{"id":"e1e145bf-94a3-420e-b3db-95d8eba30976","shortId":"3CXzXx","kind":"skill","title":"azure-sentinel","tagline":"Expert knowledge for Azure Sentinel development including troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when configuring Sentinel data connectors, ana","description":"# Azure Sentinel Skill\n\nThis skill provides expert guidance for Azure Sentinel. Covers troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. It combines local quick-reference content with remote documentation fetching capabilities.\n\n## How to Use This Skill\n\n> **IMPORTANT for Agent**: Use the **Category Index** below to locate relevant sections. For categories with line ranges (e.g., `L35-L120`), use `read_file` with the specified lines. For categories with file links (e.g., `[security.md](security.md)`), use `read_file` on the linked reference file.\n\n> **IMPORTANT for Agent**: If `metadata.generated_at` is more than 3 months old, suggest the user pull the latest version from the repository. If `mcp_microsoftdocs` tools are not available, suggest the user install it: [Installation Guide](https://github.com/MicrosoftDocs/mcp/blob/main/README.md)\n\nThis skill requires **network access** to fetch documentation content:\n- **Preferred**: Use `mcp_microsoftdocs:microsoft_docs_fetch` with query string `from=learn-agent-skill`. Returns Markdown.\n- **Fallback**: Use `fetch_webpage` with query string `from=learn-agent-skill&accept=text/markdown`. 
Returns Markdown.\n\n## Category Index\n\n| Category | Lines | Description |\n|----------|-------|-------------|\n| Troubleshooting | L37-L50 | Diagnosing and fixing Sentinel ingestion, connectors (AWS/S3, Blob, Syslog/CEF, SAP), KQL/jobs, ASIM, MCP tool, analytics rules (auto-disabled), and solution packaging issues. |\n| Best Practices | L51-L68 | Best practices for Sentinel workspace ops, data collection, analytics tuning (noise/false positives), ASIM/UEBA use, SAP/Zero Trust monitoring, watchlists, and solution lifecycle/quality. |\n| Decision Making | L69-L108 | Guidance on SIEM migration to Sentinel, cost and data tier planning, connector/solution selection, and choosing between Sentinel features (rules, jobs, playbooks, data lake) for optimal design. |\n| Architecture & Design Patterns | L109-L121 | Designing Sentinel workspace/tenant architectures, multi-workspace/SAP setups, BCDR planning, MSSP multi-tenant management, and cross-tenant/workspace integration patterns. |\n| Limits & Quotas | L122-L132 | Service limits, quotas, pricing and availability, data lake parameters, query timeouts, watchlist size/SLA, and implications/timing of disabling or removing Microsoft Sentinel. |\n| Security | L133-L147 | Security configuration for Sentinel: auth for playbooks, RBAC/roles, access restrictions, CMK & perimeters, SAP auth/params, MSSP IP protection, data residency, and AWS disruption actions. |\n| Configuration | L148-L290 | Configuring and managing Microsoft Sentinel: data connectors, analytics and automation rules, UEBA/Fusion, ASIM schemas, data lake/KQL jobs, SAP/AWS/GCP integrations, and health/auditing. |\n| Integrations & Coding Patterns | L291-L335 | APIs, code patterns, and tools for integrating Sentinel with data sources, threat intel, incidents, playbooks, MCP/Logic Apps, and querying/analyzing data via KQL, GQL, REST, and connectors. 
|\n| Deployment | L336-L356 | Deploying and managing Microsoft Sentinel solutions and connectors (SAP, Power Platform, Dynamics), CI/CD via repositories/ARM, environment support, and solution publishing/updates. |\n\n### Troubleshooting\n| Topic | URL |\n|-------|-----|\n| Troubleshoot AWS S3 log ingestion connector issues in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/aws-s3-troubleshoot |\n| Troubleshoot Microsoft Sentinel Azure Storage Blob connector | https://learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot |\n| Troubleshoot Syslog and CEF ingestion via AMA in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/cef-syslog-ama-troubleshooting |\n| Troubleshoot KQL queries and jobs in Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-troubleshoot |\n| Resolve common Jupyter notebook errors in Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/notebooks-troubleshooting |\n| Troubleshoot and optimize Microsoft Sentinel MCP tool usage | https://learn.microsoft.com/en-us/azure/sentinel/datalake/troubleshoot-sentinel-mcp |\n| Resolve known issues with ASIM in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-known-issues |\n| Troubleshoot Sentinel SAP data connector agent | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-deploy-troubleshoot |\n| Troubleshoot Sentinel analytics rules and AUTO DISABLED | https://learn.microsoft.com/en-us/azure/sentinel/troubleshoot-analytics-rules |\n| Troubleshoot Microsoft Sentinel solution ingestion and packaging | https://learn.microsoft.com/en-us/azure/sentinel/troubleshoot-sentinel-solutions |\n\n### Best Practices\n| Topic | URL |\n|-------|-----|\n| Apply best practices for managing Sentinel workspaces | https://learn.microsoft.com/en-us/azure/sentinel/best-practices |\n| Apply best practices for data collection in Microsoft Sentinel | 
https://learn.microsoft.com/en-us/azure/sentinel/best-practices-data |\n| Fine-tune Sentinel analytics rules to reduce noise | https://learn.microsoft.com/en-us/azure/sentinel/detection-tuning |\n| Use ASIM-based essential domain solutions in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/domain-based-essential-solutions |\n| Reduce false positives in Microsoft Sentinel analytics | https://learn.microsoft.com/en-us/azure/sentinel/false-positives |\n| Handle data ingestion delay in Sentinel rules | https://learn.microsoft.com/en-us/azure/sentinel/ingestion-delay |\n| Use UEBA data to investigate Sentinel incidents | https://learn.microsoft.com/en-us/azure/sentinel/investigate-with-ueba |\n| Convert Sentinel content to use ASIM normalization | https://learn.microsoft.com/en-us/azure/sentinel/normalization-modify-content |\n| Apply operational best practices for Microsoft Sentinel SOCs | https://learn.microsoft.com/en-us/azure/sentinel/ops-guide |\n| Configure Sentinel SAP detections and threat protection | https://learn.microsoft.com/en-us/azure/sentinel/sap/deployment-solution-configuration |\n| Monitor Zero Trust TIC 3.0 architectures with Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solution |\n| Manage deprecated Microsoft Sentinel solutions lifecycle | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solution-deprecation |\n| Apply quality guidelines to Microsoft Sentinel solutions | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solution-quality-guidance |\n| Use watchlists to enrich and correlate Sentinel data | https://learn.microsoft.com/en-us/azure/sentinel/watchlists |\n\n### Decision Making\n| Topic | URL |\n|-------|-----|\n| Plan and execute migration from MMA to AMA for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate |\n| Migrate Sentinel alert-trigger playbooks to automation rules | 
https://learn.microsoft.com/en-us/azure/sentinel/automation/migrate-playbooks-to-automation-rules |\n| Decide when to use Sentinel data lake tier | https://learn.microsoft.com/en-us/azure/sentinel/basic-logs-use-cases |\n| Plan and estimate Microsoft Sentinel billing costs | https://learn.microsoft.com/en-us/azure/sentinel/billing |\n| Monitor and optimize Microsoft Sentinel costs | https://learn.microsoft.com/en-us/azure/sentinel/billing-monitor-costs |\n| Choose and use Sentinel pre-purchase cost plans | https://learn.microsoft.com/en-us/azure/sentinel/billing-pre-purchase-plan |\n| Reduce and control Microsoft Sentinel costs | https://learn.microsoft.com/en-us/azure/sentinel/billing-reduce-costs |\n| Choose and configure Cisco firewall connectors for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/cisco-ftd-firewall |\n| Choose between Sentinel analytics rules and custom detections | https://learn.microsoft.com/en-us/azure/sentinel/compare-analytics-rules-custom-detections |\n| Understand Sentinel connector data type cloud support | https://learn.microsoft.com/en-us/azure/sentinel/data-type-cloud-support |\n| Choose between KQL jobs, summary rules, and search jobs in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-jobs-summary-rules-search-jobs |\n| Decide which logs to ingest into Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-log-ingestion-guidance |\n| Deploy Sentinel alongside an existing SIEM platform | https://learn.microsoft.com/en-us/azure/sentinel/deploy-side-by-side |\n| Enroll Sentinel workspace in simplified pricing tier | https://learn.microsoft.com/en-us/azure/sentinel/enroll-simplified-pricing-tier |\n| Decide when to use search jobs and restore data in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/investigate-large-datasets |\n| Select Microsoft Sentinel log retention tiers | https://learn.microsoft.com/en-us/azure/sentinel/log-plans |\n| Plan 
