Unified Security Operations Platform - Technical FAQ!

Introduction

 

If you are a security practitioner who uses Microsoft Sentinel in your daily workflows, and you have tried or are evaluating the unified security operations platform for your SOC – this blog is for you. With Microsoft Sentinel now Generally Available in the Microsoft Defender portal, as part of our unified security operations platform, it’s a great time to try and get started with a streamlined experience for the two products.

 

In this blog, we dive into some of the most common questions and share best practices to expedite resolution, bring more clarity, and save valuable troubleshooting time.

 

First, a brief overview if you are new to the unified security operations platform. Our vision of the platform is a solution that makes your job as a security practitioner easier, keeping you and your organizations safer. It is single pane of glass for all security operations – here you can seamlessly integrate SIEM, XDR, exposure management, and Copilot for Security. It’s your comprehensive hub for preventing, detecting, investigating, and responding to incidents across your digital estate—all from one centralized location.

 

Here are some of the most common questions and guidance when working with the unified platform.

 

Onboarding

1. What role/permissions are required to connect a Microsoft Sentinel workspace to the unified platform?

To connect or disconnect a Microsoft Sentinel workspace to the unified platform, you will need one of the following permissions and scopes:

a. Owner rights for the Subscription AND Microsoft Sentinel Contributor rights for the Subscription or Resource Group or Log Analytics workspace. OR

b. User Access Administrator for the Subscription AND Microsoft Sentinel Contributor for the Subscription or Resource Group or Log Analytics workspace.

 

2. I see the following error message when trying to connect my Microsoft Sentinel workspace with the unified platform “couldn’t connect the workspace. Turn on the Defender XDR connector for incidents in Microsoft Sentinel first”. What to do?

Onboard Sentinel error message

 

 

a. Microsoft Defender XDR (formerly named Microsoft 365 Defender) connector is one of the prerequisites for the onboarding, so if it hasn’t been configured, you will most likely see this message. The good thing is configuring the connector is a rather straightforward process. Follow these steps to configure the connector.

 

b. When configuring the connector, make sure to click on “Connect incidents & alerts” button. While Microsoft incident creation rules for the Microsoft Defender products will be turned off by default, if for some reason you don’t see them disabled, make sure to check this box “Turn off all Microsoft creation rules for these products. Recommended”.

Configuring Defender XDR connector

 

3. What happens when I enable the Microsoft Defender XDR connector in Microsoft Sentinel?

a. The Security incident creation rules are disabled by default. Incidents are created first in the unified portal, then synced back to Microsoft Sentinel.

b. You may notice a delay of up to 5 minutes for incidents to show up in Microsoft Sentinel. We are working on reducing this latency.

 

4. Why don’t I see all my Microsoft Sentinel workspaces in the unified portal?

You can only see Microsoft Sentinel workspaces that you have permission to onboard. Refer to question 1 for the specific permissions.

 

Alerts, Incidents, and Correlation

1. I noticed Microsoft Defender XDR incidents are delayed in Microsoft Sentinel. What is the expected delay for incidents to show up in Microsoft Sentinel?

It may take up to 5 minutes for Microsoft Defender incidents to show in Microsoft Sentinel. We are working on reducing this latency. Stay tuned through our customer connection program for the latest updates.

 

2. Does that delay in incidents also delay Automatic Attack Disruption?

No, it will not. The delay for incidents is from Microsoft Defender to Microsoft Sentinel. Attack Disruption occurs within the unified platform.  

 

3. Could that be up to 5 minutes delayed in the Microsoft Sentinel to trigger playbooks too?

Yes. Currently this delay affects both scenarios for playbooks - whether a playbook is automatically invoked from an automation rule or manually invoked. As mentioned, we are working on reducing the latency.

 

4. I am seeing duplication of incidents and alerts in Microsoft Sentinel and Microsoft Defender XDR. How to avoid this?

The duplication is likely due to the misconfiguration of the Microsoft Defender XDR connector. Please check the Microsoft Defender XDR connector configuration first to make sure the Microsoft incident creation rules are turned off for the Microsoft Defender products.

 

5. What are synced bi-directional for incidents?

Incident status, tags, resolution, closing reasons, closing comments are bi-directionally synced.

 

6. Microsoft Defender has 14 Incident Classifications; Microsoft Sentinel has 5.  How are they mapped?

We are working on aligning the classifications. Stay tuned through our customer connection program for the latest updates.

