Microsoft Sentinel topics

Clarification on UEBA Behaviors Layer Support for Zscaler and Fortinet Logs

RohitN026 — Tue, 24 Feb 2026 16:54:36 GMT

I would like to confirm whether the new UEBA Behaviors Layer in Microsoft Sentinel currently supports generating behavior insights for Zscaler and Fortinet log sources.

Based on the documentation, the preview version of the Behaviors Layer only supports specific vendors under CommonSecurityLog (CyberArk Vault and Palo Alto Threats), AWS CloudTrail services, and GCP Audit Logs. Since Zscaler and Fortinet are not listed among the supported vendors, I want to verify:

Does the UEBA Behaviors Layer generate behavior records for Zscaler and Fortinet logs, or are these vendors currently unsupported for behavior generation? As logs from Zscaler and Fortinet will also be get ingested in CommonSecurityLog table only.

McasShadowItReporting / Cloud Discovery in Azure Sentinel

Felix87 — Tue, 17 Feb 2026 09:48:47 GMT

Hi!

I´m trying to Query the McasShadowItReporting Table, for Cloud App DISCOVERYs

The Table is empty at the moment, the connector is warning me that the Workspace is onboarded to Unified Security Operations Platform
So I cant activate it here

I cant mange it via https://security.microsoft.com/, too

The Documentation ( https://learn.microsoft.com/en-us/defender-cloud-apps/siem-sentinel#integrating-with-microsoft-sentinel )

Leads me to the SIEM Integration, which is configured for (for a while)

I wonder if something is misconfigured here and why there is no log ingress / how I can query them

CrowdStrike API Data Connector (via Codeless Connector Framework) (Preview)

logger2115 — Fri, 13 Feb 2026 17:04:32 GMT

API scopes created. Added to Connector however only streams observed are from Alerts and Hosts.

Detections is not logging? Anyone experiencing this issue? Github has post about it apears to be escalated for feature request.

CrowdStrikeDetections. not ingested

Anyone have this setup and working?

Salesforce Service Cloud (via Codeless Connector Framework)

logger2115 — Fri, 13 Feb 2026 16:53:06 GMT

We have 3 environments, does this connector support multiple tenants or is it limited to onle one FQDN?

Dedicated cluster for Sentinels in different tenants

de3no2 — Thu, 12 Feb 2026 08:47:30 GMT

Hello

I see that there is a possibility to use a dedicated cluster for a workspace in the same Azure region. What about workspaces that reside in different tenants but are in the same Azure region? Is that possible?

We are utilizing multiple tenants, and we want to keep this operational model. However, there is a central SOC, and we wonder if there is a possibility to utilize a dedicated cluster for cost optimization.

How Should a Fresher Learn Microsoft Sentinel Properly?

Arjun34 — Wed, 11 Feb 2026 02:38:02 GMT

Hello everyone,

I am a fresher interested in learning Microsoft Sentinel and preparing for SOC roles.

Since Sentinel is a cloud-native enterprise tool and usually used inside organizations, I am unsure how individuals without company access are expected to gain real hands-on experience.

I would like to hear from professionals who actively use Sentinel:

- How do freshers typically learn and practice Sentinel?

- What learning resources or environments are commonly used by beginners?

- What level of hands-on experience is realistically expected at entry level?

I am looking for guidance based on real industry practice.

Thank you for your time.

How do I import Purview Unified Audit Log data related to the use of the Audit Log into Sentinel?

BM-HV — Thu, 22 Jan 2026 09:29:43 GMT

Dear Community, I would like to implement the following scenario on an environment with Microsoft 365 E5 licenses:

Scenario: I want to import audit activities into an Azure Log Analytics workspace linked to Sentinel to generate alerts/incidents as soon as a search is performed in the Microsoft 365 Purview Unified Audit Log (primarily for IRM purposes).

Challenge: Neither the "Microsoft 365" connector, nor the "Defender XDR" or "Purview" (which appear to be exclusively Azure Purview) connectors are importing the necessary data.

Question: Which connector do I have to use in order to obtain Purview Unified Audit Log activities about the use of the Purview Unified Audit Log so that I can identify...

...which user conducted when an audit log search and with what kind of search query.

Thank you!

