Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Important
Attention: All Microsoft Sentinel features will be officially retired in Azure in China regions on August 18, 2026 per the announcement posted by 21Vianet.
This article describes the features available in Microsoft Sentinel across different Azure environments. Features are listed as GA (generally available), public preview, or shown as not available.
Important
All Microsoft Sentinel features will be officially retired in the Azure operated by 21Vianet region on August 18, 2026, per the announcement posted by 21Vianet. Due to this upcoming retirement, customers are no longer able to onboard new subscriptions to the service.
We recommend that customers work with their account representatives for Microsoft Azure operated by 21Vianet to assess the impact of this retirement on their own operations.
Analytics
| Feature | Feature stage | Azure commercial | Azure operated by 21Vianet |
|---|---|---|---|
| Analytics rules health | Public preview | Yes | No |
| MITRE ATT&CK dashboard | Public preview | Yes | Yes |
| NRT rules | GA | Yes | Yes |
| Recommendations | Public preview | Yes | No |
| Scheduled and Microsoft rules | GA | Yes | Yes |
Content and content management
| Feature | Feature stage | Azure commercial | Azure operated by 21Vianet |
|---|---|---|---|
| Content hub and solutions | GA | Yes | Yes |
| Repositories | Public preview | Yes | No |
| Workbooks | GA | Yes | Yes |
Data collection
| Feature | Feature stage | Azure commercial | Azure operated by 21Vianet |
|---|---|---|---|
| Amazon Web Services | GA | Yes | No |
| Amazon Web Services S3 | GA | Yes | No |
| Microsoft Entra ID | GA | Yes | Yes 1 |
| Microsoft Entra ID Protection | GA | Yes | No |
| Azure Activity | GA | Yes | Yes |
| Azure DDoS Protection | GA | Yes | No |
| Azure Firewall | GA | Yes | Yes |
| Azure Information Protection (Preview) | Deprecated | No | No |
| Azure Key Vault | Public preview | Yes | Yes |
| Azure Kubernetes Service (AKS) | Public preview | Yes | Yes |
| Azure SQL Databases | GA | Yes | Yes |
| Azure Web Application Firewall (WAF) | GA | Yes | Yes |
| Cisco ASA | GA | Yes | Yes |
| Codeless Connectors Platform | Public preview | Yes | No |
| Common Event Format (CEF) | GA | Yes | Yes |
| Common Event Format (CEF) via AMA | GA | Yes | Yes |
| DNS | Public preview | Yes | Yes |
| GCP Pub/Sub Audit Logs | Public preview | Yes | No |
| Microsoft Defender XDR | GA | Yes | No |
| Microsoft Purview Insider Risk Management (Preview) | Public preview | Yes | No |