Sentinel data tiers and retention strategy | https://learn.microsoft.com/en-us/azure/sentinel/manage-data-overview |\n| Assess Defender XDR connector data type support by cloud | https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-cloud-support |\n| Plan migration from legacy SIEMs to Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/migration |\n| Migrate ArcSight SOAR automation to Sentinel rules and playbooks | https://learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-automation |\n| Map and migrate ArcSight detection rules to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-detection-rules |\n| Export ArcSight historical data for Sentinel migration | https://learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-historical-data |\n| Choose Azure target platform for Sentinel historical data | https://learn.microsoft.com/en-us/azure/sentinel/migration-ingestion-target-platform |\n| Select data ingestion tools for Sentinel historical logs | https://learn.microsoft.com/en-us/azure/sentinel/migration-ingestion-tool |\n| Migrate QRadar SOAR automation to Sentinel automation | https://learn.microsoft.com/en-us/azure/sentinel/migration-qradar-automation |\n| Map and migrate QRadar detection rules to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/migration-qradar-detection-rules |\n| Export QRadar historical data for Sentinel migration | https://learn.microsoft.com/en-us/azure/sentinel/migration-qradar-historical-data |\n| Migrate Splunk SOAR automation to Sentinel automation rules | https://learn.microsoft.com/en-us/azure/sentinel/migration-splunk-automation |\n| Migrate Splunk detection rules to Microsoft Sentinel analytics | https://learn.microsoft.com/en-us/azure/sentinel/migration-splunk-detection-rules |\n| Export Splunk historical data for Sentinel migration | https://learn.microsoft.com/en-us/azure/sentinel/migration-splunk-historical-data |\n| Prioritize Microsoft 
Sentinel data connectors strategically | https://learn.microsoft.com/en-us/azure/sentinel/prioritize-data-connectors |\n| Migrate from SAP agent container to agentless | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-agent-migrate |\n| Select domain-specific Sentinel solutions from content hub | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog |\n| Use Sentinel SIEM migration tool for Splunk and QRadar | https://learn.microsoft.com/en-us/azure/sentinel/siem-migration |\n| Apply Sentinel SOC optimization recommendations | https://learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-access |\n| Use Sentinel SOC optimization reference recommendations | https://learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-reference |\n\n### Architecture & Design Patterns\n| Topic | URL |\n|-------|-----|\n| Plan Sentinel business continuity and disaster recovery | https://learn.microsoft.com/en-us/azure/sentinel/business-continuity-disaster-recovery |\n| Extend Sentinel across multiple workspaces and tenants | https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants |\n| Onboard and manage multiple Sentinel tenants as MSSP | https://learn.microsoft.com/en-us/azure/sentinel/multiple-tenants-service-providers |\n| Design integration patterns for Microsoft Sentinel solutions | https://learn.microsoft.com/en-us/azure/sentinel/partner-integrations |\n| Plan multi-workspace and multi-tenant Sentinel layouts | https://learn.microsoft.com/en-us/azure/sentinel/prepare-multiple-workspaces |\n| Choose Microsoft Sentinel workspace architecture patterns | https://learn.microsoft.com/en-us/azure/sentinel/sample-workspace-designs |\n| Design multi-workspace architecture for Sentinel SAP | https://learn.microsoft.com/en-us/azure/sentinel/sap/cross-workspace |\n| Implement multi-workspace and multi-tenant Sentinel setup | 
https://learn.microsoft.com/en-us/azure/sentinel/use-multiple-workspaces |\n| Use multiple Sentinel workspaces in Defender portal | https://learn.microsoft.com/en-us/azure/sentinel/workspaces-defender-portal |\n\n### Limits & Quotas\n| Topic | URL |\n|-------|-----|\n| Review Microsoft Sentinel data lake service limits and parameters | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-service-limits |\n| Understand Sentinel MCP pricing, limits, and availability | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-billing |\n| Understand implications and timing of removing Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/offboard-implications |\n| Run Sentinel search jobs with query timeout limits | https://learn.microsoft.com/en-us/azure/sentinel/search-jobs |\n| Review Microsoft Sentinel service limits and quotas | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-service-limits |\n| Create Microsoft Sentinel watchlists with size limits | https://learn.microsoft.com/en-us/azure/sentinel/watchlists-create |\n| Edit Microsoft Sentinel watchlists with ingestion SLA | https://learn.microsoft.com/en-us/azure/sentinel/watchlists-manage |\n\n### Security\n| Topic | URL |\n|-------|-----|\n| Configure secure authentication for Sentinel playbooks | https://learn.microsoft.com/en-us/azure/sentinel/automation/authenticate-playbooks-to-sentinel |\n| Define access restriction policies for Sentinel Standard playbooks | https://learn.microsoft.com/en-us/azure/sentinel/automation/define-playbook-access-restrictions |\n| Enable automated attack disruption actions on AWS from Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/aws-disruption |\n| Configure customer-managed keys for Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/customer-managed-keys |\n| Enable network security perimeters for Sentinel blob connectors | 
https://learn.microsoft.com/en-us/azure/sentinel/enable-storage-network-security |\n| Design Sentinel for data residency and compliance | https://learn.microsoft.com/en-us/azure/sentinel/geographical-availability-data-residency |\n| Protect MSSP intellectual property in Sentinel deployments | https://learn.microsoft.com/en-us/azure/sentinel/mssp-protect-intellectual-property |\n| Configure resource-context RBAC for Sentinel data access | https://learn.microsoft.com/en-us/azure/sentinel/resource-context-rbac |\n| Configure Microsoft Sentinel roles and permissions | https://learn.microsoft.com/en-us/azure/sentinel/roles |\n| ABAP authorizations required for Sentinel SAP logs | https://learn.microsoft.com/en-us/azure/sentinel/sap/required-abap-authorizations |\n| SAP security parameters monitored by Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-suspicious-configuration-security-parameters |\n\n### Configuration\n| Topic | URL |\n|-------|-----|\n| Configure advanced OR condition groups in Sentinel automation rules | https://learn.microsoft.com/en-us/azure/sentinel/add-advanced-conditions-to-automation-rules |\n| Understand anomalies detected by Sentinel ML engine | https://learn.microsoft.com/en-us/azure/sentinel/anomalies-reference |\n| Configure and query Microsoft Sentinel audit data | https://learn.microsoft.com/en-us/azure/sentinel/audit-sentinel-data |\n| Reference fields in Microsoft Sentinel audit tables | https://learn.microsoft.com/en-us/azure/sentinel/audit-table-reference |\n| Configure Microsoft Sentinel automation rules for SOAR | https://learn.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules |\n| Configure Microsoft Sentinel automation rule properties | https://learn.microsoft.com/en-us/azure/sentinel/automation-rule-reference |\n| Security content reference for Power Platform and CE | https://learn.microsoft.com/en-us/azure/sentinel/business-applications/power-platform-solution-security-content 
|\n| Map CEF keys to Sentinel CommonSecurityLog fields | https://learn.microsoft.com/en-us/azure/sentinel/cef-name-mapping |\n| Configure Security Events connector for RDP anomaly detection | https://learn.microsoft.com/en-us/azure/sentinel/configure-connector-login-detection |\n| Configure Sentinel connectors, analytics, and automation | https://learn.microsoft.com/en-us/azure/sentinel/configure-content |\n| Configure interactive and long-term Sentinel data retention | https://learn.microsoft.com/en-us/azure/sentinel/configure-data-retention-archive |\n| Configure ingestion-time data transformation for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/configure-data-transformation |\n| Configure Fusion multistage attack detection rules | https://learn.microsoft.com/en-us/azure/sentinel/configure-fusion-rules |\n| Configure AWS service log ingestion to Sentinel via S3 | https://learn.microsoft.com/en-us/azure/sentinel/connect-aws |\n| Prepare AWS environment to send logs to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-aws-configure-environment |\n| Configure AWS EKS S3 connector to ingest audit logs | https://learn.microsoft.com/en-us/azure/sentinel/connect-aws-eks |\n| Configure AWS WAF S3 connector to ingest logs to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-aws-s3-waf |\n| Configure Microsoft Entra ID log connector for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory |\n| Connect Azure Virtual Desktop diagnostics and logs to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-virtual-desktop |\n| Configure Syslog and CEF ingestion via AMA to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog-ama |\n| Configure Custom Logs via AMA to ingest text-file logs | https://learn.microsoft.com/en-us/azure/sentinel/connect-custom-logs-ama |\n| Configure Microsoft Defender for Cloud alerts connector to Sentinel | 
