The Sentinel migration mental model question: what's actually retiring vs what isn't?
Something I keep seeing come up in conversations with other Sentinel operators lately, and I think it's worth surfacing here as a proper discussion. There's a consistent gap in how the migration to the Defender portal is being understood, and I think it's causing some teams to either over-scope their effort or under-prepare. The gap is this: the Microsoft comms have consistently told us *what* is happening (Azure portal experience retires March 31, 2027), but the question that actually drives migration planning, what is architecturally changing versus what is just moving to a different screen, doesn't have a clean answer anywhere in the community right now. The framing I've been working with, which I'd genuinely like to get other practitioners to poke holes in: What's retiring: The Azure portal UI experience for Sentinel operations. Incident management, analytics rule configuration, hunting, automation management: all of that moves to the Defender portal. What isn't changing: The Log Analytics workspace, all ingested data, your KQL rules, connectors, retention config, billing. None of that moves. The Defender XDR data lake is a separate Microsoft-managed layer, not a replacement for your workspace. Where it gets genuinely complex: MSSP/multi-tenant setups, teams with meaningful SOAR investments, and anyone who's built tooling against the SecurityInsights API for incident management (which now needs to shift to Microsoft Graph for unified incidents). The deadline extension from July 2026 to March 2027 tells its own story. Microsoft acknowledged that scale operators needed more time and capabilities. If you're in that camp, that extra runway is for proper planning, not deferral. A few questions I'd genuinely love to hear about from people who've started the migration or are actively scoping it: For those who've done the onboarding already: what was the thing that caught you most off guard that isn't well-documented? For anyone running Sentinel across multiple tenants: how are you approaching the GDAP gap while Microsoft completes that capability? Are you using B2B authentication as the interim path, or Azure Lighthouse for cross-workspace querying? I've been writing up a more detailed breakdown of this, covering the RBAC transition, automation review, and the MSSP-specific path, and the community discussion here is genuinely useful for making sure the practitioner perspective covers the right edge cases. Happy to share more context on anything above if useful.
How do I import Purview Unified Audit Log data related to the use of the Audit Log into Sentinel?
Dear Community, I would like to implement the following scenario on an environment with Microsoft 365 E5 licenses: Scenario: I want to import audit activities into an Azure Log Analytics workspace linked to Sentinel to generate alerts/incidents as soon as a search is performed in the Microsoft 365 Purview Unified Audit Log (primarily for IRM purposes). Challenge: Neither the "Microsoft 365" connector, nor the "Defender XDR" or "Purview" (which appear to be exclusively Azure Purview) connectors are importing the necessary data. Question: Which connector do I have to use in order to obtain Purview Unified Audit Log activities about the use of the Purview Unified Audit Log so that I can identify... ...which user conducted when an audit log search and with what kind of search query. Thank you!New content types supported in multi-tenant content distribution
Onboard new tenants and maintain a consistent security baseline We’re excited to announce a set of new content types that are now supported by the multi-tenant content distribution capability in the Defender portal: You can now distribute analytics rules, automation rules, workbooks, and alert tuning built in rules. What is content distribution? Content distribution is a powerful multi-tenant feature that enables scalable management of security content across tenants. With this capability, you can create content distribution profiles in the multi-tenant portal that allow you to seamlessly replicate existing content—such as custom detection rules and endpoint security policies—from a source tenant to designated target tenants. Once distributed, the content runs on the target tenant, enabling centralized control with localized execution. This allows you to onboard new tenants quickly and maintain a consistent security baseline across tenants. New supported content types With this release, we add support for several new content types: Analytics rules (Sentinel) Automation rules (Sentinel) Workbooks (Sentinel) Alert tuning rules (built-in rules) Soon, we will introduce more content types, including URBAC roles. How it works Navigate to ‘Content Distribution’ in Defender’s multi-tenant management portal Create a new distribution profile or select an existing distribution profile In the ‘Content selection’ step, select one of the new content types to distribute After choosing the content types, select the actual content that you want to distribute. For example, select analytics rules that you want to distribute to other tenants Use the filters to select which tenant (and workspace) to take the content from Choose at least one workspace that you want to distribute the content to. You can select up to 100 workspaces per tenant. Save the distribution profile and the content will be synced to your target tenants Review the sync result in your distribution profile Good to know Automation rules that trigger a playbook cannot currently be distributed Alert tuning rules are currently limited to distributing built-in rules, this will be expanded to custom rules later Learn more For more information, see Content distribution in multitenant management. To get started, navigate to Content distribution. FAQ What pre-requisites are required? Access to more than one tenant, with delegated access via Azure B2B, using multi-tenant management A subscription to Microsoft 365 E5 or Office E5 What permissions are needed to distribute? Each content type requires you to have permission to create that content type on the target tenant. For example, to create Analytics Rules, you require ‘Sentinel Contributor’ permissions. To distribute content using multi-tenant management content distribution, the Security settings (manage) or Security Data Basic (read) permission is required. Both roles are assigned to the Security Administrator and Security Reader Microsoft Entra built-in roles by default. Can I update or expand distribution profiles later? Yes. You can add more content, include additional tenants, or modify scopes as needed.
New Compliance Solutions in Microsoft Sentinel: HIPAA & GDPR Reports
What’s New? GDPR Compliance & Data Security Solution (Preview) Helps organizations demonstrate compliance with the General Data Protection Regulation (GDPR) and protect personal data in cloud and hybrid environments. Consolidates data from Alerts, Incidents, Microsoft Purview, Azure SQL, Microsoft 365, UEBA, and Entra ID into a unified workbook. Monitors GDPR-related alerts, data classification, sensitive data queries, identity risks, and insider behaviours. Provides clear audit evidence and compliance reports, supporting proactive risk detection and regulatory accountability. HIPAA Compliance Solution (Preview) Designed for healthcare organizations and business associates to meet HIPAA Security and Privacy Rules. Provides robust monitoring of Protected Health Information (PHI) across administrative, technical, and physical safeguards. Features integrated dashboards, analytics, and Azure-native security capabilities for audit readiness and operational efficiency. Includes pre-built workbook tabs for overview, attack range, audit trail reporting, and advanced analysis. Enables anomaly detection (e.g., ransomware, suspicious SQL procedures, password spray attempts) and forensic audit trails for incident investigations. Below, you will find more detailed information about the HIPAA and GDPR connectors. First, we cover the features of the HIPAA connector, followed by the key aspects of the GDPR solution. GDPR Compliance Solution This solution provides a unified workbook that consolidates data from Alerts and Incidents, Microsoft Purview, Azure SQL Databases, Microsoft 365, User & Entity Behavior Analytics (UEBA), and Entra ID. With this workbook, you can: Monitor GDPR and data-theft related alerts and incidents across your Microsoft ecosystem. Gain visibility into data classification and sensitivity labelling with Microsoft Purview. Detect sensitive data queries, anomalous database activity, and unusual access patterns in Azure SQL. Investigate identity risks, anomalous sign-ins, and insider behaviours using Entra ID and UEBA. Provide clear audit evidence and compliance reports across Microsoft 365 and related services. Key Capabilities Security Alerts & Incidents Investigate security alerts and incidents from hosts and resources that store or process personal data. Track alerts mapped to MITRE ATT&CK® tactics and measure responsiveness for breach notification requirements. Focus on GDPR-relevant systems using customizable watchlists. For the Security Alerts & Incidents section to function properly, you must create a watchlist containing servers that host personal data. You must configure this watchlist in Sentinel and populate it with the names of your personal data hosting servers. Sample Watchlist (GDPR_PersonalData_Assets) HostName server1 server2 server3 server4 Data Loss Prevention (DLP) Monitor sensitive data access, leaks, and geolocation-based usage. Detect potential leaks or unauthorized transfers of personal data. Track label-based access patterns and provide evidence of preventive controls. Purview Logs Discover and classify assets, monitor sensitivity labelling, and track data governance. Assess the application of sensitivity labels and provide auditors with data inventory and classification coverage. Azure SQL Databases Detect anomalies and monitor classified data queries. Track application and IP access to classified data for accountability and traceability. Provide auditors with proof of continuous monitoring of database activity. Microsoft 365 Activity Monitor user and administrator activity across Exchange, SharePoint, OneDrive, and Teams. Detect risky behaviours such as external sharing, non-owner mailbox access, and unusual admin operations. Provide a comprehensive audit trail of data activity in Microsoft 365 services. User & Entity Behavior Analytics (UEBA) Analyze anomalous user and entity behaviors to detect insider threats and compromised accounts. Correlate activities across multiple data sources and identify potential data exfiltration attempts. Sign-Ins and Audit (Entra ID) Track risky sign-ins, brute-force attempts, and unusual geolocations. Investigate access patterns to applications and resources handling personal data. Monitor changes to users, groups, and applications for GDPR accountability. References The metrics and monitoring approaches used in the GDPR Compliance Solution are referenced from established workbooks and solutions, including: Microsoft Purview: For data classification, sensitivity labelling, and governance metrics, leveraging Purview’s comprehensive data inventory and classification coverage. Azure SQL Database Solution for Sentinel: For monitoring classified data queries, detecting anomalies, and providing continuous database activity auditing. Microsoft Purview Insider Risk Management: For insights into M365 audits, identity risks, and anomalous activities, supporting proactive risk detection and regulatory accountability. HIPAA Compliance Solution The HIPAA Compliance Solution in Microsoft Sentinel—now available in preview—empowers security teams to validate compliance posture, detect anomalies, and respond swiftly to threats. With integrated dashboards, analytics, and Azure-native security capabilities, this solution helps you stay audit-ready while reducing operational complexity. Getting Started: Two Key Steps Connect Data Sources To unlock the full potential of the HIPAA Compliance Solution, you need to integrate key data sources into Microsoft Sentinel. These connectors ensure comprehensive visibility across your HIPAA environment: AzureDiagnostics Collect logs from Azure services, firewalls, and network devices. This is critical for monitoring HIPAA-relevant infrastructure and network traffic anomalies. Recommended Solution: [Azure Firewall Solution in Sentinel Content Hub] for enriched firewall analytics. SecurityEvent Ingest Windows Server event logs to track login activity, access attempts, and policy changes. Recommended Solution: [Windows Security Events Solution] for prebuilt analytics and dashboards. SecurityAlert Pull in alerts from Microsoft Defender and other integrated security tools for anomaly and incident detection. Recommended Solution: [Microsoft Defender for Endpoint Solution] for advanced threat detection and correlation. AuditLogs Capture Azure AD sign-in logs, MFA status, and user activity to validate identity and access controls. Recommended Solution: [Azure Active Directory Solution] for identity governance and compliance insights. DeviceEvents / DeviceProcessEvents Gather endpoint telemetry and Defender for Endpoint alerts to monitor device health and detect compromise attempts. Recommended Solution: [Microsoft Defender for Endpoint Solution] for endpoint security posture. SQLSecurityAuditEvents Enable auditing for HIPAA-relevant databases to track CRUD operations, suspicious stored procedures, and integrity checks. Recommended Solution: [SQL Security Audit Solution] for database compliance and threat detection. Define HIPAA Users and Assets Use Watchlists to specify HIPAA-relevant users and assets within your compliance scope: HIPAA Users Details Watchlist Columns: UserName, TrainingStatus, AccessLevel Upload as CSV and configure in Sentinel under Configuration > Watchlist. HIPAA Assets Watchlist Columns: DeviceName, DeviceType Follow the same steps as above with appropriate naming conventions. To learn more about how to create watchlists, see Create new watchlists - Microsoft Sentinel | Microsoft Learn What’s Included in the Solution Pre-Built Workbook Tabs Overview Tab Track user training status, asset health, login success/failure, MFA status, antivirus coverage, and incident trends. Attack Range Tab This tab focuses on real-time threat visibility and behavioral analytics, giving SOC teams the ability to detect and respond to active threats impacting HIPAA-regulated environments. It visualizes multiple high-risk indicators drawn from security logs, Defender telemetry, and database activity. Key insights provided on this dashboard include: Macaw Ransomware Detection: Identifies endpoints exhibiting encryption-like behavior typical of the Macaw ransomware family, allowing the SOC team to act before patient health data is encrypted or lost. Suspicious SQL Stored Procedures: Flags execution of destructive or data-deletion commands from stored procedures initiated by untrained or unauthorized HIPAA users — a potential insider threat or misuse case. Password Spray Attempts: Detects repeated failed login attempts from a single IP within a short time frame, helping to identify brute-force or credential-stuffing activity targeting HIPAA accounts. Unusual SMB Activity: Surfaces abnormal file-sharing or data transfer patterns between internal servers, indicating potential lateral movement or data exfiltration attempts. Audit Trail Reporting Tab This Tab serves as the organization’s forensic and compliance backbone, enabling security and compliance teams to trace every critical activity within their HIPAA environment. It provides a detailed chronological record of user actions, system processes, and network communications — essential for both incident investigations and regulatory audits. Further Analysis Tab Export pre-written queries for advanced investigation and compliance reporting.