Issue connecting Azure Sentinel GitHub app to Sentinel Instance when IP allow list is enabled

JingleDingle — Fri, 16 Jan 2026 04:33:45 GMT

Hi everyone,

I’m running into an issue connecting the Azure Sentinel GitHub app to my Sentinel workspace in order to create our CI/CD pipelines for our detection rules, and I’m hoping someone can point me in the right direction.

Symptoms:

When configuring the GitHub connection in Sentinel, the repository dropdown does not populate.

There are no explicit errors, but the connection clearly isn’t completing.

If I disable my organization’s IP allow list, everything works as expected and the repos appear immediately.

I’ve seen that some GitHub Apps automatically add the IP ranges they require to an organization’s allow list. However, from what I can tell, the Azure Sentinel GitHub app does not seem to have this capability, and requires manual allow listing instead.

What I’ve tried / researched:

Reviewed Microsoft documentation for Sentinel ↔ GitHub integrations

Looked through Azure IP range and Service Tag documentation

I’ve seen recommendations to allow list the IP ranges published at //api.github.com/meta, as many GitHub apps rely on these ranges

I’ve already tried allow listing multiple ranges from the GitHub meta endpoint, but the issue persists

My questions:

Does anyone know which IP ranges are used by the Azure Sentinel GitHub app specifically?

Is there an official or recommended approach for using this integration in environments with strict IP allow lists?

Has anyone successfully configured this integration without fully disabling IP restrictions?

Any insight, references, or firsthand experience would be greatly appreciated. Thanks in advance!

How to Prevent Workspace Details from Appearing in LAQueryLogs During Cross-Workspace Queries

ParthPatel50 — Mon, 05 Jan 2026 14:09:29 GMT

I’ve onboarded multiple workspaces using Azure Lighthouse, and I’m running cross-workspace KQL queries using the workspace() function.
However, I’ve noticed that LAQueryLogs records the query in every referenced workspace, and the RequestContext field includes details about all other workspaces involved in the query.
Is there any way to run cross-workspace queries without having all workspace details logged in LAQueryLogs for each referenced workspace?

I'm stuck!

MrD — Mon, 08 Dec 2025 14:06:14 GMT

Logically, I'm not sure how\if I can do this.

I want to monitor for EntraID Group additions - I can get this to work for a single entry using this:

AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Add member to group"
| where TargetResources[0].type == "User"
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where GroupName == "NameOfGroup" <-- This returns the single entry
| extend User = tostring(TargetResources[0].userPrincipalName)
| summarize ['Count of Users Added']=dcount(User), ['List of Users Added']=make_set(User) by GroupName
| sort by GroupName asc

However, I have a list of 20 Priv groups that I need to monitor. I can do this using:

let PrivGroups = dynamic[('name1','name2','name3'});

and then call that like this:

blahblah

| where TargetResources[0].type == "User"
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where GroupName has_any (PrivGroup)

But that's a bit dirty to update - I wanted to call a watchlist. I've tried defining with:

let PrivGroup = (_GetWatchlist('TestList'));

and tried calling like:

blahblah

I've tried dropping the let and attempted to lookup the watchlist directly:

| where GroupName has_any (_GetWatchlist('TestList'))

The query runs but doesn't return any results (Obvs I know the result exists) - How do I lookup that extracted value on a Watchlist.

Any ideas or pointers why I'm wrong would be appreciated!

Many thanks

Webinar Rescheduled: AI-Powered Entity Analysis in Sentinel's MCP Server

emilyfalla — Fri, 05 Dec 2025 00:50:30 GMT

Hi folks!

The webinar: AI-Powered Entity Analysis in Sentinel's MCP Server which was previously scheduled for: January 13th, 2026, has been rescheduled to: January 27th, 2026, at 9:00 AM PT.

Please delete the old invite from your calendar and find the new one at aka.ms/securitycommunity.

We apologize for the inconvenience and hope to see you there!

Understand New Sentinel Pricing Model with Sentinel Data Lake Tier

Aaida_Aboobakkar — Wed, 26 Nov 2025 12:43:46 GMT

Introduction on Sentinel and its New Pricing Model

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platform that collects, analyzes, and correlates security data from across your environment to detect threats and automate response. Traditionally, Sentinel stored all ingested data in the Analytics tier (Log Analytics workspace), which is powerful but expensive for high-volume logs. To reduce cost and enable customers to retain all security data without compromise, Microsoft introduced a new dual-tier pricing model consisting of the Analytics tier and the Data Lake tier. The Analytics tier continues to support fast, real-time querying and analytics for core security scenarios, while the new Data Lake tier provides very low-cost storage for long-term retention and high-volume datasets. Customers can now choose where each data type lands—analytics for high-value detections and investigations, and data lake for large or archival types—allowing organizations to significantly lower cost while still retaining all their security data for analytics, compliance, and hunting.

