Security Guidance Series: CAF 4.0 Building Proactive Cyber Resilience
It’s Time To Act Microsoft's Digital Defense Report 2025 clearly describes the cyber threat landscape that this guidance is situated in, one that has become more complex, more industrialized, and increasingly democratized. Each day, Microsoft processes more than 100 trillion security signals, giving unparalleled visibility into adversarial tradecraft. Identity remains the most heavily targeted attack vector, with 97% of identity-based attacks relying on password spray, while phishing and unpatched assets continue to provide easy routes for initial compromise. Financially motivated attacks, particularly ransomware and extortion, now make up over half of global incidents, and nation-state operators continue to target critical sectors, including IT, telecommunications, and Government networks. AI is accelerating both sides of the equation: enhancing attacker capability, lowering barriers to entry through open-source models, and simultaneously powering more automated, intelligence-driven defence. Alongside this, emerging risks such as quantum computing underline the urgency of preparing today for tomorrow’s threats. Cybersecurity has therefore become a strategic imperative shaping national resilience and demanding genuine cross-sector collaboration to mitigate systemic risk. It is within this environment that UK public sector organizations are rethinking their approach to cyber resilience. As an Account Executive Apprentice in the Local Public Services team here at Microsoft, I have seen how UK public sector organizations are rethinking their approach to cyber resilience, moving beyond checklists and compliance toward a culture of continuous improvement and intelligence-led defence. When we talk about the UK public sector in this series, we are referring specifically to central government departments, local government authorities, health and care organizations (including the NHS), education institutions, and public safety services such as police, fire, and ambulance. These organizations form a deeply interconnected ecosystem delivering essential services to millions of citizens every day, making cyber resilience not just a technical requirement but a foundation of public trust. Against this backdrop, the UK public sector is entering a new era of cyber resilience with the release of CAF 4.0, the latest evolution of the National Cyber Security Centre’s Cyber Assessment Framework. This guidance has been developed in consultation with national cyber security experts, including the UK’s National Cyber Security Centre (NCSC), and is an aggregation of knowledge and internationally recognized expertise. Building on the foundations of CAF 3.2, this update marks a decisive shift, like moving from a static map to a live radar. Instead of looking back at where threats once were, organizations can now better anticipate them and adjust their digital defences in real time. For the UK’s public sector, this transformation could not be timelier. The complexity of digital public services, combined with the growing threat of ransomware, insider threat, supply chain compromise, and threats from nation state actors, demands a faster, smarter, and more connected approach to resilience. Where CAF 3.2 focused on confirming the presence and effectiveness of security measures, CAF 4.0 places greater emphasis on developing organizational capability and improving resilience in a more dynamic threat environment. While the CAF remains an outcome-based framework, not a maturity model, it is structured around Objectives, Principles, and Contributing Outcomes, with each contributing outcome supported by Indicators of Good Practice. For simplicity, I refer to these contributing outcomes as “controls” throughout this blog and use that term to describe the practical expectations organizations are assessed against. CAF 4.0 challenges organizations not only to understand the threats they face but to anticipate, detect, and respond in a more informed and adaptive way. Two contributing outcomes exemplify this proactive mindset: A2.b Understanding Threat and C2 Threat Hunting. Together, they represent what it truly means to understand your adversaries and act before harm occurs. For the UK’s public sector, achieving these new objectives may seem daunting, but the path forward is clearer than ever. Many organizations are already beginning this journey, supported by technologies that help turn insight into action and coordination into resilience. At Microsoft, we’ve seen how tools like E3, E5, and Sentinel are already helping public sector teams to move from reactive to intelligence-driven security operations. Over the coming weeks, we’ll explore how these capabilities align to CAF 4.0’s core principles and share practical examples of how councils can strengthen their resilience journey through smarter visibility, automation, and collaboration. CAF 4.0 vs CAF 3.2 - What’s Changed and Why It Matters The move from CAF 3.2 to CAF 4.0 represents a fundamental shift in how the UK public sector builds cyber resilience. The focus is no longer on whether controls exist - it is on whether they work, adapt, and improve over time. CAF 4.0 puts maturity at the centre. It pushes organizations to evolve from compliance checklists to operational capability, adopting a threat-informed, intelligence-led, and proactive security posture, by design. CAF 4.0 raises the bar for cyber maturity across the public sector. It calls for departments and authorities to build on existing foundations and embrace live threat intelligence, behavioural analytics, and structured threat hunting to stay ahead of adversaries. By understanding how attackers might target essential services and adapting controls in real time, organizations can evolve from awareness to active defence. Today’s threat actors are agile, persistent, and increasingly well-resourced, which means reactive measures are no longer enough. CAF 4.0 positions resilience as a continuous process of learning, adapting, and improving, supported by data-driven insights and modern security operations. CAF 4.0 is reshaping how the UK’s public sector approaches security maturity. In the coming weeks, we’ll explore what this looks like in practice, starting with how to build a deeper understanding of threat (control A2.b) and elevate threat hunting (control C2) into an everyday capability, using the tools and insights that are available within existing Microsoft E3 and E5 licences to help support these objectives. Until then, how ready is your organization to turn insight into action?
Microsoft Sentinel MCP server - Generally Available With Exciting New Capabilities
Today, we’re excited to announce the General Availability of Microsoft Sentinel MCP (Model Context Protocol) server, a fully managed cloud service built on an open standard that empowers AI agents to seamlessly access your entire security context through natural language, eliminating the need for complex data engineering as you build agents. This unlocks new levels of AI agent performance and effectiveness, enabling them to do more for you. Since the public preview launch on September 30, hundreds of customers have explored MCP tools that provide semantic access to their entire security context. These tools allow security AI agents to operate with unprecedented precision by understanding your unique security context in natural language. Today, we’re introducing multiple innovations and new capabilities designed to help even more customers unlock more with AI-driven security. This post offers a high-level overview of what’s new. Stay tuned for deep-dive blogs that will unpack each feature in detail. Connect to Sentinel MCP server from Multiple AI Platforms By adopting the MCP open standard, we can progress on our mission to empower effective AI agents wherever you choose to run them. Beyond Security Copilot and VSCode Github Copilot, Sentinel MCP server is now natively integrated with Copilot Studio and Microsoft Foundry agent-building experiences. When creating an agent in any of these platforms, you can easily select Sentinel MCP tools, no pre-configuration required. It’s ready to use, so if you are using any of these platforms, dive in and give it a try. Click here for detailed guidance Additionally, you can now connect OpenAI ChatGPT to Sentinel MCP server through a secured OAuth authentication through a simple configuration in Entra. Learn how here assess threat impact on your organization Custom KQL Tools Many organizations rely on a curated library of KQL queries for incident triage, investigation, and threat hunting used in manual Standard Operating Procedures (SOP) or SOAR playbooks—often managed within Defender Advanced Hunting. Now, with Sentinel MCP server, you can instantly transform these saved KQL queries into custom tools with just a click. This new capability allows you to empower your AI agents with precise, actionable data tailored to your unique security workflows. Once a KQL query is saved as a tool, Sentinel MCP server automatically creates and maintains a corresponding MCP tool—ensuring it’s always in sync with the latest version of your saved query in Defender Advanced Hunting. Any connected agent can invoke this tool, confident it reflects your most current logic and requirements. Learn more here Entity Analyzer Assessing the risk of entities is a core task for SOC teams—whether triaging incidents, investigating threats, or automating response workflows. Traditionally, this has required building complex playbooks or custom logic to gather and analyze fragmented security data from multiple sources. With entity analyzer, this complexity is eliminated. The tool leverages your organization’s security data in Sentinel to deliver comprehensive, reasoned risk assessments for any entity your agents encounter – starting with users and urls. By providing a unified, out-of-the-box solution for entity analysis, entity analyzer enables your AI agents to make smarter decisions and automate more tasks—without the need to manually engineer risk evaluation logic for each entity type. This not only accelerates agent development, but also ensures your agents are always working with the most relevant and up-to-date context from across your security environment. Entity Analyzer is now available to any MCP client integrated with Sentinel MCP Server. And for those building SOAR workflows, entity analyzer is natively integrated with Logic Apps, making it easy to enrich entities and automate verdicts within your playbooks. Learn how to build a Logic Apps playbook with Entity Analyzer Graph Tools Microsoft Sentinel graph connects assets, identities, activities, and threat intelligence into a unified security graph, uncovering insights that structured data alone can’t provide such as relationships, blast radius, and attack paths. The graph is now generally available, and these advanced insights can be accessed by AI agents in natural language through a dedicated set of MCP tools. Graph MCP tools are offered in a sign-up preview. Triage Incidents and Alerts Sentinel MCP server extends to enable natural language access to a set of APIs that enable incident and alert triage. AI agents can use these tools to carry out autonomous triage and investigation of Defender XDR and Sentinel alerts and incidents. In the next couple of weeks, it will be available, out of the box, to all customers using Microsoft Defender XDR, Microsoft Sentinel or Microsoft Defender for Endpoint. Stay tuned. Smarter Security, Less Effort With the latest innovations in Sentinel MCP server, security teams can now harness the full power of AI-driven automation with unprecedented simplicity and impact. From seamless integration with leading AI platforms to instant creation of custom KQL tools and out-of-the-box entity analysis, Sentinel MCP server empowers your agents to deliver smarter, faster, and more effective security outcomes. These advancements eliminate manual complexity, accelerate agent development, and ensure your SOC is always equipped with the most relevant context. Currently, features like entity analysis are available at no additional charge; as we continue to evolve the platform, we’ll share updates on future pricing well in advance. Try out the new features today and stay tuned for deep-dive updates as we continue to push the boundaries of AI-powered security automation. Learn how to get startedUncover hidden security risks with Microsoft Sentinel graph
Earlier this fall, we launched Microsoft Sentinel graph – and today, we are pleased to announce that Sentinel graph is generally available starting December 1, 2025. Microsoft Sentinel graph maps the interconnections across activity, asset, and threat intelligence data. This enables comprehensive graph-based security and analysis across pre-and post-breach scenarios in both Microsoft Defender and Microsoft Purview. Customers are already seeing the impact of the graph-powered experiences that is providing insights beyond tabular queries. "The predefined scenarios in Sentinel graph are excellent... it definitely shows where I would need to look as an investigator to figure out what's happening in my environment, who has access to it, not only directly, but also indirectly, a couple of hops away. And that's something that you really can't get through a standard KQL query..." - Gary Bushey, Security Architect, Cyclotron, Inc. Building on this foundation, we are taking Sentinel graph to the next level and are excited to announce the public preview of the following new capabilities. Graph MCP Tools Building on the hunting graph and blast radius analysis capabilities in Microsoft Defender portal. We are excited to announce preview of purpose-built Sentinel graph MCP tools (Blast Radius, Path Discovery, and Exposure Perimeter) that make the graph-powered insights accessible to the AI agents. Using these purpose-built Sentinel graph MCP tools, you will be able to use and build AI agents to get insights from the graph in natural language (figure 1): “What is the blast radius from ‘Laura Hanak’?” “Is there a path from user Mark Gafarov to key vault wg-prod?” “Who can all get to wg-prod key vault?” You can sign up here for a free preview of Sentinel graph MCP tools, which will also roll out starting December 1, 2025. Custom Graphs The security operations teams, including Tier-3 analysts, threat intelligence specialists, and security researchers play a critical role