azure-sentinel

Azure Sentinel Skill

This skill provides expert guidance for Azure Sentinel. Covers troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. It combines local quick-reference content with remote documentation fetching capabilities.

How to Use This Skill

IMPORTANT for Agent: Use the Category Index below to locate relevant sections. For categories with line ranges (e.g., L35-L120), use read_file with the specified lines. For categories with file links (e.g., [security.md](security.md)), use read_file on the linked reference file

IMPORTANT for Agent: If metadata.generated_at is more than 3 months old, suggest the user pull the latest version from the repository. If mcp_microsoftdocs tools are not available, suggest the user install it: Installation Guide

This skill requires network access to fetch documentation content:

• Preferred: Use mcp_microsoftdocs:microsoft_docs_fetch with query string from=learn-agent-skill. Returns Markdown.
• Fallback: Use fetch_webpage with query string from=learn-agent-skill&accept=text/markdown. Returns Markdown.

Category Index

Category	Lines	Description
Troubleshooting	L37-L50	Diagnosing and fixing Sentinel data ingestion, connectors, analytics rules, KQL/jobs, notebooks, ASIM, and MCP tool issues, including SAP, AWS S3, Syslog/CEF, and Storage Blob.
Best Practices	L51-L76	Best practices for Sentinel SOCs: workspace/data design, detections & tuning, automation/playbooks, incident handling & metrics, UEBA/ASIM/ML use, SAP optimization, and solution lifecycle quality.
Decision Making	L77-L117	Planning Sentinel deployments and migrations (MMA/legacy SIEMs), choosing data tiers/connectors, and optimizing automation, retention, and costs across Azure and Defender portals
Architecture & Design Patterns	L118-L130	Designing Sentinel architectures: multi-workspace/tenant layouts, MSSP/Lighthouse patterns, BCDR, coexistence with other SIEMs, SAP setups, and integration patterns across portals.
Limits & Quotas	L131-L143	Limits, quotas, pricing, availability, and known issues for Microsoft Sentinel data, features, long-term search, and watchlists, including implications of disabling or removing the service.
Security	L144-L158	Configuring Sentinel security: auth for playbooks, RBAC and roles, CMK and data residency, network perimeters, SAP and MSSP protections, and AWS identity disruption actions.
Configuration	L159-L290	Configuring Microsoft Sentinel: data connectors, analytics and automation rules, ASIM schemas, data lake/KQL jobs, UEBA, health/auditing, SAP/AWS/GCP integrations, and MCP/AI tooling.
Integrations & Coding Patterns	L291-L338	Patterns and code samples for integrating Microsoft Sentinel with Logic Apps, data connectors, threat intel feeds, MCP tools, KQL/graph APIs, and external services like Teams, XDR, Purview, and Power BI.
Deployment	L339-L359	Deploying and managing Sentinel content and solutions: CI/CD, repo-based deployments, playbooks, rules as code, marketplace/content hub solutions, and SAP/Dynamics/Power Platform connectors.

Troubleshooting

Topic	URL
Troubleshoot AWS S3 log ingestion connector in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/aws-s3-troubleshoot
Troubleshoot Microsoft Sentinel Azure Storage Blob connector issues	https://learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot
Troubleshoot Syslog and CEF AMA connectors in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/cef-syslog-ama-troubleshooting
Troubleshoot KQL queries and jobs in Sentinel data lake	https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-troubleshoot
Resolve common Jupyter notebook errors in Sentinel data lake	https://learn.microsoft.com/en-us/azure/sentinel/datalake/notebooks-troubleshooting
Troubleshoot and optimize Microsoft Sentinel MCP tools	https://learn.microsoft.com/en-us/azure/sentinel/datalake/troubleshoot-sentinel-mcp
Monitor and troubleshoot Sentinel scheduled analytics rule execution	https://learn.microsoft.com/en-us/azure/sentinel/monitor-optimize-analytics-rule-execution
Troubleshoot Sentinel SAP data connector agent	https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-deploy-troubleshoot
Troubleshoot Microsoft Sentinel analytics rule issues	https://learn.microsoft.com/en-us/azure/sentinel/troubleshoot-analytics-rules
Troubleshoot Microsoft Sentinel solution ingestion and packaging	https://learn.microsoft.com/en-us/azure/sentinel/troubleshoot-sentinel-solutions

Best Practices

Topic	URL
Audit and track Microsoft Sentinel incident task history	https://learn.microsoft.com/en-us/azure/sentinel/audit-track-tasks
Design Microsoft Sentinel automation rules for SOAR	https://learn.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules
Apply recommended Microsoft Sentinel playbook templates and use cases	https://learn.microsoft.com/en-us/azure/sentinel/automation/playbook-recommendations
Apply best practices for Microsoft Sentinel workspaces	https://learn.microsoft.com/en-us/azure/sentinel/best-practices
Apply Sentinel-specific best practices for data collection	https://learn.microsoft.com/en-us/azure/sentinel/best-practices-data
Bring custom machine learning models into Microsoft Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/bring-your-own-ml
Manage Sentinel detection lifecycle effectively	https://learn.microsoft.com/en-us/azure/sentinel/detection-lifecycle-management-recommendations
Apply detection tuning recommendations to Sentinel rules	https://learn.microsoft.com/en-us/azure/sentinel/detection-tuning
Use ASIM-based essential domain solutions in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/domain-based-essential-solutions
Reduce Microsoft Sentinel false positives with rules and automation	https://learn.microsoft.com/en-us/azure/sentinel/false-positives
Standardize Microsoft Sentinel incident handling with tasks	https://learn.microsoft.com/en-us/azure/sentinel/incident-tasks
Handle data ingestion delay in scheduled rules	https://learn.microsoft.com/en-us/azure/sentinel/ingestion-delay
Use UEBA data effectively in incident investigations	https://learn.microsoft.com/en-us/azure/sentinel/investigate-with-ueba
Use Sentinel incident metrics to manage SOC performance	https://learn.microsoft.com/en-us/azure/sentinel/manage-soc-with-incident-metrics
Apply operational best practices for Microsoft Sentinel SOCs	https://learn.microsoft.com/en-us/azure/sentinel/ops-guide
Optimize SAP threat detections and content in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/sap/deployment-solution-configuration
Use Security Copilot effectively with Microsoft Sentinel data	https://learn.microsoft.com/en-us/azure/sentinel/sentinel-security-copilot
Summarize Microsoft Sentinel incidents using Security Copilot	https://learn.microsoft.com/en-us/azure/sentinel/sentinel-security-copilot-incident-summary
Manage deprecated Microsoft Sentinel solutions lifecycle	https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solution-deprecation
Apply quality guidelines to Microsoft Sentinel solutions	https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solution-quality-guidance
Use customizable anomaly detection to find threats	https://learn.microsoft.com/en-us/azure/sentinel/soc-ml-anomalies
Use Microsoft Sentinel watchlists for enriched correlation	https://learn.microsoft.com/en-us/azure/sentinel/watchlists

