Edit

Share via


What's new in Microsoft Sentinel

This article lists recent features added for Microsoft Sentinel, and new features in related services that provide an enhanced user experience in Microsoft Sentinel. For new features related to unified security operations in the Defender portal, see the What's new for unified security operations?

The listed features were released in the last six months. For information about earlier features delivered, see our Tech Community blogs.

Note

For information about feature availability in US Government clouds, see the Microsoft Sentinel tables in Cloud feature availability for US Government customers.

October 2025

Export STIX threat intelligence objects (Preview)

Microsoft Sentinel now supports exporting STIX threat intelligence objects to other destinations, such as external platforms. If you've ingested threat intelligence to Microsoft Sentinel from an external platform, such as when using the Threat Intelligence - TAXII data connector, you can now export threat intelligence back to that platform, enabling bi-directional intelligence sharing. This new support provides direct and secure sharing, reducing the need for manual processes or custom playbooks to distribute threat intelligence.

Exporting TI objects is currently supported for TAXII 2.1-based platforms only. You can access the export feature from both the Defender portal and the Azure portal:

For more information, see:

September 2025

Microsoft Sentinel is evolving into a SIEM and platform

Security is being reengineered for the AI era, moving beyond static, rule-based controls and post-breach response toward platform-led, machine-speed defense. To address the challenge of fragmented tools, sprawling signals, and legacy architectures that can't match the velocity and scale of modern attacks, Microsoft Sentinel has evolved into both a SIEM and a platform that unifies data for agentic defense. This update reflects architectural enhancements that support AI-driven security operations at scale. For more information, see What is Microsoft Sentinel?

Key additions include Microsoft Sentinel data lake, Microsoft Sentinel graph, and Microsoft Sentinel Model Context Protocol (MCP) server, as described below.

Microsoft Sentinel data lake is now generally available (GA)

A scalable, cost-efficient foundation for long-term data retention and multi-modal analytics. Microsoft Sentinel data lake enables organizations to unify security data across sources and run advanced analytics without infrastructure overhead.

For more information, see Microsoft Sentinel data lake.

Microsoft Sentinel graph (Preview)

Unified graph analytics for deeper context and threat reasoning. Microsoft Sentinel graph models relationships across users, devices, and activities to support complex threat investigations and pre- and post-breach analysis.

For more information, see What is Microsoft Sentinel graph? (Preview).

Microsoft Sentinel Model Context Protocol (MCP) server (Preview)

A hosted interface for building intelligent agents using natural language. Microsoft Sentinel MCP server simplifies agent creation and data exploration by allowing engineers to query and reason over security data without needing schema knowledge.

For more information, see Model Context Protocol (MCP) overview.

New data sources for enhanced User and Entity Behavior Analytics (UEBA) (Preview)

Microsoft Sentinel's UEBA empowers SOC teams with AI-powered anomaly detection based on behavioral signals in your tenant. It helps prioritize threats using dynamic baselines, peer comparisons, and enriched entity profiles.

UEBA now supports anomaly detection using six new data sources:

  • Microsoft authentication sources:

    These sources provide deeper visibility into identity behavior across your Microsoft environment.

    • Microsoft Defender XDR device logon events: Capture logon activity from endpoints, helping identify lateral movement, unusual access patterns, or compromised devices.
    • Microsoft Entra ID managed identity signin logs: Track sign-ins by managed identities used in automation, such as scripts and services. This is crucial for spotting silent misuse of service identities.
    • Microsoft Entra ID service principal signin logs: Monitor sign-ins by service principals - often used by apps or scripts - to detect anomalies, such as unexpected access or privilege escalation.
  • Third-party cloud and identity management platforms:

    UEBA now integrates with leading cloud and identity management platforms to enhance detection of identity compromise, privilege misuse, and risky access behaviors across multicloud environments.

    • AWS CloudTrail login events: Flag risky login attempts in Amazon Web Services (AWS), such as failed multifactor authentication (MFA) or use of the root account—critical indicators of potential account compromise.
    • GCP audit logs - Failed IAM access events: Capture denied access attempts in Google Cloud Platform, helping identify privilege escalation attempts or misconfigured roles.
    • Okta MFA and authentication security change events: Surface MFA challenges and changes to authentication policies in Okta—signals that might indicate targeted attacks or identity tampering.

These new sources enhance UEBA's ability to detect threats across Microsoft and hybrid environments based on enriched user, device, and service identity data, enhanced behavioral context, and new cross-platform anomaly detection capabilities.

To enable the new data sources, you must be onboarded to the Defender portal.

For more information, see:

August 2025

Edit workbooks directly in the Microsoft Defender portal (Preview)

Now you can create and edit Microsoft Sentinel workbooks directly in the Microsoft Defender portal. This enhancement streamlines your workflow, allows you to manage your workbooks more efficiently, and brings the workbook experience more closely aligned with the experience in the Azure portal.

Microsoft Sentinel workbooks are based on Azure Monitor workbooks, and help you visualize and monitor the data ingested to Microsoft Sentinel. Workbooks add tables and charts with analytics for your logs and queries to the tools already available.

Workbooks are available in the Defender portal under Microsoft Sentinel > Threat management > Workbooks. For more information, see Visualize and monitor your data by using workbooks in Microsoft Sentinel.

July 2025

Microsoft Sentinel data lake

Microsoft Sentinel is now enhanced with a modern data lake, purpose-built to streamline data management, reduce costs, and accelerate AI adoption for security operations teams. The new Microsoft Sentinel data lake offers cost-effective, long-term storage, eliminating the need to choose between affordability and robust security. Security teams gain deeper visibility and faster incident resolution, all within the familiar Microsoft Sentinel experience, enriched through seamless integration with advanced data analytics tools.

Key benefits of the Microsoft Sentinel data lake include: +Single, open-format data copy for efficient and cost-effective storage +Separation of storage and compute for greater flexibility +Support for multiple analytics engines to unlock deeper insights from your security data +Native integration with Microsoft Sentinel, including the ability to select tiering for log data across analytics and lake tiers For more information, see

Explore the data lake using KQL queries, or use the new Microsoft Sentinel data lake notebook for VS Code to visualize and analyze your data.

For more information, see:

Table management and retention settings in the Microsoft Defender portal

Table management and retention settings are now available in the Microsoft Defender portals. You can view and manage table settings in the Microsoft Defender portal, including retention settings for Microsoft Sentinel and Defender XDR tables, and switch between analytics and data lake tiers.

For more information, see:

Microsoft Sentinel data lake permissions integrated with Microsoft Defender XDR unified RBAC

Starting in July 2025, Microsoft Sentinel data lake permissions are provided through Microsoft Defender XDR unified RBAC. Support for unified RBAC is available in addition the support provided by global Microsoft Entra ID roles.

For more information, see:

For new customers only: Automatic onboarding and redirection to the Microsoft Defender portal

For this update, new Microsoft Sentinel customers are customers who are onboarding the first workspace in their tenant to Microsoft Sentinel on or after July 1, 2025.

Starting July 1, 2025, such new customers who have the permissions of a subscription Owner or a User access administrator, and are also not Azure Lighthouse-delegated users, have their workspaces automatically onboarded to the Defender portal together with onboarding to Microsoft Sentinel. Users of such workspaces, who also aren't Azure Lighthouse-delegated users, see links in Microsoft Sentinel in the Azure portal that redirect them to the Defender portal. Such users use Microsoft Sentinel in the Defender portal only.

Screenshot of redirect links in the Azure portal to the Defender portal.

New customers who don't have relevant permissions aren't automatically onboarded to the Defender portal, but they do still see redirection links in the Azure portal, together with prompts to have a user with relevant permissions manually onboard the workspace to the Defender portal.

This change streamlines the onboarding process and ensures that new customers can immediately take advantage of unified security operations capabilities without the extra step of manually onboarding their workspaces.

For more information, see:

No limit on the number of workspaces you can onboard to the Defender portal

There is no longer any limit to the number of workspaces you can onboard to the Defender portal.

Limitations still apply to the number of workspaces you can include in a Log Analytics query, and in the number of workspaces you can or should include in a scheduled analytics rule.

For more information, see:

Microsoft Sentinel in the Azure portal to be retired July 2026

Microsoft Sentinel is generally available in the Microsoft Defender portal, including for customers without Microsoft Defender XDR or an E5 license. This means that you can use Microsoft Sentinel in the Defender portal even if you aren't using other Microsoft Defender services.

Starting in July 2026, Microsoft Sentinel will be supported in the Defender portal only, and any remaining customers using the Azure portal will be automatically redirected.

If you're currently using Microsoft Sentinel in the Azure portal, we recommend that you start planning your transition to the Defender portal now to ensure a smooth transition and take full advantage of the unified security operations experience offered by Microsoft Defender.

For more information, see:

June 2025

Codeless Connector Platform (CCP) renamed to Codeless Connector Framework (CCF)

The Microsoft Sentinel Codeless Connector Platform (CCP) has been renamed to Codeless Connector Framework (CCF). The new name reflects the platform's evolution and avoids confusion with other platform-oriented services, while still providing the same ease of use and flexibility that users have come to expect.

For more information, see Create a codeless connector for Microsoft Sentinel.

Consolidated Microsoft Sentinel data connector reference

We've consolidated the connector reference documentation, merging the separate connector articles into a single, comprehensive reference table.

You can find the new connector reference at Microsoft Sentinel data connectors. For more information, see Create a codeless connector and Unlock the potential of Microsoft Sentinel's Codeless Connector Framework and do more with Microsoft Sentinel faster.

