XdrLogRaider Defender XDR portal telemetry
A Microsoft Sentinel custom data connector that ingests Microsoft Defender XDR portal-only telemetry — configuration, compliance, drift, exposure, governance — that public Microsoft APIs (Graph Security, Microsoft 365 Defender, MDE) don't expose.

https://github.com/akefallonitis/xdrlograider — Defender XDR portal telemetry

Happy Hunting 🥳 🎉

Sentinel RBAC in the Unified portal: who has activated Unified RBAC, and how did it go?
Following the RSAC 2026 announcements last month, I have been working through the full permission picture for the Unified portal and wanted to open a discussion here given how much has shifted in a short period.

A quick framing of where things stand. The baseline is still that Azure RBAC carries across for Sentinel SIEM access when you onboard, no changes required. But there are now two significant additions in public preview: Unified RBAC for Sentinel SIEM itself (extending the Defender Unified RBAC model to cover Sentinel directly), and a new Defender-native GDAP model for non-CSP organisations managing delegated access across tenants.

The GDAP piece in particular is worth discussing carefully, because I want to be precise about what has and has not changed. The existing limitation from Microsoft's onboarding documentation, that GDAP with Azure Lighthouse is not supported for Sentinel data in the Defender portal, has not changed. What is new is a separate, Defender-portal-native GDAP mechanism announced at RSAC, which is a different thing. These are not the same capability. If you were using Entra B2B as the interim path based on earlier guidance, that guidance was correct and that path remains the generally available option today.

A few things I would genuinely like to hear from practitioners:

- For those who have activated Unified RBAC for a Sentinel workspace in the Defender portal: what did the migration from Azure RBAC roles look like in practice? Did the import function bring roles across cleanly, or did you find gaps, particularly around custom roles?
- For environments using Playbook Operator, Automation Contributor, or Workbook Contributor role assignments: how are you handling the fact that those three roles are not yet in Unified RBAC and still require Azure portal management? Is the dual-management posture creating operational friction?
- For MSSPs evaluating the new Defender-native GDAP model against their existing Entra B2B setup: what factors are driving the decision either way at your scale?

Writing this up as Part 3 of the migration series, and the community experience here is directly useful for making sure the practitioner angle is grounded.

Sentinel Foundry - MCP Server (Preview) (Github Community Release)
I’ve been cooking something that a lot of people in SOC have been struggling with — especially on the engineering side of Microsoft Sentinel. Thanks to the Microsoft Security team for shaping the capabilities of Sentinel even better with Sentinel Data Lake & Modern SecOps. Today’s the day I can finally share it.

Note: This is not an official Microsoft product, but it is designed to make the Sentinel Build even better (complement) with much more intelligence.

🚀 Sentinel Foundry is now in public preview with 43 tools. (Sentinel Foundry - MCP Server)

It’s an MCP server built to act like the brain of a strong Sentinel engineer — helping make building, improving, and operating Sentinel far more practical, faster, and honestly more enjoyable.

For a lot of teams, the challenge is not understanding what Sentinel can do. The hard part is the engineering work around it:

-> Deciding what data should actually be ingested
-> Building a clean, scalable Sentinel foundation
-> Writing useful detections instead of noisy ones
-> Balancing security value with cost
-> Turning ideas into deployable engineering outputs

That is exactly why I built Sentinel Foundry to help communities grow stronger. It helps with the real engineering tasks behind Sentinel — from architecture thinking to detection design, deployment planning, ingestion strategy, automation ideas, and many of the workflows outlined in the GitHub project.

How does it work? Here’s one of the flagship prompts I ran with it:

“Give me a complete security posture report for our workspace. Score each pillar and tell me what to prioritise.”

And within seconds, it produced a structured engineering blueprint that would normally take a lot longer to pull together manually.

You can see the example prompts here in what it can do: https://github.com/prabhukiranveesam/Sentinel-Foundry#what-can-it-do

I want building Sentinel to feel less like repetitive engineering overhead — and more like real security engineering that is fast, creative, and enjoyable.

If you work with Sentinel as a SOC L2 analyst, engineer, detection engineer, consultant, or architect, I’d genuinely love for you to try it and tell me what you think.

🔗 Public Preview: https://github.com/prabhukiranveesam/Sentinel-Foundry

This is just the start of an AI era — and I’m excited to keep shaping it with more powerful features over the coming days. This is very easy to set up and will be available to all of you at no cost during this month as part of the public preview, and your feedback is extremely valuable to shape this as a powerful solution.