Decision Making

Topic	URL
Plan and execute Sentinel migration from MMA to AMA	https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate
Decide and migrate Sentinel alert-trigger playbooks to automation rules	https://learn.microsoft.com/en-us/azure/sentinel/automation/migrate-playbooks-to-automation-rules
Decide when to use the Microsoft Sentinel data lake tier	https://learn.microsoft.com/en-us/azure/sentinel/basic-logs-use-cases
Plan and estimate Microsoft Sentinel billing costs	https://learn.microsoft.com/en-us/azure/sentinel/billing
Manage and monitor Microsoft Sentinel costs and billing	https://learn.microsoft.com/en-us/azure/sentinel/billing-monitor-costs
Use Sentinel prepurchase plans to optimize analytics costs	https://learn.microsoft.com/en-us/azure/sentinel/billing-pre-purchase-plan
Reduce and optimize Microsoft Sentinel costs	https://learn.microsoft.com/en-us/azure/sentinel/billing-reduce-costs
Choose and configure Sentinel connectors for Cisco firewalls	https://learn.microsoft.com/en-us/azure/sentinel/cisco-ftd-firewall
Choose between Sentinel analytics rules and Defender custom detections	https://learn.microsoft.com/en-us/azure/sentinel/compare-analytics-rules-custom-detections
Configure Sentinel interactive and long-term retention	https://learn.microsoft.com/en-us/azure/sentinel/configure-data-retention-archive
Assess Sentinel connector support across clouds	https://learn.microsoft.com/en-us/azure/sentinel/data-type-cloud-support
Choose between KQL jobs, summary rules, and search jobs in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-jobs-summary-rules-search-jobs
Choose which logs to ingest into Sentinel data lake	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-log-ingestion-guidance
Enroll workspaces in Sentinel simplified pricing tiers	https://learn.microsoft.com/en-us/azure/sentinel/enroll-simplified-pricing-tier
Decide when to use search jobs and restore data in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/investigate-large-datasets
Choose Microsoft Sentinel log retention tiers	https://learn.microsoft.com/en-us/azure/sentinel/log-plans
Choose data tiers and retention settings in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/manage-data-overview
Determine Defender XDR data type support across GCC clouds in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-cloud-support
Use Microsoft Sentinel within Defender portal	https://learn.microsoft.com/en-us/azure/sentinel/microsoft-sentinel-defender-portal
Plan migration from legacy SIEM to Microsoft Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/migration
Migrate ArcSight SOAR automation to Sentinel rules and playbooks	https://learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-automation
Map and migrate ArcSight detection rules to Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-detection-rules
Export ArcSight historical data for Sentinel migration	https://learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-historical-data
Choose Azure target platform for Sentinel historical data	https://learn.microsoft.com/en-us/azure/sentinel/migration-ingestion-target-platform
Select data ingestion tools for Sentinel historical logs	https://learn.microsoft.com/en-us/azure/sentinel/migration-ingestion-tool
Migrate QRadar SOAR automation to Sentinel automation	https://learn.microsoft.com/en-us/azure/sentinel/migration-qradar-automation
Map and migrate QRadar detection rules to Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/migration-qradar-detection-rules
Export QRadar historical data for Sentinel migration	https://learn.microsoft.com/en-us/azure/sentinel/migration-qradar-historical-data
Migrate Splunk SOAR automation to Sentinel rules and playbooks	https://learn.microsoft.com/en-us/azure/sentinel/migration-splunk-automation
Map and migrate Splunk detection rules to Sentinel analytics	https://learn.microsoft.com/en-us/azure/sentinel/migration-splunk-detection-rules
Export Splunk historical data for Sentinel migration	https://learn.microsoft.com/en-us/azure/sentinel/migration-splunk-historical-data
Transition Sentinel operations from Azure portal to Defender portal	https://learn.microsoft.com/en-us/azure/sentinel/move-to-defender
Prioritize Microsoft Sentinel data connectors strategically	https://learn.microsoft.com/en-us/azure/sentinel/prioritize-data-connectors
Select domain-specific Sentinel solutions from content hub	https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog
Use SIEM migration tool to map detections	https://learn.microsoft.com/en-us/azure/sentinel/siem-migration
Apply Sentinel SOC optimization recommendations	https://learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-access
Use Sentinel SOC optimization reference recommendations	https://learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-reference

Architecture & Design Patterns

Topic	URL
Design BCDR architecture for Microsoft Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/business-continuity-disaster-recovery
Deploy Sentinel alongside an existing SIEM	https://learn.microsoft.com/en-us/azure/sentinel/deploy-side-by-side
Design Sentinel across multiple workspaces and tenants	https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants
Architect multi-tenant Sentinel for MSSPs with Azure Lighthouse	https://learn.microsoft.com/en-us/azure/sentinel/multiple-tenants-service-providers
Design integration patterns for Microsoft Sentinel solutions	https://learn.microsoft.com/en-us/azure/sentinel/partner-integrations
Plan multi-workspace and multi-tenant Sentinel layouts	https://learn.microsoft.com/en-us/azure/sentinel/prepare-multiple-workspaces
Choose Microsoft Sentinel workspace designs by scenario	https://learn.microsoft.com/en-us/azure/sentinel/sample-workspace-designs
Design multi-workspace architecture for Sentinel SAP	https://learn.microsoft.com/en-us/azure/sentinel/sap/cross-workspace
Implement multi-workspace and multi-tenant Sentinel setup	https://learn.microsoft.com/en-us/azure/sentinel/use-multiple-workspaces

Limits & Quotas

Topic	URL
Microsoft Sentinel data lake service limits reference	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-service-limits
Microsoft Sentinel MCP pricing and usage limits	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-billing
Check Sentinel feature availability by Azure cloud	https://learn.microsoft.com/en-us/azure/sentinel/feature-availability
Understand ASIM known issues and limitations in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/normalization-known-issues
Understand implications and timing of removing Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/offboard-implications
Run Microsoft Sentinel search jobs over long-term data	https://learn.microsoft.com/en-us/azure/sentinel/search-jobs
Review Microsoft Sentinel service limits and quotas	https://learn.microsoft.com/en-us/azure/sentinel/sentinel-service-limits
Create Microsoft Sentinel watchlists with size limits	https://learn.microsoft.com/en-us/azure/sentinel/watchlists-create
Edit Microsoft Sentinel watchlists with ingestion SLA	https://learn.microsoft.com/en-us/azure/sentinel/watchlists-manage

Security

Topic	URL
Configure authentication for Microsoft Sentinel playbooks	https://learn.microsoft.com/en-us/azure/sentinel/automation/authenticate-playbooks-to-sentinel
Define access restriction policies for Sentinel Standard playbooks	https://learn.microsoft.com/en-us/azure/sentinel/automation/define-playbook-access-restrictions
Enable Sentinel attack disruption actions on AWS identities	https://learn.microsoft.com/en-us/azure/sentinel/aws-disruption
Configure customer-managed keys for Microsoft Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/customer-managed-keys
Enable network security perimeters for Sentinel Storage connectors	https://learn.microsoft.com/en-us/azure/sentinel/enable-storage-network-security
Understand Sentinel geographic availability and data residency	https://learn.microsoft.com/en-us/azure/sentinel/geographical-availability-data-residency
Protect MSSP intellectual property in Sentinel deployments	https://learn.microsoft.com/en-us/azure/sentinel/mssp-protect-intellectual-property
Configure resource-context RBAC for Sentinel data access	https://learn.microsoft.com/en-us/azure/sentinel/resource-context-rbac
Configure Microsoft Sentinel roles and permissions	https://learn.microsoft.com/en-us/azure/sentinel/roles
Assign required SAP ABAP authorizations for Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/sap/required-abap-authorizations
Use Microsoft Sentinel built-in security content for SAP	https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-security-content

