New connectors, Copilot visibility, and AI analytics enhance security operations in Microsoft Sentinel as Microsoft expands SIEM capabilities.
Key Takeaways:
Microsoft Sentinel is getting new updates aimed at improving how security teams understand and investigate risk. The latest changes add new connectors, clearer analytics, and more integrated insights to help teams work more efficiently across their environments.
Microsoft has introduced new out-of-the-box connectors to simplify the onboarding of security data across cloud, SaaS, and on-premises environments. These include integrations for solutions like Mimecast Audit Logs, CrowdStrike Falcon Endpoint Protection, Vectra XDR, Palo Alto Networks Cloud NGFW, Proofpoint on Demand, Pathlock, MongoDB, Contrast ADR, and more. This expansion helps SOC teams gain unified visibility and richer analytics across their security stack.
Microsoft Sentinel has also added a connector, currently in public preview, that ingests Microsoft 365 Copilot audit logs and activity data. Security teams can now track how Copilot is used, which enables anomaly detection, policy-violation identification, and advanced analytics scenarios through the Sentinel data lake.

Microsoft has introduced support for distributing security content (rules, workbooks, analytics, etc.) across multiple tenants in Microsoft Sentinel. This new multi-tenant content distribution feature is designed to simplify management for MSSPs and large enterprises with distributed environments.
The improved User and Entity Behavior Analytics (UEBA) Essentials solution helps SOC teams detect high-risk activity in cloud and identity systems faster and supports quicker threat investigation and response workflows in enterprise environments. The solution is available through the Sentinel content hub and ships with more than 30 prebuilt UEBA queries.
Microsoft has announced the general availability of new partner-built Security Copilot agents in Microsoft Security Store within the Defender portal. These agents extend Sentinel with domain-specific expertise directly inside SOC workflows to improve automation and efficiency.
The Threat Intelligence Briefing Agent uses a structured knowledge graph to deliver more timely, industry‑ and region‑specific threat insights. These improvements give security teams context-rich guidance and practical mitigation steps to help them prioritize the most relevant risks and respond to emerging threats.
Last but not least, Microsoft has announced the integration of Purview Data Security Investigations (DSI) with Sentinel Graph. This feature uses AI-powered analysis and graph-based activity mapping to reveal how sensitive data was accessed or exposed, and who interacted with it. Separately, Microsoft has extended the deadline for migrating the Sentinel experience from Azure to the Defender portal to March 2027.