How do I import Purview Unified Audit Log data related to the use of the Audit Log into Sentinel?
Dear Community,

I would like to implement the following scenario on an environment with Microsoft 365 E5 licenses:

Scenario: I want to import audit activities into an Azure Log Analytics workspace linked to Sentinel to generate alerts/incidents as soon as a search is performed in the Microsoft 365 Purview Unified Audit Log (primarily for IRM purposes).

Challenge: Neither the "Microsoft 365" connector, nor the "Defender XDR" or "Purview" (which appear to be exclusively Azure Purview) connectors are importing the necessary data.

Question: Which connector do I have to use in order to obtain Purview Unified Audit Log activities about the use of the Purview Unified Audit Log, so that I can identify which user conducted an audit log search, when, and with what kind of search query?

Thank you!

Webinar Cancellation
Hi everyone!

The webinar originally scheduled for April 14th on "Using distributed content to manage your multi-tenant SecOps" has unfortunately been cancelled for now. We apologize for the inconvenience and hope to reschedule it in the future.

Please find other available webinars at: http://aka.ms/securitycommunity

All the best,
The Microsoft Security Community Team

The Sentinel migration mental model question: what's actually retiring vs what isn't?
Something I keep seeing come up in conversations with other Sentinel operators lately, and I think it's worth surfacing here as a proper discussion. There's a consistent gap in how the migration to the Defender portal is being understood, and I think it's causing some teams to either over-scope their effort or under-prepare.

The gap is this: the Microsoft comms have consistently told us *what* is happening (Azure portal experience retires March 31, 2027), but the question that actually drives migration planning, what is architecturally changing versus what is just moving to a different screen, doesn't have a clean answer anywhere in the community right now.

The framing I've been working with, which I'd genuinely like to get other practitioners to poke holes in:

What's retiring: The Azure portal UI experience for Sentinel operations. Incident management, analytics rule configuration, hunting, automation management: all of that moves to the Defender portal.

What isn't changing: The Log Analytics workspace, all ingested data, your KQL rules, connectors, retention config, billing. None of that moves. The Defender XDR data lake is a separate Microsoft-managed layer, not a replacement for your workspace.

Where it gets genuinely complex: MSSP/multi-tenant setups, teams with meaningful SOAR investments, and anyone who's built tooling against the SecurityInsights API for incident management (which now needs to shift to Microsoft Graph for unified incidents).

The deadline extension from July 2026 to March 2027 tells its own story. Microsoft acknowledged that scale operators needed more time and capabilities. If you're in that camp, that extra runway is for proper planning, not deferral.

A few questions I'd genuinely love to hear about from people who've started the migration or are actively scoping it:

- For those who've done the onboarding already: what was the thing that caught you most off guard that isn't well-documented?
- For anyone running Sentinel across multiple tenants: how are you approaching the GDAP gap while Microsoft completes that capability? Are you using B2B authentication as the interim path, or Azure Lighthouse for cross-workspace querying?

I've been writing up a more detailed breakdown of this, covering the RBAC transition, automation review, and the MSSP-specific path, and the community discussion here is genuinely useful for making sure the practitioner perspective covers the right edge cases. Happy to share more context on anything above if useful.

New content types supported in multi-tenant content distribution
Onboard new tenants and maintain a consistent security baseline

We’re excited to announce a set of new content types that are now supported by the multi-tenant content distribution capability in the Defender portal: You can now distribute analytics rules, automation rules, workbooks, and alert tuning built-in rules.

What is content distribution?

Content distribution is a powerful multi-tenant feature that enables scalable management of security content across tenants. With this capability, you can create content distribution profiles in the multi-tenant portal that allow you to seamlessly replicate existing content—such as custom detection rules and endpoint security policies—from a source tenant to designated target tenants. Once distributed, the content runs on the target tenant, enabling centralized control with localized execution. This allows you to onboard new tenants quickly and maintain a consistent security baseline across tenants.

New supported content types

With this release, we add support for several new content types:
- Analytics rules (Sentinel)
- Automation rules (Sentinel)
- Workbooks (Sentinel)
- Alert tuning rules (built-in rules)

Soon, we will introduce more content types, including URBAC roles.

How it works

1. Navigate to ‘Content Distribution’ in Defender’s multi-tenant management portal.
2. Create a new distribution profile or select an existing distribution profile.
3. In the ‘Content selection’ step, select one of the new content types to distribute.
4. After choosing the content types, select the actual content that you want to distribute. For example, select analytics rules that you want to distribute to other tenants.
5. Use the filters to select which tenant (and workspace) to take the content from.
6. Choose at least one workspace that you want to distribute the content to. You can select up to 100 workspaces per tenant.
7. Save the distribution profile and the content will be synced to your target tenants.
8. Review the sync result in your distribution profile.