in investigating sophisticated attacks and addressing systemic security issues. Their responsibilities range from uncovering design vulnerabilities and tracing historical exploitation, to analyzing types of abuse and recommending effective solutions. These experts strive to identify hidden patterns within organizational data and struggle with the right tools that can help them differentiate between normal vs. abnormal, keep-up with the changing attack patterns, and handle massive and complex datasets at scale. This requires a high level of flexibility and customization to rapidly iterate on the analysis. We’re taking Microsoft Sentinel graph to the next level and are thrilled to announce the public preview of custom graphs with two new powerful approaches designed specifically for security: ephemeral custom graphs and materialized custom graphs. These innovative approaches empower defenders to create and analyze graphs tailored and tuned to their unique security scenarios to find hidden risks and patterns in their security data available in the Sentinel data lake. Using their data in the lake, defenders will be able author notebooks (figure 2) to model, build, visualize, traverse, and run advanced graph analyses like Chokepoint/Centrality, Blast Radius/Reachability, Prioritized Path/Ranked, and K-hop. It’s a transformative leap in graph analytics, fundamentally changing how security teams understand and mitigate organizational risk by connecting the dots in their data. Figure 2: Custom graphs using Notebook in VS Code You can sign up here for a free preview of custom graph capability, which will also roll out starting December 1, 2025. Ephemeral Custom Graphs Ephemeral custom graphs are for one-time investigations requiring quick pattern examination and rapidly changing large scale data that doesn't justify materialization for reuse. For example, in a typical SOC investigation, brute-force attempts or privilege escalations appear as isolated incidents. But in reality, attackers move laterally through interconnected credentials and resources. Let’s assume, a service account (svc-backup) used by a legacy database is compromised. It holds group membership in “DataOps-Admins,” which shares access with “Engineering-All.” A developer reuses their personal access token across staging and production clusters. Individually, these facts seem harmless. Together, they form a multi-hop credential exposure chain that can only be detected through graph traversal. Sentinel graph helps you to build ad-hoc graphs for an investigation and discarded afterward (not kept in a database for reuse). You can pull the data from the Sentinel data lake and build a graph to explore relationships, run analytics, iterate on nodes/edges, and refine queries in an interactive loop. Here are some additional scenarios where ephemeral custom graphs can expose hidden patterns: Sign-in anomaly hunting: An analyst graphs user logins against source IPs and timestamps to identify unusual patterns (like a single IP connecting to many accounts). By iterating on the graph (filtering nodes, adding context like geolocation), they can spot suspicious login clusters or a credential theft scenario. TTP (Tactics, Techniques, Procedures) investigation: For a specific threat (e.g., a known APT’s techniques), the hunter might use a graph template to map related events. Microsoft Sentinel, for instance, can provide hunting notebook templates for scenarios like investigating lateral movement or scanning logs for leaked credentials, so analysts quickly construct a graph of relevant evidence. Audit log pattern discovery: By graphing Office 365 activity logs or admin audit logs, defenders can apply advanced graph algorithms (like betweenness centrality) to find outliers – e.g., an account that intermediates many rare files access relationships might indicate insider abuse. Materialized Custom Graphs Materialized custom graphs are graph datasets that are stored and maintained over time, often updated at intervals (e.g., daily or hourly). Instead of being thrown away each session, these graphs will be materialized in the graph database for running graph analytics and visualization. Materialized custom graphs will enable organizations to create their custom enterprise knowledge graphs for various use cases, such as every organization already has an identity graph — they just haven’t visualized it yet. Imagine a large enterprise where users, devices, service principals, and applications are constantly changing. New credentials are issued, groups evolve, and permissions shift by the hour. Over time, this churn creates a complex web of implicit trust and shared access that no static tool can capture. Organizations can now build their own identity graphs and materialize them. These materialized custom graphs can continuously map relationships across Azure AD Domain Services, Entra ID, AWS IAM, SaaS platforms, and custom applications, updating daily or hourly to reflect the organization’s true security topology. Organizations can query these graphs and run various advanced graph algorithms and understand the chokepoint, blast radius, attack paths, and so on. This helps detect the gradual buildup of privilege overlap — when identities that were once isolated begin to share access paths through evolving group memberships, role assignments, or inherited permissions. Over weeks or months, these subtle shifts expand the blast radius of any single compromise. Behind the scenes We are partnering with our friends in Microsoft Fabric to bring these new capabilities to market. Mapping a large digital estate into a graph requires new scale out approach and that is what graph in Microsoft Fabric enables. “Discovering modern security risks is a massive data challenge. It requires connecting the dots across an entire digital estate, which can only be achieved with a graph at hyperscale. This is why our Fabric team's partnership with the Sentinel graph team is so critical. We’ve collaborated to build a scale-out graph solution capable of processing billion nodes and edges, delivering the performance and scale our largest security customers need to stay ahead of threats.” - Yitzhak Kesselman, CVP, Fabric Real-Time Intelligence Getting started Check out this video to learn more. To get access to the preview capabilities, please sign-up here. Reference links Data lake blog MCP server blogMicrosoft Ignite 2025: Power the next era of cybersecurity with Microsoft Sentinel
At Microsoft Ignite 2025, we’re showcasing how Microsoft Sentinel —trusted by over 40,000 customers worldwide— combines industry-leading SIEM capabilities with a purpose-built security data lake to transform security operations. This powerful combination delivers deep visibility, advanced analytics, and cost-efficiency—empowering security teams to detect, investigate, and respond faster in an AI-driven era. IT environments and threats have exploded in size and complexity in recent years. Microsoft Sentinel’s AI-powered platform with data lake, graph, and AI tools gives security teams the capabilities they need to keep up. The Sentinel data lake is a game-changer. It enabled Simbian's AI SOC and Threat Hunt Agents to efficiently analyze months of correlated security data across the enterprise. Ambuj Kumar | Co-founder and CEO | Simbian Join us November 18–21 at the Moscone Center in San Francisco or online to explore latest innovations in Sentinel SIEM and data lake, and dive into immersive sessions designed to strengthen defenses and accelerate impact. Proactive Response: Automatic attack disruption on AWS, Proofpoint & Okta Automatic attack disruption is now extending beyond XDR, incorporating data from AWS, Proofpoint and Okta when brought in through Sentinel. By leveraging millions of signals from Microsoft Threat Intelligence, this feature uses AI to detect sophisticated threats like phishing, business email compromise, and identity compromise across federated accounts and cloud boundaries. Once an attack is identified, compromised assets are contained in near real time, reducing dwell time and minimizing business impact. Integrating telemetry from AWS, Proofpoint, and Okta, security teams can transition from reactive detection to proactive, cross-platform protection, ensuring cohesive defense and lowering operational complexity. AI-Assisted SOC: introducing agentic tools in Defender We are excited announce Security Copilot-powered agents that can transform how SOC teams detect, investigate, and respond to threats by bringing AI into day-to-day workflows for SIEM and XDR users within Defender. The Threat Hunting Agent transforms threat hunting by allowing analysts to conduct end-to-end investigations using natural language. It provides direct answers, guides users through investigative steps, and surfaces actionable insights. This agent-driven experience helps analysts of all skill levels hunt faster, more accurately, and with rich security context. The Threat Intelligence Briefing Agent is now seamlessly integrated into the Microsoft Defender portal. In just a few minutes, the agent generates tailored threat briefings that synthesize the latest insights from Microsoft Threat Intelligence and hundreds of global sources, directly contextualized to an organization’s unique environment. Analysts can use these briefings to understand evolving risks and emerging campaigns, critical CVEs, and at-risk assets to understand what to focus on first. They can then use the agent’s clear recommendations and deep linking to affected assets to proactively address exposures. With real-time, dynamic intelligence and an intuitive review path, the Threat Intelligence Briefing agent transforms complex threat data into actionable guidance, empowering organizations to make faster, smarter security decisions every day. The Dynamic Threat Detection Agent proactively hunts for false negatives and blind spots that traditional alerting might miss. When a critical incident happens, Copilot automatically hunts to uncover undetected threats—like unusual residual activity around a sensitive identity. This agent turns ‘probably fine’ into proven secure—finding and fixing false negatives to keep organizations safer. Accelerated Onboarding: AI powered SIEM migration tool We’re excited to announce the new enhanced SIEM migration experience for Microsoft Sentinel—designed to simplify and accelerate migrations from Splunk and QRadar. SIEM migrations are complex and resource-intensive, often taking months. While many solutions simply convert queries into proprietary syntax, Microsoft takes a different approach—driving true SOC transformation with advanced correlation and insights that go beyond syntax conversion. This ensures a fully integrated, future-ready SOC aligned with modern security needs—not just translated legacy queries. Support for Splunk will be available in public preview by early December 2025, and QRadar support will follow soon. This tool will enable customers to upload exports from their existing SIEM and receive tailored recommendations for Microsoft Sentinel setup. The tool analyzes uploaded data to identify techniques, data sources, and detection rules, then maps them to production-ready, out-of-the-box Sentinel detections. It also highlights missing connectors and recommends enabling them to ensure full coverage. With one-click activation of recommended rules and connectors, customers can quickly operationalize their security posture without manual configuration. This approach moves beyond simple syntax translation, delivering accurate, intent-based mapping for better detection coverage and ongoing optimization—so your security stays effective and up to date without extra effort. To help customers accelerate their Sentinel journey, Microsoft offers migration support at no additional cost to customers through the Cloud Accelerate Factory program. Eligible customers receive hands-on assistance from Microsoft experts to quickly deploy Sentinel and migrate from Splunk using the new SIEM migration experience, all while collaborating with your preferred migration partner.. For more details, contact your Microsoft representative or visit https://aka.ms/FactoryCustomerPortal Expanded Ecosystem: new and enhanced out-of-the-box connectors Microsoft Sentinel’s growing ecosystem of data connectors is transforming how organizations integrate and secure their environments. With over 350 connectors, easily bring in telemetry from a wide range of sources—cloud platforms, SaaS applications, and on-premises systems—directly into Microsoft Sentinel. We are continuously adding new connectors every month to this ecosystem, and we’re excited to highlight a few of the latest additions here. The following new connectors across various cloud providers are now generally available in Microsoft Sentinel AWS: Network Firewall, Route 53 DNS, Security Hub Findings, Server Access GCP: Apigee, CDN, Cloud Monitor, Cloud Run, Compute Engine, DNS, Google Kubernetes Engine, NAT Resource Manager, SQL, VPC Flow, IAM Palo Alto: Cortex Xpanse, Prisma Cloud CSPM, Prisma CWPP SAP: ETD, Agentless connector Others: Alibaba Cloud ActionTrail Logs, Cisco Secure Endpoint, Cyfirma, Extra Hop, Keeper Security, Lookout MTD, OneLoginIAM, Oracle Cloud Infra, PingOne, Qualys Vulnerability Management, Salesforce, Samsung, SAP ETD, Slack Audit, Snowflake OneTrust (in public preview), and BigID, Cyera and Varonis (coming soon) Connectors enable customers to integrate third-party signal into Microsoft Purview’s Data Security Posture Management (DSPM) solution helping DSPM customers eliminate blind spots and strengthen risk posture across their digital estate. Made possible via integration with the Microsoft Sentinel data lake, DSPM customers can easily turn on and integrate third-party data asset information (such as permissions, location, sensitivity) to achieve a more complete view of risk across their multi-cloud environments. For the full list of connectors see our documentation here. If you have any new connectors you'd like to see, please reach out to our App Assure team. Lower cost and enhanced security: Ingest Diverse Security Data Directly into the Data Lake Microsoft Defender for Endpoint (MDE) data can now be ingested directly into the Sentinel data lake, with table settings managed using the built-in table management experience in the Defender portal. This enables retro-hunting and incident investigations on historical endpoint data, while allowing cost-effective long-term retention without moving data to the analytics tier. Expansion to MDO and MDA is coming in early December. The result: improved visibility, historical analysis, lower total cost of ownership, and powerful capabilities for modern security operations. Plus, you can also ingest Entra, Syslog, CEF, and CommonSecurityLog data directly into the data lake for even broader and cost-efficient coverage. Granular Control: Role based access control in the data lake Microsoft Sentinel data lake has enhanced its permission model to enable users to access workspace data in the lake based on their granular Azure RBAC permissions on each workspace. Customers now gain the flexibility to delegate read access to individual workspaces without relying solely on built-in roles. For additional information on delegating read permissions to workspaces using Azure RBAC, please refer to our documentation. Coming soon is the application identity support for data lake access (SPN/MI). Customers can give service principals or managed identities access to data in the Sentinel data lake, which drives scalable automation with agents or scripts. Just assign these identities to roles in Azure or Entra ID to start using this feature. Improved data access: Updated