Merge pull request #309720 from mberdugo/LivestreamDeprecation

v-shils · web-flow · commit 1f3fa7f51246 · 2026-01-14T09:21:44.000-08:00
Livestream deprecation
diff --git a/articles/sentinel/livestream.md b/articles/sentinel/livestream.md
@@ -2,9 +2,10 @@
 title: Detect threats by using hunting livestream in Microsoft Sentinel
 description: Detect threats in real time with hunting livestream in Microsoft Sentinel. Set up sessions, receive notifications, and take action fast.
 ms.topic: how-to
-ms.date: 07/06/2025
+ms.date: 12/06/2025
 ms.author: monaberdugo
 author: mberdugo
+ms.reviewer: Ben Nick
 ms.collection: usx-security
 appliesto:
   - Microsoft Sentinel in the Microsoft Defender portal
@@ -13,14 +14,18 @@ ms.custom:
   - ai-gen-docs-bap
   - ai-gen-description
   - ai-seo-date:07/06/2025
+
+#customer intent: As a Microsoft Sentinel user, I want to learn how to use hunting livestream to detect threats in real time, so that I can quickly respond to security incidents.
 ---
 
 # Detect threats by using hunting livestream in Microsoft Sentinel
 
-Use hunting livestream to create interactive sessions that let you test newly created queries as events occur, get notifications from the sessions when a match is found, and launch investigations if necessary. You can quickly create a livestream session using any Log Analytics query. 
+Use hunting livestream to create interactive sessions that let you test newly created queries as events occur, get notifications from the sessions when a match is found, and launch investigations if necessary. You can quickly create a livestream session using any Log Analytics query.
 
 > [!NOTE]
-> This article is about **Hunting** in Microsoft Sentinel, which also exists in Defender. For **Advanced hunting** in Microsoft Defender, see [Proactively hunt for threats with advanced hunting in Microsoft Defender](/defender-xdr/advanced-hunting-overview).
+>Microsoft Sentinel livestreams will no longer be available from mid-March 2026. To automate queries and notifications, use [KQL jobs](./datalake/kql-jobs.md), [analytics rules](./threat-detection.md#types-of-analytics-rules), or [playbooks](./automation/automate-responses-with-playbooks.md). These alternatives offer persistent query results and support for various messaging platforms.
+
+This article is about **Hunting** in Microsoft Sentinel, which also exists in Defender. For **Advanced hunting** in Microsoft Defender, see [Proactively hunt for threats with advanced hunting in Microsoft Defender](/defender-xdr/advanced-hunting-overview).
 
 [!INCLUDE [unified-soc-preview](includes/unified-soc-preview.md)]
 
@@ -31,34 +36,34 @@ You can create a livestream session from an existing hunting query, or create yo
 1. For Microsoft Sentinel in the [Azure portal](https://portal.azure.com), under **Threat management**, select **Hunting**.<br> For Microsoft Sentinel in the [Defender portal](https://security.microsoft.com/), select **Microsoft Sentinel** > **Threat management** > **Hunting**. Make sure you select *Hunting*, and not *Advanced hunting*.
 
 1. To create a livestream session from a hunting query:
-    
+
     1. From the **Queries** tab, locate the hunting query to use.
     1. Right-click the query and select **Add to livestream**. For example:
-    
+
     > [!div class="mx-imgBorder"]
     > ![create Livestream session from Microsoft Sentinel hunting query](./media/livestream/livestream-from-query.png)
 
 1. To create a livestream session from scratch: 
-    
+
     1. Select the **Livestream** tab.
     1. Select **+ New livestream**.
-    
+
 1. On the **Livestream** pane:
-    
+
     - If you started livestream from a query, review the query and make any changes you want to make.
     - If you started livestream from scratch, create your query.
 
     Livestream supports **cross-resource queries** of data in Azure Data Explorer. [**Learn more about cross-resource queries**](/azure/azure-monitor/logs/azure-monitor-data-explorer-proxy).
 
 1. Select **Play** from the command bar.
-    
+
     The status bar under the command bar indicates whether your livestream session is running or paused. In the following example, the session is running:
-    
+
     > [!div class="mx-imgBorder"]
     > ![create livestream session from Microsoft Sentinel hunting](./media/livestream/livestream-session.png)
 
 1. Select **Save** from the command bar.
-    
+
     Unless you select **Pause**, the session continues to run until you're signed out from the Azure portal.
 
 ## View your livestream sessions
@@ -70,10 +75,10 @@ Find your livestream sessions on the **Hunting** > **Livestream** tab.
 1. Select the **Livestream** tab.
 
 1. Select the livestream session you want to view or edit. For example:
-    
+
     > [!div class="mx-imgBorder"]
     > ![create livestream session from Microsoft Sentinel hunting query](./media/livestream/livestream-tab.png)
-    
+
     Your selected livestream session opens for you to play, pause, edit, and so on.
 
 ## Receive notifications when new events occur
@@ -84,7 +89,7 @@ Livestream notifications for new events appear with the Azure or Defender portal
 
 1. In the Azure or Defender portal, go to the notifications on the top right-hand side of the portal page.
 1. Select the notification to open the **Livestream** pane.
- 
+
 ## Elevate a livestream session to an alert
 
 Promote a livestream session to a new alert by selecting **Elevate to alert** from the command bar on the relevant livestream session:
