Exciting Announcements: New Data Connectors Released Using the Codeless Connector Framework
Microsoft Sentinel’s Codeless Connector Framework or ‘CCF’ (formerly called Codeless Connector Platform [CCP]) represents a paradigm shift in data ingestion, making it easier than ever for organisations to do more with Microsoft Sentinel by integrating diverse data sources seamlessly. Designed to simplify and expedite the onboarding of data sources, CCF eliminates the need for extensive coding expertise and maintaining additional services to facilitate ingestion, allowing security teams to focus on what truly matters – safeguarding their environment. Advantages of the Codeless Connector Framework The Codeless Connector Framework offers several compelling benefits: Ease of Use: CCF configuration-based templates allows advanced users to create data connectors without writing exhausting code, making the onboarding process quicker and more accessible to a broader audience. Flexibility: Users can customise data streams to meet their specific needs; optimizing efficacy while ensuring more control on the data being ingested. Scalability: The connectors built using CCF follows a true SaaS auto-expansion model making them highly scalable and natively reliable for large data volumes. Efficiency: By reducing the time and effort required to develop and deploy data connectors, CCF accelerates the availability of critical insights for security monitoring and more rapidly expands the value Microsoft Sentinel provides. What are we up to? We recognize that Codeless Connectors offer substantial advantages over Azure Function App based ingestion in Microsoft Sentinel in most cases. That motivates us to continue investing in modernizing our ingestion patterns for out-of-box connectors; one connector at a time. Another goal of modernizing these connectors is to replace the deprecated HTTP Data Collector API with the Log Ingestion API to send data to Microsoft Sentinel. Announcing the General Availability of New Data Connectors We are continually improving the Data Collection experience for our customers and are thrilled to announce that the following data connectors are now Generally Available (GA) on the Codeless Connector Framework. Atlassian Confluence Ingesting Confluence audit logs allows organizations to monitor collaboration activity, detect security risks, and troubleshoot configuration issues using Confluence audit records. Auth0 With the Auth0 Connector, organizations can effortlessly integrate authentication and authorization data from Auth0 into Microsoft Sentinel. This connector provides valuable insights into user activities and access patterns, bolstering identity security and compliance efforts. Azure DevOps Audit logs from Azure DevOps, allows security teams to monitor user activities, detect anomalous behavior, and investigate potential threats across DevOps environments. Box The Box Connector facilitates the ingestion of file storage and sharing data from Box into Microsoft Sentinel. By leveraging this connector, security teams can monitor file access and sharing activities, ensuring data integrity, and preventing unauthorized access. Google Cloud Platform Load Balancer With GCP Load Balancer and Web Application Firewall (Cloud Armor) logs, security teams can monitor inbound network activity, enforce security policies, and detect threats across GCP environments. Proofpoint POD The ingestion of email security logs allows organizations to monitor message traceability, detect threats, and investigate data exfiltration attempts by attackers and malicious insiders. Proofpoint TAP Email threat intelligence logs, including message and click events, provides visibility into malware and phishing activity to support custom alerts, dashboards, and threat investigation. SentinelOne The SentinelOne Connector enables seamless ingestion of threat intelligence and endpoint security data from SentinelOne into Microsoft Sentinel. This integration empowers security teams to enhance their threat detection capabilities and respond swiftly to potential threats. New Connectors in Public Preview CrowdStrike Falcon Data Replicator (S3 based Polling) Google Cloud Platform VPC Flow Google Cloud Platform DNS Google IAM These new additions are not new out-of-box sources in Microsoft Sentinel, but they do improve how data is collected. The previously Azure Function App based polling has now been upgraded to the Codeless Connector Framework for these products to ensure data collection adheres to the more scalable; advantageous pattern with CCF. As noted previously, the newer version of these connectors replaces the deprecated HTTP Data Collector API with the Log Ingestion API to send data to Microsoft Sentinel. Call to Action! Microsoft Sentinel customers collecting data from any of the mentioned sources using Azure Function Apps are advised to migrate their ingestion streams to newer versions to utilize the Codeless Connector Framework. While we continue to improve the data collection experience across all connectors, we encourage our customers and partners to join the Microsoft Security Communities to benefit from early insights about the latest and greatest with Microsoft Security. Call to Action for ISV Partners We invite our ISV partners to migrate their Azure Function App-based data connectors to the Codeless Connector Framework. By leveraging CCF for data ingestion, we can ensure that our mutual customers benefit from streamlined data integration and enhanced security monitoring in Microsoft Sentinel. We are committed to ensuring partners have all the support needed in this transformation. For any support, please reach out to us at Microsoft Sentinel Partners. Join us in this transformative journey to empower our customers by unlocking the full potential of their security investments with Microsoft Sentinel’s Codeless Connector Framework. References Create a codeless connector for Microsoft Sentinel Migrate from the HTTP Data Collector API to the Log Ingestion API to send data to Azure Monitor LogsManage cases from across tenants in one place
