Automated Analytics Rule Tuning
02/11/2021
Fine-tuning threat detection rules in your SIEM can be a difficult, delicate, and continuous process of balancing between maximizing your threat detection coverage and minimizing false positive rates. Microsoft Sentinel simplifies and streamlines this process by using machine learning to analyze billions of signals from your data sources as well as your responses to incidents over time.
https://aka.ms/DetectionTuning
Near Real Time (NRT) Detections for Microsoft Sentinel Analytics
Microsoft Sentinel now offers a new type of analytics rule that takes advantage of Near Real-Time (NRT) processing. NRT rules are hard coded to run once every minute, to be able to supply you with information as up-to-the-minute as possible. NRT rules have many of the same features and capabilities as scheduled analytics rules. You can group events into alerts or issue an alert for each event; you can map entities and surface custom details, and you can configure dynamic content for alert details.
https://aka.ms/NRT_documentation
Bookmark Enhanced Entity Mapping for Hunting
Enables threat hunters to extract the same types of entities and identifiers from hunting query results in Log Analytics as from Microsoft Sentinel analytics queries.
https://aka.ms/CustomizeHunting
Repositories
This Microsoft Sentinel-as-Code experience simplifies the process of managing content for one or more workspaces deployed from one or more content repositories. This allows customers to automate the otherwise manual process of deploying content and to manage it from a central repository instead of manually updating the content in each Microsoft Sentinel workspace.
Windows Event Forwarding
You can stream all Windows Event Forwarding (WEF) logs from the Windows Servers connected to your Microsoft Sentinel workspace using the Azure Monitor Agent (AMA). This connection enables you to view dashboards, create custom alerts, and improve investigation. It gives you more insight into your organization’s network and improves your security operations capabilities.
Enrich Threat Intelligence with GeoIP/WhoIs data
Microsoft enriches each indicator with extra GeoLocation and WhoIs data, providing more context for investigations where the selected indicator of compromise (IOC) is found.
Playbook Templates Gallery
From the Microsoft Sentinel navigation menu, select Automation and then the Playbooks templates tab. The playbook templates displayed here demonstrate leading automation scenarios that SOCs tend to use or get ideas from. Most of these playbooks were contributed by the Microsoft Sentinel community, and were originally located in Microsoft Sentinel GitHub repository. Some of these have been integrated into Microsoft Sentinel Solutions.
Fusion for emerging threats with configuration UI
Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks (also known as advanced persistent threats or APT) by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Microsoft Sentinel generates incidents that would otherwise be difficult to catch. These incidents comprise two or more alerts or activities. By design, these incidents are low-volume, high-fidelity, and high-severity.
https://aka.ms/FusionIgnite2021
General availability (GA) of Microsoft Sentinel Threat Intelligence
Announcing the general availability (GA) of Microsoft Sentinel Threat Intelligence in the public cloud.
Watchlists templates
Microsoft Sentinel now provides built-in watchlist templates, which you can customize for your environment and use during investigations. After those watchlists are populated with data, you can correlate that data with analytics rules, view it in the entity pages and investigation graphs as insights, create custom uses such as to track VIP or sensitive users, and more.
Incident advanced search
By default, incident searches run across the Incident ID, Title, Tags, Owner, and Product name values only. Now, with the new Advanced search pane, you can scroll down the list to select one or more other parameters to search on.
Fusion Detection for Ransomware
Fusion detection for ransomware is now publicly available. These Fusion detections correlate alerts that are potentially associated with ransomware activities that are observed at defense evasion and execution stages during a specific timeframe. Once such ransomware activities are detected by the Fusion machine learning model, a high severity incident titled ‘Multiple alerts possibly related to Ransomware activity detected’ will be triggered in your workspace.
Microsoft Threat Intelligence Matching Analytics
We have now launched a new analytic rule called Microsoft Threat Intelligence Matching analytics that matches Microsoft generated threat intelligence data with your logs and generates high fidelity alerts/incidents with appropriate severity based on the context of the log. Once a match is generated, the indicator is published to your threat intelligence repository in Microsoft Sentinel.
Microsoft Sentinel Hunting supports ADX cross-resource queries
Now in preview, you can use Azure Data Explorer (ADX) cross-resource queries from within the hunting query page, the livestream page, and the logs (Log Analytics) page. Although Log Analytics remains the primary data storage location for performing analysis with Microsoft Sentinel, there are cases where ADX is required to store data due to cost, retention periods, or other factors.
IP Entity Page
Now in preview, the IP entity page is the latest addition to Microsoft Sentinel’s User and Entity Behavior Analytics capabilities. Like the host and account pages, the IP page helps analysts quickly triage and investigate security incidents.
https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-ip-entity-page/ba-p/2336326
Hunting dashboard refresh
Now in preview, we refreshed the hunting query experience to help you find undetected threats in your environment more quickly. We also provide new ways to identify which hunting results are most relevant to your environment and your desired attack scenarios.
