Microsoft Sentinel

Transitioning from the HTTP Data Collector API to the Log Ingestion API… What does it mean for me?
This article is co-authored by Andrea Fisher, Brian Delaney, and Jon Shectman (Microsoft Customer Success Unit).

Many customers have recently received an email sharing the information that the HTTP Data Collector API will be retired on September 14, 2026. What exactly does that mean for you? Either you have deployed a built-in Microsoft Sentinel Data Connector that is using the HTTP Data Collector API or you have configured a custom connector of your own that uses the API. In this blog, we’ll explain why you got (or will receive) this notification, what’s at stake, and what actions you need to take.

But first, what is the HTTP Data Collector API anyway?

The HTTP Data Collector API is nothing more than a set of rules and protocols governing (you guessed it!) data collection – in this case to Azure Monitor (a “back end” for Microsoft Sentinel). This API has been deprecated in favor of a newer, improved API, the Azure Monitor Logs Ingestion API. Here is a copy of the email:

What actions should I take?

As you can see, the Account Information section only lists the Subscription name and ID that are calling the old API. It doesn’t state how your organization is calling it. Below are three possibilities:

Do you have a custom application that you built or licensed?
Do you have any custom data connectors (likely built as either Azure Functions or codeless connectors)?
You have a data connector from the in-product Content Hub, provided by Microsoft or one of our partner ISVs – that will be rewritten prior to the API deprecation date.

It’s also possible that you could be using more than one of the above methods in your workspace or in more than one workspace in your subscription. There are several steps you can take to start discovering your usage of this deprecated API. In your Log Analytics workspace, navigate to Settings, then Tables and examine the Type column. Any table built with data from the deprecated API will be of type Custom table (classic).
Remember, some of these tables may not be in use anymore; there are many ways to identify tables that are in active use. One way is with a simple query, as in this example:

InformationProtectionLogs_CL | where TimeGenerated > ago(90d)

You could also examine the Usage and estimated costs chart in Log Analytics, or if you want to check regularly over time you could set up a log search alert rule.

Now let’s examine built-in data connectors that use the deprecated API. Generally, they specify their usage in the details:

To remediate: If you discover a custom application or data connector, you will need to follow these steps to transition to the Logs Ingestion API before the retirement date. We recommend that you do not wait but start the process early to give your organization time to thoroughly test and migrate all applications and connectors. For built-in data connectors, you’ll need to watch the Content Hub for updates and guidance as shown in these two screenshots:

Advantages of the Azure Monitor Logs Ingestion API

There are numerous advantages to using the new API:

It supports transformations, which enable you to modify the data before it's ingested into the destination table, including filtering and data manipulation.
It allows you to send data to supported Azure tables or to custom tables that you create.
You can extend the schema of Azure tables with custom columns to accept additional data.
It lets you send data to multiple destinations.
Last but certainly not least (we are security practitioners after all): it allows for granular role-based access controls (RBAC) to limit the ability to ingest data by data collection rule and identity.

In Summary

The transition from the HTTP Data Collector API to the Azure Monitor Logs Ingestion API is crucial for maintaining data ingestion functionality and security. The new API offers several advantages, including secure OAuth-based authentication, the ability to filter and transform data during ingestion, and granular RBAC.
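To make the difference between the two APIs concrete, here is an added Python example (not code from the article, nor Microsoft's SDK samples) that builds both request shapes offline without sending anything. It shows why the old path has no granular RBAC: the HTTP Data Collector API authenticates with an HMAC-SHA256 SharedKey signature derived from the workspace key, so any process holding that key can write to any custom table, whereas the Logs Ingestion API takes an Entra ID bearer token and routes the write through a data collection rule (DCR) that scopes which identity may send which stream. The workspace ID, shared key, data collection endpoint, DCR immutable ID, stream name and log rows are all constructed placeholders. The last function is a small heuristic for spotting remaining legacy callers in proxy or application logs during the migration the article recommends.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit

# Constructed sample values for the demo; none of these are real identifiers.
WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"  # hypothetical Log Analytics workspace ID
SHARED_KEY = base64.b64encode(b"constructed-workspace-key-for-demo-only").decode()
DCE_ENDPOINT = "https://example-dce.eastus-1.ingest.monitor.azure.com"  # hypothetical data collection endpoint
DCR_IMMUTABLE_ID = "dcr-00000000000000000000000000000000"  # hypothetical DCR immutable ID
STREAM_NAME = "Custom-InformationProtectionLogs_CL"  # hypothetical stream declared in the DCR

# Constructed log rows, shaped like the custom table the article queries.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2025-04-01T12:00:00Z", "Computer": "host-01", "Activity": "label applied"},
    {"TimeGenerated": "2025-04-01T12:00:05Z", "Computer": "host-02", "Activity": "label removed"},
]


def build_legacy_request(workspace_id, shared_key, log_type, records, rfc1123_date):
    """Request shape of the retired HTTP Data Collector API.

    Authentication is a SharedKey signature: HMAC-SHA256 over a canonical string,
    keyed with the workspace's primary or secondary key. Anyone holding that key
    can write to any *_CL table in the workspace, which is the RBAC gap the
    article points out.
    """
    body = json.dumps(records).encode("utf-8")
    string_to_sign = (
        f"POST\n{len(body)}\napplication/json\nx-ms-date:{rfc1123_date}\n/api/logs"
    )
    digest = hmac.new(
        base64.b64decode(shared_key), string_to_sign.encode("utf-8"), hashlib.sha256
    ).digest()
    signature = base64.b64encode(digest).decode()
    return {
        "url": f"https://{workspace_id}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01",
        "headers": {
            "Content-Type": "application/json",
            "Authorization": f"SharedKey {workspace_id}:{signature}",
            "Log-Type": log_type,  # destination table name without the _CL suffix
            "x-ms-date": rfc1123_date,
        },
        "body": body,
    }


def build_ingestion_request(dce_endpoint, dcr_immutable_id, stream_name, records, bearer_token):
    """Equivalent request for the Azure Monitor Logs Ingestion API.

    The caller presents an Entra ID access token (scope https://monitor.azure.com/.default)
    and the DCR decides which stream, transformation and destination table apply.
    Write access is granted per DCR by assigning the Monitoring Metrics Publisher
    role to the calling identity, so the blast radius of one credential is one rule.
    """
    body = json.dumps(records).encode("utf-8")
    url = (
        f"{dce_endpoint}/dataCollectionRules/{dcr_immutable_id}"
        f"/streams/{stream_name}?api-version=2023-01-01"
    )
    return {
        "url": url,
        "headers": {
            "Content-Type": "application/json",
            "Authorization": f"Bearer {bearer_token}",
        },
        "body": body,
    }


def is_legacy_collector_call(url, authorization_header):
    """Heuristic for spotting callers that still use the retired API.

    Useful when reviewing outbound proxy or application logs during migration:
    the old endpoint lives under *.ods.opinsights.azure.com and authenticates with
    a SharedKey header, while the new one targets a data collection endpoint with
    a Bearer token.
    """
    host = urlsplit(url).hostname or ""
    return host.endswith(".ods.opinsights.azure.com") and authorization_header.startswith("SharedKey ")


if __name__ == "__main__":
    date = "Tue, 01 Apr 2025 12:00:00 GMT"
    legacy = build_legacy_request(WORKSPACE_ID, SHARED_KEY, "InformationProtectionLogs", SAMPLE_RECORDS, date)
    modern = build_ingestion_request(DCE_ENDPOINT, DCR_IMMUTABLE_ID, STREAM_NAME, SAMPLE_RECORDS, "<token>")
    for name, req in (("legacy", legacy), ("ingestion", modern)):
        print(name, req["url"], "legacy:", is_legacy_collector_call(req["url"], req["headers"]["Authorization"]))
```

In a real migration the bearer token comes from an Entra ID credential (for example a managed identity or an app registration) rather than a string literal, and the shared key should be removed from application configuration once no caller needs it, since its presence alone keeps the unscoped write path open until the retirement date.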
Organizations should proactively transition to the new API before the retirement date of September 14, 2026.

Expanding Cross Cloud Multitenant Security Operations for Government Customers
Securing complex, multitenant environments is a top priority for government organizations operating in highly regulated cloud environments. We are excited to introduce a new capability that enhances multitenant security operations for government cloud customers, enabling cross-cloud visibility and centralized security management. These capabilities are now in public preview.

Bringing Multitenant Security Operations to Government Cloud

Security teams in government cloud environments—such as GCC High and DoD—face unique challenges when managing multiple tenants across different cloud environments. Until now, they lacked a unified view of their security posture across government and commercial clouds. Challenges customers faced included:

US government customers require a unified view between different cloud environments. Such a view must honor high/low boundaries and compliance requirements.
Users in federal environments can see only the tenants that are in the same AAD cloud, or add tenants in a structure of DOD <-> GCCH and GCC -> Commercial.

The new cross-cloud capabilities are designed to enable customers to gain visibility across different clouds by manually adding remote tenants into their aggregated view. This will enable users in GCCH or DOD to add tenants from GCC or Commercial. With our latest enhancement, multitenant management in the unified SecOps platform now supports the ability to view and manage tenants from different cloud environments across Microsoft Sentinel and Defender XDR. This means that security operations teams working in GCC High and DoD can now view and manage their tenants in Microsoft GCC and Commercial cloud environments, across products—all from a single pane of glass.

Why This Matters

Government agencies and service providers require strict security controls, data residency compliance, and operational efficiency when managing multiple tenants.
This new capability addresses these needs by offering:

Unified Incident Management – Security teams can now more easily manage incidents across Microsoft Sentinel and Defender XDR, in a single workstream.
Unified view across cloud types – Security analysts can now view and manage security incidents across all their tenants, regardless of cloud environment, enabling faster and more effective response times.
Cross-Tenant Investigation – Analysts can investigate threats across multiple tenants and cloud environments, ensuring no blind spots in their security posture.
Scalable Content Management – Organizations can now manage and distribute security content at scale across all their tenants, from all environments, reducing operational overhead and improving consistency.

Security and Compliance First

While enabling cross-cloud visibility, we remain committed to keeping customer data secure and compliant with data residency requirements. Security teams can confidently leverage this new capability, knowing that their sensitive data remains within their designated cloud environment while still benefiting from a consolidated security view.

Looking Ahead

This is just the beginning. As we continue to enhance multitenant security management, we remain focused on delivering capabilities that improve efficiency, security, and compliance at scale. We encourage security teams in government environments to explore these new capabilities and experience the benefits of unified security management across all their tenants. To learn more, visit Manage tenants in other Microsoft cloud environments - Microsoft's unified security operations platform | Microsoft Learn

FAQ: Which clouds could be connected?
Answer: If your user is in GCCH or DOD, you can use our multi-tenant solution with tenants from GCCH, DOD, GCC or COM.

Announcing Rich Text for Case Management
In the dynamic world of SecOps, managing and communicating information efficiently is vital. Rich Text for Case Management introduces capabilities that allow you to enrich your case documentation with various formatting options, including bold, italics, underlining, code blocks, links, tables, and more.

Key Benefits of Rich Text for Case Management

Improve Communication Across All Case Elements: Rich text enhances the clarity and impact of case descriptions, comments, tasks, and closing notes. Formatting options help highlight critical information, ensuring important details are not missed, leading to more efficient case handling and better outcomes.
Share Queries and Results Using Code Blocks and Tables: Efficient data sharing and analysis are crucial in SecOps. Rich text allows embedding code blocks and tables within case documentation, presenting queries and results clearly and in an organized way, facilitating better analysis and decision-making.
Link to Related Content: Rich text supports hyperlinks, enabling direct links to relevant resources, documents, and websites. This ensures all necessary information is easily accessible, enhancing the efficiency of case management.

Leveraging Rich Text for Case Management ensures your written content is clear, organized, and effective, ultimately leading to better case outcomes and improved communication within your organization.

Announcing Rich Text for Case Management
We are excited to announce the public preview of Rich Text for Case Management. Clear and effective communication is critical for making fast and accurate decisions in case investigations. Learn more about how Rich Text can enhance your communication with your SOC team.

Multi Workspace for Single tenant is now in Public Preview in Microsoft’s unified SecOps platform
We are excited to continue to expand the use cases addressed with our unified SecOps platform, which brings the capabilities of Microsoft Sentinel, Defender XDR, Security Copilot, Threat Intelligence and more into a single experience with new and more robust functionality. Now, customers can onboard and manage multiple workspaces across Microsoft Sentinel and Defender in one place.

Key Benefits of Multi Workspace Experience

The multi-workspace experience offers several key benefits that enhance security operations:

Unified Entity View: Customers can view all relevant entity data from multiple workspaces in a single entity page, facilitating comprehensive investigations.
Workspace Filtering: Users can filter data by workspace when needed, ensuring flexibility in investigations.
Enhanced Context: Aggregates alerts, incidents, and timeline events from all workspaces, providing deeper insights into entity behavior.

Introducing the Primary Workspace Concept

A new concept in the unified SecOps platform is the Primary Workspace, which acts as a central hub where Microsoft Sentinel alerts are correlated with XDR data, resulting in incidents that include both Microsoft Sentinel’s primary workspace and XDR alerts. All XDR alerts and incidents are synced back to this workspace, ensuring a cohesive and comprehensive view of security events. The XDR connector is automatically connected to the Primary Workspace upon onboarding and can be switched if necessary. One Primary Workspace must always be connected to use the unified platform effectively. Other onboarded workspaces are considered “Secondary” workspaces, with incidents created based on their individual data. We respect and protect your data boundaries: each workspace’s data will be synced with its own alerts only.
Learn more: https://aka.ms/primaryWorkspace

Multi Workspace Experience – Key Scenarios

Onboarding multiple workspaces to the unified SecOps platform:

Open the security portal: https://security.microsoft.com/
There are two options to connect workspaces; you can select either one:

Option A: Connecting the workspace through the main home page:
Click on “Connect a workspace” in the banner.
Select the workspaces you wish to onboard and click on “Next”.
Select the primary workspace.
Review the text and click on “Connect”.
After completing the connection, click on “Close”.

Option B: Connecting the workspaces through the Settings page:
Navigate to Settings and choose “Microsoft Sentinel”.
Click on “Connect workspace”.
Follow the same steps as Option A.

Switching Primary Workspaces

Navigate to Settings and choose “Microsoft Sentinel”.
On the workspace you wish to assign as Primary, click on the “3 dots” and choose “Set as primary”.
Confirm and proceed.

Incidents and Alerts

The incident queue is a single place for a SOC analyst to manage and investigate incidents. The alert queue centralizes all your workspaces’ alerts in the same place and provides the ability to see the alert page. In the unified queues, you are now able to view all incidents and alerts from all workloads and all workspaces, and also filter by workspace. Each alert and incident is related to a single workspace to keep data boundaries. Bi-directional sync: any change in the unified SecOps portal is reflected in the Sentinel portal and vice versa.

Unified Entities

The multi workspace aggregated view enhances entity pages in the unified portal by consolidating data from all relevant Sentinel workspaces into a single, unified experience. This feature enables security teams to gain a complete view of entity-related data without switching between workspaces, improving investigation efficiency and data accessibility.
The unified entity page gives you:

Unified Entity View: Customers can see all relevant entity data from multiple workspaces in a single entity page.
Workspace Filtering: Users can filter data by workspace when needed, ensuring flexibility in investigations.
Enhanced Context: Aggregates alerts, incidents, and timeline events from all workspaces, providing deeper insights into entity behavior.

Aggregated view:
Provides a unified view of entity data across all workspaces.
Supports a predefined logic to display key entity values across components.
Introduces workspace filtering in Timeline, Incidents & Alerts, and Insights tabs.

Entity Page Enhancements:
Overview Section: Displays entity metadata aggregated from all workspaces.
Timeline View: Supports events from all workspaces with workspace-based filtering.
Incidents & Alerts: Aggregates incidents and alerts from multiple workspaces.
Sentinel Tab: Defaults to the primary workspace but allows workspace filtering.
Side Pane: Provides a summary view, dynamically updating based on workspace data.

Advanced Hunting

In Advanced Hunting, you'll be able to explore all your security data in a single place. For hunting and investigation purposes, you'll be able to:

Query all Microsoft Sentinel workspaces' data.
Run queries across multiple workspaces using the workspace operator.
Access all Logs content of the workspace, including queries and functions, for read/query.
Create custom detections on the primary workspace.
Create an Analytic rule with the workspace operator on a secondary workspace.

Microsoft Sentinel features + Using Workspace selector

After you connect your workspace to the unified portal, Microsoft Sentinel is on the left-hand side navigation pane. Many of the existing Microsoft Sentinel features are integrated into the unified portal and are similar. Workspace selector: for users with permissions to multiple workspaces, in each Sentinel page, a workspace selector is added to the toolbox.
Users can easily switch between workspaces using the selector by clicking on “Select a workspace”.

SOC Optimization

The SOC Optimization feature is also available in the unified portal and contains data and recommendations for multiple workspaces.

FAQ

Who can onboard multiple workspaces?
To onboard a primary workspace, the user must be: Global admin/Security admin AND Owner of subscription, OR Global admin/Security admin AND User access admin AND Microsoft Sentinel contributor.
To onboard secondary workspaces, the user must be Owner of subscription, OR User access admin and Microsoft Sentinel contributor.

Who can change the primary workspace?
A Global admin or Security admin can change the workspace type (Primary/Secondary).

Do I need to onboard all my workspaces?
You don’t need to onboard all your workspaces to use this feature, although we highly recommend it, to ensure full coverage across your whole environment.

Will all users in my organization have access to all workspaces in the unified security operations portal?
No – we respect the permissions granted to each user. Users can see only the data from the workspaces they have permissions to.

Will data from one workspace be synced to a second workspace?
No, we keep the data boundaries between workspaces and ensure that each workspace will only be synced with its own data.

When will multi-tenancy be available?
Multi-tenancy in the unified SecOps platform for a single workspace is already in GA. Multi-tenancy for multiple workspaces is released to public preview with this capability as well.

Can I still access my environment in Azure?
Yes, all experiences remain the same. We provide bi-directional sync to make sure all changes are up to date.

Conclusion

Microsoft’s unified SecOps platform support for multi workspace customers represents a significant leap forward in cybersecurity management.
By centralizing operations and providing robust tools for detection, investigation, and automation, it empowers organizations to maintain a vigilant and responsive security posture. The platform’s flexibility and comprehensive view of security data make it an invaluable asset for modern security operations. With the public preview now available, organizations can experience firsthand the transformative impact of the Unified Security Operations Platform. Join us in pioneering a new era of cybersecurity excellence.

Learn More

Please visit our documentation to learn more on the scenarios supported and how to onboard multiple workspaces to the unified platform: https://aka.ms/OnboardMultiWS

Monthly news - April 2025
Microsoft Defender XDR Monthly news, April 2025 Edition

This is our monthly "What's new" blog post, summarizing product updates and various new assets we released over the past month across our Defender products. In this edition, we are looking at all the goodness from March 2025. Defender for Cloud has its own Monthly News post; have a look at their blog space.

⏰ April 9th & 10th is Microsoft Secure! Make sure you join this virtual event to hear about our latest product announcements. Three broadcast times are available, offering opportunities to get your questions answered by subject matter experts at a time that suits you best.

April 9, 2025 | 8:00 AM – 9:00 AM PT (UTC-7) | Americas broadcast
April 10, 2025 | 10:00 AM – 11:00 AM CET (UTC+1) | Europe, Middle East, Africa broadcast
April 10, 2025 | 12:00 PM – 1:00 PM SGT (UTC+8) | Asia broadcast
Microsoft Secure - Home - Microsoft Secure registration home page.

New episodes of the Virtual Ninja Show have been published, covering various products and scenarios:
Microsoft's Zero Trust approach
Resolving high CPU utilization in Microsoft Defender Antivirus
Microsoft Defender for Endpoint Client Analyzer overview
Mastering onboarding issues with Defender for Endpoint Client Analyzer
Mastering endpoint security settings issues with Defender for Endpoint Client Analyzer
Connecting your Apps to Defender for Cloud Apps

Unified Security Operations Platform: Microsoft Defender XDR & Microsoft Sentinel
What’s new in Microsoft Defender XDR at Secure 2025 (Webinar)
Microsoft Sentinel Repositories: Manage Your SIEM Content as code Like a Pro (GA Announcement)
The content hub offers the best way to find new content or manage the solutions you already installed, now with granular AI search.
(Public Preview) The Microsoft Sentinel agentless data connector for SAP and related security content is now included, as public preview, in the solution for SAP applications.
Blog post: Transforming public sector security operations in the AI era. Discover how Microsoft's AI-powered, unified SecOps can revolutionize public sector security operations and safeguard multiplatform, multi-cloud environments with industry-leading innovation and seamless integration. Ready to elevate your cyber defense?
(Public Preview) The incident description has moved within the incident page. The incident description is now displayed after the incident details. For more information, see Incident details.
The Microsoft 365 alert policies can now only be managed in the Microsoft Defender portal. For more information, see Alert policies in Microsoft 365.
You can now link Threat analytics reports when setting up custom detections. Learn more

Microsoft Defender for Endpoint
Update to the Microsoft Defender Antivirus group policies documentation. Learn more
Addition of the default settings for Potentially Unwanted Applications (PUA) documentation. Learn more
New video (9 mins): How Microsoft is redefining endpoint security
New documentation: Troubleshoot Microsoft Defender Antivirus scan issues

Microsoft Defender for Office 365
User reported messages by third-party add-ins can be sent to Microsoft for analysis: In user reported settings, admins can select Monitor reported messages in Outlook > Use a non-Microsoft add-in button. In the Reported message destination section, select Microsoft and my reporting mailbox, and then provide the email address of the internal Exchange Online mailbox where user-reported messages by the third-party add-in are routed to. Microsoft analyzes these reported messages and provides results on the User reported tab of the Submissions page at https://security.microsoft.com/reportsubmission?viewid=user.
Create allow entries directly in the Tenant Allow/Block List: You can now create allow entries for domains & addresses and URLs directly in the Tenant Allow/Block List.
This capability is available in Microsoft 365 Worldwide, GCC, GCC High, DoD, and Office 365 operated by 21Vianet.

Microsoft Defender for Cloud Apps
(GA) Unified Identity inventory is now generally available. Learn more
Defending against OAuth based attacks with automatic attack disruption. Microsoft’s Automatic attack disruption capabilities disrupt sophisticated in-progress attacks and prevent them from spreading, now including OAuth app-based attacks. Attack disruption is an automated response capability that stops in-progress attacks by analyzing the attacker’s intent, identifying compromised assets, and containing them in real time.
Level Up Your App Governance With Microsoft Defender for Cloud Apps Workshop Series. Join one of these workshops to learn:
Real-world examples of OAuth attacks
New pre-built templates and custom rules to simplify app governance
How to quickly identify and mitigate risks from high-risk or suspicious apps
Best practices for operationalizing app governance to improve your security posture
These workshops are designed to accommodate global participation, with flexible date and time options.
Protecting SaaS apps from OAuth threats with attack path, advanced hunting and more. Read this blog post to learn about various new capabilities rolling out over the next few weeks.

Microsoft Defender for Identity
Blog post: Discover and protect Service Accounts with Microsoft Defender for Identity. Microsoft Defender for Identity now includes a Service Account Discovery capability, offering you centralized visibility into service accounts across your Active Directory environment.
New health issue for cases where sensors running on VMware have a network configuration mismatch.
The Identities page under Assets has been updated to provide better visibility and management of identities across your environment.
New LDAP query events were added to the IdentityQueryEvents table in Advanced Hunting to provide more visibility into additional LDAP search queries running in the customer environment.

Microsoft Security Blogs
Silk Typhoon targeting IT supply chain
Malvertising campaign leads to info stealers hosted on GitHub
New XCSSET malware adds new obfuscation, persistence techniques to infect Xcode projects
Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware
StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
Analyzing open-source bootloaders: Finding vulnerabilities faster with AI

Threat Analytics (Access to the Defender Portal needed)
Vulnerability Profile: CVE-2024-40711 – Veeam Backup
Activity profile: Moonstone Sleet using Qilin ransomware
[TA update] Actor Profile: Secret Blizzard
Actor profile: Berry Sandstorm
Activity profile: DarkGate malware samples delivered through fake Notion websites followed by ClickFix technique
Activity profile: Secret Blizzard and Aqua Blizzard collaborate to target Ukrainian military devices
[TA update] Actor profile - Swirl Typhoon
Vulnerability profile: CVE-2024-57726 Multiple vulnerabilities found in SimpleHelp Remote Support Software
Activity profile: Lumma Stealer spreads via YouTube video descriptions
[TA update] Actor profile: Aqua Blizzard
Tool profile: Latrodectus
Vulnerability profile: CVE-2025-26633
Tool profile: WinRing0
Activity profile: Storm-0485 phishing activity
Activity profile: Silk Typhoon targeting IT supply chain
Activity profile: Storm-1877 evolving tactics to target users with ClickFix attacks
Threat overview: Business Email Compromise [Snapshot]
Actor profile: Storm-2372
[TA update] Actor profile: ZigZag Hail
Actor profile: Storm-0287
Activity profile: Secret Blizzard abusing Visual Studio Code tunneling service
Activity Profile: Clickfix and Malvertising campaigns leveraging node.exe application
Actor profile: Yulong Flood
Vulnerability profile: CVE-2024-43451 - NTLM Hash Disclosure Spoofing Vulnerability
Tool profile: FrostyStash
[TA update] Tool profile: Mimikatz
Tool profile: Mamba 2FA
Activity profile: Phishing campaign deploying PureLogStealer targets users in Central America
[TA update] Vulnerability profile: CVE 2025-0282: Ivanti Connect Secure, Policy Secure, and ZTA Gateway
[TA update] Actor profile: Silk Typhoon
Seamless SSO Abuse via AADInternals
[TA update] SystemBC Tool Profile
Vulnerability profile: CVE-2025-22224 – VMware

Go agentless with Microsoft Sentinel Solution for SAP
What a title during Agentic AI times 😂

Dear community,

Bringing SAP workloads under the protection of your SIEM solution is a primary concern for many customers out there. The window for defenders is small: “Critical SAP vulnerabilities being weaponized in less than 72 hours of a patch release and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours.” (SAP SE + Onapsis, Apr 6 2024)

Having a turn-key solution as much as possible leads to better adoption of SAP security. Agent-based solutions running in Docker containers, Kubernetes, or other self-hosted environments are not for everyone. Microsoft Sentinel for SAP’s latest new capability re-uses the SAP Cloud Connector to profit from already existing setups, established integration processes, and well-understood SAP components.

Meet agentless ❌🤖

The new integration path leverages SAP Integration Suite to connect Microsoft Sentinel with your SAP systems. The Cloud Integration capability of SAP Integration Suite speaks all relevant protocols, has connectivity into all the places where your SAP systems might live, is strategic for most SAP customers, and is fully SAP RISE compatible by design. Are you deployed on SAP Business Technology Platform yet? Simply upload our Sentinel for SAP integration package (see bottom box in the image below) to your SAP Cloud Integration instance, configure it for your environment, and off you go.

Best of all: the already existing SAP security content (detections, workbooks, and playbooks) in Microsoft Sentinel continues to function the same way as it does for the Docker-based collector agent variant. The integration marks your stepping stone to bring your SAP threat signals into the Unified Security Operations Platform – a combination of Defender XDR and Sentinel – that looks beyond SAP at your whole IT estate.
Microsoft Sentinel solution for SAP applications is certified for SAP S/4HANA Cloud, Private Edition RISE with SAP, and SAP S/4HANA on-premises. So, you are all good to go 😎

You are already dockerized or agentless? Then proceed to this post to learn more about what to do once the SAP logs have arrived in Sentinel.

Final Words

During the preview we saw drastically reduced deployment times for SAP customers less familiar with Docker, Kubernetes and Linux administration. Cherry on the cake: the network challenges don’t have to be tackled again. The colleagues running your SAP Cloud Connector went through that process a long time ago. SAP Basis rocks 🤘

Get started from here on Microsoft Learn. Find more details on our blog on the SAP Community.

Cheers,
Martin