Modernize security operations to secure agentic AI—Microsoft Sentinel at Ignite 2025
Security is a core focus at Microsoft Ignite this year, with the Security Forum on November 17, deep dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners. Join us in San Francisco, November 17–21, or online, November 18–20, to learn what’s new and what’s next across SecOps, data, cloud, and AI—and how to get more from the Microsoft capabilities you already use. This year, Microsoft Sentinel takes center stage with sessions and labs designed to help you unify data, automate response, and leverage AI-powered insights for faster, more effective threat detection. Featured sessions: BRK235: Power agentic defense with Microsoft Sentinel Explore Microsoft Sentinel’s platform architecture, graph intelligence, and agentic workflows to automate, investigate, and respond with speed and precision. BRK246: Blueprint for building the SOC of the future Learn how to architect a modern SOC that anticipates and prevents threats using predictive shielding, agentic AI, and graph-powered reasoning. LAB543: Perform threat hunting in Microsoft Sentinel Dive deep into advanced threat hunting, KQL queries, and proactive investigation workflows to sharpen your security operations. Explore and filter the full security catalog by topic, format, and role: aka.ms/Ignite/SecuritySessions. Why attend: Ignite is your opportunity to see the latest innovations in Microsoft Sentinel, connect with experts, and gain hands-on experience. Sessions will also touch on future directions for agentic AI and unified SOC operations, as outlined in Microsoft’s broader security roadmap. Security Forum (November 17): Kick off with an immersive, in‑person pre‑day focused on strategic security discussions and real‑world guidance from Microsoft leaders and industry experts. Select Security Forum during registration. Connect with peers and security leaders through these signature security experiences: Security Leaders Dinner—CISOs and VPs connect with Microsoft leaders. CISO Roundtable—Gain practical insights on secure AI adoption. Secure the Night Party—Network in a relaxed, fun setting. Register for Microsoft Ignite >
Unified SecOps XDR
Hi, I am reaching out to community to seek understanding regarding Unified SecOps XDR portal for Multi-tenant Multi-workspace. Our organization already has a Azure lighthouse setup. My question is if M365 lighthouse license also required for the Multi-tenant Multi-workspace in unified SecOps XDR portal?
GITHUB - AI Sentinel attack simulation
The recent support for Model Context Protocol (MCP) with Claude Desktop has opened the door for some really useful testing capability with Sentinel and emerging threats. I'm happy to share with the community a GitHub project that demonstrates the use of MCP against current exploits to generate simulated attack data that can be used with testing migrated ASIM alert rules. MCP allows for up-to-date exploits to be queried... ... and with AI prompting, simulated attack events can be created against our Sentinel test environments. Which results in a simulated attack based on the exploit being referenced. This is really useful for testing the migration of our Sentinel alert rules to ASIM! The full code and details about the project are available here: https://laurierhodes.info/node/175
Unified Security Operation Sentinel Vs Defender Tables
I have a question regarding the Unified SOC portal. In the session below, they highlighted one advantage: the ability to use Defender and Sentinel Tables together. However, both the SignInLogs and DeviceLogonEvents tables are already accessible in Sentinel through the Defender connector. Am I missing something, or did they use an incorrect example to demonstrate an advantage that Sentinel already provides? https://www.youtube.com/live/ndAKk8l5VMo?si=ZvUh21DaknXRYgXr&t=1223
Unified Sentinel and playbooks
Hi all It's been a few weeks now since the unified Sentinel experience dropper publicly and I've been running that since then. It was alot of bells, whistles and hype build since the Ignite event but I feel like...meh, now what. What happened to playbooks? What happened to all the automations we had that enriched events into the the audit logs in Sentinel for correlation? These are either gone or not working as intended anymore. Before the "unification" we had an incident come in from our firewalls with a blocked URL which was enriched from externa threat intelligence sources and could be closed within minutes by an operator after scrolling the audit log. Now it seems the idea is for the operator to click around in the Defender portal and view the different pages for similar information, not to mentioning the seemingly nesessity for the Microsoft Intelligence platform, before the operator can determine the posture of an incident. It feels like we took a step back. Peace /FredrikWhat's New: Tags column is now available in Azure Sentinel incidents page!
Hello everyone, We are happy to share with you a small but important improvement we added to our incidents blade – a new tag column is now available as part of the Incidents list! Tags are an integral part of the triaging process so we are now exposing them in a new column of the incident list. This improvement allows users to get informed about the tags that are related to the incidents without having to pivot to the incident preview page or full details. Every second counts, right?Announcing General Availability of PIM Enabled Azure Lighthouse Delegations
I am excited to share today’s general availability announcement of PIM Enabled Azure Lighthouse Delegations. With Azure Lighthouse, service providers can deliver managed services using comprehensive and robust tooling built into the Azure platform. The addition of PIM enabled delegations takes Azure Lighthouse’s granular access to the next level, by assigning service providers the exact level of access needed, per resource, for the exact amount of time needed to complete a task. This has been a top ask from customers, and we’re thrilled to deliver this powerful capability to our customers! Learn more in the announcement here: Azure Lighthouse PIM Enabled Delegations - Microsoft Community Hub.
Microsoft sentinel custom parsers
Dear All, There are charges as per the Microsoft website for creating custom coloumns during parsing. Please let me know the following:- What is the charge exactly? How much i will charge if i do parsing and create a single custom coloumns? What is i do the parsing and use the already existing coloumns for example "Account", is there any charges for it? Kindly share any supporting documents or links from Microsoft for support. Regards Sammy. https://techcommunity.microsoft.com/t5/microsoft-sentinel/latest-costing-billing-changes/m-p/3679568Pre-rqieist for Defender for endpoint and MMA agent installation
Dear All, We need to install the Defender for endpoint agent and the latest MMA agent(Sentienl) in our environment. Kindly let me know the minimum permissons required for the service account for both:- 1) Domain joined machine? 2) Non-domain joined machine? (what min. role required for service account? is it local admin? or any other min. role possible)