Are you managing the security needs of a large organization or a managed security service provider (MSSP)? Would you like a unified view of all the cases you are managing across these tenants? We are pleased to announce the latest addition to our case management solution, multi-tenant support, is now generally available (GA). This is the latest step in our journey towards providing a native, security-focused case management system that spans all SecOps workloads in the Microsoft Defender portal, removing customer reliance on third-party SIEM/XDR and ticketing systems. This capability is available for all Microsoft Sentinel customers that have onboarded to the Defender portal.Automating Microsoft Sentinel: Part 2: Automate the mundane away
Welcome to the second entry of our blog series on automating Microsoft Sentinel. In this series, we’re showing you how to automate various aspects of Microsoft Sentinel, from simple automation of Sentinel Alerts and Incidents to more complicated response scenarios with multiple moving parts. So far, we’ve covered Part 1: Introduction to Automating Microsoft Sentinel where we talked about why you would want to automate as well as an overview of the different types of automation you can do in Sentinel. Here is a preview of what you can expect in the upcoming posts [we’ll be updating this post with links to new posts as they happen]: Part 1: Introduction to Automating Microsoft Sentinel Part 2: Automation Rules [You are here] – Automate the mundane away Part 3: Playbooks 1 – Playbooks Part I – Fundamentals Part 4: Playbooks 2 – Playbooks Part II – Diving Deeper Part 5: Azure Functions / Custom Code Part 6: Capstone Project (Art of the Possible) – Putting it all together Part 2: Automation Rules – Automate the mundane away Automation rules can be used to automate Sentinel itself. For example, let’s say there is a group of machines that have been classified as business critical and if there is an alert related to those machines, then the incident needs to be assigned to a Tier 3 response team and the severity of the alert needs to be raised to at least “high”. Using an automation rule, you can take one analytic rule, apply it to the entire enterprise, but then have an automation rule that only applies to those business-critical systems to make those changes. That way only the items that need that immediate escalation receive it, quickly and efficiently. Automation Rules In Depth So, now that we know what Automation Rules are, let’s dive in to them a bit deeper to better understand how to configure them and how they work. Creating Automation Rules There are three main places where we can create an Automation Rule: 1) Navigating to Automation under the left menu 2) In an existing Incident via the “Actions” button 3) When writing an Analytic Rule, under the “Automated response” tab The process for each is generally the same, except for the Incident route and we’ll break that down more in a bit. When we create an Automation Rule, we need to give the rule a name. It should be descriptive and indicative of what the rule is going to do and what conditions it applies to. For example, a rule that automatically resolves an incident based on a known false positive condition on a server named SRV02021 could be titled “Automatically Close Incident When Affected Machine is SRV02021” but really it’s up to you to decide what you want to name your rules. Trigger The next thing we need to define for our Automation Rule is the Trigger. Triggers are what cause the automation rule to begin running. They can fire when an incident is created or updated, or when an alert is created. Of the two options (incident based or alert based), it’s preferred to use incident triggers as they’re potentially the aggregation of multiple alerts and the odds are that you’re going to want to take the same automation steps for all of the alerts since they’re all related. It’s better to reserve alert-based triggers for scenarios where an analytic rule is firing an alert, but is set to not create an incident. Conditions Conditions are, well, the conditions to which this rule applies. There are two conditions that are always present: The Incident provider and the Analytic rule name. You can choose multiple criterion and steps. For example, you could have it apply to all incident providers and all rules (as shown in the picture above) or only a specific provider and all rules, or not apply to a particular provider, etc. etc. You can also add additional Conditions that will