We are thrilled to announce the launch of the Unified Device Timeline, a feature that integrates device activity timelines from Microsoft Sentinel and Defender XDR into a single, cohesive view. This feature streamlines security investigations by enabling analysts to access all relevant device activities in one place, reducing the need to switch between platforms and accelerating incident response times.
By bringing these activities together, we are delivering a more powerful experience, empowering customers to investigate and respond to threats with unmatched context and efficiency.
The Vision Behind the Unified Device Timeline
Modern security teams face significant challenges due to the complexity of navigating multiple tools and fragmented data. By consolidating the timeline experiences from Microsoft Sentinel and Defender XDR, we aim to:
- Simplify Investigations: Provide a unified view of device alerts, anomalies (coming soon), and now device activities, including network-based activities.
- Enhance Efficiency: Eliminate the need to toggle between separate platforms, enabling faster decision-making.
This initiative is a key milestone in our journey to merge Microsoft Sentinel into the Defender XDR portal, creating a unified SIEM + XDR platform that streamlines workflows and improves security outcomes.
Device Timeline as displayed on the Device entity page in Sentinel:
What’s New in This Release
Network Activities Added to the Unified Timeline
As part of our commitment to delivering more actionable insights, we have introduced a new type of Device Activity based on Sentinel’s third-party network data. This activity surfaces dropped, blocked, or denied network traffic originating from a specific host, leveraging logs from leading vendors such as Zscaler, Palo Alto, Fortinet, and Check Point. These logs give security teams critical information to quickly identify and address potential threats.
Example Query
Here’s a snapshot of the query powering this new activity:
let CommonSecurityEvents = (v_Host_HostName:string) {
    CommonSecurityLog
    | where TimeGenerated > ago(1h)
    // Keep only traffic the device dropped, denied or blocked
    | where tolower(DeviceAction) in ("drop", "dropped", "deny", "denied", "block", "blocked")
    // Pick the vendor-specific field that carries the originating host name
    | extend hostname = iff(tolower(DeviceVendor) == "zscaler", extract(@"devicehostname=([^;]+)", 1, AdditionalExtensions),
                        iff(tolower(DeviceVendor) == "palo alto" and isnotempty(SourceHostName), SourceHostName,
                        iff(tolower(DeviceVendor) == "fortinet" and isnotempty(SourceHostName), SourceHostName,
                        iff(tolower(DeviceVendor) == "check point" and isnotempty(SourceHostName), SourceHostName,
                        "Unknown"))))
    | where hostname != "Unknown" and hostname != "NA"
    // Normalize user@host, DOMAIN\host and FQDN forms down to the bare host name
    | extend hostname = case(
        SourceHostName has '@', tostring(split(SourceHostName, '@')[0]),
        SourceHostName has '\\', tostring(split(SourceHostName, '\\')[1]),
        SourceHostName has '.', tostring(split(SourceHostName, '.')[0]),
        hostname
    )
    | where hostname == v_Host_HostName
    | summarize Count = count() by DestinationIP, DestinationPort, SourceIP, SourcePort, hostname, DeviceAction, DeviceVendor, bin(TimeGenerated, 1h), Protocol
    | order by Count desc
};
CommonSecurityEvents('{{Host_HostName}}')
| project DestinationIP, DestinationPort, SourceIP, SourcePort, hostname, DeviceAction, DeviceVendor, TimeGenerated, Count, Protocol
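To make the query's logic easy to reason about outside the portal, here is an added Python re-implementation of the same pipeline (vendor-specific hostname selection, hostname normalization, the drop/deny/block filter, and the hourly summarize) run over a handful of constructed CommonSecurityLog-shaped rows. This is illustrative code written for this post, not Microsoft's own implementation; the sample rows are invented, and the KQL `has` checks are approximated with substring tests (an assumption).

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample rows shaped like CommonSecurityLog columns (not real telemetry).
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-05-01T10:05:00Z", "DeviceVendor": "Palo Alto", "DeviceAction": "deny",
     "SourceHostName": "CORP\\ws-0423", "AdditionalExtensions": "", "SourceIP": "10.1.2.3",
     "SourcePort": 51022, "DestinationIP": "203.0.113.10", "DestinationPort": 445, "Protocol": "TCP"},
    # Same 5-tuple retried within the hour: the summarize step folds these together
    {"TimeGenerated": "2024-05-01T10:40:00Z", "DeviceVendor": "Palo Alto", "DeviceAction": "deny",
     "SourceHostName": "CORP\\ws-0423", "AdditionalExtensions": "", "SourceIP": "10.1.2.3",
     "SourcePort": 51022, "DestinationIP": "203.0.113.10", "DestinationPort": 445, "Protocol": "TCP"},
    {"TimeGenerated": "2024-05-01T10:12:00Z", "DeviceVendor": "Fortinet", "DeviceAction": "Blocked",
     "SourceHostName": "ws-0423.corp.example.com", "AdditionalExtensions": "", "SourceIP": "10.1.2.3",
     "SourcePort": 51100, "DestinationIP": "198.51.100.7", "DestinationPort": 3389, "Protocol": "TCP"},
    # Zscaler carries the host name in AdditionalExtensions rather than SourceHostName
    {"TimeGenerated": "2024-05-01T11:02:00Z", "DeviceVendor": "Zscaler", "DeviceAction": "Dropped",
     "SourceHostName": "", "AdditionalExtensions": "devicehostname=ws-0423;deviceowner=jdoe",
     "SourceIP": "10.1.2.3", "SourcePort": 51200, "DestinationIP": "192.0.2.44",
     "DestinationPort": 443, "Protocol": "TCP"},
    # Allowed traffic: filtered out by the DeviceAction check
    {"TimeGenerated": "2024-05-01T10:15:00Z", "DeviceVendor": "Check Point", "DeviceAction": "Accept",
     "SourceHostName": "ws-0423", "AdditionalExtensions": "", "SourceIP": "10.1.2.3",
     "SourcePort": 51300, "DestinationIP": "192.0.2.44", "DestinationPort": 443, "Protocol": "TCP"},
    # Placeholder host name: filtered out by the != "NA" check
    {"TimeGenerated": "2024-05-01T10:16:00Z", "DeviceVendor": "Check Point", "DeviceAction": "drop",
     "SourceHostName": "NA", "AdditionalExtensions": "", "SourceIP": "10.1.2.3",
     "SourcePort": 51301, "DestinationIP": "192.0.2.44", "DestinationPort": 443, "Protocol": "TCP"},
    # A different host: excluded by the hostname == v_Host_HostName filter
    {"TimeGenerated": "2024-05-01T10:20:00Z", "DeviceVendor": "Fortinet", "DeviceAction": "drop",
     "SourceHostName": "srv-0099", "AdditionalExtensions": "", "SourceIP": "10.1.9.9",
     "SourcePort": 40000, "DestinationIP": "203.0.113.10", "DestinationPort": 22, "Protocol": "TCP"},
]

DROP_ACTIONS = {"drop", "dropped", "deny", "denied", "block", "blocked"}
VENDORS_USING_SOURCE_HOST = {"palo alto", "fortinet", "check point"}


def vendor_hostname(row):
    """Mirror the nested iff() chain: choose the vendor-specific host name field."""
    vendor = row["DeviceVendor"].lower()
    src = row.get("SourceHostName") or ""
    if vendor == "zscaler":
        m = re.search(r"devicehostname=([^;]+)", row.get("AdditionalExtensions") or "")
        return m.group(1) if m else ""  # KQL extract() yields empty when nothing matches
    if vendor in VENDORS_USING_SOURCE_HOST and src:
        return src
    return "Unknown"


def short_hostname(src, hostname):
    """Mirror the case() step: strip user@, DOMAIN\\ and DNS suffix from SourceHostName."""
    # Assumption: KQL `has` is treated as a plain substring test here.
    if "@" in src:
        return src.split("@")[0]
    if "\\" in src:
        return src.split("\\")[1]
    if "." in src:
        return src.split(".")[0]
    return hostname  # no normalization needed; keep the vendor-derived value


def hour_bin(ts):
    """Equivalent of bin(TimeGenerated, 1h) for an ISO-8601 UTC timestamp."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def blocked_traffic_for_host(rows, v_host_hostname):
    """Run the full pipeline for one host and return rows shaped like the final project."""
    counts = Counter()
    for row in rows:
        if row["DeviceAction"].lower() not in DROP_ACTIONS:
            continue
        hostname = vendor_hostname(row)
        if hostname in ("Unknown", "NA"):
            continue
        hostname = short_hostname(row.get("SourceHostName") or "", hostname)
        if hostname != v_host_hostname:
            continue
        key = (row["DestinationIP"], row["DestinationPort"], row["SourceIP"], row["SourcePort"],
               hostname, row["DeviceAction"], row["DeviceVendor"],
               hour_bin(row["TimeGenerated"]), row["Protocol"])
        counts[key] += 1
    cols = ("DestinationIP", "DestinationPort", "SourceIP", "SourcePort", "hostname",
            "DeviceAction", "DeviceVendor", "TimeGenerated", "Protocol")
    # most_common() gives the "order by Count desc" ordering
    return [dict(zip(cols, key), Count=n) for key, n in counts.most_common()]


if __name__ == "__main__":
    for activity in blocked_traffic_for_host(SAMPLE_ROWS, "ws-0423"):
        print(activity)
```

Running it for `ws-0423` yields three activity rows: the two Palo Alto denies collapse into one row with Count 2, the Fortinet FQDN and the Zscaler extension-derived host both resolve to the same short name, and the Accept, "NA" and other-host rows fall out at the stages the comments mark.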
Device Timeline as displayed on the unified Device entity page in the USX portal:
Key Benefits for Security Teams
- Unified Workflow: Access all device activities from Sentinel and Defender XDR in one timeline.
- Comprehensive Insights: Gain visibility into critical network activities, including dropped and blocked traffic.
- Enhanced User Experience: Seamlessly integrate Sentinel data without the need to navigate to the Ibiza portal.
Next Steps
Following this milestone, we are excited to share our roadmap for further enhancements:
- Adding Anomalies to the Unified Device Timeline: The next update will complete the unification of device events by incorporating device Anomalies into the timeline. This addition will provide an even more comprehensive view of device activity.
- Unifying the User Timeline: Building on the success of the Unified Device Timeline, we will begin work on merging the User Timeline experiences from Sentinel and Defender XDR. This effort will extend the benefits of unification to user-centric investigations, enabling holistic insights into user activities across platforms.
Join the Conversation
We would love to hear your thoughts on the Unified Device Timeline. What do you find most valuable? What improvements would you like to see? Please share any feedback in the comments section below to help us shape the future of Microsoft’s unified SIEM + XDR platform.
Stay tuned for more updates and thank you for being part of this journey towards a more seamless and powerful security experience!
Microsoft Sentinel is a cloud-native SIEM, enriched with AI and automation to provide expansive visibility across your digital environment.