Summary rule templates now in public preview

You can now use summary rule templates to deploy pre-built summary rules tailored to common security scenarios. These templates help you aggregate and analyze large datasets efficiently, don't require deep expertise, reduce setup time, and ensure best practices. For more information, see Aggregate Microsoft Sentinel data with summary rules (Preview).

May 2025

All Microsoft Sentinel use cases generally available in the Defender portal

All Microsoft Sentinel use cases that are in general availability, including multitenant and multi-workspace capabilities and support for all government and commercial clouds, are now also supported for general availability in the Defender portal.

We recommend that you onboard your workspaces to the Defender portal to take advantage of unified security operations. For more information, see:

For more information, see:

Unified IdentityInfo table

Customers of Microsoft Sentinel in the Defender portal who have enabled UEBA can now take advantage of a new version of the IdentityInfo table, located in the Defender portal's Advanced hunting section, that includes the largest possible set of fields common to both the Defender and Azure portals. This unified table helps enrich your security investigations across the entire Defender portal.

For more information, see IdentityInfo table.

Additions to SOC optimization support (Preview)

SOC optimization support for:

  • AI MITRE ATT&CK tagging recommendations (Preview): Uses artificial intelligence to suggest tagging security detections with MITRE ATT&CK tactics and techniques.
  • Risk-based recommendations (Preview): Recommends implementing controls to address coverage gaps linked to use cases that may result in business risks or financial losses, including operational, financial, reputational, compliance, and legal risks.

For more information, see SOC optimization reference.

April 2025

Microsoft Sentinel solution for Microsoft Business Apps generally available in the Azure portal

The Microsoft Sentinel solution for Microsoft Business Apps is now generally available in the Azure portal.

Security Copilot generates incident summaries in Microsoft Sentinel in the Azure portal (Preview)

Microsoft Sentinel in the Azure portal now features (in Preview) incident summaries generated by Security Copilot, bringing it in line with the Defender portal. These summaries give your security analysts the up-front information they need to quickly understand, triage, and start investigating developing incidents.

For more information, see Summarize Microsoft Sentinel incidents with Security Copilot.

Multi workspace and multitenant support for Microsoft Sentinel in the Defender portal (Preview)

For preview, in the Defender portal, connect to one primary workspace and multiple secondary workspaces for Microsoft Sentinel. If you onboard Microsoft Sentinel with Defender XDR, a primary workspace's alerts are correlated with Defender XDR data. So incidents include alerts from Microsoft Sentinel's primary workspace and Defender XDR. All other onboarded workspaces are considered secondary workspaces. Incidents are created based on the workspace's data and won't include Defender XDR data.

  • If you plan to use Microsoft Sentinel in the Defender portal without Defender XDR, you can manage multiple workspaces. But, the primary workspace doesn't include Defender XDR data and you won't have access to Defender XDR capabilities.
  • If you're working with multiple tenants and multiple workspaces per tenant, you can also use Microsoft Defender multitenant management to view incidents and alerts, and to hunt for data in Advanced hunting, across both multiple workspaces and tenants.

For more information, see the following articles:

Microsoft Sentinel now ingests all STIX objects and indicators into new threat intelligence tables (Preview)

Microsoft Sentinel now ingests STIX objects and indicators into the new threat intelligence tables, ThreatIntelIndicators and ThreatIntelObjects. The new tables support the new STIX 2.1 schema, which lets you ingest and query various threat intelligence objects, including identity, attack-pattern, threat-actor, and relationship.

Microsoft Sentinel will ingest all threat intelligence into the new ThreatIntelIndicators and ThreatIntelObjects tables, while continuing to ingest the same data into the legacy ThreatIntelligenceIndicator table until July 31, 2025.

Be sure to update your custom queries, analytics and detection rules, workbooks, and automation to use the new tables by July 31, 2025. After this date, Microsoft Sentinel will stop ingesting data to the legacy ThreatIntelligenceIndicator table. We're updating all out-of-the-box threat intelligence solutions in Content hub to leverage the new tables.

For more information, see the following articles:

SOC optimization support for unused columns (Preview)

To optimize your cost/security value ratio, SOC optimization surfaces hardly used data connectors or tables. SOC optimization now surfaces unused columns in your tables. For more information, see SOC optimization reference of recommendations.

March 2025

Agentless connection to SAP now in public preview

The Microsoft Sentinel agentless data connector for SAP and related security content is now included, as public preview, in the solution for SAP applications. This update also includes the following enhancements for the agentless data connector:

For more information, see:

January 2025

Optimize threat intelligence feeds with ingestion rules

Optimize threat intelligence feeds by filtering and enhancing objects before they're delivered to your workspace. Ingestion rules update threat intel object attributes, or filter objects out all together. Check out the blog announcement here!

