Microsoft Sentinel documentation

Microsoft Sentinel provides attack detection, threat visibility, proactive hunting, and threat response to help you stop threats before they cause harm.

• Microsoft Sentinel Documentation
• Overview
  • What is Microsoft Sentinel?
  • What's new
  • Best practices
  • Experience in Defender portal
• Plan
  • Deployment planning guide
  • Prerequisites
  • Workspace architecture
    • Design workspace architecture
    • Review sample workspace designs
    • Prepare for multiple workspaces
  • Prioritize data connectors
  • Plan roles and permissions
  • Plan interactive and long-term data retention
  • Plan costs
  • Availability and support
    • Geographical availability and data residency
    • Support for data types in different clouds
    • Feature support in different clouds
    • Regional availability
    • Security baseline
• Deploy
  • Enable Microsoft Sentinel and initial features and content
  • Onboard to Microsoft Sentinel
  • Configure content
  • Set up multiple workspaces
  • Enable User and Entity Behavior Analytics UEBA
  • Configure interactive and long-term data retention
  • Deploy side-by-side
• Migrate to Microsoft Sentinel
  • Plan and design your migration
    • Plan your migration
    • Use the SIEM migration experience
    • Track migration with a workbook
  • Migrate from ArcSight
    • Migrate detection rules
    • Migrate SOAR automation
    • Export historical data
  • Migrate from Splunk
    • Migrate detection rules
    • Migrate SOAR automation
    • Export historical data
  • Migrate from QRadar
    • Migrate detection rules
    • Migrate SOAR automation
    • Export historical data
  • Ingest historical data
    • Select target platform
    • Select data ingestion tool
    • Ingest data
  • Convert dashboards to workbooks
  • Update SOC processes
• Enable solutions and content
  • Overview
  • Deploy out-of-the-box content
  • Delete out-of-the-box content
  • Partner integrations best practices
  • Solution catalog
    • All solutions
    • ASIM-based domain solutions
    • Monitor Zero Trust
  • Manage custom content from repositories
    • Overview
    • Deploy custom content from your repository
    • Customize repository deployments
  • Protect business applications
    • Integrate SAP systems
      • SAP applications
        • Overview
        • Deploy the SAP integration
          • Deployment overview
          • Deployment prerequisites
          • Install the solution for SAP applications
          • Prepare your SAP environment
          • Connect your SAP system
          • Troubleshoot SAP data connector agent
          • Extra deployment steps
            • Collect SAP HANA audit logs
            • Update the data connector agent
            • Deploy from the command line
            • Deploy with expert options
          • SAP deployment reference advanced
            • Required ABAP permissions
            • Data connector agent kickstart script reference
            • Data connector agent update script reference
            • Data connector agent systemconfig.json file reference
            • Data connector agent systemconfig.ini file reference legacy
        • Enable SAP detections and threat protection
        • Automatic attack disruption for SAP
        • Integrate SAP across multiple workspaces
        • Monitor SAP systems
          • Monitor SAP system health and role
          • Monitor SAP audit logs
          • Monitor SAP audit controls
        • SAP solution content reference
          • SAP security content reference
          • Monitored SAP security parameters
          • SAP solution function reference
          • SAP solution log and table reference
        • Stop SAP data collection
      • SAP BTP
        • Overview
        • Security content reference
        • Deploy SAP BTP
    • Integrate Microsoft business applications
      • Overview
      • Deploy for Power Platform and Microsoft Dynamics 365 Customer Engagement
      • Power Platform and Microsoft Dynamics 365 Customer Engagement security content reference
      • Deploy for Dynamics 365 Finance and Operations
      • Dynamics 365 Finance and Operations security content reference
  • Integrate Microsoft Defender for IoT
    • Connect Defender for IoT data with Microsoft Sentinel
    • Investigate Defender for IoT incidents with Microsoft Sentinel
  • Integrate Microsoft Defender XDR
  • Integrate Microsoft Defender for Cloud
• Collect data
  • Overview
  • Best practices
  • Tutorial - Forward syslog data to workspace
  • Connect data sources
