{"id":"e1e145bf-94a3-420e-b3db-95d8eba30976","shortId":"3CXzXx","kind":"skill","title":"azure-sentinel","tagline":"Expert knowledge for Azure Sentinel development including troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when configuring Sentinel connectors, KQL anal","description":"# Azure Sentinel Skill\n\nThis skill provides expert guidance for Azure Sentinel. Covers troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. It combines local quick-reference content with remote documentation fetching capabilities.\n\n## How to Use This Skill\n\n> **IMPORTANT for Agent**: Use the **Category Index** below to locate relevant sections. For categories with line ranges (e.g., `L35-L120`), use `read_file` with the specified lines. For categories with file links (e.g., `[security.md](security.md)`), use `read_file` on the linked reference file.\n\n> **IMPORTANT for Agent**: If `metadata.generated_at` is more than 3 months old, suggest the user pull the latest version from the repository. If `mcp_microsoftdocs` tools are not available, suggest the user install it: [Installation Guide](https://github.com/MicrosoftDocs/mcp/blob/main/README.md)\n\nThis skill requires **network access** to fetch documentation content:\n- **Preferred**: Use `mcp_microsoftdocs:microsoft_docs_fetch` with query string `from=learn-agent-skill`. Returns Markdown.\n- **Fallback**: Use `fetch_webpage` with query string `from=learn-agent-skill&accept=text/markdown`. 
Returns Markdown.\n\n## Category Index\n\n| Category | Lines | Description |\n|----------|-------|-------------|\n| Troubleshooting | L37-L48 | Diagnosing and fixing Microsoft Sentinel ingestion, connector, KQL/data lake, analytics rule (auto-disable), MCP tools, and SAP/AWS/Blob/CEF/Syslog integration issues. |\n| Best Practices | L49-L75 | Best practices for SOC operations in Microsoft Sentinel: rule tuning, automation/playbooks, incident tasks/metrics, watchlists, data collection, solution lifecycle, and monitoring/health. |\n| Decision Making | L76-L112 | Guides for planning and decision-making: SIEM/SOAR migration to Sentinel, pricing and cost optimization, data tiers and retention, connector and platform choices, and deployment/geo strategy. |\n| Architecture & Design Patterns | L113-L126 | Architecting Sentinel deployments: multi-workspace/tenant patterns, MSSP setups, SOAR automation, BCDR/resiliency, cross-workspace data/incident ops, SAP, ML models, and Jupyter-based hunting. |\n| Limits & Quotas | L127-L138 | Limits, quotas, pricing, and retention tiers for Sentinel data, search jobs, watchlists, MCP servers, ASIM, and workspace removal impacts. |\n| Security | L139-L154 | Security configuration for Microsoft Sentinel: RBAC and roles, row-level/resource-context access, playbook auth/restrictions, encryption keys, audit logs, SAP roles/params, and network/attack protections. |\n| Configuration | L155-L283 | Configuring Microsoft Sentinel and data lake: connectors, ingestion, retention, analytics/automation rules, ASIM schemas, UEBA, SAP, MCP/AI integrations, monitoring, and workspace management. |\n| Integrations & Coding Patterns | L284-L335 | Integrating Microsoft Sentinel with external data, threat intel, MCP/LLM tools, and collaboration apps, plus APIs, codeless connectors, KQL/graph queries, automation, and solution packaging. 
|\n| Deployment | L336-L359 | Deploying and managing Microsoft Sentinel solutions and content (CI/CD, ARM, content hub, marketplace) and specialized connectors/agents for SAP, Power Platform, Dynamics, Azure Stack Hub, and hunting notebooks. |\n\n### Troubleshooting\n| Topic | URL |\n|-------|-----|\n| Troubleshoot Microsoft Sentinel AWS S3 connector problems | https://learn.microsoft.com/en-us/azure/sentinel/aws-s3-troubleshoot |\n| Troubleshoot Microsoft Sentinel Azure Storage Blob connector | https://learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot |\n| Troubleshoot Sentinel CEF and Syslog AMA ingestion issues | https://learn.microsoft.com/en-us/azure/sentinel/cef-syslog-ama-troubleshooting |\n| Troubleshoot KQL queries and jobs in Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-troubleshoot |\n| Best practices and troubleshooting for Sentinel MCP tools | https://learn.microsoft.com/en-us/azure/sentinel/datalake/troubleshoot-sentinel-mcp |\n| Troubleshoot Sentinel SAP data connector agent | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-deploy-troubleshoot |\n| Troubleshoot Sentinel analytics rules and AUTO DISABLED | https://learn.microsoft.com/en-us/azure/sentinel/troubleshoot-analytics-rules |\n| Troubleshoot Microsoft Sentinel solution ingestion issues | https://learn.microsoft.com/en-us/azure/sentinel/troubleshoot-sentinel-solutions |\n\n### Best Practices\n| Topic | URL |\n|-------|-----|\n| Audit and track Sentinel incident task changes | https://learn.microsoft.com/en-us/azure/sentinel/audit-track-tasks |\n| Implement Sentinel automation rules for SOAR operations | https://learn.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules |\n| Automate Sentinel response to compromised users with playbooks | https://learn.microsoft.com/en-us/azure/sentinel/automation/tutorial-respond-threats-playbook |\n| Apply operational best practices for Microsoft 
Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/best-practices |\n| Apply data collection best practices in Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/best-practices-data |\n| Apply fine-tuning recommendations to Sentinel rules | https://learn.microsoft.com/en-us/azure/sentinel/detection-tuning |\n| Use ASIM-based essential domain solutions in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/domain-based-essential-solutions |\n| Reduce false positives in Microsoft Sentinel analytics | https://learn.microsoft.com/en-us/azure/sentinel/false-positives |\n| Standardize Sentinel incident handling with tasks | https://learn.microsoft.com/en-us/azure/sentinel/incident-tasks |\n| Handle data ingestion delay in Sentinel rules | https://learn.microsoft.com/en-us/azure/sentinel/ingestion-delay |\n| Use Sentinel incident metrics to manage SOC performance | https://learn.microsoft.com/en-us/azure/sentinel/manage-soc-with-incident-metrics |\n| Update SOC and analyst processes for Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/migration-security-operations-center-processes |\n| Monitor health and integrity of Microsoft Sentinel analytics rules | https://learn.microsoft.com/en-us/azure/sentinel/monitor-analytics-rule-integrity |\n| Monitor and optimize Sentinel scheduled analytics rule execution | https://learn.microsoft.com/en-us/azure/sentinel/monitor-optimize-analytics-rule-execution |\n| Protect MSSP intellectual property in Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/mssp-protect-intellectual-property |\n| Apply operational recommendations for Microsoft Sentinel SOCs | https://learn.microsoft.com/en-us/azure/sentinel/ops-guide |\n| Configure Sentinel SAP detections and threat protection | https://learn.microsoft.com/en-us/azure/sentinel/sap/deployment-solution-configuration |\n| Monitor Zero Trust TIC 3.0 with Sentinel solution | 
https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solution |\n| Manage lifecycle of deprecated Sentinel solutions | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solution-deprecation |\n| Apply quality guidelines to Microsoft Sentinel solutions | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solution-quality-guidance |\n| Use Sentinel watchlists to enrich and correlate events | https://learn.microsoft.com/en-us/azure/sentinel/watchlists |\n| Maintain and edit Microsoft Sentinel watchlists safely | https://learn.microsoft.com/en-us/azure/sentinel/watchlists-manage |\n| Use Sentinel incident tasks in analyst workflows | https://learn.microsoft.com/en-us/azure/sentinel/work-with-tasks |\n\n### Decision Making\n| Topic | URL |\n|-------|-----|\n| Plan and execute migration from MMA to AMA for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate |\n| Decide and migrate Sentinel alert-trigger playbooks to automation rules | https://learn.microsoft.com/en-us/azure/sentinel/automation/migrate-playbooks-to-automation-rules |\n| Choose when to use Microsoft Sentinel data lake tier | https://learn.microsoft.com/en-us/azure/sentinel/basic-logs-use-cases |\n| Plan and estimate Microsoft Sentinel pricing and billing | https://learn.microsoft.com/en-us/azure/sentinel/billing |\n| Analyze and optimize Microsoft Sentinel cost and billing | https://learn.microsoft.com/en-us/azure/sentinel/billing-monitor-costs |\n| Use Microsoft Sentinel prepurchase plans to save costs | https://learn.microsoft.com/en-us/azure/sentinel/billing-pre-purchase-plan |\n| Reduce Microsoft Sentinel costs with product features | https://learn.microsoft.com/en-us/azure/sentinel/billing-reduce-costs |\n| Choose and configure Sentinel connectors for Cisco ASA/FTD | https://learn.microsoft.com/en-us/azure/sentinel/cisco-ftd-firewall |\n| Compare Sentinel analytics rules vs Defender custom detections | 
