security (1470 topics)

Announcing AI Entity Analyzer in Microsoft Sentinel MCP Server - Public Preview
What is the Entity Analyzer?

Assessing the risk of entities is a core task for SOC teams, whether triaging incidents, investigating threats, or automating response workflows. Traditionally, this has required building complex playbooks or custom logic to gather and analyze fragmented security data from multiple sources. With Entity Analyzer, this complexity starts to fade away. The tool leverages your organization's security data in Sentinel to deliver comprehensive, reasoned risk assessments for any entity you encounter, starting with users and URLs.

By providing this unified, out-of-the-box solution for entity analysis, Entity Analyzer also enables the AI agents you build to make smarter decisions and automate more tasks, without the need to manually engineer risk evaluation logic for each entity type. And for those building SOAR workflows, Entity Analyzer is natively integrated with Logic Apps, making it easy to enrich incidents and automate verdicts within your playbooks.

*Entity Analyzer is rolling out in Public Preview to the Sentinel MCP server and within Logic Apps starting today. Learn more here.

Deep Dive: How the User Analyzer is already solving problems for security teams

Problem: Drowning in identity alerts

Security operations centers (SOCs) are inundated with identity-based threats and alert noise. Triaging these alerts requires analyzing numerous data sources (sign-in logs, cloud app events, identity info, behavior analytics, threat intel, and more), all in tandem with each other, to reach a verdict; something that is very challenging to do without a human in the loop today. So we introduced the User Analyzer, a specialized analyzer that unifies, correlates, and analyzes user activity across all these security data sources.
Government of Nunavut: solving identity alert overload with User Analyzer

Here is what Arshad Sheikh, Security Expert at Government of Nunavut, says about how they're using the User Analyzer today:

How it's making a difference

"Before the User Analyzer, when we received identity alerts we had to check a large amount of data related to users' activity (user agents, anomalies, IP reputation, etc.). We had to write queries, wait for them to run, and then manually reason over the results. We attempted to automate some of this, but maintaining and updating that retrieval, parsing, and reasoning automation was difficult and we didn't have the resources to support it. With the User Analyzer, we now have a plug-and-play solution that represents a step toward the AI-driven automation of the future. It gathers all the context, such as what the anomalies are, and presents it to our analysts so they can make quick, confident decisions, eliminating the time previously spent manually gathering this data from portals."

Solving a real problem

"For example, every 24 hours we create a low-severity incident of our users who successfully sign in to our network non-interactively from outside of our geofence. This type of activity is not high enough fidelity to auto-disable, requiring us to manually analyze the flagged users each time. But with User Analyzer, this analysis is performed automatically. The User Analyzer has also significantly reduced the time required to determine whether identity-based incidents like these are false positives or true positives. Instead of spending around 20 minutes investigating each incident, our analysts can now reach a conclusion in about 5 minutes using the automatically generated summary."

Looking ahead

"Looking ahead, we see even more potential. In the future, the User Analyzer could be integrated directly with Microsoft Sentinel playbooks to take automated, definitive action such as blocking user or device access based on the analyzer's results. This would further streamline our incident response and move us closer to fully automated security operations."

Want similar benefits in your SOC? Get started with our Entity Analyzer Logic Apps template here.

User Analyzer architecture: how does it work?

Let's take a look at how the User Analyzer works. The User Analyzer aggregates and correlates signals from multiple data sources to deliver a comprehensive analysis, enabling informed actions based on user activity. The diagram below gives an overview of this architecture.

Step 1: Retrieve data

The analyzer starts by retrieving relevant data from the following sources:

- Sign-in logs (interactive and non-interactive): tracks authentication and login activity.
- Security alerts: alerts from Microsoft Defender solutions.
- Behavior analytics: surfaces behavioral anomalies through advanced analytics.
- Cloud app events: captures activity from Microsoft Defender for Cloud Apps.
- Identity information: enriches user context with identity records.
- Microsoft Threat Intelligence: enriches IP addresses with Microsoft Threat Intelligence.

Step 2: Correlate signals

Signals are correlated using identifiers such as user IDs, IP addresses, and threat intelligence. Rather than treating each alert or behavior in isolation, the User Analyzer fuses signals to build a holistic risk profile.

Step 3: AI-based reasoning

In the User Analyzer, multiple AI-powered agents collaborate to evaluate the evidence and reach consensus. This architecture not only improves accuracy and reduces bias in verdicts, but also provides transparent, justifiable decisions. Leveraging AI within the User Analyzer introduces a new dimension of intelligence to threat detection. Instead of relying on static signatures or rigid regex rules, AI-based reasoning can uncover subtle anomalies that traditional detection methods and automation playbooks often miss.
For example, an attacker might try to evade detection by slightly altering a user-agent string or by targeting and exfiltrating only a few files of specific types. While these changes could bypass conventional pattern matching, an AI-powered analyzer understands the semantic context and behavioral patterns behind these artifacts, allowing it to flag suspicious deviations even when the syntax looks benign.

Step 4: Verdict and analysis

Each user is given a verdict. The analyzer outputs one of the following verdicts based on the analysis:

- Compromised
- Suspicious activity found
- No evidence of compromise

Based on the verdict, a corresponding recommendation is given. This helps teams make an informed decision about whether action should be taken against the user.

*AI-generated content from the User Analyzer may be incorrect; check it for accuracy.

User Analyzer example output

See the following example output from the User Analyzer within an incident comment:

*IP addresses have been redacted for this blog*

[Example output image not reproduced here.] ...ATT&CK techniques, a list of malicious IP addresses the user signed in from (redacted for this blog), and a few suspicious user agents the user's activity originated from.