Windows Security Events connector
There are now two versions of this connector: Security events is the legacy version, based on the Log Analytics Agent (sometimes known as the MMA or OMS agent), and Windows Security Events is the new version, currently in preview and based on the new Azure Monitor Agent (AMA).
Microsoft Sentinel PowerShell Module has been released
The official Microsoft Sentinel PowerShell module for automating daily operational tasks is now generally available (GA) and can be downloaded from here: https://www.powershellgallery.com/packages/Az.SecurityInsights/1.0.0
Microsoft Sentinel Solution for SAP
The Microsoft Sentinel SAP data connector enables you to monitor SAP systems for sophisticated threats within the business and application layers. The SAP data connector streams 14 application logs from the entire SAP system landscape, collecting logs from Advanced Business Application Programming (ABAP) via NetWeaver RFC calls and file storage data via the OSSAP Control interface. The SAP data connector adds to Microsoft Sentinel’s ability to monitor the underlying SAP infrastructure.
Customizable ML Anomalies
Now in public preview, Microsoft Sentinel customizable machine learning-based anomalies identify unusual behavior in your Sentinel workspace data. These anomalies are enabled by default, but they do not trigger alerts or incidents. They are stored in the “Anomalies” table on the “Logs” blade, and standard data rates apply. You can disable them globally on the “Settings” blade or on a per-anomaly basis. Security analysts can use anomalies to reduce investigation and hunting time as well as to improve detections. They can tune the anomalies as necessary without any knowledge of machine learning.
Teams Collaboration
Microsoft Sentinel’s Microsoft Teams collaboration allows SOC teams to seamlessly work together on security incidents with colleagues and external stakeholders and uses a highly-integrated workflow on top of Microsoft Teams and Microsoft Sentinel.
Fusion Advanced Multistage Attack Detection Scenarios with Scheduled Analytics Rules
Microsoft Sentinel uses machine learning technology, Fusion, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. There are currently 90 multistage attack scenarios detected by Microsoft Sentinel through Fusion, 35 of which are generally available. To help you discover threats and anomalous behaviors that are more tailored to your environment, we are now releasing in public preview multistage attack scenarios that use a set of scheduled analytics rules.
Incident Timeline
Now in public preview, we are redesigning the Microsoft Sentinel full incident page to display the alerts and bookmarks that are part of the incident in chronological order. As more alerts are added to the incident, and as more bookmarks are added by analysts, the timeline will update to reflect the information known about the incident. For each alert and bookmark, a side panel will display details such as the entities involved, the status, the MITRE tactics used, custom details defined, and many other details.
https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-incident-timeline/ba-p/2267683
Automation Rules
Automation rules are a new concept in Microsoft Sentinel. This feature allows users to centrally manage the automation of incident handling.
Incidents Filters and Sort Preferences Saving
We are glad to share that incident filters and sort preferences will now be saved at the session level. The new experience allows users to keep the incident filters and sort order they have set, even while navigating to other areas of the product. The preferences are saved automatically and “behind the scenes”, and will immediately show up when navigating back to the Incidents blade. The preferences will not be saved once you leave Microsoft Sentinel or refresh the browser.
Microsoft Sentinel CMMC Workbook
This workbook helps you gain better visibility into your cloud architecture from a security perspective while reinforcing CMMC principles for building cybersecurity critical-thinking skills. The workbook consolidates multiple log sources from your Azure environment.
Dynamics 365 CDS Activities Connector
20/01/2021
The Dynamics 365 Common Data Service (CDS) activities connector provides insight into admin, user, and support activities, as well as Microsoft Social Engagement logging events.
Data Connectors Health Monitoring Workbook
20/01/2021
The Data connectors health monitoring workbook allows you to keep track of your data connectors’ health, connectivity, and performance, from within Microsoft Sentinel. The workbook provides additional monitors, detects anomalies, and gives insight regarding the workspace’s data ingestion status.
SolarWinds Post-Compromise Hunting with Microsoft Sentinel
04/01/2021
Microsoft has released a number of new hunting and detection queries for Microsoft Sentinel based on additional observations as well as research released by partners and the wider community. In addition, the SolarWinds post-compromise hunting workbook has been updated to include a number of new sections.
20 New Fusion Detections are now public
04/01/2021
There are now 20 new Fusion detections that trigger high-severity incidents in the following threat categories: malicious execution with a legitimate process, crypto-mining, credential harvesting, and suspected credential theft activity following a suspicious sign-in. You can find the detailed description of all Fusion detections at the link below.
https://docs.microsoft.com/azure/sentinel/fusion?WT.mc_id=Portal-Microsoft_Azure_Security_Insights
3rd Party Data Connector Acceleration
Microsoft is accelerating its delivery of 3rd party data connectors, with the goal of adding 100 new connectors by July 2021. For a full list and status, click the link below.
Become a Microsoft Sentinel Ninja: The Complete 400-Level Training
In this blog post, we walk you through the Microsoft Sentinel level 400 training and help you become a Microsoft Sentinel master.