For more information, see Understand threat intelligence ingestion rules.

Matching analytics rule now generally available (GA)

Microsoft provides access to its premium threat intelligence through the Defender Threat Intelligence analytics rule which is now generally available (GA). For more information on how to take advantage of this rule, which generates high-fidelity alerts and incidents, see Use matching analytics to detect threats.

Threat intelligence management interface has moved

Threat intelligence for Microsoft Sentinel in the Defender portal has changed! We've renamed the page Intel management and moved it with other threat intelligence workflows. There's no change for customers using Microsoft Sentinel in the Azure experience.

Screenshot showing new menu placement for Microsoft Sentinel threat intelligence.

Enhancements to threat intelligence capabilities are available for customers using both Microsoft Sentinel experiences. The management interface streamlines the creation and curation of threat intel with these key features:

  • Define relationships as you create new STIX objects.
  • Curate existing threat intelligence with the new relationship builder.
  • Create multiple objects quickly by copying common metadata from a new or existing TI object using a duplication feature.
  • Use advanced search to sort and filter your threat intelligence objects without even writing a Log Analytics query.

For more information, see the following articles:

Unlock advanced hunting with new STIX objects by opting in to new threat intelligence tables

Tables supporting the new STIX object schema aren't available publicly. In order to query threat intelligence for STIX objects with KQL and unlock the hunting model that uses them, request to opt in with this form. Ingest your threat intelligence into the new tables, ThreatIntelIndicators and ThreatIntelObjects alongside with or instead of the current table, ThreatIntelligenceIndicator, with this opt-in process.

For more information, see the blog announcement New STIX objects in Microsoft Sentinel.

Threat intelligence upload API now supports more STIX objects

Make the most of your threat intelligence platforms when you connect them to Microsoft Sentinel with the upload API. Now you can ingest more objects than just indicators, reflecting the varied threat intelligence available. The upload API supports the following STIX objects:

  • indicator
  • attack-pattern
  • identity
  • threat-actor
  • relationship

For more information, see the following articles:

Microsoft Defender Threat Intelligence data connectors now generally available (GA)

Both premium and standard Microsoft Defender Threat Intelligence data connectors are now generally available (GA) in content hub. For more information, see the following articles:

Bicep file support for repositories (Preview)

Use Bicep files alongside or as a replacement of ARM JSON templates in Microsoft Sentinel repositories. Bicep provides an intuitive way to create templates of Azure resources and Microsoft Sentinel content items. Not only is it easier to develop new content items, Bicep makes reviewing and updating content easier for anyone that's a part of the continuous integration and delivery of your Microsoft Sentinel content.

For more information, see Plan your repository content.

SOC optimization updates for unified coverage management

In workspaces onboarded to the Defender portal, SOC optimizations now support both SIEM and XDR data, with detection coverage from across Microsoft Defender services.

In the Defender portal, the SOC optimizations and MITRE ATT&CK pages also now provide extra functionality for threat-based coverage optimizations to help you understand the impact of the recommendations on your environment and help you prioritize which to implement first.

Enhancements include:

Area Details
SOC optimizations Overview page - A High, Medium, or Low score for your current detection coverage. This sort of scoring can help you decide which recommendations to prioritize at a glance.

- An indication of the number of active Microsoft Defender products (services) out of all available products. This helps you understand whether there's a whole product that you're missing in your environment.
Optimization details side pane,
shown when you drill down to a specific optimization
- Detailed coverage analysis, including the number of user-defined detections, response actions, and products you have active.

- Detailed spider charts that show your coverage across different threat categories, for both user-defined and out-of-the-box detections.

- An option to jump to the specific threat scenario in the MITRE ATT&CK page instead of viewing MITRE ATT&CK coverage only in the side pane.

- An option to View full threat scenario to drill down to even further details about the security products and detections available to provide security coverage in your environment.
MITRE ATT&CK page - A new toggle to view coverage by threat scenario. If you've jumped to the MITRE ATT&CK page from either a recommendation details side pane or from the View full threat scenario page, the MITRE ATT&CK page is pre-filtered for your threat scenario.

- The technique details pane, shown on the side when you select a specific MITRE ATT&CK technique, now shows the number of active detections out of all available detections for that technique.

For more information, see Optimize your security operations and Understand security coverage by the MITRE ATT&CK framework.

View granular solution content in the Microsoft Sentinel content hub

Now you can view the individual content available in a specific solution directly from the Content hub, even before you've installed the solution. This new visibility helps you understand the content available to you, and more easily identify, plan, and install the specific solutions you need.

Expand each solution in the Content hub to view included security content. For example:

Screenshot of showing granular content.

The granular solution content updates also include a generative AI-based search engine that helps you run more robust searches, diving deep into the solution content and returning results for similar terms.

For more information, see Discover content.

Next steps