https://learn.microsoft.com/en-us/azure/sentinel/connect-defender-for-cloud |\n| Stream and filter Windows DNS logs to Sentinel via AMA | https://learn.microsoft.com/en-us/azure/sentinel/connect-dns-ama |\n| Configure GCP Pub/Sub connectors to ingest logs into Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform |\n| Stream Microsoft Defender XDR incidents and events to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender |\n| Configure Microsoft Purview Information Protection connector for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-purview |\n| Configure API-based Microsoft service connectors for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-services-api-based |\n| Configure diagnostic settings-based connectors to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-services-diagnostic-setting-based |\n| Configure Windows agent-based data connectors with AMA | https://learn.microsoft.com/en-us/azure/sentinel/connect-services-windows-based |\n| Create scheduled analytics rules from templates | https://learn.microsoft.com/en-us/azure/sentinel/create-analytics-rule-from-template |\n| Create custom scheduled analytics rules in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/create-analytics-rules |\n| Configure incident creation from alerts in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts |\n| Create and manage Sentinel automation rules configuration | https://learn.microsoft.com/en-us/azure/sentinel/create-manage-use-automation-rules |\n| Create and manage NRT detection rules in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/create-nrt-rules |\n| Create incident task lists via Sentinel automation rules | https://learn.microsoft.com/en-us/azure/sentinel/create-tasks-automation-rule |\n| Customize alert names, severity, and tactics in Sentinel | 
https://learn.microsoft.com/en-us/azure/sentinel/customize-alert-details |\n| Customize activities on Sentinel entity timelines | https://learn.microsoft.com/en-us/azure/sentinel/customize-entity-activities |\n| Configure Azure Storage Blob CCF data connector | https://learn.microsoft.com/en-us/azure/sentinel/data-connection-rules-reference-azure-storage |\n| Configure GCP CCF data connector rules for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/data-connection-rules-reference-gcp |\n| Configure RestApiPoller CCF data connector JSON | https://learn.microsoft.com/en-us/azure/sentinel/data-connector-connection-rules-reference |\n| Define CCF data connector UIConfig JSON for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/data-connector-ui-definitions-reference |\n| Configure custom data ingestion and transformation for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/data-transformation |\n| Use asset data table mappings in Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/asset-data-tables |\n| Use audit log for Sentinel data lake activities | https://learn.microsoft.com/en-us/azure/sentinel/datalake/auditing-lake-activities |\n| Configure federated data connectors for Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/data-federation-setup |\n| Create and schedule KQL jobs in Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-jobs |\n| Configure KQL jobs to promote Sentinel data lake results | https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-jobs |\n| Manage and monitor KQL jobs in Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-manage-jobs |\n| Configure and run KQL queries and jobs in Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-queries |\n| Schedule and manage Sentinel notebook jobs for data processing | 
https://learn.microsoft.com/en-us/azure/sentinel/datalake/notebook-jobs |\n| Run and configure Jupyter notebooks on Sentinel data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/notebooks |\n| Onboard Sentinel data lake from Defender portal | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-onboard-defender |\n| Onboard to Microsoft Sentinel data lake and graph | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-onboarding |\n| Enable Sentinel MCP connector in ChatGPT or Claude | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-chatgpt-claude-connector |\n| Create and configure custom Sentinel MCP tools from KQL | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-create-custom-tool |\n| Use Sentinel MCP tools in Microsoft Foundry projects | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-azure-ai-foundry |\n| Add Sentinel MCP tools to Microsoft Copilot Studio agents | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-copilot-studio |\n| Configure Sentinel MCP tools in Microsoft Security Copilot | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-security-copilot |\n| Configure Sentinel MCP tools in Visual Studio Code | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-visual-studio-code |\n| Configure Sentinel workbooks to visualize data lake queries | https://learn.microsoft.com/en-us/azure/sentinel/datalake/workbooks-for-data-lake |\n| Configure DNS AMA connector fields and normalization | https://learn.microsoft.com/en-us/azure/sentinel/dns-ama-fields |\n| Security content reference for Dynamics 365 F&O | https://learn.microsoft.com/en-us/azure/sentinel/dynamics-365/dynamics-365-finance-operations-security-content |\n| Enable and configure UEBA in Microsoft Sentinel | 
https://learn.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics |\n| Enable Sentinel auditing and health monitoring | https://learn.microsoft.com/en-us/azure/sentinel/enable-monitoring |\n| Enable Microsoft Sentinel SIEM and core features | https://learn.microsoft.com/en-us/azure/sentinel/enable-sentinel-features-content |\n| Reference Microsoft Sentinel entity types and identifiers | https://learn.microsoft.com/en-us/azure/sentinel/entities-reference |\n| Use Fusion multistage attack detection in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/fusion |\n| Review Fusion-detected multistage attack scenarios | https://learn.microsoft.com/en-us/azure/sentinel/fusion-scenario-reference |\n| Use Sentinel auditing and health monitoring features | https://learn.microsoft.com/en-us/azure/sentinel/health-audit |\n| Reference fields in Microsoft Sentinel health tables | https://learn.microsoft.com/en-us/azure/sentinel/health-table-reference |\n| Manage template versions for Sentinel analytics rules | https://learn.microsoft.com/en-us/azure/sentinel/manage-analytics-rule-templates |\n| Configure, update, and uninstall Sentinel platform solutions | https://learn.microsoft.com/en-us/azure/sentinel/manage-platform-solutions |\n| Use Sentinel incident metrics to manage SOC performance | https://learn.microsoft.com/en-us/azure/sentinel/manage-soc-with-incident-metrics |\n| Configure table retention and tiers in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/manage-table-tiers-retention |\n| Map data fields to Sentinel entities in rules | https://learn.microsoft.com/en-us/azure/sentinel/map-data-fields-to-entities |\n| Use Purview Information Protection connector record types | https://learn.microsoft.com/en-us/azure/sentinel/microsoft-purview-record-types-activities |\n| Use Microsoft Sentinel within the Defender portal | https://learn.microsoft.com/en-us/azure/sentinel/microsoft-sentinel-defender-portal |\n| Monitor health and integrity 
of Sentinel analytics rules | https://learn.microsoft.com/en-us/azure/sentinel/monitor-analytics-rule-integrity |\n| Monitor health of Sentinel automation rules and playbooks | https://learn.microsoft.com/en-us/azure/sentinel/monitor-automation-health |\n| Monitor Sentinel data connector health and performance | https://learn.microsoft.com/en-us/azure/sentinel/monitor-data-connector-health |\n| Monitor and optimize Sentinel scheduled analytics rule execution | https://learn.microsoft.com/en-us/azure/sentinel/monitor-optimize-analytics-rule-execution |\n| Monitor health of Sentinel–SAP connectivity | https://learn.microsoft.com/en-us/azure/sentinel/monitor-sap-system-health |\n| View and manage Sentinel incidents across workspaces | https://learn.microsoft.com/en-us/azure/sentinel/multiple-workspace-view |\n| Configure near-real-time analytics rules in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/near-real-time-rules |\n| Manage workspace-deployed ASIM parsers in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-workspace-parsers |\n| Use ASIM common schema fields in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-common-fields |\n| Implement ASIM Application Entity schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-entity-application |\n| Implement ASIM Device Entity schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-entity-device |\n| Implement ASIM User Entity schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-entity-user |\n| Configure and manage ASIM parsers in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-manage-parsers |\n| Use ASIM Alert Events normalization schema | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-alert |\n| Implement ASIM Asset Entity schema in Sentinel | 
