
Control 3.9: Microsoft Sentinel Integration

Overview

Control ID: 3.9
Control Name: Microsoft Sentinel Integration
Regulatory Reference: OCC Heightened Standards, Fed SR 11-7, FINRA 4370, SOX 404
Setup Time: 8-16 hours (requires Azure subscription)


Purpose

Microsoft Sentinel integration establishes enterprise-grade security monitoring for AI agents in financial services environments. By connecting Power Platform and Copilot Studio to Sentinel's SIEM and SOAR capabilities (and, through the unified Defender portal, to Microsoft Defender XDR), organizations gain real-time visibility into agent behavior, automated threat detection, and centralized incident response. This integration is essential for meeting regulatory requirements around security monitoring and for demonstrating proactive risk management of AI deployments.


Description

Microsoft Sentinel provides SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation and Response) capabilities for Power Platform and Copilot Studio agents; XDR (Extended Detection and Response) coverage comes from Microsoft Defender when Sentinel is connected to the unified Defender portal (see Integration with Defender Portal below). Integration enables advanced threat detection, security analytics, and automated incident response for enterprise AI deployments.

See What is Microsoft Sentinel for detailed capabilities.


Key Capabilities

| Capability | Description | FSI Relevance |
|---|---|---|
| Centralized SIEM | Unified security monitoring | SOC integration |
| Threat detection | Analytics rules for AI threats | Proactive security |
| Incident management | Security incident workflow | Response coordination |
| Automation | Automated response playbooks | Rapid remediation |
| Hunting | Proactive threat hunting | Advanced investigation |

Prerequisites

Primary Owner Admin Role: Entra Security Admin
Supporting Roles: None

Licenses Required

| License | Purpose | Required For |
|---|---|---|
| Microsoft Sentinel (usage-based billing, pay-as-you-go or commitment tier) | SIEM/SOAR platform | All implementations |
| Azure Subscription | Sentinel hosting | All implementations |
| Log Analytics Workspace | Data storage and query | All implementations |
| Microsoft 365 E5 or E5 Security | Advanced connectors and signals | Full integration |
| Microsoft Defender for Cloud Apps | Enhanced CASB integration | Zones 2-3 agents |

Permissions Required

| Role | Scope | Purpose |
|---|---|---|
| Microsoft Sentinel Contributor | Sentinel workspace | Create/manage analytics rules, workbooks, incidents |
| Security Administrator | Microsoft Entra ID (formerly Azure AD) | Configure security settings and policies |
| Log Analytics Contributor | Log Analytics workspace | Manage data collection and workspace settings |
| Power Platform Administrator | Tenant | Configure Power Platform data connector |
| Reader (Azure RBAC) | Subscription | View Azure resources for Sentinel setup |

Dependencies

| Dependency | Description | Status Check |
|---|---|---|
| Microsoft Entra ID P2 (formerly Azure AD Premium P2) | User and entity behavior analytics (UEBA) | Check license assignment |
| Power Platform Audit Logging | Source data for Sentinel | Verify in PPAC → Tenant Settings |
| Office 365 Audit Logs | M365 integration data | Verify in Purview compliance portal |
| Network Connectivity | Azure to M365 connectivity | Test connector status |

Pre-Setup Checklist

  • [ ] Azure subscription identified or created for Sentinel
  • [ ] Log Analytics workspace provisioned in appropriate region
  • [ ] Required Azure AD roles assigned to setup team
  • [ ] Power Platform audit logging enabled
  • [ ] Data residency requirements documented
  • [ ] Retention requirements defined (regulatory minimum)
  • [ ] SOC team notified of integration
  • [ ] Incident response procedures reviewed

Governance Levels

Level 1 - Baseline

| Requirement | Configuration |
|---|---|
| Sentinel awareness | Understand capabilities |
| Basic logging | Power Platform audit logs retained |
| Documentation | Document security monitoring approach |

Minimum requirements:

  • Understand Sentinel integration options
  • Ensure audit logging enabled in Power Platform
  • Document security monitoring requirements

| Requirement | Configuration |
|---|---|
| Sentinel workspace | Dedicated workspace for Power Platform |
| Data connector | Microsoft Sentinel solution for Microsoft Business Apps enabled |
| Basic analytics | Key detection rules enabled |
| Incident process | Defined incident handling |

FSI recommendations:

  • Deploy Sentinel workspace for Power Platform logs
  • Enable Power Platform data connector
  • Create analytics rules for agent security
  • Define incident response procedures

Level 4 - Regulated/High-Risk

| Requirement | Configuration |
|---|---|
| Comprehensive monitoring | All Power Platform data in Sentinel |
| Advanced analytics | Full rule set for agent threats |
| Automation | Playbooks for automated response |
| SOC integration | 24/7 monitoring coverage |
| Threat hunting | Regular proactive hunting |

FSI requirements:

  • 24/7 SOC monitoring of agent security events
  • Automated incident response for high-severity alerts
  • Regular threat hunting for AI-related threats
  • Integration with enterprise SIEM if not Sentinel
  • Quarterly security posture reviews

Setup & Configuration

Sentinel Navigation

Accessing Microsoft Sentinel

  1. Open Azure Portal
  2. Search for Microsoft Sentinel
  3. Select workspace or create new

Workspace List

| Column | Description |
|---|---|
| Name | Workspace identifier |
| Resource Group | Azure resource group |
| Location | Azure region |
| Subscription | Azure subscription |
| Directory | Microsoft Entra tenant |

Workspace Sections

General:

  • Overview - Dashboard with key metrics
  • Logs - Query and analyze data
  • Guides - Setup and configuration guides
  • Search - Search across data

Threat Management:

  • Incidents - Security incident management
  • Workbooks - Visual analytics dashboards
  • Hunting - Proactive threat hunting queries
  • Notebooks - Jupyter notebooks for investigation
  • Entity behavior - User and entity analytics
  • Threat intelligence - Threat intel integration
  • MITRE ATT&CK (Preview) - Framework mapping
  • SOC optimization - Efficiency recommendations

Content Management:

  • Content hub - Solutions and connectors
  • Repositories - Version-controlled content
  • Community - Community content

Configuration:

  • Workspace manager (Preview) - Multi-workspace management
  • Data connectors - Connect data sources
  • Analytics - Detection rules
  • Summary rules - Data summarization
  • Watchlist - Reference data lists
  • Automation - Response playbooks
  • Settings - Workspace configuration

Microsoft Sentinel Solution for Business Apps

Connecting Power Platform to Sentinel

  1. Navigate to Sentinel workspace → Content hub
  2. Search for "Microsoft Sentinel solution for Microsoft Business Apps"
  3. Install the solution (includes data connectors, analytics rules, and workbooks)
  4. Configure connection settings
  5. Enable data collection

Data Available from Power Platform

| Data Type | Description | Use Case |
|---|---|---|
| Admin activity | PPAC administrative actions | Admin monitoring |
| Maker activity | App/flow/agent creation | Shadow AI detection |
| DLP violations | Data loss prevention events | Compliance monitoring |
| Connector usage | Connector activity | Security analysis |
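Once the solution is installed and collection is enabled, the first thing to verify is that the tables the connectors are supposed to populate are actually receiving rows; a connector that shows as "Connected" but writes nothing is the most common failure on this control. The PowerShell below is an added example, not part of the original page or of Microsoft's Business Apps solution. It assumes `Az.OperationalInsights` is installed and `Connect-AzAccount` has run, that the Power Platform tables carry the names the current Business Apps solution documents (confirm each one in the Logs blade of your workspace), and a two-hour staleness threshold chosen here for illustration.

```powershell
# Added example (not from the original page or the Business Apps solution):
# verify that the tables the connectors should populate are actually receiving rows.
# Assumptions: Az.OperationalInsights is installed and Connect-AzAccount has run;
# table names follow the current Business Apps solution and standard Sentinel tables
# (confirm each in the Logs blade); the staleness threshold is illustrative.
Import-Module Az.OperationalInsights

function Test-SentinelIngestion {
    param(
        [Parameter(Mandatory)] [string] $WorkspaceId,   # Log Analytics workspace GUID (CustomerId)
        [string[]] $Tables = @(
            'PowerPlatformAdminActivity',   # PPAC admin actions (agent/environment operations)
            'PowerPlatformDlpActivity',     # Power Platform DLP policy events
            'PowerAppsActivity',            # maker/app activity
            'OfficeActivity',               # Office 365 connector
            'SigninLogs', 'AuditLogs'       # Microsoft Entra ID connector
        ),
        [int] $MaxAgeHours = 2              # assumption: flag a table with no rows in the last 2 hours
    )

    # isfuzzy=true keeps the query running even when a table does not exist yet
    # (nothing ever ingested), which is exactly the case we want to surface.
    $query = @"
union withsource=TableName isfuzzy=true $($Tables -join ', ')
| where TimeGenerated > ago(7d)
| summarize LastSeen = max(TimeGenerated), Rows24h = countif(TimeGenerated > ago(24h)) by TableName
"@
    $rows = @{}
    foreach ($r in (Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $query).Results) {
        $rows[$r.TableName] = $r
    }

    foreach ($t in $Tables) {
        if (-not $rows.ContainsKey($t)) {
            # Table absent or empty for 7 days: connector never wrote, or permissions/auth are broken
            [pscustomobject]@{ Table = $t; LastSeen = $null; Rows24h = 0; Status = 'NO DATA in 7d - check connector' }
            continue
        }
        # Results come back as ISO 8601 strings; compare in UTC to avoid local-time skew
        $last = ([datetimeoffset]$rows[$t].LastSeen).UtcDateTime
        $age  = [datetime]::UtcNow - $last
        [pscustomobject]@{
            Table    = $t
            LastSeen = $last
            Rows24h  = [int]$rows[$t].Rows24h
            Status   = if ($age.TotalHours -gt $MaxAgeHours) { 'STALE ({0:N1}h since last row)' -f $age.TotalHours } else { 'OK' }
        }
    }
}

# Usage: $workspace comes from Get-AzOperationalInsightsWorkspace (see the PowerShell section)
Test-SentinelIngestion -WorkspaceId $workspace.CustomerId | Format-Table -AutoSize
```

Run this after enabling a connector and again after the first scheduled rules go live; a table that is OK on day one and STALE a week later usually means an expired connector authorization rather than a Sentinel problem.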

Analytics Rules for Agents

Creating Detection Rules

  1. Navigate to Analytics in Configuration
  2. Click Create → Scheduled query rule
  3. Define rule logic using KQL
  4. Set alert threshold and frequency
  5. Configure incident creation
  6. Enable rule

Recommended detection rules:

| Rule | Description | Severity |
|---|---|---|
| Unauthorized agent creation | Detect agents in ungoverned environments | High |
| Sensitive data in agent interactions | Alert on PII/financial data exposure | High |
| Agent sharing anomaly | Unusual sharing patterns | Medium |
| Failed agent authentications | Multiple auth failures | Medium |
| High-volume agent usage | Abnormal usage patterns | Low |

Incident Management

Incident Dashboard

| Metric | Description |
|---|---|
| Incidents (24h) | New incidents in last 24 hours |
| Severity breakdown | Incidents by severity level |
| Status | Open, In progress, Closed |
| Owner | Assigned analyst |

Incident Workflow

  1. Triage - Review and assign severity
  2. Investigate - Analyze related data
  3. Respond - Take remediation actions
  4. Document - Record findings and actions
  5. Close - Close with classification

Automation

Automation Rules

Create rules to automatically handle incidents:

| Trigger | Action | Example |
|---|---|---|
| Incident created | Assign owner | Route agent incidents to AI team |
| Severity = High | Run playbook | Notify security on critical alerts |
| Source = Power Platform | Add tag | Tag for compliance tracking |

Playbooks

Automated response using Logic Apps:

| Playbook | Purpose |
|---|---|
| Notify SOC | Send Teams/email notification |
| Block user | Disable account for insider threat |
| Create ticket | Open ServiceNow ticket |
| Enrich data | Add context from threat intel |

Integration with Defender Portal

Unified SecOps Platform

Sentinel integrates with Microsoft Defender for unified security:

  • Security Copilot - AI-assisted security investigation
  • Unified incidents - Cross-product incident correlation
  • XDR capabilities - Extended detection and response

PowerShell Configuration

Connect to Azure for Sentinel

# Connect to Azure with appropriate permissions
# (requires the Az.Accounts and Az.OperationalInsights modules)
Connect-AzAccount

# Select subscription containing Sentinel workspace
$subscriptionId = "your-subscription-id"
Set-AzContext -SubscriptionId $subscriptionId

# Get Sentinel workspace information
$resourceGroupName = "rg-sentinel-fsi"
$workspaceName = "law-sentinel-copilot"

$workspace = Get-AzOperationalInsightsWorkspace `
    -ResourceGroupName $resourceGroupName `
    -Name $workspaceName

Write-Host "Workspace ID: $($workspace.CustomerId)"
Write-Host "Workspace Location: $($workspace.Location)"

Configure Data Connectors

# Install required modules
Install-Module -Name Az.SecurityInsights -Force -AllowClobber
Import-Module Az.SecurityInsights

# Get current data connector status
$connectors = Get-AzSentinelDataConnector `
    -ResourceGroupName $resourceGroupName `
    -WorkspaceName $workspaceName

Write-Host "Current Data Connectors:" -ForegroundColor Cyan
$connectors | ForEach-Object {
    Write-Host "  - $($_.Name): $($_.Kind)"
}

# Enable the Office 365 data connector (Exchange, SharePoint and Teams audit data).
# Per-data-type settings take the DataTypeState values 'Enabled' / 'Disabled', not booleans.
# Parameter sets differ between Az.SecurityInsights versions; confirm the exact names with:
#   Get-Help New-AzSentinelDataConnector -Full
$o365Connector = @{
    ResourceGroupName = $resourceGroupName
    WorkspaceName     = $workspaceName
    Kind              = 'Office365'
    Name              = 'Office365DataConnector'
    SharePoint        = 'Enabled'
    Teams             = 'Enabled'
    Exchange          = 'Enabled'
}

New-AzSentinelDataConnector @o365Connector

# Enable the Microsoft Entra ID (formerly Azure Active Directory) connector
# for sign-in and audit logs
$aadConnector = @{
    ResourceGroupName = $resourceGroupName
    WorkspaceName     = $workspaceName
    Kind              = 'AzureActiveDirectory'
    Name              = 'AADDataConnector'
    Alerts            = 'Enabled'
}

New-AzSentinelDataConnector @aadConnector

# Note: the Power Platform connectors are not created with this cmdlet. They are provisioned
# by installing "Microsoft Sentinel solution for Microsoft Business Apps" from Content hub
# (see "Connecting Power Platform to Sentinel" above) and enabling collection on the
# connector page; the Power Platform Administrator role is required for that step.

Create Analytics Rules for Agent Monitoring

# Create a scheduled analytics rule for unauthorized agent creation.
# The table and column names used in the query (PowerPlatformAdminActivity, OperationName,
# Environment, AgentName, ClientIP) must be checked against the schema the installed
# Business Apps solution actually writes: run the query in the Logs blade first and adjust
# field names before enabling the rule, otherwise it will silently never fire.
$ruleParams = @{
    ResourceGroupName       = $resourceGroupName
    WorkspaceName           = $workspaceName
    Kind                    = 'Scheduled'
    DisplayName             = 'Unauthorized Copilot Agent Creation'
    Description             = 'Detects creation of agents outside managed environments'
    Severity                = 'High'
    Enabled                 = $true
    Query                   = @'
PowerPlatformAdminActivity
| where OperationName == "CreateAgent"
// Allow-list of managed environments; any other environment is treated as ungoverned
| where Environment !in ("Default-Production", "Default-Development")
| extend AccountName = tostring(split(UserPrincipalName, "@")[0])
| project TimeGenerated, UserPrincipalName, AccountName, Environment, AgentName, ClientIP
'@
    QueryFrequency          = (New-TimeSpan -Hours 1)
    QueryPeriod             = (New-TimeSpan -Hours 1)   # must cover at least one QueryFrequency
    TriggerOperator         = 'GreaterThan'
    TriggerThreshold        = 0
    SuppressionDuration     = (New-TimeSpan -Hours 5)
    SuppressionEnabled      = $false
}

New-AzSentinelAlertRule @ruleParams

# Create a rule for sensitive data exposure.
# CopilotInteractions is a placeholder for the table that holds agent conversation data in
# your deployment (for example a custom log). Substring matching on keywords is a coarse
# heuristic: it misses real PII and flags help text that merely mentions "credit card".
# Treat the DLP violation signal as the primary detection and this rule as a secondary,
# threshold-tuned indicator.
$sensitiveDataRule = @{
    ResourceGroupName       = $resourceGroupName
    WorkspaceName           = $workspaceName
    Kind                    = 'Scheduled'
    DisplayName             = 'Sensitive Data in Agent Interactions'
    Description             = 'Detects potential PII or financial data in agent conversations'
    Severity                = 'High'
    Enabled                 = $true
    Query                   = @'
CopilotInteractions
// "contains" is case-insensitive in KQL
| where Message contains "SSN" or Message contains "account number"
    or Message contains "credit card" or Message contains "routing number"
| project TimeGenerated, UserId, AgentId, ConversationId
| summarize Count = count() by UserId, AgentId, bin(TimeGenerated, 1h)
| where Count > 5
'@
    QueryFrequency          = (New-TimeSpan -Minutes 30)
    QueryPeriod             = (New-TimeSpan -Hours 1)
    TriggerOperator         = 'GreaterThan'
    TriggerThreshold        = 0
}

New-AzSentinelAlertRule @sensitiveDataRule

Export Sentinel Configuration

# Export all analytics rules for documentation/backup
$rules = Get-AzSentinelAlertRule `
    -ResourceGroupName $resourceGroupName `
    -WorkspaceName $workspaceName

# Create the export folder if it does not exist (Out-File does not create directories)
New-Item -ItemType Directory -Path 'C:\SentinelExport' -Force | Out-Null

$exportPath = "C:\SentinelExport\AnalyticsRules_$(Get-Date -Format 'yyyyMMdd').json"
$rules | ConvertTo-Json -Depth 10 | Out-File -FilePath $exportPath

Write-Host "Exported $($rules.Count) analytics rules to: $exportPath" -ForegroundColor Green

# Export automation rules
$automationRules = Get-AzSentinelAutomationRule `
    -ResourceGroupName $resourceGroupName `
    -WorkspaceName $workspaceName

$autoExportPath = "C:\SentinelExport\AutomationRules_$(Get-Date -Format 'yyyyMMdd').json"
$automationRules | ConvertTo-Json -Depth 10 | Out-File -FilePath $autoExportPath

Sample KQL Queries for AI Events

// NOTE: PowerPlatformAdminActivity and SigninLogs are standard Sentinel tables.
// CopilotInteractions, DLPViolations and EnvironmentMetadata are placeholders for whatever
// tables or custom logs hold agent conversation, DLP and environment-tag data in your
// deployment. Validate every table and column name in the Logs blade before using these
// queries in analytics rules.

// Query 1: Agent Creation Activity Summary
PowerPlatformAdminActivity
| where TimeGenerated > ago(30d)
| where OperationName contains "Agent"
| summarize
    TotalOperations = count(),
    UniqueUsers = dcount(UserPrincipalName),
    Environments = make_set(Environment)
    by OperationName
| order by TotalOperations desc

// Query 2: High-Volume Agent Usage Detection
CopilotInteractions
| where TimeGenerated > ago(24h)
| summarize
    InteractionCount = count(),
    UniqueConversations = dcount(ConversationId)
    by UserId, AgentId
| where InteractionCount > 100
| order by InteractionCount desc

// Query 3: DLP Violations Related to Agents
DLPViolations
| where TimeGenerated > ago(7d)
| where Application contains "Copilot" or Application contains "PowerPlatform"
| summarize ViolationCount = count() by PolicyName, SensitiveInfoType
| order by ViolationCount desc

// Query 4: Agent Authentication Failures
SigninLogs
| where TimeGenerated > ago(7d)
| where AppDisplayName contains "Copilot" or AppDisplayName contains "Power Platform"
| where ResultType != "0"   // ResultType is a string column in SigninLogs; "0" is success
| summarize FailureCount = count() by UserPrincipalName, ResultDescription
| where FailureCount > 5
| order by FailureCount desc

// Query 5: Cross-Zone Agent Sharing Detection
// Governance zones are Zones 1-3 (Personal Productivity / Team Collaboration / Enterprise Managed).
// Sentinel-specific severity/retention tiers are a separate concept and should use their own
// tag (e.g., RiskTier, RetentionProfile) rather than the GovernanceZone tag.
PowerPlatformAdminActivity
| where OperationName == "ShareAgent"
| join kind=inner (
    EnvironmentMetadata
    | project Environment, GovernanceZone = tostring(Tags["GovernanceZone"])
) on Environment
| where GovernanceZone == "Zone3" and SharedWith !contains "@internal.company.com"
| project TimeGenerated, UserPrincipalName, AgentName, SharedWith, GovernanceZone

Financial Sector Considerations

Regulatory Context

Primary Regulations: OCC Heightened Standards, Fed SR 11-7, FINRA 4370, SOX 404

| Regulation | Sentinel Support |
|---|---|
| OCC Heightened Standards | Enterprise security monitoring |
| Fed SR 11-7 | Model risk monitoring |
| FINRA 4370 | Business continuity security |
| SOX 404 | IT security controls |

Examination Considerations

Regulators may request:

  • Security monitoring architecture documentation
  • Incident response procedures
  • Detection rule inventory
  • Incident history and resolution
  • Evidence of proactive threat hunting

Regulatory Mapping

| Regulation | Requirement | Sentinel Capability | Implementation Notes |
|---|---|---|---|
| FINRA 4511 | Supervisory records retention | Log retention and archival | Configure 7-year retention for agent interaction logs |
| SOX 404 | IT general controls monitoring | Real-time security analytics | Deploy analytics rules for control monitoring |
| GLBA 501(b) | Safeguards for customer information | Threat detection and response | Enable DLP violation monitoring and automated alerts |
| SEC 17a-4 | Electronic records preservation | Immutable log storage | Configure WORM storage for compliance data |
| OCC Heightened Standards | Risk management framework | Comprehensive SIEM integration | 24/7 SOC monitoring with documented procedures |
| Fed SR 11-7 | Model risk management | AI behavior monitoring | Track agent decision patterns and anomalies |

Monitoring Tiers (Independent of Agent Governance Zones)

This control uses three monitoring tiers for SIEM/SOC operations. These tiers are not the same thing as the Agent Governance zones (Zones 1-3).

| Tier | Monitoring Level | Data Retention | Alert Response SLA | SOC Coverage |
|---|---|---|---|---|
| Tier 1 | Basic | 90 days | 4 hours | Business hours |
| Tier 2 | Standard | 1 year | 2 hours | Extended hours |
| Tier 3 | Enhanced | 3 years | 1 hour | 24/7 |
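Retention is the one column in the tier table that Sentinel enforces mechanically, and it is set per table, not per tier, so the tiers have to be translated into table-level settings. The PowerShell below is an added example, not part of the original page. It assumes `Az.OperationalInsights` 3.x (`Update-AzOperationalInsightsTable` / `Get-AzOperationalInsightsTable` with `RetentionInDays` and `TotalRetentionInDays`), and the tier-to-days mapping and table-to-tier assignment it carries are illustrative and must be replaced by your own retention schedule. The 730-day cap on interactive (hot, queryable) retention is a platform limit; the 7-year FINRA 4511 / SEC 17a-4 figure from the regulatory mapping is therefore expressed as total retention.

```powershell
# Added example (not from the original page). Applies the monitoring tiers above as per-table
# retention so that interactive (hot) and total retention are set deliberately rather than
# inherited from the workspace default.
# Assumptions: Az.OperationalInsights 3.x cmdlets and property names; the mapping and table
# assignments below are illustrative and must match your own retention schedule.
Import-Module Az.OperationalInsights

# Interactive retention is capped at 730 days per table; anything longer is total retention,
# which is what satisfies the 7-year (2555-day) supervisory-records requirement.
$TierRetention = @{
    Tier1     = @{ Interactive = 90;  Total = 90   }
    Tier2     = @{ Interactive = 365; Total = 365  }
    Tier3     = @{ Interactive = 730; Total = 1095 }
    Regulated = @{ Interactive = 730; Total = 2555 }   # 7 years total, 2 years hot
}

# Assumed table-to-tier assignment: agent/admin activity and incident history are the
# supervisory records regulators may request, so they get the regulated profile.
$TableTiers = @{
    'PowerPlatformAdminActivity' = 'Regulated'
    'PowerPlatformDlpActivity'   = 'Regulated'
    'SecurityIncident'           = 'Regulated'
    'SigninLogs'                 = 'Tier2'
    'AuditLogs'                  = 'Tier2'
    'AzureActivity'              = 'Tier1'
}

function Set-SentinelTableRetention {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $WorkspaceName,
        [hashtable] $Assignments = $TableTiers,
        [switch] $DryRun          # plan only; make no changes
    )
    foreach ($table in $Assignments.Keys) {
        $tier = $Assignments[$table]
        $r    = $TierRetention[$tier]
        # Fail closed on a bad plan rather than half-applying it
        if (-not $r)                     { throw "Unknown tier '$tier' for table $table" }
        if ($r.Interactive -gt 730)      { throw "Interactive retention for $table exceeds the 730-day cap" }
        if ($r.Total -lt $r.Interactive) { throw "Total retention for $table must be >= interactive retention" }

        $actual = $null
        if (-not $DryRun) {
            Update-AzOperationalInsightsTable -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName `
                -TableName $table -RetentionInDays $r.Interactive -TotalRetentionInDays $r.Total | Out-Null
            # Read back what the service reports so the evidence reflects actual, not intended, settings
            $actual = Get-AzOperationalInsightsTable -ResourceGroupName $ResourceGroupName `
                -WorkspaceName $WorkspaceName -TableName $table
        }
        [pscustomobject]@{
            Table             = $table
            Tier              = $tier
            PlannedHotDays    = $r.Interactive
            PlannedTotalDays  = $r.Total
            ActualHotDays     = $actual.RetentionInDays
            ActualTotalDays   = $actual.TotalRetentionInDays
        }
    }
}

# Preview first, then apply; keep both outputs with the control evidence
Set-SentinelTableRetention -ResourceGroupName 'rg-sentinel-fsi' -WorkspaceName 'law-sentinel-copilot' -DryRun | Format-Table -AutoSize
Set-SentinelTableRetention -ResourceGroupName 'rg-sentinel-fsi' -WorkspaceName 'law-sentinel-copilot' | Format-Table -AutoSize
```

Total retention beyond the interactive window is billed at the long-term (archive) rate and is queried through search jobs or restore rather than the Logs blade, so confirm with the SOC that the 730-day hot window covers their investigation lookback before applying the regulated profile broadly.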

FSI Example Configuration

# fsi-sentinel-config.yaml
# Microsoft Sentinel Configuration for FSI Copilot Governance

sentinel_workspace:
  name: "law-sentinel-copilot-fsi"
  resource_group: "rg-sentinel-fsi-prod"
  location: "eastus2"
  retention_days: 730  # workspace interactive retention; 730 days is the platform maximum, the 7-year figures below are total retention applied per table
  sku: "PerGB2018"

data_connectors:
  - name: "PowerPlatform"
    enabled: true
    data_types:
      - admin_activity
      - maker_activity
      - dlp_violations
      - connector_usage
  - name: "Office365"
    enabled: true
    data_types:
      - exchange
      - sharepoint
      - teams
  - name: "AzureActiveDirectory"
    enabled: true
    data_types:
      - signin_logs
      - audit_logs
      - provisioning_logs
  - name: "MicrosoftDefenderForCloudApps"
    enabled: true

analytics_rules:
  agent_security:
    - name: "Unauthorized Agent Creation"
      severity: "High"
      frequency: "PT1H"
      enabled: true
    - name: "Sensitive Data Exposure"
      severity: "High"
      frequency: "PT30M"
      enabled: true
    - name: "Cross-Zone Sharing Violation"
      severity: "Critical"
      frequency: "PT15M"
      enabled: true
    - name: "Agent Authentication Anomaly"
      severity: "Medium"
      frequency: "PT1H"
      enabled: true

automation:
  incident_assignment:
    - trigger: "severity == 'High' AND source == 'PowerPlatform'"
      action: "assign_to_ai_security_team"
    - trigger: "labels contains 'FSI-7yr-retention'"
      action: "page_on_call_analyst"
  playbooks:
    - name: "NotifySOC-HighSeverity"
      trigger: "incident_created"
      condition: "severity >= High"
    - name: "CreateServiceNowTicket"
      trigger: "incident_created"
      condition: "status == 'New'"
    - name: "EnrichWithThreatIntel"
      trigger: "incident_created"
      condition: "entities contains 'IP'"

retention_policy:  # days; values above 730 are total (long-term) retention set per table
  tier1_data: 90
  tier2_data: 365
  tier3_data: 1095
  regulated_data: 2555  # 7 years
  security_incidents: 2555

Zone-Specific Configuration

Zone 1 (Personal Productivity):

  • Apply the baseline minimum of Sentinel integration that protects tenant-wide safety (where applicable), and document any exceptions for personal agents.
  • Do not expand monitoring scope beyond the user's own data unless explicitly justified.
  • Rationale: reduces risk from personal use while keeping friction low; legal/compliance can tighten later.

Zone 2 (Team Collaboration):

  • Forward and correlate agent and security events for shared agents and shared data sources; require an identified owner and an approval trail.
  • Validate the configuration in a pilot environment before broader rollout; retain the connector configuration and sample alerts as evidence.
  • Rationale: shared agents increase blast radius; controls must be consistently applied and provable.

Zone 3 (Enterprise Managed):

  • Require the strictest Sentinel configuration and enforce it through policy where possible, not through manual steps alone.
  • Treat changes as controlled (change ticket plus documented testing); retain the connector configuration and sample alerts as evidence.
  • Rationale: enterprise agents handle the most sensitive content and carry the highest audit/regulatory risk.

Verification & Testing

| Step | Action | Expected Result |
|---|---|---|
| 1 | Navigate to Azure Portal → Microsoft Sentinel | Sentinel accessible |
| 2 | Verify workspace exists | Workspace listed |
| 3 | Check Data connectors | Microsoft Business Apps solution connector available |
| 4 | Review Analytics rules | Rules configured and enabled |
| 5 | Test incident creation | Test alert generates incident |
| 6 | Verify automation | Playbooks execute correctly |

Troubleshooting & Validation

Common Issues and Solutions

| Issue | Symptoms | Root Cause | Solution |
|---|---|---|---|
| Data connector not ingesting | No Power Platform data in Sentinel | Connector misconfiguration or permissions | Verify Power Platform admin permissions; re-authenticate connector; check Activity Log in PPAC |
| Analytics rule not triggering | No incidents despite known events | Query syntax error or time window mismatch | Test query in Logs blade; verify QueryPeriod covers event timeframe; check rule is enabled |
| High ingestion costs | Unexpected Azure billing | Verbose logging or duplicate data sources | Review data volume by table; implement data collection rules to filter unnecessary logs |
| Delayed alerts | Incidents created hours after events | Query frequency too long or service delays | Reduce QueryFrequency; check Sentinel health in Azure Monitor; verify no service issues |
| Playbook failures | Automation not executing | Logic App connection expired or permissions | Check Logic App run history; re-authorize connections; verify managed identity permissions |
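"Analytics rule not triggering" is easier to diagnose when the rule's own query is re-run over its own QueryPeriod outside the scheduler, because that separates three different causes: the query errors (wrong table or column name, which the scheduler reports only as a rule health event), the query runs but nothing matches in the period, or it would fire and the problem is downstream in incident creation or suppression. The PowerShell below is an added example, not part of the original page. It assumes the property names exposed by `Az.SecurityInsights` 3.x on the objects `Get-AzSentinelAlertRule` returns (`Kind`, `Enabled`, `DisplayName`, `Severity`, `Query`, `QueryPeriod`, `TriggerOperator`, `TriggerThreshold`; confirm with `Get-Member`) and `Invoke-AzOperationalInsightsQuery` from `Az.OperationalInsights`; the resource names in the usage line are the ones used elsewhere on this page.

```powershell
# Added example (not from the original page). Dry-runs every enabled scheduled analytics rule:
# the rule's query is executed over its own QueryPeriod through the Log Analytics query API and
# the row count is compared with the rule's trigger condition.
# Assumptions: Az.SecurityInsights 3.x property names on the rule objects and Az.OperationalInsights;
# confirm with  Get-AzSentinelAlertRule ... | Get-Member
Import-Module Az.SecurityInsights, Az.OperationalInsights

function ConvertTo-TimeSpan {
    # QueryPeriod may surface as a [timespan] or as an ISO 8601 duration string such as "PT1H"
    param([Parameter(Mandatory)] $Value)
    if ($Value -is [timespan]) { return $Value }
    return [System.Xml.XmlConvert]::ToTimeSpan([string]$Value)
}

function Test-SentinelScheduledRules {
    param(
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $WorkspaceName,
        [Parameter(Mandatory)] [string] $WorkspaceId,     # CustomerId of the workspace
        [string] $NameFilter = '*'                        # e.g. '*Agent*' to test only agent rules
    )
    $rules = Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName |
        Where-Object { $_.Kind -eq 'Scheduled' -and $_.Enabled -and $_.DisplayName -like $NameFilter }

    foreach ($rule in $rules) {
        $period = ConvertTo-TimeSpan $rule.QueryPeriod
        try {
            # -Timespan bounds the query to the same window the scheduler would use
            $res   = Invoke-AzOperationalInsightsQuery -WorkspaceId $WorkspaceId -Query $rule.Query -Timespan $period
            $count = @($res.Results).Count
            $fires = switch ($rule.TriggerOperator) {
                'GreaterThan' { $count -gt $rule.TriggerThreshold }
                'LessThan'    { $count -lt $rule.TriggerThreshold }
                'Equal'       { $count -eq $rule.TriggerThreshold }
                'NotEqual'    { $count -ne $rule.TriggerThreshold }
                default       { $false }
            }
            $status = if ($fires) { 'WOULD FIRE now' } else { 'quiet in period' }
        } catch {
            # Bad table/column name, KQL syntax error, or missing read permission on the workspace
            $count  = $null
            $status = "QUERY ERROR: $($_.Exception.Message)"
        }
        [pscustomobject]@{
            Rule      = $rule.DisplayName
            Severity  = $rule.Severity
            Period    = $period
            Rows      = $count
            Threshold = "$($rule.TriggerOperator) $($rule.TriggerThreshold)"
            Status    = $status
        }
    }
}

# Usage: $workspace comes from Get-AzOperationalInsightsWorkspace (see the PowerShell section)
Test-SentinelScheduledRules -ResourceGroupName 'rg-sentinel-fsi' -WorkspaceName 'law-sentinel-copilot' `
    -WorkspaceId $workspace.CustomerId -NameFilter '*Agent*' | Format-Table -AutoSize
```

A rule that reports `quiet in period` against events you know occurred usually means the events fall outside QueryPeriod or the query filters on a field value that differs from what the table actually carries; a `QUERY ERROR` points at the placeholder table names used in the sample rules above, which must be mapped to the real schema before the rule can ever fire.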

Diagnostic Commands

# Check Sentinel workspace health
Get-AzOperationalInsightsWorkspace -ResourceGroupName $resourceGroupName -Name $workspaceName |
    Select-Object Name, ProvisioningState, Sku, RetentionInDays

# Verify data connector status
Get-AzSentinelDataConnector -ResourceGroupName $resourceGroupName -WorkspaceName $workspaceName |
    Select-Object Name, Kind

# Check recent billable ingestion volume per table (Usage.Quantity is reported in MB)
$usage = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspace.CustomerId -Query @"
Usage
| where TimeGenerated > ago(24h) and IsBillable == true
| summarize TotalGB = round(sum(Quantity) / 1024, 3) by DataType
| order by TotalGB desc
"@
# The cmdlet returns a result object; the rows are in .Results
$usage.Results | Format-Table DataType, TotalGB -AutoSize

Additional Resources

| Topic | URL | Description |
|---|---|---|
| Microsoft Sentinel Overview | https://learn.microsoft.com/azure/sentinel/overview | Core Sentinel concepts and architecture |
| Power Platform Connector | https://learn.microsoft.com/en-us/azure/sentinel/business-applications/solution-overview | Connect Power Platform to Sentinel |
| Analytics Rules | https://learn.microsoft.com/azure/sentinel/detect-threats-built-in | Create and manage detection rules |
| Automation with Playbooks | https://learn.microsoft.com/azure/sentinel/automate-responses-with-playbooks | Configure automated incident response |
| KQL for Sentinel | https://learn.microsoft.com/azure/sentinel/kusto-overview | Query language for log analysis |
| Workbooks and Dashboards | https://learn.microsoft.com/azure/sentinel/monitor-your-data | Create visual security dashboards |

Related Controls

| Control | Relationship | Integration Point |
|---|---|---|
| Control 3.2: Usage Analytics | Data Source | Power Platform activity feeds into Sentinel |
| Control 1.7: Audit Logging | Prerequisite | Audit logs provide source data for Sentinel analytics |
| Control 1.8: Runtime Protection | Complementary | Defender signals enrich Sentinel threat detection |
| Control 3.4: Incident Reporting | Integration | Sentinel incidents flow to incident management process |
| Control 1.12: Insider Risk | Data Sharing | Insider Risk alerts correlate with Sentinel analytics |
| Control 3.1: Activity Dashboard | Visualization | Sentinel workbooks provide security KPI dashboards |

Support & Questions

For implementation support or questions about this control, contact:

  • Security Operations Center (SOC monitoring)
  • Azure Administrator (Sentinel setup)
  • AI Governance Lead (agent security requirements)

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification