Microsoft Sentinel

Ignite 2025: New Microsoft Sentinel Connectors Announcement
Microsoft Sentinel continues to set the pace for innovation in cloud-native SIEMs, empowering security teams to meet today’s challenges with scalable analytics, built-in AI, and a cost-effective data lake. Recognized as a leader by Gartner and Forrester, Microsoft Sentinel is a platform for all of security, evolving to unify signals, cut costs, and power agentic AI for the modern SOC.

As Microsoft Sentinel’s capabilities expand, so does its connector ecosystem. With more than 350 integrations available, organizations can seamlessly bring data from a wide range of sources into Microsoft Sentinel’s analytics and data lake tiers. This momentum is driven by our partners, who continue to deliver new and enhanced connectors that address real customer needs. The past year has seen rapid growth in both the number and diversity of connectors, ensuring that Microsoft Sentinel remains robust, flexible, and ready to meet the demands of any security environment.

Today we showcase some of the most recent additions to our growing Microsoft Sentinel ecosystem, spanning categories such as cloud security, endpoint protection, identity, IT operations, threat intelligence, compliance, and more.

New and notable integrations

BlinkOps and Microsoft Sentinel

BlinkOps is an enterprise-ready agentic security automation platform that integrates seamlessly with Microsoft Sentinel to accelerate incident response and streamline operations. With Blink, analysts can rapidly build sophisticated workflows and custom security agents—without writing a single line of code—enabling agile, scalable automation with both Microsoft Sentinel and any other security platform. This integration helps eliminate alert fatigue, reduce mean time to resolution (MTTR), and free teams to focus on what matters most: driving faster operations, staying ahead of cyber threats, and unlocking new levels of efficiency through reliable, trusted orchestration.
Check Point for Microsoft Sentinel solutions

Check Point’s External Risk Management (ERM) IOC and Alerts integration with Microsoft Sentinel streamlines how organizations detect and respond to external threats by automatically sending both alerts and indicators of compromise (IOCs) into Microsoft Sentinel. Through this integration, customers can configure SOAR playbooks to trigger automated actions such as updating security policies, blocking malicious traffic, and executing other security operations tasks. This orchestration reduces manual effort, accelerates response times, and allows IT teams, network administrators, and security personnel to focus on strategic threat analysis—strengthening the organization’s overall security posture.

Cloudflare for Microsoft Sentinel

Cloudflare’s integration with Microsoft Sentinel, powered by Logpush, brings detailed security telemetry from its Zero Trust and network services into your SIEM environment. By forwarding logs such as DNS queries, HTTP requests, and access events through Logpush, the connector enables SOC teams to correlate Cloudflare data with other sources for comprehensive threat detection. This integration supports automated workflows for alerting and investigation, helping organizations strengthen visibility across web traffic and identity-based access while reducing manual overhead.

Contrast ADR for Microsoft Sentinel

Contrast Security gives Microsoft Sentinel users their first-ever integration with Application Detection and Response (ADR), delivering real-time visibility into application and API attacks and eliminating the application-layer blind spot. By embedding security directly into applications, Contrast enables continuous monitoring and precise blocking of attacks, and, with AI assistance, the ability to fix underlying software vulnerabilities in minutes.
This integration helps security teams prioritize actionable insights, reduce noise, and better understand the severity of threats targeting APIs and web apps.

GreyNoise Enterprise Solution for Microsoft Sentinel

GreyNoise helps Microsoft Sentinel users cut through the noise by identifying and filtering out internet background traffic that clutters security alerts. Drawing from a global sensor network, GreyNoise classifies IP addresses that are scanning the internet, allowing SOC teams to deprioritize benign activity and focus on real threats. The integration supports automated triage, threat hunting, and enrichment workflows, giving analysts the context they need to investigate faster and more effectively.

iboss Connector for Microsoft Sentinel

The iboss Connector for Microsoft Sentinel delivers real-time ingestion of URL event logs, enriching your SIEM with high-fidelity web traffic insights. Logs are forwarded in Common Event Format (CEF) over Syslog, enabling streamlined integration without the need for a proxy. With built-in parser functions and custom workbooks, the solution supports rapid threat detection and investigation. This integration is especially valuable for organizations adopting Zero Trust principles, offering granular visibility into user access patterns and helping analysts accelerate response workflows.

Mimecast

Mimecast’s integration with Microsoft Sentinel consolidates email security telemetry into a unified threat detection environment. By streaming data from Mimecast into Microsoft Sentinel’s Log Analytics workspace, security teams can craft custom queries, automate response workflows, and prioritize high-risk events. This connector supports a wide range of use cases, from phishing detection to compliance monitoring, while helping reduce mean time to respond (MTTR).
MongoDB Atlas Solution for Microsoft Sentinel

MongoDB Atlas integrates with Microsoft Sentinel to provide visibility into database activity and security events across cloud environments. By forwarding database logs into Sentinel, this connector enables SOC teams to monitor access patterns, detect anomalies, and correlate database alerts with broader security signals. The integration allows custom queries and dashboards to be built on real-time log data, helping organizations strengthen data security, streamline investigations, and maintain compliance for critical workloads.

Onapsis Defend

Onapsis Defend integrates with Microsoft Sentinel Solution for SAP to deliver real-time security monitoring and threat detection from both cloud and on-premises SAP systems. By forwarding Onapsis's unique SAP exploit detection, proprietary SAP zero-day rules, and expert SAP-focused insights into Microsoft Sentinel, this integration enables SOC teams to correlate SAP-specific risks with enterprise-wide telemetry and accelerate incident response. The integration supports prebuilt analytics rules and dashboards, helping organizations detect suspicious behavior and malicious activity, prioritize remediation, and strengthen compliance across complex SAP application landscapes.

Proofpoint on Demand (POD) Email Security for Microsoft Sentinel

Proofpoint’s Core Email Protection integrates with Microsoft Sentinel to deliver granular email security telemetry for advanced threat analysis. By forwarding events such as phishing attempts, malware detections, and policy violations into Microsoft Sentinel, SOC teams can correlate Proofpoint data with other sources for a unified view of risk. The connector supports custom queries, dashboards, and automated playbooks, enabling faster investigations and streamlined remediation workflows. This integration helps organizations strengthen email defenses and improve response efficiency across complex attack surfaces.
Proofpoint TAP Solution

Proofpoint’s Targeted Attack Protection (TAP), part of its Core Email Protection, integrates with Microsoft Sentinel to centralize email security telemetry for advanced threat detection and response. By streaming logs and events from Proofpoint into Microsoft Sentinel, SOC teams gain visibility into phishing attempts, malicious attachments, and compromised accounts. The connector supports custom queries, dashboards, and automated playbooks, enabling faster investigations and streamlined remediation workflows. This integration helps organizations strengthen email defenses while reducing manual effort across incident response processes.

Rubrik Integrations with Microsoft Sentinel for Ransomware Protection

Rubrik’s integration with Microsoft Sentinel strengthens ransomware resilience by combining data security with real-time threat detection. The connector streams anomaly alerts, such as suspicious deletions, modifications, encryptions, or downloads, directly into Microsoft Sentinel, enabling fast investigations and more informed responses. With built-in automation, security teams can trigger recovery workflows from within Microsoft Sentinel, restoring clean backups or isolating affected systems. The integration bridges IT and SecOps, helping organizations minimize downtime and maintain business continuity when facing data-centric threats.

Samsung Knox Asset Intelligence for Microsoft Sentinel

Samsung’s Knox Asset Intelligence integration with Microsoft Sentinel equips security teams with near real-time visibility into mobile device threats across Samsung Galaxy enterprise fleets. By streaming security events and logs from managed Samsung devices into Microsoft Sentinel via the Azure Monitor Log Ingestion API, organizations can monitor risk posture, detect anomalies, and investigate incidents from a centralized dashboard.
This solution is especially valuable for SOC teams monitoring endpoints for large mobile workforces, offering data-driven insights to reduce blind spots and strengthen endpoint security without disrupting device performance.

SAP S/4HANA Public Cloud – Microsoft Sentinel

SAP S/4HANA Cloud, public edition integrates with Microsoft Sentinel Solution for SAP to deliver unified, real-time security monitoring for cloud ERP environments. This connector leverages Microsoft’s native SAP integration capabilities to stream SAP logs into Microsoft Sentinel, enabling SOC teams to correlate SAP-specific events with enterprise-wide telemetry for faster, more accurate threat detection and response.

SAP Enterprise Threat Detection – Microsoft Sentinel

SAP Enterprise Threat Detection integrates with Microsoft Sentinel Solution for SAP to deliver unified, real-time security monitoring across SAP landscapes and the broader enterprise. Normalized SAP logs, alerts, and investigation reports flow into Microsoft Sentinel, enabling SOC teams to correlate SAP-specific alerts with enterprise telemetry for faster, more accurate threat detection and response.

SecurityBridge: SAP Data to Microsoft Sentinel

SecurityBridge extends Microsoft Sentinel for SAP’s reach into SAP environments, offering real-time monitoring and threat detection across both cloud and on-premises SAP systems. By funneling normalized SAP security events into Microsoft Sentinel, this integration enables SOC teams to correlate SAP-specific risks with broader enterprise telemetry. With support for S/4HANA, SAP BTP, and NetWeaver-based applications, SecurityBridge simplifies SAP security auditing and provides prebuilt dashboards and templates to accelerate investigations.

Tanium Microsoft Sentinel Connector

Tanium’s integration with Microsoft Sentinel bridges real-time endpoint intelligence and SIEM analytics, offering a unified approach to threat detection and response.
By streaming real-time telemetry and alerts into Microsoft Sentinel, Tanium enables security teams to monitor endpoint health, investigate incidents, and trigger automated remediation, all from a single console. The connector supports prebuilt workbooks and playbooks, helping organizations reduce dwell time and align IT and security operations around a shared source of truth.

Team Cymru Pure Signal Scout for Microsoft Sentinel

Team Cymru’s Pure Signal™ Scout integration with Microsoft Sentinel delivers high-fidelity threat intelligence drawn from global internet telemetry. By enriching Microsoft Sentinel alerts with real-time context on IPs, domains, and adversary infrastructure, Scout enables security teams to proactively monitor third-party compromise, track threat actor infrastructure, and reduce false positives. The integration supports external threat hunting and attribution, enabling analysts to discover command-and-control activity and signals of data exfiltration and compromise with greater precision. For organizations seeking to build preemptive defenses by elevating threat visibility beyond their borders, Scout offers a lens into the broader threat landscape at internet scale.

Veeam App for Microsoft Sentinel

The Veeam App for Microsoft Sentinel enhances data protection by streaming backup and recovery telemetry into your SIEM environment. The solution provides visibility into backup job status, anomalies, and potential ransomware indicators, enabling SOC teams to correlate these events with broader security signals. With support for custom queries and automated playbooks, this integration helps organizations accelerate investigations, trigger recovery workflows, and maintain resilience against data-centric threats.

WithSecure Elements via Function for Microsoft Sentinel

WithSecure’s Elements platform integrates with Microsoft Sentinel to provide centralized visibility into endpoint protection and detection events.
By streaming incident and malware telemetry into Microsoft Sentinel, organizations can correlate endpoint data with broader security signals for faster, more informed responses. The solution supports a proactive approach to cybersecurity, combining predictive, preventive, and responsive capabilities, making it well suited for teams seeking speed and flexibility without sacrificing depth. This integration helps reduce complexity while enhancing situational awareness across hybrid environments, and helps companies prevent or minimize disruption.

App Assure: The Microsoft Sentinel promise

Every connector in the Microsoft Sentinel ecosystem is built to work out of the box, backed by the App Assure team and the Microsoft Sentinel promise. In the unlikely event that customers encounter any issues, App Assure stands ready to assist to ensure rapid resolution. With the new Microsoft Sentinel data lake features, we extend our promise to customers looking to bring their data to the lake. To request a new connector or features for an existing one, contact us via our intake form.

Learn more

Microsoft Sentinel data lake
- Microsoft Sentinel data lake: Unify signals, cut costs, and power agentic AI
- Introducing Microsoft Sentinel data lake
- What is Microsoft Sentinel data lake
- Unlocking Developer Innovation with Microsoft Sentinel data lake

Microsoft Sentinel Codeless Connector Framework (CCF)
- Create a codeless connector for Microsoft Sentinel
- What’s New in Microsoft Sentinel

Microsoft App Assure
- App Assure home page
- App Assure services
- App Assure blog
- App Assure’s promise: Migrate to Sentinel with confidence
- App Assure’s Sentinel promise now extends to Microsoft Sentinel data lake
- RSAC 2025 new Microsoft Sentinel connectors announcement

Microsoft Security
- Microsoft’s Secure Future Initiative
- Microsoft Unified SecOps

Detect more, spend less: the future of threat intelligence correlation
With more data and intelligence than ever, it’s often a challenge to manage it all while making sure you’re maximizing its value for security investigations. We’ve made it easier for customers leveraging Microsoft’s SIEM and XDR. Now, customers can create custom detections that correlate threat intelligence from feeds brought in through the SIEM with their XDR data, without the need to ingest their XDR data into the SIEM as well.

Why this matters

Traditionally, correlating threat intelligence with endpoint and identity data required ingesting large volumes of XDR data into the SIEM. While effective, this approach often drove up ingestion and retention costs. The new capability eliminates that dependency, allowing security teams to:
- Reduce costs: avoid unnecessary data ingestion charges while still leveraging XDR insights for detection.
- Accelerate detection: query XDR and SIEM data seamlessly in near real time, enabling faster identification of threats.
- Maintain flexibility: use custom detection rules to tailor alerts to your organization’s unique threat landscape.

How it works

Threat intelligence integration: use curated threat indicators from Microsoft or your own threat intelligence platform (TIP) to power detections. Build custom detection rules that query both Sentinel and Defender XDR tables directly. This means you can match threat intelligence indicators, such as malicious IPs, domains, or file hashes (including third-party, non-Microsoft IOCs), against Defender XDR telemetry without duplicating data in Sentinel. These rules can run on a schedule or in near real time, ensuring timely detection of suspicious activity.

The KQL queries below can be used with custom detections and provide the following capabilities:
- Query the new TI tables (ThreatIntelIndicators and ThreatIntelObjects).
- Correlate with Defender XDR data without ingesting it into Sentinel, using custom detection rules.
- Enrich detections with threat actor context for better triage.
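The post’s two worked examples cover domain and file-hash indicators. The third indicator type the post names, IP addresses, follows the same pattern, and the query below applies it to IPv4 indicators as an added example that is not part of the original post or Microsoft’s published templates. It assumes the ObservableKey for IPv4 indicators follows STIX naming (ipv4-addr:value) and adds a private-range exclusion on the endpoint side; all other table and column names are the ones the post’s own queries use.

```kql
// Added example (not from the original post): match active IPv4 indicators from
// ThreatIntelIndicators against connections recorded in DeviceNetworkEvents.
let dt_lookBack = 1h;   // device events time window (how far back to look at traffic)
let ioc_lookBack = 14d; // TI time window (how far back to read indicators)
let DeviceNetworkEvents_ = DeviceNetworkEvents
    | where Timestamp >= ago(dt_lookBack)
    | where isnotempty(RemoteIP)
    | where ActionType !has "ConnectionFailed"
    // Assumption for this example: drop RFC 1918 destinations so a feed that happens to carry
    // private-range indicators cannot light up ordinary internal traffic. Values that are not
    // valid IPv4 (e.g. IPv6) evaluate to null and also fall out; they cannot match an ipv4-addr indicator anyway.
    | where ipv4_is_private(RemoteIP) == false
    | project-rename DeviceNetworkEvents_TimeGenerated = Timestamp;
ThreatIntelIndicators
// ObservableKey holds the STIX observable path (e.g. ipv4-addr:value); keep only the type part
| extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
| where IndicatorType == "ipv4-addr"
| extend IndicatorIp = ObservableValue
| where TimeGenerated >= ago(ioc_lookBack)
| extend IndicatorId = tostring(split(Id, "--")[2])
// keep the latest version of each indicator, and only indicators that are active and not expired
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
| where IsActive and (ValidUntil > now() or isempty(ValidUntil))
| extend Description = tostring(parse_json(Data).description)
| extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
| where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
| join kind=innerunique (DeviceNetworkEvents_) on $left.IndicatorIp == $right.RemoteIP
// the connection must have happened while the indicator was still valid
| where isempty(ValidUntil) or DeviceNetworkEvents_TimeGenerated < ValidUntil
// one row per indicator and device: the most recent matching connection
| summarize DeviceNetworkEvents_TimeGenerated = arg_max(DeviceNetworkEvents_TimeGenerated, *) by IndicatorId, DeviceId
| project DeviceNetworkEvents_TimeGenerated, IndicatorId, IndicatorIp, Confidence, Description, Tags,
          TrafficLightProtocolLevel, ActionType, DeviceId, DeviceName, InitiatingProcessAccountUpn,
          InitiatingProcessCommandLine, RemoteIP, RemotePort, RemoteUrl, ReportId
// Timestamp and ReportId are the columns a Defender XDR custom detection requires in the result set
| extend Timestamp = DeviceNetworkEvents_TimeGenerated, UserPrincipalName = InitiatingProcessAccountUpn
```

Summarizing by IndicatorId and DeviceId (rather than by IndicatorId alone, as the domain example does) keeps one row per affected device, which is usually what you want when the detection’s device entity mapping drives automated isolation or investigation.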
Example 1: This query identifies any domain indicators of compromise (IOCs) from threat intelligence (TI) by searching for matches in DeviceNetworkEvents.

```kql
let dt_lookBack = 1h;   // device events time window (how far back to look at traffic)
let ioc_lookBack = 14d; // TI time window (how far back to read indicators)
let DeviceNetworkEvents_ = DeviceNetworkEvents
    | where isnotempty(RemoteUrl)
    | where Timestamp >= ago(dt_lookBack)
    | where ActionType !has "ConnectionFailed"
    | extend Domain = tostring(parse_url(tolower(RemoteUrl)).Host)
    | where isnotempty(Domain)
    | project-rename DeviceNetworkEvents_TimeGenerated = Timestamp;
let DeviceNetworkEventDomains = DeviceNetworkEvents_
    | distinct Domain
    | summarize make_list(Domain);
ThreatIntelIndicators
// extract the observable type from the STIX key (e.g. domain-name:value)
| extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
| where IndicatorType == "domain-name"
| extend DomainName = tolower(ObservableValue)
| where TimeGenerated >= ago(ioc_lookBack)
| extend IndicatorId = tostring(split(Id, "--")[2])
| where DomainName in (DeviceNetworkEventDomains)
// keep the latest version of each indicator, and only active, unexpired ones
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
| where IsActive and (ValidUntil > now() or isempty(ValidUntil))
| extend Description = tostring(parse_json(Data).description)
| extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
| where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
| project-reorder *, IsActive, Tags, TrafficLightProtocolLevel, DomainName, Type
| join kind=innerunique (DeviceNetworkEvents_) on $left.DomainName == $right.Domain
// the connection must have happened while the indicator was valid (indicators without an expiry are kept)
| where isempty(ValidUntil) or DeviceNetworkEvents_TimeGenerated < ValidUntil
| summarize DeviceNetworkEvents_TimeGenerated = arg_max(DeviceNetworkEvents_TimeGenerated, *) by IndicatorId
| project DeviceNetworkEvents_TimeGenerated, IndicatorId, Url = RemoteUrl, Confidence, Description, Tags,
          TrafficLightProtocolLevel, ActionType, DeviceId, DeviceName, InitiatingProcessAccountUpn,
          InitiatingProcessCommandLine, RemoteIP, RemotePort, ReportId
| extend Name = tostring(split(InitiatingProcessAccountUpn, '@', 0)[0]),
         UPNSuffix = tostring(split(InitiatingProcessAccountUpn, '@', 1)[0])
// Timestamp and ReportId are required columns for a custom detection
| extend Timestamp = DeviceNetworkEvents_TimeGenerated, UserPrincipalName = InitiatingProcessAccountUpn
```

Example 2: Detect malicious file hashes using ThreatIntelIndicators. This query identifies matches in DeviceFileEvents for any file hash IOC from TI.

```kql
let dt_lookBack = 1h;   // device events time window (how far back to look at traffic)
let ioc_lookBack = 14d; // TI time window (how far back to read indicators)
// one row per file event and hash type, so SHA1 and SHA256 indicators can both match
let DeviceFileEvents_ = (union
    (DeviceFileEvents | where Timestamp > ago(dt_lookBack) | where isnotempty(SHA1) | extend FileHashValue = SHA1),
    (DeviceFileEvents | where Timestamp > ago(dt_lookBack) | where isnotempty(SHA256) | extend FileHashValue = SHA256));
let Hashes = DeviceFileEvents_ | distinct FileHashValue;
ThreatIntelIndicators
// extract key part of kv pair
| extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
| where IndicatorType == "file"
// ObservableKey looks like file:hashes.'SHA-256'; pull out the hash algorithm name
| extend FileHashType = replace("'", "", substring(ObservableKey, indexof(ObservableKey, "hashes.") + 7, strlen(ObservableKey) - indexof(ObservableKey, "hashes.") - 7))
| extend FileHashValue = ObservableValue
| extend IndicatorId = tostring(split(Id, "--")[2])
| where isnotempty(FileHashValue)
| where TimeGenerated > ago(ioc_lookBack)
// optional pre-filter: uncomment to narrow the indicator set to hashes seen on devices before the join
// | where FileHashValue in (Hashes)
| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
| where IsActive and (ValidUntil > now() or isempty(ValidUntil))
| extend Description = tostring(parse_json(Data).description)
| where Description !contains_cs "State: inactive;" and Description !contains_cs "State: falsepos;"
| project-reorder *, FileHashType, FileHashValue, Type
| join kind=innerunique (DeviceFileEvents_) on $left.FileHashValue == $right.FileHashValue
// compare the file event time (Timestamp), not the indicator's ingestion time, against the indicator expiry
| where isempty(ValidUntil) or Timestamp < ValidUntil
| summarize TimeGenerated = arg_max(Timestamp, *) by IndicatorId, DeviceId
| extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
| extend Description = tostring(parse_json(Data).description)
| extend ActivityGroupNames = extract(@"ActivityGroup:(\S+)", 1, tostring(parse_json(Data).labels))
| project TimeGenerated, TrafficLightProtocolLevel, Description, ActivityGroupNames, IndicatorId, FileHashValue,
          FileHashType, ValidUntil, Confidence, ActionType, DeviceId, DeviceName, FolderPath, RequestAccountDomain,
          RequestAccountName, RequestAccountSid, MachineGroup, ReportId
// Timestamp and ReportId are required columns for a custom detection
| extend Timestamp = TimeGenerated
```

Important notes

- Custom detections require certain columns in the query results, such as Timestamp and ReportId. For more information, see Create custom detection rules in Microsoft Defender XDR (Microsoft Learn).
- Use asset mappings and entity mappings. Prioritise mapping for high-value entities:
  - User accounts (for credential-based attacks)
  - Devices/hosts (for lateral movement)
  - IP addresses and domains (for network-based threats)
  - Files and processes (for malware execution)

Key benefits

- Cost optimization: no need to ingest Defender XDR data into Sentinel to correlate it with threat intelligence. This reduces data ingestion and retention costs significantly while maintaining full detection capability.
- Extended lookback: analyse historical data up to 30 days without additional storage costs.
- Enhanced threat context: leverage the ThreatIntelIndicators and ThreatIntelObjects tables to enrich alerts with threat actor details, confidence scores, and campaign context.
- Flexible and customizable detection logic: build custom KQL-based rules tailored to your organization’s threat landscape. Combine multiple data sources (including third-party, non-Microsoft sources) and enrich alerts with contextual threat intelligence.
- Faster, proactive threat detection: detect threats without waiting for data ingestion pipelines. Supports scheduled or near real-time queries, improving response times.

Key takeaway

Security teams can maximize the value of threat intelligence while optimizing costs. By reducing data duplication and enabling advanced correlation, organizations can strengthen their security posture without compromising efficiency.

Useful links

- Custom detection rules get a boost—explore what’s new in Microsoft Defender | Microsoft Community Hub
- Create custom detection rules in Microsoft Defender XDR - Microsoft Defender XDR | Microsoft Learn
- Threat intelligence - Microsoft Sentinel | Microsoft Learn

Permissions to see and manage sentinel workspace in Defender XDR
Hi Team,

One of my customers recently completed their Sentinel → Defender portal migration. Initially, I didn’t have access to view the Defender portal, but after the migration I was assigned the Security Operator role in Entra (via PIM), which now allows me to access the Defender portal. However, when I navigate to Defender portal → System → Settings → Microsoft Sentinel → Workspaces, I’m unable to view the available workspaces. The portal shows an insufficient permissions error, and I also cannot switch the primary/secondary workspace.

Could you please advise on the exact permissions/roles required to:
1. View the Sentinel workspace list in Defender, and
2. Switch the primary workspace?

Thanks in advance

Microsoft Sentinel’s AI-driven UEBA ushers in the next era of behavioral analytics
Co-author - Ashwin Patil Security teams today face an overwhelming challenge: every data point is now a potential security signal and SOCs are drowning in complex logs, trying to find the needle in the haystack. Microsoft Sentinel User and Entity Behavior Analytics (UEBA) brings the power of AI to automatically surface anomalous behaviors, helping analysts cut through the noise, save time, and focus on what truly matters. Microsoft Sentinel UEBA has already helped SOCs uncover insider threats, detect compromised accounts, and reveal subtle attack signals that traditional rule-based methods often miss. These capabilities were previously powered by a core set of high-value data sources - such as sign-in activity, audit logs, and identity signals - that consistently delivered rich context and accurate detections. Today, we’re excited to announce a major expansion: Sentinel UEBA now supports six new data sources including Microsoft first- and third-party platforms like Azure, AWS, GCP, and Okta, bringing deeper visibility, broader context, and more powerful anomaly detection tailored to your environment. This isn’t just about ingesting more logs. It’s about transforming how SOCs understand behavior, detect threats, and prioritize response. With this evolution, analysts gain a unified, cross-platform view of user and entity behavior, enabling them to correlate signals, uncover hidden risks, and act faster with greater confidence. Newly supported data sources are built for real-world security use cases: Authentication activities MDE DeviceLogonEvents – Ideal for spotting lateral movement and unusual access. AADManagedIdentitySignInLogs – Critical for spotting stealthy abuse of non - human identities. AADServicePrincipalSignInLogs - Identifying anomalies in service principal usage such as token theft or over - privileged automation. 
Cloud platforms & identity management AWS CloudTrail Login Events - Surfaces risky AWS account activity based on AWS CloudTrail ConsoleLogin events and logon related attributes. GCP Audit Logs - Failed IAM Access, Captures denied access attempts indicating reconnaissance, brute force, or privilege misuse in GCP. Okta MFA & Auth Security Change Events – Flags MFA challenges, resets, and policy modifications that may reveal MFA fatigue, session hijacking, or policy tampering. Currently supports the Okta_CL table (unified Okta connector support coming soon). These sources feed directly into UEBA’s entity profiles and baselines - enriching users, devices, and service identities with behavioral context and anomalies that would otherwise be fragmented across platforms. This will complement our existing supported log sources - monitoring Entra ID sign-in logs, Azure Activity logs and Windows Security Events. Due to the unified schema available across data sources, UEBA enables feature-rich investigation and the capability to correlate across data sources, cross platform identities or devices insights, anomalies, and more. AI-powered UEBA that understands your environment Microsoft Sentinel UEBA goes beyond simple log collection - it continuously learns from your environment. By applying AI models trained on your organization’s behavioral data, UEBA builds dynamic baselines and peer groups, enabling it to spot truly anomalous activity. UBEA builds baselines from 10 days (for uncommon activities) to 6 months, both for the user and their dynamically calculated peers. Then, insights are surfaced on the activities and logs - such as an uncommon activity or first-time activity - not only for the user but among peers. Those insights are used by an advanced AI model to identify high confidence anomalies. 
So, if a user signs in for the first time from an uncommon location, a common pattern in the environment due to reliance on global vendors, for example, then this will not be identified as an anomaly, keeping the noise down. However, in a tightly controlled environment, this same behavior can be an indication of an attack and will surface in the Anomalies table. Including those signals in custom detections can help affect the severity of an alert. So, while logic is maintained, the SOC is focused on the right priorities. How to use UEBA for maximum impact Security teams can leverage UEBA in several key ways. All the examples below leverage UEBA’s dynamic behavioral baselines looking back up to 6 months. Teams can also leverage the hunting queries from the "UEBA essentials" solution in Microsoft Sentinel's Content Hub. Behavior Analytics: Detect unusual logon times, MFA fatigue, or service principal misuse across hybrid environments. Get visibility into geo-location of events and Threat Intelligence insights. Here’s an example of how you can easily discover Accounts authenticating without MFA and from uncommonly connected countries using UEBA behaviorAnalytics table: BehaviorAnalytics | where TimeGenerated > ago(7d) | where EventSource == "AwsConsoleSignIn" | where ActionType == "ConsoleLogin" and ActivityType == "signin.amazonaws.com" | where ActivityInsights.IsMfaUsed == "No" | where ActivityInsights.CountryUncommonlyConnectedFromInTenant == True | evaluate bag_unpack(UsersInsights, "AWS_") | where InvestigationPriority > 0 // Filter noise - uncomment if you want to see low fidelity noise | project TimeGenerated, _WorkspaceId, ActionType, ActivityType, InvestigationPriority, SourceIPAddress, SourceIPLocation, AWS_UserIdentityType, AWS_UserIdentityAccountId, AWS_UserIdentityArn Anomaly detection Identify lateral movement, dormant account reactivation, or brute-force attempts, even when they span cloud platforms. 
Below are examples of how to discover UEBA Anomalous AwsCloudTrail anomalies via various UEBA activity insights or device insights attributes: Anomalies | where AnomalyTemplateName in ( "UEBA Anomalous Logon in AwsCloudTrail", // AWS ClousTrail anomalies "UEBA Anomalous MFA Failures in Okta_CL", "UEBA Anomalous Activity in Okta_CL", // Okta Anomalies "UEBA Anomalous Activity in GCP Audit Logs", // GCP Failed IAM access anomalies "UEBA Anomalous Authentication" // For Authentication related anomalies ) | project TimeGenerated, _WorkspaceId, AnomalyTemplateName, AnomalyScore, Description, AnomalyDetails, ActivityInsights, DeviceInsights, UserInsights, Tactics, Techniques Alert optimization Use UEBA signals to dynamically adjust alert severity in custom detections—turning noisy alerts into high-fidelity detections. The example below shows all the users with anomalous sign in patterns based on UEBA. Joining the results with any of the AWS alerts with same AWS identity will increase fidelity. BehaviorAnalytics | where TimeGenerated > ago(7d) | where EventSource == "AwsConsoleSignIn" | where ActionType == "ConsoleLogin" and ActivityType == "signin.amazonaws.com" | where ActivityInsights.FirstTimeConnectionViaISPInTenant == True or ActivityInsights.FirstTimeUserConnectedFromCountry == True | evaluate bag_unpack(UsersInsights, "AWS_") | where InvestigationPriority > 0 // Filter noise - uncomment if you want to see low fidelity noise | project TimeGenerated, _WorkspaceId, ActionType, ActivityType, InvestigationPriority, SourceIPAddress, SourceIPLocation, AWS_UserIdentityType, AWS_UserIdentityAccountId, AWS_UserIdentityArn, ActivityInsights | evaluate bag_unpack(ActivityInsights) Another example shows anomalous key vault access from service principal with uncommon source country location. Joining this activity with other alerts from the same service principle increases fidelity of the alerts. 
You can also join the "UEBA Anomalous Authentication" anomaly with other alerts for the same identity to bring the full power of UEBA into your detections.

BehaviorAnalytics
| where TimeGenerated > ago(1d)
| where EventSource == "Authentication" and SourceSystem == "AAD"
| evaluate bag_unpack(ActivityInsights)
| where LogonMethod == "Service Principal" and Resource == "Azure Key Vault"
| where ActionUncommonlyPerformedByUser == "True" and CountryUncommonlyConnectedFromByUser == "True"
| where InvestigationPriority > 0

Final thoughts

This release marks a new chapter for Sentinel UEBA, bringing together AI, behavioral analytics, and cross-cloud and identity management visibility to help defenders stay ahead of threats. If you haven't explored UEBA yet, now is the time: enable it in your workspace settings, and enable anomalies as well (under Anomalies settings). If you are already using it, these new sources will help you unlock even more value.

Stay tuned for our upcoming Ninja show and webinar (register at aka.ms/secwebinars), where we will dive deeper into use cases. Until then, explore the new sources, use the UEBA workbook, update your watchlists, and let UEBA do the heavy lifting.

UEBA onboarding and settings documentation
Identify threats using UEBA
UEBA enrichments and insights reference
UEBA anomalies reference
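As an added example (not from the blog or from the UEBA essentials solution), here is the alert optimization idea above carried through in Python over constructed rows: AWS alerts are joined to BehaviorAnalytics rows for the same AWS identity within a one-hour window, and each alert's severity is raised according to the UEBA InvestigationPriority and the uncommon-pattern flags in ActivityInsights. The priority bands, the join window, the severity ladder and the sample identities are assumptions for illustration; in Sentinel you would express the same join in the analytics rule's KQL.

```python
import json
from datetime import datetime, timedelta, timezone

SEVERITY_LADDER = ["Informational", "Low", "Medium", "High"]
JOIN_WINDOW = timedelta(hours=1)   # assumption: a UEBA row counts only if it sits within an hour of the alert

T = datetime(2025, 11, 18, 9, 0, tzinfo=timezone.utc)
ALICE = "arn:aws:iam::123456789012:user/alice"   # placeholder ARNs, not real accounts
BOB = "arn:aws:iam::123456789012:user/bob"
CAROL = "arn:aws:iam::123456789012:user/carol"
DAVE = "arn:aws:iam::123456789012:user/dave"

# Constructed rows shaped like the projected BehaviorAnalytics output of the query above.
# ActivityInsights is kept as the JSON text Sentinel stores in the dynamic column.
BEHAVIOR_ROWS = [
    {"TimeGenerated": T - timedelta(minutes=20), "AWS_UserIdentityArn": ALICE, "InvestigationPriority": 8,
     "SourceIPLocation": "Lagos, NG",
     "ActivityInsights": '{"FirstTimeUserConnectedFromCountry": true, "FirstTimeConnectionViaISPInTenant": true, "IsMfaUsed": "No"}'},
    {"TimeGenerated": T - timedelta(minutes=25), "AWS_UserIdentityArn": BOB, "InvestigationPriority": 2,
     "SourceIPLocation": "Dublin, IE",
     "ActivityInsights": '{"FirstTimeUserConnectedFromCountry": false, "FirstTimeConnectionViaISPInTenant": true, "IsMfaUsed": "Yes"}'},
    {"TimeGenerated": T - timedelta(hours=5), "AWS_UserIdentityArn": CAROL, "InvestigationPriority": 9,   # too old to join
     "SourceIPLocation": "Sao Paulo, BR",
     "ActivityInsights": '{"FirstTimeUserConnectedFromCountry": true, "IsMfaUsed": "No"}'},
]
# Constructed AWS alerts; Identity is whatever your alert maps the CloudTrail ARN into.
ALERTS = [
    {"AlertName": "AWS IAM policy attached to user", "Severity": "Low", "TimeGenerated": T, "Identity": ALICE},
    {"AlertName": "AWS IAM policy attached to user", "Severity": "Low", "TimeGenerated": T, "Identity": BOB},
    {"AlertName": "AWS IAM policy attached to user", "Severity": "Low", "TimeGenerated": T, "Identity": CAROL},
    {"AlertName": "AWS IAM policy attached to user", "Severity": "Low", "TimeGenerated": T, "Identity": DAVE},
]


def behavior_signals(row):
    """Names of the uncommon-pattern flags that fired, plus NoMfa when the sign-in skipped MFA."""
    insights = row["ActivityInsights"]
    if isinstance(insights, str):
        insights = json.loads(insights)
    reasons = [name for name, value in insights.items() if value is True]
    if insights.get("IsMfaUsed") == "No":
        reasons.append("NoMfa")
    return reasons


def severity_bump(row):
    """Levels to raise the alert by: assumed bands on the 0-10 InvestigationPriority, plus one for any flag."""
    reasons = behavior_signals(row)
    priority = row["InvestigationPriority"]
    bump = 2 if priority >= 7 else 1 if priority >= 4 else 0
    if reasons:
        bump += 1
    return bump, reasons


def enrich_alerts(alerts, behavior_rows, window=JOIN_WINDOW):
    """Join each alert to UEBA rows for the same identity inside the window and raise its severity."""
    enriched = []
    for alert in alerts:
        context = [r for r in behavior_rows
                   if r["AWS_UserIdentityArn"] == alert["Identity"]
                   and abs(r["TimeGenerated"] - alert["TimeGenerated"]) <= window
                   and r["InvestigationPriority"] > 0]          # same noise filter as the query
        best_bump, reasons = 0, []
        for row in context:
            bump, why = severity_bump(row)
            if bump > best_bump:
                best_bump, reasons = bump, why
        level = SEVERITY_LADDER.index(alert["Severity"])
        new_level = min(level + best_bump, len(SEVERITY_LADDER) - 1)
        enriched.append({**alert, "Severity": SEVERITY_LADDER[new_level],
                         "OriginalSeverity": alert["Severity"], "UEBAReasons": reasons})
    return enriched


if __name__ == "__main__":
    for a in enrich_alerts(ALERTS, BEHAVIOR_ROWS):
        print(a["Identity"].rsplit("/", 1)[-1], a["OriginalSeverity"], "->", a["Severity"], a["UEBAReasons"])
```

Alerts with no UEBA context in the window (dave, and carol whose anomalous sign-in was five hours earlier) keep their base severity; the reasons list is what you would surface in the alert's custom details so the analyst sees why the severity was raised.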
XDR advanced hunting region specific endpoints

Hi,

I am exploring the XDR advanced hunting API to fetch data specific to Microsoft Defender for Endpoint tenants. The official documentation (https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) mentions switching to the Microsoft Graph advanced hunting API. I had the questions below related to it:

1. To fetch the region-specific (US, China, Global) token and Microsoft Graph service root endpoints (https://learn.microsoft.com/en-us/graph/deployments#app-registration-and-token-service-root-endpoints), is the recommended way to fetch the OpenID configuration document (https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc#fetch-the-openid-configuration-document) for a tenant ID and, based on the response, fetch the region-specific SERVICE/TOKEN endpoints? Using it, there is no need to maintain different endpoints for tenants in different regions. And do we use the global service URL https://login.microsoftonline.com to fetch the OpenID config document for a tenant ID in any region?

2. As per the documentation, the Microsoft Graph advanced hunting API is not supported in the China region (https://learn.microsoft.com/en-us/graph/api/security-security-runhuntingquery?view=graph-rest-1.0&tabs=http). In this case, is it recommended to use the Microsoft XDR advanced hunting APIs (https://learn.microsoft.com/en-us/defender-xdr/api-advanced-hunting) to support tenants in all regions (China, US, Global)?
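One way to do what question 1 describes, as an added example that is not part of the question or of any Microsoft sample: read the tenant's v2.0 OpenID configuration document, take the token endpoint and the Graph host from it, and refuse anything that is not on a known Microsoft login or Graph domain, so a mistyped or attacker-supplied tenant ID can never redirect client credentials elsewhere. The field names used (token_endpoint, issuer, tenant_region_scope, cloud_instance_name, msgraph_host) are the ones the Entra discovery document carries; the two sample documents below are constructed, the tenant ID is a placeholder, and the China-cloud host values in particular should be checked against a real China tenant before relying on them. The graph_hunting_available flag simply encodes the China-cloud limitation the question cites, so a caller can fall back to the XDR API there.

```python
import json
import urllib.request
from urllib.parse import urlparse

DISCOVERY_URL = "https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration"

# Allowlists: a discovery document is only trusted if it points at known Microsoft hosts,
# so a wrong or attacker-supplied tenant ID cannot send client credentials anywhere else.
KNOWN_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoftonline.us",
                     "login.partner.microsoftonline.cn", "login.chinacloudapi.cn"}
KNOWN_GRAPH_HOSTS = {"graph.microsoft.com", "graph.microsoft.us",
                     "dod-graph.microsoft.us", "microsoftgraph.chinacloudapi.cn"}
# The question notes that Graph's runHuntingQuery is not offered in the China cloud.
GRAPH_HUNTING_UNAVAILABLE = {"microsoftgraph.chinacloudapi.cn"}

SAMPLE_TENANT = "11111111-2222-3333-4444-555555555555"   # placeholder, not a real tenant
# Constructed, trimmed discovery documents; field names follow the Entra v2.0 metadata.
SAMPLE_GLOBAL = json.loads(f"""{{
  "token_endpoint": "https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/token",
  "authorization_endpoint": "https://login.microsoftonline.com/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
  "issuer": "https://login.microsoftonline.com/{SAMPLE_TENANT}/v2.0",
  "tenant_region_scope": "NA",
  "cloud_instance_name": "microsoftonline.com",
  "msgraph_host": "graph.microsoft.com"
}}""")
SAMPLE_CHINA = json.loads(f"""{{
  "token_endpoint": "https://login.partner.microsoftonline.cn/{SAMPLE_TENANT}/oauth2/v2.0/token",
  "authorization_endpoint": "https://login.partner.microsoftonline.cn/{SAMPLE_TENANT}/oauth2/v2.0/authorize",
  "issuer": "https://login.partner.microsoftonline.cn/{SAMPLE_TENANT}/v2.0",
  "tenant_region_scope": "AS",
  "cloud_instance_name": "partner.microsoftonline.cn",
  "msgraph_host": "microsoftgraph.chinacloudapi.cn"
}}""")


def fetch_discovery(tenant_id, timeout=10):
    """Live lookup through the global login host (not exercised by the offline samples)."""
    with urllib.request.urlopen(DISCOVERY_URL.format(tenant=tenant_id), timeout=timeout) as resp:
        return json.load(resp)


def resolve_hunting_endpoints(doc, tenant_id):
    """Derive the token endpoint, Graph scope and advanced hunting URL from a discovery document."""
    token_endpoint = doc["token_endpoint"]
    parsed = urlparse(token_endpoint)
    if parsed.scheme != "https" or parsed.hostname not in KNOWN_LOGIN_HOSTS:
        raise ValueError(f"unexpected token endpoint: {token_endpoint}")
    if tenant_id not in doc.get("issuer", ""):
        raise ValueError("issuer does not reference the requested tenant")
    graph_host = doc.get("msgraph_host")
    if graph_host not in KNOWN_GRAPH_HOSTS:
        raise ValueError(f"unexpected Graph host: {graph_host}")
    return {
        "token_endpoint": token_endpoint,
        "scope": f"https://{graph_host}/.default",
        "hunting_url": f"https://{graph_host}/v1.0/security/runHuntingQuery",
        "graph_hunting_available": graph_host not in GRAPH_HUNTING_UNAVAILABLE,
        "region_scope": doc.get("tenant_region_scope"),
        "cloud": doc.get("cloud_instance_name"),
    }


if __name__ == "__main__":
    for name, doc in (("global", SAMPLE_GLOBAL), ("china", SAMPLE_CHINA)):
        print(name, resolve_hunting_endpoints(doc, SAMPLE_TENANT))
```

In production the document comes from fetch_discovery(tenant_id), and the returned scope is what you request when getting the client-credentials token before calling hunting_url.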
Microsoft Sentinel for SAP Agentless connector GA

Dear Community,

Today is the day: our new agentless connector for the Microsoft Sentinel solution for SAP applications is generally available! It is fully onboarded to SAP's official Business Accelerator Hub and ready for prime time wherever your SAP systems are waiting to be protected: on-premises, hyperscalers, RISE, or GROW.

Let's hear from an agentless customer:

"With the Microsoft Sentinel Solution for SAP and its new agentless connector, we accelerated deployment across our SAP landscape without the complexity of containerized agents. This streamlined approach elevated our SOC's visibility into SAP security events, strengthened our compliance posture, and enabled faster, more informed incident response." SOC Specialist, North American aviation company

Use the video below to kick off your own agentless deployment today. #Kudos to the amazing mvigilante for showing us around the new connector!

But we didn't stop there! Security is being reengineered for the AI era, moving from static, rule-based controls to platform-driven, machine-speed defence that anticipates threats before they strike. Attackers think in graphs; Microsoft does too. We are bringing relationship-aware context to Microsoft Security so defenders and AI can see connections, understand the impact of a potential compromise (blast radius), and act faster across pre-breach and post-breach scenarios, including SAP systems, your crown jewels. See it in action in the phishing compromise below, which led to an SAP login bypassing MFA, followed by operating-system activity on the SAP host downloading trojan software. Enjoy this clickable experience for more details on the scenario.

Image: shows how a phishing compromise escalated to an SAP MFA bypass, highlighting cross-domain correlation.

The Sentinel solution for SAP has AI first in mind and integrates directly with our security platform in the Defender portal for enterprise-wide signal correlation, Security Copilot reasoning, and Sentinel data lake usage.
Your real-time SAP detections run on the analytics tier for instant results and threat hunting, while the same SAP logs are mirrored to the lake for cost-efficient long-term storage (up to 12 years). Access that data for compliance reporting or historic analysis through KQL jobs on the lake. No more "yes, I have the data stored somewhere" to tick the audit report box: you can query and use your SAP telemetry in long-term storage at scale. Learn more here.

Findings from the agentless connector preview

During the preview we learned that the majority of customers immediately benefit from the far smoother onboarding experience compared to the Docker-based approach. Deployment effort and time to first SAP log arrival in Sentinel went from days and weeks to hours.

⚠️ Deprecation notice for the containerized data connector agent ⚠️

The containerized SAP data connector will be deprecated on 30 September 2026. This change aligns with the discontinuation of the SAP RFC SDK, SAP's strategic integration roadmap, and customer demand for simpler integration. Migrate to the new agentless connector for simplified onboarding and compliance with SAP's roadmap. All new deployments starting October 31, 2025 will only have the agentless connector option, and existing customers should plan their migration using the guidance on Microsoft Learn. The agentless connector is billed at the same price as the containerized agent, so there is no cost impact for customers.

Note 📌: To support the transition for those of you on the Docker-based data connector, we have enhanced the built-in KQL functions for SAP to work across data sources for hybrid and parallel execution.

Spotlight on new features

Inspired by the feedback of early adopters, we are shipping two of the most requested capabilities with GA right away.

Customizable polling frequency: balance threat detection value (1-minute intervals give the best value) against utilization of SAP Integration Suite resources, based on your needs. ⚠️ Warning: longer intervals mean more rows per poll, and messages may be truncated at the max-rows limit to avoid saturating SAP Cloud Integration (CPI). See this blog for more insights, and refer to the max-rows parameter and the SAP documentation to make an informed decision.

Customizable API endpoint path suffix: flexible endpoints let you run all your SAP security integration flows from the agentless connector while adhering to your naming strategy. You can also add community extensions such as SAP S/4HANA Cloud public edition (GROW), the SAP Table Reader, and more.

Image: the simplified onboarding flow for the agentless SAP connector.

You want more? Here is your chance to share additional feature requests and influence our backlog. We would like to hear from you!

Getting started with agentless

The new agentless connector appears automatically in your environment; make sure to upgrade to version 3.4.05 or higher.

Image: Sentinel Content Hub view, highlighting the agentless SAP connector tile in the Microsoft Defender portal, ready for one-click deployment and integration with your security platform.

The deployment experience in Sentinel is fully automatic with a single button click: it creates the Azure Data Collection Endpoint (DCE), the Data Collection Rule (DCR), and a Microsoft Entra ID app registration assigned the RBAC role "Monitoring Metrics Publisher" on the DCR to allow SAP log ingestion.

Explore partner add-ons that build on top of agentless

The ISV partner ecosystem for the Microsoft Sentinel solution for SAP is growing to tailor the agentless offering even further. The current cohort includes flagship providers such as our co-engineering partner SAP SE, with its security products SAP LogServ and SAP Enterprise Threat Detection (ETD), and our mutual partners Onapsis and SecurityBridge.

Ready to go agentless?
➤ Get started from here
➤ Explore partner add-ons here
➤ Share feature requests here
Next steps

Once deployed, I recommend checking AryaG's insightful blog series for details on how to move to production with the built-in SAP content of agentless. Looking to expand protection to SAP Business Technology Platform? Here you go.

#Kudos to the amazing Sentinel for SAP team and our incredible community contributors!

That's a wrap 🎬. Remember: bringing SAP under the protection of your central SIEM isn't just a checkbox; it's essential for comprehensive security and compliance across your entire IT estate.

Cheers,
Martin

Operationalizing the Sentinel data lake: A Practitioner's Guide
This article is part of the Sentinel data lake Practitioner Series. Part 1 focuses on operationalizing the Sentinel data lake and on our strategic vision for customers. The series is evolving based on input and feedback from the community and covers the components needed to turn raw security data and workflows into an operational security engine.

Why this series?

Microsoft recently announced the Sentinel data lake, unlocking massive potential for security teams. Security data lakes are the foundation of modern detection and investigation. This blog series is designed to help you fully leverage your Sentinel data lake investment, providing practical tools, actionable workflows, and analyst-ready templates that simplify querying data-lake-tier data and let SOC teams turn raw logs into meaningful security insights. With the right guidance, you can maximize the value you get from your Sentinel data lake.

The Microsoft Security research team has worked extensively on modular Jupyter notebooks, Python-based data analysis, enrichment and visualization libraries, and security-driven analysis workflows at scale. We believe the key to adoption lies in researcher-driven operationalization: bringing these methods directly to practitioners in ways they can use immediately.

Strategic vision for operationalization of the Sentinel data lake

Our approach centers on researcher-led enablement with ready-to-use workflows and customer community activation. The infographic above outlines four building blocks that bring a security data lake to life:

1. Researcher-curated and community-powered content hub
- Researcher-curated GitHub repository.
- Shared notebooks, detection templates, and models.
- Continuous contributions from security researchers and the community.

2. Notebook and model templates
- Jupyter and VS Code notebooks tailored for analyst use.
- ML/GenAI models tailored for security data enrichment and anomaly detection.
- Modular queries for detections and investigations.
3. Historical data enablement
- Analytics-tier to data-lake-tier automation for cost-efficient historical queries.
- Dynamic baselining over months or years of logs to tune detections.
- Unlocking long-tail investigation scenarios that would otherwise stay dormant.

4. Practical real-world use cases
- Historical threat hunting on network, identity, and cloud logs.
- Dynamic detection tuning at scale.
- GenAI-powered investigations.
- Post-incident deep dives to uncover the full blast radius.

Getting started notebook: building familiarity with the data lake framework

Before diving into advanced workflows, we have published a Getting Started notebook designed to help practitioners quickly onboard to the Sentinel data lake environment. It introduces foundational concepts that are used across the subsequent examples and pipelines.

What it covers:

- Connecting to the data lake: establish authenticated Spark sessions and securely read data from the Sentinel data lake workspace.
- Exploring data with Apache Spark: a short hands-on tour using PySpark to inspect schema, preview records, and perform lightweight data transformations at scale.
- Writing back to the lake: persist processed or enriched datasets back to the data lake tier for reuse in analytic notebooks and downstream detection pipelines, promoting them to the analytics tier when they need to drive detections.
- Running modular pipelines: step through a simple example of how pipeline jobs ingest raw security logs (for example, SigninLogs), apply filters and enrichments, and output ready-to-use tables for later detection development.

This foundational notebook ensures analysts and engineers are comfortable with the basic Spark plus Sentinel data lake interaction model, the same model used in the advanced operational notebooks later in this series (for example, the password spray detection and anomaly detection workflows).

Our commitment

This blog series will serve as a practitioner's guide for operationalizing security data lakes.
In the following weeks we will gradually deliver:

- Modular notebook templates to accelerate hunting, baselining, and investigations.
- End-to-end workflows connecting data lake tier → analytics tier → Sentinel detections.
- Enrichment and GenAI-driven tools to reduce repetitive manual work and investigation friction.
- Reusable examples and walkthroughs based on real-world, high-volume data sources.

Our goal is to make the Sentinel data lake practical for customers by delivering actionable notebooks, workflows, and enablement.

Expected outcomes for customers

By operationalizing the Sentinel data lake in this way, enterprise customers can expect:

- Reduced time to value: analysts can move from raw logs to actionable detections in days, not months.
- Improved detection quality: long-term baselining and historical analysis reduce false positives and increase the fidelity of your detections.
- Operational efficiency: automated enrichment and packaged workflows minimize manual investigation effort.
- Cost optimization: analytics-tier to data-lake-tier workflows avoid expensive ad-hoc queries and make historical data practical to use.

Join the journey

This series is built by practitioners, for practitioners. Alongside the blogs, we will also share:

- A GitHub repository with reusable notebooks and model templates.
- Webinars and demos that walk through the workflows.

Together, we will move beyond storage and make the security data lake truly operational, analyst-friendly, and impactful. Upcoming articles will demonstrate how notebooks and templates turn research into analyst-ready workflows, with practical notebook examples available on GitHub.

What's next?

Join us at Microsoft Ignite in San Francisco on November 17–21, or online, November 18–20, for deep dives and practical labs to help you maximize your Microsoft Defender investments and get more from the Microsoft capabilities you already use.
Security is a core focus at Ignite this year, with the Security Forum on November 17, deep-dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners.

Featured sessions

- BRK237: Identity Under Siege: Modern ITDR from Microsoft. Join experts in identity and security to hear how Microsoft is streamlining collaboration across teams and helping customers better protect, detect, and respond to threats targeting your identity fabric.
- BRK240: Endpoint security in the AI era: What's new in Defender. Discover how Microsoft Defender's AI-powered endpoint security empowers you to do more, better, faster.
- BRK236: Your SOC's ally against cyber threats, Microsoft Defender Experts. See how Defender Experts detect, halt, and manage threats for you, with real-world outcomes and demos.
- LAB541: Defend against threats with Microsoft Defender. Get hands-on with Defender for Office 365 and Defender for Endpoint, from onboarding devices to advanced attack mitigation.

Explore and filter the full security catalog by topic, format, and role: aka.ms/SessionCatalogSecurity.

Why attend? Ignite is the place to learn about the latest Defender capabilities, including new agentic AI integrations and unified threat protection. We will also share future-facing innovations in Defender, as part of our ongoing commitment to autonomous defense.

Security Forum: make day 0 count (November 17). Kick off with an immersive, in-person pre-day focused on strategic security discussions and real-world guidance from Microsoft leaders and industry experts. Select Security Forum during registration.

Register for Microsoft Ignite >

Unified detection rule management
Hi,

I attended the webinar yesterday regarding the new unified custom detection rules in Defender XDR. I was wondering about the management of a library of rules. As with any SOC, our solution has a library of custom rules which we manage in a release cycle for a number of clients in different tenants. To avoid having to manage rules individually we use the JSON approach, importing the library so it updates the rules that we need to tune. Currently I'm not seeing an option to import unified detection rules in Defender XDR via JSON. Is that a feature that will be added?

Thanks,
Ziv

Automating IOC hunts in Microsoft Sentinel data lake
Security operations are undergoing a significant transformation, driven by the introduction of AI and a rapidly evolving threat landscape. With Microsoft Sentinel data lake now generally available, organizations can centralize all their security data in a purpose-built security data lake. This optimizes costs, simplifies data management, and accelerates the adoption of AI in security operations, letting defenders move beyond legacy security controls to advanced analytics and automation for more dynamic and effective protection.

A key advantage of the Sentinel data lake is its cost efficiency, which makes it well suited to ingesting and retaining large volumes of security logs, such as network logs, without high expense or reduced coverage. By keeping all security data in a unified, cost-effective data lake, organizations gain comprehensive, long-term visibility for historical threat hunting and TI matching, enabling investigations across extended timelines without the prohibitive costs of traditional analytics solutions.

In this blog we explore how security teams can use KQL jobs in the Sentinel data lake to automate threat hunting and threat intelligence matching across network logs, enabling scalable, cost-effective, continuous threat detection. With these jobs, SOCs can process large volumes of data and transform raw logs into actionable insights with minimal manual intervention.

What are KQL jobs?

KQL jobs in the Sentinel data lake are automated one-time or scheduled jobs that run Kusto Query Language (KQL) queries against the data lake. They help security teams investigate and hunt for threats by automating work such as checking logs against known threat data. By automating tasks such as IOC matching against historical or high-volume data, analysts can concentrate on higher-value activities, which results in more effective threat detection and response.
The next section demonstrates how to use the data lake for threat intelligence (TI) matching across network logs.

IOC matching on network logs in the data lake

Network logs, such as firewall and proxy data, are essential for uncovering advanced threats and supporting investigations. However, storing all of this data in the analytics tier is often expensive, leading to reduced retention and potential blind spots. With the Sentinel data lake, SOCs can store all their raw telemetry at a fraction of the cost, making it possible to hunt for threats across a much broader timeline without financial constraints.

Simply storing data isn't enough, though. To turn raw logs into actionable insights, SOC teams need to automate both summarization and TI matching. Scheduled KQL jobs make this possible by scanning new data on a schedule as it arrives in the data lake and surfacing suspicious activity for analyst review.

Schedule a KQL job for TI matching on network logs

Here is a practical example of how a SOC can use a scheduled KQL job to summarize network activity and correlate it with threat intelligence indicators. In this scenario, a KQL job identifies network log entries from Palo Alto firewalls that match known malicious IPs from the ThreatIntelIndicators table. The output is the complete network log row, enriched with the relevant threat intelligence fields for further investigation and response.
Create your query:

let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
let dt_lookBack = 75m;   // Look back 75 minutes for CommonSecurityLog events: a 60-minute schedule plus 15 minutes of overlap
let ioc_lookBack = 14d;  // Look back 14 days for threat intelligence indicators
// Fetch threat intelligence indicators related to IP addresses
let IP_Indicators = ThreatIntelIndicators
    // Extract the key part of the ObservableKey key/value pair, e.g. "ipv4-addr" from "ipv4-addr:value"
    | extend IndicatorType = replace(@"\[|\]|\""", "", tostring(split(ObservableKey, ":", 0)))
    | where IndicatorType in ("ipv4-addr", "ipv6-addr", "network-traffic")
    | extend NetworkSourceIP = toupper(ObservableValue)
    | extend TrafficLightProtocolLevel = tostring(parse_json(AdditionalFields).TLPLevel)
    | where TimeGenerated >= ago(ioc_lookBack)
    | extend TI_ipEntity = NetworkSourceIP
    // Drop private, link-local, loopback and unspecified addresses: they can never be a meaningful external match
    | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."
    // Keep only the latest revision of each indicator
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by Id, ObservableValue
    | where IsActive and (ValidUntil > now() or isempty(ValidUntil));
// Perform a join between IP indicators and CommonSecurityLog events
IP_Indicators
| project-reorder *, Tags, TrafficLightProtocolLevel, NetworkSourceIP, TI_ipEntity
// Use innerunique to keep performance fast and the result set small: one match is enough to indicate activity that needs investigation
| join kind=innerunique (
    CommonSecurityLog
    | where TimeGenerated >= ago(dt_lookBack)
    | extend MessageIP = extract(IPRegex, 0, Message)
    // Prefer a public SourceIP, otherwise the DestinationIP, otherwise an IP parsed out of the message text
    | extend CS_ipEntity = iff((not(ipv4_is_private(SourceIP)) and isnotempty(SourceIP)), SourceIP, DestinationIP)
    | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)
    | extend CommonSecurityLog_TimeGenerated = TimeGenerated
) on $left.TI_ipEntity == $right.CS_ipEntity
// Filter out logs that occurred after the expiration of the corresponding indicator; indicators without an expiry are kept
| where isempty(ValidUntil) or CommonSecurityLog_TimeGenerated < ValidUntil
// Group the results by indicator Id and CS_ipEntity, and keep the log entry with the latest timestamp
| summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by Id, CS_ipEntity
// Select the desired output fields
| project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, Id, ValidUntil, Confidence, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction

Source: Microsoft Sentinel GitHub repo.

Before submitting a KQL job, you may want to test the query interactively on the KQL queries page.

Create a KQL job: to match new logs periodically, schedule this job to run every hour so it summarizes the latest network log entries and matches them against the latest IOCs in ThreatIntelIndicators. To avoid missing any logs, add an overlap between the lookback and the schedule so that every log line is scanned at least once.
For example, set the lookback to the last 75 minutes and run the job every 60 minutes, so each run re-scans the last 15 minutes of the previous window. Because the windows overlap, the same event can be matched by two consecutive runs; de-duplicate on indicator Id, matched IP and event timestamp in whatever consumes the results. KQL jobs can run ad hoc or on a schedule at your preferred frequency (by minutes, hourly, daily, weekly or monthly), automatically summarizing new network activity and highlighting matches with known malicious indicators. Analysts can then focus on the most relevant events, accelerating investigations and reducing noise. Results are automatically available in the analytics tier and can be used to set up automated detection with analytics rules.

The cost of running KQL jobs in the Sentinel data lake depends on the volume of data scanned and how frequently the jobs run. Data lake KQL queries and jobs are priced at $0.005 per GB scanned. For example, if a KQL job scans 1 TB of data daily, the monthly cost would be around $150 USD. This pricing model lets organizations perform large-scale threat hunting and intelligence matching without the high expenses typically associated with traditional SIEMs. For more details on Microsoft Sentinel data lake costs for KQL queries and jobs, see https://azure.microsoft.com/en-us/pricing/calculator.

Summary and next steps

Threat hunting at scale within the Sentinel data lake is simplified with KQL jobs. SOC teams can use this method for various hunting and anomaly detection scenarios, such as aggregating and correlating network logs with threat intelligence, improving visibility, agility and assurance, and transforming raw telemetry into actionable security insights. KQL jobs provide several benefits:

- Continuous threat coverage: scheduled KQL jobs automatically correlate high-volume logs that live in the data lake with up-to-date threat intelligence, minimizing detection gaps and blind spots.
- Efficient use of resources: automating TI matching saves analysts from repetitive queries, so they can focus on investigating validated matches rather than sifting through raw logs.
- Faster response times: suspicious connections flagged within minutes or every hour enable quicker triage and containment before threats escalate.
- Historical context: matches are retained against long-term, high-volume logs, so analysts can trace patterns of malicious activity over time and support deeper investigations.

Get started with Microsoft Sentinel data lake today.

Microsoft Sentinel data lake overview - Microsoft Security | Microsoft Learn
KQL and the Microsoft Sentinel data lake - Microsoft Security | Microsoft Learn
Microsoft Sentinel Pricing | Microsoft Security
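To make the scheduled job's behaviour concrete, here is the matching logic of the TI query above re-implem​ented in Python over constructed rows (an added example, not code from the Sentinel repository or the data lake). It keeps only the latest active revision of each indicator, drops RFC 1918, loopback and link-local addresses the way ipv4_is_private and the prefix checks do, picks each log's IP entity with the same precedence as the KQL, enforces the indicator expiry only when one is set, keeps the newest event per (indicator, IP), and shows why a 75-minute lookback matters on a 60-minute schedule: with a 60-minute window the event that is 70 minutes old is missed. The indicator and firewall rows are constructed with RFC 5737 documentation addresses, not real IOCs.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

IP_RE = re.compile(r"[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}")
RUN_TIME = datetime(2025, 11, 18, 12, 0, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible
IOC_LOOKBACK_DAYS = 14          # ioc_lookBack in the query
DT_LOOKBACK_MINUTES = 75        # dt_lookBack: 60-minute schedule plus 15 minutes of overlap

# Same scope as KQL ipv4_is_private() plus the loopback/link-local prefix checks in the query.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

T = RUN_TIME
# Constructed ThreatIntelIndicators-style rows using RFC 5737 documentation addresses (not real IOCs).
TI_ROWS = [
    {"Id": "ind-1", "TimeGenerated": T - timedelta(days=1), "ObservableKey": "ipv4-addr:value",
     "ObservableValue": "203.0.113.10", "IsActive": True, "ValidUntil": T + timedelta(days=30), "Confidence": 80},
    {"Id": "ind-1", "TimeGenerated": T - timedelta(days=6), "ObservableKey": "ipv4-addr:value",   # superseded revision
     "ObservableValue": "203.0.113.10", "IsActive": True, "ValidUntil": T - timedelta(days=1), "Confidence": 50},
    {"Id": "ind-2", "TimeGenerated": T - timedelta(days=3), "ObservableKey": "ipv4-addr:value",   # no expiry set
     "ObservableValue": "198.51.100.7", "IsActive": True, "ValidUntil": None, "Confidence": 60},
    {"Id": "ind-3", "TimeGenerated": T - timedelta(days=1), "ObservableKey": "ipv4-addr:value",   # RFC 1918: ignored
     "ObservableValue": "10.0.0.5", "IsActive": True, "ValidUntil": None, "Confidence": 90},
    {"Id": "ind-4", "TimeGenerated": T - timedelta(days=1), "ObservableKey": "ipv4-addr:value",   # revoked
     "ObservableValue": "192.0.2.99", "IsActive": False, "ValidUntil": None, "Confidence": 90},
]
# Constructed CommonSecurityLog-style firewall rows.
CSL_ROWS = [
    {"TimeGenerated": T - timedelta(minutes=10), "SourceIP": "10.1.2.3", "DestinationIP": "203.0.113.10",
     "Message": "allow tcp 10.1.2.3 -> 203.0.113.10:443"},
    {"TimeGenerated": T - timedelta(minutes=70), "SourceIP": "198.51.100.7", "DestinationIP": "10.9.9.9",
     "Message": "deny tcp 198.51.100.7 -> 10.9.9.9:22"},               # only inside the 75-minute window
    {"TimeGenerated": T - timedelta(minutes=90), "SourceIP": "10.1.2.3", "DestinationIP": "203.0.113.10",
     "Message": "allow tcp 10.1.2.3 -> 203.0.113.10:443"},            # outside the window: scanned by the last run
    {"TimeGenerated": T - timedelta(minutes=5), "SourceIP": "", "DestinationIP": "",
     "Message": "threat log: outbound to 203.0.113.10 blocked"},      # IP only in the message text
    {"TimeGenerated": T - timedelta(minutes=3), "SourceIP": "10.5.5.5", "DestinationIP": "10.0.0.5",
     "Message": "allow tcp 10.5.5.5 -> 10.0.0.5:445"},                # private destination: never matches
]


def is_candidate_ip(value):
    """True for addresses worth matching: not RFC 1918, loopback, link-local or unspecified."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    if ip.version == 6:
        return not (ip.is_loopback or ip.is_link_local or ip.is_unspecified)
    return not any(ip in net for net in NON_ROUTABLE)


def active_indicators(ti_rows, now=RUN_TIME):
    """Latest revision per (Id, value) within the IOC lookback that is active, unexpired and routable."""
    latest = {}
    for r in ti_rows:
        if r["TimeGenerated"] < now - timedelta(days=IOC_LOOKBACK_DAYS):
            continue
        if r["ObservableKey"].split(":", 1)[0] not in ("ipv4-addr", "ipv6-addr", "network-traffic"):
            continue
        key = (r["Id"], r["ObservableValue"])
        if key not in latest or r["TimeGenerated"] > latest[key]["TimeGenerated"]:
            latest[key] = r
    return [r for r in latest.values()
            if r["IsActive"] and (r["ValidUntil"] is None or r["ValidUntil"] > now)
            and is_candidate_ip(r["ObservableValue"])]


def entity_ip(event):
    """Same precedence as the KQL: public SourceIP, else DestinationIP, else the first IP in Message."""
    src, dst = event.get("SourceIP") or "", event.get("DestinationIP") or ""
    chosen = src if (src and is_candidate_ip(src)) else dst
    if not chosen:
        m = IP_RE.search(event.get("Message") or "")
        chosen = m.group(0) if m else ""
    return chosen


def match_indicators(ti_rows, csl_rows, now=RUN_TIME, lookback_minutes=DT_LOOKBACK_MINUTES):
    """Return {(indicator Id, matched IP): newest matching event}, as the final summarize does."""
    by_ip = {}
    for ind in active_indicators(ti_rows, now):
        by_ip.setdefault(ind["ObservableValue"].upper(), []).append(ind)
    hits = {}
    for ev in csl_rows:
        if ev["TimeGenerated"] < now - timedelta(minutes=lookback_minutes):
            continue
        ip = entity_ip(ev).upper()
        for ind in by_ip.get(ip, []):
            # Enforce the expiry only when the indicator has one; an open-ended indicator must not be dropped here.
            if ind["ValidUntil"] is not None and ev["TimeGenerated"] >= ind["ValidUntil"]:
                continue
            key = (ind["Id"], ip)
            if key not in hits or ev["TimeGenerated"] > hits[key]["TimeGenerated"]:
                hits[key] = {**ev, "IndicatorId": ind["Id"], "Confidence": ind["Confidence"]}
    return hits


if __name__ == "__main__":
    for key, ev in match_indicators(TI_ROWS, CSL_ROWS).items():
        print(key, ev["TimeGenerated"].isoformat(), ev["Message"])
    print("with a 60-minute window:", len(match_indicators(TI_ROWS, CSL_ROWS, lookback_minutes=60)), "match(es)")
```

Run it with the 75-minute default and both indicators match; run it with lookback_minutes=60 and the 70-minute-old event drops out, which is the gap the overlap is there to close. Because consecutive runs overlap, the same (Id, IP, timestamp) can surface twice; de-duplicate on that key before the results feed an analytics rule.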