Microsoft Sentinel Blog

12 MIN READ

Anatomy of the change

Mohit_Kumar1

Microsoft

Jun 17, 2026

Part 2 of 6 - The USX Transition Series

Co-authored with Lizet Pena, Caroline Mutua, Alvin Kua and Marco Sudahl

Incidents, alerts, correlation, and data—what actually changes with the new platform, and why it works in your favor.

When you open Microsoft Sentinel in Microsoft Defender for the first time, the shift feels immediate: investigations are cleaner, workflows are more connected, and analysts can move through incidents with far less context switching.

Instead of pivoting between multiple queues, disconnected investigations, or duplicated alerts, SOC teams gain:

One unified incident queue
One attack story
One place to investigate and respond
One connected experience across Microsoft security signals

But the biggest improvements happen behind the scenes. The move from the Azure portal to Defender brings together incident correlation, alert handling, automation, and data investigation in ways that help SOC teams reduce manual work, improve visibility, and accelerate response.

This post breaks down the core changes, what remains familiar, and the practical steps teams can take now to prepare.

What we will cover

In this post we’ll guide you through some changes as you begin using Defender:

A more connected incident experience
Alerts and schemas evolve for easier investigations
Your underlying data architecture stays intact
Content hub and existing investments continue to work

We’ll also cover:

What these changes mean for different SOC roles
Common misconceptions
A practical “do this week” checklist
For a complete overview of the new experience, visit the Microsoft Defender portal overview on Microsoft Learn.

A more connected incident experience

Incidents are the center of security operations. This is where many teams will immediately notice the benefits of Defender.

In Defender:

Correlation is no longer done by “Fusion” and now is managed through Defender’s correlation engine, creating alerts once across Defender and Sentinel data
Correlation is richer and more connected
Related activity is grouped together more effectively
Analysts investigate through an attack story instead of isolated alerts

The result is a more streamlined investigation flow where one campaign or attack chain can be represented as a single incident instead of several disconnected records that must be manually stitched together.

Analysts gain access to:

Attack story visualization
Related assets and evidence
Investigation timelines
Correlated activities
Cross-domain context
Integrated hunting experiences

For organizations using Sentinel data lake and graph capabilities, analysts can also better visualize attack propagation paths and understand how activity may spread across environments. This helps reduce investigation time while improving clarity and confidence during triage.

Incident management – side by side

Aspect	Azure portal	Defender
Incident list	Time range picker for filtering incidents by date Filter and sort by status, severity and product name Auto-refresh every 30 seconds Product name (Sentinel or Defender) and alert count visibility	Centralized list of incidents with Defender incidents that have a retention period of 180 days while the Sentinel incidents have a retention period that depends on the underlying data retention settings in log analytics (hot interactive retention) In Defender, incidents can be sourced from different services and the retention of the data related to these incidents depends on the default data retention period for these services If you need to retain Defender incident data for longer than 180 days, you must explicitly extend the retention period in the Sentinel workspace settings Incidents and alerts are now shown under the investigation and response menu and can be filtered based on source service The incidents page has a tab with alerts grouped into the incident, as well as a tab showing similar incidents Customizable columns and sortable incidents by ML-powered priority score Exporting and link copying options
Incident details	Overview tab with timeline showing alerts and bookmarks Entities and similar incidents matching UEBA insights Comments and tasks for SOC processes	Sections for attack story, alerts, assets, investigations, evidence and responses, and always-visible incident detail pane Actions include triggering Sentinel playbooks, exporting incident details in PDF, merging or linking incidents Activities tab indicates if automation rules or playbooks were run as part of the incident response An alert can be promoted to incident Blast radius analysis of propagation path (requires Sentinel data lake and graph) is a graph-based visualization in Microsoft Defender that shows how an attack can spread from a compromised entity to other critical assets Security Copilot integration optimizes incident investigation and response
Incident creation	Created by Sentinel analytic rules, or Fusion from bookmarks/hunting queries	Each connected Microsoft Sentinel workspace is treated as a separate data source In multi-workspace setups, you designate one primary workspace and only the primary workspace will receive Defender incidents and alerts and correlation with Defender alerts will also only occur in the primary Secondary workspaces can continue to ingest Defender tables if configured in the table menu in Defender, while correlation in the secondary workspaces is scoped to data within the secondary workspace Fusion will be replaced by correlation in the primary and secondary workspaces Defender can still merge similar incidents based on detected commonalities Incidents can be created by analytic rules, custom detections, or alerts from different data sources—including Sentinel—while manual incident creation is on the roadmap
Management actions	Owner assignment, status (new/active/closed), severity, comments, tags, investigation graph, run playbook	Stays the same, plus: update name, change severity, assign to users/teams, add tags, update status (active/in progress/resolved), close with resolution classification, run Sentinel playbooks directly, request Defender experts, export PDF, merge/link incidents AI-generated playbooks (with Security Copilot) with enhanced automation rules allow you to complete automation when a security alert is created
Collaboration	Comments (HTML/markdown), bookmarks	Activity log for tracked comments and audits, tasks feature with assignments and due dates
Closing	Classification required (true positive, benign positive, false positive, undetermined)	Resolution classification required for closure
Querying	KQL through log analytics	KQL through advanced hunting or Sentinel data lake exploration, where advanced hunting allows querying Sentinel and Defender data in a single unified experience
Security alerts	Visible as part of an incident	Can be promoted to incident, and also part of an incident
Alert details	Alert sub-menus from incident Alert details include severity, status, analytics rule, etc. Entity profile pages	Full alert properties with MITRE tactics mapping Entities and evidence with contextual actions Activities timeline, alert tuning tool, and links to correlated incidents Customizable alert timeframe filter up to 180 days of alert history
Attack story	Legacy investigation graph requiring entity mapping in analytics rules Limited to incidents up to 30 days old Greater context switching required	Chronological attack story with replay capability Graph filtering (Preview) by severity, status, service source and entity type Incident graph with full attack scope and spread Entity pivoting from attack graph “Go hunt” for direct advanced hunting across devices, files, etc. Immediate remediation actions without losing context

What remains the same

Incident properties (title, description, severity, MITRE ATT&CK enterprise framework, tactics and techniques mapping) are preserved. Incidents still aggregate alerts and entities as evidence. Manual incident creation from hunting queries is still supported. Alerts and incidents can still be created by API or Logic App.
The Microsoft Sentinel Responder role is the minimum least privilege role required by a SOC analyst to manage incidents, cases, tasks, threat intelligence, and automation rules related to incident management. This role maps to the security Operator in URBAC (Unified RBAC).

Correlation becomes more connected

One of the most important evolutions is the move from Fusion correlation to the Defender correlation engine.

This shift helps:

Reduce duplicate incidents
Improve multi-stage attack correlation
Consolidate related activity into richer investigations
Reduce manual merging work for analysts

The goal is simple: give analysts fewer, higher-quality incidents with more context attached.

Existing analytics rules continue to work, while newer custom detection experiences continue to evolve alongside them.

Microsoft Security alert rules are no longer displayed. With Sentinel in the Azure portal, security alerts are individual detections generated when Sentinel or integrated Microsoft security services identify suspicious or malicious activity in your environment. When Defender products are connected to Sentinel in the Azure Portal, their alerts flow into Sentinel as security alerts. These alerts are produced by Microsoft managed detection logic and surfaced in Sentinel for unified triage. After enabling Sentinel in Defender, analytic rules do not trigger alerts. These security alerts can be seen and queried on the SecurityAlert table; the analytic rules that previously triggered the security alerts in the Azure portal won’t be visible in Defender.

The custom detection rules blade in Defender displays both analytics rules and custom detections in a single view.

Why this lands well: One correlation engine instead of two means fewer duplicate incidents, fewer manual merges, and an investigation surface (attack story + blast radius) that’s richer than the legacy investigation graph it replaces.