  • Ingestion-time data transformation
  • AMA migration for Microsoft Sentinel
  • Ingest data to an auxiliary logs table
  • Find data connector
  • All connectors
    • 1Password using Azure Functions
    • AbnormalSecurity using Azure Functions
    • AIShield
    • AliCloud using Azure Functions
    • Amazon Web Services
    • Amazon Web Services S3
    • API Protection
    • ARGOS Cloud Security
    • Armis Activities using Azure Functions
    • Armis Alerts using Azure Functions
    • Armis Alerts Activities using Azure Functions
    • Armis Devices using Azure Functions
    • Armorblox using Azure Functions
    • Atlassian Beacon Alerts
    • Atlassian Confluence Audit using Azure Functions
    • Atlassian Jira Audit using Azure Functions
    • Auth0 Access Managementusing Azure Function using Azure Functions
    • Automated Logic WebCTRL
    • Azure Activity
    • Azure Batch Account
    • Azure CloudNGFW By Palo Alto Networks
    • Azure Cognitive Search
    • Azure DDoS Protection
    • Azure Event Hubs
    • Azure Firewall
    • Azure Key Vault
    • Azure Kubernetes Service AKS
    • Azure Logic Apps
    • Azure Service Bus
    • Azure SQL Databases
    • Azure Storage Account
    • Azure Stream Analytics
    • Azure Web Application Firewall WAF
    • BETTER Mobile Threat Defense MTD
    • Bitglass using Azure Functions
    • Bitsight data connector using Azure Functions
    • Box using Azure Functions
    • Cisco ASA/FTD via AMA Preview
    • Cisco Duo Security using Azure Functions
    • Cisco ETD using Azure Functions
    • Cisco Secure Endpoint AMP using Azure Functions
    • Cisco Software Defined WAN
    • Cisco Umbrella using Azure Functions
    • Claroty xDome
    • Cloudflare Preview using Azure Functions
    • Cognni
    • Cohesity using Azure Functions
    • Common Event Format CEF via AMA
    • CommvaultSecurityIQ using Azure Functions
    • Corelight Connector Exporter
    • Cortex XDR - Incidents
    • Cribl
    • CrowdStrike Falcon Adversary Intelligence using Azure Functions
    • Crowdstrike Falcon Data Replicator using Azure Functions
    • Crowdstrike Falcon Data Replicator V2 using Azure Functions
    • Cyber Blind Spot Integration using Azure Functions
    • CyberArkAudit using Azure Functions
    • CyberArkEPM using Azure Functions
    • Cybersixgill Actionable Alerts using Azure Functions
    • Cyborg Security HUNTER Hunt Packages
    • Cynerio Security Events
    • Darktrace Connector for Microsoft Sentinel REST API
    • Datalake2Sentinel
    • Dataminr Pulse Alerts Data Connector using Azure Functions
    • Derdack SIGNL4
    • Digital Shadows Searchlight using Azure Functions
    • Dynamics 365
    • Dynatrace Attacks
    • Dynatrace Audit Logs
    • Dynatrace Problems
    • Dynatrace Runtime Vulnerabilities
    • Elastic Agent Standalone
    • Exchange Security Insights On-Premises Collector
    • Exchange Security Insights Online Collector using Azure Functions
    • F5 BIG-IP
    • Feedly
    • Flare
    • Forcepoint DLP
    • Forescout
    • Forescout Host Property Monitor
    • Fortinet FortiNDR Cloud using Azure Functions
    • Gigamon AMX Data Connector
    • GitHub using Webhooks using Azure Functions
    • GitHub Enterprise Audit Log
    • Google ApigeeX using Azure Functions
    • Google Cloud Platform Cloud Monitoring using Azure Functions
    • Google Cloud Platform DNS using Azure Functions
    • Google Cloud Platform IAM using Azure Functions
    • Google Workspace G Suite using Azure Functions
    • GreyNoise Threat Intelligence using Azure Functions
    • HackerView Intergration using Azure Functions
    • HYAS Protect using Azure Functions
    • Holm Security Asset Data using Azure Functions
    • Illumio SaaS using Azure Functions
    • Imperva Cloud WAF using Azure Functions
    • Infoblox Data Connector via REST API using Azure Functions
    • Infoblox Cloud Data Connector via AMA
    • Infoblox SOC Insight Data Connector via AMA
    • Infoblox SOC Insight Data Connector via REST API
    • InfoSecGlobal Data Connector
    • IONIX Security Logs
    • Island Enterprise Browser Admin Audit Polling CCP
    • Island Enterprise Browser User Activity Polling CCP
    • Jamf Protect
    • LastPass Enterprise - Reporting Polling CCP
    • Lookout using Azure Function
    • Luminar IOCs and Leaked Credentials using Azure Functions
    • MailGuard 365
    • MailRisk by Secure Practice using Azure Functions
    • Microsoft 365
    • Microsoft 365 Defender
    • Microsoft 365 Insider Risk Management
    • Microsoft Active-Directory Domain Controllers Security Event Logs
