We recently announced the GA of Microsoft Sentinel in the Defender portal, as part of the unified security operations platform. In this blog we offer answers to many of the questions we’ve heard from our customers and partners, which can be used, along with our documentation , to get started with our new experience.
What is a unified security operations platform?
A unified security operations platform brings the tools a security team needs to do their job into a single experience, with a single data model and unified features to increase protection, reduce response time and improve overall efficiency of the security operation center (SOC)
While other security vendors may claim to offer a unified security operations platform, only Microsoft delivers one with a leading SIEM and leading XDR, embedded generative AI and posture management, and cloud security with robust, underlying threat intelligence all in a single experience.
Why is Microsoft Security well positioned to deliver a unified security operations platform?
Microsoft is on a mission to empower security operations teams by unifying the many tools essential for protecting a digital estate and delivering them into an effective solution driven by AI and automation.
We’ve already empowered SOC teams to build a powerful defense using the most comprehensive XDR platform on the market, Microsoft Defender XDR, by delivering unified visibility, investigation, response across endpoints, hybrid identities, emails, collaboration tools, cloud apps, and data.
We also help provide unparalleled visibility into the overall threat landscape with our cloud-native SIEM solution, Microsoft Sentinel, to extend coverage to every edge and layer of the digital environment.
These experiences were already natively integrated with bi-directional connectors, giving security operations teams an easy way to benefit from the comprehensiveness and flexibility of the SIEM and the threat driven approach of the XDR.
Now, Microsoft is continuing on this journey, by delivering a more comprehensive offering for security operations that brings SIEM, XDR, exposure management, GenAI and threat intelligence all into a single experience.
Is “unified security operation platform” a new product?
No. Our security operations platform is a single experience we are offering for users of Microsoft Sentinel, Defender XDR, and Copilot for Security in the Defender portal. This doesn’t impact the products we have today. We will continue to invest in Microsoft Sentinel and Defender XDR, as well as features that stretch across the two of them.
What is GA now (August 2024)?
Microsoft Sentinel in the Defender portal for commercial cloud customers using Microsoft Sentinel and at least one Defender XDR workload is already generally available. We support the on-boarding of a single workspace, single tenant at this time. We will continue to expand availability and use cases to address the needs of all customers.
Is Microsoft Sentinel going away?
Absolutely not. Sentinel is a product not a portal. We are delivering a new way to use Microsoft Sentinel and Defender XDR together in a unified portal to ensure customers get a more valuable and an easier experience. Microsoft Sentinel will continue to exist in Azure as a standalone experience for customers not yet ready to switch to the unified platform for some time although new investment will be in the unified portal.
Can I still use Microsoft Sentinel in the Azure portal?
Yes, Microsoft Sentinel is still available in the Azure portal and can be used side by side with the unified portal.
Does Defender XDR data need to be ingested into Microsoft Sentinel to get insights across the two products in the unified security operations platform?
No. With unification, customers can query and correlate alerts to incidents without the need to ingest XDR data into Microsoft Sentinel for up to 30 dats. Many customers may still ingest data into Microsoft Sentinel if they need extended retention or compliance reasons.
What will be unified between Microsoft Sentinel and Defender?
Our goal is to unify all experiences across the two products in the near future. At the time of GA some of the features unified include (but are not limited to):
- Overview page: The overview dashboard will provide insights across all data.
- Incident queue: The incident queue will now be unified across all data, giving you a single place to prioritize work.
- Incident page: Now, customers will be able to see all information about their incident, from data sources that are brought in through Microsoft Sentinel and those monitored by my Microsoft Defender XDR in one place.
- Entities: The user, device and IP entity pages will now combine information from Microsoft Sentinel and Defender XDR, improving entity and incident investigation.
- Advanced hunting: one place will now cover data, queries and functions across your Microsoft Sentinel and Defender XDR data.
- Data model: Now, a normalized and consistent data model across Microsoft Sentinel and Defender XDR.
- Automatic attack disruption on SAP: Attack disruption already exists for accounts that are monitored by Microsoft Defender XDR. Now, customers who have the Microsoft Sentinel Solution for SAP can benefit from enhanced coverage with automated response to stop lateral movement of attackers by using security signals and research to detect the breach and automatically disable an account.
- Global search: ability to search across all entities in SIEM and XDR
- Out of the box settings: Microsoft Sentinel customers will benefit from more turnkey setting, including analytics ,rules on their log data
- We continue to add additional capabilities.
Will the embedded Copilot for Security experience work on my Microsoft Sentinel data if I connect my Microsoft Sentinel workspace to Defender portal?
Yes, Copilot for Security skills that exist in the embedded Defender portal will work on Microsoft Sentinel data if a customer selects to connect their workspace to the unified security operations platform.
What do I need to have to onboard?
To onboard and use Microsoft Sentinel in the Microsoft Defender portal, you must have the following resources and access:
- At least one Defender XDR workload deployed and an existing Microsoft Sentinel workspace
- A Microsoft Entra tenant that's allow-listed by Microsoft to connect a workspace through the Defender portal
- A Log Analytics workspace that has Microsoft Sentinel enabled
- The data connector for Microsoft Defender XDR (formerly named Microsoft 365 Defender) enabled in Microsoft Sentinel for incidents and alerts
- Microsoft Defender XDR onboarded to the Microsoft Entra tenant
- An Azure account with the appropriate roles to onboard and use Microsoft Sentinel in the Defender portal. The following table highlights some of the key roles needed.
