SkillRepo
Sign InSign Up
Catalog
MicrosoftDocs/azure-sentinel

MicrosoftDocs

azure-sentinel

Expert knowledge for Azure Sentinel development including troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when configuring Sentinel data connectors, analytics rules, playbooks/Logic Apps, ASIM schemas, or SAP/AWS/GCP sources, and other Azure Sentinel related development tasks. Not for Azure Defender For Cloud (use azure-defender-for-cloud), Azure Security (use azure-security), Azure Monitor (use azure-monitor), Azure Network Watcher (use azure-network-watcher).

global
Requires network access. Uses mcp_microsoftdocs:microsoft_docs_fetch or fetch_webpage to retrieve documentation.
generated_at:2026-06-21
generator:docs2skills/1.0.0
New
Saved Jun 26, 2026

Azure Sentinel Skill

This skill provides expert guidance for Azure Sentinel. Covers troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. It combines local quick-reference content with remote documentation fetching capabilities.

How to Use This Skill

IMPORTANT for Agent: Use the Category Index below to locate relevant sections. For categories with line ranges (e.g., L35-L120), use read_file with the specified lines. For categories with file links (e.g., [security.md](security.md)), use read_file on the linked reference file

IMPORTANT for Agent: If metadata.generated_at is more than 3 months old, suggest the user pull the latest version from the repository. If mcp_microsoftdocs tools are not available, suggest the user install it: Installation Guide

This skill requires network access to fetch documentation content:

  • Preferred: Use mcp_microsoftdocs:microsoft_docs_fetch with query string from=learn-agent-skill. Returns Markdown.
  • Fallback: Use fetch_webpage with query string from=learn-agent-skill&accept=text/markdown. Returns Markdown.

Category Index

Category Lines Description
Troubleshooting L37-L50 Diagnosing and fixing Sentinel data ingestion, connectors, analytics rules, KQL/jobs, notebooks, ASIM, and MCP tool issues, including SAP, AWS S3, Syslog/CEF, and Storage Blob.
Best Practices L51-L76 Best practices for Sentinel SOCs: workspace/data design, detections & tuning, automation/playbooks, incident handling & metrics, UEBA/ASIM/ML use, SAP optimization, and solution lifecycle quality.
Decision Making L77-L116 Guidance on SIEM migration to Sentinel, choosing data tiers, retention, connectors, automation, and strategies to plan, estimate, monitor, and optimize Sentinel costs and operations.
Architecture & Design Patterns L117-L129 Designing Sentinel architectures: multi-workspace/tenant layouts, MSSP/Lighthouse patterns, BCDR, coexistence with other SIEMs, SAP setups, and integration patterns across portals.
Limits & Quotas L130-L142 Limits, quotas, pricing, availability, and known issues for Microsoft Sentinel data, features, long-term search, and watchlists, including implications of disabling or removing the service.
Security L143-L158 Securing Sentinel: auth and RBAC, playbook access, CMK and data residency, network perimeters, UEBA/SAP security, MSSP IP protection, and AWS identity attack disruption.
Configuration L159-L289 Configuring Microsoft Sentinel: data connectors, analytics and automation rules, ASIM schemas, SAP/AWS/GCP integrations, data lake, MCP tools, health monitoring, and normalization settings.
Integrations & Coding Patterns L290-L337 Integrating Microsoft Sentinel with external data, threat intel, MCP/Copilot, Logic Apps, Teams, ASIM, and data lake APIs, plus building custom connectors, playbooks, and automation workflows.
Deployment L338-L357 Deploying and managing Sentinel content and solutions: CI/CD, repo-based deployments, playbooks, rules as code, marketplace/content hub solutions, and SAP/Dynamics/Power Platform connectors.

Troubleshooting

Topic URL
Troubleshoot AWS S3 log ingestion connector in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/aws-s3-troubleshoot
Troubleshoot Microsoft Sentinel Azure Storage Blob connector issues https://learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot
Troubleshoot Syslog and CEF AMA connectors in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/cef-syslog-ama-troubleshooting
Troubleshoot KQL queries and jobs in Sentinel data lake https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-troubleshoot
Resolve common Jupyter notebook errors in Sentinel data lake https://learn.microsoft.com/en-us/azure/sentinel/datalake/notebooks-troubleshooting
Troubleshoot and optimize Microsoft Sentinel MCP tools https://learn.microsoft.com/en-us/azure/sentinel/datalake/troubleshoot-sentinel-mcp
Monitor and troubleshoot Sentinel scheduled analytics rule execution https://learn.microsoft.com/en-us/azure/sentinel/monitor-optimize-analytics-rule-execution
Troubleshoot Sentinel SAP data connector agent https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-deploy-troubleshoot
Troubleshoot Microsoft Sentinel analytics rule issues https://learn.microsoft.com/en-us/azure/sentinel/troubleshoot-analytics-rules
Troubleshoot Microsoft Sentinel solution ingestion and packaging https://learn.microsoft.com/en-us/azure/sentinel/troubleshoot-sentinel-solutions