data lake KQL and notebook experience Run asynchronous KQL queries on the Sentinel data lake to process larger datasets efficiently. Results are stored in a hot cache for up to 24 hours, giving your SOC instant access without rehydrating data to the analytics tier. This accelerates investigations, streamlines workflows, and enables more data to be analyzed in a single query. With Microsoft Sentinel data lake, SOC teams gain immediate access to a curated set of out-of-the-box KQL queries and job templates that cover the most critical security scenarios, enabling teams to quickly establish baselines, hunt threats, rapid anomaly detection and investigation of rare or risky behaviors. These prebuilt analytics empower security teams to quickly surface suspicious patterns, track emerging threats, and automate routine checks across vast historical data—helping organizations stay ahead of attackers, minimize manual effort, and accelerate security operations with confidence. This will be available by early December, see documentation for more information, see KQL and the Microsoft Sentinel data lake - Microsoft Security | Microsoft Learn A new samples panel is available in Visual Studio Code, giving users quick access to notebook examples that have been vetted by Microsoft Research. This helps users get started faster and learn best practices for working with notebooks. Integrated Intelligence: Threat Analytics now included for SIEM customers Customers can now tap into Microsoft’s extensive threat intelligence library, offering deep insights into threat actors, their tactics, and known vulnerabilities—alongside finished intelligence from Microsoft Threat Research. It delivers real-time indicators of compromise and maps to MITRE techniques, tactics, and procedures (TTPs), empowering proactive threat hunting and effective remediation. T Improved triage: AI-powered incident experience The Defender incident queue is getting better. We are in public preview with an updated AI-powered experience, designed to help SOC analysts prioritize incidents more effectively during triage, ensuring that the most critical threats are addressed first. By leveraging an advanced algorithm that assigns risk scores based on alert types, criticality tags, MITRE techniques, threat analytics and more, it brings transparency and actionable insights to incident prioritization. Analysts benefit from a clear view of why incidents are ranked highly, allowing for faster, more confident decision-making. Pre-built solutions: track HIPPA and GDPR compliance We have two new out-of-the-box compliance solutions in public preview, helping customer adhere to industry requirements, without significant configuration. The HIPAA compliance solution helps healthcare organizations safeguard protected health information (PHI) with integrated dashboards, real‑time threat detection, and audit‑ready reporting. Prebuilt analytics and watchlists for users and assets make it easier to monitor access, detect anomalies, and respond to incidents while reducing operational complexity. The GDPR Compliance & Data Security Solution unifies alerts, data classification, and audit evidence across Microsoft Purview, Azure SQL, Microsoft 365, UEBA, and Entra ID to monitor GDPR requirements in cloud and hybrid environments. It offers real‑time risk detection, end‑to‑end audit trails, and customizable dashboards to streamline reporting and strengthen data protection. You can access these solutions in the Content Hub today. To learn more, see: New Compliance Solutions in Microsoft Sentinel: HIPAA & GDPR Reports | Microsoft Community Hub Join us at Ignite 2025 to learn about Microsoft’s latest innovations Be the first to experience these innovations and more at Microsoft Ignite 2025. Register to secure your spot and explore the future of AI-powered security operations. Recommended Ignite Sessions Breakout sessions: BRK 235: Power Agentic Defense with Microsoft Sentinel Theater sessions: THR749: Scale operations and optimize costs with Microsoft Sentinel data lake, THR748: Leveraging the power of Microsoft Sentinel SIEM and data lake Ignite Labs: LAB543-R1 Perform threat hunting in Microsoft Sentinel Additional resources Microsoft Sentinel—AI-Powered Cloud SIEM & Platform Pricing: Pricing page, Plan costs and understand Microsoft Sentinel pricing and billing KQL & Notebooks: Connect Sentinel to Defender, Jupyter notebooks in Microsoft Sentinel data lake, KQL and the Microsoft Sentinel data lake, Permissions for Microsoft Sentinel data lake Learn more about the convergence of MDTI into Sentinel and Defender Read about our Defender announcements, Security Copilot in Defender Microsoft Sentinel Solution for SAP applications: New agentless connector, blogIgnite your future with new security skills during Microsoft Ignite 2025
Ignite your future with new security skills during Microsoft Ignite 2025 AI and cloud technologies are reshaping every industry. Organizations need professionals who can secure AI solutions, modernize infrastructure, and drive innovation responsibly. Ignite brings together experts, learning, and credentials to help you get skilled for the future. Take on the Secure and Govern AI with Confidence Challenge Start your journey with the Azure Skilling Microsoft Challenge. These curated challenges help you practice real-world scenarios and earn recognition for your skills. One of the challenges featured is the Secure and Govern AI with Confidence challenge. This challenge helps you: Implement AI governance frameworks. Configure responsible AI guardrails in Azure AI Foundry. Apply security best practices for AI workloads. Special Offer: Be among the first 5,000 participants to complete this challenge and receive a discounted certification exam voucher—a perfect way to validate your skills and accelerate your career. Completing this challenge earns you a badge and prepares you for advanced credentials—ideal for anyone looking to lead in AI security. Join the challenge today! Validate Your Expertise with this new Microsoft Applied Skill. Applied Skills assessments are scenario-based, so you demonstrate practical expertise—not just theory. Earn the Secure AI Solutions in the Cloud credential—a job-ready validation of your ability to: Configure security for AI services using Microsoft Defender for Cloud. Implement governance and guardrails in Azure AI Foundry. Protect sensitive data and ensure compliance across AI workloads. This applied skill is designed for professionals who want to lead in AI security, accelerate career growth, and stand out in a competitive market. To learn how to prepare and take the applied skill, visit here. Your Next Steps: Security Plans Ignite isn’t just about live sessions—it’s about giving you on-demand digital content and curated learning paths so you can keep building skills long after the event ends. With 15 curated security plans that discuss topics such as controlling access with Microsoft Entra and securing your organization’s data, find what is relevant to you on Microsoft Ignite: Keep the momentum going page.Unlocking Developer Innovation with Microsoft Sentinel data lake