either include or exclude the rule from running. When you create a new condition, you can build it out by multiple properties ranging from information about the Incident all the way to information about the Entities that are tagged in the incident Remember our earlier Automation Rule title where we said this was a false positive about a server name SRV02021? This is where we make the rule match that title by setting the Condition to only fire this automation if the Entity has a host name of “SRV2021” By combining AND and OR group clauses with the built in conditional filters, you can make the rule as specific as you need it to be. You might be thinking to yourself that it seems like while there is a lot of power in creating these conditions, it might be a bit onerous to create them for each condition. Recall earlier where I said the process for the three ways of creating Automation Rules was generally the same except using the Incident Action route? Well, that route will pre-fill variables for that selected instance. For example, for the image below, the rule automatically took the rule name, the rules it applies to as well as the entities that were mapped in the incident. You can add, remove, or modify any of the variables that the process auto-maps. NOTE: In the new Unified Security Operations Platform (Defender XDR + Sentinel) that has some new best practice guidance: If you've created an automation using "Title" use "Analytic rule name" instead. The Title value could change with Defender's Correlation engine. The option for "incident provider" has been removed and replaced by "Alert product names" to filter based on the alert provider. Actions Now that we’ve tuned our Automation Rule to only fire for the situations we want, we can now set up what actions we want the rule to execute. Clicking the “Actions” drop down list will show you the options you can choose When you select an option, the user interface will change to map to your selected option. For example, if I choose to change the status of the Incident, the UX will update to show me a drop down menu with options about which status I would like to set. If I choose other options (Run playbook, change severity, assign owner, add tags, add task) the UX will change to reflect my option. You can assign multiple actions within one Automation Rule by clicking the “Add action” button and selecting the next action you want the system to take. For example, you might want to assign an Incident to a particular user or group, change its severity to “High” and then set the status to Active. Notably, when you create an Automation rule from an Incident, Sentinel automatically sets a default action to Change Status. It sets the automation up to set the Status to “Closed” and a “Benign Positive – Suspicious by expected”. This default action can be deleted and you can then set up your own action. In a future episode of this blog we’re going to be talking about Playbooks in detail, but for now just know that this is the place where you can assign a Playbook to your Automation Rules. There is one other option in the Actions menu that I wanted to specifically talk about in this blog post though: Incident Tasks Incident Tasks Like most cybersecurity teams, you probably have a run book of the different tasks or steps that your analysts and responders should take for different situations. By using Incident Tasks, you can now embed those runbook steps directly in the Incident. Incident tasks can be as lightweight or as detailed as you need them to be and can include rich formatting, links to external content, images, etc. When an incident with Tasks is generated, the SOC team will see these tasks attached as part of the Incident and can then take the defined actions and check off that they’ve been completed. Rule Lifetime and Order There is one last section of Automation rules that we need to define before we can start automating the mundane away: when should the rule expire and in what order should the rule run compared to other rules. When you create a rule in the standalone automation UX, the default is for the rule to expire at an indefinite date and time in the future, e.g. forever. You can change the expiration date and time to any date and time in the future. If you are creating the automation rule from an Incident, Sentinel will automatically assume that this rule should have an expiration date and time and sets it automatically to 24 hours in the future. Just as with the default action when created from an incident, you can change the date and time of expiration to any datetime in the future, or set it to “Indefinite” by deleting the date. Conclusion In this blog post, we talked about Automation Rules in Sentinel and how you can use them to automate mundane tasks in Sentinel as well as leverage them to help your SOC analysts be more effective and consistent in their day-to-day with capabilities like Incident Tasks. Stay tuned for more updates and tips on automating Microsoft Sentinel!Automating Microsoft Sentinel: A blog series on enabling Smart Security