https://learn.microsoft.com/en-us/azure/sentinel/compare-analytics-rules-custom-detections |\n| Assess Sentinel connector data type support by cloud | https://learn.microsoft.com/en-us/azure/sentinel/data-type-cloud-support |\n| Choose between KQL jobs, summary rules, and search jobs | https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-jobs-summary-rules-search-jobs |\n| Plan side-by-side deployment with existing SIEM | https://learn.microsoft.com/en-us/azure/sentinel/deploy-side-by-side |\n| Enroll Sentinel workspaces in simplified pricing tiers | https://learn.microsoft.com/en-us/azure/sentinel/enroll-simplified-pricing-tier |\n| Check Microsoft Sentinel feature availability by Azure cloud | https://learn.microsoft.com/en-us/azure/sentinel/feature-availability |\n| Plan Sentinel deployment for geography and data residency | https://learn.microsoft.com/en-us/azure/sentinel/geographical-availability-data-residency |\n| Choose data tiers and retention for Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/manage-data-overview |\n| Use Microsoft Sentinel within the Defender portal | https://learn.microsoft.com/en-us/azure/sentinel/microsoft-sentinel-defender-portal |\n| Plan migration from legacy SIEMs to Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/migration |\n| Migrate ArcSight SOAR automation to Sentinel rules and playbooks | https://learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-automation |\n| Map and migrate ArcSight detection rules to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-detection-rules |\n| Export ArcSight historical data for Sentinel migration | https://learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-historical-data |\n| Choose an Azure target platform for Sentinel historical data | https://learn.microsoft.com/en-us/azure/sentinel/migration-ingestion-target-platform |\n| Select a data ingestion tool for Sentinel historical logs | 
https://learn.microsoft.com/en-us/azure/sentinel/migration-ingestion-tool |\n| Migrate QRadar SOAR automation to Sentinel automation rules | https://learn.microsoft.com/en-us/azure/sentinel/migration-qradar-automation |\n| Migrate QRadar detection rules to Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/migration-qradar-detection-rules |\n| Export QRadar historical data for Sentinel migration | https://learn.microsoft.com/en-us/azure/sentinel/migration-qradar-historical-data |\n| Migrate Splunk SOAR automation to Sentinel automation rules | https://learn.microsoft.com/en-us/azure/sentinel/migration-splunk-automation |\n| Migrate Splunk detection rules to Microsoft Sentinel analytics | https://learn.microsoft.com/en-us/azure/sentinel/migration-splunk-detection-rules |\n| Export Splunk historical data for Sentinel migration | https://learn.microsoft.com/en-us/azure/sentinel/migration-splunk-historical-data |\n| Choose between Sentinel standalone and XDR alert connectors | https://learn.microsoft.com/en-us/azure/sentinel/security-alert-schema-differences |\n| Select Sentinel content hub solutions by domain | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog |\n| Use Sentinel SIEM migration experience for rule mapping | https://learn.microsoft.com/en-us/azure/sentinel/siem-migration |\n| Apply SOC optimization recommendations in Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-access |\n\n### Architecture & Design Patterns\n| Topic | URL |\n|-------|-----|\n| Design Sentinel SOAR with automation rules and playbooks | https://learn.microsoft.com/en-us/azure/sentinel/automation/automation |\n| Bring custom machine learning models into Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/bring-your-own-ml |\n| Design BCDR and resiliency architecture for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/business-continuity-disaster-recovery |\n| Query and 
manage Sentinel data across workspaces and tenants | https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants |\n| Investigate Sentinel incidents using large dataset search | https://learn.microsoft.com/en-us/azure/sentinel/investigate-large-datasets |\n| Work with Sentinel incidents across multiple workspaces | https://learn.microsoft.com/en-us/azure/sentinel/multiple-workspace-view |\n| Use Jupyter notebooks for Sentinel threat hunting | https://learn.microsoft.com/en-us/azure/sentinel/notebooks |\n| Design Microsoft Sentinel solution components and patterns | https://learn.microsoft.com/en-us/azure/sentinel/partner-integrations |\n| Design multi-workspace architecture for Sentinel SAP | https://learn.microsoft.com/en-us/azure/sentinel/sap/cross-workspace |\n| Use workspace manager to operate multiple Sentinel workspaces | https://learn.microsoft.com/en-us/azure/sentinel/workspace-manager |\n\n### Limits & Quotas\n| Topic | URL |\n|-------|-----|\n| Service limits and quotas for Microsoft Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-service-limits |\n| Sentinel MCP server pricing, limits, and availability | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-billing |\n| Select Microsoft Sentinel log retention tiers and limits | https://learn.microsoft.com/en-us/azure/sentinel/log-plans |\n| Review ASIM known issues and limitations in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-known-issues |\n| Understand removal impact of Microsoft Sentinel workspaces | https://learn.microsoft.com/en-us/azure/sentinel/offboard-implications |\n| Run Sentinel search jobs for large datasets and archives | https://learn.microsoft.com/en-us/azure/sentinel/search-jobs |\n| Review Microsoft Sentinel service limits and quotas | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-service-limits |\n| Create Sentinel watchlists and manage file size 
limits | https://learn.microsoft.com/en-us/azure/sentinel/watchlists-create |\n\n### Security\n| Topic | URL |\n|-------|-----|\n| Audit Microsoft Sentinel queries and user activities | https://learn.microsoft.com/en-us/azure/sentinel/audit-sentinel-data |\n| Configure authentication for Microsoft Sentinel playbooks | https://learn.microsoft.com/en-us/azure/sentinel/automation/authenticate-playbooks-to-sentinel |\n| Define access restriction policies for Sentinel Standard playbooks | https://learn.microsoft.com/en-us/azure/sentinel/automation/define-playbook-access-restrictions |\n| Enable automated attack disruption actions on AWS identities | https://learn.microsoft.com/en-us/azure/sentinel/aws-disruption |\n| Set up customer-managed keys for Microsoft Sentinel encryption | https://learn.microsoft.com/en-us/azure/sentinel/customer-managed-keys |\n| Use audit log for Sentinel data lake and graph activities | https://learn.microsoft.com/en-us/azure/sentinel/datalake/auditing-lake-activities |\n| Enable network security for Sentinel Azure Storage connector | https://learn.microsoft.com/en-us/azure/sentinel/enable-storage-network-security |\n| Configure resource-context RBAC for Microsoft Sentinel data access | https://learn.microsoft.com/en-us/azure/sentinel/resource-context-rbac |\n| Configure Microsoft Sentinel roles and permissions | https://learn.microsoft.com/en-us/azure/sentinel/roles |\n| ABAP roles and authorizations for Sentinel SAP logs | https://learn.microsoft.com/en-us/azure/sentinel/sap/required-abap-authorizations |\n| SAP security parameters monitored by Sentinel analytics | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-suspicious-configuration-security-parameters |\n| Configure row-level RBAC scoping in Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/scoping |\n\n### Configuration\n| Topic | URL |\n|-------|-----|\n| Add advanced OR condition groups to Sentinel automation rules | 