Good to know
- Automation rules that trigger a playbook cannot currently be distributed.
- Alert tuning rules are currently limited to distributing built-in rules; this will be expanded to custom rules later.

Learn more

For more information, see Content distribution in multitenant management. To get started, navigate to Content distribution.

FAQ

What pre-requisites are required?
- Access to more than one tenant, with delegated access via Azure B2B, using multi-tenant management
- A subscription to Microsoft 365 E5 or Office E5

What permissions are needed to distribute?
Each content type requires you to have permission to create that content type on the target tenant. For example, to create Analytics Rules, you require ‘Sentinel Contributor’ permissions. To distribute content using multi-tenant management content distribution, the Security settings (manage) or Security Data Basic (read) permission is required. Both roles are assigned to the Security Administrator and Security Reader Microsoft Entra built-in roles by default.

Can I update or expand distribution profiles later?
Yes. You can add more content, include additional tenants, or modify scopes as needed.

New Compliance Solutions in Microsoft Sentinel: HIPAA & GDPR Reports
What’s New?

GDPR Compliance & Data Security Solution (Preview)
- Helps organizations demonstrate compliance with the General Data Protection Regulation (GDPR) and protect personal data in cloud and hybrid environments.
- Consolidates data from Alerts, Incidents, Microsoft Purview, Azure SQL, Microsoft 365, UEBA, and Entra ID into a unified workbook.
- Monitors GDPR-related alerts, data classification, sensitive data queries, identity risks, and insider behaviours.
- Provides clear audit evidence and compliance reports, supporting proactive risk detection and regulatory accountability.

HIPAA Compliance Solution (Preview)
- Designed for healthcare organizations and business associates to meet HIPAA Security and Privacy Rules.
- Provides robust monitoring of Protected Health Information (PHI) across administrative, technical, and physical safeguards.
- Features integrated dashboards, analytics, and Azure-native security capabilities for audit readiness and operational efficiency.
- Includes pre-built workbook tabs for overview, attack range, audit trail reporting, and advanced analysis.
- Enables anomaly detection (e.g., ransomware, suspicious SQL procedures, password spray attempts) and forensic audit trails for incident investigations.

Below, you will find more detailed information about the HIPAA and GDPR connectors. First, we cover the features of the HIPAA connector, followed by the key aspects of the GDPR solution.

GDPR Compliance Solution

This solution provides a unified workbook that consolidates data from Alerts and Incidents, Microsoft Purview, Azure SQL Databases, Microsoft 365, User & Entity Behavior Analytics (UEBA), and Entra ID. With this workbook, you can:
- Monitor GDPR and data-theft related alerts and incidents across your Microsoft ecosystem.
- Gain visibility into data classification and sensitivity labelling with Microsoft Purview.
- Detect sensitive data queries, anomalous database activity, and unusual access patterns in Azure SQL.
- Investigate identity risks, anomalous sign-ins, and insider behaviours using Entra ID and UEBA.
- Provide clear audit evidence and compliance reports across Microsoft 365 and related services.

Key Capabilities

Security Alerts & Incidents
- Investigate security alerts and incidents from hosts and resources that store or process personal data.
- Track alerts mapped to MITRE ATT&CK® tactics and measure responsiveness for breach notification requirements.
- Focus on GDPR-relevant systems using customizable watchlists.

For the Security Alerts & Incidents section to function properly, you must create a watchlist containing servers that host personal data. You must configure this watchlist in Sentinel and populate it with the names of your personal data hosting servers.

Sample Watchlist (GDPR_PersonalData_Assets)
HostName
server1
server2
server3
server4

Data Loss Prevention (DLP)
- Monitor sensitive data access, leaks, and geolocation-based usage.
- Detect potential leaks or unauthorized transfers of personal data.
- Track label-based access patterns and provide evidence of preventive controls.

Purview Logs
- Discover and classify assets, monitor sensitivity labelling, and track data governance.
- Assess the application of sensitivity labels and provide auditors with data inventory and classification coverage.

Azure SQL Databases
- Detect anomalies and monitor classified data queries.
- Track application and IP access to classified data for accountability and traceability.
- Provide auditors with proof of continuous monitoring of database activity.

Microsoft 365 Activity
- Monitor user and administrator activity across Exchange, SharePoint, OneDrive, and Teams.
- Detect risky behaviours such as external sharing, non-owner mailbox access, and unusual admin operations.
- Provide a comprehensive audit trail of data activity in Microsoft 365 services.

User & Entity Behavior Analytics (UEBA)
- Analyze anomalous user and entity behaviors to detect insider threats and compromised accounts.
- Correlate activities across multiple data sources and identify potential data exfiltration attempts.