Welcome to the first entry of our blog series on automating Microsoft Sentinel. We're excited to share insights and practical guidance on leveraging automation to enhance your security posture. In this series, we'll explore the various facets of automation within Microsoft Sentinel. Whether you're a seasoned security professional or just starting, our goal is to empower you with the knowledge and tools to streamline your security operations and stay ahead of threats. Join us on this journey as we uncover the power of automation in Microsoft Sentinel and learn how to transform your security strategy from reactive to proactive. Stay tuned for our upcoming posts where we'll dive deeper into specific automation techniques and share success stories from the field. Let's make your security smarter, faster, and more resilient together. In this series, we will show you how to automate various aspects of Microsoft Sentinel, from simple automation of Microsoft Sentinel Alerts and Incidents to more complicated response scenarios with multiple moving parts. We’re doing this as a series so that we can build up our knowledge step-by-step and finishing off with a “capstone project” that takes SOAR into areas that most people aren’t aware of or even thought was possible. Here is a preview of what you can expect in the upcoming posts [we’ll be updating this post with links to new posts as they happen]: Part 1: [You are here] – Introduction to Automating Microsoft Sentinel Part 2: Automation Rules – Automate the mundane away Part 3: Playbooks 1 – Playbooks Part I – Fundamentals o Triggers o Entities o In-App Content / GitHub o Consumption plan vs. dedicated – which to choose and why? Part 4: Playbooks 2 – Playbooks Part II – Diving Deeper o Built-In 1 st and 3 rd Party Connections (ServiceNow, etc.) o REST APIs (everything else) Part 5: Azure Functions / Custom Code o Why Azure Functions? o Consumption vs. Dedicated – which to choose and why? Part 6: Capstone Project (Art of the Possible) – Putting it all together Part 1: Introduction to Automating Microsoft Sentinel Microsoft Sentinel is a cloud-native security information and event management (SIEM) platform that helps you collect, analyze, and respond to security threats across your enterprise. But did you know that it also has a native, integrated Security Orchestration, Automation, and Response (SOAR) platform? A SOAR platform that can do just about anything you can think of? It’s true! What is SOAR and why would I want to use it? A Security Orchestration, Automation, and Response (SOAR) platform helps your team take action in response to alerts or events in your SIEM. For example, let’s say Contoso Corp has a policy where if a user has a medium sign-in risk in Entra ID and fails their login three times in a row within a ten-minute timeframe that we force them to re-confirm their identity with MFA. While an analyst could certainly take the actions required, wouldn’t it be better if we could do that automatically? Using the Sentinel SOAR capabilities, you could have an analytic rule that automatically takes the action without the analyst being involved at all. Why Automate Microsoft Sentinel? Automation is a key component of any modern security operations center (SOC). Automation can help you: Reduce manual tasks and human errors Improve the speed and accuracy of threat detection and response Optimize the use of your resources and skills Enhance your visibility and insights into your security environment Align your security processes with your business objectives and compliance requirements Reduce manual tasks and human errors Alexander Pope famously wrote “To err is human; to forgive, divine”. Busy and distracted humans make mistakes. If we can reduce their workload and errors, then it makes sense to do so. Using automation, we can make sure that all of the proper steps in our response playbook are followed and we can make our analysts lives easier by giving them a simpler “point and click” response capability for those scenarios that a human is “in the loop” or by having the system run the automation in response to events and not have to wait for the analyst to respond. Improve the speed and accuracy of threat detection and response Letting machines do machine-like things (such as working twenty-four hours a day) is a good practice. Leveraging automation, we can let our security operations center (SOC) run around the clock by having automation tied to analytics. Rather than waiting for an analyst to come online, triage an alert and then take action, Microsoft Sentinel can stand guard and respond when needed. Optimize the use of your resources and skills Having our team members repeat the same mundane tasks is not optimal for the speed of response and their work satisfaction. By automating the mundane away, we can give our teams more time to learn new things or work on other tasks. Enhance your visibility and insights into your security environment Automation can be leveraged for more than just responding to an alert or incident. We can augment the information we have about entities involved in an alert or incident by using automation to call REST based APIs to do point-in-time lookups of the latest threat information, vulnerability data, patching statuses, etc. Align your security processes with your business objectives and compliance requirements If you have to meet particular regulatory requirements or internal KPIs, automation can help your team to achieve their goals quickly and consistently. What Tools and Frameworks Can