Configuration

Topic	URL
Add advanced condition groups to Sentinel automation rules	https://learn.microsoft.com/en-us/azure/sentinel/add-advanced-conditions-to-automation-rules
Understand anomaly types detected by Sentinel ML engine	https://learn.microsoft.com/en-us/azure/sentinel/anomalies-reference
Create Data Collection Rules for Sentinel using API examples	https://learn.microsoft.com/en-us/azure/sentinel/api-dcr-reference
Access and query Microsoft Sentinel audit data	https://learn.microsoft.com/en-us/azure/sentinel/audit-sentinel-data
Use SentinelAudit tables for user activity auditing	https://learn.microsoft.com/en-us/azure/sentinel/audit-table-reference
Configure Microsoft Sentinel automation rule properties and conditions	https://learn.microsoft.com/en-us/azure/sentinel/automation-rule-reference
Map CEF keys to Microsoft Sentinel CommonSecurityLog fields	https://learn.microsoft.com/en-us/azure/sentinel/cef-name-mapping
Understand Syslog and CEF AMA connectors for Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/cef-syslog-ama-overview
Configure Security Events connector for anomalous RDP detection	https://learn.microsoft.com/en-us/azure/sentinel/configure-connector-login-detection
Configure ingestion-time data transformation in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/configure-data-transformation
Configure Fusion multistage attack detection rules	https://learn.microsoft.com/en-us/azure/sentinel/configure-fusion-rules
Configure AWS service log connectors for Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/connect-aws
Prepare AWS environment to send logs to Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/connect-aws-configure-environment
Configure AWS EKS S3 connector to ingest audit logs	https://learn.microsoft.com/en-us/azure/sentinel/connect-aws-eks
Configure AWS WAF S3 connector to ingest logs to Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/connect-aws-s3-waf
Configure Microsoft Entra ID connector for Sentinel logs	https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory
Connect Azure Virtual Desktop diagnostics to Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-virtual-desktop
Configure Sentinel connectors for Azure and Microsoft services	https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-windows-microsoft-services
Configure AMA-based Syslog and CEF ingestion to Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog-ama
Configure Custom Logs via AMA to ingest text logs	https://learn.microsoft.com/en-us/azure/sentinel/connect-custom-logs-ama
Configure Defender for Cloud alerts connector for Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/connect-defender-for-cloud
Stream and filter Windows DNS logs to Sentinel via AMA	https://learn.microsoft.com/en-us/azure/sentinel/connect-dns-ama
Configure GCP Pub/Sub connectors to ingest logs to Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform
Enable Defender Threat Intelligence data connectors in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/connect-mdti-data-connector
Stream Microsoft Defender XDR incidents and events to Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender
Configure Purview Information Protection connector for Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-purview
Configure API-based data connectors for Microsoft Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/connect-services-api-based
Set up diagnostic settings-based connectors for Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/connect-services-diagnostic-setting-based
Configure Windows agent-based data connectors for Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/connect-services-windows-based
Create scheduled analytics rules from templates	https://learn.microsoft.com/en-us/azure/sentinel/create-analytics-rule-from-template
Create custom scheduled analytics rules in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/create-analytics-rules
Configure incident creation from alerts in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts
Configure Microsoft Sentinel automation rules for incident response	https://learn.microsoft.com/en-us/azure/sentinel/create-manage-use-automation-rules
Create and manage near-real-time detection rules	https://learn.microsoft.com/en-us/azure/sentinel/create-nrt-rules
Create Microsoft Sentinel incident task lists via automation rules	https://learn.microsoft.com/en-us/azure/sentinel/create-tasks-automation-rule
Customize Sentinel alert names, severity, and tactics	https://learn.microsoft.com/en-us/azure/sentinel/customize-alert-details
Customize activities shown on Sentinel entity timelines	https://learn.microsoft.com/en-us/azure/sentinel/customize-entity-activities
Configure Azure Storage Blob Codeless Connector Framework rules	https://learn.microsoft.com/en-us/azure/sentinel/data-connection-rules-reference-azure-storage
Configure GCP Codeless Connector Framework data connection rules	https://learn.microsoft.com/en-us/azure/sentinel/data-connection-rules-reference-gcp
Configure RestApiPoller data connector and rules JSON	https://learn.microsoft.com/en-us/azure/sentinel/data-connector-connection-rules-reference
Define Codeless Connector Framework data connector UI JSON	https://learn.microsoft.com/en-us/azure/sentinel/data-connector-ui-definitions-reference
Use asset data table mappings in Sentinel data lake	https://learn.microsoft.com/en-us/azure/sentinel/datalake/asset-data-tables
Use audit logs for Sentinel data lake and graph	https://learn.microsoft.com/en-us/azure/sentinel/datalake/auditing-lake-activities
Configure federated data connectors in Sentinel data lake	https://learn.microsoft.com/en-us/azure/sentinel/datalake/data-federation-setup
Create and schedule KQL jobs in Sentinel data lake	https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-jobs
Configure and schedule KQL jobs in Sentinel data lake	https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-jobs
Run and manage KQL queries in Sentinel data lake UI	https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-queries
Schedule and manage Sentinel notebook jobs for data processing	https://learn.microsoft.com/en-us/azure/sentinel/datalake/notebook-jobs
Run and configure Jupyter notebooks on Sentinel data lake	https://learn.microsoft.com/en-us/azure/sentinel/datalake/notebooks
Onboard Sentinel data lake from Defender portal	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-onboard-defender
Onboard to Microsoft Sentinel data lake and graph	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-onboarding
Enable Sentinel MCP connector in ChatGPT or Claude	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-chatgpt-claude-connector
Create and configure custom Sentinel MCP tools from KQL	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-create-custom-tool
Configure Microsoft Sentinel MCP server for AI queries	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-get-started
Use Sentinel MCP tools in Microsoft Foundry projects	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-azure-ai-foundry
Configure Sentinel MCP tools in Microsoft Copilot Studio	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-copilot-studio
Configure Sentinel MCP tools in Microsoft Security Copilot	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-security-copilot
Configure Sentinel MCP tools in Visual Studio Code	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-visual-studio-code
Configure Sentinel workbooks to use data lake as source	https://learn.microsoft.com/en-us/azure/sentinel/datalake/workbooks-for-data-lake
Use DNS AMA connector fields and normalization schema in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/dns-ama-fields
Enable and configure UEBA in Microsoft Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics
Enable Sentinel auditing and health monitoring and query data	https://learn.microsoft.com/en-us/azure/sentinel/enable-monitoring
Reference Microsoft Sentinel entity types and identifiers	https://learn.microsoft.com/en-us/azure/sentinel/entities-reference
Review Fusion-detected multistage attack scenarios in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/fusion-scenario-reference