 

7. Why and when does the incident auto-merging happen?

a. Microsoft Defender XDR’s correlation activities don’t stop when incidents are created. Microsoft Defender XDR continues to detect commonalities and relationships between incidents, and between alerts across incidents. When two or more incidents are determined to be sufficiently alike, Microsoft Defender XDR merges the incidents into a single incident.

b. The correlation engine merges the incident when common elements are detected, like:

- Entities – like users, devices, mailboxes, and others

- Artifacts – like files, processes, email senders, and others

- Time frames

- Sequence of events: For example, a malicious email click event that follows closely on a phishing email detection

c. Refer to the documentation for more details on incident merging and correlation.

 

8. How does incident and alert correlation work in the unified platform?

a. When the alert is sufficiently unique across all alert sources within a particular time frame, Microsoft Defender XDR creates a new incident and adds the alert to it.

b. When the alert is sufficiently related to other alerts from the same source or across sources within a particular time frame, Microsoft Defender XDR adds the alert to an existing incident.

 

9. What happens when incidents are merged?

- Alerts contained in the abandoned incident are moved to the consolidated incident

- Entities (assets etc.) follow the alerts they’re linked to

- Tags are aggregated into the consolidated incident

- Analytics rules recorded as involved in the creation of the abandoned incident are added to the rules recorded in the consolidated incident

- Currently, comments and activity log entries in the abandoned incident are not moved to the consolidated incident and remain in the abandoned incident.

 

10. When is incident correlation not happening?

- One of the incidents has the status of "Closed". Incidents that are resolved will not be reopened.

- The two incidents eligible for merging are assigned to two different people.

- Merging the two incidents would raise the number of entities in the merged incident above the maximum allowed.

- The two incidents contain devices in different device groups as defined by the organization.

(Note: this condition is not in effect by default; it must be enabled.)

 

11. When should I unlink an alert?

When you decide that the alert does not belong to the correlated incident, link the alert to another incident or create a new one. This will also help improve the correlation engine (in case of unexpected correlations).

link or unlink an alert

 

Analytics/Custom Detections

1. Does custom detection support entity mappings like in Analytics rules in Microsoft Sentinel?

Currently no, but we are adding the features of analytic rules from Microsoft Sentinel such as more flexible entity mappings. Stay tuned through our customer connection program for the latest updates.

 

2. Does the unified platform support Fusion rules?

The Fusion analytics rule, which creates incidents based on alert correlations made by the Fusion correlation engine, is disabled when you onboard Microsoft Sentinel to the unified security operations platform.

The unified security operations platform uses Microsoft Defender XDR's incident-creation and correlation functionalities to replace those of the Fusion engine.

 

3. How can I create detection rules across Microsoft Sentinel and Defender XDR data?

a. You can now create Custom Detection rules across the two datasets without having to ingest Microsoft Defender data into Sentinel, unless you need longer data retention. Advanced hunting in Microsoft Defender - Microsoft Defender XDR | Microsoft Learn.

b. If your Defender XDR data is ingested into Microsoft Sentinel, you have the option to choose between Create custom detection and Create analytics rule.

 

Automation and Playbooks

1. Will Automation rules work as normal?

Automation rules will continue to work in the unified experience. However, there are some differences in the way automation functions work in the new experience. Please refer to the documentation for more information on the differences and changes.

 

2. What are some best practices for using automation rules in the unified platform?

a. Use the condition “Analytic rule name” instead of the incident title or use the condition on a Tag.

Automation condition 1

 

b. In both the Azure portal and the unified security operations platform, for automation rule condition, use Alert product names instead of Incident provider. The reason is that in Sentinel standalone experience, all incidents have Microsoft XDR as the incident provider (the value in the providerName field).

 

Automation condition 2

 

3. Will we be able to run a playbook as part of the actions of a custom detection rule?

Yes, incidents created by custom detection rules are part of the Microsoft Defender XDR incidents which is supported by the “When incident is created” trigger in Automation. Please take note of some of the best practices documented when configuring the trigger condition.

 

APIs

1. Can I still use the Microsoft Sentinel REST APIs with the unified platform?

You can use most of the existing Microsoft Sentinel REST APIs; however, you should use the Microsoft Graph REST API queries for alerts and incidents

List alerts_v2 - Microsoft Graph v1.0 | Microsoft Learn

List incidents - Microsoft Graph v1.0 | Microsoft Learn

 

 

Advanced hunting

1. How do I bookmark a query in Advanced Hunting?

There will be a new capability which is similar to bookmarks coming soon in the unified experience. Stay tuned through our customer connection program for the latest updates.