You Use to Automate Microsoft Sentinel? Microsoft Sentinel provides several tools that enable you to automate your security workflows, such as: Automation Rules o Automation rules can be used to automate Microsoft Sentinel itself. For example, let’s say there is a group of machines that have been classified as business critical and if there is an alert related to those machines, then the incident needs to be assigned to a Tier 3 response team, and the severity of the alert needs to be raised to at least “high”. Using an automation rule, you can take one analytic rule, apply it to the entire enterprise, but then have an automation rule that only applies to those business-critical systems. That way only the items that need that immediate escalation receive it, quickly and efficiently. o Another great use of Automation Rules is to create Incident Tasks for analysts to follow. If you have a process and workflow, by using Incident Tasks, you can have those appear inside of an Incident right there for the analysts to follow. No need to go “look it up” in a PDF or other document. Playbooks: You can use playbooks to automatically execute actions based on triggers, such as alerts, incidents, or custom events. Playbooks are based on Azure Logic Apps, which allow you to create workflows using various connectors, such as Microsoft Teams, Azure Functions, Azure Automation, and third-party services. Azure Functions can be leveraged to run custom code like PowerShell or Python and can be called from Sentinel via Playbooks. This way if you have a process or code that’s beyond a Playbook , you can still call it from the normal Sentinel workflow. Conclusion In this blog post, we introduced the automation capabilities and benefits of SOAR in Microsoft Sentinel, and some of the tools and frameworks that you can use to automate your security workflows. In the next blog posts, we will dive deeper into each of these topics and provide some practical examples and scenarios of how to automate Microsoft Sentinel. Stay tuned for more updates and tips on automating Microsoft Sentinel! Additional Resources What are Automation Rules? Automate Threat Response with playbooks in Microsoft Sentinel
AI-Powered MITRE ATT&CK Tagging for SOC Optimization
This post is part of an update series highlighting new SOC optimization capabilities designed to help SOC teams maximize security value with less manual effort. In this post, we focus on AI-powered MITRE ATT&CK Tagging, which streamlines the process of aligning your detections with the MITRE framework. For an overview of our other recent updates, stay tuned for related posts in this series. Security teams rely on precise, consistent tagging to understand detection coverage, align with frameworks like MITRE ATT&CK, and respond effectively to threats. Yet in practice, tagging detections manually is error-prone, inconsistent, and resource-intensive — leaving gaps in coverage and missed opportunities for insight. To address this challenge, we’re excited to introduce a powerful new capability within SOC Optimization: AI MITRE ATT&CK Tagging. Problem Statement In today’s evolving threat landscape, aligning detection rules with the MITRE ATT&CK framework is critical for understanding and improving an organization’s security posture. MITRE tagging provides a common language to describe attacker behaviour, enabling security teams to assess their threat coverage, identify detection gaps, and drive a threat-informed defence. It powers key SOC experiences in Microsoft Sentinel, such as MITRE coverage views, use case recommendations, incident investigation context, and coverage optimization workflows. When tagging is missing or incomplete — for example, when only tactics are mapped without corresponding techniques — the ability to accurately assess protection against known adversary behaviours is weakened. This limits visibility into which threats are covered, complicates incident correlation, and prevents clear communication of coverage gaps to stakeholders. As a result, security teams struggle to prioritize detection improvements and risk leaving critical areas under protected. These gaps lead to: Incomplete visibility into coverage against known threats Limited ability to recommend or prioritize relevant use cases Fragmented alignment between detection rules and incident response workflows Without consistent MITRE tagging, teams spend valuable time manually reviewing and mapping rules — delaying threat response and reducing overall SOC efficiency. The Solution AI MITRE ATT&CK Tagging automates this process using artificial intelligence models that run directly in your workspace. The model scans your detection content and identifies which MITRE ATT&CK tactics and techniques apply, offering recommended tags for detections that are currently untagged. These recommendations can be easily reviewed and applied, allowing you to: Achieve complete detection coverage aligned with the MITRE ATT&CK framework Eliminate manual effort and reduce human error in tagging Enhance detection clarity and response workflows Gain insights into security posture with more structured and actionable data “AI-based tagging helps us to reduce manual workload that previously we tagged detections manually, as well as helps faster triage. Besides, AI-based tagging