Best Practices

Topic URL
Audit and track Microsoft Sentinel incident task history https://learn.microsoft.com/en-us/azure/sentinel/audit-track-tasks
Design Microsoft Sentinel automation rules for SOAR https://learn.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules
Apply recommended Microsoft Sentinel playbook templates and use cases https://learn.microsoft.com/en-us/azure/sentinel/automation/playbook-recommendations
Apply best practices for Microsoft Sentinel workspaces https://learn.microsoft.com/en-us/azure/sentinel/best-practices
Apply Sentinel-specific best practices for data collection https://learn.microsoft.com/en-us/azure/sentinel/best-practices-data
Bring custom machine learning models into Microsoft Sentinel https://learn.microsoft.com/en-us/azure/sentinel/bring-your-own-ml
Manage Sentinel detection lifecycle effectively https://learn.microsoft.com/en-us/azure/sentinel/detection-lifecycle-management-recommendations
Apply detection tuning recommendations to Sentinel rules https://learn.microsoft.com/en-us/azure/sentinel/detection-tuning
Use ASIM-based essential domain solutions in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/domain-based-essential-solutions
Reduce Microsoft Sentinel false positives with rules and automation https://learn.microsoft.com/en-us/azure/sentinel/false-positives
Standardize Microsoft Sentinel incident handling with tasks https://learn.microsoft.com/en-us/azure/sentinel/incident-tasks
Handle data ingestion delay in scheduled rules https://learn.microsoft.com/en-us/azure/sentinel/ingestion-delay
Use UEBA data effectively in incident investigations https://learn.microsoft.com/en-us/azure/sentinel/investigate-with-ueba
Use Sentinel incident metrics to manage SOC performance https://learn.microsoft.com/en-us/azure/sentinel/manage-soc-with-incident-metrics
Apply operational best practices for Microsoft Sentinel SOCs https://learn.microsoft.com/en-us/azure/sentinel/ops-guide
Optimize SAP threat detections and content in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/sap/deployment-solution-configuration
Use Security Copilot effectively with Microsoft Sentinel data https://learn.microsoft.com/en-us/azure/sentinel/sentinel-security-copilot
Summarize Microsoft Sentinel incidents using Security Copilot https://learn.microsoft.com/en-us/azure/sentinel/sentinel-security-copilot-incident-summary
Manage deprecated Microsoft Sentinel solutions lifecycle https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solution-deprecation
Apply quality guidelines to Microsoft Sentinel solutions https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solution-quality-guidance
Use customizable anomaly detection to find threats https://learn.microsoft.com/en-us/azure/sentinel/soc-ml-anomalies
Use Microsoft Sentinel watchlists for enriched correlation https://learn.microsoft.com/en-us/azure/sentinel/watchlists