https://learn.microsoft.com/en-us/azure/sentinel/add-advanced-conditions-to-automation-rules |\n| Use Microsoft Sentinel audit tables for monitoring | https://learn.microsoft.com/en-us/azure/sentinel/audit-table-reference |\n| Configure Microsoft Sentinel automation rules and conditions | https://learn.microsoft.com/en-us/azure/sentinel/automation-rule-reference |\n| Security content reference for Power Platform and CE | https://learn.microsoft.com/en-us/azure/sentinel/business-applications/power-platform-solution-security-content |\n| Map CEF keys to Sentinel CommonSecurityLog fields | https://learn.microsoft.com/en-us/azure/sentinel/cef-name-mapping |\n| Configure Syslog and CEF connectors via Azure Monitor Agent | https://learn.microsoft.com/en-us/azure/sentinel/cef-syslog-ama-overview |\n| Configure Security Events connector for anomalous RDP detection | https://learn.microsoft.com/en-us/azure/sentinel/configure-connector-login-detection |\n| Configure interactive and long-term Sentinel data retention | https://learn.microsoft.com/en-us/azure/sentinel/configure-data-retention-archive |\n| Configure ingestion-time data transformation and custom log ingestion | https://learn.microsoft.com/en-us/azure/sentinel/configure-data-transformation |\n| Configure Fusion multistage attack detection rules | https://learn.microsoft.com/en-us/azure/sentinel/configure-fusion-rules |\n| Configure AWS service log connector for Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-aws |\n| Prepare AWS environment to send logs to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-aws-configure-environment |\n| Configure AWS WAF S3 connector to ingest logs to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-aws-s3-waf |\n| Configure Microsoft Entra ID connector to send logs to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory |\n| Connect Azure Virtual Desktop telemetry to Microsoft 
Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-virtual-desktop |\n| Configure Sentinel connections to Azure and Microsoft services | https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-windows-microsoft-services |\n| Configure AMA-based syslog and CEF ingestion to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog-ama |\n| Configure Custom Logs via AMA to ingest text-file logs | https://learn.microsoft.com/en-us/azure/sentinel/connect-custom-logs-ama |\n| Connect Microsoft Defender for Cloud alerts to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-defender-for-cloud |\n| Configure AMA connector for Windows DNS log streaming | https://learn.microsoft.com/en-us/azure/sentinel/connect-dns-ama |\n| Configure GCP Pub/Sub connectors to ingest logs into Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform |\n| Configure Microsoft Defender XDR connector in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender |\n| Stream Microsoft Purview Information Protection data to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-purview |\n| Configure API-based data connectors for Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-services-api-based |\n| Configure diagnostic settings-based connectors for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-services-diagnostic-setting-based |\n| Configure Windows agent-based data connectors for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-services-windows-based |\n| Create scheduled analytics rules from Sentinel templates | https://learn.microsoft.com/en-us/azure/sentinel/create-analytics-rule-from-template |\n| Create custom scheduled analytics rules in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/create-analytics-rules |\n| Configure incident creation from alerts in 
Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts |\n| Configure Sentinel automation rules for incident response | https://learn.microsoft.com/en-us/azure/sentinel/create-manage-use-automation-rules |\n| Create and manage NRT detection rules in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/create-nrt-rules |\n| Create Sentinel incident task lists via automation rules | https://learn.microsoft.com/en-us/azure/sentinel/create-tasks-automation-rule |\n| Customize Sentinel alert names, severity, and tactics | https://learn.microsoft.com/en-us/azure/sentinel/customize-alert-details |\n| Customize activities on Sentinel entity timelines | https://learn.microsoft.com/en-us/azure/sentinel/customize-entity-activities |\n| Configure CCF JSON for Azure Storage Blob connector | https://learn.microsoft.com/en-us/azure/sentinel/data-connection-rules-reference-azure-storage |\n| Configure RestApiPoller connector JSON for Sentinel CCF | https://learn.microsoft.com/en-us/azure/sentinel/data-connector-connection-rules-reference |\n| Reference Sentinel-supported data source schemas | https://learn.microsoft.com/en-us/azure/sentinel/data-source-schema-reference |\n| Use asset data tables in Microsoft Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/asset-data-tables |\n| Configure federated data connectors in Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/data-federation-setup |\n| Configure and schedule KQL jobs in Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-jobs |\n| Configure and schedule KQL jobs in Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-jobs |\n| Manage Microsoft Sentinel data lake KQL jobs | https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-manage-jobs |\n| Run and manage KQL queries in Sentinel data lake | 
https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-queries |\n| Create and schedule Sentinel Spark notebook jobs | https://learn.microsoft.com/en-us/azure/sentinel/datalake/notebook-jobs |\n| Configure connectors and retention for Sentinel data lake tiers | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-connectors |\n| Onboard Sentinel data lake from Defender portal | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-onboard-defender |\n| Onboard tenants to Microsoft Sentinel data lake and graph | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-onboarding |\n| Use Sentinel MCP data exploration tools | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-data-exploration-tool |\n| Configure and use the Microsoft Sentinel MCP server | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-get-started |\n| Use Sentinel MCP tools with Microsoft Foundry AI agents | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-azure-ai-foundry |\n| Configure Sentinel MCP tools in Microsoft Copilot Studio | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-copilot-studio |\n| Add Sentinel MCP tools to Microsoft Security Copilot | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-security-copilot |\n| Build Sentinel workbooks using data lake as source | https://learn.microsoft.com/en-us/azure/sentinel/datalake/workbooks-for-data-lake |\n| Configure DNS over AMA connector fields and schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/dns-ama-fields |\n| Security content reference for Dynamics 365 F&O | https://learn.microsoft.com/en-us/azure/sentinel/dynamics-365/dynamics-365-finance-operations-security-content |\n| Enable and configure Sentinel UEBA data sources | https://learn.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics |\n| Enable Sentinel 
auditing and health monitoring and query logs | https://learn.microsoft.com/en-us/azure/sentinel/enable-monitoring |\n| Use Sentinel entity types and identifiers correctly | https://learn.microsoft.com/en-us/azure/sentinel/entities-reference |\n| Configure auditing and health monitoring in Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/health-audit |\n| Query and interpret Microsoft Sentinel health tables | https://learn.microsoft.com/en-us/azure/sentinel/health-table-reference |\n| Bulk import threat indicators from files into Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/indicators-bulk-file-import |\n| Manage Sentinel analytics rule template versions | https://learn.microsoft.com/en-us/azure/sentinel/manage-analytics-rule-templates |\n| Configure and manage installed Microsoft Sentinel platform solutions | https://learn.microsoft.com/en-us/azure/sentinel/manage-platform-solutions |\n| Configure table retention and tier settings for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/manage-table-tiers-retention |\n| Map analytics rule fields to Sentinel entities | https://learn.microsoft.com/en-us/azure/sentinel/map-data-fields-to-entities |\n| Use Purview Information Protection connector record types in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/microsoft-purview-record-types-activities |\n| Monitor Sentinel automation rules and playbook health | https://learn.microsoft.com/en-us/azure/sentinel/monitor-automation-health |\n| Monitor Microsoft Sentinel data connector health and ingestion | https://learn.microsoft.com/en-us/azure/sentinel/monitor-data-connector-health |\n| Monitor SAP–Sentinel connection health and alerts | https://learn.microsoft.com/en-us/azure/sentinel/monitor-sap-system-health |\n| Configure multi-tenant management for Microsoft Sentinel MSSPs | https://learn.microsoft.com/en-us/azure/sentinel/multiple-tenants-service-providers |\n| Configure near-real-time analytics rules in 
Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/near-real-time-rules |\n| Manage workspace-deployed ASIM parsers in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-workspace-parsers |\n| Apply ASIM common schema fields in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-common-fields |\n| Develop and deploy custom ASIM parsers for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers |\n| Implement ASIM Application Entity schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-entity-application |\n| Implement ASIM Device Entity schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-entity-device |\n| Implement ASIM User Entity schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-entity-user |\n| Manage and customize ASIM parsers in Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-manage-parsers |\n| Convert Sentinel content to use ASIM normalized data | https://learn.microsoft.com/en-us/azure/sentinel/normalization-modify-content |\n| Use ASIM Alert Events normalization schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-alert |\n| Use ASIM Audit Events normalization schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-audit |\n| Use ASIM Authentication normalization schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-authentication |\n| Use ASIM DHCP normalization schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-dhcp |\n| Use ASIM DNS normalization schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-dns |\n| Use ASIM File Event normalization schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-file-event |\n| 
Use ASIM Network Session normalization schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-network |\n| Use ASIM Process Event normalization schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-process-event |\n| Use ASIM Registry Event normalization schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-registry-event |\n| Use Sentinel user management normalization schema | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-user-management |\n| Use legacy Sentinel network normalization schema v0.1 | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-v1 |\n| Use ASIM Web Session normalization schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-web |\n| Configure Sentinel notebooks and MSTICPy basics | https://learn.microsoft.com/en-us/azure/sentinel/notebook-get-started |\n| Apply advanced MSTICPy and notebook settings in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/notebooks-msticpy-advanced |\n| Remove Microsoft Sentinel from a Log Analytics workspace | https://learn.microsoft.com/en-us/azure/sentinel/offboard |\n| Integrate Microsoft Purview solution with Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/purview-solution |\n| Restore archived Sentinel logs for high-performance queries | https://learn.microsoft.com/en-us/azure/sentinel/restore |\n| Configure SAP HANA audit log collection in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/sap/collect-sap-hana-audit-logs |\n| Prepare SAP systems for Sentinel SAP connector | https://learn.microsoft.com/en-us/azure/sentinel/sap/preparing-sap |\n| Review prerequisites for Sentinel SAP solution deployment | https://learn.microsoft.com/en-us/azure/sentinel/sap/prerequisites-for-deploying-sap-continuous-threat-monitoring |\n| Kickstart script parameters for SAP connector deployment | 
https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-kickstart |\n| Legacy systemconfig.ini settings for Sentinel SAP agent | https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-systemconfig |\n| systemconfig.json settings for Sentinel SAP agent | https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-systemconfig-json |\n| Update script parameters for Sentinel SAP connector | https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-update |\n| Use SAP Security Audit Controls workbook in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-audit-controls-workbook |\n| Use SAP Security Audit log workbook in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-audit-log-workbook |\n| Security content reference for Sentinel SAP BTP solution | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-btp-security-content |\n| Function reference for Sentinel SAP solution workspace | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-function-reference |\n| Log and table schema reference for Sentinel SAP solution | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-log-reference |\n| Reference for Sentinel SAP security content and rules | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-security-content |\n| Stop SAP log collection and disable Sentinel connector | https://learn.microsoft.com/en-us/azure/sentinel/sap/stop-collection |\n| Configure scheduled analytics rules in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/scheduled-rules-overview |\n| Use Microsoft Sentinel security alert schema | https://learn.microsoft.com/en-us/azure/sentinel/security-alert-schema |\n| Map Sentinel tables to their data connectors | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-tables-connectors-reference |\n| Use customizable anomaly detection in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/soc-ml-anomalies |\n| Prepare prerequisites for 
Microsoft Sentinel SIEM solutions | https://learn.microsoft.com/en-us/azure/sentinel/solution-setup-essentials |\n| Configure and use summary rules to aggregate Sentinel data | https://learn.microsoft.com/en-us/azure/sentinel/summary-rules |\n| Surface custom event details in Sentinel alerts | https://learn.microsoft.com/en-us/azure/sentinel/surface-custom-details-in-alerts |\n| Configure threat intelligence integrations in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/threat-intelligence-integration |\n| Configure filter and split transformations in Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/transformation-filter-split |\n| Reference for Sentinel UEBA entity enrichments | https://learn.microsoft.com/en-us/azure/sentinel/ueba-reference |\n| Configure unified connectors to integrate with Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/unified-connector-integration |\n| Apply built-in Sentinel watchlist template schemas | https://learn.microsoft.com/en-us/azure/sentinel/watchlist-schemas |\n| Select Windows security event sets for Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference |\n| Create and tune anomaly analytics rules in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/work-with-anomaly-rules |\n| Configure multiple Microsoft Sentinel workspaces in Defender portal | https://learn.microsoft.com/en-us/azure/sentinel/workspaces-defender-portal |\n\n### Integrations & Coding Patterns\n| Topic | URL |\n|-------|-----|\n| Create Sentinel Data Collection Rules via API examples | https://learn.microsoft.com/en-us/azure/sentinel/api-dcr-reference |\n| Use Sentinel Logic Apps triggers and actions in playbooks | https://learn.microsoft.com/en-us/azure/sentinel/automation/playbook-triggers-actions |\n| Integrate Sentinel incidents with Microsoft Teams collaboration | https://learn.microsoft.com/en-us/azure/sentinel/collaborate-in-microsoft-teams 
|\n| Build Azure Functions-based connectors to ingest data into Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-functions-template |\n| Use Logstash with DCR-based API to stream logs to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-logstash-data-connection-rules |\n| Enable Defender Threat Intelligence data connector in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-mdti-data-connector |\n| Connect STIX/TAXII threat intel feeds to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-taxii |\n| Connect threat intelligence platform to Sentinel (legacy connector) | https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-tip |\n| Connect TIP to Sentinel using Threat Intel upload API | https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api |\n| Create codeless connectors for Microsoft Sentinel with CCF | https://learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector |\n| Build push-based codeless connectors for Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/create-push-codeless-connector |\n| Configure GCP data connectors with Sentinel CCF | https://learn.microsoft.com/en-us/azure/sentinel/data-connection-rules-reference-gcp |\n| Define connector UIConfig JSON for Sentinel CCF | https://learn.microsoft.com/en-us/azure/sentinel/data-connector-ui-definitions-reference |\n| Build and manage custom security graphs with Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/datalake/create-custom-graphs |\n| Use GQL syntax to query Sentinel custom graphs | https://learn.microsoft.com/en-us/azure/sentinel/datalake/gql-reference-for-sentinel-custom-graph |\n| Call Sentinel custom graph REST APIs programmatically | https://learn.microsoft.com/en-us/azure/sentinel/datalake/graph-rest-api |\n| Run Sentinel data lake KQL queries via REST APIs | 