Configure and interpret Sentinel auditing and health monitoring	https://learn.microsoft.com/en-us/azure/sentinel/health-audit
Use SentinelHealth table for SIEM health monitoring	https://learn.microsoft.com/en-us/azure/sentinel/health-table-reference
Manage versions of scheduled analytics rule templates	https://learn.microsoft.com/en-us/azure/sentinel/manage-analytics-rule-templates
Configure and manage installed Sentinel platform solutions	https://learn.microsoft.com/en-us/azure/sentinel/manage-platform-solutions
Configure table retention and tier settings in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/manage-table-tiers-retention
Map data fields to Sentinel entity types in rules	https://learn.microsoft.com/en-us/azure/sentinel/map-data-fields-to-entities
Use Microsoft Purview Information Protection audit record types in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/microsoft-purview-record-types-activities
Monitor Microsoft Sentinel analytics rule health and integrity	https://learn.microsoft.com/en-us/azure/sentinel/monitor-analytics-rule-integrity
Monitor Sentinel automation rules and playbooks health	https://learn.microsoft.com/en-us/azure/sentinel/monitor-automation-health
Monitor Sentinel data connector health with SentinelHealth and workbooks	https://learn.microsoft.com/en-us/azure/sentinel/monitor-data-connector-health
Monitor Sentinel–SAP connector health and performance	https://learn.microsoft.com/en-us/azure/sentinel/monitor-sap-system-health
Use multi-workspace incident views in Microsoft Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/multiple-workspace-view
Configure near-real-time analytics rules for fast detection	https://learn.microsoft.com/en-us/azure/sentinel/near-real-time-rules
Manage workspace-deployed ASIM parsers in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-workspace-parsers
Use ASIM common schema fields in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/normalization-common-fields
Implement ASIM Application Entity schema in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/normalization-entity-application
Implement ASIM Device Entity schema in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/normalization-entity-device
Implement ASIM User Entity schema in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/normalization-entity-user
Map AI agent telemetry to Sentinel ASIM Agent schema	https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-agent
Use ASIM Alert Events normalization schema	https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-alert
Implement ASIM Asset Entity schema in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-asset
Use ASIM Audit Events normalization schema	https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-audit
Use ASIM Authentication normalization schema	https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-authentication
Apply ASIM DHCP normalization schema in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-dhcp
Use ASIM DNS normalization schema in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-dns
Use ASIM File Event normalization schema	https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-file-event
Use Microsoft Sentinel ASIM network session schema fields	https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-network
Use Microsoft Sentinel ASIM process event schema fields	https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-process-event
Use Microsoft Sentinel ASIM registry event schema fields	https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-registry-event
Use Microsoft Sentinel user management normalization schema	https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-user-management
Use legacy Microsoft Sentinel network normalization schema v0.1	https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-v1
Use Microsoft Sentinel ASIM web session schema fields	https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-web
Configure MSTICPy and notebooks for Microsoft Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/notebook-get-started
Advanced MSTICPy and notebook configuration for Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/notebooks-msticpy-advanced
Configure SAP HANA audit log collection in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/sap/collect-sap-hana-audit-logs
Prepare SAP systems for Sentinel SAP connector	https://learn.microsoft.com/en-us/azure/sentinel/sap/preparing-sap
Verify prerequisites for Sentinel SAP monitoring	https://learn.microsoft.com/en-us/azure/sentinel/sap/prerequisites-for-deploying-sap-continuous-threat-monitoring
Reference kickstart script parameters for SAP connector	https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-kickstart
Configure legacy systemconfig.ini for Sentinel SAP agent	https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-systemconfig
Configure systemconfig.json for Sentinel SAP connector	https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-systemconfig-json
Configure SAP connector agent update script options	https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-update
Use expert configuration for Sentinel SAP connector agent	https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-deploy-alternate
Reference SAP logs and tables ingested by Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-log-reference
Tune monitored SAP security parameters for Sentinel rules	https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-suspicious-configuration-security-parameters
Configure scheduled analytics rules in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/scheduled-rules-overview
Use Microsoft Sentinel security alert schema fields	https://learn.microsoft.com/en-us/azure/sentinel/security-alert-schema
Map alert schemas between Sentinel standalone and XDR connectors	https://learn.microsoft.com/en-us/azure/sentinel/security-alert-schema-differences
Understand Sentinel out-of-the-box content centralization	https://learn.microsoft.com/en-us/azure/sentinel/sentinel-content-centralize
Remove and restore Sentinel content hub solutions	https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-delete
Create and configure summary rules in Sentinel solutions	https://learn.microsoft.com/en-us/azure/sentinel/sentinel-summary-rules-creation
Build and publish Sentinel workbooks in solutions	https://learn.microsoft.com/en-us/azure/sentinel/sentinel-workbook-creation
Configure Azure Storage Blob connector for Sentinel logs	https://learn.microsoft.com/en-us/azure/sentinel/setup-azure-storage-connector
Review prerequisites for Microsoft Sentinel solutions	https://learn.microsoft.com/en-us/azure/sentinel/solution-setup-essentials
Configure and use Sentinel summary rules for data aggregation	https://learn.microsoft.com/en-us/azure/sentinel/summary-rules
Surface custom event details in Sentinel alerts	https://learn.microsoft.com/en-us/azure/sentinel/surface-custom-details-in-alerts
Configure threat intelligence feed integrations in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/threat-intelligence-integration
Configure filter and split transformations for Sentinel data	https://learn.microsoft.com/en-us/azure/sentinel/transformation-filter-split
Reference for Sentinel UEBA inputs and enrichments	https://learn.microsoft.com/en-us/azure/sentinel/ueba-reference
Configure Custom Logs via AMA for specific applications	https://learn.microsoft.com/en-us/azure/sentinel/unified-connector-custom-device
Configure unified connectors to integrate Sentinel data	https://learn.microsoft.com/en-us/azure/sentinel/unified-connector-integration
Use schemas for Microsoft Sentinel watchlist templates	https://learn.microsoft.com/en-us/azure/sentinel/watchlist-schemas
Select Windows security event sets for Sentinel ingestion	https://learn.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference
Configure and tune anomaly detection analytics rules	https://learn.microsoft.com/en-us/azure/sentinel/work-with-anomaly-rules
Configure and use Sentinel workspace manager	https://learn.microsoft.com/en-us/azure/sentinel/workspace-manager

