Blog Post

Microsoft Sentinel Blog
2 MIN READ

Integrating SIEM + XDR: Azure Sentinel and Azure Defender bi-directional incident sync

Scott Woodgate's avatar
Scott Woodgate
Icon for Microsoft rankMicrosoft
Jul 26, 2021

To help defend against today’s evolving threats, SecOps teams need sophisticated tooling that provides both breadth of visibility across the entire enterprise and the depth needed to investigate threats.  At Microsoft, we have a unique vision for the future of threat protection. While other vendors offer only a SIEM or XDR, Microsoft’s perspective is that SecOps can benefit from both. A SIEM delivers visibility into the full kill chain across the entire organization, including third party data, while XDR delivers deeper insights with contextual alerts for multi-cloud and multi-platform resources to reduce false alerts. 

At Microsoft Ignite 2021 in March, we announced an important step in bringing you the most integrated SIEM and XDR on the market with the release of incident sharing between Microsoft 365 Defender and Azure Sentinel.  Today, we are continuing the journey by announcing the public preview of incident sharing for Azure Defender and Azure Sentinel.  Now, Microsoft delivers the only integrated SIEM and XDR with incident sharing across the full set of components.

Using this new capability, customers can use Azure Sentinel as their single pane of glass for incident triage, leverage Microsoft 365 Defender or Azure Defender for incident investigation and remediation, and stay seamlessly in-sync across all three products. This new capability helps reduce the overall time you spend on responding to incidents – giving you more time to focus on what’s important.

 

How does it work?

Azure Defender & Sentinel bi-directional status sync will automatically sync alerts and incidents statuses between the products:

  • Closing or updating incidents in Azure Sentinel containing Azure Defender alerts will automatically close/update the status of the alert in the Azure Defender portal.
  • Alerts closed in the Azure Defender will be reflected as closed in Sentinel, but the status of the incident containing them will remain unchanged.

 

How to enable it?

  1. In Azure Sentinel, navigate to the data connectors tab and open the Azure Defender data connector.
  2. You can configure on which subscriptions you would like the bi-directional sync to take effect by changing the drop down in the “Bi-directional sync (Preview)” column to “Enabled”.
    1. Notice – enabling bi-directional sync required contributor permission in the selected subscription.
  3. To enable bi-directional sync on several subscriptions at once, mark their check boxes and select the “Enable bi-directional sync” button on the bar above the list.

 

 

We are excited about these new capabilities and will continue our mission to help you protect your companies.  Stay tuned for more SIEM and XDR integration!

 

Further reading

Updated Nov 02, 2021
Version 3.0
hunting
microsoft defender for cloud
microsoft defender for iot
security
Scott Woodgate's avatar
Icon for Microsoft rankMicrosoft
Joined September 07, 2016
View Profile
Microsoft Sentinel Blog

Microsoft Sentinel is a cloud-native SIEM, enriched with AI and automation to provide expansive visibility across your digital environment.

When evaluating various solutions, your peers value hearing from people like you who’ve used the product. Review Microsoft Sentinel by filling out a Gartner Peer Insights survey and receive a $25 USD gift card (for customers only). Here are the Privacy/Guideline links: Microsoft Privacy Statement, Gartner’s Community Guidelines & Gartner Peer Insights Review Guide.

3 Comments

Sort By
  • Alex Imbernon Quiros's avatar
    Alex Imbernon Quiros
    Copper Contributor
    Dec 22, 2021

    What about Azure AD Identity Protection? We have a lot of customers with Azure Sentinel and when they close incidents on sentinel, the alerts doesn't close on Identity protection and the same problem at viceversa. Do you have ETA for this kind of problem?

     

    This is a very big problem because our customers are thinking to go to other solutions like IBM Qradar, Splunk, etc...

     

    Please, I need an answer ASAP. Thanks.

  • tal_rosler's avatar
    tal_rosler
    Icon for Microsoft rankMicrosoft
    Jul 28, 2021

    Hi Greg,

    Thanks for your feedback.

     

    The feature should work for all alerts. Would appreciate if you can open support ticket with the exact information of the issue you encountered and we will work to resolve it.

     

    Thank,

    Tal Rosler,

    Product Manager - Azure Defender

  • gregoval's avatar
    gregoval
    Copper Contributor
    Jul 27, 2021

    Great news for such a very important integration.

     

    The question here is: "Does the bi-directional sync between ASC-Sentinel affect all ASC alert types?"
    After testing, we have noticed that we are not able to get all the ASC alerts dismissed after closing the corresponding Azure Sentinel Incidents. For example, we observed that some ASC alerts related to "Non-Azure resources" (e.g alerts related with Azure-Arc enabled servers) were not closing (status not changed to "Dismissed") after closing an Azure Sentinel Incident.

     

    Can you confirm the above issue or it something that happens due to the feature is currently in PREVIEW mode?

     

    Thank you very much.

    Greg