will be standardized, helping to reduce inconsistencies due to human error”. Farid Kalaidji, Security Lead at Pink Elephant How it looks like Let’s say you’re reviewing your detection posture and come across a new card in SOC Optimization: “Coverage improvement by AI MITRE Tagging”. The card highlights a list of detection rules in your environment that are missing MITRE ATT&CK mappings and offers AI-suggested tags to help close those gaps. You click into the experience and the relevant rules, each with recommended tactic and technique tags. Now you can quickly get a sense of where coverage is missing and what can be improved. If you’re looking for efficiency, you can simply click “Apply All” to tag every recommended rule at once. It’s a quick way to bring your rules up to date and ensure your MITRE coverage reflects your true detection posture – no manual tagging required. This improves not just the MIRTE blade, but also use case recommendation, incident investigation context, and overall visibility into your threat coverage. lease note that by selecting "choose rule", you also have the option to review and tag individual rules from the list. y heading to the MITRE ATT&CK blade, you can validate the improved coverage. The updated view includes newly applied tactics and techniques, reflecting your improved posture. Next Steps Get started with SOC Optimization today. We hope this detailed walkthrough helps you understand the benefits of this feature and improve your security coverage. Microsoft will continue to invest in this feature to assist our customers in defending against evolving security threats. Learn More SOC optimization documentation: SOC optimization overview ; Recommendations logic Short overview and demo: SOC optimization Ninja show In depth webinar: Manage your data, costs and protections with SOC optimization SOC optimization API: Introducing SOC Optimization API | Microsoft Community Hub MITRE ATT&CK coverage: View MITRE coverage for your organization from Microsoft SentinelRisk-based Recommendation for SOC Optimization
This post is part of a blog series highlighting new SOC optimization capabilities designed to help SOC teams maximize security value and reduce costs, leveraging tailored dynamic recommendations. In this post, we will focus on Risk-Based Optimization, an exciting new capability that helps prioritize detection coverage based on the business risks most pertinent to your organization. Security teams often face the challenge of deciding where to focus detection efforts, especially when resources are limited and threats are constantly evolving. Traditional approaches treat all detections equally, making it difficult to align security operations with organizational priorities. The Risk-Based Optimization capability surfaces high-value detection recommendations tied directly to financial, compliance, legal, and reputational risks, helping teams make informed decisions about where to strengthen coverage. “Risk-Based Optimization has significantly influenced decision-making in threat management by providing a structured approach to prioritize and address risks.” Elie El Karkafi, Senior Solutions Architect, ampiO Solutions Importance of risk-based security prioritization One of the most pressing challenges today is that many organizations struggle to align their detection strategies with the real-world business risks that matter most. This disconnect is not just operational — it's organizational. Research shows that just 69% of board members see eye-to-eye with their CISOs (Harvard Business Review - Link). While business stakeholders focus on maintaining operations, controlling costs, and enabling growth, cybersecurity teams focus on threat mitigation, technical coverage, and vulnerability management. Without a shared understanding of risk, misalignment is inevitable. For example, the board might prioritize operational continuity, while the security team might focus on patching critical vulnerabilities - even if those vulnerabilities have no meaningful impact on core business services. This mismatch leads to: Security blind spots where high-value assets remain under protected Misallocation of resources, with low-impact threats consuming equal effort Difficulty communicating security priorities to business leadership Limited ROI visibility, as security investments aren’t tied to business outcomes What’s needed is a shared framework that allows both technical and non-technical stakeholders to view and prioritize cybersecurity risk in business terms. This includes understanding the financial impact of asset compromise — for example, what is the estimated loss if a major airline’s booking system is taken offline, millions of customer records are breached, and the incident becomes public? These are no longer theoretical scenarios — they are real and must be addressed accordingly. A risk-based approach to prioritization begins with understanding your environment: Inventory critical assets, including systems, users, and processes — both internal and external Threat model the ways those assets could be compromised or disrupted Assess exposure, considering threat likelihood and your organization’s risk tolerance Prioritize protections by assigning financial or operational impact values to potential losses Without