Decision Making

Topic URL
Plan and execute Sentinel migration from MMA to AMA https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate
Decide and migrate Sentinel alert-trigger playbooks to automation rules https://learn.microsoft.com/en-us/azure/sentinel/automation/migrate-playbooks-to-automation-rules
Decide when to use the Microsoft Sentinel data lake tier https://learn.microsoft.com/en-us/azure/sentinel/basic-logs-use-cases
Plan and estimate Microsoft Sentinel billing costs https://learn.microsoft.com/en-us/azure/sentinel/billing
Manage and monitor Microsoft Sentinel costs and billing https://learn.microsoft.com/en-us/azure/sentinel/billing-monitor-costs
Use Sentinel prepurchase plans to optimize analytics costs https://learn.microsoft.com/en-us/azure/sentinel/billing-pre-purchase-plan
Reduce and optimize Microsoft Sentinel costs https://learn.microsoft.com/en-us/azure/sentinel/billing-reduce-costs
Choose and configure Sentinel connectors for Cisco firewalls https://learn.microsoft.com/en-us/azure/sentinel/cisco-ftd-firewall
Choose between Sentinel analytics rules and Defender custom detections https://learn.microsoft.com/en-us/azure/sentinel/compare-analytics-rules-custom-detections
Configure Sentinel interactive and long-term retention https://learn.microsoft.com/en-us/azure/sentinel/configure-data-retention-archive
Assess Sentinel connector support across clouds https://learn.microsoft.com/en-us/azure/sentinel/data-type-cloud-support
Choose between KQL jobs, summary rules, and search jobs in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-jobs-summary-rules-search-jobs
Choose which logs to ingest into Sentinel data lake https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-log-ingestion-guidance
Enroll workspaces in Sentinel simplified pricing tiers https://learn.microsoft.com/en-us/azure/sentinel/enroll-simplified-pricing-tier
Decide when to use search jobs and restore data in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/investigate-large-datasets
Choose Microsoft Sentinel log retention tiers https://learn.microsoft.com/en-us/azure/sentinel/log-plans
Choose data tiers and retention settings in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/manage-data-overview
Determine Defender XDR data type support across GCC clouds in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-cloud-support
Plan migration from legacy SIEM to Microsoft Sentinel https://learn.microsoft.com/en-us/azure/sentinel/migration
Migrate ArcSight SOAR automation to Sentinel rules and playbooks https://learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-automation
Map and migrate ArcSight detection rules to Sentinel https://learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-detection-rules
Export ArcSight historical data for Sentinel migration https://learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-historical-data
Choose Sentinel target platform for historical data https://learn.microsoft.com/en-us/azure/sentinel/migration-ingestion-target-platform
Select data ingestion tools for Sentinel migration https://learn.microsoft.com/en-us/azure/sentinel/migration-ingestion-tool
Migrate QRadar SOAR automation to Sentinel automation https://learn.microsoft.com/en-us/azure/sentinel/migration-qradar-automation
Map and migrate QRadar detection rules to Sentinel https://learn.microsoft.com/en-us/azure/sentinel/migration-qradar-detection-rules
Export QRadar historical data for Sentinel migration https://learn.microsoft.com/en-us/azure/sentinel/migration-qradar-historical-data
Migrate Splunk SOAR automation to Sentinel rules and playbooks https://learn.microsoft.com/en-us/azure/sentinel/migration-splunk-automation
Map and migrate Splunk detection rules to Sentinel analytics https://learn.microsoft.com/en-us/azure/sentinel/migration-splunk-detection-rules
Export Splunk historical data for Sentinel migration https://learn.microsoft.com/en-us/azure/sentinel/migration-splunk-historical-data
Transition Sentinel operations from Azure portal to Defender portal https://learn.microsoft.com/en-us/azure/sentinel/move-to-defender
Prioritize Microsoft Sentinel data connectors strategically https://learn.microsoft.com/en-us/azure/sentinel/prioritize-data-connectors
Select domain-specific Sentinel solutions from content hub https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog
Use SIEM migration tool to map detections https://learn.microsoft.com/en-us/azure/sentinel/siem-migration
Apply Sentinel SOC optimization recommendations https://learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-access
Use Sentinel SOC optimization reference recommendations https://learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-reference

Architecture & Design Patterns

Topic URL
Design BCDR architecture for Microsoft Sentinel https://learn.microsoft.com/en-us/azure/sentinel/business-continuity-disaster-recovery
Deploy Sentinel alongside an existing SIEM https://learn.microsoft.com/en-us/azure/sentinel/deploy-side-by-side
Design Sentinel across multiple workspaces and tenants https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants
Architect multi-tenant Sentinel for MSSPs with Azure Lighthouse https://learn.microsoft.com/en-us/azure/sentinel/multiple-tenants-service-providers
Design integration patterns for Microsoft Sentinel solutions https://learn.microsoft.com/en-us/azure/sentinel/partner-integrations
Plan multi-workspace and multi-tenant Sentinel layouts https://learn.microsoft.com/en-us/azure/sentinel/prepare-multiple-workspaces
Choose Microsoft Sentinel workspace designs by scenario https://learn.microsoft.com/en-us/azure/sentinel/sample-workspace-designs
Design multi-workspace architecture for Sentinel SAP https://learn.microsoft.com/en-us/azure/sentinel/sap/cross-workspace
Implement multi-workspace and multi-tenant Sentinel setup https://learn.microsoft.com/en-us/azure/sentinel/use-multiple-workspaces

Limits & Quotas

Topic URL
Microsoft Sentinel data lake service limits reference https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-service-limits
Microsoft Sentinel MCP pricing and usage limits https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-billing
Check Sentinel feature availability by Azure cloud https://learn.microsoft.com/en-us/azure/sentinel/feature-availability
Understand ASIM known issues and limitations in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/normalization-known-issues
Understand implications and timing of removing Sentinel https://learn.microsoft.com/en-us/azure/sentinel/offboard-implications
Run Microsoft Sentinel search jobs over long-term data https://learn.microsoft.com/en-us/azure/sentinel/search-jobs
Review Microsoft Sentinel service limits and quotas https://learn.microsoft.com/en-us/azure/sentinel/sentinel-service-limits
Create Microsoft Sentinel watchlists with size limits https://learn.microsoft.com/en-us/azure/sentinel/watchlists-create
Edit Microsoft Sentinel watchlists with ingestion SLA https://learn.microsoft.com/en-us/azure/sentinel/watchlists-manage