https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-asset |\n| Use ASIM Audit Events normalization schema | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-audit |\n| Use ASIM Authentication normalization schema | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-authentication |\n| Use ASIM DHCP normalization schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-dhcp |\n| Use ASIM DNS normalization schema in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-dns |\n| Use ASIM File Event normalization schema | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-file-event |\n| Use Microsoft Sentinel ASIM network session schema fields | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-network |\n| Use Microsoft Sentinel ASIM process event schema fields | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-process-event |\n| Use Microsoft Sentinel ASIM registry event schema fields | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-registry-event |\n| Use Microsoft Sentinel user management normalization schema | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-user-management |\n| Use legacy Microsoft Sentinel network normalization schema v0.1 | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-v1 |\n| Use Microsoft Sentinel ASIM web session schema fields | https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-web |\n| Configure MSTICPy and notebooks for Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/notebook-get-started |\n| Advanced MSTICPy and notebook configuration for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/notebooks-msticpy-advanced |\n| Integrate Microsoft Purview solution and logs with Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/purview-solution 
|\n| Configure SAP HANA audit log collection in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/sap/collect-sap-hana-audit-logs |\n| Prepare SAP systems for Sentinel SAP connector | https://learn.microsoft.com/en-us/azure/sentinel/sap/preparing-sap |\n| Kickstart script parameters for SAP connector deployment | https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-kickstart |\n| Legacy systemconfig.ini reference for SAP connector | https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-systemconfig |\n| systemconfig.json reference for SAP connector agent | https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-systemconfig-json |\n| Update script parameters for Sentinel SAP connector | https://learn.microsoft.com/en-us/azure/sentinel/sap/reference-update |\n| Use SAP Security Audit Controls workbook in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-audit-controls-workbook |\n| Use SAP Security Audit log workbook in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-audit-log-workbook |\n| Security content reference for Sentinel SAP BTP | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-btp-security-content |\n| Expert configuration for Sentinel SAP connector agent | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-deploy-alternate |\n| Function reference for Sentinel SAP solution | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-function-reference |\n| Log and table reference for Sentinel SAP connector | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-log-reference |\n| Security content reference for Sentinel SAP solution | https://learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-security-content |\n| Stop SAP data collection in Microsoft Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/sap/stop-collection |\n| Configure scheduled analytics rules in Sentinel | 
https://learn.microsoft.com/en-us/azure/sentinel/scheduled-rules-overview |\n| Use Microsoft Sentinel security alert schema fields | https://learn.microsoft.com/en-us/azure/sentinel/security-alert-schema |\n| Map Sentinel alert schemas between standalone and XDR | https://learn.microsoft.com/en-us/azure/sentinel/security-alert-schema-differences |\n| Remove and restore Sentinel content hub solutions | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-delete |\n| Discover and deploy Sentinel content hub solutions | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-deploy |\n| Create and configure summary rules in Sentinel solutions | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-summary-rules-creation |\n| Build and publish Sentinel workbooks in solutions | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-workbook-creation |\n| Set up Azure Storage Blob connector using CCF | https://learn.microsoft.com/en-us/azure/sentinel/setup-azure-storage-connector |\n| Use customizable anomaly detection in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/soc-ml-anomalies |\n| Set up prerequisites for Microsoft Sentinel solutions | https://learn.microsoft.com/en-us/azure/sentinel/solution-setup-essentials |\n| Configure and use summary rules in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/summary-rules |\n| Surface custom event details in Sentinel alerts | https://learn.microsoft.com/en-us/azure/sentinel/surface-custom-details-in-alerts |\n| Configure threat intelligence feed integration in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/threat-intelligence-integration |\n| Configure filter and split transformations for Sentinel data | https://learn.microsoft.com/en-us/azure/sentinel/transformation-filter-split |\n| Reference for Sentinel UEBA entity enrichments | https://learn.microsoft.com/en-us/azure/sentinel/ueba-reference |\n| Use schemas for Microsoft Sentinel watchlist templates 
| https://learn.microsoft.com/en-us/azure/sentinel/watchlist-schemas |\n| Select Windows security event sets for Sentinel ingestion | https://learn.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference |\n| Configure anomaly detection analytics rules in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/work-with-anomaly-rules |\n| Configure and use Sentinel workspace manager | https://learn.microsoft.com/en-us/azure/sentinel/workspace-manager |\n\n### Integrations & Coding Patterns\n| Topic | URL |\n|-------|-----|\n| Create Sentinel Data Collection Rules via REST API | https://learn.microsoft.com/en-us/azure/sentinel/api-dcr-reference |\n| Use Sentinel playbook triggers and actions via Logic Apps | https://learn.microsoft.com/en-us/azure/sentinel/automation/playbook-triggers-actions |\n| Automate Sentinel incident response with playbooks | https://learn.microsoft.com/en-us/azure/sentinel/automation/tutorial-respond-threats-playbook |\n| Integrate Microsoft Sentinel incidents with Teams collaboration | https://learn.microsoft.com/en-us/azure/sentinel/collaborate-in-microsoft-teams |\n| Implement Azure Functions-based custom data connectors for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-functions-template |\n| Integrate Logstash with Sentinel using DCR-based API | https://learn.microsoft.com/en-us/azure/sentinel/connect-logstash-data-connection-rules |\n| Enable Defender Threat Intelligence data connector in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-mdti-data-connector |\n| Connect TAXII STIX threat feeds to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-taxii |\n| Connect threat intelligence platform to Sentinel (legacy connector) | https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-tip |\n| Connect TIP to Sentinel using Threat Intel upload API | 
https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api |\n| Create codeless data connectors with Sentinel CCF | https://learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector |\n| Build custom Sentinel connectors with AI agent in VS Code | https://learn.microsoft.com/en-us/azure/sentinel/create-custom-connector-builder-agent |\n| Implement push-based codeless connectors for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/create-push-codeless-connector |\n| Query Microsoft Sentinel graphs with GQL syntax reference | https://learn.microsoft.com/en-us/azure/sentinel/datalake/gql-reference-for-sentinel-custom-graph |\n| Call Sentinel custom graph REST APIs from clients | https://learn.microsoft.com/en-us/azure/sentinel/datalake/graph-rest-api |\n| Run Sentinel data lake KQL queries via REST APIs | https://learn.microsoft.com/en-us/azure/sentinel/datalake/kql-queries-api |\n| Query Sentinel data lake with notebook code examples | https://learn.microsoft.com/en-us/azure/sentinel/datalake/notebook-examples |\n| Use sentinel_graph API to build Sentinel security graphs | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-graph-provider-reference |\n| Leverage Sentinel MCP agent creation tools for Copilot agents | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-agent-creation-tool |\n| Use Sentinel MCP data exploration tools to query lake data | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-data-exploration-tool |\n| Integrate Sentinel MCP tools into Azure Logic Apps workflows | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-logic-apps |\n| Use Sentinel MCP triage tools for incident hunting | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-triage-tool |\n| Use MicrosoftSentinelProvider class to access data lake | https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-provider-class-reference |\n| 