Introduction Microsoft Sentinel is evolving rapidly, transforming to be both an industry-leading SIEM and an AI-ready platform that empowers agentic defense across the security ecosystem. In our recent webinar: Introduction to Sentinel data lake for Developers, we explored how developers can leverage Sentinel’s unified data lake, extensible architecture, and integrated tools to build innovative security solutions. This post summarizes the key takeaways and actionable insights for developers looking to harness the full power of Sentinel. The Sentinel Platform: A Foundation for Agentic Security Unified Data and Context Sentinel centralizes security data cost-effectively, supporting massive volumes and diverse data types. This unified approach enables advanced analytics, graph-enabled context, and AI-ready data access—all essential for modern security operations. Developers can visualize relationships across assets, activities, and threats, mapping incidents and hunting scenarios with unprecedented clarity. Extensible and Open Platform Sentinel’s open architecture simplifies onboarding and data integration. Out-of-the-box connectors and codeless connector creation make it easy to bring in third-party data. Developers can quickly package and publish agents that leverage the centralized data lake and MCP server, distributing solutions through Microsoft Security Store for maximum reach. The Microsoft Security Store is a storefront for security professionals to discover, buy, and deploy vetted security SaaS solutions and AI agents from our ecosystem partners. These offerings integrate natively with Microsoft Security products—including the Sentinel platform, Defender, and Entra, to deliver end‑to‑end protection. By combining curated, deploy‑ready solutions with intelligent, AI‑assisted workflows, the Store reduces integration friction and speeds time‑to‑value for critical tasks like triage, threat hunting, and access management. Advanced Analytics and AI Integration With support for KQL, Spark, and ML tools, Sentinel separates storage and compute, enabling scalable analytics and semantic search. Jupyter Notebooks hosted in on-demand Spark environments allow for rich data engineering and machine learning directly on the data lake. Security Copilot agents, seamlessly integrated with Sentinel, deliver autonomous and adaptive automation, enhancing both security and IT operations. Developer Scenarios: Unlocking New Possibilities The webinar showcased several developer scenarios enabled by Sentinel’s platform components: Threat Investigations Over Extended Timelines: Query historical data to uncover slow-moving attacks and persistent threats. Behavioral Baselining: Model normal behavior using months of sign-in logs to detect anomalies. Alert Enrichment: Correlate alerts with firewall and NetFlow data to improve accuracy and reduce false positives. Retrospective Threat Hunting: React to new indicators of compromise by running historical queries across the data lake. ML-Powered Insights: Build machine learning models for anomaly detection, alert enrichment, and predictive analytics. These scenarios demonstrate how developers can leverage Sentinel’s data lake, graph capabilities, and integrated analytics to deliver powerful security solutions. End-to-End Developer Journey The following steps outline a potential workflow for developers to ingest and analyze their data within the Sentinel platform. Data Sources: Identify high-value data sources from your environment to integrate with Microsoft Security data. The journey begins with your unique view of the customer’s digital estate. This is data you have in your platform today. Bringing this data into Sentinel helps customers make sense of their entire security landscape at once. Data Ingestion: Import third-party data into the Sentinel data lake for secure, scalable analytics. As customer data flows from various platforms into Sentinel, it is centralized and normalized, providing a unified foundation for advanced analysis and threat detection across the customer’s digital environment. Sentinel data lake and Graph: Run Jupyter Notebook jobs for deep insights, combining contributed and first-party data. Once data resides in the Sentinel data lake, developers can leverage its graph capabilities to model relationships and uncover patterns, empowering customers with comprehensive insights into security events and trends. Agent Creation: Build Security Copilot agents that interact with Sentinel data using natural language prompts. These agents make the customer’s ingested data actionable, allowing users to ask questions or automate tasks, and helping teams quickly respond to threats or investigate incidents using their own enterprise data. Solution Packaging: Package and distribute solutions via the Microsoft Security Store, reaching customers at scale. By packaging these solutions, developers enable customers to seamlessly deploy advanced analytics and automation tools that harness their data journey— from ingestion to actionable insights—across their entire security estate. Conclusion Microsoft Sentinel’s data lake and platform capabilities open new horizons for developers. By centralizing data, enabling advanced analytics, and providing extensible tools, Sentinel empowers you to build solutions that address today’s security challenges and anticipate tomorrow’s threats. Explore the resources below, join the community, and start innovating with Sentinel today! App Assure: For assistance with developing a Sentinel Codeless Connector Framework (CCF) connector, you can contact AzureSentinelPartner@microsoft.com. Microsoft Security Community: aka.ms/communitychoice Next Steps: Resources and Links Ready to dive deeper? Explore these resources to get started: Get Educated! Sentinel data lake general availability announcement Sentinel data lake official documentation Connect Sentinel to Defender Portal Onboarding to Sentinel data lake Integration scenarios (e.g. hunt | jupyter) KQL queries Jupyter notebooks (link) as jobs (link) VS Code Extension Sentinel graph Sentinel MCP server Security Copilot agents Microsoft Security Store Take Action! Bring your data into Sentinel Build a composite solution Explore Security Copilot agents Publish to Microsoft Security Store List existing SaaS apps in Security StoreGenAI vs Cyber Threats: Why GenAI Powered Unified SecOps Wins
Cybersecurity is evolving faster than ever. Attackers are leveraging automation and AI to scale their operations, so how can defenders keep up? The answer lies in Microsoft Unified Security Operations powered by Generative AI (GenAI). This opens the Cybersecurity Paradox: Attackers only need one successful attempt, but defenders must always be vigilant, otherwise the impact can be huge. Traditional Security Operation Centers (SOCs) are hampered by siloed tools and fragmented data, which slows response and creates vulnerabilities. On average, attackers gain unauthorized access to organizational data in 72 minutes, while traditional defense tools often take on average 258 days to identify and remediate. This is over eight months to detect and resolve breaches, a significant and unsustainable gap. Notably, Microsoft Unified Security Operations, including GenAI-powered capabilities, is also available and supported in Microsoft Government Community Cloud (GCC) and GCC High/DoD environments, ensuring that organizations with the highest compliance and security requirements can benefit from these advanced protections. The Case for Unified Security Operations Unified security operations in Microsoft Defender XDR consolidates SIEM, XDR, Exposure management, and Enterprise Security Posture into a single, integrated experience. This approach allows the following: Breaks down silos by centralizing telemetry across identities, endpoints, SaaS apps, and multi-cloud environments. Infuses AI natively into workflows, enabling faster detection, investigation, and response. Microsoft Sentinel exemplifies this shift with its Data Lake architecture (see my previous post on Microsoft Sentinel’s New Data Lake: Cut Costs & Boost Threat Detection), offering schema-on-read flexibility for petabyte-scale analytics without costly data rehydration. This means defenders can query massive datasets in real time, accelerating threat hunting and forensic analysis. GenAI: A Force Multiplier for Cyber Defense Generative AI transforms security operations from reactive to proactive. Here’s how: Threat Hunting & Incident Response GenAI enables predictive analytics and anomaly detection across hybrid identities, endpoints, and workloads. It doesn’t