https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-queries-api |\n| Notebook code examples for querying Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/notebook-examples |\n| Use Jupyter notebooks with Sentinel data lake in VS Code | https://learn.microsoft.com/en-us/azure/sentinel/datalake/notebooks |\n| Use Sentinel graph provider API in Spark notebooks | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-graph-provider-reference |\n| Leverage Sentinel MCP agent creation tool collection | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-agent-creation-tool |\n| Enable and use Microsoft Sentinel MCP connector with ChatGPT or Claude | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-chatgpt-claude-connector |\n| Create custom Sentinel MCP tools from KQL queries | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-create-custom-tool |\n| Integrate Sentinel MCP tools into Azure Logic Apps | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-logic-apps |\n| Use Sentinel MCP triage tools for incident hunting | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-triage-tool |\n| Use SentinelProvider class to access Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-provider-class-reference |\n| Enrich Sentinel entities with geolocation REST API | https://learn.microsoft.com/en-us/azure/sentinel/geolocation-data-api |\n| Manage Microsoft Sentinel hunting queries via REST API | https://learn.microsoft.com/en-us/azure/sentinel/hunting-with-rest-api |\n| Author custom hunting KQL queries in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/hunts-custom-queries |\n| Ingest Defender for Cloud incidents via Defender XDR | https://learn.microsoft.com/en-us/azure/sentinel/ingest-defender-for-cloud-incidents |\n| Integrate Microsoft Defender XDR with Microsoft Sentinel | 
https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration |\n| Use ASIM helper functions for normalized data in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-functions |\n| Build Power BI reports from Sentinel log data | https://learn.microsoft.com/en-us/azure/sentinel/powerbi |\n| Trigger Sentinel playbooks from entities during hunts | https://learn.microsoft.com/en-us/azure/sentinel/respond-threats-during-investigation |\n| Create analytics rules for Microsoft Sentinel solutions | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-analytic-rules-creation |\n| Create hunting queries for Microsoft Sentinel solutions | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-hunting-rules-creation |\n| Build and publish Microsoft Sentinel SIEM solutions | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-integration-guide |\n| Create and publish playbooks for Microsoft Sentinel solutions | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-playbook-creation |\n| Create summary rules and tables for Sentinel solutions | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-summary-rules-creation |\n| Create and publish workbooks for Microsoft Sentinel solutions | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-workbook-creation |\n| Configure Azure Storage Blob connector for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/setup-azure-storage-connector |\n| Call Microsoft Sentinel SOC optimization recommendations API | https://learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-api |\n| Import threat intelligence using Sentinel STIX upload API | https://learn.microsoft.com/en-us/azure/sentinel/stix-objects-api |\n| Enrich Sentinel incidents with IP reputation automation | https://learn.microsoft.com/en-us/azure/sentinel/tutorial-enrich-ip-information |\n| Extract non-native Sentinel entities using playbook actions | 
https://learn.microsoft.com/en-us/azure/sentinel/tutorial-extract-incident-entities |\n| Use legacy Sentinel upload indicators API | https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api |\n| Use Sentinel watchlists in KQL queries and rules | https://learn.microsoft.com/en-us/azure/sentinel/watchlists-queries |\n| Query STIX indicator and object tables in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/work-with-stix-objects-indicators |\n\n### Deployment\n| Topic | URL |\n|-------|-----|\n| Deploy Sentinel solution for Power Platform and CE | https://learn.microsoft.com/en-us/azure/sentinel/business-applications/deploy-power-platform-solution |\n| Create repository connections to deploy Sentinel content | https://learn.microsoft.com/en-us/azure/sentinel/ci-cd |\n| Use repositories and CI/CD for Microsoft Sentinel content | https://learn.microsoft.com/en-us/azure/sentinel/ci-cd-custom-content |\n| Customize CI/CD repository deployments for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/ci-cd-custom-deploy |\n| Onboard Azure Stack Hub VMs to Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-stack |\n| Deploy Sentinel solution for Dynamics 365 Finance and Operations | https://learn.microsoft.com/en-us/azure/sentinel/dynamics-365/deploy-dynamics-365-finance-operations-solution |\n| Import and export Sentinel analytics rules via ARM | https://learn.microsoft.com/en-us/azure/sentinel/import-export-analytics-rules |\n| Manage Sentinel automation rules as code with ARM templates | https://learn.microsoft.com/en-us/azure/sentinel/import-export-automation-rules |\n| Check Sentinel Defender XDR data support by cloud | https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-cloud-support |\n| Run Sentinel hunting notebooks in Azure ML workspaces | https://learn.microsoft.com/en-us/azure/sentinel/notebooks-hunt |\n| Package and publish Microsoft Sentinel platform solutions | 
https://learn.microsoft.com/en-us/azure/sentinel/package-platform-solution |\n| Publish Microsoft Sentinel SIEM solutions to marketplace | https://learn.microsoft.com/en-us/azure/sentinel/publish-sentinel-solutions |\n| Deploy SAP connector container via command line | https://learn.microsoft.com/en-us/azure/sentinel/sap/deploy-command-line |\n| Deploy SAP data connector container to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/sap/deploy-data-connector-agent-container |\n| Deploy Sentinel solution for SAP BTP systems | https://learn.microsoft.com/en-us/azure/sentinel/sap/deploy-sap-btp-solution |\n| Install Microsoft Sentinel solution for SAP applications | https://learn.microsoft.com/en-us/azure/sentinel/sap/deploy-sap-security-content |\n| Migrate Sentinel SAP container agent to agentless connector | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-agent-migrate |\n| Expert deployment options for Sentinel SAP connector | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-deploy-alternate |\n| Update Sentinel SAP data connector agent safely | https://learn.microsoft.com/en-us/azure/sentinel/sap/update-sap-data-connector |\n| Discover and deploy Sentinel content hub solutions | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-deploy |\n| Track Microsoft Sentinel solution status after publishing | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-post-publish-tracking 
|","tags":["azure","sentinel","agent","skills","microsoftdocs","agent-skills","agentic-skills","agentskill","ai-agents","ai-coding","azure-functions","azure-kubernetes-service"],"capabilities":["skill","source-microsoftdocs","skill-azure-sentinel","topic-agent","topic-agent-skills","topic-agentic-skills","topic-agentskill","topic-ai-agents","topic-ai-coding","topic-azure","topic-azure-functions","topic-azure-kubernetes-service","topic-azure-openai","topic-azure-sql-database","topic-azure-storage"],"categories":["Agent-Skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/MicrosoftDocs/Agent-Skills/azure-sentinel","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add MicrosoftDocs/Agent-Skills","source_repo":"https://github.com/MicrosoftDocs/Agent-Skills","install_from":"skills.sh"}},"qualityScore":"0.698","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 497 github stars · SKILL.md body (43,943 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-22T00:53:37.078Z","embedding":null,"createdAt":"2026-04-18T22:00:03.463Z","updatedAt":"2026-04-22T00:53:37.078Z","lastSeenAt":"2026-04-22T00:53:37.078Z","tsv":"
'learn.microsoft.com':471,481,492,504,515,524,534,543,557,567,578,588,599,610,622,632,641,651,662,673,685,696,706,716,726,737,746,756,767,777,787,804,818,830,841,852,863,873,884,895,906,918,930,940,951,962,973,983,994,1006,1017,1027,1039,1051,1062,1072,1082,1093,1104,1114,1125,1135,1146,1156,1172,1182,1192,1204,1214,1224,1234,1244,1255,1266,1282,1292,1303,1314,1324,1336,1346,1357,1370,1379,1390,1401,1414,1427,1438,1451,1460,1471,1481,1493,1508,1518,1528,1539,1549,1561,1572,1584,1597,1606,1617,1628,1641,1654,1665,1676,1689,1703,1714,1725,1737,1747,1758,1770,1781,1793,1803,1813,1823,1833,1844,1855,1865,1874,1885,1895,1905,1917,1928,1940,1952,1962,1974,1984,1996,2006,2018,2027,2038,2050,2061,2072,2083,2096,2107,2117,2129,2139,2150,2160,2171,2180,2191,2202,2212,2224,2234,2245,2255,2267,2279,2290,2300,2311,2321,2331,2341,2352,2363,2374,2385,2395,2405,2415,2426,2437,2448,2459,2468,2478,2489,2498,2509,2520,2530,2542,2553,2563,2573,2583,2593,2602,2612,2623,2634,2645,2655,2667,2678,2689,2698,2707,2717,2726,2736,2748,2758,2767,2778,2787,2798,2809,2820,2831,2842,2858,2870,2880,2894,2909,2920,2930,2941,2953,2964,2976,2986,2996,3007,3018,3028,3040,3051,3064,3075,3085,3099,3110,3121,3132,3143,3153,3164,3174,3185,3195,3207,3218,3228,3238,3248 'learn.microsoft.com/en-us/azure/sentinel/add-advanced-conditions-to-automation-rules':1507 'learn.microsoft.com/en-us/azure/sentinel/ama-migrate':803 'learn.microsoft.com/en-us/azure/sentinel/api-dcr-reference':2857 'learn.microsoft.com/en-us/azure/sentinel/audit-sentinel-data':1369 'learn.microsoft.com/en-us/azure/sentinel/audit-table-reference':1517 'learn.microsoft.com/en-us/azure/sentinel/audit-track-tasks':556 'learn.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules':566 'learn.microsoft.com/en-us/azure/sentinel/automation-rule-reference':1527 'learn.microsoft.com/en-us/azure/sentinel/automation/authenticate-playbooks-to-sentinel':1378 