    • Microsoft Defender for Cloud Apps
    • Microsoft Defender for Endpoint
    • Microsoft Defender for Identity
    • Microsoft Defender for IoT
    • Microsoft Defender for Office 365 Preview
    • Microsoft Defender Threat Intelligence Preview
    • Microsoft Defender XDR
    • Microsoft Entra ID
    • Microsoft Entra ID Protection
    • Microsoft Exchange Admin Audit Logs by Event Logs
    • Microsoft Exchange HTTP Proxy Logs
    • Microsoft Exchange Logs and Events
    • Microsoft Exchange Message Tracking Logs
    • Microsoft Power BI
    • Microsoft Project
    • Microsoft Purview Preview
    • Microsoft Purview Information Protection
    • Mimecast Audit & Authentication using Azure Functions
    • Mimecast Intelligence for Microsoft - Microsoft Sentinel using Azure Functions
    • Mimecast Secure Email Gateway using Azure Functions
    • Mimecast Targeted Threat Protection using Azure Functions
    • MISP2Sentinel
    • MuleSoft Cloudhub using Azure Functions
    • NC Protect
    • Netclean ProActive Incidents
    • Netskope using Azure Functions
    • Netskope Data Connector using Azure Functions
    • Netskope Web Transactions Data Connector using Azure Functions
    • Network Security Groups
    • Noname Security for Microsoft Sentinel
    • NXLog AIX Audit
    • NXLog BSM macOS
    • NXLog DNS Logs
    • NXLog FIM
    • NXLog LinuxAudit
    • Okta Single Sign-On using Azure Functions
    • OneLogin IAM Platformusing Azure Functions
    • Oracle Cloud Infrastructure using Azure Functions
    • Orca Security Alerts
    • Palo Alto Prisma Cloud CSPM using Azure Functions
    • Perimeter 81 Activity Logs
    • Phosphorus Devices
    • Prancer Data Connector
    • Premium Microsoft Defender Threat Intelligence Preview
    • Proofpoint On Demand Email Security using Azure Functions
    • Proofpoint TAP using Azure Functions
    • Qualys VM KnowledgeBase using Azure Functions
    • Qualys Vulnerability Management using Azure Functions
    • Radiflow iSID via AMA
    • Rapid7 Insight Platform Vulnerability Management Reports using Azure Functions
    • Rubrik Security Cloud data connector using Azure Functions
    • SaaS Security
    • SailPoint IdentityNow using Azure Function
    • Salesforce Service Cloud using Azure Functions
    • SenservaPro Preview
    • SentinelOne using Azure Functions
    • Seraphic Web Security
    • Silverfort Admin Console
    • Slack Audit using Azure Functions
    • Snowflake using Azure Functions
    • Sonrai Data Connector
    • Sophos Cloud Optix
    • Sophos Endpoint Protection using Azure Functions
    • Subscription-based Microsoft Defender for Cloud Legacy
    • Symantec Integrated Cyber Defense Exchange
    • Syslog via AMA
    • Talon Insights
    • Tenable Identity Exposure
    • Tenable Vulnerability Management using Azure Function
    • Tenant-based Microsoft Defender for Cloud Preview
    • TheHive Project - TheHive using Azure Functions
    • Theom
    • Threat intelligence - TAXII
    • Threat Intelligence Platforms
    • Threat Intelligence Upload Indicators API Preview
    • Transmit Security Connector using Azure Functions
    • Trend Vision One using Azure Functions
    • Varonis SaaS
    • Vectra XDR using Azure Functions
    • VMware Carbon Black Cloud using Azure Functions
    • Windows DNS Events via AMA
    • Windows Firewall
    • Windows Firewall Events via AMA Preview
    • Windows Forwarded Events
    • Windows Security Events via AMA
    • WithSecure Elements API Azure Function using Azure Functions
    • Wiz
    • Workplace from Facebook using Azure Functions
    • Zero Networks Segment Audit
    • Zero Networks Segment Audit Function using Azure Functions
    • ZeroFox CTI using Azure Functions
    • ZeroFox Enterprise - Alerts Polling CCP
    • Zimperium Mobile Threat Defense
    • Zoom Reports using Azure Functions
  • Connection instructions by type
    • General instructions for Microsoft connectors
      • Connect Microsoft Sentinel to Microsoft connectors
      • Connect via API-based connectors
      • Connect via diagnostic settings-based connectors
      • Connect via Windows agent-based connectors
    • Azure Functions API connection
    • CEF/Syslog
      • Overview
      • CEF and Syslog via AMA
      • CEF - configure security device
      • Syslog - configure security device
    • Custom log sources text files
      • Collect logs from text files via AMA
      • Custom logs - configure security device
    • DNS via AMA
    • Logstash plugin with Data Collection Rules
  • Connection instructions for service
    • Amazon Web Services logs
    • AWS S3 WAF logs
    • CloudWatch events via Lambda function
    • Google Cloud Platform connectors
    • Microsoft Entra
    • Azure Stack VMs
    • Azure Virtual Desktop
    • Microsoft Defender for Cloud
    • Microsoft Defender XDR
    • Integrate Microsoft Purview
    • Purview Information Protection data
    • Windows security events
  • Configure ingestion-time transformation
  • Configure RDP login detection
  • Create a custom connector
  • Create a codeless connector
  • Normalize data
    • ASIM overview
    • ASIM schemas
    • ASIM parsers
    • Ingest-time normalization
    • Use ASIM
    • Develop ASIM parsers
    • Manage ASIM parsers
    • Modify content to use ASIM
  • Aggregate data with summary rules
• Integrate threat intelligence
  • Overview
  • Threat intelligence integrations
  • Enable MDTI data connector
  • Connect threat intelligence upload API
  • Connect threat intelligence platforms
  • Connect to STIX/TAXII feeds
  • Add indicators in bulk by file
  • Work with threat indicators
  • Add entity to threat indicators
  • Use threat indicators in analytics rules
  • Use matching analytics to detect threats
• Detect threats and analyze data
  • Monitor and visualize data
    • View collected data on the Overview dashboard
    • View customized views with workbooks
    • Create a Power BI report
  • Threat detection analytics rules
    • Overview
    • Scheduled analytics rules
      • Overview
      • Create a scheduled rule from a template
      • Create a scheduled rule from scratch
      • Enhance detections
        • Map data fields to entities
        • Surface custom details in alerts
        • Customize alert details
    • Near-real-time NRT analytics rules
      • Overview
      • Create NRT analytics rules
    • Anomaly detection rules
      • Overview
      • Work with out-of-the-box anomaly rules
    • Multistage attacks Fusion
      • Overview
      • Configure multistage attack Fusion rules
    • Create incidents from Microsoft Security alerts
    • Export and import analytics rules
    • Manage template versions for analytics rules
    • Handle ingestion delay in analytics rules
    • Get fine-tuning recommendations
    • Troubleshoot analytics rules
  • Tutorial - Detect threats using analytics rules
  • MITRE ATT&CK coverage
  • Data classification with entities
    • Overview
    • Entity pages
    • User and entity behavior analytics UEBA
    • Create custom entity activities
  • Watchlists
    • Overview
    • Create watchlists
    • Build queries or rules
    • Manage watchlists
  • Deploy and monitor decoy honeytokens
  • Handle false positives
• Hunt for threats
  • Overview
  • Conduct end-to-end hunts
  • Advanced hunting in the Defender portal
    • Overview
    • Generate queries with Security Copilot
    • Use functions, saved queries, custom rules
    • Use shared queries
    • Work with query results
    • Explore results containing Microsoft Sentinel data
  • Kusto Query Language
    • Overview
    • Query best practices
    • SQL to KQL cheat sheet
    • Splunk to KQL cheat sheet
    • KQL quick reference
    • Other KQL resources
  • Create custom query
  • Bookmarks
  • Livestream
  • Notebooks
    • Overview
    • Get started with notebooks and MSTICPy
    • Launch Jupyter notebook
    • Configure advanced MSTICPy settings
  • Bring your own machine learning
• Investigate incidents
  • Azure portal
    • Overview
    • Investigate incidents
    • Tutorial - Investigate with UEBA
    • Relate alerts to incidents
    • Create incidents manually
    • Delete incidents
    • Remediate threats while investigating
    • Manage incident workflow with tasks
      • Overview
      • Use tasks to handle incident workflow
      • Audit and track changes to incident tasks
    • Collaborate in Microsoft Teams
  • Defender portal
    • Overview
    • Alerts, incidents, and correlation
    • Manage incidents
  • Entities
    • Overview
    • Create custom entity activities
    • Entity pages in the Defender portal
      • User
      • Device
      • IP
  • Security Copilot
    • Overview
    • Microsoft Copilot in Microsoft Defender
      • Overview
      • Summarize incidents
      • Run script analysis
      • Analyze files
      • Create incident reports
  • Large datasets
    • Overview
    • Search large datasets
    • Restore historical data
• Automate responses
  • Overview
  • Respond to threats using automation
  • Automatically enrich incident information
  • Extract incident entities with non-native actions
