Unofficial site — not affiliated with or endorsed by Microsoft Corporation. Microsoft Sentinel is a trademark of Microsoft Corporation.
What Is This?
Microsoft Sentinel Changelog automatically tracks changes to Microsoft Sentinel’s open-source content library and publishes security-focused summaries for detection engineers and SOC analysts who want to stay current without monitoring GitHub directly.
What Gets Tracked
The site monitors the Azure/Azure-Sentinel repository for merged pull requests across all content types:
- Analytics rules — new detections, logic changes, query fixes
- Data connectors — new sources, schema changes, ingestion fixes
- Hunting queries — new hunts, updated logic
- Workbooks and dashboards
- Playbooks and automation
- Parser updates and KQL function changes
Not every merged PR produces a post. Changes that are purely cosmetic, version-bump-only, or otherwise carry no operational signal for defenders are skipped.
How It Works
A scheduled automation pipeline monitors the upstream repository. When new merged PRs are detected, each change is reviewed and a structured post is generated. Posts are published automatically.
Each post includes:
- Summary — one-sentence description of the change
- Security Impact — what visibility was added, lost, or restored; detection gaps opened or closed
- Affected Files — which rules, connectors, or schemas changed
- Rating — a signal-level assessment (Critical, High, Medium, Low, or Informational)
- Action — recommended operator posture (Immediate Fix, Review, Update, Monitor, or No Action)
- View on GitHub — direct link to the source PR
Why This Exists
There is no other resource that tracks the Azure/Azure-Sentinel repository at the pull-request level and explains what each change means for defenders. The alternatives leave gaps:
- Microsoft’s “What’s New” posts cover platform features on a monthly cadence — not individual content PRs.
- Community newsletters are manually curated and weekly at best, covering the broader Sentinel ecosystem rather than every merged change.
- GitHub’s own RSS feed delivers every commit with no filtering or context — pure noise for anyone who isn’t reading diffs for a living.
- Content Hub in-portal updates only surface changes to content you’ve already installed, require an active Sentinel workspace, and say nothing about what actually changed.
Sentinel Changelog fills the space between “a PR was merged” and “here’s what it means for your security operations” — automatically, at near-real-time cadence, on a freely accessible site with RSS.
Part of the motivation was simply wanting an RSS feed to follow. The site publishes a feed for all posts, and also per-tag feeds — so you can subscribe to just DataConnectors, or ASIM, or a specific vendor, and ignore everything else. Pull those feeds into whatever fits your workflow: an RSS reader, an RSS-to-email service like Mailbrew, or pipe them straight into a Slack channel so your SOC team sees relevant changes as they land.
AI Limitations
Posts are AI-generated. The model analyses code diffs and available metadata to assess security relevance, but it can misread intent, miss context that only exists outside the PR, or misjudge severity. Treat each post as a triage signal, not a definitive assessment. When precision matters, follow the View on GitHub link to read the source directly.
Upstream Repository
Azure/Azure-Sentinel — Microsoft’s official open-source repository for Microsoft Sentinel content including detection rules, hunting queries, workbooks, playbooks, and data connectors.