Microsoft Sentinel feature support for Azure commercial/other clouds

This article describes the features available in Microsoft Sentinel across different Azure environments. Features are listed as GA (generally available), public preview, or shown as not available.

Note

These lists and tables do not include feature or bundle availability in the Azure Government Secret or Azure Government Top Secret clouds. For more information about specific availability for air-gapped clouds, please contact your account team.

Experience in the Defender portal

Microsoft Sentinel is also available in the Microsoft Defender portal as Microsoft's unified security operations (SecOps) platform. In the Defender portal, all features in general availability are available in both commercial and GCC High and DoD clouds. Features still in preview are available only in the commercial cloud.

While attack disruption in the Defender portal is generally available, SAP support for attack disruption with Microsoft's unified SecOps platform is available only in the commercial cloud.

For more information, see Microsoft Defender XDR for US Government customers.

Analytics

Feature Feature stage Azure commercial Azure Government Azure China 21Vianet
Analytics rules health Public preview
MITRE ATT&CK dashboard Public preview
NRT rules GA
Recommendations Public preview
Scheduled and Microsoft rules GA

Content and content management

Feature Feature stage Azure commercial Azure Government Azure China 21Vianet
Content hub and solutions GA
Repositories Public preview
Workbooks GA

Data collection

Feature Feature stage Azure commercial Azure Government Azure China 21Vianet
Amazon Web Services GA
Amazon Web Services S3 GA
Microsoft Entra ID GA 1
Microsoft Entra ID Protection GA
Azure Activity GA
Azure DDoS Protection GA
Azure Firewall GA
Azure Information Protection (Preview) Deprecated
Azure Key Vault Public preview
Azure Kubernetes Service (AKS) Public preview
Azure SQL Databases GA
Azure Web Application Firewall (WAF) GA
Cisco ASA GA
Codeless Connectors Platform Public preview
Common Event Format (CEF) GA
Common Event Format (CEF) via AMA GA
DNS Public preview
GCP Pub/Sub Audit Logs Public preview
Microsoft Defender XDR GA
Microsoft Purview Insider Risk Management (Preview) Public preview
Microsoft Defender for Cloud GA
Microsoft Defender for IoT GA
Microsoft Power BI (Preview) Public preview
Microsoft Project (Preview) Public preview
Microsoft Purview (Preview) Public preview
Microsoft Purview Information Protection Public preview
Office 365 GA
Summary rules Public preview
Syslog GA
Syslog via AMA GA
Windows DNS Events via AMA GA
Windows Firewall GA
Windows Forwarded Events GA
Windows Security Events via AMA GA

1 Supports only sign-in logs and audit logs.

Hunting

Feature Feature stage Azure commercial Azure Government Azure China 21Vianet
Bookmarks GA
Hunts Public preview
Livestream GA
Queries GA
Restore historical data GA
Search large datasets GA

Incidents

Feature Feature stage Azure commercial Azure Government Azure China 21Vianet
Add entities to threat intelligence Public preview
Advanced and/or conditions GA
Automation rules GA
Automation rules health Public preview
Create incidents manually GA
Cross-tenant/Cross-workspace incidents view GA
Incident advanced search GA
Incident tasks GA
Microsoft 365 Defender incident integration GA
Microsoft Teams integrations Public preview
Playbook template gallery Public preview
Run playbooks on entities GA
Run playbooks on incidents GA
SOC incident audit metrics GA

Machine Learning

Feature Feature stage Azure commercial Azure Government Azure China 21Vianet
Anomalous RDP login detection - built-in ML detection Public preview
Anomalous SSH login detection - built-in ML detection Public preview
Fusion - advanced multistage attack detections 1 GA

1 Partially GA: The ability to disable specific findings from vulnerability scans is in public preview.

Managing Microsoft Sentinel

Feature Feature stage Azure commercial Azure Government Azure China 21Vianet
Workspace manager Public preview
SIEM migration experience GA

Normalization

Feature Feature stage Azure commercial Azure Government Azure China 21Vianet
Advanced Security Information Model (ASIM) Public preview

Notebooks

Feature Feature stage Azure commercial Azure Government Azure China 21Vianet
Notebooks GA
Notebook integration with Azure Synapse Public preview

SOC optimizations

Feature Feature stage Azure commercial Azure Government Azure China 21Vianet
SOC optimizations Supported for production use

SAP

Feature Feature stage Azure commercial Azure Government Azure China 21Vianet
Threat protection for SAP GA
Agentless data connector Limited preview

Threat intelligence support

Feature Feature stage Azure commercial Azure Government Azure China 21Vianet
GeoLocation and WhoIs data enrichment Public preview
Import TI from flat file Public preview
Threat Intelligence Platform data connector Public preview
Threat Intelligence Research page GA
Threat Intelligence - TAXII data connector GA
Microsoft Defender for Threat Intelligence connector Public preview
Microsoft Defender Threat intelligence matching analytics Public preview
Threat Intelligence workbook GA
URL detonation Public preview
Threat Intelligence Upload Indicators API Public preview

UEBA

Feature Feature stage Azure commercial Azure Government Azure China 21Vianet
Active Directory sync via MDI Public preview
Azure resource entity pages Public preview
Entity insights GA
Entity pages GA
Identity info table data ingestion GA
IoT device entity page Public preview
Peer/Blast radius enrichments Public preview
SOC-ML anomalies GA
UEBA anomalies GA
UEBA enrichments\insights GA

Watchlists

Feature Feature stage Azure commercial Azure Government Azure China 21Vianet
Large watchlists from Azure Storage Public preview
Watchlists GA
Watchlist templates Public preview

Next steps

In this article, you learned about available features in Microsoft Sentinel.