Forum Discussion
Unified Security Operation Sentinel Vs Defender Tables
ahmad_zuhd hi,
Technically, this example is not wrong as you may not be feeding into Sentinel the DeviceLogonEvents tables. While all tables available in XDR can be forwarded to Sentinel, that doesn't mean you've checked the relevant boxes by default in the connector. On the other hand, having a common space for Sentinel and XDR (Unified SOC) allows building queries which would include both SignInLogs and DeviceLogonEvents tables.
On a broader perspective, through Unified Security Operations you may want to pivot between XDR and Sentinel far more less, you can build both detection rules (XDR) and analytics (Sentinel), have access to your workbooks, perform threat hunting and many other Sentinel functionalities into the XDR portal.
I hope this answered your question.
If I have answered your question, please mark your post as Solved
If you like my response, please consider giving it a like
- Echo to this, not all environment have the budget to ingest Device****** events into Sentinel, given the huge volume of events it produced. Thus you have an option right now to both save cost + correlating the information from Sentinel end, under the Unified SOC portal.
You need to look into the monetary benefits of this integration as well, not only technical feasibility.
Hope my 2 cent helps.Logically, this makes sense regarding the cost, but it will reduce Microsoft's revenue from data ingestion. This suggests that Microsoft will need to find another revenue channel, which will hopefully come from increased sales, but could also come from charging per API call to the analytics workspace, which is not clear till now.
Can anyone from Microsoft clarify if there will be a cost when enabling Unified SOC by any way?
