Become a Microsoft Unified SOC Platform Ninja

Josefa-Sepulveda · ‎Jan 02 2024

(Last updated April 2024)

** The integration of Microsoft Sentinel into the Defender portal is currently in public preview, with the eventual goal of a fully integrated and aligned user experience. The preview, specific feature information mentioned here is under development and therefore subject to change. Our recommendation is to regularly check for new developments and improvements. **

Update April 2024 
New enhancements in the Unified Security Operation Platform! 
Watch our latest webinar

Starting point

Getting started with XDR+SIEM Unified Experience? Watch the Ignite video:
Unifying XDR + SIEM: A new era in SecOps

What is happening to Microsoft Sentinel and Defender XDR?

We are bringing together these products to deliver the most optimized and unified security operations platform. This experience will combine the full power of Microsoft Sentinel with Microsoft Defender XDR into a single portal enhanced with more comprehensive features, AI, automation, guided experiences, and curated threat intelligence. Customers will enjoy a fully integrated toolset to protect, detect, investigate, and respond to threats across every layer of digital estate.

Microsoft has been on a mission to empower security operations teams by unifying the many tools essential for protecting a digital estate and delivering them into an effective solution driven by AI and automation.
Today, we help SOC teams build a powerful defense using the most comprehensive XDR platform on the market, Microsoft Defender XDR, by delivering unified visibility, investigation, response across endpoints, hybrid identities, emails, collaboration tools, cloud apps, and data.
We also help provide unparalleled visibility into the overall threat landscape with our cloud native SIEM solution, Microsoft Sentinel, to extend coverage to every edge and layer of the digital environment.
These experiences are natively integrated with bidirectional solutions, giving security operations teams an easy way to benefit from the comprehensiveness and flexibility of the SIEM and the threat driven approach of the XDR.
Microsoft is ready to continue this journey to delivering the most comprehensive offering for security operations, and by bringing together mature, market leading SIEM and XDR customers can stay safer, more easily than ever before.

Before continuing with the Ninja Training, we recommend reviewing the Unified SOC Platform FAQ
Watch the video on Microsoft Defender XDR, Security Copilot & Microsoft Sentinel now in one portal (youtube.com)
Already did the Unified SOC Platform Ninja Training? check what's new.

A Microsoft Entra tenant that’s allow-listed by Microsoft to connect a workspace through the Defender portal
A Log Analytics workspace that has Microsoft Sentinel enabled
The data connector for Microsoft Defender XDR (formerly named Microsoft Defender XDR) enabled in Microsoft Sentinel for incidents and alerts
Microsoft Defender XDR onboarded to the Microsoft Entra tenant
An Azure account with the appropriate roles to onboard and use Microsoft Sentinel in the Defender portal.

Read more about the onboarding process and requisites in our documentation

Module 3. Common use cases and scenarios

One-click connect of Microsoft Defender XDR incidents, including all alerts and entities from Microsoft Defender XDR components, into Microsoft Sentinel.
Bi-directional sync between Sentinel and Microsoft Defender XDR incidents on status, owner, and closing reason.
Application of Microsoft Defender XDR alert grouping and enrichment capabilities in Microsoft Sentinel, thus reducing time to resolve.
In-context deep link between a Microsoft Sentinel incident and its parallel Microsoft Defender XDR incident, to facilitate investigations across both portals.

Operating with XDR+SIEM Unified Experience

Module 1. Connecting to Microsoft Defender XDR

Install the Microsoft Defender XDR solution for Microsoft Sentinel and enable the Microsoft Defender XDR data connector to collect incidents and alerts. Microsoft Defender XDR incidents appear in the Microsoft Sentinel incidents queue, with Microsoft Defender XDR in the Product name field, shortly after they are generated in Microsoft Defender XDR.

It can take up to 10 minutes from the time an incident is generated in Microsoft Defender XDR to the time it appears in Microsoft Sentinel.
Alerts and incidents from Microsoft Defender XDR (those items which populate the SecurityAlert and SecurityIncident tables) are ingested into and synchronized with Microsoft Sentinel at no charge. For all other data types from individual Defender components (such as DeviceInfo, DeviceFileEvents, EmailEvents, and so on), ingestion will be charged.

Once the Microsoft Defender XDR integration is connected, the connectors for all the integrated components and services (Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps, Microsoft Entra ID Protection) will be automatically connected in the background if they weren't already. If any component licenses were purchased after Microsoft Defender XDR was connected, the alerts and incidents from the new product will still flow to

Microsoft Sentinel with no additional configuration or charge.

Watch this short overview of Microsoft Sentinel integration with Microsoft Defender XDR video (5 minutes).