Considerations for incidents and correlation

Verify that any SOC automation closing or updating incidents using the Sentinel API is redirected to the Microsoft Graph security API.
Incident IDs, AlertIDs and URLs will change (Defender uses its own identifiers).
Incident names are auto generated by the Defender correlation engine and may differ from Sentinel analytics rule names. Update triage routing or SLA workflows that rely on the name of the incident. Customers can apply correlation exclusions at the analytic rule level or at the tenant level which will not affect the incident title and will then not merge alerts.
Review any workflow that depends on Fusion-generated incidents, since Fusion is replaced by Defender correlation.
In Defender, teams can use tags, saved queries, and custom hunting tables to capture and organize investigation context after a hunting exercise, providing flexible ways to carry forward important findings.

Alerts and schemas evolve for easier investigation

As Sentinel continues to evolve within Defender, incident management becomes more streamlined, connected, and cost-efficient. Instead of relying on separate “Microsoft security alerts” analytics rules to generate incidents from Defender workloads including endpoint, identity and cloud applications now are automatically correlated by the Defender engine into a unified incident queue.

This new approach helps eliminate duplicate incidents and gives security teams a cleaner, more consolidated investigation experience by bringing related alerts together into a single incident. It also enables organizations to modernize their operations by shifting from alert-level automation to incident-centric workflows, while taking advantage of Defender-native automation capabilities.

Beyond operational simplicity, this model can also help optimize costs. Since alert data is available without requiring additional log analytics ingestion, organizations can be more selective about ingesting raw logs and focus instead on scenarios where deeper investigations, long-term retention, or compliance requirements make it necessary.

Key transition actions

To transition effectively organizations should first retire legacy “Microsoft incident creation rules” analytics rules and rely on the individual Defender connectors for alert ingestion. Automation strategies should then be reviewed and adjusted, as incident handling shifts from multiple alert-driven records to a single, correlated incident model—often requiring incident-level workflows.

The integration also introduces bi-directional incident synchronization between Sentinel and Defender, enabling consistent state management across both environments, although the operational focus should move to Defender. Additionally, the new alert schema separates alert metadata and evidence. Organizations are encouraged to adopt the AlertInfo and AlertEvidence tables in place of the legacy SecurityAlert schema (supported in Advance Hunting) to support richer investigation scenarios.

Field-level differences – alert metadata

Concept	Azure (SecurityAlert)	Defender (AlertInfo)
Alert ID	SystemAlertId	AlertId
Name	AlertName	Title
Severity	Severity	Severity
Product / Provider	ProviderName	DetectionSource / ServiceSource
Description	Description	Title / Description equivalent
Time	TimeGenerated	TimeGenerated

The key shift here is naming normalization standardized across Defender signals.

Field-level differences – entity/evidence modeling

Concept	Azure (SecurityAlert)	Defender (AlertEvidence)
Entities	JSON (Entities)	Rows (1 row per entity)
Entity type	Inside JSON	EntityType column
Host	JSON field	DeviceName, DeviceId
User	JSON field	AccountName, AccountSid
IP	JSON field	IPAddress
File	JSON field	FileName, SHA256

The key shift here is denormalized JSON pivoting to strongly typed columns for easier joins, filters, and aggregations.

Querying differences – before and after

Azure (classic):

SecurityAlert | extend Entities = parse_json(Entities) | mv -expand Entities | where Entities.Type == "account"

Defender (recommended):

AlertInfo | join AlertEvidence on AlertId | where EntityType == "Account"

By leveraging the unified Microsoft Defender connector, your SOC gains efficiency (no double handling of the same threat), clarity (one incident is just one campaign or attack chain), and potential cost savings.

Why this lands well: The new schema isn’t a migration tax, it’s a query model that’s easier to write against, easier to teach new analysts, and avoids the JSON parsing Sentinel detection engineers have previously managed.

Your underlying data architecture stays intact

In this process, you can be assured that your log analytics workspace, retention settings, data export, and governance controls all carry forward.

