Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

Unified Security Operation Sentinel Vs Defender Tables

Copper Contributor

I have a question regarding the Unified SOC portal. In the session below, they highlighted one advantage: the ability to use Defender and Sentinel Tables together. However, both the SignInLogs and DeviceLogonEvents tables are already accessible in Sentinel through the Defender connector. Am I missing something, or did they use an incorrect example to demonstrate an advantage that Sentinel already provides?


Unified Security Operations Platform GA launch and exclusive demo 

4 Replies
Bonjour j'ai un souci avec Windows 11 quand je les allumer et j'ai tapé le mot passe je les retrouver en mode échec Comment faire pourvoir trouver les font d'écran merci d'avance

@ahmad_zuhd hi,


Technically, this example is not wrong as you may not be feeding into Sentinel the DeviceLogonEvents tables. While all tables available in XDR can be forwarded to Sentinel, that doesn't mean you've checked the relevant boxes by default in the connector. On the other hand, having a common space for Sentinel and XDR (Unified SOC) allows building queries which would include both SignInLogs and DeviceLogonEvents tables.


On a broader perspective, through Unified Security Operations you may want to pivot between XDR and Sentinel far more less, you can build both detection rules (XDR) and analytics (Sentinel), have access to your workbooks, perform threat hunting and many other Sentinel functionalities into the XDR portal. 


I hope this answered your question.


If I have answered your question, please mark your post as Solved

If you like my response, please consider giving it a like



Echo to this, not all environment have the budget to ingest Device****** events into Sentinel, given the huge volume of events it produced. Thus you have an option right now to both save cost + correlating the information from Sentinel end, under the Unified SOC portal.
You need to look into the monetary benefits of this integration as well, not only technical feasibility.
Hope my 2 cent helps.

Logically, this makes sense regarding the cost, but it will reduce Microsoft's revenue from data ingestion. This suggests that Microsoft will need to find another revenue channel, which will hopefully come from increased sales, but could also come from charging per API call to the analytics workspace, which is not clear till now.


Can anyone from Microsoft clarify if there will be a cost when enabling Unified SOC by any way?