Here's how it works.

microsoft-365-defender-integration-with-azure-sentinel.png

Get a deeper understanding of Connecting to Microsoft Defender XDR

Module 2. Unified incidents

• For successful onboarding and integration, the M365D connector needs to be enabled. The separate Defender connectors will be disabled to avoid alert duplication. This means that your Microsoft Security Services based detection rules will be replaced by the M365D connector incidents creation rule. This can potentially impact any incident filtering or automation based on incident titles. To preserve filtering capabilities please use alert tuning or automation rules.
• Because the unified portal will provide correlations across all signals – which is the strength of our combined SIEM + XDR solution – alerts from a Sentinel incident with a custom incident title might be merged into a new incident with a new title to group all related alerts. An example is a multi-stage attack which contains all alerts related to the attacker’s lateral movement. This behavior impacts any automation against the custom incident title as a condition and visual triaging of the incident queue. Our proposed mitigation is to leverage tags which will be merged into the new incident to support automation and visual triaging of the incident queue.
• Incidents programmatically created in Microsoft Sentinel through the API, playbook, or manually from the incident creation interface are not synchronized to the unified portal. However, these incidents are still supported in the Microsoft Sentinel portal and the API.
• A Sentinel alert can no longer be removed from the Sentinel incident.
• Creating new incident comments within the new portal is supported but editing existing ones created at incident generation time is not.
• The ProviderName in the SecurityIncident table will be changed to Microsoft XDR for all incidents, including those created by Microsoft Sentinel analytic rules. This may affect automation rules (more information in the Automation section of this document) or queries which are leveraged from within Workbooks as an example.
• Tasks manually added, or created by automation rules or playbooks, will not be reflected in the unified portal.
• The option to set the grouping definition in analytic rules to reopen closed incidents in case of a new alert being added to the incident (documented here) will not be supported in the first release of this integration. Incidents that were closed will not re-open as is the case with M365 Defender correlations.

Module 3. Automation

• Triggering a Logic App playbook from an incident or an entity will become available at the end of this year (2023).
• Automation rules with a condition based on the ProviderName field (e.g., Incident provider equals Microsoft Sentinel) will continue to run, even after the incident provider name has changed to Microsoft XDR. The system, however, will ignore the

incident provider condition. This means that the automation rule with only the incident provider condition will run on ALL incidents, rather than only on Microsoft Sentinel or M365D incidents. The Incident provider condition will also not be available in the Unified Portal UI.
• Automation rules with a condition updated by will be changed to include more details (e.g., who/what updated the incident). Instead of reflecting M365 Defender as the update source (which is the case today), we will provide the name of the user or service

who performed the change. Values can include a username, alert grouping, AIR (automated investigation and response), application or others.
• It can take up to 10 minutes from alert creation to running an automation rule. This is because incidents are created first in the unified portal and then forwarded to Microsoft Sentinel. We are continuously working on eliminating this delay.

Module 4. Advanced Hunting

The Microsoft Defender XDR connector also lets you stream advanced hunting events - a type of raw event data - from Microsoft Defender XDR and its component services into Microsoft Sentinel. You can now (as of April 2022) collect advanced hunting events from all Microsoft Defender XDR components, and stream them straight into purpose-built tables in your Microsoft Sentinel workspace.

• Microsoft Defender XDR tables can be queried with a maximum lookback period of 30 days. To support longer retention periods, the recommendation is to ingest the required tables into the Sentinel workspace.
o Queries can be executed from the Unified Portal to cover Sentinel data but not from the Sentinel side to access XDR data unless raw data ingestion into Sentinel has been configured.
• Saved queries and functions from Sentinel cannot be edited. They can only be viewed and used.
• The IdentityInfo table from Sentinel is not available, as the IdentityInfo remains as is in Defender XDR. Sentinel features like analytics rules that query this table won’t be impacted as they are querying the Log Analytics workspace directly.
• The Sentinel SecurityAlert table is replaced by AlertInfo and AlertEvidence tables, which both contain all the alert data. While SecurityAlert is not available in the schema tab, you can still use it in queries using the advanced hunting editor. This provision is made to not break existing queries from Sentinel that use this table.
• Guided hunting mode is supported by Microsoft Defender XDR data only.
• Custom detections, links to incidents, and take actions capabilities are supported for Defender XDR data only.
• Right-clicking query results is not yet supported for columns in the JSON array format or lists.
• Bookmarks are not supported in the advanced hunting experience.

Get a deeper understanding of advanced hunting in this document.

Watch our video introductory on Unified Advanced Hunting

Quick overview & a short tutorial that will get you started fast on Defender XDR Advanced Hunting
Watch the Microsoft Sentinel Incident Investigation Experience webinar
Learn how to Hunt for threats with Microsoft Sentinel
Use Hunts to conduct end-to-end proactive threat hunting in Microsoft Sentinel

Module 5. SOC optimization

Tailored recommendations. The new SOC optimization feature will be available for Microsoft Sentinel customers in private preview, both in the unified SOC platform and in the Azure portal. New data ingestion analysis will provide recommendations to help manage costs, ensure value on all data ingested and better protect companies against threats. Tailored suggestions will be available to customers for things like recommended data log tiers, adding relevant content on top of data or ingesting new sources to protect against relevant threats.

Module 6. More learning and support options

Learn more:

1. Unified platform documentation: aka.ms/unifiedsiemxdrdocs

2. SIEM and XDR Solutions | Microsoft Security

3. Microsoft Sentinel: https://aka.ms/microsoftsentinel

4. Blogs: Microsoft Sentinel Blog - Microsoft Tech Community

5. Microsoft Sentinel solution for SAP: Microsoft Sentinel solution for SAP® applications – SAP Monitoring | Microsoft Azure

6. Microsoft Customer Stories

7. Microsoft Sentinel documentation | Microsoft Learn

8. Private preview community

9. Security Operations Platform FAQ