Enrich Sentinel entities with geolocation via REST API | https://learn.microsoft.com/en-us/azure/sentinel/geolocation-data-api |\n| Manage Sentinel hunting queries using Log Analytics REST API | https://learn.microsoft.com/en-us/azure/sentinel/hunting-with-rest-api |\n| Bulk import threat intelligence files into Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/indicators-bulk-file-import |\n| Ingest Defender for Cloud incidents via Defender XDR | https://learn.microsoft.com/en-us/azure/sentinel/ingest-defender-for-cloud-incidents |\n| Integrate Microsoft Defender XDR with Sentinel incidents | https://learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration |\n| Use ASIM KQL parsers for normalized Sentinel queries | https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-parsers |\n| Develop and deploy custom ASIM parsers | https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers |\n| Apply ASIM helper functions in KQL queries | https://learn.microsoft.com/en-us/azure/sentinel/normalization-functions |\n| Create Power BI reports from Sentinel data | https://learn.microsoft.com/en-us/azure/sentinel/powerbi |\n| Trigger Sentinel playbooks from entities during investigations | https://learn.microsoft.com/en-us/azure/sentinel/respond-threats-during-investigation |\n| Call Sentinel SOC optimization recommendations API | https://learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-api |\n| Import threat intelligence STIX objects via Sentinel upload API | https://learn.microsoft.com/en-us/azure/sentinel/stix-objects-api |\n| Check IP reputation automatically with Sentinel playbooks | https://learn.microsoft.com/en-us/azure/sentinel/tutorial-enrich-ip-information |\n| Extract non-native incident entities using Sentinel playbooks | https://learn.microsoft.com/en-us/azure/sentinel/tutorial-extract-incident-entities |\n| Use legacy Sentinel upload indicators API for STIX IOCs | 
https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api |\n| Detect threats with Defender TI analytics rule | https://learn.microsoft.com/en-us/azure/sentinel/use-matching-analytics-to-detect-threats |\n| Use threat indicators in Sentinel analytics rules | https://learn.microsoft.com/en-us/azure/sentinel/use-threat-indicators-in-analytics-rules |\n| Query STIX objects and indicators in Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/work-with-stix-objects-indicators |\n\n### Deployment\n| Topic | URL |\n|-------|-----|\n| Deploy Sentinel solution for Power Platform and CE | https://learn.microsoft.com/en-us/azure/sentinel/business-applications/deploy-power-platform-solution |\n| Create repository connections to deploy Sentinel content | https://learn.microsoft.com/en-us/azure/sentinel/ci-cd |\n| Manage Sentinel custom content with repository connections | https://learn.microsoft.com/en-us/azure/sentinel/ci-cd-custom-content |\n| Customize CI/CD repository deployments for Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/ci-cd-custom-deploy |\n| Onboard Azure Stack Hub VMs to Sentinel using VM extensions | https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-stack |\n| Deploy Sentinel solution for Dynamics 365 Finance and Ops | https://learn.microsoft.com/en-us/azure/sentinel/dynamics-365/deploy-dynamics-365-finance-operations-solution |\n| Check Microsoft Sentinel feature support by cloud environment | https://learn.microsoft.com/en-us/azure/sentinel/feature-availability |\n| Import and export Sentinel analytics rules via ARM | https://learn.microsoft.com/en-us/azure/sentinel/import-export-analytics-rules |\n| Export and import Sentinel automation rules as ARM templates | https://learn.microsoft.com/en-us/azure/sentinel/import-export-automation-rules |\n| Package and publish Microsoft Sentinel platform solutions | https://learn.microsoft.com/en-us/azure/sentinel/package-platform-solution |\n| Publish Microsoft Sentinel 
SIEM solutions to marketplace | https://learn.microsoft.com/en-us/azure/sentinel/publish-sentinel-solutions |\n| Deploy SAP connector agent container via CLI | https://learn.microsoft.com/en-us/azure/sentinel/sap/deploy-command-line |\n| Deploy containerized SAP data connector to Sentinel | https://learn.microsoft.com/en-us/azure/sentinel/sap/deploy-data-connector-agent-container |\n| Deploy Microsoft Sentinel solution for SAP BTP | https://learn.microsoft.com/en-us/azure/sentinel/sap/deploy-sap-btp-solution |\n| Install Microsoft Sentinel solution for SAP applications | https://learn.microsoft.com/en-us/azure/sentinel/sap/deploy-sap-security-content |\n| Meet prerequisites for deploying Sentinel SAP solution | https://learn.microsoft.com/en-us/azure/sentinel/sap/prerequisites-for-deploying-sap-continuous-threat-monitoring |\n| Update Sentinel SAP data connector agent safely | https://learn.microsoft.com/en-us/azure/sentinel/sap/update-sap-data-connector |\n| Track Sentinel solution status after publishing | https://learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-post-publish-tracking |","tags":["azure","sentinel","agent","skills","microsoftdocs","agent-skills","agentic-skills","agentskill","ai-agents","ai-coding","azure-functions","azure-kubernetes-service"],"capabilities":["skill","source-microsoftdocs","skill-azure-sentinel","topic-agent","topic-agent-skills","topic-agentic-skills","topic-agentskill","topic-ai-agents","topic-ai-coding","topic-azure","topic-azure-functions","topic-azure-kubernetes-service","topic-azure-openai","topic-azure-sql-database","topic-azure-storage"],"categories":["Agent-Skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/MicrosoftDocs/Agent-Skills/azure-sentinel","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add 
MicrosoftDocs/Agent-Skills","source_repo":"https://github.com/MicrosoftDocs/Agent-Skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 549 github stars · SKILL.md body (43,297 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-05-18T18:53:58.854Z","embedding":null,"createdAt":"2026-04-18T22:00:03.463Z","updatedAt":"2026-05-18T18:53:58.854Z","lastSeenAt":"2026-05-18T18:53:58.854Z","tsv":"
8,2877,2893,2905,2914,2924,2937,2949,2960,2970,2981,2993,3003,3016,3027,3038,3049,3061,3072,3084,3096,3109,3121,3132,3142,3153,3165,3175,3186,3196,3207 'learn.microsoft.com/en-us/azure/sentinel/add-advanced-conditions-to-automation-rules':1421 'learn.microsoft.com/en-us/azure/sentinel/ama-migrate':735 'learn.microsoft.com/en-us/azure/sentinel/anomalies-reference':1431 'learn.microsoft.com/en-us/azure/sentinel/api-dcr-reference':2892 'learn.microsoft.com/en-us/azure/sentinel/audit-sentinel-data':1441 'learn.microsoft.com/en-us/azure/sentinel/audit-table-reference':1451 'learn.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules':1461 'learn.microsoft.com/en-us/azure/sentinel/automation-rule-reference':1470 'learn.microsoft.com/en-us/azure/sentinel/automation/authenticate-playbooks-to-sentinel':1301 'learn.microsoft.com/en-us/azure/sentinel/automation/define-playbook-access-restrictions':1312 'learn.microsoft.com/en-us/azure/sentinel/automation/migrate-playbooks-to-automation-rules':747 'learn.microsoft.com/en-us/azure/sentinel/automation/playbook-triggers-actions':2904 'learn.microsoft.com/en-us/azure/sentinel/automation/tutorial-respond-threats-playbook':2913 'learn.microsoft.com/en-us/azure/sentinel/aws-disruption':1324 'learn.microsoft.com/en-us/azure/sentinel/aws-s3-troubleshoot':470 'learn.microsoft.com/en-us/azure/sentinel/azure-storage-blob-connector-troubleshoot':480 'learn.microsoft.com/en-us/azure/sentinel/basic-logs-use-cases':758 'learn.microsoft.com/en-us/azure/sentinel/best-practices':580 'learn.microsoft.com/en-us/azure/sentinel/best-practices-data':592 'learn.microsoft.com/en-us/azure/sentinel/billing':768 'learn.microsoft.com/en-us/azure/sentinel/billing-monitor-costs':777 'learn.microsoft.com/en-us/azure/sentinel/billing-pre-purchase-plan':789 'learn.microsoft.com/en-us/azure/sentinel/billing-reduce-costs':798 'learn.microsoft.com/en-us/azure/sentinel/business-applications/deploy-power-platform-solution':3344 