Security

Topic URL
Configure authentication for Microsoft Sentinel playbooks https://learn.microsoft.com/en-us/azure/sentinel/automation/authenticate-playbooks-to-sentinel
Define access restriction policies for Sentinel Standard playbooks https://learn.microsoft.com/en-us/azure/sentinel/automation/define-playbook-access-restrictions
Enable Sentinel attack disruption actions on AWS identities https://learn.microsoft.com/en-us/azure/sentinel/aws-disruption
Configure customer-managed keys for Microsoft Sentinel https://learn.microsoft.com/en-us/azure/sentinel/customer-managed-keys
Configure Microsoft Sentinel UEBA data sources and settings https://learn.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics
Enable network security perimeters for Sentinel Storage connectors https://learn.microsoft.com/en-us/azure/sentinel/enable-storage-network-security
Understand Sentinel geographic availability and data residency https://learn.microsoft.com/en-us/azure/sentinel/geographical-availability-data-residency
Protect MSSP intellectual property in Sentinel deployments https://learn.microsoft.com/en-us/azure/sentinel/mssp-protect-intellectual-property
Configure resource-context RBAC for Sentinel data access https://learn.microsoft.com/en-us/azure/sentinel/resource-context-rbac
Configure Microsoft Sentinel roles and permissions https://learn.microsoft.com/en-us/azure/sentinel/roles
Assign required SAP ABAP authorizations for Sentinel https://learn.microsoft.com/en-us/azure/sentinel/sap/required-abap-authorizations
Use Microsoft Sentinel built-in security content for SAP https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-security-content

