What's New: Global Search in Unified Security Operations platform includes Sentinel user and devices
Published Sep 25 2024 07:40 PM 2,041 Views
Microsoft

We are thrilled to announce a significant enhancement to our Unified Security Operations (SecOps) platform. The Global Search feature in the Defender XDR portal now supports searching for Microsoft Sentinel users and devices, providing a more comprehensive and unified search experience for the customers using Microsoft’s Unified Security Operations platform. This powerful feature allows you to search for devices, users, and other information by typing full or partial search terms. With this update, you can now search for Microsoft Sentinel entities directly within the Unified security operations platform, streamlining your workflow and improving efficiency.

 

 

Key Benefits

  • Unified Search Results: Microsoft Sentinel devices and users are now merged with Microsoft Defender XDR portal entities, providing a single, unified search result. This eliminates the need to switch between different tools.
  • Increased efficiency and Time saving - The ability to search across Sentinel incidents and other data in the Defender portal cuts down investigation time, leading to faster resolution of security incidents.
  • Comprehensive Identifier Support: The search feature supports various identifiers, ensuring that devices and users from Microsoft Sentinel and Defender with matching identifiers are merged into a single result. This includes identifiers such as HostName, NTDomain, DnsDomain, and NetBiosName.
  • Improved User Experience: The integration simplifies the search experience, making it easier for security professionals to find the information they need quickly and efficiently. This enhancement is part of our ongoing effort to consolidate Microsoft Sentinel entities within the comprehensive XDR+SIEM platform.

How to Get Started

Getting started with the Global Search feature is simple:

  1. Access the Microsoft Defender XDR Portal: Log in to the Microsoft Defender XDR portal using your credentials.
  2. Navigate to Global Search: Locate the Global Search bar at the top of the portal.
  3. Enter Search Terms: Type in the full or partial search terms for the device or user you are looking for. The search will now include Sentinel entities along with Defender entities.
  4. Review Unified Results: The search results will display a unified view of Microsoft Sentinel and Defender entities, allowing you to quickly find the information you need.

 

Use-Cases & Scenarios 

  1. Incident Investigation: An analyst can use Global Search to quickly find all affected devices related to an incident. This allows for a faster and more efficient investigation. This makes it easier to investigate the scope of the issue and prioritize the appropriate response.
  2. Threat Hunting: Threat hunters can use Global Search to locate suspicious user activity or specific files that have been flagged as malicious, correlating these findings with other related alerts in the system.
  3. Device Tracking: Security teams can use Global Search to track a compromised device, checking for alerts, users associated with the device, and any incidents that might involve it.

   

Aman_Kaur_0-1727277678667.png

 

Supported Sentinel Host Identifiers 

Sentinel devices with the following strong identifiers can be searched and merged with Defender devices with matching identifiers: 

  • HostName+NTDomain 
  • HostName+DnsDomain 
  • NetBiosName+NTDomain 
  • NetBiosName+DnsDomain 

Supported Account Identifiers 

Sentinel accounts with the following strong identifiers can be merged with Defender user with matching identifiers: 

  • Name+UPNSuffix 
  • AADUserId 
  • Sid 

 

Moving Forward with Global Search

With Global Search for Sentinel entities now available in the Microsoft Defender XDR portal, organizations can significantly enhance their security operations. This feature empowers security teams with the tools they need to efficiently search, investigate, and respond to threats—all from a single interface.

By bringing together a unified search across incidents, alerts, users, devices, and files, the Global Search feature streamlines threat hunting, investigation, and response workflows. This ultimately helps organizations stay ahead of evolving threats and ensures they have the necessary context to protect their environment effectively.

For more detailed information and documentation on how to use Global Search, visit the official Microsoft 365 Defender portal documentation

 

 

1 Comment
Version history
Last update:
‎Sep 25 2024 01:02 PM
Updated by: