Microsoft Sentinel documentation

Microsoft Sentinel provides attack detection, threat visibility, proactive hunting, and threat response to help you stop threats before they cause harm.

• Microsoft Sentinel Documentation
• Overview
  • What is Microsoft Sentinel?
  • What's new
  • Best practices
  • Experience in Defender portal
• Plan
  • Deployment planning guide
  • Prerequisites
  • Workspace architecture
    • Design workspace architecture
    • Review sample workspace designs
    • Prepare for multiple workspaces
  • Prioritize data connectors
  • Plan roles and permissions
  • Plan interactive and long-term data retention
  • Plan costs
  • Availability and support
    • Geographical availability and data residency
    • Support for data types in different clouds
    • Feature support in different clouds
    • Regional availability
    • Business continuity and disaster recovery
    • Security baseline
• Deploy
  • Enable Microsoft Sentinel and initial features and content
  • Onboard to Microsoft Sentinel
  • Connect Microsoft Sentinel to the Defender portal
  • Configure content
  • Set up multiple workspaces
  • Enable User and Entity Behavior Analytics UEBA
  • Configure interactive and long-term data retention
  • Deploy side-by-side
• Migrate
  • Transition your environment to the Defender portal
  • Migrate to Microsoft Sentinel
    • Plan and design your migration
      • Plan your migration
      • Use the SIEM migration experience
      • Track migration with a workbook
    • Migrate from ArcSight
      • Migrate detection rules
      • Migrate SOAR automation
      • Export historical data
    • Migrate from Splunk
      • Migrate detection rules
      • Migrate SOAR automation
      • Export historical data
    • Migrate from QRadar
      • Migrate detection rules
      • Migrate SOAR automation
      • Export historical data
    • Ingest historical data
      • Select target platform
      • Select data ingestion tool
      • Ingest data
    • Convert dashboards to workbooks
    • Update SOC processes
• Manage solutions and content
  • Overview
  • Deploy out-of-the-box content
  • Delete out-of-the-box content
  • Manage solution deprecation lifecycle
  • Solution catalog
    • All solutions
    • ASIM-based domain solutions
    • Monitor Zero Trust
  • Manage content as code using repositories
    • Overview
    • Deploy content as code from your repository
    • Customize repository deployments
  • Protect business applications
    • Integrate SAP systems
      • SAP applications
        • Overview
        • Deploy the SAP integration
          • Deployment overview
          • Deployment prerequisites
          • Install the solution for SAP applications
          • Prepare your SAP environment
          • Connect your SAP system
          • Troubleshoot SAP data connector
          • Extra deployment steps
            • Collect SAP HANA audit logs
            • Update the data connector agent
            • Deploy the agent from the command line
            • Deploy the agent with expert options
          • SAP deployment reference advanced
            • Required ABAP permissions
            • Data connector agent kickstart script reference
            • Data connector agent update script reference
            • Data connector agent systemconfig.json file reference
            • Data connector agent systemconfig.ini file reference legacy
        • Enable SAP detections and threat protection
        • Integrate SAP across multiple workspaces
        • Monitor SAP systems
          • Monitor SAP system health and role
          • Monitor SAP audit logs
          • Monitor SAP audit controls
        • SAP solution content reference
          • SAP security content reference
          • Monitored SAP security parameters
          • SAP solution function reference
          • SAP solution log and table reference
        • Stop SAP data collection
      • SAP BTP
        • Overview
        • Security content reference
        • Deploy SAP BTP
    • Integrate Microsoft business applications
      • Overview
      • Deploy for Power Platform and Microsoft Dynamics 365 Customer Engagement
      • Power Platform and Microsoft Dynamics 365 Customer Engagement security content reference
      • Deploy for Dynamics 365 Finance and Operations
      • Dynamics 365 Finance and Operations security content reference
  • Integrate Microsoft Defender for IoT
    • Connect Defender for IoT data with Microsoft Sentinel
    • Investigate Defender for IoT incidents with Microsoft Sentinel
  • Integrate Microsoft Defender XDR
  • Integrate Microsoft Defender for Cloud
• Collect data
  • Overview
  • Best practices
  • Tutorial - Forward syslog data to workspace
  • Connect data sources
  • Ingestion-time data transformation
  • AMA migration for Microsoft Sentinel
  • Ingest data to an auxiliary logs table
  • Find data connector
  • Connection instructions by type
    • General instructions for Microsoft connectors
      • Connect Microsoft Sentinel to Microsoft connectors
      • Connect via API-based connectors
      • Connect via diagnostic settings-based connectors
      • Connect via Windows agent-based connectors
    • Azure Functions API connection
    • CEF/Syslog
      • Overview
      • CEF and Syslog via AMA
      • CEF - configure security device
      • Syslog - configure security device
    • Custom log sources text files
      • Collect logs from text files via AMA
      • Custom logs - configure security device
    • DNS via AMA
    • Logstash plugin with Data Collection Rules
  • Connection instructions for service
    • Amazon Web Services
      • Connect Microsoft Sentinel to AWS
      • AWS service logs
      • AWS S3 WAF logs
    • Cisco FTD firewall
    • Google Cloud Platform connectors
    • Microsoft Entra
    • Azure Stack VMs
    • Azure Virtual Desktop
    • Microsoft Defender for Cloud
    • Microsoft Defender XDR
    • Integrate Microsoft Purview
    • Purview Information Protection data
    • Windows security events
  • Configure ingestion-time transformation
  • Configure RDP login detection
  • Create a custom connector
  • Normalize data
    • ASIM overview
    • ASIM schemas
    • ASIM parsers
    • Ingest-time normalization
    • Use ASIM
    • Manage ASIM parsers
    • Modify content to use ASIM
  • Aggregate data
    • Aggregate data with summary rules
    • Aggregate insights from raw data into an Auxiliary table
• Integrate threat intelligence
  • Overview
  • Threat intelligence integrations
  • Enable MDTI data connector
  • Connect threat intelligence with upload API
  • Connect threat intelligence platforms
  • Connect to STIX/TAXII feeds
  • Add threat intelligence in bulk by file
  • Work with threat intelligence
  • Add entity to threat indicators
  • Use threat indicators in analytics rules
  • Use matching analytics to detect threats
  • Work with STIX objects and indicators
• Detect threats and analyze data
  • Monitor and visualize data
    • View collected data on the Overview dashboard
    • View customized views with workbooks
    • Create a Power BI report
  • Threat detection analytics rules
    • Overview
    • Scheduled analytics rules
      • Overview
      • Create a scheduled rule from a template
      • Create a scheduled rule from scratch
      • Enhance detections
        • Map data fields to entities
        • Surface custom details in alerts
        • Customize alert details
    • Near-real-time NRT analytics rules
      • Overview
      • Create NRT analytics rules
    • Anomaly detection rules
      • Overview
      • Work with out-of-the-box anomaly rules
    • Multistage attacks Fusion
      • Overview
      • Configure multistage attack Fusion rules
    • Create incidents from Microsoft Security alerts
    • Export and import analytics rules
    • Manage template versions for analytics rules
    • Handle ingestion delay in analytics rules
    • Get fine-tuning recommendations
    • Troubleshoot analytics rules
  • Tutorial - Detect threats using analytics rules
  • MITRE ATT&CK coverage
  • Data classification with entities
    • Overview
    • Entity pages
    • User and entity behavior analytics UEBA
    • Create custom entity activities
  • Watchlists
    • Overview
    • Create watchlists
    • Build queries or rules
    • Manage watchlists
  • Deploy and monitor decoy honeytokens
  • Handle false positives
• Hunt for threats
  • Overview
  • Conduct end-to-end hunts
  • Advanced hunting in the Defender portal
    • Overview
    • Generate queries with Security Copilot
    • Use functions, saved queries, custom rules
    • Use shared queries
    • Work with query results
    • Explore results containing Microsoft Sentinel data
  • Kusto Query Language
    • Overview
    • Query best practices
    • SQL to KQL cheat sheet
    • Splunk to KQL cheat sheet
    • KQL quick reference
    • Common tasks with KQL for Microsoft Sentinel
    • Other KQL resources
  • Create custom query
  • Bookmarks
  • Livestream
  • Notebooks
    • Overview
    • Get started with notebooks and MSTICPy
    • Launch Jupyter notebook
    • Configure advanced MSTICPy settings
  • Bring your own machine learning
• Investigate incidents
  • Azure portal
    • Overview
    • Triage and manage your incidents
    • Investigate incidents in depth
    • Tutorial - Investigate with UEBA
    • Relate alerts to incidents
    • Create incidents manually
    • Delete incidents
    • Remediate threats while investigating
    • Manage incident workflow with tasks
      • Overview
      • Use tasks to handle incident workflow
      • Audit and track changes to incident tasks
    • Collaborate in Microsoft Teams
  • Defender portal
    • Overview
    • Plan incident response
    • Alerts, incidents, and correlation
    • Manage incidents
  • Entities
    • Overview
    • Create custom entity activities
    • Entity pages in the Defender portal
      • User
      • Device
      • IP
  • Security Copilot
    • Overview
    • Summarize incidents in Azure portal
    • Microsoft Copilot in Microsoft Defender
      • Overview
      • Summarize incidents
      • Run script analysis
      • Analyze files
      • Create incident reports
  • Large datasets
    • Overview
    • Search large datasets
    • Restore historical data
• Automate responses
  • Overview
  • Respond to threats using automation
  • Automatically enrich incident information
  • Extract incident entities with non-native actions
  • Automation rules
    • Automation rules
    • Create automation rules
    • Add advanced conditions to automation rules
    • Create incident tasks using automation rules
    • Export and import automation rules
  • Playbooks
    • Overview
    • Recommended and sample playbooks
    • Customize playbooks from templates
    • Create and manage playbooks
    • Supported triggers and actions in playbooks
    • Azure Logic Apps for Microsoft Sentinel playbooks
    • Authenticate playbooks to Microsoft Sentinel
    • Automate and run playbooks
    • Advanced playbook scenarios
      • Migrate alert playbooks to automation rules
      • Define an access restriction for Standard-plan playbooks
      • Create and perform advanced incident tasks using playbooks
• SOC optimizations
  • Optimize your security operations
  • Use SOC optimizations programmatically
  • SOC optimization reference
• Manage Microsoft Sentinel
  • Manage costs and billing
    • Monitor costs
    • Reduce costs
    • Switch to simplified pricing tiers
    • Optimize costs with pre-purchase plan
    • Manage data retention
    • Auxiliary logs use cases
  • Manage multiple workspaces
    • Workspaces in the Defender portal
    • Workspace manager in the Azure portal
    • Extend across multiple workspaces
  • Microsoft Sentinel for MSSPs
    • Manage multiple tenants MSSP
    • Work with incidents in multiple workspaces
    • Manage your intellectual property in Microsoft Sentinel
  • Manage workspace access
  • Set up customer-managed keys
  • Manage your SOC with incident metrics
  • Monitor Microsoft Sentinel health
    • Overview
    • Enable auditing and health monitoring
    • Monitor data connector health
    • Monitor automation rules and playbooks health
    • Monitor and optimize execution of analytics rules
    • Audit and monitor the health of analytics rules
  • Auditing Microsoft Sentinel with Azure Activity Logs
  • Remove Microsoft Sentinel from your workspaces
• Build and publish Microsoft Sentinel solutions
  • Overview
  • Sentinel solution quality guidelines
  • Partner integrations best practices
  • Creating codeless data connectors CCF
  • Creating analytics rules
  • Creating hunting queries
  • Creating workbooks
  • Creating playbooks
  • Creating ASIM parsers
  • Publish solutions
  • Solution lifecycle post publish
  • Remove Microsoft Sentinel from your workspace
    • Overview
    • Remove Microsoft Sentinel
• Troubleshoot
  • Troubleshoot AWS S3 connector issues
• Reference
  • Service limits
  • Microsoft Sentinel REST-API
  • OOTB content centralization changes
  • Management references
    • Microsoft Sentinel Logic Apps connector
    • Azure CLI
    • Microsoft Sentinel PowerShell
    • SentinelHealth table reference
    • SentinelAudit table reference
    • Azure RBAC roles
      • All Azure roles
      • Microsoft Sentinel roles
  • Advanced Security Information Model ASIM
    • ASIM content
    • ASIM parsers
    • ASIM common fields
    • ASIM helper functions
    • ASIM known issues
    • ASIM schemas
      • ASIM alert event schema
      • ASIM audit event schema
      • ASIM authentication schema
      • ASIM DNS schema
      • ASIM DHCP schema
      • ASIM file event schema
      • ASIM network session schema
      • ASIM process event schema
      • ASIM registry event schema
      • ASIM user management schema
      • ASIM web session schema
      • Legacy network normalization schema
  • Automation and response references
    • SOAR content catalog
    • Automation rules reference
  • Data collection references
    • Data source schema reference
    • Security alert schema reference
    • CEF log field mapping
    • Windows security event sets
    • DNS over AMA reference
    • Data connector definitions API reference
    • RestApiPoller data connectors API reference
    • GCP data connectors API reference
    • Sample API requests for creating Data Collection Rules DCRs
    • Microsoft Purview Information Protection reference
    • Microsoft 365 Defender connector data type support
  • Detection and analysis references
    • Top Microsoft Sentinel workbooks
    • Entities reference
    • UEBA reference
    • Anomalies reference
    • Multistage attack detection scenarios
    • Watchlist template schemas
    • Manage hunting queries with REST-API
    • Enrich entities with geolocation data with REST-API
    • Threat intelligence upload API reference
    • Legacy upload indicator API reference
  • Operations guide
• Resources
  • Sample workspace architecture
  • Microsoft Sentinel blog
  • Pricing
  • Build your skills for Microsoft Sentinel
    • Microsoft Applied Skill - Configure SIEM security operations using Microsoft Sentinel
    • Microsoft Sentinel skill-up training
    • Learn modules for Microsoft Sentinel
    • [Learn modules for Kusto Query Language KQL](https://learn.microsoft.com/training/browse/?expanded=azure&terms=kusto query language)