'learn.microsoft.com/en-us/azure/sentinel/automation/automation':1171 'learn.microsoft.com/en-us/azure/sentinel/automation/define-playbook-access-restrictions':1389 'learn.microsoft.com/en-us/azure/sentinel/automation/migrate-playbooks-to-automation-rules':817 'learn.microsoft.com/en-us/azure/sentinel/automation/playbook-triggers-actions':2869 'learn.microsoft.com/en-us/azure/sentinel/automation/tutorial-respond-threats-playbook':577 'learn.microsoft.com/en-us/azure/sentinel/aws-disruption':1400 'learn.microsoft.com/en-us/azure/sentinel/aws-s3-troubleshoot':470 'learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot':480 'learn.microsoft.com/en-us/azure/sentinel/basic-logs-use-cases':829 'learn.microsoft.com/en-us/azure/sentinel/best-practices':587 'learn.microsoft.com/en-us/azure/sentinel/best-practices-data':598 'learn.microsoft.com/en-us/azure/sentinel/billing':840 'learn.microsoft.com/en-us/azure/sentinel/billing-monitor-costs':851 'learn.microsoft.com/en-us/azure/sentinel/billing-pre-purchase-plan':862 'learn.microsoft.com/en-us/azure/sentinel/billing-reduce-costs':872 'learn.microsoft.com/en-us/azure/sentinel/bring-your-own-ml':1181 'learn.microsoft.com/en-us/azure/sentinel/business-applications/deploy-power-platform-solution':3388 'learn.microsoft.com/en-us/azure/sentinel/business-applications/power-platform-solution-security-content':1538 'learn.microsoft.com/en-us/azure/sentinel/business-continuity-disaster-recovery':1191 'learn.microsoft.com/en-us/azure/sentinel/cef-name-mapping':1548 'learn.microsoft.com/en-us/azure/sentinel/cef-syslog-ama-overview':1560 'learn.microsoft.com/en-us/azure/sentinel/cef-syslog-ama-troubleshooting':491 'learn.microsoft.com/en-us/azure/sentinel/ci-cd':3398 'learn.microsoft.com/en-us/azure/sentinel/ci-cd-custom-content':3409 'learn.microsoft.com/en-us/azure/sentinel/ci-cd-custom-deploy':3418 'learn.microsoft.com/en-us/azure/sentinel/cisco-ftd-firewall':883 
'learn.microsoft.com/en-us/azure/sentinel/collaborate-in-microsoft-teams':2879 'learn.microsoft.com/en-us/azure/sentinel/compare-analytics-rules-custom-detections':894 'learn.microsoft.com/en-us/azure/sentinel/configure-connector-login-detection':1571 'learn.microsoft.com/en-us/azure/sentinel/configure-data-retention-archive':1583 'learn.microsoft.com/en-us/azure/sentinel/configure-data-transformation':1596 'learn.microsoft.com/en-us/azure/sentinel/configure-fusion-rules':1605 'learn.microsoft.com/en-us/azure/sentinel/connect-aws':1616 'learn.microsoft.com/en-us/azure/sentinel/connect-aws-configure-environment':1627 'learn.microsoft.com/en-us/azure/sentinel/connect-aws-s3-waf':1640 'learn.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory':1653 'learn.microsoft.com/en-us/azure/sentinel/connect-azure-functions-template':2893 'learn.microsoft.com/en-us/azure/sentinel/connect-azure-stack':3429 'learn.microsoft.com/en-us/azure/sentinel/connect-azure-virtual-desktop':1664 'learn.microsoft.com/en-us/azure/sentinel/connect-azure-windows-microsoft-services':1675 'learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog-ama':1688 'learn.microsoft.com/en-us/azure/sentinel/connect-custom-logs-ama':1702 'learn.microsoft.com/en-us/azure/sentinel/connect-defender-for-cloud':1713 'learn.microsoft.com/en-us/azure/sentinel/connect-dns-ama':1724 'learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform':1736 'learn.microsoft.com/en-us/azure/sentinel/connect-logstash-data-connection-rules':2908 'learn.microsoft.com/en-us/azure/sentinel/connect-mdti-data-connector':2919 'learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender':1746 'learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-purview':1757 'learn.microsoft.com/en-us/azure/sentinel/connect-services-api-based':1769 'learn.microsoft.com/en-us/azure/sentinel/connect-services-diagnostic-setting-based':1780 
'learn.microsoft.com/en-us/azure/sentinel/connect-services-windows-based':1792 'learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-taxii':2929 'learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-tip':2940 'learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api':2952 'learn.microsoft.com/en-us/azure/sentinel/create-analytics-rule-from-template':1802 'learn.microsoft.com/en-us/azure/sentinel/create-analytics-rules':1812 'learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector':2963 'learn.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts':1822 'learn.microsoft.com/en-us/azure/sentinel/create-manage-use-automation-rules':1832 'learn.microsoft.com/en-us/azure/sentinel/create-nrt-rules':1843 'learn.microsoft.com/en-us/azure/sentinel/create-push-codeless-connector':2975 'learn.microsoft.com/en-us/azure/sentinel/create-tasks-automation-rule':1854 'learn.microsoft.com/en-us/azure/sentinel/customer-managed-keys':1413 'learn.microsoft.com/en-us/azure/sentinel/customize-alert-details':1864 'learn.microsoft.com/en-us/azure/sentinel/customize-entity-activities':1873 'learn.microsoft.com/en-us/azure/sentinel/data-connection-rules-reference-azure-storage':1884 'learn.microsoft.com/en-us/azure/sentinel/data-connection-rules-reference-gcp':2985 'learn.microsoft.com/en-us/azure/sentinel/data-connector-connection-rules-reference':1894 'learn.microsoft.com/en-us/azure/sentinel/data-connector-ui-definitions-reference':2995 'learn.microsoft.com/en-us/azure/sentinel/data-source-schema-reference':1904 'learn.microsoft.com/en-us/azure/sentinel/data-type-cloud-support':905 'learn.microsoft.com/en-us/azure/sentinel/datalake/asset-data-tables':1916 'learn.microsoft.com/en-us/azure/sentinel/datalake/auditing-lake-activities':1426 'learn.microsoft.com/en-us/azure/sentinel/datalake/create-custom-graphs':3006 'learn.microsoft.com/en-us/azure/sentinel/datalake/data-federation-setup':1927 
'learn.microsoft.com/en-us/azure/sentinel/datalake/gql-reference-for-sentinel-custom-graph':3017 'learn.microsoft.com/en-us/azure/sentinel/datalake/graph-rest-api':3027 'learn.microsoft.com/en-us/azure/sentinel/datalake/kql-jobs':1939,1951 'learn.microsoft.com/en-us/azure/sentinel/datalake/kql-jobs-summary-rules-search-jobs':917 'learn.microsoft.com/en-us/azure/sentinel/datalake/kql-manage-jobs':1961 'learn.microsoft.com/en-us/azure/sentinel/datalake/kql-queries':1973 'learn.microsoft.com/en-us/azure/sentinel/datalake/kql-queries-api':3039 'learn.microsoft.com/en-us/azure/sentinel/datalake/kql-troubleshoot':503 'learn.microsoft.com/en-us/azure/sentinel/datalake/notebook-examples':3050 'learn.microsoft.com/en-us/azure/sentinel/datalake/notebook-jobs':1983 'learn.microsoft.com/en-us/azure/sentinel/datalake/notebooks':3063 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-graph-provider-reference':3074 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-connectors':1995 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-onboard-defender':2005 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-onboarding':2017 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-service-limits':1281 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-agent-creation-tool':3084 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-billing':1291 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-chatgpt-claude-connector':3098 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-create-custom-tool':3109 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-data-exploration-tool':2026 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-get-started':2037 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-logic-apps':3120 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-triage-tool':3131 
