in your data architecture.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-3" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 3 – Detection and automation, reimagined&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;How analytics rules, playbooks, workbooks, and hunting evolve—and why the toolbelt doubled, not shrank.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-4" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 4 – The governance shift: RBAC, URBAC, data lake, and MSSP&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The move from Azure RBAC to URBAC, the data lake operating model, and multitenant patterns.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-6" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 6 – The AI-first SOC: Copilot, UEBA, threat intelligence, and SOC optimization&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The destination: how Security Copilot, UEBA, threat intelligence, and SOC optimization combine into a fundamentally different operating model.&lt;/P&gt;</description>
      <pubDate>Mon, 29 Jun 2026 16:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/your-readiness-playbook-adoption-helper-costs-apis-and-the/ba-p/4528608</guid>
      <dc:creator>Mohit_Kumar1</dc:creator>
      <dc:date>2026-06-29T16:00:00Z</dc:date>
    </item>
    <item>
      <title>The governance shift: RBAC, URBAC, data lake, and MSSP</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/the-governance-shift-rbac-urbac-data-lake-and-mssp/ba-p/4528607</link>
      <description>&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN data-teams="true"&gt;Co-authored with Lizet Pena, Caroline Mutua, Alvin Kua and Marco Sudahl&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;EM&gt;Governance is the silent dependency every transition trips on. Read about how roles, data tiering, and multi-tenant operations evolve in Defender, and why each change unlocks something your old model could not.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Detection engineers debate KQL. Architects debate roles. The Defender transition is interesting because it updates both, but the governance changes are the ones that quietly determine whether your unified SOC actually works the way you designed it on the whiteboard.&lt;/P&gt;
&lt;P&gt;The good news: everything is normal on day one. Your existing Azure RBAC assignments keep functioning. Your Sentinel data stays where it is. Your MSSP delegations remain intact. What changes is what is now possible: data-scoped permissions that are not tied to a single workspace, a tiered data model that lets you keep years of history without keeping years of analytics-tier cost, and a multi-tenant view that spans up to 100 customer tenants with a single sign-in.&lt;/P&gt;
&lt;P&gt;This post walks through each governance shift, what carries forward, and what is genuinely new—from the perspective of the architect who has to sign off and the SOC lead who has to operate it.&lt;/P&gt;
&lt;H4&gt;What this post covers&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Roles and personas: who owns what after the transition&lt;/LI&gt;
&lt;LI&gt;From classic Azure RBAC to Unified RBAC (URBAC): coexistence, then convergence&lt;/LI&gt;
&lt;LI&gt;The data lake as a governance construct: tiering, retention, residency&lt;/LI&gt;
&lt;LI&gt;Multi-tenant management and the MSSP operating model&lt;/LI&gt;
&lt;LI&gt;Persona implications, common misconceptions, and a do-this-week checklist&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Roles and personas: nothing breaks on day one&lt;/H4&gt;
&lt;P&gt;Transitioning to Defender does not eliminate existing Azure RBAC assignments – all continue to function. Once &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/manage-rbac" target="_blank" rel="noopener"&gt;URBAC&lt;/A&gt; is activated, it becomes the source of permissions/authorization. The unified platform introduces a new permissions model: &lt;STRONG&gt;Microsoft Defender XDR Unified RBAC (URBAC)&lt;/STRONG&gt;, which can coexist with or replace classic Azure RBAC for Sentinel access.&lt;/P&gt;
&lt;P&gt;Once URBAC is enabled in Defender, URBAC, rather than Azure RBAC, becomes the source of permissions. The preferred approach is to migrate the classic Sentinel roles to URBAC roles after onboarding the log analytics workspaces.&lt;/P&gt;
&lt;P&gt;Before transitioning, SOC leads and identity administrators should review the full &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/roles" target="_blank" rel="noopener"&gt;role matrix and persona assignments&lt;/A&gt; and understand which personas require updated assignments. Customers can import roles using the import wizard; this way there is no need to create URBAC roles manually.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Why URBAC is the upgrade: &lt;/STRONG&gt;URBAC is data-scoped + cross-workspace, not tied to a single workspace boundary. Another benefit of migrating to URBAC is the use of Sentinel scoping with row-level RBAC. And finally, it allows you to manage all of your roles and permissions in a single holistic access management system.&lt;/P&gt;
&lt;H5&gt;Persona-by-persona view&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Security analysts &lt;/STRONG&gt;–&lt;STRONG&gt; &lt;/STRONG&gt;Triage and investigate incidents using the unified incident queue; require the Security Operator unified RBAC role. Entra global roles are not required for incident triage across Defender and Sentinel—a custom Defender unified RBAC role provides the necessary permissions with more granular scoping.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Security engineers &lt;/STRONG&gt;–&lt;STRONG&gt; &lt;/STRONG&gt;Build detections, manage content, and onboard data; require Sentinel Contributor (see mapping with URBAC). For SOAR tasks, roles such as Logic App Contributor and Microsoft Sentinel Automation Contributor can still be managed and assigned to security engineers using Azure RBAC.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;SOC managers / architects &lt;/STRONG&gt;–&lt;STRONG&gt; &lt;/STRONG&gt;Plan the RBAC strategy and map existing Azure RBAC to URBAC; govern least-privilege access across workspaces.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Automation &lt;/STRONG&gt;–&lt;STRONG&gt; &lt;/STRONG&gt;Execute playbooks and automation rules; the automation-related roles (Microsoft Sentinel Automation Contributor, Logic App Contributor, Microsoft Sentinel Playbook Operator) are not yet supported through URBAC post-transition, but can still be managed using Azure RBAC.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Service principals &lt;/STRONG&gt;–&lt;STRONG&gt; &lt;/STRONG&gt;Service principals are currently not supported in URBAC; assigning permissions to a service principal or GDAP user group is planned to go public preview soon. Do not enable URBAC if service principals are in use in Microsoft Sentinel in the Azure portal.&lt;/LI&gt;
&lt;/UL&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;Day One continuity for every existing role assignment, with a clear path to a more capable model. You choose when to flip URBAC on, the import wizard does the heavy lifting, and you get data-scoped, cross-workspace permissions you never had in classic Sentinel.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;Azure RBAC and URBAC: coexistence, then convergence&lt;/H4&gt;
&lt;P&gt;The transition does not force a permissions cutover. Sentinel permissions currently configured keep working exactly as they do today. You can also use URBAC for Sentinel permissions, ensuring you can manage your access management for Defender and Sentinel in a single holistic access management system. Once you turn URBAC on, it becomes the source of truth for permissions instead of Azure RBAC.&lt;/P&gt;
&lt;H5&gt;How they compare&lt;/H5&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Dimension&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Classic Azure RBAC (Sentinel)&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Unified RBAC (URBAC) in Defender&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Scope model&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Workspace-bound—a role grants access to one Log Analytics workspace at a time. In addition, you can configure row-level and table-level conditions.&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Workspace-bound and scoped—a role grants access to one or more Log Analytics workspaces at a time, while also providing row-level Sentinel scopes if desired.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Permissions surface&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Reader, Responder, Contributor (plus automation-specific roles like logic app Contributor, playbook Operator)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Reader, Responder, Contributor created through URBAC custom roles; classic roles map in through the import wizard&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Source of truth&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Source of permissions until URBAC is enabled&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Once enabled in Defender, URBAC becomes the source of permissions—not Azure RBAC&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Service principals&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Fully supported&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Not currently supported in URBAC—keep managing these through Azure RBAC, even when URBAC is enabled&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Automation roles&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Logic app Contributor, Microsoft Sentinel automation Contributor, playbook Operator&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Not currently supported in URBAC—keep managing these through Azure RBAC&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Row-level scoping&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Possible through log analytics row-level or table-level conditions, but this does not propagate to Sentinel experiences&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Sentinel scoping (row-level access) supported and propagates to experiences (alerts, hunting, incidents)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H5&gt;Transition considerations&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;Onboard the log analytics workspaces first, then move the classic Sentinel role assignments to URBAC&lt;/LI&gt;
&lt;LI&gt;Use the import wizard rather than re-creating URBAC roles manually—it preserves your existing assignment intent&lt;/LI&gt;
&lt;LI&gt;If you rely on service principals for any Sentinel access (CI/CD, automation, integrations), be aware that these are not yet supported in URBAC. The import wizard will detect this and will import the roles, but not assign them to service principals. If a role's assignment includes only service principals, it can't be imported. Track the URBAC roadmap and plan accordingly; this support will be available soon. You can continue to configure these in Azure RBAC for now, even when URBAC is enabled.&lt;/LI&gt;
&lt;LI&gt;Keep automation-related role assignments in Azure RBAC—they are not supported through URBAC today.&lt;/LI&gt;
&lt;LI&gt;When you enable URBAC and assign roles, they are synchronized back to Azure as well. For example, a Sentinel Reader role created in URBAC will also create the role in Azure RBAC. If you then change the role in Azure RBAC (instead of on URBAC), it can create a sync issue. Disabling and enabling the workspace on URBAC will resolve the issue. This does not affect scenarios where Azure RBAC is the only source of permissions (logic apps for example), but it is something to be aware of.&lt;/LI&gt;
&lt;LI&gt;Take advantage of &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/scoping" target="_blank" rel="noopener"&gt;row-level RBAC and cross-workspace scoping&lt;/A&gt; where you previously had to compromise.&lt;/LI&gt;
&lt;/UL&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;You get a more capable permissions model without a forced cutover. Classic roles keep working, the import wizard handles the migration, and the new data-scoped model finally matches the way modern SOCs think about access.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;Sentinel data lake as a governance construct&lt;/H4&gt;
&lt;P&gt;All data ingested into the analytics tier (log analytics workspace) is automatically mirrored into the &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-overview" target="_blank" rel="noopener"&gt;Sentinel data lake&lt;/A&gt; tier when Sentinel data lake is enabled, ensuring a single authoritative copy of security data that can be queried using KQL, notebooks, and advanced hunting tools without duplicating ingestion pipelines.&lt;/P&gt;
&lt;P&gt;Security architects should use Sentinel data lake for historical threat hunting, retroactive IOC matching, compliance retention, and AI-assisted investigations, while keeping latency-sensitive detections and alerts in the analytics tier. Use the &lt;A href="https://www.microsoft.com/en-us/security/pricing/microsoft-sentinel/cost-estimator?msockid=30bfcca2d3e36dc228aedab6d2a66c1e" target="_blank" rel="noopener"&gt;Sentinel cost estimator&lt;/A&gt; to estimate your environment’s needs and refer to the pricing table for details.&lt;/P&gt;
&lt;H5&gt;What the data lake gives you&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;Supports interactive and async KQL queries across all connected Sentinel workspaces.&lt;/LI&gt;
&lt;LI&gt;Query external data sources without moving data (Public Preview), including Microsoft Fabric, Azure Databricks, and Azure Data Lake Storage Gen2.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5&gt;Transition considerations&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;Sentinel data lake must be provisioned in the same Azure region as the primary Sentinel workspace and is not available in all regions—check the latest &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/geographical-availability-data-residency" target="_blank" rel="noopener"&gt;geographical availability and data residency&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;When Sentinel is accessed through Defender, processed and configuration data may follow Defender regional processing, which can differ from the log analytics workspace region.&lt;/LI&gt;
&lt;LI&gt;Customer-managed keys (CMKs) are not supported for data stored in the Sentinel data lake; Microsoft-managed keys are used.&lt;/LI&gt;
&lt;LI&gt;Compare the analytics tier and data lake tier when sizing your retention strategy.&lt;/LI&gt;
&lt;/UL&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Region availability note: &lt;/STRONG&gt;Sentinel data lake is not available in all Azure regions. Validate availability for your primary workspace region before planning enablement—the &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/geographical-availability-data-residency" target="_blank" rel="noopener"&gt;supported regions list&lt;/A&gt; is the authoritative reference and is updated as new regions come online.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;You finally separate “hot” detection data from “warm/cold” investigation data without rebuilding pipelines. One copy of the truth, two tiers, KQL across both—and a clear regional/governance story you can take to your data protection officer.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;Multitenant management and the MSSP operating model&lt;/H4&gt;
&lt;P&gt;MSSPs and large multitenant enterprises have always had to stitch together Lighthouse, GDAP, and per-workspace navigation. Defender does not eliminate those building blocks—but it does add a unified cross-tenant view that genuinely simplifies day-to-day operations.&lt;/P&gt;
&lt;H5&gt;Azure portal versus Defender for multitenant&lt;/H5&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Portal&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Multi-tenant model&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Azure portal&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/lighthouse/overview" target="_blank" rel="noopener"&gt;Azure Lighthouse&lt;/A&gt; for cross-tenant visibility through ARM delegation&lt;/LI&gt;
&lt;LI&gt;Multi-workspace incident view; analysts pivot between workspaces for deep investigation&lt;/LI&gt;
&lt;LI&gt;Cross-workspace KQL through workspace operator (recommended to limit up to 10 workspaces to avoid latency and timeout)&lt;/LI&gt;
&lt;LI&gt;Per-workspace Azure RBAC; no centralized cross-tenant role management&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Defender&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-xdr/mto-overview" target="_blank" rel="noopener"&gt;Multitenant management (MTO)&lt;/A&gt; unified view across up to 100 tenants with single sign-in&lt;/LI&gt;
&lt;LI&gt;Unified incident queue, cross-tenant advanced hunting (SIEM + XDR), and content distribution profiles&lt;/LI&gt;
&lt;LI&gt;Dual RBAC: Azure RBAC for data and unified RBAC (URBAC) for portal access (currently via B2B), with centralized management&lt;/LI&gt;
&lt;LI&gt;Critical: MTO does not replace Lighthouse—Lighthouse is still required to access Azure resources such as Azure policy and function apps&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/partner-center/customers/gdap-introduction" target="_blank" rel="noopener"&gt;GDAP&lt;/A&gt; for Sentinel in Public Preview&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H5&gt;Transition considerations&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Maintain Lighthouse: &lt;/STRONG&gt;Do not remove existing delegations—Lighthouse is still required to access Azure resources such as Azure policy and function apps.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;100-tenant limit: &lt;/STRONG&gt;Large MSSPs may need multiple MTO configurations or may prioritize active tenants. MSSPs can also use tenant groups to organize tenants collectively and switch the multitenant view between groups. Microsoft hasn't published a timeline for raising this ceiling—monitor the Defender XDR release notes for updates.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Tenant-boundary isolation: &lt;/STRONG&gt;The correlation engine operates within tenant boundaries—incidents are never merged across tenants.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Playbook distribution gap: &lt;/STRONG&gt;Automation rules and playbooks (logic apps) are not currently supported as distributable artifacts through MTO content distribution profiles, but logic apps hosted in the “home tenant” can run against a “target tenant” without deploying the artifact there.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5&gt;Where partners and MSSPs add value&lt;/H5&gt;
&lt;P&gt;Managed security service providers (MSSPs) and Microsoft partners bring specialized expertise in planning and executing Sentinel transitions to Defender. Partners accelerate your transition timeline, reduce operational risk, and ensure your team maximizes the value of unified security operations from Day One.&lt;/P&gt;
&lt;P&gt;Key advantages of working with a partner:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Transition expertise: &lt;/STRONG&gt;Partners have hands-on experience transitioning multiple customer environments and can anticipate challenges specific to your industry, architecture, and security maturity level.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Multi-tenant complexity: &lt;/STRONG&gt;MSSPs managing Sentinel for multiple customers can navigate enhanced GDAP delegation, Azure Lighthouse configurations, and cross-tenant workspace management.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Accelerated onboarding: &lt;/STRONG&gt;Partners provide structured onboarding programs combining technical setup, SOC analyst training, and workflow optimization to minimize time to value.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Custom automation development: &lt;/STRONG&gt;Partners can develop logic apps playbooks, custom analytics rules, and hunting queries tailored to your environment and threat landscape.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Ongoing optimization: &lt;/STRONG&gt;Post-transition, partners offer SOC optimization services leveraging the enhanced capabilities in Defender including AI-powered recommendations, cost management, and detection coverage gap analysis.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;To find Microsoft partners specialized in Sentinel and Defender, visit &lt;A href="https://partner.microsoft.com/" target="_blank" rel="noopener"&gt;partner.microsoft.com&lt;/A&gt; or consult your Microsoft account team for recommendations.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;A single cross-tenant view that does not force you to abandon what you have. Lighthouse + GDAP + MTO each do a different job, and the unified incident queue across tenants is the kind of capability MSSPs have been asking for.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;Persona implications&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Persona&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What changes for you&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;SOC analyst&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;A single Security Operator URBAC role across workspaces; the day-to-day triage experience does not require knowing which workspace an alert came from.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Security engineer&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Sentinel Contributor maps into URBAC for SIEM content; keep logic app Contributor and automation Contributor in Azure RBAC for SOAR work.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;SOC manager / architect&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;You own the URBAC migration plan, the tier-versus-lake retention strategy, and the multi-tenant access model. Use the import wizard to preserve existing intent.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Data protection officer&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The data lake adds a tier with its own residency and encryption story (Microsoft-managed keys, regional availability). Document it as part of your data flow inventory.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;MSSP operator&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Unified incident queue across up to 100 tenants; Lighthouse, GDAP, and B2B each remain in the picture but for different purposes. Plan tenant groups and content distribution profiles early.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H4&gt;Clearing up common misconceptions&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;“Turning on URBAC breaks my existing Azure RBAC assignments.” &lt;BR /&gt;&lt;/STRONG&gt;No. Classic Sentinel roles continue to function. URBAC becomes the source of permissions once enabled, and the import wizard migrates your existing assignments into it.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“I have to move my Sentinel data into the data lake.” &lt;BR /&gt;&lt;/STRONG&gt;No. Data ingested into the analytics tier is automatically mirrored into the data lake when the lake is enabled—a single authoritative copy, no duplicate ingestion.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“MTO replaces Azure Lighthouse for MSSPs.” &lt;BR /&gt;&lt;/STRONG&gt;No. MTO and Lighthouse coexist—Lighthouse is still required for Azure resource access (Azure policy, function apps); MTO provides the unified cross-tenant SOC view.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“If I enable URBAC, my logic apps playbooks break.” &lt;BR /&gt;&lt;/STRONG&gt;No. Automation-related roles (logic app Contributor, automation Contributor, playbook Operator) keep working under Azure RBAC.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“Data lake is available everywhere Sentinel is.” &lt;BR /&gt;&lt;/STRONG&gt;No. The data lake must be in the same Azure region as the primary Sentinel workspace and is not available in all regions—always check the geographical availability list before planning.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“MTO will merge incidents across tenants.” &lt;BR /&gt;&lt;/STRONG&gt;No. The correlation engine operates within tenant boundaries—incidents are never merged across tenants. MTO provides visibility and operational consistency, not cross-tenant correlation.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Do this week&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Inventory &lt;/STRONG&gt;who holds which classic Sentinel role (Reader, Responder, Contributor, Automation roles) and which identities are service principals.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Defer&lt;/STRONG&gt; URBAC enablement and document the dependency if any service principals hold Sentinel access.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Stand up&lt;/STRONG&gt; a test URBAC scope using the import wizard—validate that analyst, engineer, and architect personas see what you expect.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Confirm&lt;/STRONG&gt; your primary Sentinel workspace region is on the Sentinel data lake supported regions list.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Decide&lt;/STRONG&gt; the analytics tier versus data lake tier split: which tables you want hot for detection and which you want warm for hunting/compliance.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Map&lt;/STRONG&gt; your existing Lighthouse + GDAP footprint to the MTO model if you operate multi-tenant, and identify tenants for an initial MTO configuration (under the 100-tenant cap).&lt;/LI&gt;
&lt;LI&gt;Schedule the transition planning session now if you work with an MSSP or Microsoft partner to compress weeks of work and surface issues you would otherwise find in production.&lt;/LI&gt;
&lt;/UL&gt;
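&lt;P&gt;&lt;EM&gt;Added example, not code from this post or from Microsoft:&lt;/EM&gt; a Python readiness check that applies the transition rules above (Reader/Responder/Contributor mapped by the import wizard, automation roles staying in Azure RBAC, service principals not yet supported) to an exported role-assignment inventory. It assumes records in the shape returned by &lt;CODE&gt;az role assignment list&lt;/CODE&gt;; the inventory, principal names, subscription and scopes in it are constructed, not from a real tenant.&lt;/P&gt;

```python
"""Readiness check for moving classic Sentinel role assignments to URBAC.

Added example, not code from the blog post or from Microsoft. It consumes
role-assignment records in the shape returned by `az role assignment list`
(principalName, principalType, roleDefinitionName, scope); the inventory
below is constructed for illustration, not exported from a real tenant.
"""
from collections import defaultdict

# Classic Sentinel roles that the import wizard carries into URBAC.
URBAC_IMPORTABLE = {
    "Microsoft Sentinel Reader",
    "Microsoft Sentinel Responder",
    "Microsoft Sentinel Contributor",
}

# Automation roles not supported in URBAC today; they stay in Azure RBAC.
AZURE_RBAC_ONLY = {
    "Microsoft Sentinel Automation Contributor",
    "Microsoft Sentinel Playbook Operator",
    "Logic App Contributor",
}

# Constructed sample inventory: principals, subscription and scopes are hypothetical.
WS_PROD = ("/subscriptions/SUBSCRIPTION-ID-PLACEHOLDER/resourceGroups/rg-soc/"
           "providers/Microsoft.OperationalInsights/workspaces/ws-prod")
WS_DEV = WS_PROD.replace("ws-prod", "ws-dev")
SAMPLE_ASSIGNMENTS = [
    {"principalName": "analyst1@contoso.example", "principalType": "User",
     "roleDefinitionName": "Microsoft Sentinel Responder", "scope": WS_PROD},
    {"principalName": "soc-engineers", "principalType": "Group",
     "roleDefinitionName": "Microsoft Sentinel Contributor", "scope": WS_PROD},
    {"principalName": "sp-cicd-content", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Microsoft Sentinel Contributor", "scope": WS_PROD},
    {"principalName": "sp-ti-feed", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Microsoft Sentinel Reader", "scope": WS_DEV},
    {"principalName": "soc-engineers", "principalType": "Group",
     "roleDefinitionName": "Logic App Contributor", "scope": WS_PROD},
    {"principalName": "sp-playbook-runner", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Microsoft Sentinel Playbook Operator", "scope": WS_PROD},
]


def assess_urbac_readiness(assignments):
    """Classify classic assignments against the transition rules in the post.

    Returns a dict with these keys:
      importable           (principal, role, scope) tuples the wizard carries over
      keep_in_azure_rbac   automation-role assignments that stay in Azure RBAC
      service_principals   Sentinel data-role assignments held by service
                           principals; the wizard imports the role but does not
                           assign it to the principal
      roles_not_importable (role, scope) pairs whose only assignees are service
                           principals, which the wizard cannot import at all
      review               assignments with roles these rules do not cover
      defer_urbac          True when a service principal holds a Sentinel data
                           role, the case in which the post says to hold off
    """
    report = {"importable": [], "keep_in_azure_rbac": [], "service_principals": [],
              "roles_not_importable": [], "review": [], "defer_urbac": False}
    assignee_types = defaultdict(list)  # (role, scope) maps to principal types

    for item in assignments:
        role, ptype = item["roleDefinitionName"], item["principalType"]
        entry = (item["principalName"], role, item["scope"])
        if role in AZURE_RBAC_ONLY:
            # Automation roles stay in Azure RBAC whether or not URBAC is on.
            report["keep_in_azure_rbac"].append(entry)
        elif role in URBAC_IMPORTABLE:
            assignee_types[(role, item["scope"])].append(ptype)
            if ptype == "ServicePrincipal":
                report["service_principals"].append(entry)
                report["defer_urbac"] = True
            else:
                report["importable"].append(entry)
        else:
            report["review"].append(entry)

    # A role whose assignees are all service principals cannot be imported.
    for (role, scope), types in assignee_types.items():
        if all(t == "ServicePrincipal" for t in types):
            report["roles_not_importable"].append((role, scope))
    return report


if __name__ == "__main__":
    result = assess_urbac_readiness(SAMPLE_ASSIGNMENTS)
    for key in ("importable", "keep_in_azure_rbac", "service_principals",
                "roles_not_importable", "review"):
        print(f"{key}:")
        for entry in result[key]:
            print("  ", entry)
    print("defer URBAC enablement:", result["defer_urbac"])
```

&lt;P&gt;Run it against a real export by loading the JSON from &lt;CODE&gt;az role assignment list&lt;/CODE&gt; in place of the constructed list; a non-empty &lt;CODE&gt;roles_not_importable&lt;/CODE&gt; or &lt;CODE&gt;defer_urbac&lt;/CODE&gt; result is the dependency the checklist asks you to document.&lt;/P&gt;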
&lt;H4&gt;Continue the series&lt;/H4&gt;
&lt;P&gt;Each part of this series stands alone—pick the angle that matters most to you or read them in order.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-1" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 1 – Beyond a portal move: The strategic shift to Defender&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Why the transition matters at the architecture and program level—the executive framing, the deadline, and the analyst validation.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-2" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 2 – Anatomy of the change: Incidents, alerts, correlation, and data&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The component-level mechanics: how the XDR correlation engine replaces Fusion, why incidents are no longer alert-centric, and what changes (and doesn’t) in your data architecture.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-3" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 3 – Detection and automation, reimagined&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;How analytics rules, playbooks, workbooks, and hunting evolve—and why the toolbelt doubled rather than shrank.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-5" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 5 – Your readiness playbook: Adoption helper, costs, APIs, and the checklist&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;A practical plan: the Defender adoption helper, cost reality, API strategy, and the migration checklist.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-6" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 6 – The AI-first SOC: Copilot, UEBA, threat intelligence, and SOC optimization&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The destination: how Security Copilot, UEBA, threat intelligence, and SOC optimization combine into a fundamentally different operating model.&lt;/P&gt;</description>
      <pubDate>Thu, 25 Jun 2026 20:11:19 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/the-governance-shift-rbac-urbac-data-lake-and-mssp/ba-p/4528607</guid>
      <dc:creator>Mohit_Kumar1</dc:creator>
      <dc:date>2026-06-25T20:11:19Z</dc:date>
    </item>
    <item>
      <title>A guide to innovating threat hunting with Microsoft Sentinel custom graph</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/a-guide-to-innovating-threat-hunting-with-microsoft-sentinel/ba-p/4530287</link>
      <description>&lt;P&gt;Microsoft Sentinel platform offers a growing list of tools and features, with graph being a cornerstone capability.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/azure/sentinel/datalake/sentinel-graph-overview?tabs=defender" target="_blank" rel="noopener"&gt;Sentinel graph&lt;/A&gt; is a relationship-first method for organizing and querying data within Microsoft Sentinel data lake. Activities amongst entities (users, devices, emails, IPs, applications, etc.) become a navigable structure that avoids a complex table structure. Rather than stitching together data and evidence via complex joins, users can follow multi-hop connections in order to understand insights such as blast radius, unseen pivots in malicious behavior, and investigative details that may not be as obvious within regular logs, all while visualizing these paths to assist in communicating evidence and findings.&lt;/P&gt;
&lt;P&gt;This blog will walk through how to &lt;A href="https://learn.microsoft.com/azure/sentinel/datalake/custom-graphs-overview" target="_blank" rel="noopener"&gt;create custom graphs&lt;/A&gt; using GitHub Copilot chat experiences in Sentinel VS Code, and how to leverage out-of-the-box graph samples to build custom graphs that address security outcomes. Custom graphs are available in public preview.&lt;/P&gt;
&lt;H3&gt;Prerequisites and Tooling&lt;/H3&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/azure/sentinel/datalake/sentinel-lake-onboarding" target="_blank" rel="noopener"&gt;Sentinel data lake&lt;/A&gt; enabled in the tenant, this is where the data for the graph will be stored.&lt;/LI&gt;
&lt;LI&gt;Users will need &lt;A href="https://learn.microsoft.com/azure/sentinel/roles#microsoft-sentinel-data-lake-write-permissions" target="_blank" rel="noopener"&gt;read/write permissions&lt;/A&gt; on Sentinel data lake data. And either&lt;A href="https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#security-operator" target="_blank" rel="noopener"&gt; security operator&lt;/A&gt; or &lt;A href="https://learn.microsoft.com/entra/identity/role-based-access-control/permissions-reference#security-administrator" target="_blank" rel="noopener"&gt;security admin&lt;/A&gt; permissions to save a custom graph in the tenant.&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://code.visualstudio.com/docs/?dv=win" target="_blank" rel="noopener"&gt;Visual Studio Code (VS Code)&lt;/A&gt; will need to be installed, as it is essential for building and saving graphs.&lt;/LI&gt;
&lt;LI&gt;The Jupyter notebook extension, Microsoft Sentinel extension, and GitHub Copilot extension will need to be installed from within VS Code. These are key pieces for configuring and managing graphs.&lt;/LI&gt;
&lt;LI&gt;(Optional) &lt;A href="https://learn.microsoft.com/azure/sentinel/datalake/sentinel-mcp-overview" target="_blank" rel="noopener"&gt;Microsoft Sentinel MCP server&lt;/A&gt; if using MCP tools like the data exploration tool.&lt;/LI&gt;
&lt;/OL&gt;
&lt;H2&gt;Building a new custom graph&lt;/H2&gt;
&lt;P&gt;The starting point is within Visual Studio Code (VS Code), where the custom graph will be built via GitHub Copilot and the Sentinel graph authoring tool. Make sure to have a GitHub account logged in within VS Code, then start a chat with Copilot via &lt;STRONG&gt;&lt;EM&gt;View &amp;gt; Chat&lt;/EM&gt;&lt;/STRONG&gt;&lt;EM&gt;.&lt;/EM&gt; This will open a chat window on the right side of the screen.&lt;/P&gt;
&lt;H3&gt;Determining security telemetry for investigation&lt;/H3&gt;
&lt;P&gt;If unsure about which tables are available within the environment or the columns to focus on for hunting/investigations, turn to the Sentinel MCP server. With the &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-overview" target="_blank" rel="noopener"&gt;Sentinel MCP server&lt;/A&gt;, users can explore the threat landscape within their environment as well as see which data sources currently exist within the Sentinel data lake. This process can be done using natural language with Copilot to obtain the information needed to perform the task at hand.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;“List the most important tables within my Microsoft Sentinel data lake environment that would build a blast radius for a compromised user account. List the best columns to use for this scenario. Format the response as a table”&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;The tables and columns that can be used are now known. The next step is to use these tables to construct a custom graph with help from GitHub Copilot. For this example, a blast radius graph will be built to assist in reviewing the impact of compromised accounts within the environment:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;“List the top 5 compromised or targeted accounts within my environment. List which types of attacks are involved with those accounts. Summarize the information into a simple to read table”&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;Given this response, there are a few options for going forward:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Return to the Microsoft Defender portal and attempt threat hunting/review this with other analysts&lt;/LI&gt;
&lt;LI&gt;Ask Copilot to provide threat hunting queries or perform incident investigations for the top users who are most targeted&lt;/LI&gt;
&lt;LI&gt;Build custom graphs to visualize threat data around the most targeted accounts&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;For this example, we will use option 3.&lt;/P&gt;
&lt;H3&gt;Building graph mappings with GitHub Copilot&lt;/H3&gt;
&lt;P&gt;To begin building a custom graph from scratch, a new prompt is submitted, this time tagging the Sentinel extension’s graph authoring tool. An example of the type of prompt to use is below:&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;“@Sentinel /graph-authoring I want to investigate the blast radius of a compromised user and what systems/ app/ devices that they accessed based on users authentication activity. Please use at least SignInLogs, NonInteractivelogs, DeviceLogon, Onprem AD logs, IdentityInfo, and AADRiskyUsers.&lt;/P&gt;
&lt;P&gt;The graph should help investigate the following security outcomes:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;What is the user's current risk level and risk score from Identity Protection?&lt;/LI&gt;
&lt;LI&gt;Which applications and resources did a user authenticate to?&lt;/LI&gt;
&lt;LI&gt;Are there sign-ins from risky IP addresses, Tor exit nodes, or anonymizers?&lt;/LI&gt;
&lt;LI&gt;Are there non-interactive sign-ins from unexpected locations or devices?&lt;/LI&gt;
&lt;LI&gt;Which machines did a user log on to locally/remotely (RDP)?&lt;/LI&gt;
&lt;LI&gt;Which user accounts have been active on a compromised device?&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;A few guidelines for data ingestion:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Ensure to filter out any data that has NULL or empty values for key Nodes and Edges&lt;/LI&gt;
&lt;LI&gt;Filter all data for last 14 days&lt;/LI&gt;
&lt;LI&gt;Do not map json arrays as Keys in Nodes or Edges”&lt;/LI&gt;
&lt;/UL&gt;
&lt;/BLOCKQUOTE&gt;
&lt;P&gt;&lt;EM&gt;Note: To ensure that the graph that is written matches the desired scenario, it helps to provide outcomes or guidance to the graph authoring tool.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;If a Jupyter notebook is not already open within VS Code, Copilot will build a new notebook based on the prompt given. Once Copilot is done, select a kernel to run the notebook. This can be done from the top right of the Notebook:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Click on &lt;STRONG&gt;&lt;EM&gt;Select Kernel&lt;/EM&gt;&lt;/STRONG&gt;.&lt;/LI&gt;
&lt;LI&gt;Click on &lt;STRONG&gt;&lt;EM&gt;Microsoft Sentinel&lt;/EM&gt;&lt;/STRONG&gt;.&lt;/LI&gt;
&lt;LI&gt;Choose a pool option for the compute cluster.&lt;/LI&gt;
&lt;LI&gt;Once a pool is picked, click on the run button next to one of the code cells to boot up the compute pool (this can take up to 5 minutes).&lt;/LI&gt;
&lt;LI&gt;Once connected, users can either go through and click the run button next to each code cell to run the code, or click the &lt;STRONG&gt;&lt;EM&gt;Run All&lt;/EM&gt;&lt;/STRONG&gt; button at the top of the Notebook.&lt;/LI&gt;
&lt;/OL&gt;
&lt;img /&gt;
&lt;P&gt;For each cell in the Notebook:&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Cell 2&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;This section of the notebook imports the sentinel_graph library and configures Spark settings. This is essentially setting up the notebook environment for executing the rest of the code.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from sentinel_graph import notebook

# Pin the sentinel_graph library version the notebook was authored against
notebook.requires(sentinel_graph="0.3.8")

# Read legacy Parquet timestamps with the corrected calendar
spark.conf.set("spark.sql.parquet.datetimeRebaseModeInRead", "CORRECTED")&lt;/LI-CODE&gt;
&lt;P&gt;&lt;EM&gt;Cell 3&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;This section performs more Sentinel-specific configuration by defining which Sentinel workspace to use, which time range to use, which tables to use, etc. This defines which data sources should be considered when building the graph.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;from pyspark.sql import functions as F
from sentinel_lake.providers import MicrosoftSentinelProvider

lake_provider = MicrosoftSentinelProvider(spark=spark)

LOG_ANALYTICS_WORKSPACE = "Woodgrove-LogAnalyiticsWorkspace"  # Auto-detected from the Microsoft Sentinel extension
TARGET_USER = "ram723@int.zava-private.com"

# Time filter — 7 days for broader blast radius context
time_filter = F.col("TimeGenerated") &amp;gt;= F.expr("current_timestamp() - INTERVAL 7 DAYS")

# --- IdentityInfo: user profile, roles, group memberships, risk ---
df_identity_info = (
    lake_provider.read_table("IdentityInfo", LOG_ANALYTICS_WORKSPACE)
    .filter(time_filter)
    .filter(F.lower(F.col("AccountUPN")) == TARGET_USER.lower())
)

# --- SigninLogs: interactive sign-ins to resources ---
df_signins = (
    lake_provider.read_table("SigninLogs", LOG_ANALYTICS_WORKSPACE)
    .filter(time_filter)
    .filter(
        (F.lower(F.col("UserPrincipalName")) == TARGET_USER.lower())
        &amp;amp; (F.col("ResultType") == "0")  # successful sign-ins
    )
)&lt;/LI-CODE&gt;
&lt;P&gt;&lt;EM&gt;Cell 4&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;This section defines and builds the nodes that will be used in the graph. The definitions include what events look like, which entities are involved, and how they are considered for each node type.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;# 1. User node (the target user)
user_nodes = (
    df_identity_info
    .select(
        F.col("AccountUPN"),
        F.col("AccountDisplayName"),
        F.col("RiskLevel"),
        F.col("RiskState"),
        F.col("AssignedRoles"),
        F.col("GroupMembership"),
        F.col("BlastRadius"),
        F.col("Department"),
        F.col("JobTitle"),
        F.col("IsMFARegistered"),
        F.col("IsAccountEnabled")
    )
    .distinct()
    # Normalise the UPN so it joins cleanly with the lower-cased keys used in the edges
    .withColumn("AccountUPN", F.lower(F.col("AccountUPN")))
)&lt;/LI-CODE&gt;
&lt;P&gt;&lt;EM&gt;Cell 5&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;This section builds out the schema for the graph. The schema takes the columns and details from the tables read in cell 3 and ties them to the nodes and edges built in cell 4.&lt;/P&gt;
&lt;LI-CODE lang="python"&gt;# Build nodes first
builder = (
    GraphSpecBuilder.start()
    # === NODES ===
    .add_node("User")
    .from_dataframe(user_nodes)
    .with_columns("AccountUPN", "AccountDisplayName", "RiskLevel", "RiskState",
                  "AssignedRoles", "GroupMembership", "BlastRadius", "Department",
                  "JobTitle", "IsMFARegistered", "IsAccountEnabled",
                  key="AccountUPN", display="AccountUPN")
)

# Then add edges and finalise into a GraphSpec
# (excerpt: the Resource node and the edge_user_resource_interactive dataframe
#  are defined in notebook cells not shown here)
spec = (
    builder
    # === EDGES ===
    .add_edge("AccessedInteractive")
    .from_dataframe(edge_user_resource_interactive)
    .source(id_column="UserUPN", node_type="User")
    .target(id_column="ResourceName", node_type="Resource")
    .with_columns("AppDisplayName", "TimeGenerated", "IPAddress",
                  "ConditionalAccessStatus", "AccessType", "EdgeKey",
                  key="EdgeKey", display="AccessType")
)&lt;/LI-CODE&gt;
&lt;P&gt;&lt;EM&gt;Cell 6&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;This cell will take the schema from cell 5 and will load it into the graph visual builder. This will give a sample of what the graphs made with this Notebook will look like. These samples are fully interactive and will give an example of how it will look within the Defender portal. For example:&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;EM&gt;Please note that the Authoring Agent may provide a different looking schema if following along with this example. The schema above is just meant to provide an example of what one will look like within a Notebook.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Cell 7&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;This cell takes each of the preceding steps and compiles and builds the graph from the data in the Sentinel data lake. This may take a few minutes to complete.&lt;/P&gt;
&lt;P&gt;With the custom graph built, the next step is to create a Graph Job to save the custom graph in the tenant for persistent use. If necessary, users can go back into the notebook to refine, expand, and improve the custom graph.&lt;/P&gt;
&lt;H3&gt;Publishing graph&lt;/H3&gt;
&lt;P&gt;Publishing a graph is the process of saving the graph in a tenant, allowing for the graph to be scheduled for recurring refreshes or as needed. This process saves the graph to the tenant and enables other SOC members to access this graph from within the Defender portal.&lt;/P&gt;
&lt;P&gt;Publishing a custom graph goes through a Graph Job. This option is available within the Notebook experience as a button near the top:&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;Clicking on the&amp;nbsp;&lt;EM&gt;Create Scheduled Job &lt;/EM&gt;button will open a new tab within VS Code with the job's settings and the option to publish:&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;There are two types of job schedules:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;On Demand: Saves the custom graph to the tenant and persists it for 30 days. After 30 days, the graph is automatically deleted.&lt;/LI&gt;
&lt;LI&gt;Scheduled: Saves the custom graph to the tenant and will rebuild with new security telemetry based on a user defined schedule.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Once everything is prepped, the custom graph can be published to the tenant by hitting the &lt;EM&gt;Submit&lt;/EM&gt; button. Users can view and monitor the creation progress by finding the graph within the Sentinel extension navigation as it shows the graphs available for the environment:&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;Finding and selecting the custom graph will open a new tab that shows details about the graph. This includes the name, creation status (creating, ready, etc.), author, and publishing date.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;Near the top, there are tabs for Job Details and Graph Query. These options allow the user to review the current Graph Job, make changes to the Graph Job, or query the graph within the notebook.&lt;/P&gt;
&lt;H3&gt;Querying the graph in Defender&lt;/H3&gt;
&lt;P&gt;Once the custom graph has been published and the creation status is Ready, users can query the new graph in the Defender Portal:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Expand the &lt;EM&gt;Microsoft Sentinel &lt;/EM&gt;navigation.&lt;/LI&gt;
&lt;LI&gt;Select &lt;EM&gt;Graphs.&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;Either find the card with the graph title or search for it within the menu.&lt;img /&gt;&lt;/LI&gt;
&lt;LI&gt;Once found, click &lt;EM&gt;Query Graph&lt;/EM&gt; to open it.&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;The graph will open in the &lt;EM&gt;schema &lt;/EM&gt;view. The schema here is a visual representation of which nodes, edges, and relations are part of the graph. This is what was built in the notebook. To query it, a user can write GQL queries or use ones that are provided. For this example, a query provided in the &lt;EM&gt;Getting Started &lt;/EM&gt;tab will be used. This is a generic query that will show everything in a graph:&lt;/P&gt;
&lt;LI-CODE lang="graphql"&gt;// Visualize any graph MATCH (x)-[y]-&amp;gt;(z) RETURN * LIMIT 100&lt;/LI-CODE&gt;&lt;img /&gt;
&lt;P&gt;More focused queries will yield more focused results. For example:&lt;/P&gt;
&lt;LI-CODE lang="graphql"&gt;MATCH (n_user:User)-[e_ip:SignedInFrom]-&amp;gt;(n_ip:IPAddress) MATCH (n_user)-[e_signin:InteractiveSignIn]-&amp;gt;(n_app:Application) WHERE n_user.UserPrincipalName = 'ENTERUSERNAMHERE' AND n_ip.IPAddress = 'IPADDRESSHERE' RETURN n_user, e_ip, n_ip, e_signin, n_app&lt;/LI-CODE&gt;&lt;img /&gt;&lt;LI-CODE lang="graphql"&gt;MATCH (n_user)-[x]-&amp;gt;() MATCH (n_user)-[e_signin:InteractiveSignIn]-&amp;gt;(n_app:Application) WHERE n_user.UserPrincipalName = 'ENTERUSERNAMEHERE' RETURN *&lt;/LI-CODE&gt;&lt;img /&gt;
&lt;P&gt;From here, a user can continue the hunt, remediate the concerns, escalate this for further attention and remediation, or refine the graph as needed.&lt;/P&gt;
&lt;H3&gt;Refining Graphs&lt;/H3&gt;
&lt;P&gt;Throughout the process, the custom graph may need to be updated for various reasons, including:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;The scope of the hunt/investigation has expanded due to new information or the hypothesis being updated based on findings&lt;/LI&gt;
&lt;LI&gt;The original hypothesis of the hunt was incorrect or needs to be changed&lt;/LI&gt;
&lt;LI&gt;Important nodes are missing from the graph and need to be added&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;To achieve this, return to VS Code and use the GitHub Copilot chat experience to add new telemetry, nodes, edges, or properties in the existing graph.&lt;/P&gt;
&lt;P&gt;The below example illustrates adding Azure resources as new assets by prompting the Sentinel graph authoring tool and instructing it on what needs to be added.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;Running the cells of the Notebook will yield an updated graph that includes the new changes:&lt;/P&gt;
&lt;img /&gt;
&lt;H3&gt;Graph samples in the Sentinel VS Code extension&lt;/H3&gt;
&lt;P&gt;To help with learning, building, and using Sentinel graph, there are 5 graph samples included in the Sentinel extension within VS Code.&lt;/P&gt;
&lt;P&gt;These can be found by clicking on the Sentinel extension and looking under &lt;EM&gt;Notebook Samples &amp;gt; Graphs&lt;/EM&gt;. Each graph included contains a Jupyter notebook containing the graph schema and mappings, as well as graph queries which can be run against the graph.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;These graphs ingest certain security telemetry and expect it to already exist within the Sentinel lake instance being used. If needed, the graph mapping can be updated to include or exclude security telemetry. These graph samples are also located within the Sentinel GitHub repository.&lt;/P&gt;
&lt;P&gt;Let’s look at one of the sample graphs, Phishing Email Killchain, to understand how it can help during a security investigation.&lt;/P&gt;
&lt;H2&gt;Using a graph: phishing email kill chain scenario&lt;/H2&gt;
&lt;P&gt;Phishing is the number one initial access vector, yet investigating a phishing campaign requires correlating data across multiple Sentinel tables: EmailEvents, EmailUrlInfo, UrlClickEvents, EmailAttachmentInfo, DeviceFileEvents, and DeviceProcessEvents. Each table uses a different join key (NetworkMessageId, AccountUpn, SHA256, DeviceName), and analysts must stitch results together manually across several Defender portals.&lt;/P&gt;
&lt;P&gt;The core question every SOC analyst needs to answer is: “Who received the email, clicked the URL, downloaded the attachment, and executed it on their device?” In KQL, answering this requires 5+ sequential queries and 30–60 minutes of manual correlation. The Phishing Email Kill Chain graph fuses all of these tables into a single connected structure with 10 node types and 12 edge types, making it possible to answer that question in seconds with a single GQL traversal. SOC teams can create this graph in their tenant and start investigating phishing campaigns using graph-powered insights.&lt;/P&gt;
&lt;H3&gt;Investigation with the Phishing Email Killchain graph&lt;/H3&gt;
&lt;P&gt;&lt;STRONG&gt;Multi-hop traversal. &lt;/STRONG&gt;The full kill chain from email to endpoint execution is a 4-hop path: Email → Attachment → Process → Device. In KQL, each hop is a separate join with a different key column. In the graph, it’s one MATCH clause.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Structural detection. &lt;/STRONG&gt;Campaign topology is visible as the graph’s shape — senders fanning out to emails, emails fanning out to users, shared URLs converging into hubs. These patterns are structural properties requiring no aggregation queries.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Click-exposure overlay. &lt;/STRONG&gt;The graph overlays email delivery and URL click paths in a single view. An analyst instantly sees which users received a phishing email AND clicked the embedded URL — no separate UrlClickEvents join needed.&lt;/P&gt;
&lt;H3&gt;Example queries&lt;/H3&gt;
&lt;P&gt;Below are three queries from the published phishing_email_killchain graph that demonstrate these capabilities. Each query is a single GQL statement that replaces multiple KQL joins.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Query 1: Full Kill Chain — Email to Endpoint&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;This query traces the complete attack path: phishing email → malicious attachment → process execution → endpoint device. In KQL, this requires joining 4 tables with different keys and temporal proximity filtering.&lt;/P&gt;
&lt;LI-CODE lang="graphql"&gt;MATCH (e:Email)-[ha:HasAttachment]-&amp;gt;(att:Attachment) -[tp:TriggeredProcess]-&amp;gt;(p:Process)-[od:OnDevice]-&amp;gt;(d:Device) RETURN e, ha, att, tp, p, od, d LIMIT 10&lt;/LI-CODE&gt;&lt;img /&gt;
&lt;P&gt;&lt;EM&gt;Figure 1: Two complete kill chains — Invoice_Q3.xlsm → EXCEL.EXE → DESKTOP-FIN01 and DocuSign_Contract.pdf.exe → cmd.exe → DESKTOP-SALES02. Each path is one traversal replacing 4+ KQL joins.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Query 2: Campaign Topology — Sender to Email to User to URL&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;This query visualizes the full campaign structure: which senders sent which emails, who received them, and what URLs were embedded. The graph’s fan-out shape immediately reveals the blast radius and shared infrastructure.&lt;/P&gt;
&lt;LI-CODE lang="graphql"&gt;MATCH (s:Sender)-[se:Sent]-&amp;gt;(e:Email)-[re:ReceivedEmail]-&amp;gt;(u:User), (e)-[cu:ContainsUrl]-&amp;gt;(url:Url) RETURN s, se, e, re, u, cu, url LIMIT 10&lt;/LI-CODE&gt;&lt;img /&gt;
&lt;P&gt;&lt;EM&gt;Figure 2: Campaign topology — 2 senders, 2 emails fanning out to 9 users and 2 URLs. The shared URL node (c0ntoso-share...) receiving edges from both emails reveals coordinated campaign infrastructure.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Query 3: URL Click Exposure — Who Clicked the Phishing Links&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;This query shows which emails contained URLs and which users clicked them. The Email → URL → User click chain is a single traversal that replaces joining EmailUrlInfo with UrlClickEvents.&lt;/P&gt;
&lt;LI-CODE lang="graphql"&gt;MATCH (e:Email)-[cu:ContainsUrl]-&amp;gt;(url:Url)&amp;lt;-[cl:ClickedUrl]-(u:User) RETURN e, cu, url, cl, u LIMIT 10&lt;/LI-CODE&gt;&lt;img /&gt;
&lt;P&gt;&lt;EM&gt;Figure 3: Click exposure — 3 users clicked phishing URLs from 3 different emails. Each cluster shows Email → URL → User, instantly identifying click-through victims.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;These are just 3 examples of what is possible when using GQL on a graph. Users can author their own GQL queries to run on this graph to show other possibilities.&lt;/P&gt;
&lt;H3&gt;Additional graph samples&lt;/H3&gt;
&lt;P&gt;As mentioned, the Phishing Email Killchain graph is one of five graph samples that are available today for use within the VS Code Sentinel Extension. The remaining graphs are:&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;Behavioral Attack Chain&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Ingests data from the SentinelBehaviorInfo, SentinelBehaviorEntities, AlertInfo, AlertEvidence, ThreatIntelIndicators, and BehaviorAnalytics tables to model the relationships between different detections, MITRE tactics/techniques, entities, and threat intel, highlighting traversals that are difficult to do with KQL alone.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;EM&gt;Databricks Outbound Exfiltration&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Ingests data from the DatabricksNotebook, DatabricksSecrets, DatabricksDBFS, DatabricksClusters, DatabricksJobs, DatabricksSQLPermissions, IdentityInfo, AADUserRiskEvents, and BehaviorAnalytics tables to map Databricks notebook and cluster activity to the identities used, enabling detection of unusual outbound data movement, privilege escalation, and data exfiltration patterns.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;EM&gt;DNS C2 Beaconing&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Ingests data from the DeviceNetworkEvents, DeviceInfo, and ThreatIntelIndicators tables to model DNS resolution patterns and detect C2 beaconing and other malicious patterns.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;EM&gt;OAuth Privilege Escalation&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;Ingests data from the EntraServicePrincipals, AADRiskyServicePrincipals, and AADServicePrincipalSignInLogs tables to trace OAuth consent chains, credential abuse, and privilege escalation paths, identifying hub users, over-permissioned identities, and backdoor patterns that may exist.&lt;/P&gt;
&lt;img /&gt;
&lt;H2&gt;Closing&lt;/H2&gt;
&lt;P&gt;This blog showcased how a custom graph can be built from data in the Microsoft Sentinel data lake with the help of GitHub Copilot, how to investigate a phishing email kill chain scenario, and how to leverage the graph templates provided in Sentinel.&lt;/P&gt;
&lt;P&gt;Get started today by using one of the template graphs, building your own graph, or by checking out the public documentation for Sentinel graph.&lt;/P&gt;
&lt;P&gt;Note: Custom graph API usage for creating and querying graphs is billed according to the Sentinel graph meter.&lt;/P&gt;
&lt;P&gt;Public Documentation: &lt;A href="https://learn.microsoft.com/azure/sentinel/datalake/sentinel-graph-overview#" target="_blank" rel="noopener"&gt;https://learn.microsoft.com/azure/sentinel/datalake/sentinel-graph-overview&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;GQL Reference: &lt;A href="https://learn.microsoft.com/azure/sentinel/datalake/gql-reference-for-sentinel-custom-graph" target="_blank" rel="noopener"&gt;Graph Query Language (GQL) reference for Microsoft Sentinel graph (Preview) | Microsoft Learn&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Planning graph Costs: &lt;A href="https://learn.microsoft.com/azure/sentinel/billing?tabs=simplified%2Ccommitment-tiers#microsoft-sentinel-graph" target="_blank" rel="noopener"&gt;Plan costs and understand pricing and billing - Microsoft Sentinel | Microsoft Learn&lt;/A&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 24 Jun 2026 18:06:41 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/a-guide-to-innovating-threat-hunting-with-microsoft-sentinel/ba-p/4530287</guid>
      <dc:creator>Matt_Lowe</dc:creator>
      <dc:date>2026-06-24T18:06:41Z</dc:date>
    </item>
    <item>
      <title>Reminder: Next Tuesday 6/23 at 9AM PST we will be hosting an 'Ask Microsoft Anything' session on Tech Community for the Sentinel SIEM Migration Experience!</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel/reminder-next-tuesday-6-23-at-9am-pst-we-will-be-hosting-an-ask/m-p/4529360#M12943</link>
      <description>&lt;P&gt;&lt;STRONG&gt;&lt;SPAN data-teams="true"&gt;Join us for a live demo and AMA on the Microsoft Sentinel SIEM migration experience. We’ll show how the experience helps teams move from legacy SIEMs like Splunk and QRadar into Microsoft Sentinel with a more guided, lower-friction path. We’ll cover what it does today, how it works, and the questions customers ask most, then open it up for live Q&amp;amp;A.&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Link here: &lt;A href="https://techcommunity.microsoft.com/event/microsoft-security-events/ask-microsoft-anything-the-microsoft-sentinel-siem-migration-experience/4521635" target="_blank"&gt;Ask Microsoft Anything: The Microsoft Sentinel SIEM Migration Experience&lt;/A&gt;&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;STRONG&gt;Hope to see you there!&lt;/STRONG&gt;&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jun 2026 22:25:31 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel/reminder-next-tuesday-6-23-at-9am-pst-we-will-be-hosting-an-ask/m-p/4529360#M12943</guid>
      <dc:creator>Trevor_Rusher</dc:creator>
      <dc:date>2026-06-18T22:25:31Z</dc:date>
    </item>
    <item>
      <title>Detection and automation, reimagined</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detection-and-automation-reimagined/ba-p/4527933</link>
      <description>&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN data-teams="true"&gt;Co-authored with Lizet Pena, Caroline Mutua, Alvin Kua and Marco Sudahl&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;&lt;EM&gt;How analytics rules, playbooks, workbooks, and hunting evolve in Defender—and why the new toolbelt makes detection engineering faster, automation richer, and hunting genuinely cross-platform.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;If you build detections for a living, the move to Defender is one of the most meaningful shifts to your workflow in years—and for most teams, it’s a welcome one. Your existing analytics rules don’t disappear. Your playbooks don’t need to be rewritten. Your workbooks continue to function exactly as they do today. What changes is the scope of what you can detect, automate, and investigate from a single experience.&lt;/P&gt;
&lt;P&gt;That scope now includes endpoint, identity, email, cloud apps, and Sentinel data together—enabling analysts to query across data sources in a single KQL experience, investigate from one incident queue, and automate with richer response actions. Custom detections introduce near-real-time detections with native Defender response actions. Security Copilot can help generate playbooks from natural language prompts. Advanced hunting now spans Defender and Sentinel data together, dramatically expanding what hunters can pivot across. Conduct end-to-end threat hunting with &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/hunts" target="_blank" rel="noopener"&gt;hunts&lt;/A&gt;. The result isn’t a smaller toolset or a forced replacement of what exists today. It’s an expanded one.&lt;/P&gt;
&lt;P&gt;In this post, we’ll walk through the major shifts across detection engineering, automation, hunting, workbooks, and case management—including where existing investments carry forward unchanged, where the experience improves, and how to choose the right tool for the right scenario moving forward.&lt;/P&gt;
&lt;H4&gt;What this post covers&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Detection: analytics rules and custom detections converge into a shared experience&lt;/LI&gt;
&lt;LI&gt;Automation: playbooks are enhanced&lt;/LI&gt;
&lt;LI&gt;Workbooks: same canvas, richer investigative context&lt;/LI&gt;
&lt;LI&gt;Hunting: from Sentinel-focused hunting to cross-platform advanced hunting&lt;/LI&gt;
&lt;LI&gt;Case management: investigations finally get a durable workspace&lt;/LI&gt;
&lt;LI&gt;A quick note on watchlists&lt;/LI&gt;
&lt;LI&gt;Persona implications, common misconceptions, and a practical “do this week” checklist&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Detection: Analytics rules and custom detections converge&lt;/H4&gt;
&lt;P&gt;Detection engineering is more flexible in Defender.&lt;/P&gt;
&lt;P&gt;Teams still have access to familiar scheduled analytics rules and SIEM-style detections and now gain access to custom detections—a faster, more modern detection model designed for Defender telemetry and near-real-time response.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Sentinel rule types:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Scheduled query rules&lt;/STRONG&gt; – traditional KQL-based detections that run on a schedule&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Microsoft security rules&lt;/STRONG&gt; – Microsoft-managed detections for Defender services and other Microsoft security products&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Anomaly rules&lt;/STRONG&gt; – ML-driven behavioral detections&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Threat intelligence rules&lt;/STRONG&gt; – detections powered by indicator matching&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Custom detections&lt;/STRONG&gt; – modern detections powered by advanced hunting queries with near-real-time execution and native response actions&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;One of the biggest architectural shifts is the retirement of the Fusion analytic rule in favor of the Defender correlation engine. Instead of managing Fusion separately, analysts now benefit from correlation directly within Defender incident processing.&lt;/P&gt;
&lt;P&gt;At the same time, the rules experience becomes simpler. Defender surfaces both Sentinel analytics rules and custom detections together in a single rules view.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;What changes after onboarding to Defender&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Several important operational changes happen automatically:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Fusion is replaced by the Defender correlation engine&lt;/LI&gt;
&lt;LI&gt;Microsoft incident creation rules tied to Defender products are no longer surfaced separately&lt;/LI&gt;
&lt;LI&gt;Related alerts are consolidated into richer incidents within Defender&lt;/LI&gt;
&lt;LI&gt;Analytics rules and custom detections appear together in one experience&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This also changes how organizations should think about detections moving forward.&lt;/P&gt;
&lt;P&gt;Historically, Microsoft security alerts often flowed into Sentinel as individual security alerts generated by Microsoft products. In Defender, those alerts are correlated natively into a single incident queue, reducing duplicate incidents and simplifying investigations.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Why custom detections matter long term&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;Custom detections unlock new capabilities for detection engineering in Defender. They provide:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Faster, near-real-time streaming detections&lt;/LI&gt;
&lt;LI&gt;Built-in response actions&lt;/LI&gt;
&lt;LI&gt;Cross-platform visibility&lt;/LI&gt;
&lt;LI&gt;Cost efficiencies for Defender telemetry&lt;/LI&gt;
&lt;LI&gt;A streamlined authoring experience integrated with advanced hunting&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;As feature parity continues to improve, most organizations building new detections on Defender telemetry will likely standardize on custom detections moving forward.&lt;/P&gt;
&lt;P&gt;That doesn’t mean analytics rules disappear. They remain critical for:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Cross-vendor SIEM use cases&lt;/LI&gt;
&lt;LI&gt;Firewall and network telemetry&lt;/LI&gt;
&lt;LI&gt;OT environments&lt;/LI&gt;
&lt;LI&gt;SaaS and custom log scenarios&lt;/LI&gt;
&lt;LI&gt;Broad correlation across non-Defender sources&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The outcome is practical flexibility: your existing analytics rules and detections keep running in one rule interface that spans both worlds, so you can reach for the best engine for the data source and use case you’re solving.&lt;/P&gt;
&lt;H4&gt;What changes after Defender onboarding&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Change&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Detail&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Fusion disabled&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The advanced multistage attack detection (Fusion) rule is no longer supported. Its functions are replaced by the &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/alerts-incidents-correlation" target="_blank" rel="noopener"&gt;Defender correlation engine&lt;/A&gt;. Similar to the Fusion rule (advanced multistage attack detection), Defender correlation is also available in secondary workspaces, but only in the scope of Sentinel data in those workspaces.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Microsoft incident creation rules&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Microsoft Security alert rules are no longer displayed. In Microsoft Sentinel in the Azure portal, security alerts are individual detections generated when Sentinel or integrated Microsoft security services identify suspicious or malicious activity in your environment.&lt;/P&gt;
&lt;P&gt;When Microsoft Defender products are connected to Sentinel in the Azure portal, their alerts flow into Sentinel as security alerts.&lt;/P&gt;
&lt;P&gt;These alerts are produced by Microsoft-managed detection logic and surfaced in Sentinel for unified triage.&lt;/P&gt;
&lt;P&gt;After enabling Sentinel in Defender, analytic rules do not trigger alerts. These security alerts can be seen and queried on the SecurityAlert table. The analytic rules that previously triggered the security alerts in the Azure portal won’t be visible in Defender.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Unified rules view&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The custom detection rules blade under Advanced Hunting in Defender displays both Sentinel analytics rules and custom detections in a single view.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H4&gt;Transition considerations&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Once Fusion is automatically disabled, verify that XDR correlation is generating multi-stage incidents in Defender with alerts from several sources, and stop relying on Fusion-specific customizations or automation tied to Fusion incidents.&lt;/LI&gt;
&lt;LI&gt;The XDR Correlation engine is not limited to Defender and Sentinel data sources.&lt;/LI&gt;
&lt;LI&gt;Strengthen entity mappings (accounts, hosts, IPs) on your analytics rules to maximize correlation quality, and monitor post-transition incident volume for fewer, but richer, consolidated incidents.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;When the Defender connector is enabled in Sentinel (Azure portal), the connector automatically replaces those rules and provides two-way integration. You can still use an automation rule with the product name that generated the alert.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;Two detection models, one rules view. You don’t pick a side; instead you reach for the right tool: custom detections for Defender-native signals with near-real-time response, and analytics rules for cross-vendor SIEM use cases. The convergence is on the roadmap, not a forced cutover.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;Custom detections versus analytics rules&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Use when…&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Custom detections (Defender)&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Analytics rules (Sentinel)&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Data source&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Defender telemetry (endpoint, identity, email, cloud apps) in addition to Sentinel tables&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Non-Defender, cross-vendor, and custom logs ingested to Sentinel&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Speed/workflow&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Faster, near real-time detections with native response actions. See &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/custom-detection-rules" target="_blank" rel="noopener"&gt;custom detection rules&lt;/A&gt;.&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;SIEM detections after ingestion, automation through playbooks/automation rules&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Detection logic&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;KQL, within Defender schema limits&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;KQL with full Sentinel flexibility&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;When custom detections fit best&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Your detection is based on Defender signals (endpoint/identity/email/cloud)&lt;/LI&gt;
&lt;LI&gt;You want faster detections and built-in XDR response actions&lt;/LI&gt;
&lt;LI&gt;You operate primarily in Defender&lt;/LI&gt;
&lt;LI&gt;Recommended as the default detection across Defender and Sentinel signals&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;When Sentinel analytics rules fit best&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;You need non-Defender data (firewalls, SaaS, OT, custom logs)&lt;/LI&gt;
&lt;LI&gt;You need cross-source/cross-vendor KQL correlation in SIEM&lt;/LI&gt;
&lt;LI&gt;You’re building classic SIEM use cases&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Automation and SOAR: playbooks enhanced, not retired&lt;/H4&gt;
&lt;P&gt;In Azure Sentinel (legacy portal), &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks" target="_blank" rel="noopener"&gt;playbooks are logic apps&lt;/A&gt; that automate response actions, typically triggered by &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules" target="_blank" rel="noopener"&gt;automation rules&lt;/A&gt; on incident or alert creation. This provides robust SOAR (Security Orchestration, Automation, and Response) capabilities but requires analysts to manage playbook triggers and execution from the Azure interface.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Defender changes: &lt;/STRONG&gt;In Defender, playbook usage is enhanced and slightly redefined (see &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/automation/generate-playbook" target="_blank" rel="noopener"&gt;Generate playbooks using AI in Microsoft Sentinel | Microsoft Learn&lt;/A&gt;).&lt;/P&gt;
&lt;H4&gt;Comparison&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 833px; border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Capability&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Azure portal&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Defender&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Manual triggers&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Playbooks can be run manually on incidents, alerts, and entities from the Sentinel incident page&lt;/LI&gt;
&lt;LI&gt;Manual execution is a common way to test or perform analyst-driven remediation&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Playbooks can run manually on incidents and &lt;A class="lia-external-url" href="https://learn.microsoft.com/en-us/azure/sentinel/automation/playbook-triggers-actions" target="_blank"&gt;alerts&lt;/A&gt; surfaced in the Defender incident queue&lt;/LI&gt;
&lt;LI&gt;Manual execution remains supported, but some entity-level manual actions are increasingly handled through native Defender experiences&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Built-in response actions&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Limited native actions&lt;/LI&gt;
&lt;LI&gt;Remediation typically relies on playbooks (logic apps) to perform actions such as isolating devices, disabling users, opening ITSM tickets, or sending notifications&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Rich built-in Defender response actions available directly in the incident (e.g., device isolation, user containment, attack disruption)&lt;/LI&gt;
&lt;LI&gt;Reduces the need for custom playbooks for common containment scenarios; playbooks are used for orchestration and cross-tool workflows&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Automation rule compatibility&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Automation rules trigger playbooks on incident creation/update or alert creation&lt;/LI&gt;
&lt;LI&gt;Clear separation between Sentinel alerts and incidents&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Incident-triggered automation rules apply to unified incidents (Sentinel + Defender)&lt;/LI&gt;
&lt;LI&gt;Alert-triggered rules act only on Sentinel-origin alerts&lt;/LI&gt;
&lt;LI&gt;The “analytic rule name” condition is key to scoping rules to Sentinel-specific detections in a unified incident model&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;AI and automation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;No native Security Copilot experience&lt;/LI&gt;
&lt;LI&gt;Playbook logic is authored manually in logic apps&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Security Copilot augments investigations and response – see&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/sentinel-security-copilot" target="_blank" rel="noopener"&gt;Security Copilot with Microsoft Sentinel&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Playbook generator (preview) enables AI-assisted creation of playbooks from natural language prompts&lt;/LI&gt;
&lt;LI&gt;AI summaries and guided response reduce the need for bespoke enrichment-only playbooks&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;Key transition considerations&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Review and adjust automation rules&lt;/LI&gt;
&lt;LI&gt;Leverage built-in actions&lt;/LI&gt;
&lt;LI&gt;Playbook testing&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/automation/automation" target="_blank" rel="noopener"&gt;Slight delay in automation&lt;/A&gt; (up to ~5-10 minutes between incident creation and automation rule execution)&lt;/LI&gt;
&lt;LI&gt;Dual automation strategy&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Summary&lt;/H4&gt;
&lt;P&gt;All existing playbooks continue to run on Azure logic apps infrastructure (the playbook definition itself is not migrated). Defender surfaces these playbooks and allows triggering them, but you’ll still design and edit playbooks in the Azure portal’s logic apps designer—the available &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/playbook-triggers-actions" target="_blank" rel="noopener"&gt;playbook triggers and actions&lt;/A&gt; are unchanged. No rewrites are required, but you should adapt how and when &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/playbook-triggers-actions" target="_blank" rel="noopener"&gt;playbook triggers and actions&lt;/A&gt; are invoked to align with the new unified incident model. Playbooks remain a core part of your SOAR toolkit, and are now enhanced by on-demand usage and upcoming AI integration.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;Zero playbook migration. Your SOAR investment carries forward exactly as it is, and the new built-in Defender response actions (device isolation, user containment, attack disruption) cover the most common containment scenarios out of the box, so your custom playbooks can focus on the orchestration and cross-tool workflows that truly need them.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;Workbooks: same canvas, better surroundings&lt;/H4&gt;
&lt;P&gt;Workbooks provide &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/monitor-your-data" target="_blank" rel="noopener"&gt;interactive visualizations and dashboards&lt;/A&gt; for investigation, monitoring, and reporting across Microsoft Sentinel data. With the move to Defender, workbooks remain a core analysis asset, while the surrounding experience improves through tighter integration with unified incidents, hunting, and cross‑product visibility.&lt;/P&gt;
&lt;H4&gt;Comparison&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 837px; border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Capability&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Azure portal&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Defender&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Authoring and storage&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Workbooks are created, edited, and stored in Azure (Log Analytics/Sentinel)&lt;/LI&gt;
&lt;LI&gt;Full authoring experience available in the Azure portal&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Same workbooks and storage (no duplication)&lt;/LI&gt;
&lt;LI&gt;Authoring still primarily happens in Azure; Defender focuses on consumption and navigation&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Access and navigation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Accessed directly from Microsoft Sentinel → Workbooks&lt;/LI&gt;
&lt;LI&gt;Context switching required between Sentinel and other security tools&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Workbooks are discoverable and accessible from Defender alongside incidents and hunting&lt;/LI&gt;
&lt;LI&gt;Reduced context switching when moving from an incident to visual analysis&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Data scope and context&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Visualizes Sentinel data sources connected to the workspace&lt;/LI&gt;
&lt;LI&gt;Limited native awareness of Defender XDR-generated context&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Workbooks benefit from unified Sentinel + Defender signals available in the same investigation flow&lt;/LI&gt;
&lt;LI&gt;Better alignment with unified incidents and entities&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Incident and investigation integration&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Used as a parallel investigation aid; analysts manually correlate workbook insights with incidents&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Workbooks complement the unified incident queue, enabling faster pivoting from incidents to dashboards and hunting views&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Feature parity and enhancements&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Full feature set for workbook creation and customization&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;No functional regression&lt;/LI&gt;
&lt;LI&gt;Incremental experience improvements through unified navigation and cross-product visibility rather than workbook-specific redesign&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;Key considerations&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;No migration is required&lt;/LI&gt;
&lt;LI&gt;Azure remains the source of truth&lt;/LI&gt;
&lt;LI&gt;Stronger investigative flow&lt;/LI&gt;
&lt;LI&gt;Not replaced by Copilot&lt;/LI&gt;
&lt;LI&gt;Consistent access model&lt;/LI&gt;
&lt;LI&gt;Optional broader sharing&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Best practices&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Standardize key workbooks&lt;/LI&gt;
&lt;LI&gt;Design for pivoting&lt;/LI&gt;
&lt;LI&gt;Reuse, don’t duplicate&lt;/LI&gt;
&lt;LI&gt;Pair with hunting&lt;/LI&gt;
&lt;LI&gt;Review periodically&lt;/LI&gt;
&lt;/UL&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;Zero workbook migration. Every dashboard, every visualization, every reporting layer you’ve built keeps working and gets better surroundings: discoverable from incidents, paired with hunting, contextualized by unified entities.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;Hunting: from focused Sentinel to cross-platform advanced hunting&lt;/H4&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/hunts" target="_blank" rel="noopener"&gt;Hunting&lt;/A&gt; and &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-overview" target="_blank" rel="noopener"&gt;advanced hunting&lt;/A&gt; both support threat detection and investigation, but they differ in scope and use. Hunting in Microsoft Sentinel focuses on Sentinel logs and is best for hypothesis-driven KQL investigations within Sentinel. Retention of the data used for hunting follows Sentinel log settings. Advanced hunting in Microsoft Defender provides a unified experience across Sentinel and Defender XDR data, enabling cross-platform queries, real-time remediation, and automation. Defender data is typically retained for 30 days, with longer retention available through Sentinel data lake. In short, hunting is best for focused Sentinel investigations, while advanced hunting is built for broader, cross-platform analysis and response.&lt;/P&gt;
&lt;H4&gt;What changes&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Sentinel queries and functions become &lt;STRONG&gt;view-only in Defender&lt;/STRONG&gt; (can execute but not edit directly)&lt;/LI&gt;
&lt;LI&gt;Editing requires returning to the Azure portal during the transition period&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Major advantage: &lt;/STRONG&gt;Advanced hunting in Defender allows querying across &lt;STRONG&gt;both Sentinel tables and Defender XDR tables in a single query&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Query history shows all queries run across both data sources&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Advanced hunting benefits&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Cross-platform hunting: &lt;/STRONG&gt;Single KQL query spans endpoint (Defender for Endpoint), email (Defender for Office 365), identity (Defender for Identity), and Sentinel data sources&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Unified schema: &lt;/STRONG&gt;All tables accessible in one query editor with schema browser&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Saved Sentinel queries available: &lt;/STRONG&gt;Your existing hunting queries remain accessible&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Custom detections: &lt;/STRONG&gt;Convert hunting queries into detection rules (&lt;A href="https://learn.microsoft.com/en-us/defender-xdr/custom-detection-rules" target="_blank" rel="noopener"&gt;Defender XDR custom detections&lt;/A&gt; for Defender tables; Sentinel analytics rules for Sentinel tables)&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Comparison&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Feature&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Hunting (Sentinel)&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Advanced hunting&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Data scope&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Sentinel logs only&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Sentinel + Defender XDR&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Portal&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Sentinel&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Defender&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Retention&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Based on Sentinel settings&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;30 days (Defender), longer via Sentinel&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Actions&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Create rules/incidents&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Real-time remediation + custom detections&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Complexity&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Focused on Sentinel&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Cross-platform queries&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;One KQL query, four detection surfaces. Threat hunters now span endpoint, identity, email, cloud apps, and Sentinel in a single query—with real-time response actions one click away. Saved Sentinel queries carry forward; the canvas just got bigger.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;From incident-centric to case-centric investigation&lt;/H4&gt;
&lt;P&gt;The detection, automation, and hunting shifts we just walked through all converge on the same question: once the SOC has a richer set of incidents, cross-platform hunts, and automated containment running, where does the longer-form investigative work actually live? In the Azure portal, the incident has always been the top of the work stack—there was nowhere above it to organize a multi-week campaign investigation, a proactive hunt, or an IoC chase across many incidents. Teams reached for OneNote pages, email threads, and external tickets. Defender closes that gap with a new primitive: &lt;STRONG&gt;the case&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;Case management in Defender is a native, security-focused workspace for SecOps work that spans multiple incidents—including multi-incident campaigns, threat hunting, IoC and threat-actor tracking, and detection-tuning backlogs.&lt;/P&gt;
&lt;P&gt;Cases are only available in Defender and require a Sentinel workspace connection. See &lt;A href="https://learn.microsoft.com/en-us/unified-secops/cases-overview" target="_blank" rel="noopener"&gt;Manage security operations cases natively in Microsoft Defender&lt;/A&gt;.&lt;/P&gt;
&lt;H4&gt;Comparison&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Capability&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Azure portal&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Defender (cases)&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Multi-incident container&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Not available; incidents are the top-level work item&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Cases natively link multiple incidents and IoCs&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Workflow and status&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Fixed incident statuses (New/Active/Closed)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Customizable case statuses defined by SOC admins (defaults: New, Open, Closed)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Task tracking&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Not available&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Built-in tasks with owner, priority, due date, and status&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Collaboration&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Comments on individual incidents&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Rich-text comments, attachments (up to 10 per comment), and a full activity audit log&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Linking&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Not available&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Link cases to incidents and to threat intel indicators (preview)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Access control&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Microsoft Sentinel RBAC roles&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Microsoft Defender unified RBAC or Sentinel roles (Reader/Responder/Contributor)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H4&gt;Service limits&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;100,000 cases per tenant&lt;/LI&gt;
&lt;LI&gt;500 GB of attachments per tenant&lt;/LI&gt;
&lt;LI&gt;100 linked incidents per case&lt;/LI&gt;
&lt;LI&gt;See &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/sentinel-service-limits" target="_blank" rel="noopener"&gt;Microsoft Sentinel service limits&lt;/A&gt; for the full set of platform limits&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Transition considerations&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Develop guidelines for when analysts should create a case (e.g., multi-incident campaigns or proactive threat hunts)&lt;/LI&gt;
&lt;LI&gt;If you currently use external ticketing systems (ServiceNow, JIRA) for multi-incident tracking, determine how cases complement or integrate with them&lt;/LI&gt;
&lt;/UL&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;Investigations finally have a home above the incident. Multi-incident campaigns, hunts, and IoC chases stop living in OneNote pages and external tickets, and start living next to the security data—with their own status, tasks, comments, and audit trail. Nothing about your existing incident workflow changes; cases simply give you a durable layer for the work that used to fall between the cracks.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;A quick note on watchlists&lt;/H4&gt;
&lt;P&gt;Not everything in this transition is changing—and that’s a feature, not an oversight. Watchlists are a good example: a primitive that was already doing its job well, and that simply carries forward unchanged into the unified experience.&lt;/P&gt;
&lt;P&gt;No changes. Watchlists remain an Azure Sentinel feature for semi-static, custom lookup tables.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Aspect&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Azure portal &lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Defender&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Surrounding context&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Standalone Sentinel blade&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Unified with Defender incidents, hunting, and entity pages&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;Transition considerations&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Watchlists can be accessed under the configuration section as well as through &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/watchlists-queries" target="_blank" rel="noopener"&gt;watchlist queries&lt;/A&gt; alongside Defender XDR data&lt;/LI&gt;
&lt;LI&gt;You can upload a watchlist created from a &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/watchlists-create" target="_blank" rel="noopener"&gt;CSV or other source&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;Your existing watchlists keep working, your existing KQL keeps working, and the surrounding context just got richer—the same lookup table now joins against Defender entities and incidents alongside Sentinel data. Zero migration, broader reach.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;What this means for each persona&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Persona&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What changes in this part&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Detection engineer&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Two engines, one rules view&lt;/LI&gt;
&lt;LI&gt;Reach for custom detections on Defender signals (faster, native response actions); keep Sentinel analytics rules for non-Defender and cross-vendor SIEM&lt;/LI&gt;
&lt;LI&gt;Strong entity mappings matter more than ever—they fuel XDR correlation quality&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;SOAR/Automation owner&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Zero playbook migration—logic apps stay where they are&lt;/LI&gt;
&lt;LI&gt;Re-aim automation rules at unified incidents&lt;/LI&gt;
&lt;LI&gt;Lean on built-in Defender response actions for routine containment&lt;/LI&gt;
&lt;LI&gt;Explore the playbook generator (preview) for AI-assisted authoring&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Threat hunter&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Your KQL canvas is now cross-platform&lt;/LI&gt;
&lt;LI&gt;Saved Sentinel queries carry forward (view-only in Defender during transition; edit in Azure)&lt;/LI&gt;
&lt;LI&gt;“Convert hunt to detection” becomes part of the daily loop&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;SOC analyst&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Workbooks are right where the incident lives&lt;/LI&gt;
&lt;LI&gt;Hunting is one click from triage via “Go hunt”&lt;/LI&gt;
&lt;LI&gt;Built-in response actions reduce the playbook hops for common containment&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Architect&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Decide your detection-by-source policy: Defender data → custom detections; cross-vendor SIEM → analytics rules; firewalls/SaaS without native detections → Sentinel&lt;/LI&gt;
&lt;LI&gt;Plan a dual-automation period while incident triggers shift to unified&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H4&gt;Clearing up common misconceptions&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;“My analytics rules will be deleted.”&lt;/STRONG&gt;&lt;BR /&gt;No analytics rules are deleted. Sentinel analytics rules continue to function and appear in the unified custom detection rules blade alongside custom detections.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“I have to rewrite my playbooks.”&lt;/STRONG&gt;&lt;BR /&gt;No rewrite is required. All existing playbooks continue to run on Azure Logic Apps. Defender surfaces and triggers them; authoring still happens in Azure.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“Custom detections fully replace analytics rules today.”&lt;/STRONG&gt;&lt;BR /&gt;Not yet. Microsoft will converge them only once custom detections reach full parity.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“My workbooks need to be re-created in Defender.”&lt;/STRONG&gt;&lt;BR /&gt;No need. Same workbooks, same storage, no duplication. Authoring stays in Azure; consumption improves in Defender.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“Fusion is still running quietly.”&lt;/STRONG&gt;&lt;BR /&gt;It is not. Fusion is replaced by the Defender correlation engine. Verify that XDR correlation is generating multi-stage incidents and retire any Fusion-tied customizations.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“Advanced Hunting and Hunting are the same thing.”&lt;/STRONG&gt;&lt;BR /&gt;They’re complementary. Hunting is focused on Sentinel, while advanced hunting spans Sentinel + Defender XDR with real-time response actions.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Do this week&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Inventory analytics rules by source: rules targeting Defender data (candidates for custom detections), rules targeting non-Defender data (stay as analytics rules), and rules targeting firewalls/SaaS without native detections (Sentinel).&lt;/LI&gt;
&lt;LI&gt;Confirm strong entity mappings (accounts, hosts, IPs) on your active analytics rules—these drive XDR correlation quality.&lt;/LI&gt;
&lt;LI&gt;Pilot one custom detection on Defender data with a built-in response action (e.g., device isolation) end to end.&lt;/LI&gt;
&lt;LI&gt;Review your automation rules: which key on incident name, which key on analytic rule name, which trigger playbooks. Plan the dual-automation period.&lt;/LI&gt;
&lt;LI&gt;Validate that all existing playbooks remain triggerable from the unified incident queue.&lt;/LI&gt;
&lt;LI&gt;Run one advanced hunting query that joins Defender XDR tables with Sentinel tables—a small “aha” for the team.&lt;/LI&gt;
&lt;LI&gt;If you use Security Copilot, enable the embedded experience and the &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/sentinel-security-copilot" target="_blank" rel="noopener"&gt;Microsoft Sentinel integration&lt;/A&gt; to surface incident summaries and guided response.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Continue the series&lt;/H4&gt;
&lt;P&gt;All six parts of this series publish close together. Each one stands alone—pick the angle that matters most to you, or read them in order.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-1" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 1 – Beyond a portal move: The strategic shift to Defender&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Why the transition matters at the architecture and program level—the executive framing, the deadline, and the analyst validation.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-2" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 2 – Anatomy of the change: Incidents, alerts, correlation, and data&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The component-level mechanics: how the XDR correlation engine replaces Fusion, why incidents are no longer alert-centric, and what changes (and doesn’t) in your data architecture.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-4" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 4 – The governance shift: RBAC, URBAC, data lake, and MSSP&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The move from Azure RBAC to URBAC, the data lake operating model, and multi-tenant patterns.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-5" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 5 – Your readiness playbook: Adoption helper, costs, APIs, and the checklist&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;A practical plan: the Defender adoption helper, cost reality, API strategy, and the migration checklist.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-6" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 6 – The AI-first SOC: Copilot, UEBA, threat intelligence, and SOC optimization&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The destination: how Security Copilot, UEBA, threat intelligence, and SOC optimization combine into a fundamentally different operating model.&lt;/P&gt;</description>
      <pubDate>Thu, 18 Jun 2026 18:31:03 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detection-and-automation-reimagined/ba-p/4527933</guid>
      <dc:creator>Mohit_Kumar1</dc:creator>
      <dc:date>2026-06-18T18:31:03Z</dc:date>
    </item>
    <item>
      <title>Anatomy of the change</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/anatomy-of-the-change/ba-p/4527934</link>
      <description>&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN data-teams="true"&gt;Co-authored with Lizet Pena, Caroline Mutua, Alvin Kua and Marco Sudahl&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;Incidents, alerts, correlation, and data—what actually changes with the new platform, and why it works in your favor.&lt;/P&gt;
&lt;P&gt;When you open Microsoft Sentinel in Microsoft Defender for the first time, the shift feels immediate: investigations are cleaner, workflows are more connected, and analysts can move through incidents with far less context switching.&lt;/P&gt;
&lt;P&gt;Instead of pivoting between multiple queues, disconnected investigations, or duplicated alerts, SOC teams gain:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;One unified incident queue&lt;/LI&gt;
&lt;LI&gt;One attack story&lt;/LI&gt;
&lt;LI&gt;One place to investigate and respond&lt;/LI&gt;
&lt;LI&gt;One connected experience across Microsoft security signals&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;But the biggest improvements happen behind the scenes. The move from the Azure portal to Defender brings together incident correlation, alert handling, automation, and data investigation in ways that help SOC teams reduce manual work, improve visibility, and accelerate response.&lt;/P&gt;
&lt;P&gt;This post breaks down the core changes, what remains familiar, and the practical steps teams can take now to prepare.&lt;/P&gt;
&lt;H4&gt;What we will cover&lt;/H4&gt;
&lt;P&gt;In this post we’ll guide you through some changes as you begin using Defender:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;A more connected incident experience&lt;/LI&gt;
&lt;LI&gt;Alerts and schemas evolve for easier investigations&lt;/LI&gt;
&lt;LI&gt;Your underlying data architecture stays intact&lt;/LI&gt;
&lt;LI&gt;Content hub and existing investments continue to work&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;We’ll also cover:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;What these changes mean for different SOC roles&lt;/LI&gt;
&lt;LI&gt;Common misconceptions&lt;/LI&gt;
&lt;LI&gt;A practical “do this week” checklist&lt;/LI&gt;
&lt;LI&gt;For a complete overview of the new experience, visit the &lt;A href="https://learn.microsoft.com/en-us/unified-secops-platform/overview-defender-portal" target="_blank" rel="noopener"&gt;Microsoft Defender portal overview on Microsoft Learn.&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;A more connected incident experience&lt;/H4&gt;
&lt;P&gt;Incidents are the center of security operations. This is where many teams will immediately notice the benefits of Defender.&lt;/P&gt;
&lt;P&gt;In Defender:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Correlation is no longer done by Fusion; it is handled by Defender’s correlation engine, which correlates alerts once across Defender and Sentinel data&lt;/LI&gt;
&lt;LI&gt;Correlation is richer and more connected&lt;/LI&gt;
&lt;LI&gt;Related activity is grouped together more effectively&lt;/LI&gt;
&lt;LI&gt;Analysts investigate through an attack story instead of isolated alerts&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The result is a more streamlined investigation flow where one campaign or attack chain can be represented as a single incident instead of several disconnected records that must be manually stitched together.&lt;/P&gt;
&lt;P&gt;Analysts gain access to:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Attack story visualization&lt;/LI&gt;
&lt;LI&gt;Related assets and evidence&lt;/LI&gt;
&lt;LI&gt;Investigation timelines&lt;/LI&gt;
&lt;LI&gt;Correlated activities&lt;/LI&gt;
&lt;LI&gt;Cross-domain context&lt;/LI&gt;
&lt;LI&gt;Integrated hunting experiences&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;For organizations using Sentinel data lake and graph capabilities, analysts can also better visualize attack propagation paths and understand how activity may spread across environments. This helps reduce investigation time while improving clarity and confidence during triage.&lt;/P&gt;
&lt;H4&gt;Incident management – side by side&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="width: 1023px; height: 3624px; border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Aspect&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Azure portal&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Defender&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Incident list&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Time range picker for filtering incidents by date&lt;/LI&gt;
&lt;LI&gt;Filter and sort by status, severity and product name&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/defender-xdr/incident-queue#incident-queue" target="_blank" rel="noopener"&gt;Auto-refresh every 30 seconds&lt;/A&gt;&amp;nbsp;&lt;/LI&gt;
&lt;LI&gt;Product name (Sentinel or Defender) and alert count visibility&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Centralized list of incidents. Defender incidents are retained for 180 days; Sentinel incidents are retained according to the underlying data retention settings of the Log Analytics workspace (hot interactive retention)&lt;/LI&gt;
&lt;LI&gt;Incidents can be sourced from different services, and the retention of the data related to those incidents follows the default data retention period of each service&lt;/LI&gt;
&lt;LI&gt;To retain Defender incident data beyond 180 days, explicitly extend the retention period in the Sentinel workspace settings&lt;/LI&gt;
&lt;LI&gt;Incidents and alerts are now shown under the investigation and response menu and can be filtered based on source service&lt;/LI&gt;
&lt;LI&gt;The incidents page has a tab with alerts grouped into the incident, as well as a tab showing similar incidents&lt;/LI&gt;
&lt;LI&gt;Customizable columns and sortable incidents by ML-powered priority score&lt;/LI&gt;
&lt;LI&gt;Exporting and link copying options&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Incident details&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Overview tab with timeline showing alerts and bookmarks&lt;/LI&gt;
&lt;LI&gt;Entities and similar incidents matching&lt;/LI&gt;
&lt;LI&gt;UEBA insights&lt;/LI&gt;
&lt;LI&gt;Comments and tasks for SOC processes&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Sections for attack story, alerts, assets, investigations, evidence and responses, and always-visible incident detail pane&lt;/LI&gt;
&lt;LI&gt;Actions include triggering Sentinel playbooks, exporting incident details in PDF, merging or linking incidents&lt;/LI&gt;
&lt;LI&gt;Activities tab indicates if automation rules or playbooks were run as part of the incident response&lt;/LI&gt;
&lt;LI&gt;An alert can be promoted to incident&lt;/LI&gt;
&lt;LI&gt;Blast radius analysis of propagation path (requires Sentinel data lake and graph) is a graph-based visualization in Microsoft Defender that shows how an attack can spread from a compromised entity to other critical assets&lt;/LI&gt;
&lt;LI&gt;Security Copilot integration optimizes incident investigation and response&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Incident creation&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Created by Sentinel analytics rules or Fusion, or manually from bookmarks/hunting queries&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Each connected Microsoft Sentinel workspace is treated as a separate data source&lt;/LI&gt;
&lt;LI&gt;In multi-workspace setups, you designate one primary workspace. Only the primary workspace receives Defender incidents and alerts, and correlation with Defender alerts happens only in the primary&lt;/LI&gt;
&lt;LI&gt;Secondary workspaces can still ingest Defender tables if configured in the table menu in Defender, but correlation in a secondary workspace is scoped to the data within that workspace&lt;/LI&gt;
&lt;LI&gt;Fusion will be replaced by correlation in the primary and secondary workspaces&lt;/LI&gt;
&lt;LI&gt;Defender can still merge similar incidents based on detected commonalities&lt;/LI&gt;
&lt;LI&gt;Incidents can be created by analytic rules, custom detections, or alerts from different data sources—including Sentinel—while manual incident creation is on the roadmap&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Management actions&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Owner assignment, status (new/active/closed), severity, comments, tags, investigation graph, run playbook&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Stays the same, plus: update name, change severity, assign to users/teams, add tags, update status (active/in progress/resolved), close with resolution classification, run Sentinel playbooks directly, request Defender experts, export PDF, merge/link incidents&lt;/LI&gt;
&lt;LI&gt;With Security Copilot, AI-generated playbooks combined with enhanced automation rules let you run automation as soon as a security alert is created&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Collaboration&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Comments (HTML/markdown), bookmarks&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Activity log for tracked comments and audits, tasks feature with assignments and due dates&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Closing&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Classification required (true positive, benign positive, false positive, undetermined)&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Resolution classification required for closure&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Querying&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;KQL through log analytics&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;KQL through advanced hunting or Sentinel data lake exploration, where &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-overview" target="_blank" rel="noopener"&gt;advanced hunting&lt;/A&gt; allows querying Sentinel and Defender data in a single unified experience&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Security alerts&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Visible as part of an incident&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Can be promoted to incident, and also part of an incident&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Alert details&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Alert sub-menus from incident&lt;/LI&gt;
&lt;LI&gt;Alert details include severity, status, analytics rule, etc.&lt;/LI&gt;
&lt;LI&gt;Entity profile pages&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Full alert properties with MITRE tactics mapping&lt;/LI&gt;
&lt;LI&gt;Entities and evidence with contextual actions&lt;/LI&gt;
&lt;LI&gt;Activities timeline, alert tuning tool, and links to correlated incidents&lt;/LI&gt;
&lt;LI&gt;Customizable alert timeframe filter up to 180 days of alert history&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Attack story&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Legacy investigation graph requiring entity mapping in analytics rules&lt;/LI&gt;
&lt;LI&gt;Limited to incidents up to 30 days old&lt;/LI&gt;
&lt;LI&gt;Greater context switching required&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Chronological attack story with replay capability&lt;/LI&gt;
&lt;LI&gt;Graph filtering (Preview) by severity, status, service source and entity type&lt;/LI&gt;
&lt;LI&gt;Incident graph with full attack scope and spread&lt;/LI&gt;
&lt;LI&gt;Entity pivoting from attack graph&lt;/LI&gt;
&lt;LI&gt;“Go hunt” for direct advanced hunting across devices, files, etc.&lt;/LI&gt;
&lt;LI&gt;Immediate remediation actions without losing context&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 341px" /&gt;&lt;col style="width: 341px" /&gt;&lt;col style="width: 341px" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H4&gt;What remains the same&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Incident properties (title, description, severity, MITRE ATT&amp;amp;CK enterprise framework, tactics and techniques mapping) are preserved. Incidents still aggregate alerts and entities as evidence. Manual incident creation from hunting queries is still supported. Alerts and incidents can still be created by API or Logic App.&lt;/LI&gt;
&lt;LI&gt;The &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/roles" target="_blank" rel="noopener"&gt;Microsoft Sentinel Responder role&lt;/A&gt; remains the least-privileged role a SOC analyst needs to manage incidents, cases, tasks, threat intelligence, and the automation rules related to incident management. It maps to the &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/manage-rbac#start-using-microsoft-defender-unified-rbac-model" target="_blank" rel="noopener"&gt;Security Operator role in URBAC&lt;/A&gt; (Unified RBAC).&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Correlation becomes more connected&lt;/H4&gt;
&lt;P&gt;One of the most important evolutions is the move from Fusion correlation to the &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/alerts-incidents-correlation" target="_blank" rel="noopener"&gt;Defender correlation engine&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;This shift helps:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Reduce duplicate incidents&lt;/LI&gt;
&lt;LI&gt;Improve multi-stage attack correlation&lt;/LI&gt;
&lt;LI&gt;Consolidate related activity into richer investigations&lt;/LI&gt;
&lt;LI&gt;Reduce manual merging work for analysts&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The goal is simple: give analysts fewer, higher-quality incidents with more context attached.&lt;/P&gt;
&lt;P&gt;Existing analytics rules continue to work, while newer custom detection experiences continue to evolve alongside them.&lt;/P&gt;
&lt;P&gt;Analytics rules of the “Microsoft security” type (Microsoft incident creation rules) are no longer displayed. With Sentinel in the Azure portal, security alerts are individual detections generated when Sentinel or an integrated Microsoft security service identifies suspicious or malicious activity in your environment. When Defender products are connected to Sentinel in the Azure portal, their alerts flow into Sentinel as security alerts produced by Microsoft-managed detection logic, and Microsoft incident creation rules turned those alerts into Sentinel incidents. After Sentinel is enabled in Defender, those rules no longer fire: Defender creates and correlates the incidents itself. The Defender alerts are still stored and queryable in the SecurityAlert table, but the incident creation rules that previously produced incidents from them in the Azure portal are not visible in Defender.&lt;/P&gt;
&lt;P&gt;The custom detection rules blade in Defender displays both analytics rules and custom detections in a single view.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;One correlation engine instead of two means fewer duplicate incidents, fewer manual merges, and an investigation surface (attack story + blast radius) that’s richer than the legacy investigation graph it replaces.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;Considerations for incidents and correlation&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;Verify that any SOC automation closing or updating incidents using the Sentinel API is redirected to the &lt;A href="https://learn.microsoft.com/en-us/graph/security-concept-overview" target="_blank" rel="noopener"&gt;Microsoft Graph security API&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;Incident IDs, AlertIDs and URLs will change (Defender uses its own identifiers).&lt;/LI&gt;
&lt;LI&gt;Incident names are generated by the Defender correlation engine and may differ from Sentinel analytics rule names. Update any triage routing or SLA workflow that keys on the incident name. Correlation can be excluded per analytics rule or tenant-wide: alerts from excluded rules are not merged into Defender-correlated incidents and keep their rule-derived incident title.&lt;/LI&gt;
&lt;LI&gt;Review any workflow that depends on Fusion-generated incidents, since Fusion is replaced by Defender correlation.&lt;/LI&gt;
&lt;LI&gt;In Defender, teams can use tags, saved queries, and custom hunting tables to capture and organize investigation context after a hunting exercise, providing flexible ways to carry forward important findings.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Alerts and schemas evolve for easier investigation&lt;/H4&gt;
&lt;P&gt;As Sentinel continues to evolve within Defender, incident management becomes more streamlined, connected, and cost-efficient. Instead of relying on separate “Microsoft security alerts” analytics rules to generate incidents, alerts from Defender workloads, including endpoint, identity and cloud applications, are now correlated automatically by the Defender engine into a unified incident queue.&lt;/P&gt;
&lt;P&gt;This new approach helps eliminate duplicate incidents and gives security teams a cleaner, more consolidated investigation experience by bringing related alerts together into a single incident. It also enables organizations to modernize their operations by shifting from alert-level automation to incident-centric workflows, while taking advantage of Defender-native automation capabilities.&lt;/P&gt;
&lt;P&gt;Beyond operational simplicity, this model can also help optimize costs. Since alert data is available without requiring additional log analytics ingestion, organizations can be more selective about ingesting raw logs and focus instead on scenarios where deeper investigations, long-term retention, or compliance requirements make it necessary.&lt;/P&gt;
&lt;H4&gt;Key transition actions&lt;/H4&gt;
&lt;P&gt;To transition effectively organizations should first retire legacy “Microsoft incident creation rules” analytics rules and rely on the individual Defender connectors for alert ingestion. Automation strategies should then be reviewed and adjusted, as incident handling shifts from multiple alert-driven records to a single, correlated incident model—often requiring incident-level workflows.&lt;/P&gt;
&lt;P&gt;The integration also introduces bi-directional incident synchronization between Sentinel and Defender, enabling consistent state management across both environments, although the operational focus should move to Defender. Additionally, the new alert schema separates alert metadata from evidence. Organizations are encouraged to adopt the &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-alertinfo-table" target="_blank" rel="noopener"&gt;AlertInfo&lt;/A&gt; and &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-alertevidence-table" target="_blank" rel="noopener"&gt;AlertEvidence&lt;/A&gt; tables (available in advanced hunting) in place of the legacy SecurityAlert schema to support richer investigation scenarios.&lt;/P&gt;
&lt;H5&gt;Field-level differences – alert metadata&lt;/H5&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Concept&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Azure (SecurityAlert)&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Defender (AlertInfo)&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Alert ID&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;SystemAlertId&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;AlertId&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Name&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;AlertName&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Title&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Severity&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Severity&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Severity&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Product / Provider&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;ProviderName&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;DetectionSource / ServiceSource&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Description&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Description&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Title (AlertInfo has no separate description column)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Time&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;TimeGenerated&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Timestamp in advanced hunting (TimeGenerated once the table is ingested into the Log Analytics workspace)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The key shift here is naming normalization: one column set standardized across all Defender signals.&lt;/P&gt;
&lt;H4&gt;Field-level differences – entity/evidence modeling&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Concept&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Azure (SecurityAlert)&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Defender (AlertEvidence)&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Entities&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;JSON (Entities)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Rows (1 row per entity)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Entity type&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Inside JSON&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;EntityType column&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Host&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;JSON field&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;DeviceName, DeviceId&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;User&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;JSON field&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;AccountName, AccountSid&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;IP&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;JSON field&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;IPAddress&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;File&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;JSON field&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;FileName, SHA256&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The key shift here is denormalized JSON pivoting to strongly typed columns for easier joins, filters, and aggregations.&lt;/P&gt;
&lt;H5&gt;Querying differences – before and after&lt;/H5&gt;
&lt;P&gt;&lt;STRONG&gt;Azure (classic):&lt;/STRONG&gt;&lt;/P&gt;
&lt;LI-CODE lang=""&gt;SecurityAlert | extend Entities = parse_json(Entities) | mv -expand Entities | where Entities.Type == "account"&lt;/LI-CODE&gt;
&lt;P&gt;&lt;STRONG&gt;Defender (recommended):&lt;/STRONG&gt;&lt;/P&gt;
&lt;LI-CODE lang=""&gt;AlertInfo | join AlertEvidence on AlertId | where EntityType == "Account"&lt;/LI-CODE&gt;
&lt;P&gt;By leveraging the unified Microsoft Defender connector, your SOC gains efficiency (no double handling of the same threat), clarity (one incident is just one campaign or attack chain), and potential cost savings.&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Why this lands well: &lt;/STRONG&gt;The new schema isn’t a migration tax, it’s a query model that’s easier to write against, easier to teach new analysts, and avoids the JSON parsing Sentinel detection engineers have previously managed.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4&gt;Your underlying data architecture stays intact&lt;/H4&gt;
&lt;P&gt;In this process, you can be assured that your log analytics workspace, retention settings, data export, and governance controls all carry forward.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Aspect&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Azure portal&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Defender&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Storage&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Log analytics workspace in Azure&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Log analytics workspace in Azure (unchanged)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Storage tiers&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Analytic logs, Basic logs, Auxiliary logs, Archive&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;UL&gt;
&lt;LI&gt;Analytics logs, Basic logs, Auxiliary logs, Archive (unchanged)&lt;/LI&gt;
&lt;LI&gt;Changing the tier of a Basic logs or Auxiliary logs table still requires the Log Analytics workspace experience in the Azure portal. Onboarding to &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-overview" target="_blank" rel="noopener"&gt;Sentinel data lake&lt;/A&gt; for long-term retention is optional and becomes available once Sentinel is configured in the Defender portal&lt;/LI&gt;
&lt;LI&gt;If the primary workspace is onboarded to Sentinel data lake, its Basic logs and Auxiliary logs tables are converted to the data lake tier&lt;/LI&gt;
&lt;/UL&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Workspace default retention&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Configured in log analytics workspace settings&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Workspace default retention continues to be configured in the Azure portal or through CLI/API (unchanged)&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Per-table retention&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Configured per table in log analytics&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Per-table retention and tier management is available directly in Defender&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;Note on data lake availability: &lt;/STRONG&gt;Microsoft Sentinel data lake is not yet available in every Azure region. Check current region coverage on Microsoft Learn before planning onboarding: &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/geographical-availability-data-residency#supported-regions" target="_blank" rel="noopener"&gt;Geographical availability and data residency in Microsoft Sentinel&lt;/A&gt;. Your data lake is provisioned in the same region as your primary Sentinel workspace.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H5&gt;Content hub and existing investments continue to work&lt;/H5&gt;
&lt;P&gt;Content Hub remains the mechanism for discovering and deploying solution packages (connectors, analytics rules, workbooks, playbooks) for Sentinel. More than 450 solution templates from Microsoft, partners, and community contributors are available in the &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog" target="_blank" rel="noopener"&gt;Sentinel solutions catalog&lt;/A&gt;.&lt;/P&gt;
&lt;H5&gt;Transition considerations&lt;/H5&gt;
&lt;UL&gt;
&lt;LI&gt;Content hub is fully available in Defender. There is no need to switch back to the Azure portal for content management.&lt;/LI&gt;
&lt;LI&gt;Repositories (CI/CD for Sentinel content) and Community continue to function in Defender.&lt;/LI&gt;
&lt;LI&gt;No changes to content update mechanisms. Solutions continue to receive updates through Content Hub as before.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;What this means for each persona&lt;/H4&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Persona&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What changes in this part&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;SOC analyst&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;One unified incident queue. Attack story replaces the legacy investigation graph. “Go hunt” is one click away. Bookmarks are gone—use tags and saved queries instead.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Detection engineer&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;“Microsoft security alerts” analytics rules retire. AlertInfo + AlertEvidence become the canonical schema for new detections and hunting queries. Fusion-dependent logic moves to XDR correlation behavior.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Automation/SOAR owner&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Re-point any incident-update automation to the Microsoft Graph security API. Shift triggers from alert-level to incident-level. Review SLA and routing workflows that key on incident names.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Architect&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Decide your primary workspace explicitly—only the primary receives Defender incidents and alerts and gets XDR correlation. Plan retention deltas (Defender XDR 180 days versus Sentinel-extended).&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Compliance / Data owner&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Log analytics, retention, and per-table controls are unchanged. Data lake onboarding is optional. Document the data residency story for any auditor questions—the storage layer hasn’t moved.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;Clearing up common misconceptions&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;“Fusion still runs in the background.”&lt;/STRONG&gt;&lt;BR /&gt;It does not. Fusion is replaced by the Defender correlation engine on the primary workspace.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“My Sentinel data has to migrate.”&lt;/STRONG&gt;&lt;BR /&gt;It does not. The log analytics workspace is unchanged. Storage, retention, and per-table settings carry forward.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“I lose my existing analytics rules.”&lt;/STRONG&gt;&lt;BR /&gt;Sentinel analytics rules continue to function and are visible in the unified custom detection rules blade alongside custom detections. The roadmap converges them only when custom detections reach full parity.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“Incident IDs will stay the same, so my tickets won’t break.”&lt;/STRONG&gt;&lt;BR /&gt;Incident IDs and URLs change in Defender. Update any external ticketing or webhook integration.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“My Content Hub solutions need to be re-installed.”&lt;/STRONG&gt;&lt;BR /&gt;They don’t. Content Hub is still available in Defender. Solutions, repositories, and community all continue to work.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Get started&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Designate your primary Sentinel workspace&lt;/STRONG&gt; and document the decision. Only the primary receives Defender incidents/alerts and gets XDR correlation.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Inventory automations&lt;/STRONG&gt; that update or close incidents through the Sentinel API. Mark them for re-pointing to the &lt;A href="https://learn.microsoft.com/en-us/graph/security-concept-overview" target="_blank" rel="noopener"&gt;Microsoft Graph security API&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Identify external systems&lt;/STRONG&gt; keyed on incident IDs, URLs, or incident names. Flag for update.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Pilot one new hunting query&lt;/STRONG&gt; using &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-alertinfo-table" target="_blank" rel="noopener"&gt;AlertInfo&lt;/A&gt; + &lt;A href="https://learn.microsoft.com/en-us/defender-xdr/advanced-hunting-alertevidence-table" target="_blank" rel="noopener"&gt;AlertEvidence&lt;/A&gt; to build team familiarity with the new schema.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Confirm Content Hub solutions and repositories pipelines&lt;/STRONG&gt; are visible and operational from Defender.&lt;/LI&gt;
&lt;LI&gt;If long-term retention is on your roadmap, &lt;STRONG&gt;confirm your primary workspace region&lt;/STRONG&gt; is supported by the data lake before planning onboarding: &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/geographical-availability-data-residency#supported-regions" target="_blank" rel="noopener"&gt;Geographical availability and data residency&lt;/A&gt;.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Continue the series&lt;/H4&gt;
&lt;P&gt;All six parts of this series are published together. Each one stands alone—pick the angle that matters most to you or read them in order.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-1" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 1 – Beyond a portal move: The strategic shift to Defender&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;Why the transition matters at the architecture and program level—the executive framing, the deadline, and the analyst validation.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-3" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 3 – Detection and automation, reimagined&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;How analytics rules evolve into custom detections, the shift from alert-driven to incident-driven SOAR, and how hunting changes.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-4" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 4 – The governance shift: RBAC, URBAC, data Lake, and MSSP&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The move from Azure RBAC to URBAC, the data lake operating model, and multi -tenant patterns.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-5" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 5 – Your readiness playbook: Adoption helper, costs, APIs, and the checklist&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;A practical plan: the Defender adoption helper, cost reality, API strategy, and the migration checklist.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-6" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 6 – The AI-first SOC: Copilot, UEBA, threat intelligence, and SOC optimization&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;The destination: how Security Copilot, UEBA, threat intelligence, and SOC optimization combine into a fundamentally different operating model.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Jun 2026 16:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/anatomy-of-the-change/ba-p/4527934</guid>
      <dc:creator>Mohit_Kumar1</dc:creator>
      <dc:date>2026-06-17T16:00:00Z</dc:date>
    </item>
    <item>
      <title>Introducing New Additions to Microsoft Sentinel Normalization and ASIM</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/introducing-new-additions-to-microsoft-sentinel-normalization/ba-p/4524584</link>
      <description>&lt;BLOCKQUOTE&gt;
&lt;P&gt;&lt;STRONG&gt;TL;DR:&lt;/STRONG&gt; New ASIM parsers for Azure Firewall, Key Vault, AWS CloudTrail (EC2, S3, IAM), and 10+ third-party products. Two new schemas — Asset Entities and AI Agent Events. Plus changelogs on GitHub and a heads-up on an upcoming breaking change in ProcessEvent parsers.&lt;/P&gt;
&lt;/BLOCKQUOTE&gt;
&lt;H4 data-line="5"&gt;&lt;STRONG&gt;What's New&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P data-line="7"&gt;Security teams deal with logs from dozens of sources, each with its own schema. This painpoint makes it harder to write detections that work everywhere. The Advanced Security Information Model (ASIM) solves this by normalizing logs into a common schema, so a single analytic rule can cover a wide variety of sources without worrying about the source schema.&lt;/P&gt;
&lt;P data-line="9"&gt;Over the past few months, we have shipped a wave of new parsers, schemas, and improvements to ASIM. Here's everything you need to know.&lt;/P&gt;
&lt;H4 data-line="11"&gt;&lt;STRONG&gt;ASIM Parsers&lt;/STRONG&gt;&lt;/H4&gt;
&lt;H5 data-line="13"&gt;Azure Firewall&lt;/H5&gt;
&lt;P data-line="15"&gt;Azure Firewall logs were previously only supported from the&amp;nbsp;AzureDiagnostics&amp;nbsp;table. Now, we support the dedicated resource-specific tables:&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;th&gt;Table&lt;/th&gt;&lt;th&gt;ASIM Schema&lt;/th&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;AZFWDnsQuery&lt;/td&gt;&lt;td&gt;DNS&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;AZFWNetworkRule&lt;/td&gt;&lt;td&gt;NetworkSession&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;AZFWApplicationRule&lt;/td&gt;&lt;td&gt;WebSession&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H5 data-line="23"&gt;Azure Key Vault&lt;/H5&gt;
&lt;P data-line="25"&gt;Logs that are going to both AzureDiagnostics and resource-specific table AZKVAuditLogs are now normalized in the Audit Event schema.&lt;/P&gt;
&lt;H5 data-line="27"&gt;Azure Synapse SQL and Azure SQL Database&lt;/H5&gt;
&lt;P data-line="29"&gt;Logs that are going to both AzureDiagnostics and resource-specific table SQLSecurityAuditEvents are now normalized to the Audit Event schema.&lt;/P&gt;
&lt;H5 data-line="31"&gt;Azure Traffic Analytics&lt;/H5&gt;
&lt;P data-line="33"&gt;We have added support for the NTANetAnalytics table from Azure Traffic Analytics under the Network Session schema.&lt;/P&gt;
&lt;H5 data-line="35"&gt;AWS CloudTrail&lt;/H5&gt;
&lt;P data-line="37"&gt;AWS CloudTrail previously only mapped to the Authentication schema. Now, you can correlate EC2, S3, and IAM activity through ASIM alongside your Azure telemetry:&lt;/P&gt;
&lt;UL data-line="39"&gt;
&lt;LI&gt;&lt;STRONG&gt;AuditEvent&lt;/STRONG&gt;&amp;nbsp;— Normalized EC2 events&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;FileEvent&lt;/STRONG&gt;&amp;nbsp;— Normalized S3 events&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;UserManagement&lt;/STRONG&gt;&amp;nbsp;— Normalized IAM and Cognito events&lt;/LI&gt;
&lt;/UL&gt;
&lt;H5 data-line="44"&gt;Additional Parser Support&lt;/H5&gt;
&lt;P data-line="46"&gt;We have also integrated the following third-party sources into ASIM:&lt;/P&gt;
&lt;P data-line="48"&gt;&lt;STRONG&gt;Authentication&lt;/STRONG&gt;&amp;nbsp;— Normalize sign-in and identity events for cross-source threat detection.&lt;/P&gt;
&lt;UL data-line="50"&gt;
&lt;LI&gt;CheckPoint Smart Defense&lt;/LI&gt;
&lt;LI&gt;Cisco IOS&lt;/LI&gt;
&lt;LI&gt;Cisco ISE&lt;/LI&gt;
&lt;LI&gt;Fortinet FortiGate&lt;/LI&gt;
&lt;LI&gt;Okta (OktaSystemLogs)&lt;/LI&gt;
&lt;LI&gt;Palo Alto — PAN-OS&lt;/LI&gt;
&lt;LI&gt;Palo Alto — Global Protect&lt;/LI&gt;
&lt;LI&gt;VMware vCenter&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-line="59"&gt;&lt;STRONG&gt;Web Session&lt;/STRONG&gt;&amp;nbsp;— Normalize proxy and web gateway traffic.&lt;/P&gt;
&lt;UL data-line="61"&gt;
&lt;LI&gt;Cisco Umbrella Proxy Logs&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4 data-line="64"&gt;&lt;STRONG&gt;New ASIM Schemas&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P data-line="66"&gt;We have created two new schemas to expand support new use cases.&lt;/P&gt;
&lt;UL data-line="68"&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-asset" target="_blank" rel="noopener"&gt;Asset Entities&lt;/A&gt;&lt;/STRONG&gt;&amp;nbsp;— Provides a normalized view of asset inventory data, enabling you to correlate files and assets across detections and investigations.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-agent" target="_blank" rel="noopener"&gt;AI Agent Events&lt;/A&gt;&lt;/STRONG&gt;&amp;nbsp;— Normalizes telemetry from AI-driven workflows and autonomous agents.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4 data-line="72"&gt;&lt;STRONG&gt;Other Changes&lt;/STRONG&gt;&lt;/H4&gt;
&lt;H5 data-line="74"&gt;GitHub Changes&lt;/H5&gt;
&lt;P data-line="76"&gt;Changelogs for every ASIM parser have been created to better help you understand updates and bug fixes we have implemented. As an example, here is the change log for the Authentication ASIM unifying parser.&amp;nbsp;&lt;A href="https://github.com/Azure/Azure-Sentinel/blob/master/Parsers/ASimAuthentication/CHANGELOG/imAuthentication.md" target="_blank" rel="noopener"&gt;View Changelog&lt;/A&gt;&lt;/P&gt;
&lt;H5 data-line="78"&gt;Breaking Changes&lt;/H5&gt;
&lt;P data-line="80"&gt;While aligning our ProcessEvent parsers to the&amp;nbsp;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-process-event" target="_blank" rel="noopener"&gt;official documentation&lt;/A&gt;, we found a naming inconsistency in the&amp;nbsp;_Im_ProcessCreate&amp;nbsp;function:&lt;/P&gt;
&lt;UL data-line="82"&gt;
&lt;LI&gt;&lt;STRONG&gt;Documentation&lt;/STRONG&gt;&amp;nbsp;specifies the parameter as&amp;nbsp;targetusername_has&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Deployed parsers&lt;/STRONG&gt;&amp;nbsp;used&amp;nbsp;targetusername&lt;/LI&gt;
&lt;/UL&gt;
&lt;P data-line="85"&gt;&lt;STRONG&gt;What we changed:&lt;/STRONG&gt;&amp;nbsp;Both parameter names are now accepted.&lt;/P&gt;
&lt;P data-line="87"&gt;&lt;STRONG&gt;What you need to do:&lt;/STRONG&gt;&amp;nbsp;Update your analytic rules and queries to use&amp;nbsp;targetusername_has. The legacy&amp;nbsp;targetusername&amp;nbsp;parameter will be&amp;nbsp;&lt;STRONG&gt;deprecated in Summer 2026&lt;/STRONG&gt;.&lt;/P&gt;
&lt;H4 data-line="89"&gt;&lt;STRONG&gt;What's Next&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P data-line="91"&gt;We are continuing to expand ASIM with new parsers and schema capabilities to make detection authoring and log correlation even more powerful.&lt;/P&gt;
&lt;P data-line="93"&gt;&lt;A href="https://www.bluevoyant.com/" target="_blank" rel="noopener"&gt;BlueVoyant&lt;/A&gt;&amp;nbsp;is also investing heavily in the ASIM ecosystem, building parsers that enhance detection coverage for their customers.&amp;nbsp;&lt;A href="https://www.bluevoyant.com/blog" target="_blank" rel="noopener"&gt;See how they are using ASIM to operationalize detections&lt;/A&gt;.&lt;/P&gt;
&lt;P data-line="95"&gt;Want to get involved? Browse the&amp;nbsp;&lt;A href="https://github.com/Azure/Azure-Sentinel/tree/master/Parsers" target="_blank" rel="noopener"&gt;ASIM parsers on GitHub&lt;/A&gt;, file issues, or contribute your own. We'd love to hear your feedback.&lt;/P&gt;</description>
      <pubDate>Wed, 17 Jun 2026 15:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/introducing-new-additions-to-microsoft-sentinel-normalization/ba-p/4524584</guid>
      <dc:creator>derricklee</dc:creator>
      <dc:date>2026-06-17T15:00:00Z</dc:date>
    </item>
    <item>
      <title>Announcing Public Preview: Agent Identities Asset Connector for Microsoft Sentinel</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-public-preview-agent-identities-asset-connector-for/ba-p/4527960</link>
      <description>&lt;P&gt;As organizations accelerate adoption of AI agents across Microsoft 365 and enterprise environments, security teams face a fundamental shift:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Agents are becoming first-class identities and securing them requires understanding both their behavior and their identity context.&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;We are excited to announce the &lt;STRONG&gt;Public Preview of the Agent Identities Asset Connector for Microsoft Sentinel&lt;/STRONG&gt;, a foundational capability that delivers &lt;STRONG&gt;identity context for AI agents&lt;/STRONG&gt;, completing the visibility required for end-to-end agentic security.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Completing the picture: From activity to identity-aware security&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;With the &lt;STRONG&gt;&lt;A class="lia-internal-link lia-internal-url lia-internal-url-content-type-blog" href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/agent-365-connector-monitor-hunt-and-investigate-ai-agent-activity-in-microsoft-/4520836" data-lia-auto-title="A365 (Agent 365) Observability" data-lia-auto-title-active="0" target="_blank"&gt;A365 (Agent 365) Observability&lt;/A&gt; Connector&lt;/STRONG&gt; and &lt;A href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/the-microsoft-copilot-data-connector-for-microsoft-sentinel-is-now-in-public-pre/4491986" target="_blank" rel="noopener" data-lia-auto-title="M365 Copilot" data-lia-auto-title-active="0"&gt;&lt;STRONG&gt;M365 Copilot&lt;/STRONG&gt;&lt;/A&gt;&lt;STRONG&gt; connectors&lt;/STRONG&gt;, Sentinel customers already have deep visibility into:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Agent activity and execution flows&lt;/LI&gt;
&lt;LI&gt;Prompts, tools, and data access&lt;/LI&gt;
&lt;LI&gt;Cross-agent interactions&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;However, activity data alone cannot answer critical security questions, such as:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;What is this agent?&lt;/LI&gt;
&lt;LI&gt;What permissions does it have?&lt;/LI&gt;
&lt;LI&gt;Who owns or governs it?&lt;/LI&gt;
&lt;LI&gt;How does it fit into the broader identity ecosystem?&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;The &lt;STRONG&gt;Agent Identities Asset Connector&lt;/STRONG&gt; addresses this gap by bringing &lt;STRONG&gt;agent identity data into the Sentinel data lake&lt;/STRONG&gt;, enabling correlation with activity signals to deliver &lt;STRONG&gt;enriched, contextual security insights&lt;/STRONG&gt;.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Introducing the Agent Identity data model&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;This connector introduces &lt;STRONG&gt;four core asset tables&lt;/STRONG&gt; that together define the &lt;STRONG&gt;agent identities&lt;/STRONG&gt;:&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;&lt;STRONG&gt;Agent Users&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;Represents &lt;STRONG&gt;human principals responsible for agents&lt;/STRONG&gt;, including owners, sponsors, or administrators.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;What it provides:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Ownership and accountability relationships&lt;/LI&gt;
&lt;LI&gt;Mapping of agents to human context&lt;/LI&gt;
&lt;LI&gt;Organizational and governance linkage&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;Why it matters for security:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Enables &lt;STRONG&gt;accountability and traceability&lt;/STRONG&gt; for agent actions&lt;/LI&gt;
&lt;LI&gt;Helps answer: &lt;EM&gt;Who is responsible for this agent?&lt;/EM&gt;&lt;/LI&gt;
&lt;LI&gt;Critical for &lt;STRONG&gt;incident response, governance, and compliance audits&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;Sample Query&lt;/STRONG&gt;&lt;/P&gt;
&lt;LI-CODE lang="kusto"&gt;EntraAgentUsers | where tenantId has 'TENANTGUIDHERE' | summarize by displayName, userPrincipalName, agentIdentityBlueprintId, agentIdentitySPID, mailNickname, accountEnabled&lt;/LI-CODE&gt;
&lt;OL start="2"&gt;
&lt;LI&gt;&lt;STRONG&gt;Agent Identities&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;Represents the &lt;STRONG&gt;agent itself as a first-class identity&lt;/STRONG&gt;, including its lifecycle and configuration.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;What it provides:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Unique identity for each agent&lt;/LI&gt;
&lt;LI&gt;Lifecycle state (e.g., active, disabled)&lt;/LI&gt;
&lt;LI&gt;Metadata describing the agent type and context&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;Why it matters for security:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Elevates agents from hidden service constructs to &lt;STRONG&gt;first-class security principals&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Enables &lt;STRONG&gt;identity-aware detection and hunting&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Forms the foundation for &lt;STRONG&gt;monitoring agent behavior at identity granularity&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;Sample Query&lt;/STRONG&gt;&lt;/P&gt;
&lt;LI-CODE lang="kusto"&gt;EntraAgentIdentities | where tenantId has 'TENANTGUIDHERE' | summarize by displayName, createdDateTime, accountEnabled&lt;/LI-CODE&gt;
&lt;OL start="3"&gt;
&lt;LI&gt;&lt;STRONG&gt;Agent Blueprints&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;Represents the &lt;STRONG&gt;definition and design of agents&lt;/STRONG&gt;, how they are constructed and what capabilities they are intended to have.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;What it provides:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Blueprint or template defining agent behavior&lt;/LI&gt;
&lt;LI&gt;Configuration patterns and logical design&lt;/LI&gt;
&lt;LI&gt;Reusable constructs across multiple agents&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;Why it matters for security:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Enables understanding of &lt;STRONG&gt;intended vs. actual behavior&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Identifies systemic risks across agents built from the same blueprint&lt;/LI&gt;
&lt;LI&gt;Supports &lt;STRONG&gt;proactive risk assessment and governance&lt;/STRONG&gt; at scale&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;Sample Query&lt;/STRONG&gt;&lt;/P&gt;
&lt;LI-CODE lang="kusto"&gt;EntraAgentIdentityBlueprints | where tenantId has 'TENANTGUIDHERE' | summarize by displayName, createdDateTime, isDisabled, groupMembershipClaims, signInAudience, publisherDomain&lt;/LI-CODE&gt;
&lt;OL start="4"&gt;
&lt;LI&gt;&lt;STRONG&gt;Agent Blueprint Service Principals&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/OL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;Represents the &lt;STRONG&gt;service principals tied to agent blueprints&lt;/STRONG&gt;, which define the permissions and execution boundaries.&lt;/P&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;What it provides:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Service principal identities used by agents&lt;/LI&gt;
&lt;LI&gt;Permission scopes and access configurations&lt;/LI&gt;
&lt;LI&gt;Linkage between blueprint design and runtime execution&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;Why it matters for security:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Exposes &lt;STRONG&gt;what access an agent actually has&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Enables detection of &lt;STRONG&gt;over-permissioned or misconfigured agents&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Critical for enforcing &lt;STRONG&gt;least-privilege access and Zero Trust principles&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P class="lia-indent-padding-left-30px"&gt;&lt;STRONG&gt;Ingesting this data opens the SOC to new opportunities for use cases that meet the growing needs for awareness of agentic workloads within the environment.&lt;/STRONG&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;A Unified Asset Graph for Agentic Security&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Together, these four tables will enable a &lt;STRONG&gt;connected agent identity graph&lt;/STRONG&gt; depicting connections such as Agent User → Agent Identity → Agent Blueprint → Service Principal → Resources/Data.&lt;/P&gt;
&lt;P&gt;This enables Sentinel customers to gain access to key insights and options, such as:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Tracing &lt;STRONG&gt;who owns an agent&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Understanding &lt;STRONG&gt;how it is configured&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Analyzing &lt;STRONG&gt;what permissions it operates with&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Correlating with &lt;STRONG&gt;what it actually does (activity)&lt;/STRONG&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;&lt;STRONG&gt;Unlocking Asset + Activity Correlation&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;With the addition of these agent identity tables, Sentinel customers can now combine activity data from the A365 Observability and Copilot connectors with the asset information brought in from the Agent Identities connector to unlock deeper visibility into security scenarios:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Identity-aware investigations that correlate agent actions with identity, ownership, and permissions to identify which agents performed an action and understand how/why it was allowed&lt;/LI&gt;
&lt;LI&gt;End-to-end traceability by showing the full execution chains, highlighting the identity, tools, and data that was used by an agent&lt;/LI&gt;
&lt;LI&gt;Enriched detection and hunting by joining identity, asset, and SIEM data together within Sentinel data lake to better detect anomalous behavior relative to permissions, identify risky configurations, and improve detection fidelity&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;This reflects a core Sentinel principle:&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Asset data enriches activity data to provide deeper, more actionable security insights.&lt;/STRONG&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;From Observability to Agentic Security&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;The Agent Identities connector marks a shift from traditional observability to true agentic security within Sentinel. While customers previously had strong visibility into agent behavior, they often lacked the identity and governance context needed to fully understand and control their agent ecosystem. This release bridges that gap by providing a comprehensive, identity-centric view that connects agent activity with ownership, permissions, and relationships.&lt;/P&gt;
&lt;P&gt;As a result, customers can evolve from simple observability to enriched context and ultimately to actionable control, enabling end-to-end agent governance, identity-driven detections, and graph-based security insights. By establishing agents as first-class identities within Sentinel and unifying identity and activity signals, this capability lays the foundation for a cohesive security model that integrates human, non-human, device, and AI agent identities from Entra, M365, and other sources into a single, unified security data platform within Sentinel data lake.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Getting Started&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;To unlock the full value of agentic security in Microsoft Sentinel, complete the following steps:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;✅ Install Agent 365 and M365 Copilot Solutions in Content Hub&lt;/LI&gt;
&lt;LI&gt;✅ Enable Agent Identities Asset Connector provided by the solution&lt;/LI&gt;
&lt;LI&gt;✅ Enable A365 Observability Connector provided by the solution&lt;/LI&gt;
&lt;LI&gt;✅ Enable M365 Copilot Connector from the Microsoft Copilot solution&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Together, these provide a&amp;nbsp;&lt;STRONG&gt;comprehensive asset + activity view&lt;/STRONG&gt; for AI agents in your environment.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Final takeaway&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;STRONG&gt;Effective security requires both visibility and context. With the Agent Identities connector, Sentinel now delivers both for AI agents.&lt;/STRONG&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 16 Jun 2026 17:00:01 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/announcing-public-preview-agent-identities-asset-connector-for/ba-p/4527960</guid>
      <dc:creator>Krishna_Sagar_B_V</dc:creator>
      <dc:date>2026-06-16T17:00:01Z</dc:date>
    </item>
    <item>
      <title>Transform your security operation with a unified experience in Defender</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/transform-your-security-operation-with-a-unified-experience-in/ba-p/4527932</link>
      <description>&lt;H5&gt;&lt;STRONG&gt;&lt;SPAN data-teams="true"&gt;Co-authored with Lizet Pena, Caroline Mutua, Alvin Kua and Marco Sudahl&lt;/SPAN&gt;&lt;/STRONG&gt;&lt;/H5&gt;
&lt;P&gt;Security operations teams today are being asked to do more than ever: respond faster, manage increasing data volumes, reduce operational complexity, stay ahead of evolving threats, and balance cost and efficiency.&lt;/P&gt;
&lt;P&gt;That’s why Microsoft is bringing Microsoft Sentinel into Microsoft Defender: to bring together SIEM, XDR, threat intelligence, AI, and automation into a single experience.&lt;/P&gt;
&lt;P&gt;By &lt;STRONG&gt;March 31, 2027&lt;/STRONG&gt;, all Microsoft Sentinel customers will be automatically transitioned to Defender. But this transition is about far more than a new interface. It’s an opportunity to modernize the SOC, streamline operations, and unlock capabilities designed for the AI-first era of security operations.&lt;/P&gt;
&lt;P&gt;This blog kicks off a six-part series to help you confidently navigate the transition ahead of time, understand what changes (and what doesn’t), and maximize value along the way.&lt;/P&gt;
&lt;H4&gt;Why this post, and why now&lt;/H4&gt;
&lt;P&gt;This is the first of a six-part series helping customers transition their Sentinel experience from the Azure portal to Defender:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Part 1 – Beyond a portal move (You are here)&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Part 2 – Anatomy of the change: Incidents, alerts, correlation, and data&lt;/LI&gt;
&lt;LI&gt;Part 3 – Detection and automation, reimagined&lt;/LI&gt;
&lt;LI&gt;Part 4 – The Governance Shift: RBAC, URBAC, Sentinel data lake, and MSSP&lt;/LI&gt;
&lt;LI&gt;Part 5 – Your readiness playbook: Adoption helper, costs, APIs, and checklist&lt;/LI&gt;
&lt;LI&gt;Part 6 – The AI-First SOC: Copilot, UEBA, threat intelligence, and SOC optimization&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;The strategic shift in one paragraph&lt;/H4&gt;
&lt;P&gt;Defender represents the convergence of Microsoft’s security capabilities into a single operational experience. Instead of switching between disconnected tools and workflows, security teams can work from &lt;STRONG&gt;one integrated environment spanning SIEM, XDR, threat intelligence, AI-powered investigation and response, cross-domain correlation, and SOC automation.&lt;/STRONG&gt; Defender helps analysts investigate incidents faster, enables better collaboration across teams, and reduces operational friction across the security lifecycle. Most importantly, it creates a foundation for the future of AI-assisted and agentic security operations.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Why migrate early?&lt;/STRONG&gt;&lt;/P&gt;
&lt;P&gt;While the transition becomes mandatory in 2027, organizations that start earlier can begin realizing value immediately.&lt;/P&gt;
&lt;P&gt;Moving to Defender today helps organizations:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Streamline analyst workflows with a unified incident queue&lt;/LI&gt;
&lt;LI&gt;Reduce investigation time through advanced cross-product correlation&lt;/LI&gt;
&lt;LI&gt;Take advantage of Security Copilot experiences integrated into Defender&lt;/LI&gt;
&lt;LI&gt;Simplify operations across Sentinel and Defender products&lt;/LI&gt;
&lt;LI&gt;Modernize governance and access management models&lt;/LI&gt;
&lt;LI&gt;Prepare their SOC for AI-driven investigation and response&lt;/LI&gt;
&lt;LI&gt;Take advantage of the latest innovations.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Rather than treating migration as a compliance deadline, many customers are approaching it as a strategic modernization initiative for their SOC.&lt;/P&gt;
&lt;H4&gt;What changes, and what stays the same&lt;/H4&gt;
&lt;P&gt;One of the most important things to understand is that this is not a “rip and replace” migration. The foundational elements of Microsoft Sentinel remain intact while the operational experience evolves.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Area&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What changes&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What stays&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Management plane&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Defender becomes the primary experience&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;The Sentinel portal in Azure remains usable until March 31, 2027&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Incident model&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Unified incident queue across Sentinel + Defender, XDR correlation, attack story view&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Log Analytics remains the core storage layer&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Access control&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Unified RBAC (URBAC) preferred for cross-product, fine-grained access&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Azure RBAC continues to work until role migration to URBAC; service principals are not supported in URBAC&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Data&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Data lake for long-term retention and advanced analytics&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;No workspace migration required&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Cost&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Data lake can materially reduce overall cost by shifting high-volume logs out of the analytics tier, also allowing longer term retention at a lower cost (up to 12 years)&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;No change in the business model after moving over to Defender&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;col style="width: 33.33%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;P&gt;The key takeaway: customers are not rebuilding their environments from scratch. Existing investments continue to work while the operational layer becomes more integrated and intelligent.&lt;/P&gt;
&lt;H4&gt;What Defender unlocks&lt;/H4&gt;
&lt;P&gt;The transition to Defender is designed to unlock capabilities that are difficult to achieve in siloed environments.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Security Copilot:&lt;/STRONG&gt; Defender enables deeper integration with Security Copilot, including:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;AI-assisted incident triage&lt;/LI&gt;
&lt;LI&gt;Natural-language investigation workflows&lt;/LI&gt;
&lt;LI&gt;Guided response recommendations&lt;/LI&gt;
&lt;LI&gt;Natural language to KQL experiences&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Copilot capabilities help reduce analyst fatigue and accelerate investigation workflows.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Unified correlation: &lt;/STRONG&gt;With a single engine across all your alerts you can create richer, more contextual incidents spanning identities, endpoints, email, cloud apps, and data sources. This means you spend less time stitching alerts together manually and more time focused on high-confidence incidents.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Data lake: &lt;/STRONG&gt;Sentinel data lake introduces new flexibility for long-term retention, large-scale analytics, and cross-workspace investigation scenarios. For many customers, this creates opportunities to balance visibility, compliance, and cost more effectively.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Case management: &lt;/STRONG&gt;Collaborate across teams to respond to incidents.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Playbook generator:&lt;/STRONG&gt; Create custom workflow automations using natural language.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Sentinel graph:&lt;/STRONG&gt; Visualize relationships across users, devices, and activities to investigate attack paths, blast radius, and root cause.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Sentinel MCP server:&lt;/STRONG&gt; Let AI agents and Copilot query Sentinel in natural language through a unified, identity-secured Model Context Protocol interface.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Triage agent:&lt;/STRONG&gt; Autonomous Security Copilot agent that triages high-volume alerts (phishing, identity, cloud) with AI reasoning and a transparent rationale.&lt;/P&gt;
&lt;H4&gt;What this means for you&lt;/H4&gt;
&lt;P&gt;Different roles feel this transition differently. Use this as a quick orientation as later posts go deep on each.&lt;/P&gt;
&lt;DIV class="styles_lia-table-wrapper__h6Xo9 styles_table-responsive__MW0lN"&gt;&lt;table border="1" style="border-width: 1px;"&gt;&lt;thead&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;Role&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;&lt;STRONG&gt;What to pay attention to&lt;/STRONG&gt;&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/thead&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Security analyst&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;New incident queue, attack story view, and Copilot-assisted triage – your day-to-day surface changes most.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;Detection engineer&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Custom detections become the forward direction; analytics rules continue to work but the model is evolving from SIEM to XDR detection.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;SOC manager&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;URBAC governance, data lake blast-radius, and incident-centric automation reshape how you run the SOC.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/unified-secops/governance-relationships" target="_blank" rel="noopener"&gt;MSSP and Partner&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;/td&gt;&lt;td&gt;
&lt;P&gt;Multi-tenant view (up to 100 tenants), planning to support up to 1k tenants, unified incident queue, dual RBAC model – Lighthouse is still needed for Azure resources.&lt;/P&gt;
&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;colgroup&gt;&lt;col style="width: 50.00%" /&gt;&lt;col style="width: 50.00%" /&gt;&lt;/colgroup&gt;&lt;/table&gt;&lt;/DIV&gt;
&lt;H4&gt;Clearing up common misconceptions&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;“The transition is optional.”&lt;/STRONG&gt;&lt;BR /&gt;No. Customers must migrate their experience by March 31, 2027.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“We need to migrate our workspaces.”&lt;BR /&gt;&lt;/STRONG&gt;You do not need to migrate log analytics workspaces simply to use Microsoft Sentinel in Defender.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“This is only a UI change.”&lt;BR /&gt;&lt;/STRONG&gt;Defender introduces meaningful operational and architectural improvements across investigation, correlation, governance, automation, and AI-assisted workflows.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;“The transition itself increases costs.”&lt;BR /&gt;&lt;/STRONG&gt;There is no additional licensing charge simply for using Sentinel in Defender. Optional capabilities—such as Security Copilot or Sentinel data lake usage—may introduce additional costs depending on adoption and usage patterns.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;How to get started&lt;/H4&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Align your stakeholders:&lt;/STRONG&gt; Brief your SOC leadership and detection engineering leads on the March 31, 2027 deadline and the platform shift narrative.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Form a readiness team:&lt;/STRONG&gt; Identify a small working group (analyst + engineer + SOC manager + identity owner) to own the readiness effort.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Explore Defender:&lt;/STRONG&gt; Start familiarizing yourself with Defender and workflows.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Assess your data strategy:&lt;/STRONG&gt; Review how leveraging the data lake may fit into your future strategy.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Follow Tech Community:&lt;/STRONG&gt; Get more information in this series.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H4&gt;Additional resources&lt;/H4&gt;
&lt;P&gt;Further reading: The Microsoft Security Community post &lt;A href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/migrate-sentinel-to-defender---why-it-is-a-security-architecture-decision-not-ju/4513815" target="_blank" rel="noopener"&gt;Migrate Sentinel to Defender – Why it is a security architecture decision, not just a portal change&lt;/A&gt; frames the same thesis from an architectural lens. For the official transition guidance, start with the Microsoft Learn article &lt;A href="https://learn.microsoft.com/en-us/unified-secops-platform/microsoft-sentinel-onboard" target="_blank" rel="noopener"&gt;Connect Microsoft Sentinel to the Microsoft Defender portal&lt;/A&gt;.&lt;/P&gt;
&lt;H4&gt;Continue the series&lt;/H4&gt;
&lt;P&gt;This is the first of six parts. The remaining posts will be published over the coming days. Each one stands alone, so you can read them in order as they go live or jump to the angle that matters most to you once it's out:&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-2" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 2 – Anatomy of the change: Incidents, alerts, correlation, and data&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;If you want component-level mechanics: how the XDR correlation engine replaces Fusion, why incidents are no longer alert-centric, and what changes (and doesn’t) in your data architecture.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-3" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 3 – Detection and automation, reimagined&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;If you write detections or run automation: the shift from analytics rules to custom detections, the move from alert-driven to incident-driven SOAR, and how hunting evolves.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-4" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 4 – The governance shift: RBAC, URBAC, Sentinel data lake, and MSSP&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;If you own identity, access, or multi-tenant operations: the move from Azure RBAC to URBAC, Sentinel data lake, better blast-radius identification, and the MSSP model.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-5" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 5 – Your readiness playbook: Adoption helper, costs, APIs, and the checklist&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;If you need a practical plan: a walk-through of the Defender adoption helper, cost reality, API strategy, and the migration checklist.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://aka.ms/usx-blog-6" target="_blank" rel="noopener"&gt;&lt;STRONG&gt;Part 6 – The AI-first SOC: Copilot, UEBA, Threat intelligence, and SOC optimization&lt;/STRONG&gt;&lt;/A&gt;&lt;/P&gt;
&lt;P&gt;If you want to see the destination: how Security Copilot, UEBA, threat intelligence, and SOC optimization combine into a fundamentally different operating model.&lt;/P&gt;</description>
      <pubDate>Tue, 16 Jun 2026 16:00:00 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/transform-your-security-operation-with-a-unified-experience-in/ba-p/4527932</guid>
      <dc:creator>Mohit_Kumar1</dc:creator>
      <dc:date>2026-06-16T16:00:00Z</dc:date>
    </item>
    <item>
      <title>Reset Data Lake?</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel/reset-data-lake/m-p/4527785#M12942</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Is the only want to reset or change the Data Lake to contact Microsoft Support. We've a ticket open for a few days now. The Data Lake was setup as in a test subscription and we really need to delete it/reset it and start again under a proper production subscription.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanls&lt;/P&gt;</description>
      <pubDate>Fri, 12 Jun 2026 09:54:30 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel/reset-data-lake/m-p/4527785#M12942</guid>
      <dc:creator>DaithiG</dc:creator>
      <dc:date>2026-06-12T09:54:30Z</dc:date>
    </item>
    <item>
      <title>Detecting AI agents and non-human identities in Microsoft Sentinel: the classic-agent blind spot</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel/detecting-ai-agents-and-non-human-identities-in-microsoft/m-p/4526787#M12940</link>
      <description>&lt;P&gt;Build 2026 made the direction official. The industry is moving from the app era into the agent era, and Microsoft spent a real share of the keynote on securing agents across their lifecycle, from discovering what is exploitable to governing what is running in production. On the identity side the centerpiece is Microsoft Entra Agent ID, now generally available, which gives AI agents first-class identities and extends Conditional Access, Identity Protection, and full audit logging to them.&lt;/P&gt;&lt;P&gt;That is good news for agents you build the new way. It is not the whole picture, and the gap is where most SOCs will get hurt first.&lt;/P&gt;&lt;H3&gt;Modern agents are covered. Classic agents are not.&lt;/H3&gt;&lt;P&gt;Entra Agent ID draws a hard line between two kinds of agent.&lt;/P&gt;&lt;P&gt;Modern agents are created through the Agent ID platform, each backed by an agent identity blueprint. They carry a proper Agent ID, a full audit trail, and the complete set of governance capabilities, including Identity Protection for Agents, which establishes a baseline for an agent's normal activity and flags anomalies automatically.&lt;/P&gt;&lt;P&gt;Classic agents are everything that came before, or that gets built outside the platform: AI agents implemented as ordinary service principals or app registrations, for example Copilot Studio agents created before Agent ID was enabled, or any home-grown automation calling Graph with client credentials. In the Entra agent registry they appear with "Has Agent ID: No," and that flag matters, because the Agent ID protections apply to identities that actually hold an Agent ID. Classic agents sit outside Identity Protection for Agents and Conditional Access for Agents.&lt;/P&gt;&lt;P&gt;Here is the uncomfortable part. 
The non-human identities you already run, the service principals behind your pipelines, your integrations, your scripts, your pre-platform Copilot Studio bots, are almost all classic agents. They tend to outnumber your human accounts, they have no MFA in any meaningful sense, and a credential added to one does not show up in the Azure portal. The new platform protections do not reach them. Until you migrate them, the only place you get detection coverage on that population is your SIEM.&lt;/P&gt;&lt;P&gt;So this is the job Sentinel does that Agent ID does not: detect risky behavior on the classic, service-principal-backed agents that the platform cannot yet protect.&lt;/P&gt;&lt;H3&gt;The telemetry you have, and the one switch people forget&lt;/H3&gt;&lt;P&gt;Three tables carry most of the signal.&lt;/P&gt;&lt;P&gt;AADServicePrincipalSignInLogs records service principal authentications, the client-credentials sign-ins your agents and automation use. No user, no MFA, just an app proving it holds a secret or certificate.&lt;/P&gt;&lt;P&gt;AADManagedIdentitySignInLogs does the same for managed identities.&lt;/P&gt;&lt;P&gt;AuditLogs records directory changes, including the one that matters most for persistence: a new credential added to an application or service principal.&lt;/P&gt;&lt;P&gt;One practical warning before any of this works. Service principal and managed identity sign-in logs are not streamed by default. You have to enable those categories explicitly in the Entra diagnostic settings feeding your workspace. Plenty of teams write the detection, never check, and never notice the table is empty. Verify that first.&lt;/P&gt;&lt;H3&gt;Detection 1: a new credential on a service principal or app&lt;/H3&gt;&lt;P&gt;Adding a secret or certificate to an existing service principal is one of the cleanest persistence techniques in a Microsoft cloud. 
The attacker compromises a privileged user or app, drops a fresh credential on a service principal that already holds useful Graph permissions, and now has access that survives password resets and session revocation. It maps to MITRE T1098.001, Account Manipulation: Additional Cloud Credentials. For a classic agent it is especially nasty, because there is no Identity Protection baseline watching it.&lt;/P&gt;&lt;LI-CODE lang="kusto"&gt;// Detection 1: new secret or certificate added to an application or service principal
// MITRE T1098.001 - Account Manipulation: Additional Cloud Credentials
AuditLogs
| where OperationName has_any ("Add service principal", "Certificates and secrets management")
| where Result =~ "success"
| extend Initiator = coalesce(
        tostring(InitiatedBy.user.userPrincipalName),
        tostring(InitiatedBy.app.displayName))
| extend InitiatorIp = tostring(InitiatedBy.user.ipAddress)
| mv-apply Target = TargetResources on (
    // Credential adds on an app registration target "Application"; adds on an
    // enterprise app (the "Add service principal credentials" shape) target "ServicePrincipal"
    where Target.type in~ ("Application", "ServicePrincipal")
    | extend TargetName  = tostring(Target.displayName),
             TargetId    = tostring(Target.id),
             KeyChanges  = Target.modifiedProperties
  )
| mv-apply Prop = KeyChanges on (
    where tostring(Prop.displayName) =~ "KeyDescription"
    | extend NewKeys = parse_json(tostring(Prop.newValue)),
             OldKeys = parse_json(tostring(Prop.oldValue))
  )
// A first-ever credential has no old value; treat it as an empty set so the add still counts
| extend AddedKeys = set_difference(NewKeys, coalesce(OldKeys, dynamic([])))
| where array_length(AddedKeys) &amp;gt; 0
| project TimeGenerated, Initiator, InitiatorIp, TargetName, TargetId, AddedKeys
| order by TimeGenerated desc&lt;/LI-CODE&gt;&lt;P&gt;The operation filter catches the three shapes this event takes in the log: "Add service principal," "Add service principal credentials," and "Update application - Certificates and secrets management." The modifiedProperties parsing isolates the KeyDescription change, and set_difference confirms a key was actually added rather than removed, so rotating out an old credential does not, on its own, fire the rule.&lt;/P&gt;&lt;P&gt;False positives come from legitimate rotation and from automation that provisions app credentials (CI/CD, infrastructure as code). The initiator is the discriminant. A credential added by your deployment pipeline's service account at the usual time is routine. The same change initiated by an interactive admin out of hours, or by an account that never normally touches app credentials, is what you want to surface. Allow-list the expected initiators, not the targets.&lt;/P&gt;&lt;H3&gt;Detection 2: a classic agent signing in from a first-seen IP&lt;/H3&gt;&lt;P&gt;A service principal that has only ever authenticated from your Azure regions and suddenly signs in from somewhere new is a strong signal that its credential has been lifted and is being used elsewhere. Service principals have stable, boring network behavior, which makes a first-seen IP a far cleaner indicator for them than it is for roaming human users. This is the behavioral baseline Identity Protection gives you for free on modern agents, rebuilt in KQL for the classic ones it ignores. MITRE T1078.004, Valid Accounts: Cloud Accounts.&lt;/P&gt;&lt;LI-CODE lang="kusto"&gt;// Detection 2: classic-agent service principal signing in from a previously unseen IP
// MITRE T1078.004 - Valid Accounts: Cloud Accounts
let baseline  = 14d;
let detection = 1d;
let KnownIPs =
    AADServicePrincipalSignInLogs
    | where TimeGenerated between (ago(baseline + detection) .. ago(detection))
    | where tostring(ResultType) == "0"
    | summarize KnownIPSet = make_set(IPAddress) by AppId;
AADServicePrincipalSignInLogs
| where TimeGenerated &amp;gt; ago(detection)
| where tostring(ResultType) == "0"
| lookup kind=leftouter KnownIPs on AppId
// Apps with no baseline rows get a null KnownIPSet from the leftouter lookup;
// treat that as an empty set so brand-new service principals surface on first use
| extend KnownIPSet = coalesce(KnownIPSet, dynamic([]))
| where set_has_element(KnownIPSet, IPAddress) == false
| summarize FirstSeen = min(TimeGenerated),
            Resources = make_set(ResourceDisplayName, 10)
  by ServicePrincipalName, AppId, IPAddress
| order by FirstSeen desc&lt;/LI-CODE&gt;&lt;P&gt;The query builds a per-application baseline of source IPs over the previous two weeks, then flags any successful sign-in today from an address outside that set. Two tuning notes. Brand-new service principals have no baseline, so they surface on first use. That is usually worth seeing once, but you can exclude AppIds younger than the baseline window if it gets noisy. And if your agents egress through shifting cloud IP ranges, widen the comparison from an exact IP to the autonomous system number or a known-range allow-list, otherwise you will chase your own infrastructure.&lt;/P&gt;&lt;P&gt;This complements Agent ID; it does not replace it!&lt;/P&gt;&lt;P&gt;&lt;STRONG&gt;The endgame is not to run these rules forever. It is to shrink the population they apply to.&lt;/STRONG&gt; Inventory your tenant for agents marked "Has Agent ID: No," prioritize the ones holding sensitive Graph permissions, and migrate them onto the Agent ID platform, where Identity Protection and Conditional Access take over the baselining you are doing here by hand. Microsoft has signaled a migration path from classic to modern agents. Treat these two detections as the coverage you need in the meantime, and as a permanent safety net for anything that never makes the move.&lt;/P&gt;&lt;P&gt;If you do one thing this week: enable the service principal sign-in log category, deploy detection 1, and pull a list of every service principal that had a credential added in the last 90 days. That list alone tends to be more interesting than people expect.&lt;/P&gt;&lt;P&gt;Cheers, Marcel&lt;/P&gt;</description>
      <pubDate>Tue, 09 Jun 2026 13:57:23 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel/detecting-ai-agents-and-non-human-identities-in-microsoft/m-p/4526787#M12940</guid>
      <dc:creator>Marcel_Graewer</dc:creator>
      <dc:date>2026-06-09T13:57:23Z</dc:date>
    </item>
    <item>
      <title>The Worm in the Supply Chain: How Defender for Endpoint and Sentinel for SAP BTP Caught Shai-Hulud</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/the-worm-in-the-supply-chain-how-defender-for-endpoint-and/ba-p/4526246</link>
      <description>&lt;P&gt;On &lt;STRONG&gt;29 April 2026&lt;/STRONG&gt;, malicious versions of multiple SAP ecosystem npm packages were briefly published, creating a supply-chain exposure for SAP Cloud Application Programming (CAP) development environments and CI/CD pipelines.&lt;/P&gt;
&lt;P&gt;For a brief window that morning, affected developers executed a credential-stealing payload on a workstation or, in higher-impact cases, within a CI/CD pipeline.&lt;/P&gt;
&lt;P&gt;SAP developers don't usually think of themselves as a juicy npm target. CAP, BTP, Fiori - that's enterprise turf, not crypto-stealer territory, until it is. Join me for the ride.&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;See our &lt;/EM&gt;&lt;A href="https://demos.microsoft.com/Microsoft/play/6373" target="_blank" rel="noopener"&gt;&lt;EM&gt;latest click-video&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt; for an even more dynamic experience of SAP compromises.&lt;/EM&gt;&lt;/P&gt;
&lt;H1&gt;Affected packages and scope&lt;/H1&gt;
&lt;P&gt;Four official npm packages from the SAP development ecosystem were published in malicious versions that day. Security researchers are calling the campaign "Mini Shai-Hulud" - the little cousin of the worm family that has been chewing its way through open-source registries for months. So, the "mini" part is a generous description in my opinion.&lt;/P&gt;
&lt;P&gt;Shai-Hulud has wriggled directly into the SAP supply chain, and that detail alone deserves a pause... &lt;STRONG&gt;SAP CAP&lt;/STRONG&gt; is now interesting enough to &lt;STRONG&gt;have become a target&lt;/STRONG&gt;.&lt;/P&gt;
&lt;P&gt;Four packages, all wearing legitimate SAP branding, all quietly swapped for evil twins:&lt;/P&gt;
&lt;LI-CODE lang=""&gt;@cap-js/sqlite v2.2.2
@cap-js/postgres v2.2.2
@cap-js/db-service v2.10.1 
mbt v1.2.48&lt;/LI-CODE&gt;
&lt;P&gt;These packages are not peripheral dependencies. The @cap-js/* modules are part of the SAP CAP Model used across custom development on SAP BTP, while mbt is the Cloud MTA Build Tool commonly embedded in CI/CD workflows that package and deploy Multi-Target Applications to BTP and on-premises environments. At roughly &lt;A href="https://labs.cloudsecurityalliance.org/research/csa-research-note-mini-shai-hulud-multi-ecosystem-supply-cha/" target="_blank" rel="noopener"&gt;930,000 weekly downloads&lt;/A&gt;, the combined exposure created meaningful downstream attack surface.&lt;/P&gt;
&lt;P&gt;The good news: SAP spotted the compromise fast, yanked the bad versions, and shipped clean replacements. The official guidance lives in SAP Security Note &lt;A href="https://me.sap.com/notes/3747787" target="_blank" rel="noopener"&gt;3747787&lt;/A&gt; - which carries the list of indicators of compromise, file hashes, and mitigation steps.&lt;/P&gt;
&lt;P&gt;Enough theory and evidence talk! Now, SHOW ME the detection!&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;&lt;EM&gt;When the worm stirs beneath the sand, weak defenses vanish first.&lt;/EM&gt;&lt;/P&gt;
&lt;H1&gt;Observed telemetry in Microsoft Security products&lt;/H1&gt;
&lt;P&gt;See the excerpt below from Microsoft Defender for Endpoint on a compromised developer machine. The worm was neutralized immediately. Check the detection time (same day as the release):&lt;/P&gt;
&lt;LI-CODE lang=""&gt;Windows Defender AV detected malware
ToString: DefenderDetection: File: /Users/User***/Projects/dara-api-manager-ui/node_modules/mbt/File***.js, Sha256: *** [Trojan:JS/SPchnStlr.BB],

BlockingStatus: Prevented, BlockingStatusPriority: 900 DetectionTime: 2026-04-29 11:52:11Z DetectorName: 

Microsoft.Cyber.ObservationDetectors.DefenderConcreteDetector Observations (2): DefenderObservation
Description: Defender detected and quarantined 'Trojan:JS/SPchnStlr.BB' in file 'File***.js' ThreatCategory = Trojan, ThreatFamily = SPchnStlr,&lt;/LI-CODE&gt;
&lt;H1&gt;How the Threat Actors Operationalized the Stolen Data&lt;/H1&gt;
&lt;P&gt;The compromise allowed harvesting of GitHub tokens, AWS/Azure/GCP secrets, npm credentials, Kubernetes config, SSH keys, &lt;EM&gt;.npmrc&lt;/EM&gt; and &lt;EM&gt;.git-credentials&lt;/EM&gt; files, and CI/CD environment variables.&lt;/P&gt;
&lt;P&gt;The hackers created a public GitHub repository &lt;STRONG&gt;on the victim’s own account&lt;/STRONG&gt;, tagged with the description &lt;EM&gt;“A Mini Shai-Hulud has Appeared”&lt;/EM&gt; to exfiltrate their reaping. Within hours, more than a thousand such repositories were visible in &lt;A href="https://github.com/search?q=%22A+Mini+Shai-Hulud+has+Appeared%22&amp;amp;type=repositories" target="_blank" rel="noopener"&gt;public GitHub search&lt;/A&gt;.&lt;/P&gt;
&lt;img /&gt;
&lt;P class="lia-clear-both"&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;For additional views on the topic check out the blogs of our Sentinel for SAP &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/sap/solution-partner-overview" target="_blank" rel="noopener"&gt;partners&lt;/A&gt;: &lt;A href="https://onapsis.com/blog/sap-cap-mini-shai-hulud-supply-chain-attack/" target="_blank" rel="noopener"&gt;Onapsis&lt;/A&gt;, &lt;A href="https://pathlock.com/blog/security-alerts/sap-npm-supply-chain-incident-malicious-packages-impact-cap-mta/" target="_blank" rel="noopener"&gt;Pathlock&lt;/A&gt;, and &lt;A href="https://securitybridge.com/blog/a-mini-shai-hulud-has-appeared-when-the-npm-supply-chain-reaches-into-sap/" target="_blank" rel="noopener"&gt;SecurityBridge&lt;/A&gt;.&lt;/P&gt;
&lt;H1&gt;Containment and Impact Reduction&lt;/H1&gt;
&lt;P&gt;If you were not as lucky as the developer using Defender for Endpoint and VS Code, you need end-to-end monitoring of your landscape in and around SAP. Once the worm is loose with cloud tokens it may appear in various unexpected places.&lt;/P&gt;
&lt;P&gt;Microsoft Sentinel Solution for SAP covers your ERP crown jewels, your SAP BTP landscape and allows informed correlation with the rest of your IT estate. Microsoft’s correlation engine:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;ensures traceability,&lt;/LI&gt;
&lt;LI&gt;provides automatic attack disruption, and&lt;/LI&gt;
&lt;LI&gt;enables just-in-time hardening of potential attack paths.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Developers using the cloud-based IDE SAP Business Application Studio are out of reach of Defender for Endpoint, but they benefit from threat monitoring through Sentinel for SAP BTP, which integrates SAP BTP’s malware scanner in the same way.&lt;/P&gt;
&lt;P&gt;See this in action in &lt;A href="https://demos.microsoft.com/Microsoft/play/6373" target="_blank" rel="noopener"&gt;this click-video&lt;/A&gt; and in the screenshot below.&lt;/P&gt;
&lt;img /&gt;
&lt;P&gt;SOC analysts get actionable insights and tailored guidance from Security Copilot once SAP BTP signals are added to the Microsoft incident graph - no matter where the threat involving SAP originates from.&lt;/P&gt;
&lt;H1&gt;Getting Started with Sentinel Solution for SAP&lt;/H1&gt;
&lt;P&gt;Rollout of Sentinel for SAP BTP can happen immediately. Learn more from our &lt;A href="https://learn.microsoft.com/azure/sentinel/sap/sap-btp-solution-overview" target="_blank" rel="noopener"&gt;deployment guide&lt;/A&gt;. Check out the &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-btp-security-content" target="_blank" rel="noopener"&gt;security content&lt;/A&gt; reference for more information on the out-of-the-box detections.&lt;/P&gt;
&lt;P&gt;Sentinel for SAP, which covers your ERP solutions and more, requires configuration of SAP Integration Suite as an intermediary step. Learn more from our &lt;A href="https://learn.microsoft.com/azure/sentinel/sap/deployment-overview?tabs=agentless" target="_blank" rel="noopener"&gt;deployment guide&lt;/A&gt;. Check out the &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-security-content?pivots=connection-agentless" target="_blank" rel="noopener"&gt;security content&lt;/A&gt; reference for more information on the out-of-the-box detections.&lt;/P&gt;
&lt;H1&gt;Final Words&lt;/H1&gt;
&lt;P&gt;This incident illustrates how far the SAP BTP attack surface now extends and why patching alone is insufficient once malicious code reaches developer tooling and build infrastructure. Effective defense also requires telemetry, correlation, and response coverage across SAP and non-SAP environments.&lt;/P&gt;
&lt;P&gt;See you out there folks!&lt;/P&gt;
&lt;P&gt;#Kudos to Mahesh Mandva and Cameron Gardiner on riding Shai-Hulud with me.&lt;/P&gt;
&lt;P&gt;Feel free to reach out to talk more about SAP Cyber Security.&lt;/P&gt;
&lt;P&gt;Cheers, Martin&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;Useful Links&lt;/H3&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://me.sap.com/notes/3747787" target="_blank"&gt;SAP Note 3747787 with mitigation guide&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://labs.cloudsecurityalliance.org/research/csa-research-note-mini-shai-hulud-multi-ecosystem-supply-cha/" target="_blank"&gt;Mini Shai-Hulud: Multi-Ecosystem Developer Supply Chain Attack – Lab Space&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://demos.microsoft.com/Microsoft/play/6373" target="_blank"&gt;Click-Demo for SAP Cyber Security with Microsoft&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/sentinel/sap/sap-solution-security-content?pivots=connection-agentless" target="_blank"&gt;Sentinel for SAP Security Content | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-external-url" href="https://learn.microsoft.com/azure/sentinel/sap/sap-btp-security-content" target="_blank"&gt;Sentinel for SAP BTP Security Content | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 08 Jun 2026 10:52:16 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/the-worm-in-the-supply-chain-how-defender-for-endpoint-and/ba-p/4526246</guid>
      <dc:creator>MartinPankraz</dc:creator>
      <dc:date>2026-06-08T10:52:16Z</dc:date>
    </item>
    <item>
      <title>MSSP migration to Unified portal: how are you sequencing your customer portfolio?</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel/mssp-migration-to-unified-portal-how-are-you-sequencing-your/m-p/4526191#M12939</link>
      <description>&lt;P&gt;Following the automation and SOAR discussion, I wanted to open a conversation specifically focused on the MSSP and multi-tenant side of the migration, because this is where the coordination challenges are an order of magnitude higher than the technical ones.&lt;/P&gt;&lt;P&gt;A few things I am working through before writing this up as Part 5 of the migration series.&lt;/P&gt;&lt;P&gt;On Workspace Manager: Microsoft's own documentation now points you away from Workspace Manager at the point of onboarding to the Defender portal, directing you to Microsoft Defender multitenant management instead. For MSSPs who built their operating model around Workspace Manager, this is a significant structural change. For those implementing now, the recommendation is to go straight to the multitenant portal. I am interested in what the transition has looked like in practice for teams who were mid-flight on Workspace Manager when this became clear.&lt;/P&gt;&lt;P&gt;On access delegation: one of the more honest framings I want to include in the article is around the GDAP plus Unified RBAC gap. A Microsoft employee confirmed in the RSAC 2026 thread that Unified RBAC support for GDAP in the Defender portal is on the roadmap with no firm date. MSSPs choosing between Entra B2B and the governance relationships model today are making an architectural call that is difficult to reverse. I want to present this accurately, and real experience from practitioners will sharpen that framing.&lt;/P&gt;&lt;P&gt;On the connector deployment constraint: you cannot deploy connectors from a managed workspace configured with Azure Lighthouse alone, you also need GDAP. This makes a layered delegation architecture, Lighthouse plus GDAP plus B2B or governance relationships, necessary rather than optional. 
I am curious whether MSSPs are already running this layered model or whether most are still trying to make Lighthouse work as a single mechanism.&lt;/P&gt;&lt;P&gt;On migration sequencing: the question I want to ask specifically is how teams are structuring their customer portfolio migration. Are you running waves based on customer complexity, based on contract renewal timing, based on customer risk appetite, or some other factor? And when something goes wrong in one tenant's migration, how are you containing the impact on the rest of the programme?&lt;/P&gt;&lt;P&gt;Sharing the full article once it is written. Happy to discuss anything above in more detail in the thread.&lt;/P&gt;</description>
      <pubDate>Mon, 08 Jun 2026 01:13:15 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel/mssp-migration-to-unified-portal-how-are-you-sequencing-your/m-p/4526191#M12939</guid>
      <dc:creator>AnthonyPorter</dc:creator>
      <dc:date>2026-06-08T01:13:15Z</dc:date>
    </item>
    <item>
      <title>SentinelHealth: Scheduled Rule Retry Logging Does Not Match Docs</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel/sentinelhealth-scheduled-rule-retry-logging-does-not-match-docs/m-p/4525128#M12938</link>
      <description>&lt;H3&gt;Objective&lt;/H3&gt;&lt;P&gt;I am working on a health checks architecture for Microsoft Sentinel analytic rules. The goal is to build a set of monitoring queries/approaches that cover rule execution failures, configuration issues (entity mapping, partial success), rule audit tracking, and auto-disabled rule detection.&lt;/P&gt;&lt;H3&gt;My Current Approach&lt;/H3&gt;&lt;P&gt;So far I have built monitoring for the following areas using the SentinelHealth and SentinelAudit tables:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Scheduled rule window failures (retry exhaustion)&lt;/LI&gt;&lt;LI&gt;NRT rule execution delays (cumulative delay over 25 minutes)&lt;/LI&gt;&lt;LI&gt;Partial success and configuration issues (entity mapping drops, alert size limits, semantic errors) with transient error codes filtered out&lt;/LI&gt;&lt;LI&gt;Auto-disabled rules detection&lt;/LI&gt;&lt;LI&gt;Rule disable/delete audit tracking via SentinelAudit + AzActivity&lt;/LI&gt;&lt;/UL&gt;&lt;H3&gt;The Issue: Scheduled Rule Retry Logging&lt;/H3&gt;&lt;P&gt;The documentation at https://learn.microsoft.com/en-us/azure/sentinel/monitor-analytics-rule-integrity#scheduled-rules states that when a scheduled rule fails, it is retried 5 more times on the same window (6 total attempts). It also provides this query to detect completely skipped windows:&lt;/P&gt;&lt;PRE&gt;_SentinelHealth()
| where SentinelResourceType == @"Analytics Rule"
| where SentinelResourceKind == "Scheduled"
| where Status != "Success"
| extend startTime = tostring(ExtendedProperties["QueryStartTimeUTC"])
| summarize failuresByStartTime = count() by startTime, SentinelResourceId
| where failuresByStartTime == 6
| summarize count() by SentinelResourceId&lt;/PRE&gt;&lt;P&gt;This query assumes that each retry attempt is logged as a separate event in SentinelHealth, all sharing the same QueryStartTimeUTC. You would then count 6 failure records per startTime to identify a fully skipped window.&lt;/P&gt;&lt;P&gt;However, in practice I am seeing different behavior. I ran a diagnostic query with a 90-day lookback (480 non-success events total, 73 unique rules). Every single event had a count of 1 per unique (SentinelResourceName, startTime) combination. No grouping of retries was observed at all.&lt;/P&gt;&lt;P&gt;I then found an actual failed-window event that confirms this. Here is the record:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;Rule: Port scan detected (ASIM Network Session schema)&lt;/LI&gt;&lt;LI&gt;Status: Failure&lt;/LI&gt;&lt;LI&gt;Description: "Rule's scheduled run at 06/01/2026 10:43:55 failed after numerous attempts. It will be re-executed over the next scheduled time."&lt;/LI&gt;&lt;LI&gt;Issue Code: SemanticErrorInQuery&lt;/LI&gt;&lt;LI&gt;Only 1 SentinelHealth record exists for this failed window&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;The Description field says "failed after numerous attempts", which indicates the retries happened internally, but only one consolidated Failure event was written to SentinelHealth after all retries were exhausted. The individual retry attempts do not appear as separate records.&lt;/P&gt;&lt;P&gt;This means the failuresByStartTime == 6 query from the documentation would never match this pattern, because there is only 1 record per failed window, not 6.&lt;/P&gt;&lt;H3&gt;Why This Matters&lt;/H3&gt;&lt;P&gt;Yes, completely skipped windows are rare. In my 90-day dataset most failures were permanent types (SemanticErrorInQuery, QueryGeneralError) that would not benefit from retries anyway. But they still happen, and if a tenant experiences a transient issue that causes a higher rate of failed windows, the documented query would silently return nothing.&lt;/P&gt;&lt;P&gt;For my health checks I have rewritten the detection to simply look for Status == "Failure" with Description containing "failed after numerous attempts", which matches the actual consolidated event Sentinel writes.&lt;/P&gt;&lt;H3&gt;Questions&lt;/H3&gt;&lt;OL&gt;&lt;LI&gt;Is the documented failuresByStartTime == 6 query still accurate? Or has the retry logging behavior changed to write a single consolidated event per failed window?&lt;/LI&gt;&lt;LI&gt;Are there specific failure types or conditions where individual retries are logged as separate events? Perhaps transient failures behave differently from permanent ones in this regard?&lt;/LI&gt;&lt;LI&gt;For anyone else building health monitoring on SentinelHealth - am I missing any important use cases beyond what I described above?&lt;/LI&gt;&lt;/OL&gt;&lt;P&gt;Any clarification would be appreciated.&lt;/P&gt;</description>
      <pubDate>Wed, 03 Jun 2026 09:41:53 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel/sentinelhealth-scheduled-rule-retry-logging-does-not-match-docs/m-p/4525128#M12938</guid>
      <dc:creator>SomeZnimav</dc:creator>
      <dc:date>2026-06-03T09:41:53Z</dc:date>
    </item>
    <item>
      <title>What’s new in Microsoft Sentinel: May 2026</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-in-microsoft-sentinel-may-2026/ba-p/4523419</link>
      <description>&lt;P&gt;Welcome to the May edition of What's new in Microsoft Sentinel. This month’s updates focus on unified role-based access control (RBAC), ecosystem breadth, AI-agent security, and high-assurance identity.&lt;/P&gt;
&lt;P&gt;RBAC and row-level scoping are now generally available, giving security teams a single, granular permissions model across Sentinel and the Microsoft Defender portal and enabling multi-team SOC collaboration. The Sentinel connector catalog has passed 400 connectors, expanding coverage across Microsoft and third-party data sources and helping customers and partners onboard new data faster with the Codeless Connector Framework (CCF). The Agent 365 connector, now in public preview, brings AI agent telemetry into Sentinel data lake as first-class standardized signals so you can monitor agent behavior alongside identity, endpoint, and cloud activity. Finally, Entra Verified ID partner integrations in Microsoft Security Store are now generally available, delivering high‑assurance identity verification that makes account recovery after compromise far safer and significantly reduces the risk of re‑compromise.&lt;/P&gt;
&lt;P&gt;Read on for the full list of updates across Sentinel in May.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Sentinel innovations:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A class="lia-internal-link" href="#community--1-SIEM" target="_blank" rel="noopener" data-lia-auto-title="Sentinel SIEM" data-lia-auto-title-active="0"&gt;Sentinel SIEM&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-internal-link" href="#community--1-lake" target="_blank" rel="noopener" data-lia-auto-title="Sentinel data lake" data-lia-auto-title-active="0"&gt;Sentinel data lake&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A class="lia-internal-link" href="#community--1-store" target="_blank" rel="noopener" data-lia-auto-title="Microsoft Security Store" data-lia-auto-title-active="0"&gt;Microsoft Security Store&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;&lt;a id="community--1-SIEM" class="lia-anchor"&gt;&lt;/a&gt;&lt;STRONG class="lia-linked-item"&gt;Sentinel SIEM&lt;/STRONG&gt;&lt;/H1&gt;
&lt;H4&gt;&lt;STRONG&gt;Unified role-based access controls and row level scoping [Generally available]&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Sentinel now delivers general availability of two powerful access management capabilities: Unified RBAC and row-level data scoping. Together, these innovations provide a consistent, end-to-end model for controlling who can access data and what actions they can take — extending unified permissions management across the Defender portal while enabling granular, row-level visibility within a single Sentinel workspace.&lt;/P&gt;
&lt;P&gt;With Unified RBAC, organizations can simplify and centralize permissions across security workloads, reducing operational overhead, while row-level scoping enables secure collaboration across multiple teams by ensuring users only see data aligned to their role or scope. This milestone unlocks more scalable, multi-team SOC operations without the need for workspace segmentation, helping us to advance toward fully unified, granular access control across Microsoft Security.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Tenant groups [Public preview]&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Managing security across multiple tenants just got simpler. Tenant Groups in the Microsoft Defender multi-tenant portal (MTO) give managed security service providers (MSSPs), cloud service partners (CSPs), and multi-tenant security teams a flexible way to organize tenants into logical groupings such as customer segment, geography, or operational priority, and instantly switch views with a single click. This streamlined experience reduces noise, improves investigation focus, and aligns to how teams actually work, all while respecting existing permissions and access controls. &lt;A href="https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/organize-your-multitenant-view-with-tenant-groups-in-microsoft-defender/4522992" target="_blank" rel="noopener"&gt;Learn more.&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Out-of-the-box integrations for Sentinel automation&lt;/STRONG&gt;&lt;STRONG&gt; [Public preview]&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Out-of-the-box (OOTB) integrations for Sentinel automation bring a centralized catalog to easily discover, configure, and manage both Microsoft and third-party integrations. With simple, authentication-based setup, users can quickly add integrations and seamlessly incorporate them into playbooks. The experience places OOTB and custom integrations side by side, enhanced with smart search, recommendations, and duplicate prevention to streamline automation workflows end to end. &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/automation/integrations" target="_blank" rel="noopener"&gt;Learn more.&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;UEBA enhancements [Public preview]&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Microsoft Sentinel UEBA continues to evolve with improvements that simplify management and expand detection coverage.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;A dedicated UEBA tab view in the Sentinel settings page consolidates UEBA and behaviors settings, making configuration easier to find and manage. &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics?tabs=azure#access-ueba-from-ueba-tab" target="_blank" rel="noopener"&gt;Learn more.&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;UEBA insights and anomalies now support the OktaV2_CL table alongside the existing Okta_CL table, extending the anomalous activity and anomalous MFA failure detections to customers using the newer Okta connector format, without requiring new anomaly types. &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/ueba-reference?tabs=log-analytics" target="_blank" rel="noopener"&gt;Learn more.&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;UEBA extends GCP Audit Logs coverage with five anomaly detections for login activity, privileged actions, resource deployments, secret/KMS key access, and infrastructure usage. &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/anomalies-reference#ueba-anomalies" target="_blank" rel="noopener"&gt;Learn more.&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Together, these updates make UEBA easier to operate while extending its visibility into identity and behavior signals from additional cloud and identity providers.&lt;/P&gt;
&lt;P&gt;&lt;A href="https://www.microsoft.com/en-us/security/blog/2026/04/28/simplifying-aws-defense-microsoft-sentinel-ueba/" target="_blank" rel="noopener"&gt;Read the latest blog&lt;/A&gt; from the Microsoft Defender Research Team to learn more about Microsoft Sentinel UEBA and binary feature stacking, which uses clear binary signals to help establish behavioral context and inform investigation and detection decisions.&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Threat Intelligence – TAXII Export connector [Generally available]&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Sentinel supports threat intelligence export through the built-in Threat Intelligence – Trusted Automated Exchange of Intelligence Information (TAXII) Export connector, giving customers a standards-based way to share curated Structured Threat Information Expression (STIX) objects with supported TAXII 2.1 platforms. Configured from the Defender portal, the connector handles destination setup and intelligence delivery to external platforms. The capability supports cross-organization intelligence sharing for collective defense and centralized management in multi-tenant environments, with use cases across government, critical infrastructure, and large distributed organizations. Additional enhancements are planned, including more export options and expanded destination support. &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-taxii" target="_blank" rel="noopener"&gt;Learn more.&lt;/A&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Decision-stage resources for SIEM migration to Sentinel&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;The AI-powered SIEM migration experience helps teams analyze detections, identify required data sources and connectors, and plan a phased move to Sentinel. But customers still need help turning that analysis into a clear decision. To support that step, we’re introducing two new customer-facing resources: the &lt;STRONG&gt;Sentinel SIEM Migration Decision and Planning Guide&lt;/STRONG&gt;, which explains the migration journey, outputs, and decision checkpoints before execution, and the &lt;STRONG&gt;Decision-Stage Customer FAQ&lt;/STRONG&gt;, which answers common questions around disruption, cost, dual running, detection coverage, and delivery support. Together, these resources help make migration conversations more concrete and move teams more quickly from evaluation to a clearer, lower-risk next step.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Learn more:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;Read the blog: &lt;A href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/accelerate-your-move-to-microsoft-sentinel-with-the-new-ai-powered-siem-migratio/4488505" target="_blank" rel="noopener"&gt;AI-powered SIEM migration experience announcement&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Download the guide: &lt;A class="lia-external-url" href="https://aka.ms/Migration_Decision_Planning_Guide" target="_blank" rel="noopener"&gt;Decision and planning guide&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Download the FAQ: &lt;A class="lia-external-url" href="https://aka.ms/Migration_Customer_FAQ" target="_blank" rel="noopener"&gt;Decision-stage customer FAQ&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Learn more: &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/siem-migration" target="_blank" rel="noopener"&gt;SIEM migration experience documentation&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;Register for live AMA (Jun 23 at 9am PT): &lt;A href="https://techcommunity.microsoft.com/event/microsoft-security-events/ask-microsoft-anything-the-microsoft-sentinel-siem-migration-experience/4521635" target="_blank" rel="noopener"&gt;Live Microsoft Tech Community AMA on SIEM migration&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;&lt;a id="community--1-lake" class="lia-anchor"&gt;&lt;/a&gt;&lt;STRONG class="lia-linked-item"&gt;Sentinel data lake&lt;/STRONG&gt;&lt;/H1&gt;
&lt;H4&gt;&lt;STRONG&gt;400+ Sentinel data connectors&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;The Sentinel connector catalog now includes &lt;STRONG&gt;400+ connectors&lt;/STRONG&gt;, providing broad, ready-to-deploy coverage across Microsoft and third-party data sources. Customers can flexibly ingest security data into the Microsoft Sentinel analytics tier or the data lake tier. The Codeless Connector Framework (CCF) and the VS Code-based connector builder agent enable partners and customers to onboard new data sources faster and scale the catalog. Discover connectors in the Sentinel Content hub within the Defender portal or build custom connectors when needed. &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector-builder-agent" target="_blank" rel="noopener"&gt;Learn more.&lt;/A&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Agent 365 connector&lt;/STRONG&gt;&lt;STRONG&gt; [Public preview]&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;The Agent 365 connector streams AI agent telemetry from Agent 365 into Sentinel data lake, giving SOC teams visibility into agent behavior alongside identity, endpoint, and cloud signals. With the Agent 365 connector in place, Sentinel data lake becomes the system of record for agent security, turning activity such as data exposure or access drift into first-class security signals that analysts can correlate, hunt across, and investigate. Telemetry is normalized and mapped to standard Advanced Security Information Model (&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/normalization" target="_blank" rel="noopener"&gt;ASIM&lt;/A&gt;) schemas, ready for analytics and detections, and end-to-end investigations can run through KQL, graph, and MCP-powered workflows. Install the connector with a single click from Sentinel Content Hub in the Defender portal.&amp;nbsp;&lt;A href="https://techcommunity.microsoft.com/blog/microsoftsentinelblog/agent-365-connector-monitor-hunt-and-investigate-ai-agent-activity-in-microsoft-/4520836" target="_blank" rel="noopener"&gt;Learn more.&lt;/A&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;CCF support for Azure Blob Storage &lt;/STRONG&gt;&lt;STRONG&gt;[Public preview]&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Sentinel Codeless Connector Framework (CCF) supports Azure Blob Storage as a data source, providing an ingestion pattern designed for high-volume security data. Partners and customers can build CCF connectors that read from Blob Storage through a durable architecture that buffers spikes, handles backpressure, and reduces data loss risk during outages or throttling, making ingestion more reliable for variable or distributed pipelines. The pattern broadens compatibility with partners already streaming logs to Azure as part of their audit data delivery, with Cloudflare and Netskope as early adopters. App Assure further provides engineering-backed support for designing, validating, and remediating the Azure Blob Storage CCF connector integration. &lt;A href="https://aka.ms/SentinelAzureBlobStorage" target="_blank" rel="noopener"&gt;Learn more.&lt;/A&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Data filtering and splitting [Generally available]&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;At RSAC, we announced built‑in filtering and splitting capabilities in Microsoft Sentinel, which are now generally available. As security teams ingest more data, it is important to optimize the security data pipeline by controlling what data is ingested and in which tier. With filtering and splitting natively integrated into the Defender portal, security teams can shape data before it reaches Sentinel, without switching tools or managing custom JSON files. Using simple KQL‑based transformations directly in the UI, you can filter low‑value events and intelligently route data, making ingestion optimization faster, more intuitive, and easier to manage at scale.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Filtering&lt;/STRONG&gt; at ingest time allows you to remove low‑value or benign events to reduce noise, lower unnecessary processing, and ensure high‑signal data drives detections and investigations.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Splitting &lt;/STRONG&gt;enables intelligent routing of data between the analytics tier and the data lake tier based on relevance and usage.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;Together, these capabilities help you balance cost and performance while scaling data ingestion sustainably as your digital estate grows. &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/transformation-filter-split" target="_blank" rel="noopener"&gt;Learn more.&lt;/A&gt;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Transition your Sentinel connectors to the Codeless Connector Framework (CCF) [Action required]&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/azure-monitor/logs/custom-logs-migrate?tabs=azure-cli" target="_blank" rel="noopener"&gt;Azure has announced&lt;/A&gt; that the legacy Azure Data Collection API will be deprecated on September 14, 2026. Sentinel recommends customers &lt;A href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/action-required-transition-from-http-data-collector-api-in-microsoft-sentinel/4499777?previewMessage=true" target="_blank" rel="noopener"&gt;review existing connectors and upgrade to the latest Codeless Connector Framework (CCF) versions&lt;/A&gt; to ensure continued access to the newest Sentinel capabilities. &lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector" target="_blank" rel="noopener"&gt;CCF&lt;/A&gt; delivers a fully managed SaaS experience with built-in health monitoring, centralized credential management, and improved performance. This enables partners and customers to onboard new data sources faster and at scale.&lt;/P&gt;
&lt;H1&gt;&lt;a id="community--1-store" class="lia-anchor"&gt;&lt;/a&gt;&lt;STRONG class="lia-linked-item"&gt;Microsoft Security Store&lt;/STRONG&gt;&lt;/H1&gt;
&lt;H4&gt;&lt;STRONG&gt;Entra Verified ID partner integrations via Security Store [Generally available]&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Security Store helps organizations secure one of the most critical steps in incident response: safe account recovery after compromise. Once a SOC team detects and contains a potential account takeover (ATO), restoring access requires high confidence that the user is legitimate. Through partner integrations with IDEMIA, AU10TIX, CLEAR, 1Kosmos, and WhoAmI, customers can extend Entra Verified ID with high-assurance identity verification (such as document and biometric checks) to validate users during recovery, onboarding, or helpdesk workflows. This helps replace weaker fallback methods that attackers often exploit, enabling SOC and IT teams to safely restore access while reducing risk of re-compromise.&amp;nbsp;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-entra-blog/passkeys-aren%E2%80%99t-the-finish-line-eliminating-fallbacks-and-fixing-recovery/3627345" target="_blank" rel="noopener"&gt;Learn more.&lt;/A&gt;&amp;nbsp;&lt;/P&gt;
&lt;H4&gt;&lt;STRONG&gt;Purview Data Security Triage Agent in Defender [Public preview]&lt;/STRONG&gt;&lt;/H4&gt;
&lt;P&gt;Security Store powers how customers discover and activate data security agents across Defender and Microsoft Purview, starting with the Data Security Triage Agent. This capability delivers AI-generated summaries and prioritization of Data Loss Prevention (DLP) alerts directly into Defender XDR, helping security teams reduce noise and focus on the incidents that matter most. By unifying discovery and activation through Security Store, customers can deploy data security agents in fewer steps and enable more integrated workflows across threat and data protection surfaces. &lt;A href="https://learn.microsoft.com/en-us/purview/copilot-in-purview-triage-dlp-agent-get-started" target="_blank" rel="noopener"&gt;Learn more.&lt;/A&gt;&lt;/P&gt;
&lt;H1&gt;&lt;STRONG&gt;Additional resources&lt;/STRONG&gt;&lt;/H1&gt;
&lt;P&gt;&lt;STRONG&gt;Blogs and documentation:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://techcommunity.microsoft.com/blog/microsoft-security-blog/from-idea-to-production-%E2%80%94-building-microsoft-security-store-advisor-with-an-agen/4519043" target="_blank" rel="noopener"&gt;From idea to production: Building Security Store Advisor with an agentic SDLC&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Upcoming webinars:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;June 4: &lt;A href="https://msevents.microsoft.com/event?id=3728353065" target="_blank" rel="noopener"&gt;End-to-End Security in the Age of Agentic AI&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;June 10: &lt;A href="https://msevents.microsoft.com/event?id=3933862676" target="_blank" rel="noopener"&gt;Deploy, optimize, and implement threat protection with Sentinel&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;June 10: &lt;A href="https://msevents.microsoft.com/event?id=762323258" target="_blank" rel="noopener"&gt;Security Foundations for AI Adoption&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;June 24: &lt;A href="https://msevents.microsoft.com/event?id=904737331" target="_blank" rel="noopener"&gt;Modern Security Made Simple: Stay Ahead of Threats with Sentinel&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;&lt;STRONG&gt;Upcoming events:&lt;/STRONG&gt;&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;June 2–3: Microsoft Build, San Francisco (and free online)
&lt;UL&gt;
&lt;LI&gt;CEO Satya Nadella Day 1 keynote&lt;/LI&gt;
&lt;LI&gt;90+ sessions, Microsoft Security experts onsite&lt;/LI&gt;
&lt;LI&gt;Register:&amp;nbsp;&lt;A href="https://register.build.microsoft.com/flow/microsoft/build26/welcome/page/welcome" target="_blank" rel="noopener"&gt;build.microsoft.com&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;/UL&gt;
&lt;H1&gt;&lt;STRONG&gt;Stay connected&lt;/STRONG&gt;&lt;/H1&gt;
&lt;P&gt;Check back each month for the latest innovations, updates, and events to ensure you’re getting the most out of &lt;A href="https://aka.ms/microsoftsentinel" target="_blank" rel="noopener"&gt;Microsoft Sentinel&lt;/A&gt;. We’ll see you in the next edition!&lt;/P&gt;</description>
      <pubDate>Thu, 04 Jun 2026 10:07:32 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-in-microsoft-sentinel-may-2026/ba-p/4523419</guid>
      <dc:creator>Sowmys</dc:creator>
      <dc:date>2026-06-04T10:07:32Z</dc:date>
    </item>
    <item>
      <title>Agent 365 connector: Monitor, hunt, and investigate AI agent activity in Microsoft Sentinel</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/agent-365-connector-monitor-hunt-and-investigate-ai-agent/ba-p/4520836</link>
      <description>&lt;P&gt;As enterprises scale the use of AI agents, SOC teams need visibility into AI agent behavior. The &lt;STRONG&gt;Agent 365 connector&lt;/STRONG&gt;, now in public preview, streams rich agent telemetry from Agent 365 into Microsoft Sentinel data lake. Agent activity, such as agent data exposure or access drift, is surfaced alongside other security data, giving SOC teams a unified view across digital environments. AI agent actions are correlated with agent identity, endpoint, and cloud signals, enabling analysts to run end‑to‑end investigations using KQL, graph, and MCP-powered workflows.&lt;/P&gt;
&lt;H1&gt;Why this matters for organizations&lt;/H1&gt;
&lt;P&gt;By centralizing security and AI agent telemetry in Sentinel data lake, organizations establish a unified control plane for securing AI agents. Security teams can analyze agent activity in context with broader signals and investigate using familiar Sentinel tools, so SOCs can detect risky or anomalous agent behavior early, understand impact quickly, and respond with speed and confidence. As AI agents take on real operational responsibility, this level of visibility is critical to prevent blind spots, reduce risk, and ensure agents operate safely at enterprise scale.&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;End‑to‑end visibility into AI agent behavior: &lt;/STRONG&gt;A centralized view of AI agent behavior allows AI agents to be treated as first-class entities alongside users, identities, endpoints, and workloads.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Advanced hunting with KQL: &lt;/STRONG&gt;Hunt using KQL to proactively uncover unusual AI agent execution patterns, sensitive actions, or activity without clear human context. These hunts help surface potential risk early using the same workflows already used for other security data.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Analyzing blast radius and impact with Sentinel graph: &lt;/STRONG&gt;Security teams can correlate AI agent activity with identities, endpoints, and cloud resources to understand blast radius and potential impact during an investigation. By pivoting across related entities in Sentinel, analysts can assess how agent actions connect to the broader environment and support deeper, end‑to‑end investigations.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;Querying agent data through MCP:&lt;/STRONG&gt; Use MCP to surface agent observability data through AI assistants, letting analysts pull agent telemetry into investigation workflows alongside other Sentinel data.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H2&gt;Agent 365 connector key capabilities&lt;/H2&gt;
&lt;P&gt;Install the Agent 365 connector with a single click using Sentinel Content Hub in the Defender portal. Once enabled, two capabilities come online automatically:&lt;/P&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;STRONG&gt;Unified agent telemetry across Agent 365 agent experiences:&lt;/STRONG&gt; Rich Agent 365 agent telemetry streams into Sentinel data lake, ready to analyze alongside identity, endpoint, and cloud signals using familiar SOC workflows.&lt;/LI&gt;
&lt;LI&gt;&lt;STRONG&gt;ASIM unified schema for AI agent observability:&lt;/STRONG&gt; Agent 365 agent observability data is normalized into an ASIM-aligned schema so it is consistent, queryable, and ready for analytics and detections.&lt;/LI&gt;
&lt;/UL&gt;
&lt;P&gt;With the connector in place, Sentinel data lake becomes the system of record and the control plane for Agent 365 agent security—turning agent behavior into first-class security signals across SecOps workflows like hunting, investigation, detection engineering, and response.&lt;/P&gt;
&lt;H1&gt;Use cases&lt;/H1&gt;
&lt;P&gt;&lt;STRONG&gt;Prevent sensitive data exposure from misconfigured agents&lt;/STRONG&gt;&lt;BR /&gt;When an AI agent is granted broader access than intended, a crafted prompt could override safeguards and expose confidential data. With agent telemetry, security teams can trace the full execution path—from prompt to tools to data access—to quickly identify the root cause and contain the exposure.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Detect and control agent access drift over time&lt;/STRONG&gt;&lt;BR /&gt;As agents take on new tasks, their permissions can expand beyond the original scope, often without clear visibility. Agent telemetry enables continuous behavioral baselining, making it easier to spot abnormal access patterns early and prevent privilege misuse before it escalates.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Uncover hidden lateral movement across agent workflows&lt;/STRONG&gt;&lt;BR /&gt;Agents often collaborate and delegate tasks across systems, creating complex chains of execution that are difficult to track. Agent telemetry provides visibility into these interactions, mapping delegation paths and helping teams understand and limit the potential blast radius.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Defend against prompt injection and manipulation attacks&lt;/STRONG&gt;&lt;BR /&gt;Attackers can craft prompts to override agent instructions and manipulate behavior. By capturing prompts and reasoning flows, agent telemetry enables detection of these attacks and provides the context needed to investigate and remediate quickly.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Accelerate SOC investigations with end-to-end visibility&lt;/STRONG&gt;&lt;BR /&gt;When an agent is involved in a security alert, understanding its actions can be challenging. Agent telemetry correlates prompts, identities, tools, and data access into a unified timeline, giving SOC teams the clarity needed to investigate faster and respond with confidence.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Strengthen governance and compliance for AI agents&lt;/STRONG&gt;&lt;BR /&gt;Organizations need visibility into what agents exist and what data they can access. Agent telemetry provides a comprehensive audit trail of agent activity and access patterns, supporting compliance reporting and policy enforcement.&lt;/P&gt;
&lt;P&gt;&lt;STRONG&gt;Enable proactive threat hunting on agent behavior&lt;/STRONG&gt;&lt;BR /&gt;Security teams need to stay ahead of emerging risks as agent usage grows. Agent telemetry enables advanced hunting across agent activity, helping detect anomalies, uncover patterns, and identify threats before they impact the organization.&lt;/P&gt;
&lt;H1&gt;Get started with Agent 365 connector&lt;/H1&gt;
&lt;P&gt;Getting started is straightforward.&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;In the Microsoft Defender portal, navigate to &lt;STRONG&gt;Microsoft Sentinel&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Open &lt;STRONG&gt;Content hub&lt;/STRONG&gt; and search for &lt;STRONG&gt;Agent 365&lt;/STRONG&gt;&lt;/LI&gt;
&lt;LI&gt;Install the &lt;STRONG&gt;Agent 365 Connector&lt;/STRONG&gt; (if not already installed)&lt;/LI&gt;
&lt;LI&gt;Open the connector page and select &lt;STRONG&gt;Connect&lt;/STRONG&gt; to begin ingestion&lt;/LI&gt;
&lt;/OL&gt;
&lt;P&gt;Once connected, AI agent telemetry starts flowing into Sentinel, ready for hunting, investigation, and response. Data ingestion and analytics are billed using existing Sentinel meters.&lt;/P&gt;
&lt;H1&gt;Learn more&lt;/H1&gt;
&lt;UL&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/data-connectors-reference#a365-observability" target="_blank" rel="noopener"&gt;Find the Agent 365 data connector | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-deploy?tabs=defender-portal" target="_blank" rel="noopener"&gt;Discover and manage Sentinel out-of-the-box content | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/configure-data-connector?tabs=defender-portal" target="_blank" rel="noopener"&gt;Connect data sources to Sentinel by using data connectors | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-sample-queries" target="_blank" rel="noopener"&gt;Sample KQL queries for Sentinel data lake | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://www.youtube.com/playlist?list=PL3ZTgFEc7LyvM-OlDTB8BDV_aARfmBMG9" target="_blank" rel="noopener"&gt;Watch the Sentinel data lake video playlist | Microsoft Security&lt;/A&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;A href="https://aka.ms/Get_started/Sentinel_datalake" target="_blank" rel="noopener"&gt;Get started with Sentinel data lake | Microsoft Learn&lt;/A&gt;&lt;/LI&gt;
&lt;/UL&gt;</description>
      <pubDate>Mon, 18 May 2026 16:05:15 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/agent-365-connector-monitor-hunt-and-investigate-ai-agent/ba-p/4520836</guid>
      <dc:creator>RGupta</dc:creator>
      <dc:date>2026-05-18T16:05:15Z</dc:date>
    </item>
    <item>
      <title>Sentinel SOAR migration to Unified portal: what broke? anyone evaluated the AI playbook generator?</title>
      <link>https://techcommunity.microsoft.com/t5/microsoft-sentinel/sentinel-soar-migration-to-unified-portal-what-broke-anyone/m-p/4519890#M12935</link>
      <description>&lt;P&gt;I want to open a conversation specifically focused on the automation and SOAR side of the migration, because this is the area where problems most commonly surface after onboarding rather than during it.&lt;/P&gt;&lt;P&gt;A quick orientation: the Unified portal introduces a specific constraint that catches teams by surprise. Alert-triggered automation for alerts created by Microsoft Defender XDR is not available in the Defender portal. The main use case for alert-triggered automation in this context is responding to alerts from analytics rules where incident creation is disabled. If you had alert-triggered playbooks firing on Defender XDR signals, those need to be re-evaluated against the incident trigger model. This is documented by Microsoft, but it is easy to miss in the volume of migration guidance.&lt;/P&gt;&lt;P&gt;The automation failure mode I have seen most consistently: automation rules built around incident title conditions. The Defender XDR correlation engine assigns its own incident names, so any condition keyed to "if incident title contains X" stops matching without throwing an error. The rule is still active, the automation is still enabled, and everything looks fine until someone notices a class of enrichment or response has gone quiet. Microsoft's recommendation is to use Analytic rule name as the condition instead.&lt;/P&gt;&lt;P&gt;There is also a firm near-term deadline separate from the March 2027 portal retirement: queries and automation need to be updated by July 1, 2026 for standardised account entity naming. The Name field will consistently hold only the UPN prefix from that date. Any automation comparing AccountName against a full UPN will break.&lt;/P&gt;&lt;P&gt;A few specific questions for practitioners:&lt;/P&gt;&lt;UL&gt;&lt;LI&gt;When you onboarded or reviewed your automation post-onboarding, what broke silently versus what produced a visible error? Silent failures are the dangerous ones and sharing specific patterns would be genuinely useful for the community.&lt;/LI&gt;&lt;LI&gt;Has anyone evaluated the new AI playbook generator in the Defender portal? It requires Security Copilot with SCUs available and generates Python-based automation coauthored with Cline in an embedded VS Code environment. Interested in real-world comparisons against existing Logic Apps workflows for the same use case.&lt;/LI&gt;&lt;LI&gt;For those who have migrated alert-triggered playbooks to automation rule invocation: did you find edge cases in the migration, particularly around playbooks used by multiple analytics rules simultaneously?&lt;/LI&gt;&lt;/UL&gt;&lt;P&gt;Writing this up as Part 4 of the migration series. Sharing the article link once it is live for anyone who wants the full detail.&lt;/P&gt;</description>
      <pubDate>Thu, 14 May 2026 23:42:29 GMT</pubDate>
      <guid>https://techcommunity.microsoft.com/t5/microsoft-sentinel/sentinel-soar-migration-to-unified-portal-what-broke-anyone/m-p/4519890#M12935</guid>
      <dc:creator>AnthonyPorter</dc:creator>
      <dc:date>2026-05-14T23:42:29Z</dc:date>
    </item>
  </channel>
</rss>