Configuration

Topic URL
Add advanced condition groups to Sentinel automation rules https://learn.microsoft.com/en-us/azure/sentinel/add-advanced-conditions-to-automation-rules
Understand anomaly types detected by Sentinel ML engine https://learn.microsoft.com/en-us/azure/sentinel/anomalies-reference
Create Data Collection Rules for Sentinel using API examples https://learn.microsoft.com/en-us/azure/sentinel/api-dcr-reference
Access and query Microsoft Sentinel audit data https://learn.microsoft.com/en-us/azure/sentinel/audit-sentinel-data
Use SentinelAudit tables for user activity auditing https://learn.microsoft.com/en-us/azure/sentinel/audit-table-reference
Configure Microsoft Sentinel automation rule properties and conditions https://learn.microsoft.com/en-us/azure/sentinel/automation-rule-reference
Map CEF keys to Microsoft Sentinel CommonSecurityLog fields https://learn.microsoft.com/en-us/azure/sentinel/cef-name-mapping
Understand Syslog and CEF AMA connectors for Sentinel https://learn.microsoft.com/en-us/azure/sentinel/cef-syslog-ama-overview
Configure Security Events connector for anomalous RDP detection https://learn.microsoft.com/en-us/azure/sentinel/configure-connector-login-detection
Configure ingestion-time data transformation in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/configure-data-transformation
Configure Fusion multistage attack detection rules https://learn.microsoft.com/en-us/azure/sentinel/configure-fusion-rules
Configure AWS service log connectors for Sentinel https://learn.microsoft.com/en-us/azure/sentinel/connect-aws
Prepare AWS environment to send logs to Sentinel https://learn.microsoft.com/en-us/azure/sentinel/connect-aws-configure-environment
Configure AWS EKS S3 connector to ingest audit logs https://learn.microsoft.com/en-us/azure/sentinel/connect-aws-eks
Configure AWS WAF S3 connector to ingest logs to Sentinel https://learn.microsoft.com/en-us/azure/sentinel/connect-aws-s3-waf
Configure Microsoft Entra ID connector for Sentinel logs https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory
Connect Azure Virtual Desktop diagnostics to Sentinel https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-virtual-desktop
Configure Sentinel connectors for Azure and Microsoft services https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-windows-microsoft-services
Configure AMA-based Syslog and CEF ingestion to Sentinel https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog-ama
Configure Custom Logs via AMA to ingest text logs https://learn.microsoft.com/en-us/azure/sentinel/connect-custom-logs-ama
Configure Defender for Cloud alerts connector for Sentinel https://learn.microsoft.com/en-us/azure/sentinel/connect-defender-for-cloud
Stream and filter Windows DNS logs to Sentinel via AMA https://learn.microsoft.com/en-us/azure/sentinel/connect-dns-ama
Configure GCP Pub/Sub connectors to ingest logs to Sentinel https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform
Enable Defender Threat Intelligence connector in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/connect-mdti-data-connector
Configure Purview Information Protection connector for Sentinel https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-purview
Configure API-based data connectors for Microsoft Sentinel https://learn.microsoft.com/en-us/azure/sentinel/connect-services-api-based
Set up diagnostic settings-based connectors for Sentinel https://learn.microsoft.com/en-us/azure/sentinel/connect-services-diagnostic-setting-based
Configure Windows agent-based data connectors for Sentinel https://learn.microsoft.com/en-us/azure/sentinel/connect-services-windows-based
Create scheduled analytics rules from templates https://learn.microsoft.com/en-us/azure/sentinel/create-analytics-rule-from-template
Create custom scheduled analytics rules in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/create-analytics-rules
Configure incident creation from alerts in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts
Configure Microsoft Sentinel automation rules for incident response https://learn.microsoft.com/en-us/azure/sentinel/create-manage-use-automation-rules
Create and manage near-real-time detection rules https://learn.microsoft.com/en-us/azure/sentinel/create-nrt-rules
Create Microsoft Sentinel incident task lists via automation rules https://learn.microsoft.com/en-us/azure/sentinel/create-tasks-automation-rule
Customize Sentinel alert names, severity, and tactics https://learn.microsoft.com/en-us/azure/sentinel/customize-alert-details
Customize activities shown on Sentinel entity timelines https://learn.microsoft.com/en-us/azure/sentinel/customize-entity-activities
Configure Azure Storage Blob Codeless Connector Framework rules https://learn.microsoft.com/en-us/azure/sentinel/data-connection-rules-reference-azure-storage
Configure GCP Codeless Connector Framework data connection rules https://learn.microsoft.com/en-us/azure/sentinel/data-connection-rules-reference-gcp
Configure RestApiPoller data connector and rules JSON https://learn.microsoft.com/en-us/azure/sentinel/data-connector-connection-rules-reference
Define Codeless Connector Framework data connector UI JSON https://learn.microsoft.com/en-us/azure/sentinel/data-connector-ui-definitions-reference
Use asset data table mappings in Sentinel data lake https://learn.microsoft.com/en-us/azure/sentinel/datalake/asset-data-tables
Use audit logs for Sentinel data lake and graph https://learn.microsoft.com/en-us/azure/sentinel/datalake/auditing-lake-activities
Configure federated data connectors in Sentinel data lake https://learn.microsoft.com/en-us/azure/sentinel/datalake/data-federation-setup
Create and schedule KQL jobs in Sentinel data lake https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-jobs
Configure and schedule KQL jobs in Sentinel data lake https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-jobs
Run and manage KQL queries in Sentinel data lake UI https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-queries
Schedule and manage Sentinel notebook jobs for data processing https://learn.microsoft.com/en-us/azure/sentinel/datalake/notebook-jobs
Run and configure Jupyter notebooks on Sentinel data lake https://learn.microsoft.com/en-us/azure/sentinel/datalake/notebooks
Onboard Sentinel data lake from Defender portal https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-onboard-defender
Onboard to Microsoft Sentinel data lake and graph https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-onboarding
Enable Sentinel MCP connector in ChatGPT or Claude https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-chatgpt-claude-connector
Create and configure custom Sentinel MCP tools from KQL https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-create-custom-tool
Configure Microsoft Sentinel MCP server for AI queries https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-get-started
Use Sentinel MCP tools in Microsoft Foundry projects https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-azure-ai-foundry
Configure Sentinel MCP tools in Microsoft Copilot Studio https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-copilot-studio
Configure Sentinel MCP tools in Microsoft Security Copilot https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-security-copilot
Configure Sentinel MCP tools in Visual Studio Code https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-visual-studio-code
Configure Sentinel workbooks to use data lake as source https://learn.microsoft.com/en-us/azure/sentinel/datalake/workbooks-for-data-lake
Use DNS AMA connector fields and normalization schema in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/dns-ama-fields
Enable Sentinel auditing and health monitoring and query data https://learn.microsoft.com/en-us/azure/sentinel/enable-monitoring
Reference Microsoft Sentinel entity types and identifiers https://learn.microsoft.com/en-us/azure/sentinel/entities-reference
Review Fusion-detected multistage attack scenarios in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/fusion-scenario-reference
Configure and interpret Sentinel auditing and health monitoring https://learn.microsoft.com/en-us/azure/sentinel/health-audit