just find threats—it anticipates them. Behavioral Analytics with UEBA Advanced User and Entity Behavior Analytics (UEBA) powered by AI correlates signals from multi-cloud environments and identity providers like Okta, delivering actionable insights for insider risk and compromised accounts. [13 -Micros...s new UEBA | Word] Automation at Scale AI-driven playbooks streamline repetitive tasks, reducing manual workload and accelerating remediation. This frees analysts to focus on strategic threat hunting. Microsoft Innovations Driving This Shift For SOC teams and cybersecurity practitioners, these innovations mean you spend less time on manual investigations and more time leveraging actionable insights, ultimately boosting productivity and allowing you to focus on higher-value security work that matters most to your organization. Plus, by making threat detection and response faster and more accurate, you can reduce stress, minimize risk, and demonstrate greater value to your stakeholders. Sentinel Data Lake: Unlocks real-time analytics at scale, enabling AI-driven threat detection without rehydration costs. Microsoft Sentinel data lake overview UEBA Enhancements: Multi-cloud and identity integrations for unified risk visibility. Sentinel UEBA’s Superpower: Actionable Insights You Can Use! Now with Okta and Multi-Cloud Logs! Security Copilot & Agentic AI: Harnesses AI and global threat intelligence to automate detection, response, and compliance across the security stack, enabling teams to scale operations and strengthen Zero Trust defenses defenders. Security Copilot Agents: The New Era of AI, Driven Cyber Defense Sector-Specific Impact All sectors are different, but I would like to focus a bit on the public sector at this time. This sector and critical infrastructure organizations face unique challenges: talent shortages, operational complexity, and nation-state threats. GenAI-centric platforms help these sectors shift from reactive defense to predictive resilience, ensuring mission-critical systems remain secure. By leveraging advanced AI-driven analytics and automation, public sector organizations can streamline incident detection, accelerate response times, and proactively uncover hidden risks before they escalate. With unified platforms that bridge data silos and integrate identity, endpoint, and cloud telemetry, these entities gain a holistic security posture that supports compliance and operational continuity. Ultimately, embracing generative AI not only helps defend against sophisticated cyber adversaries but also empowers public sector teams to confidently protect the services and infrastructure their communities rely on every day. Call to Action Artificial intelligence is driving unified cybersecurity. Solutions like Microsoft Defender XDR and Sentinel now integrate into a single dashboard, consolidating alerts, incidents, and data from multiple sources. AI swiftly correlates information, prioritizes threats, and automates investigations, helping security teams respond quickly with less manual work. This shift enables organizations to proactively manage cyber risks and strengthen their resilience against evolving challenges. Picture a single pane of glass where all your XDRs and Defenders converge, AI instantly shifts through the noise, highlighting what matters most so teams can act with clarity and speed. That may include: Assess your SOC maturity and identify silos. Use the Security Operations Self-Assessment Tool to determine your SOC’s maturity level and provide actionable recommendations for improving processes and tooling. Also see Security Maturity Model from the Well-Architected Framework Explore Microsoft Sentinel, Defender XDR, and Security Copilot for AI-powered security. Explains progressive security maturity levels and strategies for strengthening your security posture. What is Microsoft Defender XDR? - Microsoft Defender XDR and What is Microsoft Security Copilot? Design Security in Solutions from Day One! Drive embedding security from the start of solution design through secure-by-default configurations and proactive operations, aligning with Zero Trust and MCRA principles to build resilient, compliant, and scalable systems. Design Security in Solutions from Day One! Innovate boldly, Deploy Safely, and Never Regret it! Upskill your teams on GenAI tools and responsible AI practices. Guidance for securing AI apps and data, aligned with Zero Trust principles Build a strong security posture for AI About the Author: Hello Jacques "Jack” here! I am a Microsoft Technical Trainer focused on helping organizations use advanced security and AI solutions. I create and deliver training programs that combine technical expertise with practical use, enabling teams to adopt innovations like Microsoft Sentinel, Defender XDR, and Security Copilot for stronger cyber resilience. #SkilledByMTT #MicrosoftLearnSentinel UEBA’s Superpower: Actionable Insights You Can Use! Now with Okta and Multi-Cloud Logs!
Microsoft Sentinel continues to evolve as a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) solution, empowering security teams to detect, investigate, and respond to threats with speed and precision. The latest update introduces advanced User and Entity Behavior Analytics (UEBA), expanding support for new eligible logs, including multi-cloud sources and the Okta identity provider. This leap strengthens coverage and productivity by surfacing anomalies, actionable insights, and rich security context across entities and raw logs. Building on these enhancements, Sentinel UEBA now enables security teams to correlate activity seamlessly across diverse platforms like Azure, AWS, Google Cloud, and Okta, providing a unified risk perspective and empowering SOC analysts to quickly identify suspicious patterns such as unusual logins, privilege escalations, or anomalous access attempts. By leveraging behavioral baselines and contextual data about users, devices, and cloud resources, organizations benefit from improved detection accuracy and a reduction in false positives, streamlining investigations and accelerating threat response. For our Government Customers and for information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers. What’s New in Sentinel UEBA? Expanded Log Support: Sentinel now ingests and analyzes logs from a broader set of sources, including multi-cloud environments and Okta. This means security teams can correlate user and entity activity across Azure, AWS, Google Cloud, and Okta, gaining a unified view of risk. Actionable Insights: UEBA surfaces anomalies, such as unusual login patterns, privilege escalations, and suspicious access attempts by analyzing behavioral baselines and deviations. These insights help SOC analysts prioritize investigations and respond to threats faster. Rich Security Context: By combining raw logs with contextual information about users, devices, and cloud resources, Sentinel UEBA provides a holistic view of each entity’s risk posture. This enables more accurate detection and reduces false positives. To maximize the benefits of Sentinel UEBA’s expanded capabilities, organizations should focus on integrating all relevant cloud and identity sources, establishing behavioral baselines for users and entities, and leveraging automated response workflows to streamline investigations. Continuous tuning of UEBA policies and proactive onboarding of new log sources, such as Okta and multi-cloud environments, ensures that security teams remain agile in the face of evolving threats. By utilizing dedicated dashboards to monitor for anomalies like impossible travel and privilege changes, and by training SOC analysts to interpret insights and automate incident responses, teams can significantly enhance their threat detection and mitigation strategies while fostering a culture of ongoing learning and operational excellence. Microsoft