Update content package Metadata
Hello Sentinel community and Microsoft. Ive been working on a script where i use this command: https://learn.microsoft.com/en-us/rest/api/securityinsights/content-package/install?view=rest-securityinsights-2024-09-01&tabs=HTTP Ive managed to successfully create everything from retrieving whats installed, uninstalling, reinstalling and lastly updating (updating needed to be "list, delete, install" however :'), there was no flag for "update available"). However, now to my issue. As this work like a charm through powershell, the metadata and hyperlinking is not being deployed - at all. So i have my 40 content packages successfully installed through the REST-api, but then i have to visit the content hub in sentinel in the GUI, filter for "installed" and mark them all, then press "install". When i do this the metadata and hyperlinking is created. (Its most noticeable that the analytic rules for the content hubs are not available under analytic rules -> Rule templates after installing through the rest api). But once you press install button in the GUI, they appear. So i looked in to the request that is made when pressing the button. It uses another API version, fine, i can add that to my script. But it also uses 2 variables that are not documented and encrypted-data. they are called c and t: Im also located in EU and it makes a request to SentinelUS. im OK with that, also as mentioned, another API version (2020-06-01) while the REST APi to install content packages above has 2024-09-01. NP. But i can not simulate this last request as the variables are encrypted and not available through the install rest api. They are also not possible to simulate. it ONLY works in the GUI when pressing install. Lastly i get another API version back when it successfully ran through install in GUI, so in total its 3 api versions. Here is my code snippet i tried (it is basically a mimic of the post request in the network tab of the browser then pressing "install" on the package in content hub, after i successfully installed it through the official rest api). function Refresh-WorkspaceMetadata { param ( [Parameter(Mandatory = $true)] [string]$SubscriptionId, [Parameter(Mandatory = $true)] [string]$ResourceGroup, [Parameter(Mandatory = $true)] [string]$WorkspaceName, [Parameter(Mandatory = $true)] [string]$AccessToken ) # Use the API version from the portal sample $apiVeri = "?api-version=" $RefreshapiVersion = "2020-06-01" # Build the batch endpoint URL with the query string on the batch URI $batchUri = "https://management.azure.com/\$batch$apiVeri$RefreshapiVersion" # Construct a relative URL for the workspace resource. # Append dummy t and c parameters to mimic the portal's request. $workspaceUrl = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName$apiVeri$RefreshapiVersion&t=123456789&c=dummy" # Create a batch payload with several GET requests $requests = @() for ($i = 0; $i -lt 5; $i++) { $requests += @{ httpMethod = "GET" name = [guid]::NewGuid().ToString() requestHeaderDetails = @{ commandName = "Microsoft_Azure_SentinelUS.ContenthubWorkspaceClient/get" } url = $workspaceUrl } } $body = @{ requests = $requests } | ConvertTo-Json -Depth 5 try { $response = Invoke-RestMethod -Uri $batchUri -Method Post -Headers @{ "Authorization" = "Bearer $AccessToken" "Content-Type" = "application/json" } -Body $body Write-Host "[+] Workspace metadata refresh triggered successfully." -ForegroundColor Green } catch { Write-Host "[!] Failed to trigger workspace metadata refresh. Error: $_" -ForegroundColor Red } } Refresh-WorkspaceMetadata -SubscriptionId $subscriptionId -ResourceGroup $resourceGroup -WorkspaceName $workspaceName -AccessToken $accessToken (note: i have variables higher up in my script for subscriptionid, resourcegroup, workspacename and token etc). Ive tried with and without mimicing the T and C variable. none works. So for me, currently, installing content hub packages for sentinel is always: Install through script to get all 40 packages Visit webpage, filter for 'Installed', mark them and press 'Install' You now have all metadata and hyperlinking available to you in your Sentinel (such as hunting rules, analytic rules, workbooks, playbooks -templates). Anyone else manage to get around this or is it "GUI" gated ? Greatly appreciated.[DevOps] dps.sentinel.azure.com no longer responds