Use SentinelHealth table for SIEM health monitoring https://learn.microsoft.com/en-us/azure/sentinel/health-table-reference
Manage versions of scheduled analytics rule templates https://learn.microsoft.com/en-us/azure/sentinel/manage-analytics-rule-templates
Configure and manage installed Sentinel platform solutions https://learn.microsoft.com/en-us/azure/sentinel/manage-platform-solutions
Configure table retention and tier settings in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/manage-table-tiers-retention
Map data fields to Sentinel entity types in rules https://learn.microsoft.com/en-us/azure/sentinel/map-data-fields-to-entities
Configure Microsoft Defender XDR integration with Sentinel https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration
Use Microsoft Purview Information Protection audit record types in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/microsoft-purview-record-types-activities
Monitor Microsoft Sentinel analytics rule health and integrity https://learn.microsoft.com/en-us/azure/sentinel/monitor-analytics-rule-integrity
Monitor Sentinel automation rules and playbooks health https://learn.microsoft.com/en-us/azure/sentinel/monitor-automation-health
Monitor Sentinel data connector health with SentinelHealth and workbooks https://learn.microsoft.com/en-us/azure/sentinel/monitor-data-connector-health
Monitor Sentinel–SAP connector health and performance https://learn.microsoft.com/en-us/azure/sentinel/monitor-sap-system-health
Use multi-workspace incident views in Microsoft Sentinel https://learn.microsoft.com/en-us/azure/sentinel/multiple-workspace-view
Configure near-real-time analytics rules for fast detection https://learn.microsoft.com/en-us/azure/sentinel/near-real-time-rules
Manage workspace-deployed ASIM parsers in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-workspace-parsers
Use ASIM common schema fields in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/normalization-common-fields
Implement ASIM Application Entity schema in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/normalization-entity-application
Implement ASIM Device Entity schema in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/normalization-entity-device
Implement ASIM User Entity schema in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/normalization-entity-user
Map AI agent telemetry to Sentinel ASIM Agent schema https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-agent
Use ASIM Alert Events normalization schema https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-alert
Use ASIM Asset Entity schema in Microsoft Sentinel https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-asset
Use ASIM Audit Events normalization schema https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-audit
Use ASIM Authentication normalization schema https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-authentication
Apply ASIM DHCP normalization schema in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-dhcp
Use ASIM DNS normalization schema in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-dns
Use ASIM File Event normalization schema https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-file-event
Use Microsoft Sentinel ASIM network session schema fields https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-network
Use Microsoft Sentinel ASIM process event schema fields https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-process-event
Use Microsoft Sentinel ASIM registry event schema fields https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-registry-event
Use Microsoft Sentinel user management normalization schema https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-user-management
Use legacy Microsoft Sentinel network normalization schema v0.1 https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-v1
Use Microsoft Sentinel ASIM web session schema fields https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-web
Configure MSTICPy and notebooks for Microsoft Sentinel https://learn.microsoft.com/en-us/azure/sentinel/notebook-get-started
Advanced MSTICPy and notebook configuration for Sentinel https://learn.microsoft.com/en-us/azure/sentinel/notebooks-msticpy-advanced
Configure SAP HANA audit log collection in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/sap/collect-sap-hana-audit-logs
Prepare SAP systems for Sentinel SAP connector https://learn.microsoft.com/en-us/azure/sentinel/sap/preparing-sap
Verify prerequisites for Sentinel SAP monitoring https://learn.microsoft.com/en-us/azure/sentinel/sap/prerequisites-for-deploying-sap-continuous-threat-monitoring
Reference kickstart script parameters for SAP connector https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-kickstart
Configure legacy systemconfig.ini for Sentinel SAP agent https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-systemconfig
Configure systemconfig.json for Sentinel SAP connector https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-systemconfig-json
Configure SAP connector agent update script options https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-update
Use expert configuration for Sentinel SAP connector agent https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-deploy-alternate
Reference SAP logs and tables ingested by Sentinel https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-log-reference
Tune monitored SAP security parameters for Sentinel rules https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-suspicious-configuration-security-parameters
Configure scheduled analytics rules in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/scheduled-rules-overview
Use Microsoft Sentinel security alert schema fields https://learn.microsoft.com/en-us/azure/sentinel/security-alert-schema
Map alert schemas between Sentinel standalone and XDR connectors https://learn.microsoft.com/en-us/azure/sentinel/security-alert-schema-differences
Understand Sentinel out-of-the-box content centralization https://learn.microsoft.com/en-us/azure/sentinel/sentinel-content-centralize
Remove and restore Sentinel content hub solutions https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-delete
Create and configure summary rules in Sentinel solutions https://learn.microsoft.com/en-us/azure/sentinel/sentinel-summary-rules-creation
Build and publish Sentinel workbooks in solutions https://learn.microsoft.com/en-us/azure/sentinel/sentinel-workbook-creation
Configure Azure Storage Blob connector for Sentinel logs https://learn.microsoft.com/en-us/azure/sentinel/setup-azure-storage-connector
Review prerequisites for Microsoft Sentinel solutions https://learn.microsoft.com/en-us/azure/sentinel/solution-setup-essentials
Configure and use Sentinel summary rules for data aggregation https://learn.microsoft.com/en-us/azure/sentinel/summary-rules
Surface custom event details in Sentinel alerts https://learn.microsoft.com/en-us/azure/sentinel/surface-custom-details-in-alerts
Configure threat intelligence feed integrations in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/threat-intelligence-integration
Configure filter and split transformations for Sentinel data https://learn.microsoft.com/en-us/azure/sentinel/transformation-filter-split
Reference for Sentinel UEBA inputs and enrichments https://learn.microsoft.com/en-us/azure/sentinel/ueba-reference
Configure Custom Logs via AMA for specific applications https://learn.microsoft.com/en-us/azure/sentinel/unified-connector-custom-device
Configure unified connectors to integrate Sentinel data https://learn.microsoft.com/en-us/azure/sentinel/unified-connector-integration
Use schemas for Microsoft Sentinel watchlist templates https://learn.microsoft.com/en-us/azure/sentinel/watchlist-schemas
Select Windows security event sets for Sentinel ingestion https://learn.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference
Configure and tune anomaly detection analytics rules https://learn.microsoft.com/en-us/azure/sentinel/work-with-anomaly-rules
Configure and use Sentinel workspace manager https://learn.microsoft.com/en-us/azure/sentinel/workspace-manager