 

2. Can we query ADX data (with KQL adx() function) in Advanced Hunting?

You can run a query that correlates Microsoft Sentinel data with ADX data using adx() in Advanced Hunting. Please note that the query of adx() needs to be correlated with tables from Microsoft Sentinel. This is in parity with what customers could run in Microsoft Sentinel today.

 

Data Retention

1. Do I need to do anything additional with Retention in either Microsoft Sentinel or Microsoft Defender?

The existing Sentinel data retention configurations remain unchanged.

 

2. Do I still need to ingest my Microsoft Defender XDR tables into Microsoft Sentinel?

With the unified experience, you can query and correlate your Defender XDR logs with third-party logs from Microsoft Sentinel without ingesting the Microsoft Defender XDR logs into Microsoft Sentinel. Additionally, the same query of Microsoft Defender XDR and Microsoft Sentinel tables can be used in Microsoft Defender’s custom detection. Therefore, the primary reason for ingesting Microsoft Defender XDR data into Sentinel would be for data retention needs beyond 30 days.

 

3.  Would there be any changes in the Microsoft Sentinel E5 benefit?

There is no change in the existing Microsoft Sentinel E5 benefit.

 

4. Are there any changes in the default retention?

No change in the default retention in the unified SOC platform. You will still be getting the 30 days of default retention for XDR data and 90 days for Microsoft Sentinel data at no additional retention cost.

 

Role Based Access Control (RBAC)

1. What happens if the analyst has RBAC in place which filters Microsoft Defender XDR alerts, but has read access to the Microsoft Sentinel workspace? Will they see all the alerts, or the Microsoft Defender ones they have access to and all the Microsoft Sentinel ones? Or will they see all alerts regardless of the source?

Since we unify two RBAC models: Azure/Sentinel RBAC and Defender RBAC, we apply a consolidated RBAC view to the unified portal incident queue, filtering out the service source(s) that they analyst is not allowed to see.

However, if the analyst has Sentinel reader permissions, they still can access the SecurityIncident and SecurityAlert tables directly through Advanced Hunting or in Sentinel’s log search which contains the data that is filtered out in the unified portal.

 

For example, let's say a user has RBAC configured to view everything except for MDC alerts. The user won't be able to see the MDC alerts/incidents in the unified portal Also, if there is a multi-stage incident involving Sentinel, MDE, MDI and MDC alerts, the user can still see the incidents but not the individual MDC alerts that got correlated. However, take note that the user will be able to see the MDC alerts in Microsoft Sentinel portal since the user has read access to the workspace.

 

Copilot for Security in embedded experience

1. Do I need to purchase Microsoft Defender for Threat Intelligence (MDTI) license if I want to use the Copilot for Security embedded experience?

No, if you have a Copilot for Security license, that should automatically include MDTI license.

2. Do I need another license for Copilot for Security?

Yes, Copilot for Security is sold separately from SIEM and XDR. Find out more here Microsoft Copilot for Security - Pricing | Microsoft Azure.

 

Threat Intelligence

1. With the unification, how should we be handling threat intel? Before we'd ingest it via the Security API for Microsoft Sentinel and Microsoft Defender, and then Microsoft Sentinel branched off into its own ingestion API. Are these being consolidated? (E.g. If you ingest threat intel into Microsoft Sentinel, can Microsoft Defender use it?)

The Threat Intelligence experience remains the same and separated in the unified experience. However, we are considering making the experience more seamless. Stay tuned through our customer connection program for the latest updates.

 

UEBA

1. Are there plans to consolidate UEBA components with unified platform?

Entity pages for devices, users, IP addresses, and Azure resources in the Microsoft Defender portal display information from Microsoft Sentinel and Microsoft Defender data sources. These entity pages give you an expanded context for your investigations of incidents and alerts in the Defender portal.

 

Additional Resources

1. Onboard Microsoft Sentinel to Microsoft Defender XDR
2. Alerts, incidents, and correlation in Microsoft Defender XDR
3. Advanced Hunting in Microsoft Defender XDR
4. Automation in the unified security operation platform
5. The unified security operations platform GA announcement
6. Non-technical FAQ for Unified SOC platform 

 

Many thanks to my colleagues for reviewing and contributing to this article Tiander Turpijn

AlexKlaus GBushey Jeremy Tan Sreedhar Ande