Learn, UEBA Engine Key Practices for Maximizing UEBA To help organizations fully leverage the latest capabilities of Sentinel UEBA, adopting proven practices is essential. The following key strategies will empower security teams to maximize value, enhance detection, and streamline their operations. Integrate Multi-Cloud Logs: Ensure all relevant cloud and identity sources (Azure, AWS, GCP, Okta) are connected to Sentinel for comprehensive coverage. Baseline Normal Behavior: Use UEBA to establish behavioral baselines for users and entities, making it easier to spot anomalies. Automate Response: Leverage Sentinel’s SOAR capabilities to automate investigation and response workflows for detected anomalies. Continuous Tuning: Regularly review and refine UEBA policies to adapt to evolving threats and organizational changes. This image shows how Microsoft Sentinel UEBA analyzes user and entity behavior to detect suspicious activity and anomalies, helping security teams identify advanced threats and insider risks more accurately. Microsoft Learn, UEBA pipeline Call to Action Start by onboarding Okta and multi-cloud logs into Sentinel. Use UEBA dashboards to monitor for unusual activities, such as impossible travel, multiple failed logins, or privilege changes. Automate alerts and incident response to reduce manual workload and accelerate threat mitigation. Assess your current log sources and identity providers. Onboard Okta and multi-cloud logs into Sentinel, enable UEBA, and start monitoring behavioral anomalies. Train your SOC team on interpreting UEBA insights and automating response actions. Stay ahead of threats by continuously tuning your analytics and integrating new sources as your environment evolves. Reference Links for Sentinel UEBA Advanced threat detection with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel Microsoft Sentinel User and Entity Behavior Analytics (UEBA) reference Investigate incidents with UEBA data What's new in Microsoft Sentinel Microsoft Sentinel documentation home About the Author: Hi! Jacques “Jack” here, Microsoft Technical Trainer. I’m passionate about empowering teams to master security and operational excellence. As you advance your skills, pair technical expertise with a commitment to sharing knowledge and ongoing training. Create opportunities to lead workshops, stay current on threats and best practices, and foster a culture of continuous learning. #SkilledByMTT #MicrosoftLearnIntroducing Microsoft Sentinel graph (Public Preview)
Security is being reengineered for the AI era—moving beyond static, rulebound controls and after-the-fact response toward platform-led, machine-speed defense. The challenge is clear: fragmented tools, sprawling signals, and legacy architectures that can’t match the velocity and scale of modern attacks. What’s needed is an AI-ready, data-first foundation—one that turns telemetry into a security graph, standardizes access for agents, and coordinates autonomous actions while keeping humans in command of strategy and high-impact investigations. Security teams already center operations on their SIEM for end-to-end visibility, and we’re advancing that foundation by evolving Microsoft Sentinel into both the SIEM and the platform for agentic defense—connecting analytics and context across ecosystems. And today, we announced the general availability of Sentinel data lake and introduced new preview platform capabilities that are built on Sentinel data lake (Figure 1), so protection accelerates to machine speed while analysts do their best work. We are excited to announce the public preview of Microsoft Sentinel graph, a deeply connected map of your digital estate across endpoints, cloud, email, identity, SaaS apps, and enriched with our threat intelligence. Sentinel graph, a core capability of the Sentinel platform, enables Defenders and Agentic AI to connect the dots and bring deep context quickly, enabling modern defense across pre-breach and post-breach. Starting today, we are delivering new graph-based analytics and interactive visualization capabilities across Microsoft Defender and Microsoft Purview. Attackers think in graphs. For a long time, defenders have been limited to querying and analyzing data in lists forcing them to think in silos. With Sentinel graph, Defenders and AI can quickly reveal relationships, traversable digital paths to understand blast radius, privilege escalation, and anomalies across large, cloud-scale data sets, deriving deep contextual insight across their digital estate, SOC teams and their AI Agents can stay proactive and resilient. With Sentinel graph-powered experiences in Defender and Purview, defenders can now reason over assets, identities, activities, and threat intelligence to accelerate detection, hunting, investigation, and response. Incident graph in Defender. The incident graph in the Microsoft Defender portal is now enriched with ability to analyze blast radius of the active attack. During an incident investigation, the blast radius analysis quickly evaluates and visualizes the vulnerable paths an attacker could take from a compromise entity to a critical asset. This allows SOC teams to effectively prioritize and focus their attack mitigation and response saving critical time and limiting impact. Hunting graph in Defender. Threat hunting often requires connecting disparate pieces of data to uncover hidden paths that attackers exploit to reach your crown jewels. With the new hunting graph, analysts can visually traverse the complex web of relationships between users, devices, and other entities to reveal privileged access paths to critical assets. This graph-powered exploration transforms threat hunting into a proactive mission, enabling SOC teams to surface vulnerabilities and intercept attacks before they gain momentum. This approach shifts security operations from reactive alert handling to proactive threat hunting, enabling teams to identify vulnerabilities and stop attacks before they escalate. Data risk graph in Purview Insider Risk Management (IRM). Investigating data leaks and insider risks is challenging when information is scattered across multiple sources. The data risk graph in IRM offers a unified view across SharePoint and OneDrive, connecting users, assets, and activities. Investigators can see not just what data was leaked, but also the full blast radius of risky user activity. This context helps data security teams triage alerts, understand the impact of incidents, and take targeted actions to prevent future leaks. Data risk graph in Purview Data Security Investigation (DSI). To truly understand a data breach, you need to follow the trail—tracking files and their activities across every tool and source. The data risk graph does this by automatically combining unified audit logs, Entra audit logs, and threat intelligence, providing an invaluable insight. With the power of the data risk graph, data security teams can pinpoint sensitive data access and movement, map potential exfiltration paths, and visualize the users and activities linked to risky files, all in one view. Getting started Microsoft Defender If you already have the Sentinel data lake, the required graph will be auto provisioned when you login into the Defender portal; hunting graph and incident graph experience will appear in the Defender portal. New to data lake? Use the Sentinel data lake onboarding flow to provision the data lake and graph. Microsoft Purview Follow the Sentinel data lake onboarding flow to provision the data lake and graph. In Purview Insider Risk Management (IRM), follow the instructions here. In Purview Data Security Investigation (DSI), follow the instructions here. Reference links Watch Microsoft Secure Microsoft Secure news blog Data lake blog MCP server blog ISV blog Security Store blog Copilot blog Microsoft Sentinel—AI-Powered Cloud SIEM | Microsoft Security
