You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/sentinel/whats-new.md
+26-24Lines changed: 26 additions & 24 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -27,6 +27,32 @@ If you're looking for items older than six months, you'll find them in the [Arch
27
27
28
28
## October 2022
29
29
30
+
-[Microsoft 365 Defender now integrates Azure Active Directory Identity Protection (AADIP)](#microsoft-365-defender-now-integrates-azure-active-directory-identity-protection-aadip)
31
+
-[Out of the box anomaly detection on the SAP audit log (Preview)](#out-of-the-box-anomaly-detection-on-the-sap-audit-log-preview)
32
+
33
+
### Microsoft 365 Defender now integrates Azure Active Directory Identity Protection (AADIP)
34
+
35
+
As of **October 24, 2022**, [Microsoft 365 Defender](/microsoft-365/security/defender/) will be integrating [Azure Active Directory Identity Protection (AADIP)](../active-directory/identity-protection/index.yml) alerts and incidents. Customers can choose between two levels of integration:
36
+
37
+
-**Selective alerts** (default) includes only alerts chosen by Microsoft security researchers, mostly of Medium and High severities.
38
+
-**All alerts** includes all AADIP alerts of any severity.
39
+
40
+
This integration can't be disabled.
41
+
42
+
Microsoft Sentinel customers (who are also AADIP subscribers) with [Microsoft 365 Defender integration](microsoft-365-defender-sentinel-integration.md) enabled will automatically start receiving AADIP alerts and incidents in their Microsoft Sentinel incidents queue. Depending on your configuration, this may affect you as follows:
43
+
44
+
- If you already have your AADIP connector enabled in Microsoft Sentinel, you may receive duplicate incidents. To avoid this, you have a few choices, listed here in descending order of preference:
45
+
46
+
| Preference | Action in Microsoft 365 Defender | Action in Microsoft Sentinel |
47
+
| - | - | - |
48
+
|**1**| Keep the default AADIP integration of **Selective alerts**. | Disable **incident creation** in your AADIP data connector. |
49
+
|**2**| Choose the **All alerts** AADIP integration. | Use automation rules to automatically close incidents with unwanted alerts.<br><br>Disable **incident creation** in your AADIP data connector. |
50
+
|**3**| Don't use Microsoft 365 Defender for AADIP alerts:<br>Choose either option for AADIP integration. | Use automation rules to close all incidents where <br>- the *incident provider* is `Microsoft 365 Defender` and <br>- the *alert provider* is `Azure Active Directory Identity Protection`. <br><br>Keep **incident creation** enabled in your AADIP data connector. |
51
+
52
+
- If you don't have your [AADIP connector](data-connectors-reference.md#azure-active-directory-identity-protection) enabled, you must enable it. Be sure **not** to enable incident creation on the connector page. If you don't enable the connector, you may receive AADIP incidents without any data in them.
53
+
54
+
- If you're first enabling your Microsoft 365 Defender connector now, the AADIP connection will be made automatically behind the scenes. You won't need to do anything else.
55
+
30
56
### Out of the box anomaly detection on the SAP audit log (Preview)
31
57
32
58
The SAP audit log records audit and security events on SAP systems, like failed sign-in attempts or other over 200 security related actions. Customers monitor the SAP audit log and generate alerts and incidents out of the box using Microsoft Sentinel built-in analytics rules.
@@ -139,34 +165,10 @@ Learn how to [add an entity to your threat intelligence](add-entity-to-threat-in
139
165
140
166
## August 2022
141
167
142
-
-[Heads up: Microsoft 365 Defender now integrates Azure Active Directory Identity Protection (AADIP)](#heads-up-microsoft-365-defender-now-integrates-azure-active-directory-identity-protection-aadip)
-[New data sources for User and entity behavior analytics (UEBA) (Preview)](#new-data-sources-for-user-and-entity-behavior-analytics-ueba-preview)
145
170
-[Microsoft Sentinel Solution for SAP is now generally available](#microsoft-sentinel-solution-for-sap-is-now-generally-available)
146
171
147
-
### Heads up: Microsoft 365 Defender now integrates Azure Active Directory Identity Protection (AADIP)
148
-
149
-
As of **October 24, 2022**, [Microsoft 365 Defender](/microsoft-365/security/defender/) will be integrating [Azure Active Directory Identity Protection (AADIP)](../active-directory/identity-protection/index.yml) alerts and incidents. Customers can choose between two levels of integration:
150
-
151
-
-**Selective alerts** (default) includes only alerts chosen by Microsoft security researchers, mostly of Medium and High severities.
152
-
-**All alerts** includes all AADIP alerts of any severity.
153
-
154
-
This integration can't be disabled.
155
-
156
-
Microsoft Sentinel customers (who are also AADIP subscribers) with [Microsoft 365 Defender integration](microsoft-365-defender-sentinel-integration.md) enabled will automatically start receiving AADIP alerts and incidents in their Microsoft Sentinel incidents queue. Depending on your configuration, this may affect you as follows:
157
-
158
-
- If you already have your AADIP connector enabled in Microsoft Sentinel, you may receive duplicate incidents. To avoid this, you have a few choices, listed here in descending order of preference:
159
-
160
-
| Preference | Action in Microsoft 365 Defender | Action in Microsoft Sentinel |
161
-
| - | - | - |
162
-
|**1**| Keep the default AADIP integration of **Selective alerts**. | Disable **incident creation** in your AADIP data connector. |
163
-
|**2**| Choose the **All alerts** AADIP integration. | Use automation rules to automatically close incidents with unwanted alerts.<br><br>Disable **incident creation** in your AADIP data connector. |
164
-
|**3**| Don't use Microsoft 365 Defender for AADIP alerts:<br>Choose either option for AADIP integration. | Use automation rules to close all incidents where <br>- the *incident provider* is `Microsoft 365 Defender` and <br>- the *alert provider* is `Azure Active Directory Identity Protection`. <br><br>Keep **incident creation** enabled in your AADIP data connector. |
165
-
166
-
- If you don't have your [AADIP connector](data-connectors-reference.md#azure-active-directory-identity-protection) enabled, you must enable it. Be sure **not** to enable incident creation on the connector page. If you don't enable the connector, you may receive AADIP incidents without any data in them.
167
-
168
-
- If you're first enabling your Microsoft 365 Defender connector now, the AADIP connection will be made automatically behind the scenes. You won't need to do anything else.
169
-
170
172
### Azure resource entity page (Preview)
171
173
172
174
Azure resources such as Azure Virtual Machines, Azure Storage Accounts, Azure Key Vault, Azure DNS, and more are essential parts of your network. Threat actors might attempt to obtain sensitive data from your storage account, gain access to your key vault and the secrets it contains, or infect your virtual machine with malware. The new [Azure resource entity page](entity-pages.md) is designed to help your SOC investigate incidents that involve Azure resources in your environment, hunt for potential attacks, and assess risk.
0 commit comments