What's new in Microsoft Sentinel (2024)


This article lists recent features added for Microsoft Sentinel, and new features in related services that provide an enhanced user experience in Microsoft Sentinel.

The listed features were released in the last three months. For information about earlier features delivered, see our Tech Community blogs.

Get notified when this page is updated by copying and pasting the following URL into your feed reader: https://aka.ms/sentinel/rss

Note

For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.

September 2024

  • Import/export of automation rules now generally available (GA)
  • Google Cloud Platform data connectors are now generally available (GA)
  • Microsoft Sentinel now generally available (GA) in Azure Israel Central

Import/export of automation rules now generally available (GA)

The ability to export automation rules to Azure Resource Manager (ARM) templates in JSON format, and to import them from ARM templates, is now generally available after a short preview period.

Learn more about exporting and importing automation rules.

Google Cloud Platform data connectors are now generally available (GA)

Microsoft Sentinel's Google Cloud Platform (GCP) data connectors, based on our Codeless Connector Platform (CCP), are now generally available. With these connectors, you can ingest logs from your GCP environment using the GCP Pub/Sub capability.

For more information on these connectors, see Ingest Google Cloud Platform log data into Microsoft Sentinel.

Microsoft Sentinel now generally available (GA) in Azure Israel Central

Microsoft Sentinel is now available in the Israel Central Azure region, with the same feature set as all other Azure Commercial regions.

For more information, see Microsoft Sentinel feature support for Azure commercial/other clouds and Geographical availability and data residency in Microsoft Sentinel.

August 2024

  • Export and import automation rules (Preview)
  • Microsoft Sentinel support in Microsoft Defender multitenant management (Preview)
  • Premium Microsoft Defender Threat Intelligence data connector (Preview)
  • Unified AMA-based connectors for syslog ingestion
  • Better visibility for Windows security events
  • New Auxiliary logs retention plan (Preview)
  • Create summary rules for large sets of data (Preview)

Export and import automation rules (Preview)

Manage your Microsoft Sentinel automation rules as code! You can now export your automation rules to Azure Resource Manager (ARM) template files, and import rules from these files, as part of your program to manage and control your Microsoft Sentinel deployments as code. The export action creates a JSON file in your browser's downloads location, which you can then rename, move, and otherwise handle like any other file.

The exported JSON file is workspace-independent, so it can be imported to other workspaces and even other tenants. As code, it can also be version-controlled, updated, and deployed in a managed CI/CD framework.

The file includes all the parameters defined in the automation rule. Rules of any trigger type can be exported to a JSON file.
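As an added example (not code from this page or from Microsoft), a small Python lint that a CI pipeline could run over an exported automation-rule template before importing it into another workspace or tenant: it confirms each rule resource is parameterized by workspace, lists disabled rules, and flags playbook actions and subscription-scoped resource IDs that are tied to the source environment. The embedded template, its resource type, API version and property names are constructed assumptions about the exported format.

```python
import json
import re

# Constructed sample of an exported automation-rule ARM template (assumed shape, not a
# file from the page): one enabled rule that raises severity and then runs a playbook.
SAMPLE_TEMPLATE = json.dumps({
    "parameters": {"workspace": {"type": "String"}},
    "resources": [{
        "type": "Microsoft.OperationalInsights/workspaces/providers/automationRules",
        "apiVersion": "2023-02-01",
        "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/','<rule-guid>')]",
        "properties": {
            "displayName": "Escalate incidents tagged by IR", "order": 1,
            "triggeringLogic": {"isEnabled": True, "triggersOn": "Incidents", "triggersWhen": "Created"},
            "actions": [
                {"order": 1, "actionType": "ModifyProperties", "actionConfiguration": {"severity": "High"}},
                {"order": 2, "actionType": "RunPlaybook", "actionConfiguration": {"logicAppResourceId":
                 "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/soc-rg"
                 "/providers/Microsoft.Logic/workflows/Notify-SOC"}},
            ],
        },
    }],
})
# A subscription-scoped ARM resource ID is tied to one environment; after import into
# another tenant it only resolves if the same resource exists there.
SUBSCRIPTION_ID_RE = re.compile(r"/subscriptions/[0-9a-f-]{36}\S*", re.IGNORECASE)

def _strings(node):
    """Yield every string value nested anywhere in the parsed template."""
    if isinstance(node, (dict, list)):
        for v in (node.values() if isinstance(node, dict) else node):
            yield from _strings(v)
    elif isinstance(node, str):
        yield node

def lint_template(template_text):
    """Return findings a CI pipeline can gate on before importing the template."""
    tpl = json.loads(template_text)
    rules = [r for r in tpl.get("resources", []) if r.get("type", "").endswith("/automationRules")]
    props = [r["properties"] for r in rules]
    return {
        "rule_names": [p["displayName"] for p in props],
        # Workspace-independence: every rule name must be built from the workspace parameter.
        "workspace_parameterized": bool(rules) and all("parameters('workspace')" in r["name"] for r in rules),
        "disabled_rules": [p["displayName"] for p in props if not p["triggeringLogic"].get("isEnabled")],
        "playbook_actions": [(p["displayName"], a["actionConfiguration"].get("logicAppResourceId"))
                             for p in props for a in p.get("actions", []) if a.get("actionType") == "RunPlaybook"],
        "environment_specific_ids": sorted({m.group(0) for s in _strings(tpl) for m in SUBSCRIPTION_ID_RE.finditer(s)}),
    }
```

A pipeline would fail the import step when `workspace_parameterized` is false, and require a reviewer to confirm each entry in `environment_specific_ids` exists in the target tenant.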

Learn more about exporting and importing automation rules.

Microsoft Sentinel support in Microsoft Defender multitenant management (Preview)

If you've onboarded Microsoft Sentinel to the Microsoft unified security operations platform, Microsoft Sentinel data is now available with Defender XDR data in Microsoft Defender multitenant management. Only one Microsoft Sentinel workspace per tenant is currently supported in the Microsoft unified security operations platform. So, Microsoft Defender multitenant management shows security information and event management (SIEM) data from one Microsoft Sentinel workspace per tenant. For more information, see Microsoft Defender multitenant management and Microsoft Sentinel in the Microsoft Defender portal.

Premium Microsoft Defender Threat Intelligence data connector (Preview)

Your premium license for Microsoft Defender Threat Intelligence (MDTI) now unlocks the ability to ingest all premium indicators directly into your workspace. The premium MDTI data connector adds more to your hunting and research capabilities within Microsoft Sentinel.

For more information, see Understand threat intelligence.

Unified AMA-based connectors for syslog ingestion

With the impending retirement of the Log Analytics Agent, Microsoft Sentinel has consolidated the collection and ingestion of syslog, CEF, and custom-format log messages into three multi-purpose data connectors based on the Azure Monitor Agent (AMA):

  • Syslog via AMA, for any device whose logs are ingested into the Syslog table in Log Analytics.
  • Common Event Format (CEF) via AMA, for any device whose logs are ingested into the CommonSecurityLog table in Log Analytics.
  • New! Custom Logs via AMA (Preview), for any of 15 device types, or any unlisted device, whose logs are ingested into custom tables with names ending in _CL in Log Analytics.

These connectors replace nearly all the existing connectors for individual device and appliance types, which were based on either the legacy Log Analytics agent (also known as MMA or OMS) or the current Azure Monitor Agent. The solutions provided in the content hub for all of these devices and appliances now include whichever of these three connectors is appropriate to the solution.* The replaced connectors are now marked as "Deprecated" in the data connector gallery.

The data ingestion graphs that were previously found in each device's connector page can now be found in device-specific workbooks packaged with each device's solution.

* When installing the solution for any of these applications, devices, or appliances, to ensure that the accompanying data connector is installed, you must select Install with dependencies on the solution page, and then mark the data connector on the following page.

For the updated procedures for installing these solutions, see the following articles:

  • CEF via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion
  • Syslog via AMA data connector - Configure specific appliance or device for Microsoft Sentinel data ingestion
  • Custom Logs via AMA data connector - Configure data ingestion to Microsoft Sentinel from specific applications

Better visibility for Windows security events

We've enhanced the schema of the SecurityEvent table that hosts Windows Security events, and have added new columns to ensure compatibility with the Azure Monitor Agent (AMA) for Windows (version 1.28.2). These enhancements are designed to increase the visibility and transparency of collected Windows events. If you're not interested in receiving data in these fields, you can apply an ingestion-time transformation ("project-away" for example) to drop them.

New Auxiliary logs retention plan (Preview)

The new Auxiliary logs retention plan for Log Analytics tables allows you to ingest large quantities of high-volume logs with supplemental value for security at a much lower cost. Auxiliary logs are available with interactive retention for 30 days, in which you can run simple, single-table queries on them, such as to summarize and aggregate the data. Following that 30-day period, auxiliary log data goes to long-term retention, which you can define for up to 12 years, at ultra-low cost. This plan also allows you to run search jobs on the data in long-term retention, extracting only the records you want to a new table that you can treat like a regular Log Analytics table, with full query capabilities.

To learn more about Auxiliary logs and compare with Analytics logs, see Log retention plans in Microsoft Sentinel.

For more in-depth information about the different log management plans, see Table plans in the Azure Monitor Logs overview article from the Azure Monitor documentation.

Create summary rules in Microsoft Sentinel for large sets of data (Preview)

Microsoft Sentinel now provides the ability to create dynamic summaries using Azure Monitor summary rules, which aggregate large sets of data in the background for a smoother security operations experience across all log tiers.

  • Access summary rule results via Kusto Query Language (KQL) across detection, investigation, hunting, and reporting activities.
  • Run high performance Kusto Query Language (KQL) queries on summarized data.
  • Use summary rule results for longer in investigations, hunting, and compliance activities.

For more information, see Aggregate Microsoft Sentinel data with summary rules.

July 2024

  • SOC optimizations now generally available
  • SAP Business Technology Platform (BTP) connector now generally available
  • Microsoft unified security platform now generally available

SOC optimizations now generally available

The SOC optimization experience in both the Azure and Defender portals is now generally available for all Microsoft Sentinel customers, including both data value and threat-based recommendations.

  • Use data value recommendations to improve your data usage of ingested billable logs, gain visibility to underused logs, and discover the right detections for those logs or the right adjustments to your log tier or ingestion.

  • Use threat-based recommendations to help identify gaps in coverage against specific attacks based on Microsoft research and mitigate them by ingesting the recommended logs and adding recommended detections.

The recommendations API is still in Preview.

For more information, see:

  • Optimize your security operations
  • SOC optimization reference of recommendations

SAP Business Technology Platform (BTP) connector now generally available (GA)

The Microsoft Sentinel Solution for SAP BTP is now generally available (GA). This solution provides visibility into your SAP BTP environment, and helps you detect and respond to threats and suspicious activities.

For more information, see:

  • Microsoft Sentinel Solution for SAP Business Technology Platform (BTP)
  • Deploy the Microsoft Sentinel solution for SAP BTP
  • Microsoft Sentinel Solution for SAP BTP: security content reference

Microsoft unified security platform now generally available

Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. The Microsoft unified security operations platform brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Copilot in Microsoft Defender. For more information, see the following resources:

June 2024

  • Codeless Connector Platform now generally available
  • Advanced threat indicator search capability available

Codeless Connector Platform now generally available

The Codeless Connector Platform (CCP) is now generally available (GA). Check out the announcement blog post.

For more information on the CCP enhancements and capabilities, see Create a codeless connector for Microsoft Sentinel.

Advanced threat indicator search capability available

Threat intelligence search and filtering capabilities have been enhanced, and the experience now has parity across the Microsoft Sentinel and Microsoft Defender portals. Search supports a maximum of 10 conditions with each containing up to 3 subclauses.

For more information, see the updated screenshot in View and manage your threat indicators.

Next steps

On-board Azure Sentinel

Get visibility into alerts