Integrations & Coding Patterns

Topic	URL
Create and execute Sentinel incident tasks using playbooks	https://learn.microsoft.com/en-us/azure/sentinel/automation/create-tasks-playbook
Use automation integrations in Microsoft Sentinel playbooks	https://learn.microsoft.com/en-us/azure/sentinel/automation/integrations
Leverage Azure Logic Apps workflows for Sentinel playbooks	https://learn.microsoft.com/en-us/azure/sentinel/automation/logic-apps-playbooks
Use Microsoft Sentinel playbook triggers and actions via Logic Apps	https://learn.microsoft.com/en-us/azure/sentinel/automation/playbook-triggers-actions
Integrate Microsoft Sentinel incidents with Microsoft Teams	https://learn.microsoft.com/en-us/azure/sentinel/collaborate-in-microsoft-teams
Build Azure Functions-based connectors for Sentinel data	https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-functions-template
Integrate Logstash with Sentinel using DCR-based API	https://learn.microsoft.com/en-us/azure/sentinel/connect-logstash-data-connection-rules
Integrate STIX/TAXII threat feeds with Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-taxii
Connect external threat intelligence platforms to Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-tip
Integrate external TIP feeds using Sentinel upload API	https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api
Create codeless data connectors with Sentinel CCF	https://learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector
Build Sentinel custom connectors with AI agent	https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector-builder-agent
Implement push-based codeless connectors for Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/create-push-codeless-connector
Query Sentinel graphs using GQL syntax and operators	https://learn.microsoft.com/en-us/azure/sentinel/datalake/gql-reference-for-sentinel-custom-graph
Call Sentinel custom graph REST APIs from clients	https://learn.microsoft.com/en-us/azure/sentinel/datalake/graph-rest-api
Query and visualize custom security graphs in Sentinel graph	https://learn.microsoft.com/en-us/azure/sentinel/datalake/graph-visualization
Call Sentinel data lake KQL query REST APIs programmatically	https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-queries-api
Use sample KQL queries for Sentinel data lake investigations	https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-sample-queries
Run sample PySpark notebook code against Sentinel data lake	https://learn.microsoft.com/en-us/azure/sentinel/datalake/notebook-examples
Use sentinel_graph API to build Sentinel security graphs	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-graph-provider-reference
Use Sentinel MCP agent creation tools for Copilot agents	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-agent-creation-tool
Use Sentinel MCP data exploration tools with KQL	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-data-exploration-tool
Integrate Sentinel MCP tools into Azure Logic Apps workflows	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-logic-apps
Use Sentinel MCP triage tools for incident hunting	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-triage-tool
Use MicrosoftSentinelProvider class to access data lake	https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-provider-class-reference
Query and use federated data sources in Microsoft Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/datalake/using-data-federation
Enrich Sentinel entities with geolocation data using REST API	https://learn.microsoft.com/en-us/azure/sentinel/geolocation-data-api
Manage Sentinel hunting queries via Log Analytics REST API	https://learn.microsoft.com/en-us/azure/sentinel/hunting-with-rest-api
Bulk import threat indicators from files into Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/indicators-bulk-file-import
Ingest Defender for Cloud incidents via Defender XDR	https://learn.microsoft.com/en-us/azure/sentinel/ingest-defender-for-cloud-incidents
Integrate Microsoft Defender XDR with Microsoft Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration
Use ASIM KQL parsers for normalized Sentinel queries	https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-parsers
Develop and deploy custom ASIM parsers	https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers
Apply ASIM helper functions in KQL queries	https://learn.microsoft.com/en-us/azure/sentinel/normalization-functions
Build Power BI reports from Sentinel log data	https://learn.microsoft.com/en-us/azure/sentinel/powerbi
Integrate Microsoft Purview insights and rules with Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/purview-solution
Trigger Sentinel playbooks from entities during investigations	https://learn.microsoft.com/en-us/azure/sentinel/respond-threats-during-investigation
Use Sentinel SAP solution KQL functions for analysis	https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-function-reference
Monitor Zero Trust TIC 3.0 with Sentinel solution	https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solution
Call Sentinel SOC optimization recommendations API	https://learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-api
Import threat intelligence STIX objects into Sentinel via upload API	https://learn.microsoft.com/en-us/azure/sentinel/stix-objects-api
Extract non-native incident entities with Sentinel playbooks	https://learn.microsoft.com/en-us/azure/sentinel/tutorial-extract-incident-entities
Use legacy Sentinel upload indicators API for STIX IOCs	https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api
Query STIX indicator and object tables in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/work-with-stix-objects-indicators

