Announcing AI Entity Analyzer in Microsoft Sentinel MCP Server - Public Preview
What is the Entity Analyzer?

Assessing the risk of entities is a core task for SOC teams - whether triaging incidents, investigating threats, or automating response workflows. Traditionally, this has required building complex playbooks or custom logic to gather and analyze fragmented security data from multiple sources. With Entity Analyzer, this complexity starts to fade away. The tool leverages your organization's security data in Sentinel to deliver comprehensive, reasoned risk assessments for any entity you encounter - starting with users and URLs.

By providing this unified, out-of-the-box solution for entity analysis, Entity Analyzer also enables the AI agents you build to make smarter decisions and automate more tasks - without the need to manually engineer risk evaluation logic for each entity type. And for those building SOAR workflows, Entity Analyzer is natively integrated with Logic Apps, making it easy to enrich incidents and automate verdicts within your playbooks.

*Entity Analyzer is rolling out in Public Preview to the Sentinel MCP server and within Logic Apps starting today. Learn more here.

Deep Dive: How the User Analyzer is already solving problems for security teams

Problem: Drowning in identity alerts

Security operations centers (SOCs) are inundated with identity-based threats and alert noise. Triaging these alerts requires analyzing numerous data sources - sign-in logs, cloud app events, identity info, behavior analytics, threat intel, and more - all in tandem with each other to reach a verdict, something very challenging to do without a human in the loop today. So, we introduced the User Analyzer, a specialized analyzer that unifies, correlates, and analyzes user activity across all these security data sources.
Government of Nunavut: solving identity alert overload with User Analyzer

Hear below from Arshad Sheikh, Security Expert at Government of Nunavut, on how they're using the User Analyzer today:

How it's making a difference

"Before the User Analyzer, when we received identity alerts we had to check a large amount of data related to users' activity (user agents, anomalies, IP reputation, etc.). We had to write queries, wait for them to run, and then manually reason over the results. We attempted to automate some of this, but maintaining and updating that retrieval, parsing, and reasoning automation was difficult and we didn't have the resources to support it. With the User Analyzer, we now have a plug-and-play solution that represents a step toward the AI-driven automation of the future. It gathers all the context, such as what the anomalies are, and presents it to our analysts so they can make quick, confident decisions, eliminating the time previously spent manually gathering this data from portals."

Solving a real problem

"For example, every 24 hours we create a low-severity incident of our users who successfully sign in to our network non-interactively from outside of our geofence. This type of activity is not high enough fidelity to auto-disable, requiring us to manually analyze the flagged users each time. But with User Analyzer, this analysis is performed automatically. The User Analyzer has also significantly reduced the time required to determine whether identity-based incidents like these are false positives or true positives. Instead of spending around 20 minutes investigating each incident, our analysts can now reach a conclusion in about 5 minutes using the automatically generated summary."

Looking ahead

"Looking ahead, we see even more potential. In the future, the User Analyzer could be integrated directly with Microsoft Sentinel playbooks to take automated, definitive action such as blocking user or device access based on the analyzer's results. This would further streamline our incident response and move us closer to fully automated security operations."

Want similar benefits in your SOC? Get started with our Entity Analyzer Logic Apps template here.

User Analyzer architecture: how does it work?

Let's take a look at how the User Analyzer works. The User Analyzer aggregates and correlates signals from multiple data sources to deliver a comprehensive analysis, enabling informed actions based on user activity. The diagram below gives an overview of this architecture:

Step 1: Retrieve Data

The analyzer starts by retrieving relevant data from the following sources:
- Sign-In Logs (Interactive & Non-Interactive): Tracks authentication and login activity.
- Security Alerts: Alerts from Microsoft Defender solutions.
- Behavior Analytics: Surfaces behavioral anomalies through advanced analytics.
- Cloud App Events: Captures activity from Microsoft Defender for Cloud Apps.
- Identity Information: Enriches user context with identity records.
- Microsoft Threat Intelligence: Enriches IP addresses with Microsoft Threat Intelligence.

Step 2: Correlate signals

Signals are correlated using identifiers such as user IDs, IP addresses, and threat intelligence. Rather than treating each alert or behavior in isolation, the User Analyzer fuses signals to build a holistic risk profile.

Step 3: AI-based reasoning

In the User Analyzer, multiple AI-powered agents collaborate to evaluate the evidence and reach consensus. This architecture not only improves accuracy and reduces bias in verdicts, but also provides transparent, justifiable decisions.

Leveraging AI within the User Analyzer introduces a new dimension of intelligence to threat detection. Instead of relying on static signatures or rigid regex rules, AI-based reasoning can uncover subtle anomalies that traditional detection methods and automation playbooks often miss. For example, an attacker might try to evade detection by slightly altering a user-agent string or by targeting and exfiltrating only a few files of specific types. While these changes could bypass conventional pattern matching, an AI-powered analyzer understands the semantic context and behavioral patterns behind these artifacts, allowing it to flag suspicious deviations even when the syntax looks benign.