Please flow diagram depicts new sentinel pricing model:

Now let's understand this new pricing model with below scenarios:

Scenario 1A (PAY GO)
Scenario 1B (Usage Commitment)
Scenario 2 (Data Lake Tier Only)

Scenario 1A (PAY GO)

Requirement

Suppose you need to ingest 10 GB of data per day, and you must retain that data for 2 years. However, you will only frequently use, query, and analyze the data for the first 6 months.

Solution

To optimize cost, you can ingest the data into the Analytics tier and retain it there for the first 6 months, where active querying and investigation happen. After that period, the remaining 18 months of retention can be shifted to the Data Lake tier, which provides low-cost storage for compliance and auditing needs. But you will be charged separately for data lake tier querying and analytics which depicted as Compute (D) in pricing flow diagram.

Pricing Flow / Notes

The first 10 GB/day ingested into the Analytics tier is free for 31 days under the Analytics logs plan.
All data ingested into the Analytics tier is automatically mirrored to the Data Lake tier at no additional ingestion or retention cost.
For the first 6 months, you pay only for Analytics tier ingestion and retention, excluding any free capacity.
For the next 18 months, you pay only for Data Lake tier retention, which is significantly cheaper.

Azure Pricing Calculator Equivalent

Assuming no data is queried or analyzed during the 18-month Data Lake tier retention period:

Although the Analytics tier retention is set to 6 months, the first 3 months of retention fall under the free retention limit, so retention charges apply only for the remaining 3 months of the analytics retention window. Azure pricing calculator will adjust accordingly.

Scenario 1B (Usage Commitment)

Now, suppose you are ingesting 100 GB per day. If you follow the same pay-as-you-go pricing model described above, your estimated cost would be approximately $15,204 per month.

However, you can reduce this cost by choosing a Commitment Tier, where Analytics tier ingestion is billed at a discounted rate. Note that the discount applies only to Analytics tier ingestion—it does not apply to Analytics tier retention costs or to any Data Lake tier–related charges.

Please refer to the pricing flow and the equivalent pricing calculator results shown below.

Monthly cost savings:
$15,204 – $11,184 = $4,020 per month

Now the question is: What happens if your usage reaches 150 GB per day?
Will the additional 50 GB be billed at the Pay-As-You-Go rate?

No. The entire 150 GB/day will still be billed at the discounted rate associated with the 100 GB/day commitment tier bucket.

Azure Pricing Calculator Equivalent (100 GB/ Day)

Azure Pricing Calculator Equivalent (150 GB/ Day)

Scenario 2 (Data Lake Tier Only)

Requirement

Suppose you need to store certain audit or compliance logs amounting to 10 GB per day. These logs are not used for querying, analytics, or investigations on a regular basis, but must be retained for 2 years as per your organization’s compliance or forensic policies.

Solution

Since these logs are not actively analyzed, you should avoid ingesting them into the Analytics tier, which is more expensive and optimized for active querying.
Instead, send them directly to the Data Lake tier, where they can be retained cost-effectively for future audit, compliance, or forensic needs.

Pricing Flow

Because the data is ingested directly into the Data Lake tier, you pay both ingestion and retention costs there for the entire 2-year period.
If, at any point in the future, you need to perform advanced analytics, querying, or search, you will incur additional compute charges, based on actual usage.
Even with occasional compute charges, the cost remains significantly lower than storing the same data in the Analytics tier.

Realized Savings

Scenario	Cost per Month
Scenario 1: 10 GB/day in Analytics tier	$1,520.40
Scenario 2: 10 GB/day directly into Data Lake tier	$202.20 (without compute) $257.20 (with sample compute price)

Scenario

Cost per Month

Scenario 1: 10 GB/day in Analytics tier

$1,520.40

Scenario 2: 10 GB/day directly into Data Lake tier

$202.20 (without compute)

$257.20 (with sample compute price)

Savings with no compute activity:
$1,520.40 – $202.20 = $1,318.20 per month
Savings with some compute activity (sample value):
$1,520.40 – $257.20 = $1,263.20 per month