Deployment

Topic	URL
Create and customize Sentinel playbooks from templates	https://learn.microsoft.com/en-us/azure/sentinel/automation/use-playbook-templates
Deploy Sentinel Business Apps solution for Power Platform	https://learn.microsoft.com/en-us/azure/sentinel/business-applications/deploy-power-platform-solution
Set up CI/CD for Sentinel custom content	https://learn.microsoft.com/en-us/azure/sentinel/ci-cd
Manage Sentinel custom content with repository connections	https://learn.microsoft.com/en-us/azure/sentinel/ci-cd-custom-content
Customize repository-based deployments in Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/ci-cd-custom-deploy
Onboard Azure Stack Hub VMs to Microsoft Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-stack
Connect Dynamics 365 Finance and Operations to Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/dynamics-365/deploy-dynamics-365-finance-operations-solution
Import and export Sentinel analytics rules via ARM	https://learn.microsoft.com/en-us/azure/sentinel/import-export-analytics-rules
Import and export Microsoft Sentinel automation rules as code	https://learn.microsoft.com/en-us/azure/sentinel/import-export-automation-rules
Package and publish Sentinel platform solutions	https://learn.microsoft.com/en-us/azure/sentinel/package-platform-solution
Publish Microsoft Sentinel SIEM solutions to marketplace	https://learn.microsoft.com/en-us/azure/sentinel/publish-sentinel-solutions
Deploy SAP data connector agent via command line	https://learn.microsoft.com/en-us/azure/sentinel/sap/deploy-command-line
Deploy containerized SAP data connector to Sentinel	https://learn.microsoft.com/en-us/azure/sentinel/sap/deploy-data-connector-agent-container
Deploy Microsoft Sentinel solution for SAP BTP	https://learn.microsoft.com/en-us/azure/sentinel/sap/deploy-sap-btp-solution
Deploy Sentinel solution for SAP applications	https://learn.microsoft.com/en-us/azure/sentinel/sap/deployment-overview
Update Microsoft Sentinel SAP data connector agent	https://learn.microsoft.com/en-us/azure/sentinel/sap/update-sap-data-connector
Deploy Sentinel solutions from Content hub	https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-deploy
Track Microsoft Sentinel solution status post-publish	https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-post-publish-tracking