Aspect	Azure portal	Defender
Storage	Log analytics workspace in Azure	Log analytics workspace in Azure (unchanged)
Storage tiers	Analytic logs, Basic logs, Auxiliary logs, Archive	· Analytics logs, Basic logs, Auxiliary logs, Archive (unchanged) · Changing the tier for Basic logs or Auxiliary logs requires you to go to the log analytics workspace experience in the Azure portal. Sentinel data lake for long-term retention onboarding is optional and available once Sentinel is configured in the Defender portal · If the primary workspace is onboarded to Sentinel data lake, the Basic logs and Auxiliary log tables are converted to the data lake tier
Workspace default retention	Configured in log analytics workspace settings	Workspace default retention continues to be configured in the Azure portal or through CLI/API (unchanged)
Per-table retention	Configured per table in log analytics	Per-table retention and tier management is available directly in Defender

Note on data lake availability: Microsoft Sentinel data lake is not yet available in every Azure region. Check current region coverage on Microsoft Learn before planning onboarding: Geographical availability and data residency in Microsoft Sentinel. Your data lake is provisioned in the same region as your primary Sentinel workspace.

Content hub and existing investments continue to work

Content Hub remains the mechanism for discovering and deploying solution packages (connectors, analytics rules, workbooks, playbooks) for Sentinel. Over 450+ solution templates from Microsoft, partners, and community contributors are available in the Sentinel solutions catalog.

Transition considerations

Content hub is fully available in Defender. There is no need to switch back to the Azure portal for content management.
Repositories (CI/CD for Sentinel content) and Community continue to function in Defender.
No changes to content update mechanisms. Solutions continue to receive updates through Content Hub as before.

What this means for each persona

Persona	What changes in this part
SOC analyst	One unified incident queue. Attack story replaces the legacy investigation graph. “Go hunt” is one click away. Bookmarks are gone—use tags and saved queries instead.
Detection engineer	“Microsoft security alerts” analytics rules retire. AlertInfo + AlertEvidence become the canonical schema for new detections and hunting queries. Fusion-dependent logic moves to XDR correlation behavior.
Automation/SOAR owner	Re-point any incident-update automation to the Microsoft Graph security API. Shift triggers from alert-level to incident-level. Review SLA and routing workflows that key on incident names.
Architect	Decide your primary workspace explicitly—only the primary receives Defender incidents and alerts and gets XDR correlation. Plan retention deltas (Defender XDR 180 days versus Sentinel-extended).
Compliance / Data owner	Log analytics, retention, and per-table controls are unchanged. Data lake onboarding is optional. Document the data residency story for any auditor questions—the storage layer hasn’t moved.

Clearing up common misconceptions

“Fusion still runs in the background.”
It does not. Fusion is replaced by the Defender correlation engine on the primary workspace.
“My Sentinel data has to migrate.”
It does not. The log analytics workspace is unchanged. Storage, retention, and per-table settings carry forward.
“I lose my existing analytics rules.”
Sentinel analytics rules continue to function and are visible in the unified custom detection rules blade alongside custom detections. The roadmap converges them only when custom detections reach full parity.
“Incident IDs will stay the same, so my tickets won’t break.”
Incident IDs and URLs change in Defender. Update any external ticketing or webhook integration.
“My Content Hub solutions need to be re-installed.”
They don’t. Content Hub is still available in Defender. Solutions, repositories, and community all continue to work.

Get started

Designate your primary Sentinel workspace and document the decision. Only the primary receives Defender incidents/alerts and gets XDR correlation.
Inventory automations that update or close incidents through the Sentinel API. Mark them for re-pointing to the Microsoft Graph security API.
Identify external systems keyed on incident IDs, URLs, or incident names. Flag for update.
Pilot one new hunting query using AlertInfo + AlertEvidence to build team familiarity with the new schema.
Confirm Content Hub solutions and repositories pipelines are visible and operational from Defender.
If long-term retention is on your roadmap, confirm your primary workspace region is supported by the data lake before planning onboarding: Geographical availability and data residency.