Integrations & Coding Patterns

Topic URL
Add investigation entities as threat indicators in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/add-entity-to-threat-intelligence
Create and execute Sentinel incident tasks using playbooks https://learn.microsoft.com/en-us/azure/sentinel/automation/create-tasks-playbook
Use automation integrations in Microsoft Sentinel playbooks https://learn.microsoft.com/en-us/azure/sentinel/automation/integrations
Leverage Azure Logic Apps workflows for Sentinel playbooks https://learn.microsoft.com/en-us/azure/sentinel/automation/logic-apps-playbooks
Use Microsoft Sentinel playbook triggers and actions via Logic Apps https://learn.microsoft.com/en-us/azure/sentinel/automation/playbook-triggers-actions
Integrate Microsoft Sentinel incidents with Microsoft Teams https://learn.microsoft.com/en-us/azure/sentinel/collaborate-in-microsoft-teams
Build Azure Functions-based connectors for Sentinel data https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-functions-template
Integrate Logstash with Sentinel using DCR-based API https://learn.microsoft.com/en-us/azure/sentinel/connect-logstash-data-connection-rules
Configure Microsoft Defender XDR connector for Sentinel https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender
Integrate STIX/TAXII threat feeds with Sentinel https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-taxii
Connect external threat intelligence platforms to Sentinel https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-tip
Integrate external TIP feeds via Sentinel upload API https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api
Create codeless data connectors with Sentinel CCF https://learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector
Build Sentinel custom connectors with AI agent https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector-builder-agent
Implement push-based codeless connectors for Sentinel https://learn.microsoft.com/en-us/azure/sentinel/create-push-codeless-connector
Query Sentinel graphs using GQL syntax and operators https://learn.microsoft.com/en-us/azure/sentinel/datalake/gql-reference-for-sentinel-custom-graph
Call Sentinel custom graph REST APIs from clients https://learn.microsoft.com/en-us/azure/sentinel/datalake/graph-rest-api
Call Sentinel data lake KQL query REST APIs programmatically https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-queries-api
Use sample KQL queries for Sentinel data lake investigations https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-sample-queries
Run sample PySpark notebook code against Sentinel data lake https://learn.microsoft.com/en-us/azure/sentinel/datalake/notebook-examples
Use sentinel_graph API to build Sentinel security graphs https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-graph-provider-reference
Use Sentinel MCP agent creation tools for Copilot agents https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-agent-creation-tool
Use Sentinel MCP data exploration tools with KQL https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-data-exploration-tool
Integrate Sentinel MCP tools into Azure Logic Apps workflows https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-logic-apps
Use Sentinel MCP triage tools for incident hunting https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-triage-tool
Use MicrosoftSentinelProvider class to access data lake https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-provider-class-reference
Query and use federated data sources in Microsoft Sentinel https://learn.microsoft.com/en-us/azure/sentinel/datalake/using-data-federation
Enrich Sentinel entities with geolocation data using REST API https://learn.microsoft.com/en-us/azure/sentinel/geolocation-data-api
Manage Sentinel hunting queries via Log Analytics REST API https://learn.microsoft.com/en-us/azure/sentinel/hunting-with-rest-api
Bulk import threat intelligence files into Sentinel https://learn.microsoft.com/en-us/azure/sentinel/indicators-bulk-file-import
Ingest Defender for Cloud incidents via Defender XDR https://learn.microsoft.com/en-us/azure/sentinel/ingest-defender-for-cloud-incidents
Use ASIM KQL parsers for normalized Sentinel queries https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-parsers
Develop and deploy custom ASIM parsers https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers
Apply ASIM helper functions in KQL queries https://learn.microsoft.com/en-us/azure/sentinel/normalization-functions
Build Power BI reports from Sentinel log data https://learn.microsoft.com/en-us/azure/sentinel/powerbi
Integrate Microsoft Purview insights and rules with Sentinel https://learn.microsoft.com/en-us/azure/sentinel/purview-solution
Trigger Sentinel playbooks from entities during investigations https://learn.microsoft.com/en-us/azure/sentinel/respond-threats-during-investigation
Use Sentinel SAP solution KQL functions for analysis https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-function-reference
Monitor Zero Trust TIC 3.0 with Sentinel solution https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solution
Call Sentinel SOC optimization recommendations API https://learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-api
Import threat intelligence STIX objects into Sentinel via upload API https://learn.microsoft.com/en-us/azure/sentinel/stix-objects-api
Extract non-native incident entities with Sentinel playbooks https://learn.microsoft.com/en-us/azure/sentinel/tutorial-extract-incident-entities
Use legacy Sentinel upload indicators API for STIX IOCs https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api
Query STIX indicator and object tables in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/work-with-stix-objects-indicators