Step 4: Verdict & analysis

Each user is given a verdict. The analyzer outputs one of the following verdicts based on the analysis:
- Compromised
- Suspicious activity found
- No evidence of compromise

Based on the verdict, a corresponding recommendation is given. This helps teams make an informed decision on whether action should be taken against the user.

*AI-generated content from the User Analyzer may be incorrect - check it for accuracy.

User Analyzer Example Output

See the following example output from the User Analyzer within an incident comment:

*IP addresses have been redacted for this blog*

&CK techniques, a list of malicious IP addresses the user signed in from (redacted for this blog), and a few suspicious user agents the user's activity originated from.

Conclusion

Entity Analyzer in Microsoft Sentinel MCP server represents a leap forward in alert triage & analysis. By correlating signals and harnessing AI-based reasoning, it empowers SOC teams to act on investigations with greater speed, precision, and confidence.

Azure password protection
We have a hybrid Azure infrastructure with an AD Connector installed on-prem and configured for PTA. We installed the password protection server and registered it with the Azure tenant, then deployed the DC agent on all domain controllers. Both the proxy and the agents are operational. We published a few banned words to block in case anyone uses them. For testing, I changed my password to include one of the banned words. To my surprise, I was able to change the password. I checked the corresponding logon server, and the DC event viewer showed that the password was validated, but the banned word was in the password list that Azure was set to enforce. Why is it not blocking the change?

Windows 11 - Can't Change The Order Of Taskbar Icons
The title pretty much explains it all. I recently updated to Windows 11, and as I expected, I regret it, for numerous reasons. My biggest issue currently though is with my taskbar. I do tons of stuff with my PC on various apps, and I like to have those apps organized in a very specific way on my taskbar so they're easy to find. Well, ever since I upgraded, I can't move my taskbar icons. I'm tech savvy, so yeah, I did all the common-sense things. I tried right-clicking an empty space on the taskbar to make sure it's unlocked. The only two items that pop up when I right-click it are "Task Manager" and "Taskbar Settings". So after that, I went into taskbar settings, figuring the lock feature must've been moved into there. I have gone through every single item in my taskbar personalization settings at least eight times now. Opened all the drop-downs, even went to other places in settings to try and find it. There is no "unlock taskbar" option in my taskbar settings either. I scanned everything on the drive with both "DISM.exe /Online /Cleanup-image /Restorehealth" and "sfc /scannow". Neither found any issues. Can someone take a screenshot of where the "lock taskbar" option is supposed to be found in "personalization > taskbar" now? I am curious as to where it's supposed to be, and if anything else is missing too. But most importantly, can someone give me a suggestion to fix it? I hate to do system restores, as any time I did it in the past, it messed up multiple files of mine. Oh, and before you ask, this was an upgrade, not a fresh install. I don't have enough hours in the day as it is for extremely important things, let alone to spend hours and hours completely reinstalling my OS, all apps, configuring it the way I want, etc. It'd easily take me half a day, which I do not have anytime soon. So, any suggestions where I don't have to spend hours and hours or jack up my hard drive to fix this would be greatly appreciated.

Thanks for your time.

I am getting an error about the secure boot
I recently started getting this; should I be worried about this: "Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here." When I check the MSI download page, the latest BIOS version is E17T2IMS.110 and this is the version I currently have installed.

Windows Defender is blocking true performance of my AMD Ryzen 5950x, unacceptable.
I was using PBO Tuner to fine-tune my processor yesterday, and now Windows Defender has blocked it for no reason and it's not letting me restore the file. If anybody can help me with this, I would appreciate it.

Solved: How can I shut down a newly installed Windows 11 without a Microsoft Account?
I bought a used Windows 10 laptop with an enclosure that has an exterior coloured in rose gold. The installation is encrypted with BitLocker. I was not given a BitLocker key. This unit is an HP 15dy0702ds. I removed the SSD, installed a bigger SSD and installed Windows 11. I know a child that likes rose gold. I want to send this computer from Canada to Florida, U.S.A. On a clean installation of Windows 11 is the Microsoft Account sign-in screen as shown. As far as I know it is unavoidable. I prefer to let the child in Florida sign in. My problem is that there does not seem to be a way to shut down Windows 11 at this point. When the unit is sent via courier, I would prefer Windows 11 be completely shut down. When I press the power button, the screen goes black and the power light is blinking. The user guide says the blinking power light indicates the sleep state (a power-saving state). As in the title ... How can I shut down a newly installed Windows 11 without a Microsoft Account? I believe powering the unit off while in UEFI setup would cause a shutdown. Strangely, I cannot get a prompt to access the UEFI setup. My usual means of entering UEFI setup is to power on while repeatedly hitting the ESC key. It does not go to UEFI setup and instead it shows the same Windows screen for the Microsoft Account sign-in. The HP user guide says powering on and hitting F10 is the way to get into UEFI setup, but that does not work either. This unit does not have an easily removable battery.