Azure calculator equivalent without compute

Azure calculator equivalent with Sample Compute

Conclusion

The combination of the Analytics tier and the Data Lake tier in Microsoft Sentinel enables organizations to optimize cost based on how their security data is used. High-value logs that require frequent querying, real-time analytics, and investigation can be stored in the Analytics tier, which provides powerful search performance and built-in detection capabilities. At the same time, large-volume or infrequently accessed logs—such as audit, compliance, or long-term retention data—can be directed to the Data Lake tier, which offers dramatically lower storage and ingestion costs. Because all Analytics tier data is automatically mirrored to the Data Lake tier at no extra cost, customers can use the Analytics tier only for the period they actively query data, and rely on the Data Lake tier for the remaining retention. This tiered model allows different scenarios—active investigation, archival storage, compliance retention, or large-scale telemetry ingestion—to be handled at the most cost-effective layer, ultimately delivering substantial savings without sacrificing visibility, retention, or future analytical capabilities.

Sentinel to Defender | Two-part webinar series: Dec 9 & 16

RenWoods — Thu, 20 Nov 2025 16:05:41 GMT

Register here

Defender Entity Page w/ Sentinel Events Tab

HeyNiko — Thu, 20 Nov 2025 14:45:36 GMT

One device is displaying the Sentinel Events Tab, while the other is not. The only difference observed is that one device is Azure AD (AAD) joined and the other is Domain Joined. Could this difference account for the missing Sentinel events data?

Any insight would be appreciated!

Tenant-based Microsoft Defender for Cloud Connector

logger2115 — Thu, 13 Nov 2025 22:04:01 GMT

As the title states the connector is connect but no alerts show in Sentinel. Alerts are in Defender for Cloud they do not show in Sentinel. Data connector is connected, law exports are configured to send to law rg. What's missing?

Asia Pacific and Japan- Get Insider Access to Microsoft Security Products!

RenWoods — Wed, 12 Nov 2025 21:13:14 GMT

https://aka.ms/JoinAPJCommunity

Sentinel to Defender webinar series CANCELLED, will be rescheduled at a later date.

RenWoods — Tue, 04 Nov 2025 15:50:32 GMT

The Sentinel to Defender webinar series has been cancelled. Please visit aka.ms/securitycommunity to sign up for upcoming Microsoft Security webinars and to join the mailing list to be notified of future sessions. We apologize for any inconvenience.

Microsoft Application Protection Incidents

manntj — Tue, 28 Oct 2025 11:08:28 GMT

Hi,

Seeing a small number of incidents within Sentinel with the Alert product name of 'Microsoft Application Protection'.

Can view them in Sentinel but when clicking on the hyper link to be taken to the defender portal I can't access them?

Two things, which Defender suite are these alerts coming from? Which roles/permissions are required to view them within the Defender/Unified portal?

Ingest IOC from Google Threat Intelligence into Sentinel

HA13029 — Fri, 24 Oct 2025 12:00:25 GMT

Hi all,

I'm string to ingest IOCs from Google Threat Intelligence into Sentinel.

I follow the guide at gtidocs.virutotal.com/docs/gti4sentinel-guide

API KEY is correct.

PS: I'm using standard free public API (created in Viru Total)

Managed Identitity has been configured using the correct role.

When I run the Logic APP, I received an HTTP error 403

"code": "ForbiddenError",

"message": "You are not authorized to perform the requested operation"

What's the problem ??

Regards,

Issue when ingesting Defender XDR table in Sentinel

lsoumille — Fri, 24 Oct 2025 08:52:54 GMT

Hello,

We are migrating our on-premises SIEM solution to Microsoft Sentinel since we have E5 licences for all our users. The integration between Defender XDR and Sentinel convinced us to make the move.

We have a limited budget for Sentinel, and we found out that the Auxiliary/Data Lake feature is sufficient for verbose log sources such as network logs.

We would like to retain Defender XDR data for more than 30 days (the default retention period). We implemented the solution described in this blog post: https://jeffreyappel.nl/how-to-store-defender-xdr-data-for-years-in-sentinel-data-lake-without-expensive-ingestion-cost/

However, we are facing an issue with 2 tables: DeviceImageLoadEvents and DeviceFileCertificateInfo. The table forwarded by Defender to Sentinel are empty like this row:

We created a support ticket but so far, we haven't received any solution. If anyone has experienced this issue, we would appreciate your feedback.

Lucas