Hello, Ive been using Repository connections in sentinel to a central DevOps for almost two years now. Today i got my first automated email on error for a webhook related to my last commit from the central repo to my Sentinel intances. Its a webhook that is automticly created in connections that are made the last year (the once from 2 years ago dont have this webhook automaticly created). The hook is found in devops -> service hooks -> webhooks "run state change" for each connected sentinel However, after todays run (which was successfull, all content deployed) this hook generates alerts. It says it cant reach: (EU in my case) eu.prod.dps.sentinel.azure.com full url: https://eu.prod.dps.sentinel.azure.com/webhooks/ado/workspaces/[REDACTED]/sourceControls/[REDACTED] So, what happened to this domain? why is it no longer responding and when was it going offline? I THINK this is the hook that sets the status under Sentinel -> Repositories in the GUI. this success status in screenshoot is from 2025/02/06, no new success has been registered in the receiving Sentinel instance. For the Sentinel that is 2 year old and dont have a hook in my DevOps that last deployment status says "Unknown" - so im fairly sure thats what the webhook is doing. So a second question would be, how can i set up a new webhook ? (it want ID and password of the "Azure Sentinel Content Deployment App" - i will never know that password....) so i cant manually add ieather (if the URL ever comes back online or if a new one exists?). please let me know.
Sentinel Data Connector: Google Workspace (G Suite) (using Azure Functions)
I'm encountering a problem when attempting to run the GWorkspace_Report workbook in Azure Sentinel. The query is throwing this error related to the union operator: 'union' operator: Failed to resolve table expression named 'GWorkspace_ReportsAPI_gcp_CL' I've double-checked, and the GoogleWorkspaceReports connector is installed and updated to version 3.0.2. Has anyone seen this or know what might be causing the table GWorkspace_ReportsAPI_gcp_CL to be unresolved? Thanks!
Trend Micro Vision One Connector Not working
Hi All, Before I get nuked in the comments to raise an issue on the Sentinel Repo. Here me out 😇 Around a month ago, the logs stopped ingesting. A quick snoop around revealed the reason. But I'm not sure if I should raise an issue, or try to fix the issue, risking voiding any future support I can get, since the connector and the app that comes with it are market solutions. Function app was not running due to a dependency issue. Spotted this on the diagnostic logs, under the "exceptions" table. "module named _cffi_backend not found" a python package google tells me, thats used to interact with C code. So logically, I need to find the requirement.txt and make sure the dependency is there. Also make sure the python version on the runtime and Azure matches, The logs were initially flowing as usual . I had completed integrating Trend Micro using Azure Functions based connector around 7 months ago. Worked like a toyota helix until now. So once again, would like to know the community's thoughts on it. ThxxIssue while deploying Sentienl Rules
I know that when deleting a Sentinel rule, you need to wait a specific amount of time before it can be redeployed. However, in this tenant, we've been waiting for almost a month and are still getting the same deployment error ('was recently deleted. You need to allow some time before re-using the same ID. Please try again later. Click here for details'). I still want to use the same ID ect. Does anyone have any idea or similar issue why it's still not possible after waiting for about a month?
