@@ -4,7 +4,7 @@ description: Learn about the latest new features and announcement in Microsoft S
4
4
author: guywi-ms
5
5
ms.author: guywild
6
6
ms.topic: concept-article
7
-
ms.date: 01/28/2026
7
+
ms.date: 04/06/2026
8
8
#Customer intent: As a security team member, I want to stay updated on the latest features and enhancements in Microsoft Sentinel so that I can effectively manage and optimize my organization's security posture.
9
9
ms.custom:
10
10
- build-2025
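Review bot: The `description` value shown in this hunk's header ("Learn about the latest new features and announcement in Microsoft S…") has a number-agreement slip, "announcement" should be "announcements"; since `ms.date` is already being touched in this hunk, fold that one-word fix into the same frontmatter change. The date bump from 01/28/2026 to 04/06/2026 itself is consistent with the April 2026 entries added in the next hunk.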
@@ -18,6 +18,43 @@ The listed features were released in the last six months. For information about
-[Microsoft Sentinel data federation (Preview)](#microsoft-sentinel-data-federation-preview)
24
+
-[Transform data with filter and split features (Preview)](#transform-data-with-filter-and-split-features-preview)
25
+
-[Accelerate Microsoft Sentinel connector development with Visual Studio Code connector builder agent (Preview)](#accelerate-microsoft-sentinel-connector-development-with-visual-studio-code-connector-builder-agent-preview)
-[Entity analyzer is now generally available](#entity-analyzer-is-now-generally-available)
28
+
-[AI-powered SIEM migration tool is now generally available](#ai-powered-siem-migration-tool-is-now-generally-available)
29
+
30
+
### Microsoft Sentinel data federation (Preview)
31
+
Powered by Microsoft Fabric, Microsoft Sentinel data federation lets you analyze security data where it already lives, without copying or duplicating it. You can federate data from Microsoft Fabric, Azure Data Lake Storage, and Azure Databricks into Microsoft Sentinel data lake, then use familiar Microsoft Sentinel experiences like KQL, notebooks, and custom graphs across both federated and native data.
32
+
33
+
For more information, see [Data federation overview in Microsoft Sentinel data lake](datalake/data-federation-overview.md).
34
+
35
+
### Transform data with filter and split features (Preview)
36
+
Native filtering and splitting in the Microsoft Defender portal helps you reduce noise before ingestion, control costs, and intelligently route data between analytics and data lake tiers so you can optimize what gets analyzed versus retained. For more information, see [Transform data using filter and split in Microsoft Sentinel](transformation-filter-split.md).
37
+
38
+
### Accelerate Microsoft Sentinel connector development with Visual Studio Code connector builder agent (Preview)
39
+
An AI-powered, low-code agent in Visual Studio Code helps you build Microsoft Sentinel connectors in minutes, bringing in new data sources faster and unlocking security outcomes sooner. For more information, see [Get started with custom connectors using AI agent in Microsoft Sentinel](create-custom-connector-builder-agent.md).
40
+
41
+
### Build custom graphs (Preview)
42
+
Build tailored security graphs across the Sentinel data lake and third-party data to uncover attack paths, blast radius, and hidden relationships. These graphs also serve as a foundation for advanced investigations and AI agents. For more information, see [Custom Graph overview](datalake/custom-graphs-overview.md).
43
+
44
+
#### Graphs experience in the Microsoft Defender portal (Preview)
45
+
After creating your custom graphs, you can access them in the graphs section of the Defender portal under **Microsoft Sentinel**. From there, you can run Graph Query Language (GQL) queries, view the graph schema, visualize the graph, view graph results in tabular format, and interactively traverse the graph to the next hop with a simple click.
46
+
47
+
### Entity analyzer is now generally available
48
+
49
+
[Entity analyzer](datalake/sentinel-mcp-data-exploration-tool.md#entity-analyzer) in the Microsoft Sentinel Model Context Protocol (MCP) [data exploration tool collection](datalake/sentinel-mcp-data-exploration-tool.md) lets you get out-of-the-box, explainable entity risk assessments for URLs and identities using threat intelligence, prevalence, and organizational context.
50
+
51
+
> [!IMPORTANT]
52
+
> Starting April 1, 2026, you're charged for the Security Compute Units (SCUs) required when using the entity analyzer. For more information, see: [Understand Microsoft Sentinel MCP server pricing, limits, and availability](datalake/sentinel-mcp-billing.md#microsoft-sentinel-entity-analyzer-tool).
53
+
54
+
### AI-powered SIEM migration tool is now generally available
55
+
Accelerate migrations to Microsoft Sentinel from Splunk and QRadar using an AI-assisted SIEM migration experience designed to reduce manual effort and speed time-to-value. For more information, see [Migrate to Microsoft Sentinel with the SIEM migration experience](siem-migration.md).
56
+
57
+
21
58
## March 2026
22
59
23
60
-[Call to action: update older Microsoft Sentinel content as code (Sentinel repositories) API versions before June 15, 2026](#call-to-action-update-older-microsoft-sentinel-content-as-code-sentinel-repositories-api-versions-before-june-15-2026)
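Review bot: Product naming is inconsistent inside the added April 2026 section: the data federation entry says "Microsoft Sentinel data lake" while the custom graphs entry says "the Sentinel data lake"; use the full product name in both. Two smaller points in the same hunk: the line "For more information, see: [Understand Microsoft Sentinel MCP server pricing, limits, and availability]" under the IMPORTANT note carries a colon after "see" that none of the other "For more information, see [...]" sentences in this hunk use, and the visible bullet list at the top of the section (data federation, filter and split, connector builder, entity analyzer, SIEM migration) shows no entry for the new `### Build custom graphs (Preview)` heading; if that entry is not present, add `- [Build custom graphs (Preview)](#build-custom-graphs-preview)` so the section is reachable from the list like the others.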
@@ -543,107 +580,6 @@ For more information, see:
543
580
-[Microsoft Sentinel solution for SAP applications - functions reference](sap/sap-solution-function-reference.md)
544
581
-[Troubleshooting your Microsoft Sentinel solution for SAP applications deployment](sap/sap-deploy-troubleshoot.md)
545
582
546
-
## January 2025
547
-
548
-
-[Optimize threat intelligence feeds with ingestion rules](#optimize-threat-intelligence-feeds-with-ingestion-rules)
549
-
-[Matching analytics rule now generally available (GA)](#matching-analytics-rule-now-generally-available-ga)
-[Unlock advanced hunting with new STIX objects by opting in to new threat intelligence tables](#unlock-advanced-hunting-with-new-stix-objects-by-opting-in-to-new-threat-intelligence-tables)
552
-
-[Threat intelligence upload API now supports more STIX objects](#threat-intelligence-upload-api-now-supports-more-stix-objects)
553
-
-[Microsoft Defender Threat Intelligence data connectors now generally available (GA)](#microsoft-defender-threat-intelligence-data-connectors-now-generally-available-ga)
554
-
-[Bicep file support for repositories (Preview)](#bicep-file-support-for-repositories-preview)
555
-
-[SOC optimization updates for unified coverage management](#soc-optimization-updates-for-unified-coverage-management)
556
-
-[View granular solution content in the Microsoft Sentinel content hub](#view-granular-solution-content-in-the-microsoft-sentinel-content-hub)
557
-
558
-
### Optimize threat intelligence feeds with ingestion rules
559
-
560
-
Optimize threat intelligence feeds by filtering and enhancing objects before they're delivered to your workspace. Ingestion rules update threat intel object attributes, or filter objects out all together. Check out the blog announcement [here](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/introducing-threat-intelligence-ingestion-rules/4379019)!
561
-
562
-
For more information, see [Understand threat intelligence ingestion rules](understand-threat-intelligence.md#configure-ingestion-rules).
563
-
564
-
### Matching analytics rule now generally available (GA)
565
-
566
-
Microsoft provides access to its premium threat intelligence through the Defender Threat Intelligence analytics rule which is now generally available (GA). For more information on how to take advantage of this rule, which generates high-fidelity alerts and incidents, see [Use matching analytics to detect threats](use-matching-analytics-to-detect-threats.md).
567
-
568
-
### Threat intelligence management interface has moved
569
-
570
-
Threat intelligence for Microsoft Sentinel in the Defender portal has changed! We've renamed the page **Intel management** and moved it with other threat intelligence workflows. There's no change for customers using Microsoft Sentinel in the Azure experience.
571
-
572
-
:::image type="content" source="media/whats-new/intel-management-navigation.png" alt-text="Screenshot showing new menu placement for Microsoft Sentinel threat intelligence.":::
573
-
574
-
Enhancements to threat intelligence capabilities are available for customers using both Microsoft Sentinel experiences. The management interface streamlines the creation and curation of threat intel with these key features:
575
-
576
-
- Define relationships as you create new STIX objects.
577
-
- Curate existing threat intelligence with the new relationship builder.
578
-
- Create multiple objects quickly by copying common metadata from a new or existing TI object using a duplication feature.
579
-
- Use advanced search to sort and filter your threat intelligence objects without even writing a Log Analytics query.
580
-
581
-
For more information, see the following articles:
582
-
-[New STIX objects in Microsoft Sentinel](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/announcing-public-preview-new-stix-objects-in-microsoft-sentinel/4369164)
-[Uncover adversaries with threat intelligence in the Defender portal](/unified-secops-platform/threat-intelligence-overview)
585
-
586
-
### Unlock advanced hunting with new STIX objects by opting in to new threat intelligence tables
587
-
588
-
Tables supporting the new STIX object schema aren't available publicly. In order to query threat intelligence for STIX objects with KQL and unlock the hunting model that uses them, request to opt in with [this form](https://forms.office.com/r/903VU5x3hz?origin=lprLink). Ingest your threat intelligence into the new tables, `ThreatIntelIndicators` and `ThreatIntelObjects` alongside with or instead of the current table, `ThreatIntelligenceIndicator`, with this opt-in process.
589
-
590
-
For more information, see the blog announcement [New STIX objects in Microsoft Sentinel](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/announcing-public-preview-new-stix-objects-in-microsoft-sentinel/4369164).
591
-
592
-
### Threat intelligence upload API now supports more STIX objects
593
-
594
-
Make the most of your threat intelligence platforms when you connect them to Microsoft Sentinel with the upload API. Now you can ingest more objects than just indicators, reflecting the varied threat intelligence available. The upload API supports the following STIX objects:
595
-
596
-
-`indicator`
597
-
-`attack-pattern`
598
-
-`identity`
599
-
-`threat-actor`
600
-
-`relationship`
601
-
602
-
For more information, see the following articles:
603
-
604
-
-[Connect your threat intelligence platform with the upload API (Preview)](connect-threat-intelligence-upload-api.md)
605
-
-[Import threat intelligence to Microsoft Sentinel with the upload API (Preview)](stix-objects-api.md)
606
-
-[New STIX objects in Microsoft Sentinel](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/announcing-public-preview-new-stix-objects-in-microsoft-sentinel/4369164)
607
-
608
-
### Microsoft Defender Threat Intelligence data connectors now generally available (GA)
609
-
610
-
Both premium and standard Microsoft Defender Threat Intelligence data connectors are now generally available (GA) in content hub. For more information, see the following articles:
-[Enable the Microsoft Defender Threat Intelligence data connector](connect-mdti-data-connector.md)
614
-
615
-
### Bicep file support for repositories (Preview)
616
-
Use Bicep files alongside or as a replacement of ARM JSON templates in Microsoft Sentinel repositories. Bicep provides an intuitive way to create templates of Azure resources and Microsoft Sentinel content items. Not only is it easier to develop new content items, Bicep makes reviewing and updating content easier for anyone that's a part of the continuous integration and delivery of your Microsoft Sentinel content.
617
-
618
-
For more information, see [Plan your repository content](ci-cd-custom-content.md#plan-your-repository-content).
619
-
620
-
### SOC optimization updates for unified coverage management
621
-
622
-
In workspaces onboarded to the Defender portal, SOC optimizations now support both SIEM and XDR data, with detection coverage from across Microsoft Defender services.
623
-
624
-
In the Defender portal, the **SOC optimizations** and **MITRE ATT&CK** pages also now provide extra functionality for threat-based coverage optimizations to help you understand the impact of the recommendations on your environment and help you prioritize which to implement first.
625
-
626
-
Enhancements include:
627
-
628
-
|Area | Details|
629
-
|-----|--------|
630
-
|**SOC optimizations Overview page**| - A **High**, **Medium**, or **Low** score for your current detection coverage. This sort of scoring can help you decide which recommendations to prioritize at a glance. <br><br>- An indication of the number of active Microsoft Defender products (services) out of all available products. This helps you understand whether there's a whole product that you're missing in your environment. |
631
-
|**Optimization details side pane**,<br> shown when you drill down to a specific optimization| - Detailed coverage analysis, including the number of user-defined detections, response actions, and products you have active. <br><br>- Detailed spider charts that show your coverage across different threat categories, for both user-defined and out-of-the-box detections. <br><br>- An option to jump to the specific threat scenario in the **MITRE ATT&CK** page instead of viewing MITRE ATT&CK coverage only in the side pane.<br><br>- An option to **View full threat scenario** to drill down to even further details about the security products and detections available to provide security coverage in your environment. |
632
-
|**MITRE ATT&CK page**| - A new toggle to view coverage by threat scenario. If you've jumped to the **MITRE ATT&CK** page from either a recommendation details side pane or from the **View full threat scenario** page, the **MITRE ATT&CK** page is pre-filtered for your threat scenario. <br><br>- The technique details pane, shown on the side when you select a specific MITRE ATT&CK technique, now shows the number of active detections out of all available detections for that technique. |
633
-
634
-
For more information, see [Optimize your security operations](soc-optimization/soc-optimization-access.md) and [Understand security coverage by the MITRE ATT&CK framework](mitre-coverage.md).
635
-
636
-
### View granular solution content in the Microsoft Sentinel content hub
637
-
638
-
Now you can view the individual content available in a specific solution directly from the **Content hub**, even before you've installed the solution. This new visibility helps you understand the content available to you, and more easily identify, plan, and install the specific solutions you need.
639
-
640
-
Expand each solution in the Content hub to view included security content. For example:
641
-
642
-
:::image type="content" source="media/sentinel-solutions-deploy/solutions-list.png" alt-text="Screenshot of showing granular content.":::
643
-
644
-
The granular solution content updates also include a generative AI-based search engine that helps you run more robust searches, diving deep into the solution content and returning results for similar terms.
645
-
646
-
For more information, see [Discover content](sentinel-solutions-deploy.md#discover-content).
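Review bot: Deleting the whole `## January 2025` section also removes headings that other articles may link to by anchor (for example `#unlock-advanced-hunting-with-new-stix-objects-by-opting-in-to-new-threat-intelligence-tables`, `#bicep-file-support-for-repositories-preview` and `#soc-optimization-updates-for-unified-coverage-management`); before merging, search the docs set for inbound links to these anchors and repoint them to the feature articles already referenced inside the removed text (`understand-threat-intelligence.md`, `stix-objects-api.md`, `ci-cd-custom-content.md`, `soc-optimization/soc-optimization-access.md`). The removal is consistent with the six-month window stated in the previous hunk's context ("The listed features were released in the last six months"), but note that the deleted text also referenced two images, `media/whats-new/intel-management-navigation.png` and `media/sentinel-solutions-deploy/solutions-list.png`; if the docs set keeps an archive of older what's-new entries, confirm these entries move there rather than being dropped, otherwise the image files become orphaned and should be removed in the same change.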