'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-azure-ai-foundry':2049 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-copilot-studio':2060 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-security-copilot':2071 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-provider-class-reference':3142 'learn.microsoft.com/en-us/azure/sentinel/datalake/troubleshoot-sentinel-mcp':514 'learn.microsoft.com/en-us/azure/sentinel/datalake/workbooks-for-data-lake':2082 'learn.microsoft.com/en-us/azure/sentinel/deploy-side-by-side':929 'learn.microsoft.com/en-us/azure/sentinel/detection-tuning':609 'learn.microsoft.com/en-us/azure/sentinel/dns-ama-fields':2095 'learn.microsoft.com/en-us/azure/sentinel/domain-based-essential-solutions':621 'learn.microsoft.com/en-us/azure/sentinel/dynamics-365/deploy-dynamics-365-finance-operations-solution':3441 'learn.microsoft.com/en-us/azure/sentinel/dynamics-365/dynamics-365-finance-operations-security-content':2106 'learn.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics':2116 'learn.microsoft.com/en-us/azure/sentinel/enable-monitoring':2128 'learn.microsoft.com/en-us/azure/sentinel/enable-storage-network-security':1437 'learn.microsoft.com/en-us/azure/sentinel/enroll-simplified-pricing-tier':939 'learn.microsoft.com/en-us/azure/sentinel/entities-reference':2138 'learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants':1203 'learn.microsoft.com/en-us/azure/sentinel/false-positives':631 'learn.microsoft.com/en-us/azure/sentinel/feature-availability':950 'learn.microsoft.com/en-us/azure/sentinel/geographical-availability-data-residency':961 'learn.microsoft.com/en-us/azure/sentinel/geolocation-data-api':3152 'learn.microsoft.com/en-us/azure/sentinel/health-audit':2149 'learn.microsoft.com/en-us/azure/sentinel/health-table-reference':2159 'learn.microsoft.com/en-us/azure/sentinel/hunting-with-rest-api':3163 
'learn.microsoft.com/en-us/azure/sentinel/hunts-custom-queries':3173 'learn.microsoft.com/en-us/azure/sentinel/import-export-analytics-rules':3452 'learn.microsoft.com/en-us/azure/sentinel/import-export-automation-rules':3464 'learn.microsoft.com/en-us/azure/sentinel/incident-tasks':640 'learn.microsoft.com/en-us/azure/sentinel/indicators-bulk-file-import':2170 'learn.microsoft.com/en-us/azure/sentinel/ingest-defender-for-cloud-incidents':3184 'learn.microsoft.com/en-us/azure/sentinel/ingestion-delay':650 'learn.microsoft.com/en-us/azure/sentinel/investigate-large-datasets':1213 'learn.microsoft.com/en-us/azure/sentinel/log-plans':1302 'learn.microsoft.com/en-us/azure/sentinel/manage-analytics-rule-templates':2179 'learn.microsoft.com/en-us/azure/sentinel/manage-data-overview':972 'learn.microsoft.com/en-us/azure/sentinel/manage-platform-solutions':2190 'learn.microsoft.com/en-us/azure/sentinel/manage-soc-with-incident-metrics':661 'learn.microsoft.com/en-us/azure/sentinel/manage-table-tiers-retention':2201 'learn.microsoft.com/en-us/azure/sentinel/map-data-fields-to-entities':2211 'learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-cloud-support':3475 'learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration':3194 'learn.microsoft.com/en-us/azure/sentinel/microsoft-purview-record-types-activities':2223 'learn.microsoft.com/en-us/azure/sentinel/microsoft-sentinel-defender-portal':982 'learn.microsoft.com/en-us/azure/sentinel/migration':993 'learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-automation':1005 'learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-detection-rules':1016 'learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-historical-data':1026 'learn.microsoft.com/en-us/azure/sentinel/migration-ingestion-target-platform':1038 'learn.microsoft.com/en-us/azure/sentinel/migration-ingestion-tool':1050 'learn.microsoft.com/en-us/azure/sentinel/migration-qradar-automation':1061 
'learn.microsoft.com/en-us/azure/sentinel/migration-qradar-detection-rules':1071 'learn.microsoft.com/en-us/azure/sentinel/migration-qradar-historical-data':1081 'learn.microsoft.com/en-us/azure/sentinel/migration-security-operations-center-processes':672 'learn.microsoft.com/en-us/azure/sentinel/migration-splunk-automation':1092 'learn.microsoft.com/en-us/azure/sentinel/migration-splunk-detection-rules':1103 'learn.microsoft.com/en-us/azure/sentinel/migration-splunk-historical-data':1113 'learn.microsoft.com/en-us/azure/sentinel/monitor-analytics-rule-integrity':684 'learn.microsoft.com/en-us/azure/sentinel/monitor-automation-health':2233 'learn.microsoft.com/en-us/azure/sentinel/monitor-data-connector-health':2244 'learn.microsoft.com/en-us/azure/sentinel/monitor-optimize-analytics-rule-execution':695 'learn.microsoft.com/en-us/azure/sentinel/monitor-sap-system-health':2254 'learn.microsoft.com/en-us/azure/sentinel/mssp-protect-intellectual-property':705 'learn.microsoft.com/en-us/azure/sentinel/multiple-tenants-service-providers':2266 'learn.microsoft.com/en-us/azure/sentinel/multiple-workspace-view':1223 'learn.microsoft.com/en-us/azure/sentinel/near-real-time-rules':2278 'learn.microsoft.com/en-us/azure/sentinel/normalization-about-workspace-parsers':2289 'learn.microsoft.com/en-us/azure/sentinel/normalization-common-fields':2299 'learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers':2310 'learn.microsoft.com/en-us/azure/sentinel/normalization-entity-application':2320 'learn.microsoft.com/en-us/azure/sentinel/normalization-entity-device':2330 'learn.microsoft.com/en-us/azure/sentinel/normalization-entity-user':2340 'learn.microsoft.com/en-us/azure/sentinel/normalization-functions':3206 'learn.microsoft.com/en-us/azure/sentinel/normalization-known-issues':1313 'learn.microsoft.com/en-us/azure/sentinel/normalization-manage-parsers':2351 'learn.microsoft.com/en-us/azure/sentinel/normalization-modify-content':2362 
'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-alert':2373 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-audit':2384 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-authentication':2394 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-dhcp':2404 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-dns':2414 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-file-event':2425 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-network':2436 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-process-event':2447 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-registry-event':2458 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-user-management':2467 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-v1':2477 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-web':2488 'learn.microsoft.com/en-us/azure/sentinel/notebook-get-started':2497 'learn.microsoft.com/en-us/azure/sentinel/notebooks':1233 'learn.microsoft.com/en-us/azure/sentinel/notebooks-hunt':3486 'learn.microsoft.com/en-us/azure/sentinel/notebooks-msticpy-advanced':2508 'learn.microsoft.com/en-us/azure/sentinel/offboard':2519 'learn.microsoft.com/en-us/azure/sentinel/offboard-implications':1323 'learn.microsoft.com/en-us/azure/sentinel/ops-guide':715 'learn.microsoft.com/en-us/azure/sentinel/package-platform-solution':3496 'learn.microsoft.com/en-us/azure/sentinel/partner-integrations':1243 'learn.microsoft.com/en-us/azure/sentinel/powerbi':3217 'learn.microsoft.com/en-us/azure/sentinel/publish-sentinel-solutions':3506 'learn.microsoft.com/en-us/azure/sentinel/purview-solution':2529 'learn.microsoft.com/en-us/azure/sentinel/resource-context-rbac':1450 'learn.microsoft.com/en-us/azure/sentinel/respond-threats-during-investigation':3227 'learn.microsoft.com/en-us/azure/sentinel/restore':2541 'learn.microsoft.com/en-us/azure/sentinel/roles':1459 
'learn.microsoft.com/en-us/azure/sentinel/sap/collect-sap-hana-audit-logs':2552 'learn.microsoft.com/en-us/azure/sentinel/sap/cross-workspace':1254 'learn.microsoft.com/en-us/azure/sentinel/sap/deploy-command-line':3516 'learn.microsoft.com/en-us/azure/sentinel/sap/deploy-data-connector-agent-container':3526 'learn.microsoft.com/en-us/azure/sentinel/sap/deploy-sap-btp-solution':3536 'learn.microsoft.com/en-us/azure/sentinel/sap/deploy-sap-security-content':3546 'learn.microsoft.com/en-us/azure/sentinel/sap/deployment-solution-configuration':725 'learn.microsoft.com/en-us/azure/sentinel/sap/preparing-sap':2562 'learn.microsoft.com/en-us/azure/sentinel/sap/prerequisites-for-deploying-sap-continuous-threat-monitoring':2572 'learn.microsoft.com/en-us/azure/sentinel/sap/reference-kickstart':2582 'learn.microsoft.com/en-us/azure/sentinel/sap/reference-systemconfig':2592 'learn.microsoft.com/en-us/azure/sentinel/sap/reference-systemconfig-json':2601 'learn.microsoft.com/en-us/azure/sentinel/sap/reference-update':2611 'learn.microsoft.com/en-us/azure/sentinel/sap/required-abap-authorizations':1470 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-agent-migrate':3557 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-audit-controls-workbook':2622 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-audit-log-workbook':2633 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-btp-security-content':2644 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-deploy-troubleshoot':523 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-deploy-alternate':3567 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-function-reference':2654 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-log-reference':2666 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-security-content':2677 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-suspicious-configuration-security-parameters':1480 'learn.microsoft.com/en-us/azure/sentinel/sap/stop-collection':2688 
