| AAD managed identity sign-in logs (Preview) | Microsoft Entra ID |[AADManagedIdentitySignInLogs](/azure/azure-monitor/reference/tables/aadmanagedidentitysigninlogs)| All managed identity sign-in events |
30
-
| AAD service principal sign-in logs (Preview)| Microsoft Entra ID |[AADServicePrincipalSignInLogs](/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs)| All service principal sign-in events |
31
-
| Audit Logs | Microsoft Entra ID |[AuditLogs](/azure/azure-monitor/reference/tables/auditlogs)| ApplicationManagement<br>DirectoryManagement<br>GroupManagement<br>Device<br>RoleManagement<br>UserManagementCategory |
32
-
| AWS CloudTrail (Preview)| Amazon Web Services<br>Amazon Web Services S3 |[AWSCloudTrail](/azure/azure-monitor/reference/tables/awscloudtrail)| Console sign-in events.<br>Identified by `EventName = "ConsoleLogin"` and `EventSource = "signin.amazonaws.com"`. Events must have a valid `UserIdentityPrincipalId`. |
| Device Logon Events (Preview)| Microsoft Defender XDR |[DeviceLogonEvents](/azure/azure-monitor/reference/tables/devicelogonevents)| All device logon events |
35
-
| GCP Audit Logs (Preview)| GCP Pub/Sub Audit Logs | [GCPAuditLogs](/azure/azure-monitor/reference/tables/gcpauditlogs) | `apigee.googleapis.com` - API Management Platform<br>`iam.googleapis.com` - Identity and Access Management (IAM) service<br>`iamcredentials.googleapis.com` - IAM Service Account Credentials API<br>`cloudresourcemanager.googleapis.com` - Cloud Resource Manager API<br>`compute.googleapis.com` - Compute Engine API<br>`storage.googleapis.com` - Cloud Storage API<br>`container.googleapis.com` - Kubernetes Engine API<br>`k8s.io` - Kubernetes API<br>`cloudsql.googleapis.com` - Cloud SQL API<br>`bigquery.googleapis.com` - BigQuery API<br>`bigquerydatatransfer.googleapis.com` - BigQuery Data Transfer Service API<br>`cloudfunctions.googleapis.com` - Cloud Functions API<br>`appengine.googleapis.com` - App Engine API<br>`dns.googleapis.com` - Cloud DNS API<br>`bigquerydatapolicy.googleapis.com` - BigQuery Data Policy API<br>`firestore.googleapis.com` - Firestore API<br>`dataproc.googleapis.com` - Dataproc API<br>`osconfig.googleapis.com` - OS Config API<br>`cloudkms.googleapis.com` - Cloud KMS API<br>`secretmanager.googleapis.com` - Secret Manager API<br>Events must have a valid:<br>- `PrincipalEmail` - The user or service account that called the API<br>- `MethodName` - The specific Google API method called<br>- Principal email, in `[email protected]` format. |
36
-
| Okta CL (Preview)| Okta Single Sign-On (using Azure Functions) | Okta_CL | Authentication, multifactor authentication (MFA), and session events, including:<br>`app.oauth2.admin.consent.grant_success`<br>`app.oauth2.authorize.code_success`<br>`device.desktop_mfa.recovery_pin.generate`<br>`user.authentication.auth_via_mfa`<br>`user.mfa.attempt_bypass`<br>`user.mfa.factor.deactivate`<br>`user.mfa.factor.reset_all`<br>`user.mfa.factor.suspend`<br>`user.mfa.okta_verify`<br>`user.session.impersonation.grant`<br>`user.session.impersonation.initiate`<br>`user.session.start`<br>Events must have a valid User ID (`actor_id_s`). |
37
-
| Security Events | Windows Security Events via AMA<br>Windows Forwarded Events |[WindowsEvent](/azure/azure-monitor/reference/tables/windowsevent)<br>[SecurityEvent](/azure/azure-monitor/reference/tables/securityevent)| 4624: An account was successfully logged on<br>4625: An account failed to log on<br>4648: A logon was attempted using explicit credentials<br>4672: Special privileges assigned to new logon<br>4688: A new process has been created |
38
-
| Sign-in Logs | Microsoft Entra ID |[SigninLogs](/azure/azure-monitor/reference/tables/signinlogs)| All sign-in events |
| AAD service principal sign-in logs (Preview)|[Microsoft Entra ID](data-connectors-reference.md#microsoft-entra-id)|[AADServicePrincipalSignInLogs](/azure/azure-monitor/reference/tables/aadserviceprincipalsigninlogs)| All service principal sign-in events |
| AWS CloudTrail (Preview)|[Amazon Web Services](data-connectors-reference.md#amazon-web-services)<br>[Amazon Web Services S3](data-connectors-reference.md#amazon-web-services-s3)|[AWSCloudTrail](/azure/azure-monitor/reference/tables/awscloudtrail)| Console sign-in events.<br>Identified by `EventName = "ConsoleLogin"` and `EventSource = "signin.amazonaws.com"`. Events must have a valid `UserIdentityPrincipalId`. |
| GCP Audit Logs (Preview)| [GCP Pub/Sub Audit Logs](data-connectors-reference.md#gcp-pubsub-audit-logs) | [GCPAuditLogs](/azure/azure-monitor/reference/tables/gcpauditlogs) | `apigee.googleapis.com` - API Management Platform<br>`iam.googleapis.com` - Identity and Access Management (IAM) service<br>`iamcredentials.googleapis.com` - IAM Service Account Credentials API<br>`cloudresourcemanager.googleapis.com` - Cloud Resource Manager API<br>`compute.googleapis.com` - Compute Engine API<br>`storage.googleapis.com` - Cloud Storage API<br>`container.googleapis.com` - Kubernetes Engine API<br>`k8s.io` - Kubernetes API<br>`cloudsql.googleapis.com` - Cloud SQL API<br>`bigquery.googleapis.com` - BigQuery API<br>`bigquerydatatransfer.googleapis.com` - BigQuery Data Transfer Service API<br>`cloudfunctions.googleapis.com` - Cloud Functions API<br>`appengine.googleapis.com` - App Engine API<br>`dns.googleapis.com` - Cloud DNS API<br>`bigquerydatapolicy.googleapis.com` - BigQuery Data Policy API<br>`firestore.googleapis.com` - Firestore API<br>`dataproc.googleapis.com` - Dataproc API<br>`osconfig.googleapis.com` - OS Config API<br>`cloudkms.googleapis.com` - Cloud KMS API<br>`secretmanager.googleapis.com` - Secret Manager API<br>Events must have a valid:<br>- `PrincipalEmail` - The user or service account that called the API<br>- `MethodName` - The specific Google API method called<br>- Principal email, in `[email protected]` format. |
36
+
| Okta CL (Preview)|[Okta Single Sign-On (using Azure Functions)](data-connectors-reference.md#okta-single-sign-on-using-azure-functions)| Okta_CL | Authentication, multifactor authentication (MFA), and session events, including:<br>`app.oauth2.admin.consent.grant_success`<br>`app.oauth2.authorize.code_success`<br>`device.desktop_mfa.recovery_pin.generate`<br>`user.authentication.auth_via_mfa`<br>`user.mfa.attempt_bypass`<br>`user.mfa.factor.deactivate`<br>`user.mfa.factor.reset_all`<br>`user.mfa.factor.suspend`<br>`user.mfa.okta_verify`<br>`user.session.impersonation.grant`<br>`user.session.impersonation.initiate`<br>`user.session.start`<br>Events must have a valid User ID (`actor_id_s`). |
37
+
| Security Events |[Windows Security Events via AMA](data-connectors-reference.md#windows-security-events-via-ama)<br>[Windows Forwarded Events](data-connectors-reference.md#windows-forwarded-events)|[WindowsEvent](/azure/azure-monitor/reference/tables/windowsevent)<br>[SecurityEvent](/azure/azure-monitor/reference/tables/securityevent)| 4624: An account was successfully logged on<br>4625: An account failed to log on<br>4648: A logon was attempted using explicit credentials<br>4672: Special privileges assigned to new logon<br>4688: A new process has been created |
38
+
| Sign-in Logs |[Microsoft Entra ID](data-connectors-reference.md#microsoft-entra-id)|[SigninLogs](/azure/azure-monitor/reference/tables/signinlogs)| All sign-in events |
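Review bot: The connector links added in the second column all rely on fragments in data-connectors-reference.md that are derived from heading text (for example `#okta-single-sign-on-using-azure-functions` and `#gcp-pubsub-audit-logs`), so a renamed heading or a mistyped slug leaves a link that quietly opens the top of the page instead of the connector entry; please confirm each fragment resolves in the docs build. Separately, the GCP Audit Logs row is carried over with the principal requirement stated twice, once as `PrincipalEmail` and again as "Principal email, in ... format"; folding the format requirement into the first bullet would make the filter criteria easier to read. Okta_CL is also still the only table name in the third column without a reference link; if that is intentional because it is a custom log table, no change is needed.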
articles/sentinel/whats-new.md
+12 -1 (12 additions & 1 deletion)
@@ -4,7 +4,7 @@ description: Learn about the latest new features and announcement in Microsoft S
4
4
author: guywi-ms
5
5
ms.author: guywild
6
6
ms.topic: concept-article
7
-
ms.date: 09/28/2025
7
+
ms.date: 01/22/2026
8
8
#Customer intent: As a security team member, I want to stay updated on the latest features and enhancements in Microsoft Sentinel so that I can effectively manage and optimize my organization's security posture.
9
9
ms.custom:
10
10
- build-2025
@@ -41,6 +41,17 @@ UEBA behaviors can be enabled independently from UEBA anomaly detection.
41
41
42
42
For more information, see [Translate raw security logs to behavioral insights using UEBA behaviors in Microsoft Sentinel](../sentinel/entity-behaviors-layer.md).
43
43
44
+
### Enable UEBA directly from data connector configuration (Preview)
45
+
46
+
You can now enable UEBA for supported data sources directly from the data connector configuration page, reducing management time and preventing coverage gaps. When you enable new connectors, you can onboard the data source to UEBA without navigating to a separate configuration page.
47
+
48
+
This integration allows you to see which data sources feed into UEBA and enable that feed directly from the connector configuration.
49
+
50
+
For more information, see:
51
+
52
+
-[Connect data sources to Microsoft Sentinel by using data connectors](configure-data-connector.md#enable-user-and-entity-behavior-analytics-ueba-from-supported-connectors)
53
+
54
+
44
55
### New detections for Sentinel solution for SAP BTP
45
56
46
57
This update expands [detection coverage for SAP BTP](../sentinel/sap/sap-btp-security-content.md#built-in-analytics-rules), strengthening visibility into high‑risk control plane, integration, and identity activities.
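Review bot: The added section says UEBA can be enabled for "supported data sources" but neither names them nor links to the list, so a reader cannot tell from this release note whether a given connector qualifies; consider adding a link to the UEBA data source reference alongside the configure-data-connector.md link. The "For more information, see:" lead-in is followed by a single-item list, whereas the preceding section uses the inline form ("For more information, see [Translate raw security logs ...]"); the inline form would be consistent. The hunk also adds two blank lines (new lines 53 and 54) before the "### New detections" heading, where a single blank line separates sections in the visible context.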