Microsoft Sentinel feature support for Azure commercial/other clouds
This article describes the features available in Microsoft Sentinel across different Azure environments. Features are listed as GA (generally available), public preview, or shown as not available.
Note
These lists and tables do not include feature or bundle availability in the Azure Government Secret or Azure Government Top Secret clouds. For more information about specific availability for air-gapped clouds, please contact your account team.
Experience in the Defender portal
Microsoft Sentinel is also available in the Microsoft Defender portal as Microsoft's unified security operations (SecOps) platform. In the Defender portal, all features in general availability are available in both commercial and GCC High and DoD clouds. Features still in preview are available only in the commercial cloud.
While attack disruption in the Defender portal is generally available, SAP support for attack disruption with Microsoft's unified SecOps platform is available only in the commercial cloud.
For more information, see Microsoft Defender XDR for US Government customers.
Analytics
Feature | Feature stage | Azure commercial | Azure Government | Azure China 21Vianet |
---|---|---|---|---|
Analytics rules health | Public preview | ✅ | ❌ | ❌ |
MITRE ATT&CK dashboard | Public preview | ✅ | ✅ | ✅ |
NRT rules | GA | ✅ | ✅ | ✅ |
Recommendations | Public preview | ✅ | ✅ | ❌ |
Scheduled and Microsoft rules | GA | ✅ | ✅ | ✅ |
Content and content management
Feature | Feature stage | Azure commercial | Azure Government | Azure China 21Vianet |
---|---|---|---|---|
Content hub and solutions | GA | ✅ | ✅ | ✅ |
Repositories | Public preview | ✅ | ❌ | ❌ |
Workbooks | GA | ✅ | ✅ | ✅ |
Data collection
1 Supports only sign-in logs and audit logs.
Hunting
Feature | Feature stage | Azure commercial | Azure Government | Azure China 21Vianet |
---|---|---|---|---|
Bookmarks | GA | ✅ | ✅ | ✅ |
Hunts | Public preview | ✅ | ❌ | ❌ |
Livestream | GA | ✅ | ✅ | ✅ |
Queries | GA | ✅ | ✅ | ✅ |
Restore historical data | GA | ✅ | ✅ | ✅ |
Search large datasets | GA | ✅ | ✅ | ✅ |
Incidents
Feature | Feature stage | Azure commercial | Azure Government | Azure China 21Vianet |
---|---|---|---|---|
Add entities to threat intelligence | Public preview | ✅ | ✅ | ✅ |
Advanced and/or conditions | GA | ✅ | ✅ | ✅ |
Automation rules | GA | ✅ | ✅ | ✅ |
Automation rules health | Public preview | ✅ | ✅ | ❌ |
Create incidents manually | GA | ✅ | ✅ | ✅ |
Cross-tenant/Cross-workspace incidents view | GA | ✅ | ✅ | ✅ |
Incident advanced search | GA | ✅ | ✅ | ✅ |
Incident tasks | GA | ✅ | ✅ | ✅ |
Microsoft 365 Defender incident integration | GA | ✅ | ✅ | ❌ |
Microsoft Teams integrations | Public preview | ✅ | ✅ | ❌ |
Playbook template gallery | Public preview | ✅ | ✅ | ❌ |
Run playbooks on entities | GA | ✅ | ✅ | ✅ |
Run playbooks on incidents | GA | ✅ | ✅ | ✅ |
SOC incident audit metrics | GA | ✅ | ✅ | ✅ |
Machine Learning
Feature | Feature stage | Azure commercial | Azure Government | Azure China 21Vianet |
---|---|---|---|---|
Anomalous RDP login detection - built-in ML detection | Public preview | ✅ | ✅ | ❌ |
Anomalous SSH login detection - built-in ML detection | Public preview | ✅ | ✅ | ❌ |
Fusion - advanced multistage attack detections 1 | GA | ✅ | ✅ | ✅ |
1 Partially GA: The ability to disable specific findings from vulnerability scans is in public preview.
Managing Microsoft Sentinel
Feature | Feature stage | Azure commercial | Azure Government | Azure China 21Vianet |
---|---|---|---|---|
Workspace manager | Public preview | ✅ | ✅ | ❌ |
SIEM migration experience | GA | ✅ | ❌ | ❌ |
Normalization
Feature | Feature stage | Azure commercial | Azure Government | Azure China 21Vianet |
---|---|---|---|---|
Advanced Security Information Model (ASIM) | Public preview | ✅ | ✅ | ✅ |
Notebooks
Feature | Feature stage | Azure commercial | Azure Government | Azure China 21Vianet |
---|---|---|---|---|
Notebooks | GA | ✅ | ✅ | ✅ |
Notebook integration with Azure Synapse | Public preview | ✅ | ✅ | ✅ |
SOC optimizations
Feature | Feature stage | Azure commercial | Azure Government | Azure China 21Vianet |
---|---|---|---|---|
SOC optimizations | Supported for production use | ✅ | ❌ | ❌ |
SAP
Feature | Feature stage | Azure commercial | Azure Government | Azure China 21Vianet |
---|---|---|---|---|
Threat protection for SAP | GA | ✅ | ✅ | ✅ |
Agentless data connector | Limited preview | ✅ | ❌ | ❌ |
Threat intelligence support
Feature | Feature stage | Azure commercial | Azure Government | Azure China 21Vianet |
---|---|---|---|---|
GeoLocation and WhoIs data enrichment | Public preview | ✅ | ❌ | ❌ |
Import TI from flat file | Public preview | ✅ | ✅ | ✅ |
Threat Intelligence Platform data connector | Public preview | ✅ | ❌ | ❌ |
Threat Intelligence Research page | GA | ✅ | ✅ | ✅ |
Threat Intelligence - TAXII data connector | GA | ✅ | ✅ | ✅ |
Microsoft Defender for Threat Intelligence connector | Public preview | ✅ | ❌ | ❌ |
Microsoft Defender Threat intelligence matching analytics | Public preview | ✅ | ❌ | ❌ |
Threat Intelligence workbook | GA | ✅ | ✅ | ✅ |
URL detonation | Public preview | ✅ | ❌ | ❌ |
Threat Intelligence Upload Indicators API | Public preview | ✅ | ❌ | ❌ |
UEBA
Feature | Feature stage | Azure commercial | Azure Government | Azure China 21Vianet |
---|---|---|---|---|
Active Directory sync via MDI | Public preview | ✅ | ✅ | ❌ |
Azure resource entity pages | Public preview | ✅ | ✅ | ❌ |
Entity insights | GA | ✅ | ✅ | ✅ |
Entity pages | GA | ✅ | ✅ | ✅ |
Identity info table data ingestion | GA | ✅ | ✅ | ✅ |
IoT device entity page | Public preview | ✅ | ✅ | ❌ |
Peer/Blast radius enrichments | Public preview | ✅ | ❌ | ❌ |
SOC-ML anomalies | GA | ✅ | ✅ | ❌ |
UEBA anomalies | GA | ✅ | ✅ | ❌ |
UEBA enrichments\insights | GA | ✅ | ✅ | ✅ |
Watchlists
Feature | Feature stage | Azure commercial | Azure Government | Azure China 21Vianet |
---|---|---|---|---|
Large watchlists from Azure Storage | Public preview | ✅ | ❌ | ❌ |
Watchlists | GA | ✅ | ✅ | ✅ |
Watchlist templates | Public preview | ✅ | ❌ | ❌ |
Next steps
In this article, you learned about available features in Microsoft Sentinel.