Deployment

Topic URL
Create and customize Sentinel playbooks from templates https://learn.microsoft.com/en-us/azure/sentinel/automation/use-playbook-templates
Deploy Sentinel Business Apps solution for Power Platform https://learn.microsoft.com/en-us/azure/sentinel/business-applications/deploy-power-platform-solution
Set up CI/CD for Sentinel custom content https://learn.microsoft.com/en-us/azure/sentinel/ci-cd
Manage Sentinel custom content with repository connections https://learn.microsoft.com/en-us/azure/sentinel/ci-cd-custom-content
Customize repository-based deployments in Sentinel https://learn.microsoft.com/en-us/azure/sentinel/ci-cd-custom-deploy
Onboard Azure Stack Hub VMs to Microsoft Sentinel https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-stack
Connect Dynamics 365 Finance and Operations to Sentinel https://learn.microsoft.com/en-us/azure/sentinel/dynamics-365/deploy-dynamics-365-finance-operations-solution
Import and export Sentinel analytics rules via ARM https://learn.microsoft.com/en-us/azure/sentinel/import-export-analytics-rules
Import and export Microsoft Sentinel automation rules as code https://learn.microsoft.com/en-us/azure/sentinel/import-export-automation-rules
Package and publish Sentinel platform solutions https://learn.microsoft.com/en-us/azure/sentinel/package-platform-solution
Publish Microsoft Sentinel SIEM solutions to marketplace https://learn.microsoft.com/en-us/azure/sentinel/publish-sentinel-solutions
Deploy SAP data connector agent via command line https://learn.microsoft.com/en-us/azure/sentinel/sap/deploy-command-line
Deploy containerized SAP data connector to Sentinel https://learn.microsoft.com/en-us/azure/sentinel/sap/deploy-data-connector-agent-container
Deploy Microsoft Sentinel solution for SAP BTP https://learn.microsoft.com/en-us/azure/sentinel/sap/deploy-sap-btp-solution
Deploy Sentinel solution for SAP applications https://learn.microsoft.com/en-us/azure/sentinel/sap/deployment-overview
Update Microsoft Sentinel SAP data connector agent https://learn.microsoft.com/en-us/azure/sentinel/sap/update-sap-data-connector
Deploy Sentinel solutions from Content hub https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-deploy
Files1
1 files · 18.2 KB

Select a file to preview

Analysis failed

Analysis is temporarily unavailable due to high demand. Please retry in a few minutes.

Reviews

Add this skill to your library to leave a review.

No reviews yet

Be the first to share your experience.

Add MicrosoftDocs/azure-sentinel to your library

Get Started Free

Command Palette

Search for a command to run...