  • Automation rules
    • Automation rules
    • Create automation rules
    • Add advanced conditions to automation rules
    • Create incident tasks using automation rules
    • Export and import automation rules
  • Playbooks
    • Overview
    • Recommended and sample playbooks
    • Customize playbooks from templates
    • Create and manage playbooks
    • Supported triggers and actions in playbooks
    • Azure Logic Apps for Microsoft Sentinel playbooks
    • Authenticate playbooks to Microsoft Sentinel
    • Automate and run playbooks
    • Advanced playbook scenarios
      • Migrate alert playbooks to automation rules
      • Define an access restriction for Standard-plan playbooks
      • Create and perform advanced incident tasks using playbooks
• SOC optimizations
  • Optimize your security operations
  • Use SOC optimizations programmatically
  • SOC optimization reference
• Manage Microsoft Sentinel
  • Manage costs and billing
    • Monitor costs
    • Reduce costs
    • Switch to simplified pricing tiers
    • Optimize costs with pre-purchase plan
    • Manage data retention
    • Auxiliary logs use cases
  • Connect Microsoft Sentinel to Microsoft Defender XDR
  • Manage multiple workspaces
    • Workspace manager
    • Extend across multiple workspaces
  • Microsoft Sentinel for MSSPs
    • Manage multiple tenants MSSP
    • Work with incidents in multiple workspaces
    • Manage your intellectual property in Microsoft Sentinel
  • Manage workspace access
  • Set up customer-managed keys
  • Manage your SOC with incident metrics
  • Monitor Microsoft Sentinel health
    • Overview
    • Enable auditing and health monitoring
    • Monitor data connector health
    • Monitor automation rules and playbooks health
    • Monitor and optimize execution of analytics rules
    • Audit and monitor the health of analytics rules
  • Auditing Microsoft Sentinel with Azure Activity Logs
  • Remove Microsoft Sentinel from your workspaces
• Troubleshoot
  • Troubleshoot AWS S3 connector issues
• Reference
  • Service limits
  • Microsoft Sentinel REST-API
  • OOTB content centralization changes
  • Build and publish Microsoft Sentinel solutions
    • Publish solutions
    • Solution lifecycle post publish
  • Management references
    • Microsoft Sentinel Logic Apps connector
    • Azure CLI
    • Microsoft Sentinel PowerShell
    • SentinelHealth table reference
    • SentinelAudit table reference
    • Azure RBAC roles
      • All Azure roles
      • Microsoft Sentinel roles
  • Advanced Security Information Model ASIM
    • ASIM content
    • ASIM parsers
    • ASIM common fields
    • ASIM helper functions
    • ASIM known issues
    • ASIM schemas
      • ASIM alert event schema
      • ASIM audit event schema
      • ASIM authentication schema
      • ASIM DNS schema
      • ASIM DHCP schema
      • ASIM file event schema
      • ASIM network session schema
      • ASIM process event schema
      • ASIM registry event schema
      • ASIM user management schema
      • ASIM web session schema
      • Legacy network normalization schema
  • Automation and response references
    • SOAR content catalog
    • Automation rules reference
  • Data collection references
    • Data source schema reference
    • Security alert schema reference
    • CEF log field mapping
    • Windows security event sets
    • DNS over AMA reference
    • Data connector definitions API reference
    • RestApiPoller data connectors API reference
    • GCP data connectors API reference
    • Sample API requests for creating Data Collection Rules DCRs
    • Microsoft Purview Information Protection reference
    • Microsoft 365 Defender connector data type support
  • Detection and analysis references
    • Top Microsoft Sentinel workbooks
    • Entities reference
    • UEBA reference
    • Anomalies reference
    • Multistage attack detection scenarios
    • Watchlist template schemas
    • Manage hunting queries with REST-API
    • Enrich entities with geolocation data with REST-API
    • Upload indicator API reference
  • Compare playbooks, workbooks, and notebooks
  • Operations guide
• Resources
  • Sample workspace architecture
  • Microsoft Sentinel blog
  • Pricing
  • Build your skills for Microsoft Sentinel
    • Microsoft Applied Skill - Configure SIEM security operations using Microsoft Sentinel
    • Microsoft Sentinel skill-up training
    • Learn modules for Microsoft Sentinel
    • [Learn modules for Kusto Query Language KQL](https://learn.microsoft.com/training/browse/?expanded=azure&terms=kusto query language)