
Control 3.9: Microsoft Sentinel Integration

Control ID: 3.9
Pillar: Reporting
Regulatory Reference: FINRA Rule 4511 (books and records), SEC Rules 17a-3 / 17a-4 (recordkeeping, WORM), NYDFS 23 NYCRR 500.06 (audit trail) / 500.16 (incident response plan) / 500.17 (notification), FFIEC IT Examination Handbook (Audit; Information Security), OCC Bulletin 2011-12 / Federal Reserve SR 11-7 (Model Risk Management — monitoring obligations on AI agents), CISA BOD 22-09 (event logging — informative benchmark for private-sector firms), FINRA Notice 25-07 (AI workflows, contextual RFC), SOX 404
Last UI Verified: February 2026
Governance Levels: Baseline / Recommended / Regulated


Objective

Integrate AI agent monitoring with Microsoft Sentinel SIEM/XDR capabilities for enterprise-grade security visibility, automated threat detection, and centralized incident response. This control supports proactive security monitoring of agent behavior patterns and rapid response to anomalies through connector-based ingestion, KQL analytics, workbooks, and Logic Apps playbooks.

Scope Limit — Operational Monitoring, Not Books-and-Records

Microsoft Sentinel and Azure Monitor support security monitoring, alerting, investigation, and incident-response evidence retention. They should not be treated as a substitute for Microsoft Purview retention / eDiscovery or for any immutable books-and-records controls required under FINRA Rule 4511 and SEC Rules 17a-3 / 17a-4. Sentinel alerts and workbook evidence complement — but do not replace — supervisory review (Control 2.12), model risk management (Control 2.6), incident reporting (Control 3.4), orphaned-agent remediation (Control 3.6), and content-level retention (Control 1.7 / Pillar 4).


Why This Matters for FSI

  • FINRA Rule 4511 / SEC 17a-3 / 17a-4: Sentinel ingested data supports reconstruction of supervisory events and access anomalies, but the firm's immutable books-and-records retention must be satisfied through Purview retention, WORM-backed archives, or an approved SEC 17a-4(f) vendor — not through Sentinel's operational retention alone.
  • NYDFS 23 NYCRR 500.06 (audit trail) / 500.16 (incident response) / 500.17 (notification): Sentinel analytics, Logic Apps playbooks, and workbook evidence help satisfy audit-trail, incident-response program, and 72-hour notification requirements for covered entities.
  • FFIEC IT Examination Handbook (Audit / Information Security): Examiners expect centralized logging, timely detection, and documented response — Sentinel is a primary pattern for meeting those expectations across M365, Entra, Power Platform, and Defender signals.
  • OCC Bulletin 2011-12 / Fed SR 11-7 (Model Risk Management): Continuous monitoring of AI agents (anomalous prompts, data exfiltration, tool-use drift) supports the ongoing-monitoring obligations in SR 11-7 §VI — monitoring findings should feed MRM re-validation in Control 2.6.
  • FINRA Notice 25-07 (AI workflows): Cited here as contextual industry consultation; it is an RFC and does not create binding obligations but reinforces that supervisory telemetry for AI agents is a near-term expectation.
  • CISA BOD 22-09 (event logging): Informative benchmark — the Binding Operational Directive applies to federal civilian agencies, but its EL1–EL3 logging maturity levels are a useful yardstick for private-sector FSI firms.
  • SOX 404: IT general controls for financial-reporting systems must include security monitoring with documented evidence of alert-to-resolution cycles.

No companion solution by design

Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.

Control Description

Microsoft Sentinel integration provides advanced security analytics for AI agents through data connectors, custom analytics rules, automated response playbooks, and proactive hunting capabilities.

Integration Options (February 2026)

The primary integration pattern for ingesting agent-related telemetry into Sentinel is connector-based ingestion into Log Analytics using Microsoft 365, Entra, Defender, Power Platform, and optional Application Insights / custom telemetry — governed by KQL analytics rules, workbooks, and Logic Apps playbooks. Sentinel MCP Server (GA November 2025) is an optional analyst/SOC augmentation path that enables natural-language queries over Sentinel data; it is not a foundational monitoring architecture and is not required.

| Integration Path | Role | Log Analytics Table |
| --- | --- | --- |
| Power Platform Admin Activity (primary) | Monitor agent admin events, DLP changes, environment actions | PowerPlatformAdminActivity |
| Microsoft 365 / Purview Unified Audit Log (primary) | Copilot interactions, XPIA/jailbreak detections, resource access | OfficeActivity (CopilotInteraction) |
| Entra ID sign-in + audit (primary) | Human sign-ins in SigninLogs; agent / service-principal sign-ins in AADServicePrincipalSignInLogs (distinct table — do not assume SigninLogs covers workload identities); directory changes in AuditLogs | SigninLogs, AADServicePrincipalSignInLogs, AuditLogs |
| Microsoft 365 Defender / Defender for Cloud Apps (primary) | XDR alerts, AI-SPM detections, cloud app activity | AlertInfo, DeviceEvents, CloudAppEvents |
| Microsoft Copilot connector (primary) | Copilot-specific telemetry (prompt/response metadata), anomaly signals | Defender portal > Data connectors |
| Application Insights (optional) | Custom telemetry, conversation transcripts (when enabled), CSAT | AppTraces, AppRequests, custom tables |
| Sentinel MCP Server (optional augmentation) | Analyst natural-language queries against Sentinel data lake | Sentinel data lake |

| Capability | Description |
| --- | --- |
| Data Connectors | Ingest logs from M365, Power Platform, Entra ID |
| Analytics Rules | Detect unusual agent behavior patterns |
| Workbooks | Visualize agent security posture |
| Automation | Respond to threats automatically |
| Hunting | Proactive threat investigation |

Key Detection Scenarios:

| Scenario | Detection Method | Response |
| --- | --- | --- |
| Unusual data access | Baseline deviation | Alert + review |
| DLP violation | Policy match | Alert + suspend |
| After-hours activity | Time-based rule | Alert + log |
| Mass data download | Volume threshold | Alert + block |
| Runtime protection block | XDR alert from Defender/AI-SPM | Alert + investigate |
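An added KQL example (not code from the framework page or from the Sentinel product) showing how the "baseline deviation" and "volume threshold" scenarios above can be expressed as one scheduled analytics rule over OfficeActivity. The 14-day lookback, the 3-sigma band, the 500-downloads-per-day ceiling, the 7-day minimum baseline, and the assumption that agent identities surface with UserType "Application" or "ServicePrincipal" are all assumptions made for this example, not values stated on this page.

```kql
// Added example, not part of the framework page or of Sentinel's content hub.
// Scheduled analytics rule: flag an agent / application identity whose daily
// file-download count either exceeds an absolute ceiling (volume threshold) or
// deviates from its own 14-day baseline (baseline deviation).
// Assumptions (constructed for the example): 3-sigma band, 500 downloads/day
// ceiling, at least 7 baseline days, and agent identities carrying
// UserType "Application" or "ServicePrincipal" in OfficeActivity.
let Lookback = 14d;
let AbsoluteThreshold = 500;
let Sigma = 3.0;
let MinBaselineDays = 7;
let Downloads =
    OfficeActivity
    | where TimeGenerated > ago(Lookback)
    | where Operation in ("FileDownloaded", "FileSyncDownloadedFull")
    | where UserType in ("Application", "ServicePrincipal")
    | summarize DailyCount = count() by UserId, Day = bin(TimeGenerated, 1d);
// Baseline per identity: mean and standard deviation of daily counts over the
// window, excluding the current (partial) day so a burst cannot inflate its own
// baseline and hide itself.
let Baseline =
    Downloads
    | where Day < startofday(now())
    | summarize MeanDaily = avg(DailyCount),
                StdDaily = stdev(DailyCount),
                DaysObserved = dcount(Day)
      by UserId;
Downloads
| where Day == startofday(now())
| join kind=leftouter Baseline on UserId
// Identities with no usable baseline fall back to the absolute ceiling only.
| extend Ceiling = coalesce(MeanDaily + Sigma * StdDaily, toreal(AbsoluteThreshold))
| where DailyCount > AbsoluteThreshold
     or (DaysObserved >= MinBaselineDays and DailyCount > Ceiling)
| project TimeGenerated = Day, UserId, DailyCount, MeanDaily, StdDaily, DaysObserved,
          Reason = iff(DailyCount > AbsoluteThreshold, "AbsoluteThreshold", "BaselineDeviation")
// Entity mapping so the incident carries the agent identity into the playbook.
| extend AccountCustomEntity = UserId
```

Schedule it once a day with a one-day rule period; the AccountCustomEntity mapping lets the resulting incident hand the agent identity to the "Alert + review" or "Alert + block" playbook. The Reason column separates the two detection methods so an analyst can tell a hard ceiling breach from a statistical deviation when triaging.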

Key Configuration Points

  • Deploy Microsoft Sentinel workspace in dedicated resource group
  • Connect data sources: M365 Defender, Entra ID, Microsoft 365, Defender for Cloud Apps
  • Enable Power Platform Admin Activity connector for administrative events
  • Create analytics rules for agent anomalies: unusual access, DLP violations, after-hours activity
  • Build workbooks for agent activity visualization and security metrics
  • Configure automation rules for high-severity alerts (suspend agent, notify security)
  • Develop hunting queries for proactive investigation
  • Integrate incident management with Control 3.4

Three Data Ingestion Pathways

Organizations have three primary pathways for ingesting agent-related telemetry into Sentinel:

| Pathway | Best For | Data Coverage | Setup Complexity |
| --- | --- | --- | --- |
| Power Platform Admin Activity | Administrative oversight | Environment changes, DLP policy events, agent metadata | Low |
| Purview Unified Audit Log | Compliance and interaction monitoring | CopilotInteraction events, XPIA/Jailbreak detections, resource access | Medium |
| Defender CloudAppEvents | Security operations | Runtime threat detections, cloud app activity, alert correlation | Medium |

Pathway Selection

Most FSI organizations implement all three pathways: Power Platform Admin Activity for governance, Purview UAL for compliance evidence (FINRA 4511), and CloudAppEvents for security operations (OCC Heightened Standards).

Available Data Sources for Agent Monitoring

| Data Source | Connector | Log Analytics Table | What's Captured |
| --- | --- | --- | --- |
| Power Platform Admin Activity | Power Platform Admin Activity | PowerPlatformAdminActivity | Admin actions, DLP changes, environment events, agent metadata changes |
| Purview Unified Audit Log | Microsoft 365 | OfficeActivity (CopilotInteraction) | Agent interactions, XPIA/Jailbreak detections, resource access status, policy blocks |
| M365 Defender | Microsoft 365 Defender | DeviceEvents, AlertInfo | XDR alerts including AI-SPM detections |
| Entra ID | Entra ID | SigninLogs, AADServicePrincipalSignInLogs, AuditLogs | Human sign-ins (SigninLogs); agent / workload-identity sign-ins (AADServicePrincipalSignInLogs); directory and consent-grant changes (AuditLogs) |
| Defender for Cloud Apps | Defender for Cloud Apps | CloudAppEvents | Cloud app activity, shadow IT detection, UPIA/XPIA flags |
| Application Insights | Custom (Log Analytics workspace link) | AppTraces, AppRequests | Agent telemetry, conversation logs, CSAT (requires custom setup) |

Microsoft Copilot Data Connector (GA)

Microsoft Sentinel now includes a dedicated Microsoft Copilot data connector that ingests Copilot-specific telemetry without requiring manual configuration of individual data sources. This connector provides:

  • Copilot prompt and response metadata (not content)
  • Agent interaction telemetry
  • Copilot usage patterns and anomaly detection signals
  • Integration with Sentinel analytics rules for automated threat detection

Configure at the Defender portal (security.microsoft.com) > Microsoft Sentinel > Data connectors > Microsoft Copilot.

Sentinel MCP Server Integration (Optional AI-Assisted Query Augmentation)

The Sentinel MCP (Model Context Protocol) Server provides an optional natural-language analyst augmentation for SOC teams. It is not the foundational monitoring path — connector-based ingestion with KQL analytics, workbooks, and Logic Apps playbooks remains the primary pattern.

Configuration Steps:

  1. Navigate to Copilot Studio > Select agent > Tools
  2. Add the Sentinel tool collection from available MCP servers
  3. Configure Microsoft Entra authentication for the Sentinel workspace
  4. Test with natural language queries (e.g., "Find the top 3 users at risk")

Capabilities:

| Feature | Description |
| --- | --- |
| Natural language queries | Translate security questions to optimized data lake queries |
| Incident investigation | Agent assists with threat analysis and triage |
| Alert summarization | AI-powered summaries of security incidents |
| Hunting assistance | Guided threat hunting with Copilot |

Requirements

Sentinel MCP Server requires Microsoft Entra authentication and incurs AI model costs. Data residency follows the connected Sentinel workspace region.

Custom Integration for Comprehensive Telemetry

For organizations requiring conversation-level monitoring beyond administrative events:

Copilot Studio Agent → Application Insights (custom telemetry) → Log Analytics Workspace → Microsoft Sentinel (analytics rules, workbooks)

Implementation Steps:

  1. Configure Application Insights in Copilot Studio agent settings
  2. Enable sensitive activity property logging (see warning below)
  3. Link Application Insights to Log Analytics workspace
  4. Create custom analytics rules against AppTraces and custom event tables
  5. Build Sentinel workbooks for conversation metrics and CSAT trends

Conversation transcript capture — legal, privacy, and records review required

By default, Copilot Studio's Application Insights integration sends sanitized telemetry: event metadata without conversation text. Some supervisory or evidence-collection scenarios may require capturing conversation content (prompts, responses, user IDs). Enabling that capture is subject to legal, privacy, and records-governance review, and it does not by itself satisfy FINRA Rule 4511 / SEC 17a-4 books-and-records obligations, which should be met through Purview retention, the supervisory review workflow (Control 2.12), and firm records policy.

Where the firm determines that transcript capture is appropriate and legally supported:

  1. Copilot Studio > Agent > Settings > Advanced > Application Insights > enable "Log sensitive activity properties" — includes PII and conversation text in telemetry payloads
  2. Power Platform Admin Center > Environments > [Your Environment] > Settings > Product > Features > enable "Allow conversation transcripts" — tenant-level prerequisite that can block downstream telemetry if disabled

Without these settings, the customEvents table in Application Insights will show event occurrences (e.g., BotMessage, UserMessage) but with empty text fields.

PII Governance Note: Enabling sensitive properties routes PII into Application Insights. Ensure the Application Insights resource has appropriate access controls, data retention policies aligned with zone requirements (see Control 1.7), approved records classification, and is included in the organization's data governance scope.


Retention and Recordkeeping Boundary

Sentinel retention is an operational monitoring / investigation control and is not a replacement for immutable books-and-records retention under FINRA Rule 4511 and SEC Rules 17a-3 / 17a-4 where applicable. A common FSI operating pattern is:

| Tier | Typical Target | Purpose |
| --- | --- | --- |
| Interactive / Hot | ~180 days | Active investigation, KQL analytics, workbook dashboards, near-real-time alerting |
| Archive / Long-term | Up to 12 years per table (Sentinel) or exported to firm-approved archive | Retrospective investigation, incident reconstruction, regulatory inquiry response |
| Records-scope retention | ≥ 6 years WORM (FINRA 4511 / SEC 17a-4(b)(4); first two years immediately accessible) | Immutable books-and-records — maintained in Purview retention and/or an SEC 17a-4(f) vendor archive; not in Sentinel |

Exact retention depends on workspace/table settings, cloud availability, cost approvals, and firm records schedule. Document the chosen pattern in the firm's written supervisory procedures (Control 2.12) and records policy.


Example AI-Specific Analytics Rules

The table below is a starting catalog; each rule should be tuned to the firm's environment and formalized in the Sentinel workspace with KQL, severity, and Logic Apps playbook wiring.

| Detection Scenario | Signal / Source | Logic Apps Playbook Response |
| --- | --- | --- |
| Prompt injection / jailbreak attempt | OfficeActivity (CopilotInteraction with XPIA / jailbreak flag), Defender AI-SPM alert | Tag incident, notify SOC + Agent Owner, attach transcript context to Control 2.12 supervisory queue |
| Anomalous connector / plugin / MCP tool use | PowerPlatformAdminActivity, CloudAppEvents | Open incident, enrich with Agent Registry metadata (Control 1.2), block connector if high-severity |
| After-hours privileged agent activity | AADServicePrincipalSignInLogs + AuditLogs with time-of-day condition | Alert + require sponsor attestation (Control 2.26) |
| DLP policy changes or bypass attempts | PowerPlatformAdminActivity with DLP policy delta, CloudAppEvents DLP alerts | Revert + alert Compliance Officer |
| Unusual consent grants / service principal changes | AuditLogs (consent grant, app role assignment) | Alert + feed Control 2.8 access-review queue |
| Orphan / shadow agent signals | Agent Registry delta vs PowerPlatformAdminActivity / AADServicePrincipalSignInLogs | Cascade to Control 3.6 remediation register |
| Mass data download by agent | AADServicePrincipalSignInLogs + OfficeActivity volume threshold | Suspend agent, notify Agent Owner + SOC |
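An added KQL example (not code from the framework page or from Sentinel's content hub) for the "After-hours privileged agent activity" row above, built on AADServicePrincipalSignInLogs with a time-of-day condition and enriched from an Agent Registry watchlist. The business-hours window (07:00 to 19:00 UTC), the hourly schedule, the five-sign-in floor, and a Sentinel watchlist named "AgentRegistry" with AppId and AgentOwner columns are assumptions made for this example; the watchlist stands in for the Control 1.2 Agent Registry and is not defined on this page.

```kql
// Added example, not part of the framework page or of Sentinel's content hub.
// Scheduled analytics rule: successful service-principal (agent) sign-ins
// outside business hours, restricted to identities in the agent registry.
// Assumptions (constructed for the example): business hours 07:00-19:00 UTC,
// hourly schedule with a 1h lookback, a floor of 5 sign-ins per run, and a
// hypothetical watchlist "AgentRegistry" with columns AppId and AgentOwner.
let BusinessStartUtc = 7;
let BusinessEndUtc = 19;
let MinSignIns = 5;
let AgentRegistry =
    _GetWatchlist('AgentRegistry')
    | project AppId = tostring(AppId), AgentOwner = tostring(AgentOwner);
AADServicePrincipalSignInLogs
| where TimeGenerated > ago(1h)            // matches the hourly schedule
| where ResultType == "0"                  // successful sign-ins only; non-zero is an error code
| extend HourUtc = hourofday(TimeGenerated)
| where HourUtc < BusinessStartUtc or HourUtc >= BusinessEndUtc
// Inner join keeps only registered agent identities; the registry row supplies
// the owner that the sponsor-attestation playbook (Control 2.26) needs.
| join kind=inner AgentRegistry on AppId
| summarize SignInCount = count(),
            Resources = make_set(ResourceDisplayName),
            SourceIPs = make_set(IPAddress),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
  by ServicePrincipalName, AppId, AgentOwner
| where SignInCount >= MinSignIns
// Entity mapping so the incident carries the agent identity into the playbook.
| extend AccountCustomEntity = ServicePrincipalName
```

The make_set columns give the analyst the resources and source addresses touched in the window without a second query. Changing the join to kind=leftanti against the same watchlist inverts the rule into the "Orphan / shadow agent signals" row: sign-ins by service principals that do not appear in the registry at all.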

Sovereign cloud availability (GCC / GCC High / DoD)

Microsoft Sentinel exists across commercial and government clouds, but connector and preview-feature parity varies by cloud. Preview features, Copilot-specific connectors, the Microsoft Copilot connector, certain Defender data types, and Sentinel MCP Server may lag or be unavailable in GCC High or DoD tenants. Organizations should:

  • Verify current Microsoft Learn support tables before depending on a given connector or preview feature
  • Maintain a separate feature / connector catalog per cloud
  • Document unavailable capabilities as product unavailability, not as policy exceptions or compensating controls
  • Use parallel patterns in Controls 2.25 and 3.6 for sovereign-cloud evidence discipline

Zone-Specific Requirements

| Zone | Requirement | Rationale |
| --- | --- | --- |
| Zone 1 (Personal) | Basic logging; monthly review | Low-risk, minimal monitoring |
| Zone 2 (Team) | Analytics rules; weekly workbook review | Team data exposure |
| Zone 3 (Enterprise) | Full detection suite; real-time alerting; automated response | Customer-facing, highest security need |

Roles & Responsibilities

| Role | Responsibility |
| --- | --- |
| Sentinel Admin | Workspace deployment, connector configuration, analytics rule authoring, workbook deployment |
| Entra Security Admin | Ensure Entra sign-in (SigninLogs, AADServicePrincipalSignInLogs) and audit-log connectors are healthy; Identity Protection signal wiring |
| SOC Analyst / Security Operations | Monitor alerts, triage incidents, run Logic Apps playbooks, investigate agent anomalies |
| Purview Compliance Admin / Purview Audit Admin | Ensure Sentinel alerts and evidence align with Purview retention and eDiscovery holds; preserve books-and-records separately under 4511/17a-4 |
| AI Governance Lead | Define AI-specific detection requirements, review workbooks quarterly, approve KQL rule changes |
| Power Platform Admin | Ensure PowerPlatformAdminActivity ingestion is healthy; feed agent metadata for enrichment |
| Compliance Officer | Map Sentinel evidence to FINRA / SEC / NYDFS obligations; coordinate with Designated Principal on supervisory incidents |
| CISO | Approve Zone 3 detection posture, sovereign-cloud compensating patterns, retention schedule |

Related Controls

| Control | Relationship |
| --- | --- |
| 1.7 - Audit Logging | Data source for Sentinel; Sentinel complements but does not substitute for Purview / books-and-records retention |
| 1.8 - Runtime Protection | Threat signals integration (Defender XDR, AI-SPM) |
| 1.9 - Data Retention and Deletion Policies | Books-and-records retention governed here; Sentinel retention is operational, not immutable |
| 1.24 - AI-SPM | AI security alerts, attack paths, and posture signals feed Sentinel analytics |
| 2.6 - Model Risk Management | SR 11-7 ongoing monitoring — Sentinel findings feed MRM re-validation |
| 2.12 - Supervision and Oversight (FINRA Rule 3110) | Supervisory incidents surfaced via Sentinel feed the designated-principal review queue |
| 3.4 - Incident Reporting and Root Cause Analysis | Sentinel incidents are the primary trigger for 3.4 IR/RCA workflow and NYDFS 500.17 notification timer |
| 3.6 - Orphaned Agent Detection and Remediation | Sentinel signals for ownerless, abandoned, or anomalous agents cascade into the 3.6 remediation register |
| 3.7 - Security Posture | Complementary security view — posture metrics and alerting workbooks |
| 3.14 - Agent 365 Observability SDK | Observability SDK telemetry is a parallel data source and can be routed to Sentinel for unified alerting |

Implementation Playbooks

Step-by-Step Implementation

This control has detailed playbooks for implementation, automation, testing, and troubleshooting:

Agent Usage & Performance Workbook

The Agent Usage & Performance Workbook uses Application Insights as its data source — the same telemetry pipeline that feeds Sentinel integration. Organizations using both tools gain complementary visibility: the workbook provides operational dashboards while Sentinel handles security alerting and incident response. See the Telemetry Schema Reference for data field mappings.


Verification Criteria

Confirm control effectiveness by verifying:

  1. All required data connectors show "Connected" status with recent data (M365, Entra sign-in + AADServicePrincipalSignInLogs, Power Platform Admin Activity, Microsoft Copilot, Defender, optional App Insights)
  2. Analytics rules for agent anomalies are enabled and generating alerts (prompt injection/jailbreak, anomalous connector/MCP use, after-hours privileged activity, DLP change, consent-grant anomaly, mass-download)
  3. Workbooks display agent activity and security posture without errors; reviewed on documented cadence (weekly Z2, real-time Z3)
  4. Logic Apps automation playbooks execute successfully on test alerts with signed incident evidence
  5. Hunting queries return results from recent agent activity
  6. Incidents integrate with incident-tracking system (cascades to Control 3.4); NYDFS 500.17 72-hour notification timer wired where applicable
  7. Orphan / shadow agent signals cascade into Control 3.6 remediation register
  8. Retention schedule documented: interactive (~180d) vs archive (up to 12y) vs books-and-records (≥6y WORM via Purview / 17a-4(f) archive, not Sentinel)
  9. Sovereign cloud parity verified for the deployment cloud (Commercial / GCC / GCC High / DoD); unavailable connectors documented as product unavailability
  10. Quarterly evidence package signed by Sentinel Admin + AI Governance Lead + Compliance Officer

Additional Resources

Portal Transition Update (February 2026)

Microsoft extended the Sentinel Azure portal deprecation timeline. Sentinel will no longer be supported in the Azure portal after March 31, 2027 (previously July 2026). Organizations should plan their transition to the Microsoft Defender portal accordingly.


Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current