this structured prioritization, organizations risk spending time and money without truly improving their security posture where it counts. New Risk-Based Optimization solution To help bridge the gap between business risk and security operations, we’re introducing Risk-Based Optimization. With Risk-Based Optimization capability, customers can: Identify under protected, high-risk areas Understand which business risks are impacted, such as financial fraud, data breaches, or operational downtime Receive recommendations aligned with both MITRE ATT&CK tactics and business consequences Key benefits include: Enhanced coverage across broad, business-risk-aligned threat scenarios Prioritization of high-risk threats affecting mission-critical functions Operational efficiency by concentrating resources on high-value detections Visual context through radar charts and MITRE coverage maps Actionable recommendations that integrate into detection tagging and configuration workflows As part of the public preview, Risk-Based Optimization includes three foundational use cases that align threat types with specific business risks: Credential Exploitation Network Intrusion Data Exfiltration These scenarios surface directly within the SOC Optimization experience in the unified portal, alongside existing recommendations. Users receive coverage scores and improvement suggestions that span both SIEM and XDR content — all mapped to relevant MITRE tactics, techniques, and sub-techniques for full visibility and traceability. Risk-Based Optimizations offer a broad, business-centric lens to kickstart a more strategic coverage approach. Customers can begin with these high-level optimizations, then drill down into more specific threat scenarios as needed. “Very impressed with the ease of use and intuitiveness of the feature. It enables Security Operations to focus on making risk-based decisions without being bogged down in technical complexity. The outcomes directly support broader organizational goals. I’m genuinely amazed by how straightforward it is with clear and impactful outcomes”. Shivniel Gounder, Principal Cybersecurity Engineer, DEFEND “It's aligning security measures with business risks, helping to focus resources on high-impact risks. And based on these insights and recommendations, we could have actionable steps to improve security coverage better and better.” Michael Morten Sonne, blog.sonnes.cloud, Microsoft MVP How it looks like Risk-based optimization brings clarity to a challenge every security team faces: how do we know if we're protected where it matters most? In the unified Microsoft security portal, SOC Optimization now surfaces a set of cards, each highlighting a different business risk where your coverage could be improved. Let’s take Credential Exploitation as an example. The card alerts you that your current coverage is low, and that improvements are available. With one click on “Learn about risk types”, you're taken into a detailed view that explains what the risk entails, what business areas it impacts (like financial, compliance, legal, etc.), and how your current MITRE ATT&CK coverage compares to the recommended baseline. The experience is designed for action — you don’t need to search for rules or hunt for guidance. The system surfaces exactly what detections to add, and with a direct link to the Content Hub, you can start improving your coverage immediately. This connected workflow extends into the MITRE Blade as well, where you can view the scenario’s tactics and techniques across the ATT&CK framework, helping you validate improvements and maintain alignment with real-world threats. Risk-based recommendations help transform detection management from a reactive task into a strategic advantage - bridging the gap between technical depth and business impact. “The whole addition of Risk-Based Scenarios is fantastic in terms of driving businesses to act to configure their detection rules. I would like to see this more widely adopted in the future to really build up the visibility of business risks in detections.” Vebjørn Høyland, Senior Cybersecurity Consultant, Move AS Next Steps Get started with Microsoft Sentinel in the Defender portal today to take advantage of SOC Optimization recommendations, tailored for your organization. Microsoft will continue to invest in SOC optimization features to help our customers in enhancing their security against evolving cyberthreats. Learn More SOC optimization documentation: SOC optimization overview ; Recommendation's logic Short overview and demo: SOC optimization Ninja show In depth webinar: Manage your data, costs and protections with SOC optimization SOC optimization API: Introducing SOC Optimization API | Microsoft Community Hub MITRE ATT&CK coverage: View MITRE coverage for your organization from Microsoft Sentinel
Automate Extraction of Microsoft Sentinel Analytical Rules from GitHub Solutions
