
Identify which MFA methods your users actually use.

11 May 2026 at 14:41

A simple KQL query against Sign-in logs gives you visibility into the MFA methods users are actually using:

SigninLogs
| where TimeGenerated > ago(90d)
| where ResultType == 0
| mv-expand AuthDetails = todynamic(AuthenticationDetails)
| extend AuthMethod = tostring(AuthDetails.authenticationMethod)
| where isnotempty(AuthMethod)
| where AuthMethod !in ("Previously satisfied")
| summarize AuthEvents = count(), Users = dcount(UserPrincipalName) by AuthMethod
| order by AuthEvents desc

https://preview.redd.it/nk9rrwqozj0h1.png?width=2664&format=png&auto=webp&s=7b6fab415cec249205902a39a05dd13f8c96e7fe

submitted by /u/EduardsGrebezs
[link] [comments]
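The same tally, re-implemented in Python over a handful of constructed SigninLogs-style records, as an added example that is not part of the post: it parses AuthenticationDetails the way mv-expand and todynamic() do, drops empty and "Previously satisfied" steps, keeps only successful sign-ins inside the 90-day window, and counts events and distinct users per method. The records, the NOW timestamp and the _row helper are constructed for illustration.

```python
"""Tally authentication methods from Entra ID sign-in records.

Added example mirroring the KQL query in the post; the records below are
constructed, not data from a real tenant.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 5, 11, tzinfo=timezone.utc)      # constructed "now"
EXCLUDED_METHODS = {"Previously satisfied"}           # the !in () clause


def _row(days_ago, result_type, upn, steps):
    """Build one constructed SigninLogs-like record (hypothetical helper)."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "ResultType": result_type,                     # "0" means success
        "UserPrincipalName": upn,
        # Entra stores AuthenticationDetails as a JSON string; todynamic() parses it
        "AuthenticationDetails": json.dumps(
            [{"authenticationMethod": m, "succeeded": True} for m in steps]),
    }


SAMPLE_SIGNINS = [
    _row(1, "0", "alice@example.com", ["Password", "Mobile app notification"]),
    _row(10, "0", "bob@example.com", ["Password", "Text message"]),
    _row(20, "0", "alice@example.com", ["Password", "Previously satisfied"]),
    _row(5, "50126", "carol@example.com", ["Password"]),                 # failed sign-in
    _row(120, "0", "dave@example.com", ["Password", "FIDO2 security key"]),  # outside 90d
    _row(2, "0", "erin@example.com", ["", "FIDO2 security key"]),         # empty step
    _row(3, "0", "bob@example.com", ["Password", "Mobile app notification"]),
]


def auth_methods(row):
    """mv-expand + extend AuthMethod + isnotempty + !in, for one record."""
    try:
        details = json.loads(row.get("AuthenticationDetails") or "[]")
    except json.JSONDecodeError:
        return []          # nothing to expand from malformed input
    if not isinstance(details, list):
        details = [details]
    methods = []
    for step in details:
        method = str((step or {}).get("authenticationMethod") or "")
        if method and method not in EXCLUDED_METHODS:
            methods.append(method)
    return methods


def summarize_auth_methods(rows, now=NOW, window_days=90):
    """Return [{'AuthMethod', 'AuthEvents', 'Users'}] ordered like the query."""
    cutoff = now - timedelta(days=window_days)
    events = defaultdict(int)
    users = defaultdict(set)
    for row in rows:
        if row["TimeGenerated"] <= cutoff:      # TimeGenerated > ago(90d)
            continue
        if str(row["ResultType"]) != "0":       # successful sign-ins only
            continue
        for method in auth_methods(row):
            events[method] += 1
            users[method].add(row["UserPrincipalName"])
    result = [{"AuthMethod": m, "AuthEvents": events[m], "Users": len(users[m])}
              for m in events]
    # order by AuthEvents desc; tie-break on the name so output is deterministic
    result.sort(key=lambda r: (-r["AuthEvents"], r["AuthMethod"]))
    return result


if __name__ == "__main__":
    for r in summarize_auth_methods(SAMPLE_SIGNINS):
        print(f'{r["AuthMethod"]:<28}{r["AuthEvents"]:>4}{r["Users"]:>4}')
```

Running it shows why Password sits at the top even though the goal is MFA visibility: the query counts every authentication step of a successful sign-in, so the first factor is tallied alongside the second. Filtering the result to the second-factor methods you care about, or excluding "Password" the way "Previously satisfied" is excluded, is the natural next step.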

Microsoft Sentinel capability: filter and split transformations at ingestion time (Preview)

13 April 2026 at 10:51

This is a way to reduce noise before data hits your main analytics tier:

  • Filter drops low-value events you do not want to ingest
  • Split keeps important data in Analytics while routing the rest to the Data lake.

Why it matters:

  1. Lower Sentinel cost,
  2. Faster queries,
  3. Less analyst fatigue,
  4. Better long-term retention strategy.

One detail I like: with split, the data sent to Analytics is also mirrored to the Data lake, while non-matching data goes to Data lake only. That gives you a cleaner SOC experience without losing retention coverage.

Also worth remembering:

  1. Rules are based on KQL expressions,
  2. Multiple filter conditions are combined with OR,
  3. Changes can take up to 1 hour to apply.

This is a very practical feature for teams drowning in firewall, proxy, or other high-volume logs.

Docs: https://learn.microsoft.com/en-us/azure/sentinel/transformation-filter-split

https://preview.redd.it/31zsif0n0zug1.png?width=525&format=png&auto=webp&s=40831a63a388237c12b3d7931ee3eab4b8a2205d

https://preview.redd.it/9c7c8n0n0zug1.png?width=590&format=png&auto=webp&s=820f73c17be565acc4675ef523caa3456584a26e

https://preview.redd.it/s2cspl0n0zug1.png?width=591&format=png&auto=webp&s=68c759f75154ff57b7010e7a1a8376d10e8ec38c

submitted by /u/EduardsGrebezs
[link] [comments]
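To make the routing semantics concrete, here is a small Python simulation of filter and split, added here and not Microsoft's implementation or code from the post: rules are plain Python predicates standing in for the KQL expressions the feature takes, the events are constructed firewall-style records, and demo() shows the one detail that bites teams in practice, namely that separate filter conditions are ORed, so a condition that should be an AND has to be written inside a single expression.

```python
"""Simulate ingestion-time filter and split routing.

Added example (not Microsoft's implementation). Conditions are Python
predicates standing in for KQL expressions; events are constructed records.
"""

SAMPLE_EVENTS = [  # constructed firewall-style records
    {"DeviceAction": "deny", "DestinationPort": 445, "SourceIP": "10.0.0.5"},
    {"DeviceAction": "allow", "DestinationPort": 443, "SourceIP": "10.0.0.7"},
    {"DeviceAction": "allow", "DestinationPort": 53, "SourceIP": "10.0.0.9"},
    {"DeviceAction": "deny", "DestinationPort": 22, "SourceIP": "10.0.0.5"},
]


def matches_any(event, conditions):
    """Conditions are combined with OR: one true condition is enough."""
    return any(cond(event) for cond in conditions)


def apply_filter(events, drop_conditions):
    """Filter: drop events matching any condition; return (kept, dropped)."""
    kept, dropped = [], []
    for e in events:
        (dropped if matches_any(e, drop_conditions) else kept).append(e)
    return kept, dropped


def apply_split(events, keep_conditions):
    """Split: matching -> Analytics and Data lake; non-matching -> Data lake only."""
    analytics, data_lake = [], []
    for e in events:
        data_lake.append(e)                 # every event lands in the lake
        if matches_any(e, keep_conditions):
            analytics.append(e)             # mirrored into Analytics as well
    return analytics, data_lake


def demo():
    """Show OR semantics of separate conditions versus AND inside one condition."""
    # Two separate conditions: every 'allow' is dropped, not only allowed DNS.
    _, dropped_or = apply_filter(SAMPLE_EVENTS, [
        lambda e: e["DeviceAction"] == "allow",
        lambda e: e["DestinationPort"] == 53,
    ])
    # AND expressed inside a single condition: only allowed DNS is dropped.
    kept_and, dropped_and = apply_filter(SAMPLE_EVENTS, [
        lambda e: e["DeviceAction"] == "allow" and e["DestinationPort"] == 53,
    ])
    # Split what survives: denies go to Analytics, everything goes to the lake.
    analytics, lake = apply_split(kept_and, [lambda e: e["DeviceAction"] == "deny"])
    return {"dropped_or": len(dropped_or), "dropped_and": len(dropped_and),
            "analytics": len(analytics), "lake": len(lake)}


if __name__ == "__main__":
    print(demo())
```

With the constructed events, the two separate conditions drop two records where the single combined condition drops one; before enabling a filter in production, run the same expressions as an ordinary KQL query over a day of data and compare the counts, since changes can take up to an hour to apply and dropped events are gone.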

Are you monitoring Microsoft Sentinel itself?

31 March 2026 at 05:26

By default, Sentinel health monitoring is not enabled, which means you could be missing visibility into the platform’s own status.

If you are still using Microsoft Sentinel in the Azure portal, make sure to verify whether monitoring is turned on.

[1] Go to Azure portal -> Microsoft Sentinel -> Configuration | Settings -> Settings -> Auditing and Health monitoring

If you have already moved to the Unified SecOps portal — which I highly recommend — you can review those settings there instead.

[2] Go to Microsoft Defender portal -> System -> Settings -> Microsoft Sentinel -> select your Sentinel LaW

Also, once you have the data, install the "Microsoft Sentinel Optimization Workbook" solution to view insights on Sentinel:

  • SIEM health
  • SOAR health
  • Analytic rule status
  • Automation health
  • Ingestion insights

About workbook - Introducing Microsoft Sentinel Optimization Workbook | Microsoft Community Hub

https://preview.redd.it/2q7bsey9ncsg1.png?width=960&format=png&auto=webp&s=2a35f5b707e5dcea927c3211905ab99f4e9f7171

https://preview.redd.it/u9pfqlgancsg1.png?width=572&format=png&auto=webp&s=ab8b2acd056abe572158f2a766ac6998f71fbe58

https://preview.redd.it/laiv9yzancsg1.png?width=1568&format=png&auto=webp&s=399473dbac941e1a6a056b45ce9db43a6dccc53c

submitted by /u/EduardsGrebezs
[link] [comments]

Microsoft Sentinel playbook generator [AI]

27 February 2026 at 08:57

What’s new?
You can now build code-based playbooks using natural language. Describe what you need, and the system generates:
• A Python playbook
• Clear documentation
• A visual flowchart of the workflow

Why this matters in real SOC life
• Automate notifications, ticketing, enrichment, and response
• Integrate with Microsoft and third-party tools via dynamic APIs
• No need to wait for predefined connectors
• Iterate fast: refine playbooks via chat or manual edits
• Validate with real alerts before going live

Docs: Generate playbooks using AI in Microsoft Sentinel | Microsoft Learn

https://preview.redd.it/cuk462q8m1mg1.png?width=864&format=png&auto=webp&s=9db5683e7ee8bf348ebcf52ed9789e3cdc56f939

In my opinion, ChatGPT, for example, also does good vibe coding when it comes to Logic App/Playbook creation.

submitted by /u/EduardsGrebezs
[link] [comments]

Migrate Your Classic Alert-Triggered Automations Before March 2026 (Reminder)

7 January 2026 at 06:49

Classic alert-trigger automation in Microsoft Sentinel, where playbooks are assigned directly within analytic rules, will retire on 15 March 2026.

Required action:

  • Review analytic rules using Automated response – Alert automation (classic)

https://preview.redd.it/en9vbfp31xbg1.png?width=1444&format=png&auto=webp&s=1e1d17542288f7fdb9bd4497f04a629be5de774b

submitted by /u/EduardsGrebezs
[link] [comments]

Enhance Resilience with Log Analytics Workspace Replication

9 December 2025 at 09:12

Regional outages shouldn’t stop your operations. By replicating your Log Analytics workspace across regions, you gain the ability to switch over manually to a secondary workspace and keep your monitoring running smoothly.

Replication ensures:
✅ Same configuration in both regions
✅ Continuous ingestion of new logs to both workspaces
✅ Manual switchover during regional failures

Plan ahead, monitor health, and decide when to switch for maximum resilience.

Docs: Enhance resilience by replicating your Log Analytics workspace across regions - Azure Monitor | Microsoft Learn

A must-have option if you are using Microsoft Sentinel as your primary SIEM solution.

Example:

https://preview.redd.it/9armkxj8s66g1.png?width=415&format=png&auto=webp&s=938b81c5fdd0a636dee965c78511381dcf84449d

Price - €0.260 per GB (North Europe region example)

submitted by /u/EduardsGrebezs
[link] [comments]

Microsoft Sentinel Cost workbook inaccurate cost using multiple table plans

24 November 2025 at 09:23

Has anyone noticed that when you're using the Basic table plan in Microsoft Sentinel, the Cost workbook doesn’t show the pricing correctly?

It simply takes the amount of data in GB, multiplies it, and calls it a day. :D

FYI: To see the actual cost, check Cost Management + Billing in the Azure Portal if you're on an Azure PAYG subscription.

If you're using CSP, you’ll need to contact your partner to get a detailed report.

EDIT (25.11.25): OK, I created this query, added it to the workbook, and visualized it as Tiles. West Europe region.

let basicSize = toscalar(
    Usage
    | where DataType == "CommonSecurityLog"
    | summarize sum(Quantity) / 1024);
let analyticsSize = toscalar(
    Usage
    | where IsBillable == true and DataType != "CommonSecurityLog"
    | summarize sum(Quantity) / 1024);
union
    (print Name = "Basic GB", Value = strcat(round(basicSize, 2), " GB")),
    (print Name = "Analytics GB", Value = strcat(round(analyticsSize, 2), " GB")),
    (print Name = "Total GB", Value = strcat(round(basicSize + analyticsSize, 2), " GB")),
    (print Name = "Basic Cost", Value = strcat(round(basicSize * {BasicPrice}, 2), " €")),
    (print Name = "Analytics Cost", Value = strcat(round(analyticsSize * {Price}, 2), " €")),
    (print Name = "Total Cost", Value = strcat(round(basicSize * {BasicPrice} + analyticsSize * {Price}, 2), " €"))

At least something... :D Adjust it and add your tables. I also created a new parameter, Basic Table plan price.

https://preview.redd.it/6aavnjq1oc3g1.png?width=777&format=png&auto=webp&s=6288a3c88172bb2d0929aefa6ceeb06598923ecb

At least for CSP it is OK.

submitted by /u/EduardsGrebezs
[link] [comments]
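A generalisation of the cost query, written in Python as an added example rather than code from the post or the workbook: the table-to-plan mapping is a dict (so "adjust it and add your tables" becomes one line per table), the IsBillable filter is applied to both plans, and the per-GB prices are plain arguments in place of the {BasicPrice} and {Price} workbook parameters. The Usage-style rows and the prices are constructed placeholders, not Microsoft list prices.

```python
"""Per-plan GB and cost from Usage-style rows.

Added example generalising the workbook query in the post. Rows, plan map
and prices are constructed placeholders.
"""
from collections import defaultdict

# Constructed rows shaped like the Usage table: Quantity is in MB per DataType
SAMPLE_USAGE = [
    {"DataType": "CommonSecurityLog", "Quantity": 2048.0, "IsBillable": True},
    {"DataType": "CommonSecurityLog", "Quantity": 1024.0, "IsBillable": True},
    {"DataType": "Syslog", "Quantity": 512.0, "IsBillable": True},
    {"DataType": "SecurityEvent", "Quantity": 1536.0, "IsBillable": True},
    {"DataType": "Heartbeat", "Quantity": 300.0, "IsBillable": False},  # free table
]

# Table plan per DataType (hypothetical assignment); unlisted tables count as Analytics
TABLE_PLANS = {"CommonSecurityLog": "Basic", "Syslog": "Basic"}


def gb_by_plan(rows, table_plans=TABLE_PLANS):
    """Sum billable Quantity per plan and convert MB to GB, as the query does."""
    totals = defaultdict(float)
    for r in rows:
        if not r["IsBillable"]:
            continue                                  # same filter for every plan
        plan = table_plans.get(r["DataType"], "Analytics")
        totals[plan] += r["Quantity"] / 1024
    return dict(totals)


def cost_breakdown(rows, prices, table_plans=TABLE_PLANS):
    """Return the tile values: '<Plan> GB', '<Plan> Cost', 'Total GB', 'Total Cost'.

    prices maps plan name to a per-GB price, e.g. {"Basic": 0.5, "Analytics": 4.0}
    (placeholder numbers, standing in for the workbook parameters).
    """
    gb = gb_by_plan(rows, table_plans)
    out = {}
    total_gb = total_cost = 0.0
    for plan, size in sorted(gb.items()):
        cost = size * prices[plan]
        out[f"{plan} GB"] = round(size, 2)
        out[f"{plan} Cost"] = round(cost, 2)
        total_gb += size
        total_cost += cost
    out["Total GB"] = round(total_gb, 2)
    out["Total Cost"] = round(total_cost, 2)
    return out


if __name__ == "__main__":
    for name, value in cost_breakdown(SAMPLE_USAGE,
                                      {"Basic": 0.5, "Analytics": 4.0}).items():
        print(f"{name:<16}{value:>8}")
```

As with the workbook, this only approximates the invoice: commitment tiers, free data sources and retention charges are not represented, so the Cost Management + Billing view remains the authority for what is actually charged.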

Microsoft Sentinel Pricing Breakdown - From Confusion to Clarity blog

20 November 2025 at 12:49

Hey!

In case someone is interested, I'm sharing the first 2 parts of my personal blog series on the Microsoft Sentinel pricing breakdown.

  1. Part 1 - Microsoft Sentinel Pricing Breakdown – Part 1: From Confusion to Clarity
  2. Part 2 - Microsoft Sentinel Pricing Breakdown – Part 2 From Confusion to Clarity

The idea is to deep dive into MS Sentinel cost, filtering, how data is correlated, and also tips & tricks for filtering.

I hope it will be useful for someone!

submitted by /u/EduardsGrebezs
[link] [comments]

New Data Sources for Enhanced User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel (Preview)

21 September 2025 at 06:05

Microsoft Sentinel’s UEBA now empowers SOC teams with even deeper, AI-driven anomaly detection—thanks to six new data sources!

These additions help you spot threats faster by expanding behavioral visibility across Microsoft and multicloud environments.

Microsoft authentication sources:

🔹Defender XDR device logon events: Detect lateral movement, unusual access, or compromised endpoints.

🔹Entra ID managed identity sign-in logs: Monitor automation/service account activity to catch silent misuse.

🔹Entra ID service principal sign-in logs: Track app/script sign-ins for unexpected access or privilege escalation.

Third-party cloud & identity platforms:

🔹AWS CloudTrail login events: Flag risky AWS logins, failed MFA, or root account use.

🔹GCP audit logs – Failed IAM access: Identify denied access attempts and privilege escalation in Google Cloud.

🔹Okta MFA & authentication security changes: Surface MFA challenges and policy changes—potential signals of targeted attacks.

💡 To get to the Entity behavior configuration page:

  1. From the Microsoft Defender portal navigation menu, select Settings > Microsoft Sentinel > SIEM workspaces.
  2. Select the workspace you want to configure.
  3. From the workspace configuration page, select Entity behavior analytics > Configure UEBA.

https://preview.redd.it/4hcgu5j5shqf1.png?width=1213&format=png&auto=webp&s=60a79fabc394608b4245cc6efeb6b309b9ba0fa8

https://learn.microsoft.com/en-us/azure/sentinel/whats-new#new-data-sources-for-enhanced-user-and-entity-behavior-analytics-ueba-preview

submitted by /u/EduardsGrebezs
[link] [comments]

You can now create and edit Microsoft Sentinel workbooks directly in the Microsoft Defender portal (Preview).

7 September 2025 at 04:49

This update:

✅ Streamlines your workflow by removing the need to switch between portals

✅ Brings workbook management closer to the Azure experience

✅ Helps you visualize and monitor ingested data more efficiently

🔎 Why it matters: Microsoft Sentinel workbooks are built on Azure Monitor workbooks, giving you powerful visualization tools for your logs and queries. With tables, charts, and interactive analytics, they enhance your ability to monitor security data in real time.

📍 Where to find it: Defender portal → Microsoft Sentinel > Threat management > Workbook

https://preview.redd.it/ry7t77k4ipnf1.png?width=1460&format=png&auto=webp&s=7fb84d78048c135e17a2b95b9f08b7c0d35f7a49

Read more: https://learn.microsoft.com/en-us/azure/sentinel/monitor-your-data?tabs=defender-portal

submitted by /u/EduardsGrebezs
[link] [comments]

Important Update: Microsoft Sentinel Threat Intelligence Tables

11 August 2025 at 02:19

Microsoft has extended the migration timeline for the legacy ThreatIntelligenceIndicator table.

31 August 2025 → Ingestion into the legacy ThreatIntelligenceIndicator table stops. Historical data remains accessible, but no new data will be added. Update your workbooks, queries, and analytic rules to the new tables:

🔹 ThreatIntelIndicators

🔹 ThreatIntelObjects

https://preview.redd.it/9beq78rc2cif1.png?width=462&format=png&auto=webp&s=9027f2f8b5da09f8c8ff461c2ae316d5d76c1150

31 August 2025 – 21 May 2026 → Optional dual ingestion (legacy + new) available only by service request.

21 May 2026 → Full retirement of the legacy table and ingestion.

💡 Action Required: Ensure all custom content references the new tables to avoid data gaps. If you need more time, request dual ingestion before August 2025.

Table Talk: Sentinel’s New ThreatIntel Tables Explained | Microsoft Community Hub

If you are currently ingesting TI from Microsoft, be sure to create a table transformation that does not ingest the "Data" table, to reduce cost, as it is not linked to any analytic rules.

https://preview.redd.it/0jdlnkcf2cif1.png?width=265&format=png&auto=webp&s=b3b1a15911c52ca553cf1aa25c00803992f22f12

Also, check this article regarding TI ingestion optimization - Introducing Threat Intelligence Ingestion Rules | Microsoft Community Hub

submitted by /u/EduardsGrebezs
[link] [comments]

New Microsoft Sentinel Analytics Rules for Entra ID Conditional Access

3 August 2025 at 04:35

On July 25, 2025, the Microsoft Entra ID Solution got an extremely useful update.

Previously, obtaining insights into Conditional Access activities necessitated custom KQL queries or workbooks.

With this latest update, we now have predefined detection rules for:

✅ Creation, modification, and deletion of CA policies,

✅ Detection of risky sign-in bypass attempts,

✅ Identification of privileged or break-glass account targeting,

✅ Monitoring changes in targeted groups.

Visit the Content Hub, update the Microsoft Entra ID Solution, and enable new analytic rules based on your infrastructure needs.

https://preview.redd.it/6ygoqdwjhtgf1.jpg?width=696&format=pjpg&auto=webp&s=6c6afef987e74c51517aff3bd9cb6382f140ba64

https://preview.redd.it/6gxz3ewjhtgf1.jpg?width=929&format=pjpg&auto=webp&s=e20ca33da5aa071371944a1e10e7adf02e7579cd

EDIT 03.09: Hi all,
Just FYI, there is a new update for Entra ID which will fix the CA policy saving problem! Be sure to update that :)

https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/ReleaseNotes.md

submitted by /u/EduardsGrebezs
[link] [comments]