'learn.microsoft.com/en-us/azure/sentinel/business-applications/power-platform-solution-security-content':1481 'learn.microsoft.com/en-us/azure/sentinel/business-continuity-disaster-recovery':1125 'learn.microsoft.com/en-us/azure/sentinel/cef-name-mapping':1491 'learn.microsoft.com/en-us/azure/sentinel/cef-syslog-ama-troubleshooting':492 'learn.microsoft.com/en-us/azure/sentinel/ci-cd':3354 'learn.microsoft.com/en-us/azure/sentinel/ci-cd-custom-content':3364 'learn.microsoft.com/en-us/azure/sentinel/ci-cd-custom-deploy':3373 'learn.microsoft.com/en-us/azure/sentinel/cisco-ftd-firewall':809 'learn.microsoft.com/en-us/azure/sentinel/collaborate-in-microsoft-teams':2923 'learn.microsoft.com/en-us/azure/sentinel/compare-analytics-rules-custom-detections':820 'learn.microsoft.com/en-us/azure/sentinel/configure-connector-login-detection':1502 'learn.microsoft.com/en-us/azure/sentinel/configure-content':1511 'learn.microsoft.com/en-us/azure/sentinel/configure-data-retention-archive':1523 'learn.microsoft.com/en-us/azure/sentinel/configure-data-transformation':1534 'learn.microsoft.com/en-us/azure/sentinel/configure-fusion-rules':1543 'learn.microsoft.com/en-us/azure/sentinel/connect-aws':1555 'learn.microsoft.com/en-us/azure/sentinel/connect-aws-configure-environment':1566 'learn.microsoft.com/en-us/azure/sentinel/connect-aws-eks':1578 'learn.microsoft.com/en-us/azure/sentinel/connect-aws-s3-waf':1591 'learn.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory':1602 'learn.microsoft.com/en-us/azure/sentinel/connect-azure-functions-template':2936 'learn.microsoft.com/en-us/azure/sentinel/connect-azure-stack':3386 'learn.microsoft.com/en-us/azure/sentinel/connect-azure-virtual-desktop':1614 'learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog-ama':1626 'learn.microsoft.com/en-us/azure/sentinel/connect-custom-logs-ama':1640 'learn.microsoft.com/en-us/azure/sentinel/connect-defender-for-cloud':1652 
'learn.microsoft.com/en-us/azure/sentinel/connect-dns-ama':1665 'learn.microsoft.com/en-us/azure/sentinel/connect-google-cloud-platform':1677 'learn.microsoft.com/en-us/azure/sentinel/connect-logstash-data-connection-rules':2948 'learn.microsoft.com/en-us/azure/sentinel/connect-mdti-data-connector':2959 'learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender':1689 'learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-purview':1700 'learn.microsoft.com/en-us/azure/sentinel/connect-services-api-based':1712 'learn.microsoft.com/en-us/azure/sentinel/connect-services-diagnostic-setting-based':1723 'learn.microsoft.com/en-us/azure/sentinel/connect-services-windows-based':1735 'learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-taxii':2969 'learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-tip':2980 'learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api':2992 'learn.microsoft.com/en-us/azure/sentinel/create-analytics-rule-from-template':1744 'learn.microsoft.com/en-us/azure/sentinel/create-analytics-rules':1754 'learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector':3002 'learn.microsoft.com/en-us/azure/sentinel/create-custom-connector-builder-agent':3015 'learn.microsoft.com/en-us/azure/sentinel/create-incidents-from-alerts':1764 'learn.microsoft.com/en-us/azure/sentinel/create-manage-use-automation-rules':1774 'learn.microsoft.com/en-us/azure/sentinel/create-nrt-rules':1785 'learn.microsoft.com/en-us/azure/sentinel/create-push-codeless-connector':3026 'learn.microsoft.com/en-us/azure/sentinel/create-tasks-automation-rule':1796 'learn.microsoft.com/en-us/azure/sentinel/customer-managed-keys':1335 'learn.microsoft.com/en-us/azure/sentinel/customize-alert-details':1807 'learn.microsoft.com/en-us/azure/sentinel/customize-entity-activities':1816 'learn.microsoft.com/en-us/azure/sentinel/data-connection-rules-reference-azure-storage':1826 
'learn.microsoft.com/en-us/azure/sentinel/data-connection-rules-reference-gcp':1837 'learn.microsoft.com/en-us/azure/sentinel/data-connector-connection-rules-reference':1846 'learn.microsoft.com/en-us/azure/sentinel/data-connector-ui-definitions-reference':1857 'learn.microsoft.com/en-us/azure/sentinel/data-transformation':1868 'learn.microsoft.com/en-us/azure/sentinel/data-type-cloud-support':830 'learn.microsoft.com/en-us/azure/sentinel/datalake/asset-data-tables':1880 'learn.microsoft.com/en-us/azure/sentinel/datalake/auditing-lake-activities':1891 'learn.microsoft.com/en-us/azure/sentinel/datalake/data-federation-setup':1902 'learn.microsoft.com/en-us/azure/sentinel/datalake/gql-reference-for-sentinel-custom-graph':3037 'learn.microsoft.com/en-us/azure/sentinel/datalake/graph-rest-api':3048 'learn.microsoft.com/en-us/azure/sentinel/datalake/kql-jobs':1914,1926 'learn.microsoft.com/en-us/azure/sentinel/datalake/kql-jobs-summary-rules-search-jobs':844 'learn.microsoft.com/en-us/azure/sentinel/datalake/kql-manage-jobs':1938 'learn.microsoft.com/en-us/azure/sentinel/datalake/kql-queries':1952 'learn.microsoft.com/en-us/azure/sentinel/datalake/kql-queries-api':3060 'learn.microsoft.com/en-us/azure/sentinel/datalake/kql-troubleshoot':504 'learn.microsoft.com/en-us/azure/sentinel/datalake/notebook-examples':3071 'learn.microsoft.com/en-us/azure/sentinel/datalake/notebook-jobs':1964 'learn.microsoft.com/en-us/azure/sentinel/datalake/notebooks':1976 'learn.microsoft.com/en-us/azure/sentinel/datalake/notebooks-troubleshooting':516 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-graph-provider-reference':3083 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-log-ingestion-guidance':856 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-onboard-defender':1986 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-onboarding':1997 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-service-limits':1228 
'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-agent-creation-tool':3095 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-billing':1238 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-chatgpt-claude-connector':2008 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-create-custom-tool':2020 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-data-exploration-tool':3108 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-logic-apps':3120 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-triage-tool':3131 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-azure-ai-foundry':2031 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-copilot-studio':2043 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-security-copilot':2054 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-mcp-use-tool-visual-studio-code':2065 'learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-provider-class-reference':3141 'learn.microsoft.com/en-us/azure/sentinel/datalake/troubleshoot-sentinel-mcp':527 'learn.microsoft.com/en-us/azure/sentinel/datalake/workbooks-for-data-lake':2076 'learn.microsoft.com/en-us/azure/sentinel/deploy-side-by-side':866 'learn.microsoft.com/en-us/azure/sentinel/detection-tuning':604 'learn.microsoft.com/en-us/azure/sentinel/dns-ama-fields':2086 'learn.microsoft.com/en-us/azure/sentinel/domain-based-essential-solutions':616 'learn.microsoft.com/en-us/azure/sentinel/dynamics-365/deploy-dynamics-365-finance-operations-solution':3398 'learn.microsoft.com/en-us/azure/sentinel/dynamics-365/dynamics-365-finance-operations-security-content':2097 'learn.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics':2107 'learn.microsoft.com/en-us/azure/sentinel/enable-monitoring':2116 'learn.microsoft.com/en-us/azure/sentinel/enable-sentinel-features-content':2126 
'learn.microsoft.com/en-us/azure/sentinel/enable-storage-network-security':1346 'learn.microsoft.com/en-us/azure/sentinel/enroll-simplified-pricing-tier':876 'learn.microsoft.com/en-us/azure/sentinel/entities-reference':2136 'learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants':1135 'learn.microsoft.com/en-us/azure/sentinel/false-positives':626 'learn.microsoft.com/en-us/azure/sentinel/feature-availability':3409 'learn.microsoft.com/en-us/azure/sentinel/fusion':2146 'learn.microsoft.com/en-us/azure/sentinel/fusion-scenario-reference':2156 'learn.microsoft.com/en-us/azure/sentinel/geographical-availability-data-residency':1356 'learn.microsoft.com/en-us/azure/sentinel/geolocation-data-api':3152 'learn.microsoft.com/en-us/azure/sentinel/health-audit':2166 'learn.microsoft.com/en-us/azure/sentinel/health-table-reference':2176 'learn.microsoft.com/en-us/azure/sentinel/hunting-with-rest-api':3164 'learn.microsoft.com/en-us/azure/sentinel/import-export-analytics-rules':3420 'learn.microsoft.com/en-us/azure/sentinel/import-export-automation-rules':3432 'learn.microsoft.com/en-us/azure/sentinel/indicators-bulk-file-import':3174 'learn.microsoft.com/en-us/azure/sentinel/ingest-defender-for-cloud-incidents':3185 'learn.microsoft.com/en-us/azure/sentinel/ingestion-delay':636 'learn.microsoft.com/en-us/azure/sentinel/investigate-large-datasets':890 'learn.microsoft.com/en-us/azure/sentinel/investigate-with-ueba':646 'learn.microsoft.com/en-us/azure/sentinel/log-plans':899 'learn.microsoft.com/en-us/azure/sentinel/manage-analytics-rule-templates':2186 'learn.microsoft.com/en-us/azure/sentinel/manage-data-overview':909 'learn.microsoft.com/en-us/azure/sentinel/manage-platform-solutions':2196 'learn.microsoft.com/en-us/azure/sentinel/manage-soc-with-incident-metrics':2207 'learn.microsoft.com/en-us/azure/sentinel/manage-table-tiers-retention':2217 'learn.microsoft.com/en-us/azure/sentinel/map-data-fields-to-entities':2228 
'learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-cloud-support':921 'learn.microsoft.com/en-us/azure/sentinel/microsoft-365-defender-sentinel-integration':3195 'learn.microsoft.com/en-us/azure/sentinel/microsoft-purview-record-types-activities':2238 'learn.microsoft.com/en-us/azure/sentinel/microsoft-sentinel-defender-portal':2248 'learn.microsoft.com/en-us/azure/sentinel/migration':932 'learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-automation':944 'learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-detection-rules':955 'learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-historical-data':965 'learn.microsoft.com/en-us/azure/sentinel/migration-ingestion-target-platform':976 'learn.microsoft.com/en-us/azure/sentinel/migration-ingestion-tool':987 'learn.microsoft.com/en-us/azure/sentinel/migration-qradar-automation':997 'learn.microsoft.com/en-us/azure/sentinel/migration-qradar-detection-rules':1008 'learn.microsoft.com/en-us/azure/sentinel/migration-qradar-historical-data':1018 'learn.microsoft.com/en-us/azure/sentinel/migration-splunk-automation':1029 'learn.microsoft.com/en-us/azure/sentinel/migration-splunk-detection-rules':1040 'learn.microsoft.com/en-us/azure/sentinel/migration-splunk-historical-data':1050 'learn.microsoft.com/en-us/azure/sentinel/monitor-analytics-rule-integrity':2259 'learn.microsoft.com/en-us/azure/sentinel/monitor-automation-health':2270 'learn.microsoft.com/en-us/azure/sentinel/monitor-data-connector-health':2280 'learn.microsoft.com/en-us/azure/sentinel/monitor-optimize-analytics-rule-execution':2291 'learn.microsoft.com/en-us/azure/sentinel/monitor-sap-system-health':2300 'learn.microsoft.com/en-us/azure/sentinel/mssp-protect-intellectual-property':1366 'learn.microsoft.com/en-us/azure/sentinel/multiple-tenants-service-providers':1146 'learn.microsoft.com/en-us/azure/sentinel/multiple-workspace-view':2310 'learn.microsoft.com/en-us/azure/sentinel/near-real-time-rules':2322 
'learn.microsoft.com/en-us/azure/sentinel/normalization-about-parsers':3206 'learn.microsoft.com/en-us/azure/sentinel/normalization-about-workspace-parsers':2333 'learn.microsoft.com/en-us/azure/sentinel/normalization-common-fields':2343 'learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers':3215 'learn.microsoft.com/en-us/azure/sentinel/normalization-entity-application':2353 'learn.microsoft.com/en-us/azure/sentinel/normalization-entity-device':2363 'learn.microsoft.com/en-us/azure/sentinel/normalization-entity-user':2373 'learn.microsoft.com/en-us/azure/sentinel/normalization-functions':3225 'learn.microsoft.com/en-us/azure/sentinel/normalization-known-issues':537 'learn.microsoft.com/en-us/azure/sentinel/normalization-manage-parsers':2383 'learn.microsoft.com/en-us/azure/sentinel/normalization-modify-content':656 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-alert':2392 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-asset':2402 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-audit':2411 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-authentication':2419 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-dhcp':2429 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-dns':2439 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-file-event':2448 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-network':2459 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-process-event':2470 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-registry-event':2481 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-user-management':2491 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-v1':2502 'learn.microsoft.com/en-us/azure/sentinel/normalization-schema-web':2513 'learn.microsoft.com/en-us/azure/sentinel/notebook-get-started':2523 'learn.microsoft.com/en-us/azure/sentinel/notebooks-msticpy-advanced':2533 
'learn.microsoft.com/en-us/azure/sentinel/offboard-implications':1248 'learn.microsoft.com/en-us/azure/sentinel/ops-guide':667 'learn.microsoft.com/en-us/azure/sentinel/package-platform-solution':3442 'learn.microsoft.com/en-us/azure/sentinel/partner-integrations':1156 'learn.microsoft.com/en-us/azure/sentinel/powerbi':3235 'learn.microsoft.com/en-us/azure/sentinel/prepare-multiple-workspaces':1169 'learn.microsoft.com/en-us/azure/sentinel/prioritize-data-connectors':1059 'learn.microsoft.com/en-us/azure/sentinel/publish-sentinel-solutions':3452 'learn.microsoft.com/en-us/azure/sentinel/purview-solution':2544 'learn.microsoft.com/en-us/azure/sentinel/resource-context-rbac':1378 'learn.microsoft.com/en-us/azure/sentinel/respond-threats-during-investigation':3245 'learn.microsoft.com/en-us/azure/sentinel/roles':1387 'learn.microsoft.com/en-us/azure/sentinel/sample-workspace-designs':1178 'learn.microsoft.com/en-us/azure/sentinel/sap/collect-sap-hana-audit-logs':2555 'learn.microsoft.com/en-us/azure/sentinel/sap/cross-workspace':1189 'learn.microsoft.com/en-us/azure/sentinel/sap/deploy-command-line':3462 'learn.microsoft.com/en-us/azure/sentinel/sap/deploy-data-connector-agent-container':3472 'learn.microsoft.com/en-us/azure/sentinel/sap/deploy-sap-btp-solution':3482 'learn.microsoft.com/en-us/azure/sentinel/sap/deploy-sap-security-content':3492 'learn.microsoft.com/en-us/azure/sentinel/sap/deployment-solution-configuration':677 'learn.microsoft.com/en-us/azure/sentinel/sap/preparing-sap':2565 'learn.microsoft.com/en-us/azure/sentinel/sap/prerequisites-for-deploying-sap-continuous-threat-monitoring':3502 'learn.microsoft.com/en-us/azure/sentinel/sap/reference-kickstart':2575 'learn.microsoft.com/en-us/azure/sentinel/sap/reference-systemconfig':2584 'learn.microsoft.com/en-us/azure/sentinel/sap/reference-systemconfig-json':2593 'learn.microsoft.com/en-us/azure/sentinel/sap/reference-update':2603 
'learn.microsoft.com/en-us/azure/sentinel/sap/required-abap-authorizations':1397 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-agent-migrate':1069 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-audit-controls-workbook':2614 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-audit-log-workbook':2625 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-btp-security-content':2635 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-deploy-troubleshoot':546 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-deploy-alternate':2645 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-function-reference':2654 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-log-reference':2665 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-solution-security-content':2675 'learn.microsoft.com/en-us/azure/sentinel/sap/sap-suspicious-configuration-security-parameters':1406 'learn.microsoft.com/en-us/azure/sentinel/sap/stop-collection':2685 'learn.microsoft.com/en-us/azure/sentinel/sap/update-sap-data-connector':3512 'learn.microsoft.com/en-us/azure/sentinel/scheduled-rules-overview':2694 'learn.microsoft.com/en-us/azure/sentinel/search-jobs':1259 'learn.microsoft.com/en-us/azure/sentinel/security-alert-schema':2704 'learn.microsoft.com/en-us/azure/sentinel/security-alert-schema-differences':2715 'learn.microsoft.com/en-us/azure/sentinel/sentinel-service-limits':1269 'learn.microsoft.com/en-us/azure/sentinel/sentinel-solution':688 'learn.microsoft.com/en-us/azure/sentinel/sentinel-solution-deprecation':697 'learn.microsoft.com/en-us/azure/sentinel/sentinel-solution-quality-guidance':707 'learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-catalog':1081 'learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-delete':2725 'learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-deploy':2735 'learn.microsoft.com/en-us/azure/sentinel/sentinel-solutions-post-publish-tracking':3521 
'learn.microsoft.com/en-us/azure/sentinel/sentinel-summary-rules-creation':2746 'learn.microsoft.com/en-us/azure/sentinel/sentinel-workbook-creation':2756 'learn.microsoft.com/en-us/azure/sentinel/setup-azure-storage-connector':2767 'learn.microsoft.com/en-us/azure/sentinel/siem-migration':1093 'learn.microsoft.com/en-us/azure/sentinel/soc-ml-anomalies':2776 'learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-access':1101 'learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-api':3254 'learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-reference':1110 'learn.microsoft.com/en-us/azure/sentinel/solution-setup-essentials':2786 'learn.microsoft.com/en-us/azure/sentinel/stix-objects-api':3266 'learn.microsoft.com/en-us/azure/sentinel/summary-rules':2796 'learn.microsoft.com/en-us/azure/sentinel/surface-custom-details-in-alerts':2806 'learn.microsoft.com/en-us/azure/sentinel/threat-intelligence-integration':2816 'learn.microsoft.com/en-us/azure/sentinel/transformation-filter-split':2827 'learn.microsoft.com/en-us/azure/sentinel/troubleshoot-analytics-rules':556 'learn.microsoft.com/en-us/azure/sentinel/troubleshoot-sentinel-solutions':566 'learn.microsoft.com/en-us/azure/sentinel/tutorial-enrich-ip-information':3276 'learn.microsoft.com/en-us/azure/sentinel/tutorial-extract-incident-entities':3288 'learn.microsoft.com/en-us/azure/sentinel/ueba-reference':2836 'learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api':3300 'learn.microsoft.com/en-us/azure/sentinel/use-matching-analytics-to-detect-threats':3310 'learn.microsoft.com/en-us/azure/sentinel/use-multiple-workspaces':1202 'learn.microsoft.com/en-us/azure/sentinel/use-threat-indicators-in-analytics-rules':3320 'learn.microsoft.com/en-us/azure/sentinel/watchlist-schemas':2846 'learn.microsoft.com/en-us/azure/sentinel/watchlists':718 'learn.microsoft.com/en-us/azure/sentinel/watchlists-create':1279 