🔧 Enhancing Pre-Deployment Rule Insights Extracting metadata like Rule Name, Severity, MITRE Tactics, and Techniques for out-of-the-box analytical rules across multiple solutions can be time-consuming when done manually—especially before the rules are deployed. 🚀 Script Overview The PowerShell script, hosted on GitHub, lets you: Provide the exact Microsoft Sentinel solution name as input, from Microsoft Sentinel GitHub: Azure-Sentinel/Solutions at master · Azure/Azure-Sentinel · GitHub Automatically query the [Microsoft Sentinel GitHub repo] Parse all associated analytical rule YAMLs under that solution Export relevant metadata into a structured CSV 📥 GitHub Link This is My GitHub repository where the custom PowerShell script is hosted. It allows you to extract built-in analytical rules from Microsoft Sentinel solutions based on the solution name: 🔗 GitHub - SentinelArtifactExtract (Optimized Script) 📝 Pre-Requisites: Generate GitHub Personal Access token: GitHub official page to generate PAT: Managing your personal access tokens - GitHub Docs Why GitHub PAT token: It will help us to Authenticate and overcome the GitHub API rate limit Error (403). Download the Script from GitHub to Azure CloudShell: Use Invoke-WebRequest or curl to download the raw script: Command to Download the Raw Script from GitHub: Invoke-WebRequest -Uri "https://raw.githubusercontent.com/vdabhi123/SentinelArtifactExtract/main/Extract%20Sentinel%20Analytical%20Rule%20with%20Solution%20Name%20prompt/OptimizedVersionPromptforSolutionNameOnly" -OutFile "ExtractRules.ps1 Invoke-WebRequest in Azure CloudShell Update the Script with you GitHub PAT (generated in pre-requisite 1) in main script: To update the PAT token you can use vim and ensure to run the updated script. 🧪 How to Use the Script Open Azure Cloud Shell (PowerShell). Upload and run the script. (This is Optional if Pre-requisite 3 is followed) Run the Script and Enter the **exact** solution name (e.g., `McAfee ePolicy Orchestrator`). The script fetches rule metadata and exports to CSV in the same directory. Download the CSV from Cloud Shell. & 2 as highlighted. 📤 Sample Output The script generates a CSV with the following columns: - `Solution` - `AnalyticalRuleName` - `Description` - `Severity` - `MITRE_Tactics` - `MITRE_Techniques` Example file name: Formatted Output with all Analytical Rule and other metadata for the Solution: ✅ Benefits Streamlines discovery of built-in analytical rules for initial Microsoft Sentinel deployments. Accelerates requirements gathering by exporting rules into a shareable CSV format. Enables collaborative planning—output can be shared with clients or Microsoft to determine which rules to implement or recommend. Eliminates manual effort of browsing GitHub or Microsoft Sentinel UI or exporting and reviewing full JSON rule files individually. 💡 Pro Tips Always verify the solution name from the official Microsoft Sentinel GitHub Solutions folder. Azure-Sentinel/Solutions at master · Azure/Azure-Sentinel · GitHub 📌 Final Thoughts This script was created in response to a real-world project need and is focused on improving the discovery and extraction of Microsoft Sentinel analytical rules. A follow-up blog covering the export of additional Sentinel artifacts—such as Playbooks, Workbooks, and Hunting Queries—will be published soon.Announcing File Attachments for Case Management
Effective information sharing is crucial for resolving cases efficiently. Today, we are excited to announce the launch of File Attachments for Case Management, a capability designed to enhance your case investigations with the sharing of reports, emails, screenshots, log files, and more, all in one centralized location within a case. Key Benefits of Attachments for Case Management Centralized Information: File attachments ensure that all relevant documents, images, and data are stored in one place. Reduce your reliance on external file storage and stop hunting through emails—everything you need is right at your fingertips within the case. Comprehensive Documentation: From contracts and evidence to client communications and reports, file attachments provide a complete and organized record of all case-related materials. This comprehensive documentation is invaluable for audits, reviews, and future reference. More Accurate Response: Minimize errors and increase confidence in case outcomes by leveraging all relevant information related to a case. Comb over vulnerability assessments, patch documentation, configuration changes, etc. and ensure you have all the context you need about a case. Attachments Experience: The experience is super simple. Go to the Case details page, click the “Attachments” tab, click “Upload”, select your file, and wait for the upload. The file is malware scanned in the background. Once scanning is complete anyone with access to the case can download the file. If you need to upload malware samples, you can wrap them in password protected zip files. Q&A: How much file storage do I get? 500 GB. Do file attachments stay in region? Yes, they are stored in the same region as their tenant. What if I need to attach malware samples for case investigation? Zip and password protect your malware samples. Malware samples that have not been zipped and password protect will be removed by malware scan. Coming Soon! Add file attachments and screenshots directly to comments to quickly review attachments in the Activity Log. Conclusion Attachments for Case Management ensures you have all the necessary information to make quick and informed decisions about a case. This leads to better case outcomes and improved communication for your organization. Learn more Case management overview Case management blog post
