AMA: Microsoft SIEM & XDR: unified security operations
Event details
At Microsoft Ignite we announced that we are bringing our Microsoft Sentinel and Microsoft Defender XDR products together to deliver an optimized and unified security operations experience. We are combining the full power of these products into a single portal enhanced with more comprehensive features, automation, guided experiences, and Microsoft Security Copilot. Bring your questions to this Ask Microsoft Anything (AMA) as members of our Microsoft Security engineering team bring clarity and insights about this new experience.
This session is part of the Microsoft Security Tech Accelerator. RSVP for event reminders, add it to your calendar, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
41 Comments
- sarabischof
Microsoft
Enhance what you know and have learned through skilling modules and learning paths – visit Microsoft Learn for more!
- sarabischof
Microsoft
If you don’t have one yet, create your Tech Community profile today!
- Dean_Gross
Silver Contributor
For MSSPs that are using Lighthouse to access their clients' Sentinel workspaces, what do they need to do to access this new combined experience in M365 XDR?
- GBushey
Microsoft
As of right now, the use of multiple Sentinel instances will not work with M365 XDR. We are working to get that resolved.
- Char_Cheesman
Bronze Contributor
In addition to the questions posted on this page, we also answer questions posted in reply to the event on LinkedIn and Twitter. Here are the questions we answered today:
- QUESTION -- We need to separate visibility on Sentinel vs XDR in the portal. Is that possible? Some users for example should not be able to see Sentinel data from 3rd party sources. - answered at 01:20.
- QUESTION -- Does onboarding to Unified portal bring changes to our connected workspace? - answered at 06:40.
- QUESTION -- Does the unification merge XDR Custom Detections and Analytics rules into one feature? If not, how does it work now? - answered at 11:20.
- Trevor_Rusher
Community Manager
That concludes the live stream for the Microsoft SIEM & XDR: unified security operations AMA. We’ll continue to answer your questions here in the chat for the rest of the hour and follow up after as needed. Up next: Leveraging Microsoft Entra ID (Azure AD) to counter Token Theft.
If you missed the live broadcast, don’t worry—you can watch it on demand. And we’ll continue to answer questions here in the chat through the end of the week. There's more great content in store at the Microsoft Security Tech Accelerator! What do you like about the event so far? Share your feedback and help shape the direction of future events on the Tech Community!
- Duncan de Waal
Brass Contributor
@preeti thanks - my previous question was also a bit in the context that ingesting data into Sentinel is expensive when talking about several TB a day (even when using cheaper tiers etc.). I hope to believe that what is underneath XDR is more cost efficient (Kusto clusters or whatever). @julian thanks for explaining these are two different pieces of value.
- GBushey
Microsoft
There has not been any change to the underlying storage mechanism of any of the products, only the UI.
- ahmadmozaffar99
Copper Contributor
I have a question regarding the API. Currently the Defender incidents/alerts API can be accessed through the Defender XDR endpoints and through Microsoft Graph API; which one will be recognized and what do you recommend to go for? The other question is that the Sentinel API feels more mature, like the filtering of the incidents and everything works so well, but Defender is very limited. Will the Defender or Graph API support all the OData filtering options like the Sentinel API?
- GBushey
Microsoft
The API ecosystem is still being worked on. There will be announcements regarding APIs in the future.
- MrsKellyC
Microsoft
Great questions! There are only a few more minutes left in the session, so please make sure to ask your questions before the session ends.
- Itunicorn
Copper Contributor
Will the Advanced hunting shortcuts and other interface features in Sentinel advanced hunting be available in XDR?
- GBushey
Microsoft
Can you clarify what you mean by "Sentinel advanced hunting"? Are you talking about threat hunting, notebooks, something else?
- Itunicorn
Copper Contributor
An example: in Sentinel Advanced Hunting "ctrl+enter" starts a new line with the pipe, in XDR "ctrl+enter" runs the query. I am learning KQL using Kusto Explorer, and the Sentinel query interface shortcuts are closer to Kusto Explorer than XDR. Hope that makes sense.
- Duncan de Waal
Brass Contributor
Will there be a moment where custom log sources can be onboarded (like firewall logs) on the Defender XDR side, so without having the need for Sentinel at all? Or should I see it more that Sentinel will become a sub-feature of XDR that is taking care of all those external (non-Microsoft) log sources?
- GBushey
Microsoft
Sentinel will still have a purpose in the M365 XDR offering as it provides features not found in other products included in M365 and can gather information from different sources.