| Microsoft Defender for Cloud | GA | Yes | Yes |
| Microsoft Defender for IoT | GA | Yes | No |
| Microsoft Power BI (Preview) | Public preview | Yes | No |
| Microsoft Project (Preview) | Public preview | Yes | No |
| Microsoft Purview (Preview) | Public preview | Yes | No |
| Microsoft Purview Information Protection | Public preview | Yes | No |
| Office 365 | GA | Yes | Yes |
| Syslog | GA | Yes | Yes |
| Syslog via AMA | GA | Yes | Yes |
| Windows DNS Events via AMA | GA | Yes | Yes |
| Windows Firewall | GA | Yes | Yes |
| Windows Forwarded Events | GA | Yes | Yes |
| Windows Security Events via AMA | GA | Yes | Yes |
1 Supports only sign-in logs and audit logs.
Hunting
| Feature | Feature stage | Azure commercial | Azure operated by 21Vianet |
|---|---|---|---|
| Bookmarks | GA | Yes | Yes |
| Hunts | Public preview | Yes | No |
| Livestream | GA | Yes | Yes |
| Queries | GA | Yes | Yes |
| Restore historical data | GA | Yes | Yes |
| Search large datasets | GA | Yes | Yes |
Incidents
| Feature | Feature stage | Azure commercial | Azure operated by 21Vianet |
|---|---|---|---|
| Add entities to threat intelligence | Public preview | Yes | Yes |
| Advanced and/or conditions | GA | Yes | Yes |
| Automation rules | GA | Yes | Yes |
| Automation rules health | Public preview | Yes | No |
| Create incidents manually | GA | Yes | Yes |
| Cross-tenant/Cross-workspace incidents view | GA | Yes | Yes |
| Incident advanced search | GA | Yes | Yes |
| Incident tasks | GA | Yes | Yes |
| Microsoft 365 Defender incident integration | GA | Yes | No |
| Microsoft Teams integrations | Public preview | Yes | No |
| Playbook template gallery | Public preview | Yes | No |
| Run playbooks on entities | GA | Yes | Yes |
| Run playbooks on incidents | GA | Yes | Yes |
| SOC incident audit metrics | GA | Yes | Yes |
Machine Learning
| Feature | Feature stage | Azure commercial | Azure operated by 21Vianet |
|---|---|---|---|
| Anomalous RDP login detection - built-in ML detection | Public preview | Yes | No |
| Anomalous SSH login detection - built-in ML detection | Public preview | Yes | No |
| Fusion - advanced multistage attack detections 1 | GA | Yes | Yes |
1 Partially GA: The ability to disable specific findings from vulnerability scans is in public preview.
Managing Microsoft Sentinel
| Feature | Feature stage | Azure commercial | Azure China 21Vianet |
|---|---|---|---|
| Workspace manager | Public preview | Yes | No |
| SIEM migration experience | GA | Yes | No |
Normalization
| Feature | Feature stage | Azure commercial | Azure operated by 21Vianet |
|---|---|---|---|
| Advanced Security Information Model (ASIM) | Public preview | Yes | Yes |
Notebooks
| Feature | Feature stage | Azure commercial | Azure operated by 21Vianet |
|---|---|---|---|
| Notebooks | GA | Yes | Yes |
| Notebook integration with Azure Synapse | Public preview | Yes | Yes |
SAP
| Feature | Feature stage | Azure commercial | Azure operated by 21Vianet |
|---|---|---|---|
| Threat protection for SAP | GA | Yes | Yes |
Threat intelligence support
| Feature | Feature stage | Azure commercial | Azure operated by 21Vianet |
|---|---|---|---|
| GeoLocation and WhoIs data enrichment | Public preview | Yes | No |
| Import TI from flat file | Public preview | Yes | Yes |
| Threat Intelligence Platform data connector | Public preview | Yes | No |
| Threat Intelligence Research page | GA | Yes | Yes |
| Threat Intelligence - TAXII data connector | GA | Yes | Yes |
| Microsoft Defender for Threat Intelligence connector | Public preview | Yes | No |
| Microsoft Defender Threat intelligence matching analytics | Public preview | Yes | No |
| Threat Intelligence workbook | GA | Yes | Yes |
| URL detonation | Public preview | Yes | No |
| Threat Intelligence Upload Indicators API | Public preview | Yes | No |
UEBA
| Feature | Feature stage | Azure commercial | Azure operated by 21Vianet |
|---|---|---|---|
| Active Directory sync via MDI | Public preview | Yes | No |
| Azure resource entity pages | Public preview | Yes | No |
| Entity insights | GA | Yes | Yes |
| Entity pages | GA | Yes | Yes |
| Identity info table data ingestion | GA | Yes | Yes |
| IoT device entity page | Public preview | Yes | No |
| Peer/Blast radius enrichments | Public preview | Yes | No |
| SOC-ML anomalies | GA | Yes | No |
| UEBA anomalies | GA | Yes | No |
| UEBA enrichments\insights | GA | Yes | Yes |
Watchlists
| Feature | Feature stage | Azure commercial | Azure operated by 21Vianet |
|---|---|---|---|
| Large watchlists from Azure Storage | Public preview | Yes | Yes |
| Watchlists | GA | Yes | Yes |
| Watchlist templates | Public preview | Yes | Yes |
Next steps
In this article, you learned about available features in Microsoft Sentinel.