Conclusion

Entity Analyzer in the Microsoft Sentinel MCP server represents a leap forward in alert triage and analysis. By correlating signals and harnessing AI-based reasoning, it empowers SOC teams to act on investigations with greater speed, precision, and confidence.

Microsoft Defender for IoT new sensor release (22.2.7)
We are happy to announce a new release of the Microsoft Defender for IoT sensor (version 22.2.7).

What's new?

- Improved network device visualization, which now includes multiple interfaces based on network protocols.
- Improved alert timeline indications, which now include detection time and last seen time. A new column named "First Detection time" reflects the first time the alert was detected, giving more context if it was raised more than once.

To download the sensor 22.2.7 software from the Azure portal, see here.

Public Preview | IoT Entity Page in Sentinel
Enhance IoT/OT Threat Monitoring in Your SOC with Sentinel and Defender for IoT

See more in our new blog: IoT Entity Page - Enhance IoT/OT Threat Monitoring in Your SOC With Sentinel and Defender for IoT

Defender for IoT's integration with Microsoft Sentinel now supports an IoT device entity page. When investigating incidents and monitoring IoT security in Microsoft Sentinel, you can now identify your most sensitive devices and jump directly to more details on each device entity page.

The IoT device entity page provides:

- Contextual device information about an IoT device, with basic device details and device owner contact information. Device owners are defined by site in the Sites and sensors page in Defender for IoT.
- Help prioritizing remediation based on device importance and business impact, as per each alert's site, zone, and sensor.

For more information, see Investigation enhancements with IoT device entities.

New Blog Post | Stream Microsoft Defender for IoT alerts to a 3rd party SIEM
Learn how to send Microsoft Defender for IoT alerts to third-party SIEMs such as Splunk and QRadar: Stream Microsoft Defender for IoT alerts to a 3rd party SIEM

Customer engagements have taught us that sometimes customers prefer to maintain their existing SIEM, either alongside Microsoft Sentinel or as a standalone SIEM. In this blog, we'll introduce a solution that sends Microsoft Defender for IoT alerts to an Event Hub that can be consumed by third-party SIEMs. You can use this solution with Splunk, QRadar, or any other SIEM that supports Event Hub ingestion.

Defender for IoT public webinars
These webinars will be held at 08:00-09:00 AM PST. Sign up at the links below!

FEB 23 - Microsoft Defender for IoT | Cloud Capabilities and Security Advantages
In this session we will discuss the benefits of connecting Defender for IoT for OT/ICS environments to the cloud, covering both security and manageability aspects, features, and cross-platform integrations.

MAR 24 - Better Together | Microsoft Sentinel - IT/OT Threat Monitoring with Defender for IoT Solution
In this session we will discuss how Microsoft Sentinel and Microsoft Defender for IoT are driving together a convergence of OT and corporate cybersecurity disciplines in defense of critical infrastructure. This solution provides the foundation for building a SOC geared towards IoT/OT monitoring, and is globally applicable for organizations defending both IT and OT networks.

APR 6 - Microsoft Defender for IoT | How to Discover and Secure IoT Devices in the Enterprise Environment
In this session we will share how Microsoft Defender for IoT leverages multiple data sources (including an agentless solution and Microsoft Defender for Endpoint) to discover and secure IoT devices in enterprise networks. Printers, cameras, VoIP phones and other unmanaged devices pose an increasing risk to enterprises, and the need to identify and protect them has become a cardinal priority for security teams. We will present our integrated solution and how it complements our OT security offering.

Original Post: Defender for IoT public webinars - Microsoft Tech Community

Invitation | Join the Microsoft Defender for IoT community to influence and earn swag!
Defender for IoT customer? Join the Defender for IoT private community!

- Access exclusive Defender for IoT content and best practices
- Be first to try our private previews and influence our features before they become GA
- Earn digital badges based on your level of contribution
- Live events

To join, please fill out the form at https://aka.ms/SecurityPrP and select "ongoing program". An NDA is required.

Cool swag for the first 50 members who sign up! Make sure to fill in your shipping address in the form.

Are you already a member of our cloud security community? https://aka.ms/SecurityCommunity, discussion group on LinkedIn

Sensor Disconnection Notifications with Microsoft Defender for IoT and Microsoft Sentinel 🚀
What Does This Playbook Do?

This new automated playbook sends real-time email notifications whenever a sensor disconnects from the cloud. This ensures you're immediately alerted if there's an issue, allowing you to take quick action to investigate and resolve the problem.

Why It's Important:

- Real-Time Alerts: Get instant notifications when a sensor goes offline.
- Proactive Monitoring: Identify the issue early, reducing downtime and improving response times.
- Seamless Integration: Works effortlessly with Microsoft Defender for IoT and Microsoft Sentinel for a unified security approach.

How to Set It Up:

Setting up this playbook is quick and easy. For step-by-step instructions, check out the detailed setup guide here.

This playbook was created in collaboration with Marian Hristov, a leading partner working with Defender for IoT.

Introducing Single Sign-On (SSO) for Sensor Console: Enhanced Security and Streamlined Access
We are excited to announce that Single Sign-On (SSO) is now available for the sensor console! This new feature streamlines the login process by using Entra ID, enhancing security and convenience for all users.

Public Preview Announcement: OT-Enabled SOC with Microsoft Sentinel and Defender for IoT
We are excited to announce the public preview of our Defender for IoT solution for Microsoft Sentinel. With this solution, Microsoft Sentinel delivers the industry's first native SOC experience for IT and OT environments.