Sign-Ins and Audit (Entra ID)
- Track risky sign-ins, brute-force attempts, and unusual geolocations.
- Investigate access patterns to applications and resources handling personal data.
- Monitor changes to users, groups, and applications for GDPR accountability.

References

The metrics and monitoring approaches used in the GDPR Compliance Solution are referenced from established workbooks and solutions, including:
- Microsoft Purview: For data classification, sensitivity labelling, and governance metrics, leveraging Purview’s comprehensive data inventory and classification coverage.
- Azure SQL Database Solution for Sentinel: For monitoring classified data queries, detecting anomalies, and providing continuous database activity auditing.
- Microsoft Purview Insider Risk Management: For insights into M365 audits, identity risks, and anomalous activities, supporting proactive risk detection and regulatory accountability.

HIPAA Compliance Solution

The HIPAA Compliance Solution in Microsoft Sentinel—now available in preview—empowers security teams to validate compliance posture, detect anomalies, and respond swiftly to threats. With integrated dashboards, analytics, and Azure-native security capabilities, this solution helps you stay audit-ready while reducing operational complexity.

Getting Started: Two Key Steps

Connect Data Sources

To unlock the full potential of the HIPAA Compliance Solution, you need to integrate key data sources into Microsoft Sentinel. These connectors ensure comprehensive visibility across your HIPAA environment:

AzureDiagnostics
Collect logs from Azure services, firewalls, and network devices. This is critical for monitoring HIPAA-relevant infrastructure and network traffic anomalies.
Recommended Solution: [Azure Firewall Solution in Sentinel Content Hub] for enriched firewall analytics.
SecurityEvent
Ingest Windows Server event logs to track login activity, access attempts, and policy changes.
Recommended Solution: [Windows Security Events Solution] for prebuilt analytics and dashboards.

SecurityAlert
Pull in alerts from Microsoft Defender and other integrated security tools for anomaly and incident detection.
Recommended Solution: [Microsoft Defender for Endpoint Solution] for advanced threat detection and correlation.

AuditLogs
Capture Azure AD sign-in logs, MFA status, and user activity to validate identity and access controls.
Recommended Solution: [Azure Active Directory Solution] for identity governance and compliance insights.

DeviceEvents / DeviceProcessEvents
Gather endpoint telemetry and Defender for Endpoint alerts to monitor device health and detect compromise attempts.
Recommended Solution: [Microsoft Defender for Endpoint Solution] for endpoint security posture.

SQLSecurityAuditEvents
Enable auditing for HIPAA-relevant databases to track CRUD operations, suspicious stored procedures, and integrity checks.
Recommended Solution: [SQL Security Audit Solution] for database compliance and threat detection.

Define HIPAA Users and Assets

Use Watchlists to specify HIPAA-relevant users and assets within your compliance scope:

HIPAA Users Details Watchlist
Columns: UserName, TrainingStatus, AccessLevel
Upload as CSV and configure in Sentinel under Configuration > Watchlist.

HIPAA Assets Watchlist
Columns: DeviceName, DeviceType
Follow the same steps as above with appropriate naming conventions.

To learn more about how to create watchlists, see Create new watchlists - Microsoft Sentinel | Microsoft Learn.

What’s Included in the Solution

Pre-Built Workbook Tabs

Overview Tab
Track user training status, asset health, login success/failure, MFA status, antivirus coverage, and incident trends.
Attack Range Tab
This tab focuses on real-time threat visibility and behavioral analytics, giving SOC teams the ability to detect and respond to active threats impacting HIPAA-regulated environments. It visualizes multiple high-risk indicators drawn from security logs, Defender telemetry, and database activity. Key insights provided on this dashboard include:
- Macaw Ransomware Detection: Identifies endpoints exhibiting encryption-like behavior typical of the Macaw ransomware family, allowing the SOC team to act before patient health data is encrypted or lost.
- Suspicious SQL Stored Procedures: Flags execution of destructive or data-deletion commands from stored procedures initiated by untrained or unauthorized HIPAA users — a potential insider threat or misuse case.
- Password Spray Attempts: Detects repeated failed login attempts from a single IP within a short time frame, helping to identify brute-force or credential-stuffing activity targeting HIPAA accounts.
- Unusual SMB Activity: Surfaces abnormal file-sharing or data transfer patterns between internal servers, indicating potential lateral movement or data exfiltration attempts.

Audit Trail Reporting Tab
This tab serves as the organization’s forensic and compliance backbone, enabling security and compliance teams to trace every critical activity within their HIPAA environment. It provides a detailed chronological record of user actions, system processes, and network communications — essential for both incident investigations and regulatory audits.

Further Analysis Tab
Export pre-written queries for advanced investigation and compliance reporting.