'learn.microsoft.com/en-us/azure/sentinel/sap/update-sap-data-connector':3577 'learn.microsoft.com/en-us/azure/sentinel/scheduled-rules-overview':2697 'learn.microsoft.com/en-us/azure/sentinel/scoping':1492 'learn.microsoft.com/en-us/azure/sentinel/search-jobs':1335 'learn.microsoft.com/en-us/azure/sentinel/security-alert-schema':2706 'learn.microsoft.com/en-us/azure/sentinel/security-alert-schema-differences':1124 'learn.microsoft.com/en-us/azure/sentinel/sentinel-analytic-rules-creation':3237 'learn.microsoft.com/en-us/azure/sentinel/sentinel-hunting-rules-creation':3247 'learn.microsoft.com/en-us/azure/sentinel/sentinel-integration-guide':3257 'learn.microsoft.com/en-us/azure/sentinel/sentinel-playbook-creation':3268 'learn.microsoft.com/en-us/azure/sentinel/sentinel-service-limits':1345 'learn.microsoft.com/en-us/azure/sentinel/sentinel-solution':736 'learn.microsoft.com/en-us/azure/sentinel/sentinel-solution-deprecation':745 'learn.microsoft.com/en-us/azure/sentinel/sentinel-solution-quality-guidance':755 'learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog':1134 'learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-deploy':3587 'learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-post-publish-tracking':3597 'learn.microsoft.com/en-us/azure/sentinel/sentinel-summary-rules-creation':3279 'learn.microsoft.com/en-us/azure/sentinel/sentinel-tables-connectors-reference':2716 'learn.microsoft.com/en-us/azure/sentinel/sentinel-workbook-creation':3290 'learn.microsoft.com/en-us/azure/sentinel/setup-azure-storage-connector':3300 'learn.microsoft.com/en-us/azure/sentinel/siem-migration':1145 'learn.microsoft.com/en-us/azure/sentinel/soc-ml-anomalies':2725 'learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-access':1155 'learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-api':3310 'learn.microsoft.com/en-us/azure/sentinel/solution-setup-essentials':2735 
'learn.microsoft.com/en-us/azure/sentinel/stix-objects-api':3321 'learn.microsoft.com/en-us/azure/sentinel/summary-rules':2747 'learn.microsoft.com/en-us/azure/sentinel/surface-custom-details-in-alerts':2757 'learn.microsoft.com/en-us/azure/sentinel/threat-intelligence-integration':2766 'learn.microsoft.com/en-us/azure/sentinel/transformation-filter-split':2777 'learn.microsoft.com/en-us/azure/sentinel/troubleshoot-analytics-rules':533 'learn.microsoft.com/en-us/azure/sentinel/troubleshoot-sentinel-solutions':542 'learn.microsoft.com/en-us/azure/sentinel/tutorial-enrich-ip-information':3331 'learn.microsoft.com/en-us/azure/sentinel/tutorial-extract-incident-entities':3343 'learn.microsoft.com/en-us/azure/sentinel/ueba-reference':2786 'learn.microsoft.com/en-us/azure/sentinel/unified-connector-integration':2797 'learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api':3352 'learn.microsoft.com/en-us/azure/sentinel/watchlist-schemas':2808 'learn.microsoft.com/en-us/azure/sentinel/watchlists':766 'learn.microsoft.com/en-us/azure/sentinel/watchlists-create':1356 'learn.microsoft.com/en-us/azure/sentinel/watchlists-manage':776 'learn.microsoft.com/en-us/azure/sentinel/watchlists-queries':3363 'learn.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference':2819 'learn.microsoft.com/en-us/azure/sentinel/work-with-anomaly-rules':2830 'learn.microsoft.com/en-us/azure/sentinel/work-with-stix-objects-indicators':3374 'learn.microsoft.com/en-us/azure/sentinel/work-with-tasks':786 'learn.microsoft.com/en-us/azure/sentinel/workspace-manager':1265 'learn.microsoft.com/en-us/azure/sentinel/workspaces-defender-portal':2841 'legaci':988,2471,2585,2938,3347 'level':361,1486 'leverag':3077 'lifecycl':257,740 'limit':19,55,323,328,1268,1273,1288,1301,1310,1342,1355 'line':96,108,209,3515 'link':113,122 'list':1850 'local':66 'locat':90 'log':369,1049,1297,1418,1469,1594,1611,1624,1637,1650,1693,1701,1722,1733,2127,2516,2535,2548,2629,2657,2682,2905,3215 
'logic':2862,3118 'logstash':2897 'long':1578 'long-term':1577 'machin':1176 'maintain':769 'make':15,51,261,271,790 'manag':399,435,658,739,1196,1259,1352,1407,1837,1954,1966,2173,2184,2261,2281,2343,2464,3000,3155,3455 'map':1008,1144,1541,2204,2709 'markdown':189,205 'marketplac':445,3505 'mcp':148,175,229,340,512,1285,2022,2035,2042,2054,2065,3079,3092,3104,3114,3125 'mcp/ai':394 'mcp/llm':414 'metadata.generated':129 'metric':656 'microsoft':177,218,246,354,380,407,436,464,474,537,585,596,628,670,680,703,712,752,772,824,835,846,855,866,943,970,976,991,1069,1100,1153,1237,1277,1295,1320,1339,1363,1375,1410,1446,1454,1490,1511,1521,1614,1644,1662,1673,1706,1740,1750,1767,1912,1955,2011,2033,2045,2057,2068,2147,2155,2186,2237,2263,2349,2512,2523,2527,2701,2731,2775,2795,2817,2835,2876,2959,2973,3090,3156,3188,3192,3234,3244,3253,3265,3287,3304,3406,3427,3492,3500,3540,3591 'microsoftdoc':149,176 'migrat':273,796,808,986,996,1010,1025,1053,1064,1080,1084,1095,1112,1140,3549 'ml':316,3484 'mma':798 'model':317,1178 'monitor':396,675,687,728,1476,1516,1558,2124,2145,2226,2236,2247 'monitoring/health':259 'month':135 'mssp':305,699 'mssps':2265 'msticpi':2495,2502 'multi':301,1248,2259 'multi-ten':2258 'multi-workspac':300,1247 'multipl':1221,1262,2834 'multistag':1601 'name':1860 'nativ':3337 'near':2271 'near-real-tim':2270 'network':167,1430,2430,2473 'network/attack':373 'non':3336 'non-nat':3335 'normal':2360,2369,2380,2390,2400,2410,2421,2432,2443,2454,2465,2474,2484,3202 'notebook':459,1228,1981,2493,2504,3042,3055,3073,3481 'nrt':1838 'o':2105 'object':3370 'old':136 'onboard':1998,2008,3421 'op':314 'oper':244,565,581,709,1261,3440 'optim':279,689,845,1150,3307 'option':3562 'packag':428,3489 'paramet':1475,2577,2606 'parser':2286,2307,2347 'pattern':18,25,54,61,293,304,402,1160,1242,2846 'perform':660,2539 'permiss':1458 'plan':267,793,832,858,920,953,985 'platform':286,452,1033,1535,2188,2935,3385,3494 
","prices":[{"id":"6881f70c-514d-4dc8-be45-48b810cf8d79","listingId":"e1e145bf-94a3-420e-b3db-95d8eba30976","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"MicrosoftDocs","category":"Agent-Skills","install_from":"skills.sh"},"createdAt":"2026-04-18T22:00:03.463Z"}],"sources":[{"listingId":"e1e145bf-94a3-420e-b3db-95d8eba30976","source":"github","sourceId":"MicrosoftDocs/Agent-Skills/azure-sentinel","sourceUrl":"https://github.com/MicrosoftDocs/Agent-Skills/tree/main/skills/azure-sentinel","isPrimary":false,"firstSeenAt":"2026-04-18T22:00:03.463Z","lastSeenAt":"2026-04-22T00:53:37.078Z"}],"details":{"listingId":"e1e145bf-94a3-420e-b3db-95d8eba30976","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"MicrosoftDocs","slug":"azure-sentinel","github":{"repo":"MicrosoftDocs/Agent-Skills","stars":497,"topics":["agent","agent-skills","agentic-skills","agentskill","ai","ai-agents","ai-coding","azure","azure-functions","azure-kubernetes-service","azure-openai","azur
e-sql-database","azure-storage","azure-virtual-machine","claude-code","github-copilot","microsoft-learn","openai-codex","skills"],"license":"cc-by-4.0","html_url":"https://github.com/MicrosoftDocs/Agent-Skills","pushed_at":"2026-04-19T02:43:40Z","description":"Curated Agent Skills for Microsoft & Azure – giving AI coding assistants structured, real-time expertise from Microsoft Learn docs.","skill_md_sha":"d76b0845efc8ecd99b6f5dc7e29605306fa7a817","skill_md_path":"skills/azure-sentinel/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/MicrosoftDocs/Agent-Skills/tree/main/skills/azure-sentinel"},"layout":"multi","source":"github","category":"Agent-Skills","frontmatter":{"name":"azure-sentinel","description":"Expert knowledge for Azure Sentinel development including troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when configuring Sentinel connectors, KQL analytics rules, SOAR playbooks, UEBA/SAP data, or multi-workspace setups, and other Azure Sentinel related development tasks. Not for Azure Defender For Cloud (use azure-defender-for-cloud), Azure Security (use azure-security), Azure Monitor (use azure-monitor), Azure Network Watcher (use azure-network-watcher).","compatibility":"Requires network access. Uses mcp_microsoftdocs:microsoft_docs_fetch or fetch_webpage to retrieve documentation."},"skills_sh_url":"https://skills.sh/MicrosoftDocs/Agent-Skills/azure-sentinel"},"updatedAt":"2026-04-22T00:53:37.078Z"}}