'learn.microsoft.com/en-us/azure/sentinel/watchlists-manage':1289 'learn.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference':2857 'learn.microsoft.com/en-us/azure/sentinel/work-with-anomaly-rules':2867 'learn.microsoft.com/en-us/azure/sentinel/work-with-stix-objects-indicators':3330 'learn.microsoft.com/en-us/azure/sentinel/workspace-manager':2876 'learn.microsoft.com/en-us/azure/sentinel/workspaces-defender-portal':1212 'legaci':927,2495,2578,2978,3292 'leverag':3086 'lifecycl':696 'lifecycle/quality':263 'limit':19,55,324,330,1215,1225,1235,1258,1266,1278 'line':96,108,209 'link':113,122 'list':1791 'local':66 'locat':90 'log':464,849,896,986,1396,1549,1563,1577,1588,1598,1611,1631,1639,1660,1674,1885,2541,2551,2621,2657,3160 'logic':2902,3117 'logstash':2940 'long':1518 'long-term':1517 'make':15,51,265,722 'manag':316,383,440,577,691,1140,1330,1769,1779,1929,1957,2179,2204,2305,2325,2378,2488,2875,3155,3357 'map':947,1000,1484,1875,2220,2707 'markdown':189,205 'marketplac':3451 'mcp':148,175,227,524,1233,2002,2016,2025,2036,2048,2059,3088,3100,3113,3125 'mcp/logic':423 'meet':3495 'metadata.generated':129 'metric':2202 'microsoft':177,348,384,441,474,522,560,590,623,664,693,704,764,774,795,894,930,1037,1054,1153,1173,1220,1263,1273,1283,1333,1382,1437,1447,1455,1465,1595,1644,1681,1693,1707,1991,2028,2039,2051,2105,2120,2130,2172,2242,2452,2463,2474,2485,2496,2506,2521,2537,2683,2698,2783,2842,2917,3030,3189,3402,3438,3446,3476,3486 'microsoftdoc':149,176 'microsoftsentinelprovid':3135 'migrat':272,728,738,925,935,949,964,990,1002,1017,1021,1032,1049,1062,1087 'ml':1429 'mma':730 'monitor':259,680,771,1403,1931,2115,2164,2251,2262,2273,2283,2294 'month':135 'mssp':312,368,1145,1360 'msticpi':2517,2527 'multi':306,314,1161,1165,1183,1194,1198 'multi-ten':313,1164,1197 'multi-workspac':305,1160,1182,1193 'multipl':1131,1141,1206 'multistag':1539,2141,2153 'name':1801 'nativ':3282 'near':2315 'near-real-tim':2314 'network':167,1339,2455,2498 
'nois':603 'noise/false':253 'non':3281 'non-nat':3280 'normal':655,2085,2390,2409,2417,2425,2435,2446,2489,2499,3203 'notebook':510,1959,1971,2519,2529,3068 'nrt':1780 'o':2096 'object':3261,3325 'old':136 'onboard':1138,1979,1989,3376 'op':248,3397 'oper':660 'optim':293,521,773,1099,1107,2285,3251 'packag':236,565,3435 'paramet':337,1227,1402,2570,2598 'parser':2330,2380,3201,3214 'pattern':18,25,54,61,297,323,404,410,1115,1151,1177,2881 'perform':2206,2279 'perimet':365,1341 'permiss':1386 'plan':279,311,725,761,788,902,924,1118,1159 'platform':448,865,971,1478,2194,2975,3341,3440 'playbook':289,360,422,743,943,1300,1311,2269,2897,2912,3240,3275,3287 'polici':1307 'portal':1211,1985,2247 'posit':254,621 'power':447,1477,3229,3340 'practic':13,49,239,244,570,575,585,662 'pre':785 'pre-purchas':784 'prefer':173 'prepar':1558,2558 'prerequisit':2781,3496 'price':332,874,1234 'priorit':1053 'process':1963,2466 'project':2030 'promot':1921 'properti':1362,1469 'protect':370,676,1359,1696,2234 'provid':40 'pub/sub':1670 'publish':2751,3437,3445,3520 'publishing/updates':457 'pull':140 'purchas':786 'purview':1694,2232,2538 'push':3020 'push-bas':3019 'qradar':991,1003,1012,1092 'qualiti':701 'queri':181,195,338,497,1256,1436,1945,2075,3029,3056,3063,3105,3158,3205,3224,3323 'querying/analyzing':426 'quick':68 'quick-refer':67 'quota':20,56,325,331,1216,1268 'rang':97 'rbac':1373 'rbac/roles':361 'rdp':1499 'read':103,118 'real':2316 'recommend':1100,1109,3252 'record':2236 'recoveri':1124 'reduc':602,619,792 'refer':69,123,1108,1444,1475,2091,2129,2169,2580,2588,2630,2649,2660,2670,2830,3036 'registri':2477 'relev':91 'remot':72 'remov':347,1246,2718 'report':3231 'repositori':146,3348,3362,3369 'repositories/arm':452 'reput':3271 'requir':166,1392 'resid':372,1353 'resolv':507,530 'resourc':1371 'resource-context':1370 'respons':2910 'rest':431,2890,3044,3058,3150,3162 'restapipol':1841 'restor':886,2720 'restrict':363,1306 'result':1925 'retent':897,907,1522,2212 
'return':188,204 'review':1219,1262,2149 'role':1384 'rule':230,287,391,552,600,635,746,816,838,941,952,1005,1028,1035,1420,1458,1468,1542,1741,1751,1772,1782,1795,1834,2185,2227,2258,2267,2289,2319,2691,2742,2793,2864,2888,3309,3319,3417,3428 'run':1251,1943,1967,3051 's3':463,1554,1572,1584 'safe':3511 'sap':224,366,446,542,672,1064,1188,1395,1400,2298,2548,2559,2563,2572,2582,2590,2601,2607,2618,2633,2642,2652,2663,2673,2679,3456,3467,3480,3490,3500,3507 'sap/aws/gcp':398 'sap/zero':257 'scenario':2155 'schedul':1739,1749,1907,1955,2287,2689 'schema':394,2339,2350,2360,2370,2391,2399,2410,2418,2426,2436,2447,2457,2468,2479,2490,2500,2511,2702,2710,2840 'script':2569,2597 'search':840,883,1253 'section':92 'secur':21,57,350,354,1292,1296,1340,1401,1473,1495,2052,2089,2608,2619,2628,2668,2700,2851,3081 'security.md':115,116 'select':281,893,979,1072,2849 'send':1562 'sentinel':3,8,31,36,45,218,246,274,285,302,349,357,385,415,442,469,475,491,501,513,523,536,541,550,561,578,591,598,615,624,634,644,650,665,671,687,694,705,716,734,739,754,765,775,783,796,808,814,824,843,853,860,870,889,895,903,931,940,954,963,973,984,995,1007,1016,1026,1038,1048,1055,1076,1085,1097,1105,1119,1129,1142,1154,1167,1174,1187,1200,1207,1221,1232,1247,1252,1264,1274,1284,1299,1309,1323,1334,1343,1350,1364,1375,1383,1394,1405,1418,1428,1438,1448,1456,1466,1488,1506,1520,1533,1552,1565,1590,1601,1613,1625,1651,1662,1676,1688,1699,1711,1722,1753,1763,1770,1784,1793,1806,1813,1836,1856,1867,1877,1887,1899,1911,1922,1935,1949,1958,1973,1980,1992,2001,2015,2024,2035,2047,2058,2069,2106,2111,2121,2131,2145,2160,2173,2183,2193,2200,2216,2224,2243,2256,2265,2274,2286,2297,2306,2321,2332,2342,2352,2362,2372,2382,2401,2428,2438,2453,2464,2475,2486,2497,2507,2522,2532,2543,2554,2562,2600,2613,2624,2632,2641,2651,2662,2672,2684,2693,2699,2708,2721,2731,2744,2752,2775,2784,2795,2804,2815,2825,2832,2843,2855,2866,2873,2885,2896,2908,2918,2935,2942,2958,2968,2977,2986,3000,3007,3025,3031,3041,3052,3064,3075
","prices":[{"id":"6881f70c-514d-4dc8-be45-48b810cf8d79","listingId":"e1e145bf-94a3-420e-b3db-95d8eba30976","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"MicrosoftDocs","category":"Agent-Skills","install_from":"skills.sh"},"createdAt":"2026-04-18T22:00:03.463Z"}],"sources":[{"listingId":"e1e145bf-94a3-420e-b3db-95d8eba30976","source":"github","sourceId":"MicrosoftDocs/Agent-Skills/azure-sentinel","sourceUrl":"https://github.com/MicrosoftDocs/Agent-Skills/tree/main/skills/azure-sentinel","isPrimary":false,"firstSeenAt":"2026-04-18T22:00:03.463Z","lastSeenAt":"2026-05-18T18:53:58.854Z"}],"details":{"listingId":"e1e145bf-94a3-420e-b3db-95d8eba30976","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"MicrosoftDocs","slug":"azure-sentinel","github":{"repo":"MicrosoftDocs/Agent-Skills","stars":549,"topics":["agent","agent-skills","agentic-skills","agentskill","ai","ai-agents","ai-coding","azure","azure-functions","azure-kubernetes-service","azure-openai","azure-sql-database","azure-storage","azure-virtual-machine","claude-code","github-copilot","microsoft-learn","openai-codex","skills"],"license":"cc-by-4.0","html_url":"https://github.com/MicrosoftDocs/Agent-Skills","pushed_at":"2026-05-17T02:50:05Z","description":"Curated Agent Skills for Microsoft & Azure – giving AI coding assistants structured, real-time expertise from Microsoft Learn docs.","skill_md_sha":"1b483a85f8556ddf30396170a1402f4ea776d2e1","skill_md_path":"skills/azure-sentinel/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/MicrosoftDocs/Agent-Skills/tree/main/skills/azure-sentinel"},"layout":"multi","source":"github","category":"Agent-Skills","frontmatter":{"name":"azure-sentinel","description":"Expert knowledge for
Azure Sentinel development including troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when configuring Sentinel data connectors, analytics rules, UEBA/Fusion, ASIM/KQL jobs, or multi-tenant MSSP setups, and other Azure Sentinel related development tasks. Not for Azure Defender For Cloud (use azure-defender-for-cloud), Azure Security (use azure-security), Azure Monitor (use azure-monitor), Azure Network Watcher (use azure-network-watcher).","compatibility":"Requires network access. Uses mcp_microsoftdocs:microsoft_docs_fetch or fetch_webpage to retrieve documentation."},"skills_sh_url":"https://skills.sh/MicrosoftDocs/Agent-Skills/azure-sentinel"},"updatedAt":"2026-05-18T18:53:58.854Z"}}