- We will be expanding eligibility and support for customers requiring multi-tenancy, multi-workspace, Government Cloud and Microsoft Sentinel only in the coming months.
Does anything change for the Microsoft Defender XDR experience?
- No – customers using Microsoft Defender XDR will continue to use it in the Defender portal as they do today.
- Just as customers can’t access features for XDR workloads that aren’t yet deployed, this will be the same for customers who do not have Microsoft Sentinel onboarded.
Can customers switch the Microsoft Sentinel experience back and forth between the Defender and Azure portal?
- Yes, Microsoft Sentinel will continue to exist as a standalone experience, so customers will be able to switch back and forth between the two portals if needed.
- Some experiences in the Defender portal will link back to the Azure portal when necessary.
Will any settings be changed?
- Customers who use the Microsoft Defender XDR connector today will not need to make changes.
- Those not yet using the connector will need to turn it on to benefit from the new unified platform. Learn more about the connector here.
- Analytics rules, automation rules and playbooks will continue to work exactly as they are without any changes.
What is the benefit of a unified incident queue alert correlation?
We’ve seen up to 80% (based on internal Microsoft research) reduction of Microsoft Sentinel incidents for early customers as out-of-the-box rules available in the unified platform help to ensure better correlation, reducing the noise that security teams often struggle with.
With the new unified incident experience, context-rich incidents are generated, modeling attacker behavior across all available signals available in Microsoft Sentinel, Microsoft Defender XDR and Microsoft Defender for Cloud. This will allow us to describe attacks across the entire digital estate more accurately and fully, including cloud, on-prem and custom applications.
What is the benefit of a unified hunting experience?
With the unified hunting experience customers have a single place to explore all data available, for hunting and investigation purposes, a user can:
- Query all data from the Sentinel workspace and Microsoft Defender XDR
- Access all Logs content of the workspace, including queries and functions.
Is pricing changing? Are the benefits changing?
- Business models for Microsoft Defender XDR and Microsoft Sentinel are not changing.
- Microsoft Sentinel and Defender XDR will continue to be sold as separate products.
- The E5 benefit continues to be in place for customers ingesting Microsoft Defender XDR data into Microsoft Sentinel, which is useful for extended retention and compliance.
How do I extend retention of Defender XDR data past 30 days?
- There are no changes to the way we charge for extended data retention for XDR – we continue to recommend customers ingest their data into Microsoft Sentinel if it needs to be retained past 90 days.
- E5, A5, F5, and G5 customers may be eligible for a data ingestion benefit (See the Microsoft Sentinel benefit offer page for details.)
- Customers not eligible for the Microsoft Sentinel benefit (those without E5, A5, F5 or G5 licenses), but who choose to extend Microsoft Defender XDR data retention with Microsoft Sentinel beyond the default 30 days will incur standard Microsoft Sentinel ingestion and retention charges.
- See the Microsoft Sentinel pricing page for details.
Will Microsoft Sentinel APIs continue to work?
Yes- all Microsoft Sentinel APIs will continue to work. There are no changes needed.
Will customers need to rearchitect their Microsoft Sentinel workspace in the unified portal?
No – we have made it easy to connect your Microsoft Sentinel workspace into the defender portal with minimal impact to your existing set up.
Can I still access Microsoft Sentinel instance in the Azure portal?
Yes, you can still use your Microsoft Sentinel experience in the Azure portal.
Are there any capabilities that customers will need the Microsoft Sentinel in Azure portal for today?
Customers will be able to manage their operations on the unified security operations platform. In certain instances, Microsoft Sentinel scenarios within the Defender portal may necessitate the execution of actions in Azure. Actions would be initiated in the Defender portal, but may open a new browser tab, directing them to the Azure portal to complete the required tasks.
Will I be forced to move to the unified security operations platform?
We understand not all customers are to use the new experience today and we will continue to expand availability to cover all customer scenarios over time. You will still be able to access your Microsoft Sentinel in the Azure portal, even if you have connected the two products.
We do recommend that customers product try out the new experience, which has been built to optimize the way they protect their organizations with streamlined workflows and additional features.
What is the process for onboarding a Microsoft Sentinel workspace into the Defender portal?
- Customers shouldn’t hold off on setting up their Microsoft Sentinel workspace until they have access. They will still need to architect their workspace in the Azure portal, and it will be very easy for them to move it into the Defender portal.
- As an eligible customer entering the Defender portal, there will be a prompt in the top banner to start the onboarding journey by bringing in a Microsoft Sentinel workspace.
- This will bring customers through a wizard to start the onboarding process:
- Customers will select their primary Microsoft Sentinel workspace to onboard.
- Initiating the connection will trigger a series of actions.
- The wizard will describe all changes that will occur after unifying the portal.
- In Microsoft Sentinel today, incidents are created through rules or integrations defined by the customer. This changes in the unified platform, which automatically creates context-rich incidents across MS and non-MS products. To exclude certain incidents or alerts from your queue, you will need to filter out what you want using Alert Tuning, which has been enhanced to support more granularity.
Learn more:
- Unified security operations platform technical FAQ
- Unified platform documentation: https://aka.ms/onboard-microsoft-sentinel, https://aka.ms/microsoft-sentinel-defender-portal
- Mechanics video: Microsoft Defender XDR, Copilot for Security & Microsoft Sentinel now in one portal - YouTube
- Set up the Defender XDR connector: Aka.ms/onboard-microsoft-sentinel
- SIEM and XDR Solutions | Microsoft Security