Isolate-MDEMachine Playbook: Missing Machine.Read.All Permission Causes Runtime Failures

Any deployment of the Isolate-MDEMachine playbook that followed the existing post-deployment instructions has been silently failing with a Forbidden error at runtime – device isolation never executed. Read More →

Logstash Output Plugin Ruby Version Formally Deprecated - Java Version Now Canonical

The Ruby-based Microsoft Sentinel Logstash output plugin (1.x.x) is now officially deprecated and its documentation separated from the active Java-based version (2.x.x), clarifying which plugin operators should be running. Read More →

ASIM Schema Docs Pruned -- Canonical Definitions Moved to Microsoft Learn

Nine ASIM schema YAML files and a parsers list have been removed from the repo as the canonical schema definitions are now hosted on Microsoft Learn, with two new schemas (Agent Event and Asset Entity) documented in the README. Read More →

GitHub Audit Log Azure Storage Connector: SAS Token Guidance Added to Prevent Credential Rotation Gaps

The GitHub Audit Log Azure Blob Storage connector now includes setup guidance on SAS token signing methods and recommends using Stored Access Policies to enable seamless credential rotation without reissuing tokens. Read More →

Silverfort Connector Docs Updated: MMA Reference Replaced with AMA, Python Check Command Fixed

The Silverfort AMA connector setup instructions now correctly reference Azure Monitoring Agent instead of the legacy Microsoft Monitoring Agent, and the Python version check command has been corrected. Read More →

Valimail Enforce Solution: Publisher Name Typo Corrected in Sentinel UI

Fixes misspelled publisher name from Valimmail to Valimail in the Data Connector configuration UI. Read More →

Oracle Cloud Infrastructure CCF Connector: IAM Permissions Guidance Added

OCI connector UI updated with explicit IAM policy requirements for stream consumption authorization alongside API signing key authentication. Read More →

Google Threat Intelligence Solution: Custom Connector Deployment Prerequisites Clarified

Solution metadata updated to warn customers that Playbooks require manual deployment of the GTI custom Logic Apps connector before use. Read More →

Microsoft Entra ID Table Rename: Hunting Queries Updated for Current Schema

12 hunting queries updated to use EntraIdSignInEvents and EntraIdSpnSignInEvents tables, replacing deprecated AADSignInEventsBeta and AADSpnSignInEventsBeta references. Read More →

Visa Threat Intelligence: Connector Description Update for Certification

Updated Data Connector description in Visa Threat Intelligence solution to resolve certification failure. Read More →

Entra ID Brute Force Detection: Renamed for Broader Windows Device Coverage

Analytic rule renamed from Cloud PC-specific to cover all Entra-authenticated Windows devices, clarifying detection scope without logic changes. Read More →

Logstash Output Plugin: Documentation Update for Version 2.1.1

Version bump to 2.1.1 with efficiency improvements noted but no connector logic changes. Read More →

Microsoft Sentinel Logstash Plugin: Documentation Update Reveals Major Architecture Changes

Documentation updated for Logstash output plugin to reflect version 2.1.0 with Ruby-to-Java refactor, managed identity support, and closed-source transition. Read More →

Island Enterprise Browser V2 Connector: Documentation Clarity Improvements

Updated Island connector titles and descriptions to reduce confusion between legacy V1 and current V2 connectors. Read More →

Data Connector 64 KB Field Truncation: Silent Data Loss Risk Documented

Microsoft Sentinel now documents a critical platform limitation where individual fields exceeding 64 KB are silently truncated during ingestion, creating blind spots in large payload analysis. Read More →

Azure Resource Graph: Table Name Standardization for Query Consistency

Azure Resource Graph connector updated table labels to align with Table Management naming conventions, ensuring consistent query references. Read More →

Detection Template Validation: connectorId Enforcement Added to Review Process

Detection authoring guidelines now require validation of connectorId values against the official repository allowlist to prevent invalid connector references. Read More →

Microsoft Copilot Connector: Updated Product Scope Description

Clarifies connector description to specify M365 Copilot and Security Copilot coverage alongside general improvements. Read More →

Google Kubernetes Engine Connector: Documentation Update Links to Official Microsoft Learn

Google Kubernetes Engine connector documentation updated to reference official Microsoft Learn guides instead of personal repositories. Read More →

Logstash Connector: Extended Version Support for Newer Logstash Releases

Documentation update adds support for Logstash versions 8.19.2, 9.0.8, 9.1.10, and 9.2.4-9.2.5. Read More →