Microsoft Sentinel in the Microsoft Defender portal
This article describes the Microsoft Sentinel experience in the Microsoft Defender portal. Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal with Microsoft Defender XDR. For more information, see:
- Blog post: General availability of the Microsoft unified security operations platform
- Blog post: Frequently asked questions about the unified security operations platform
- Connect Microsoft Sentinel to Microsoft Defender XDR
- Microsoft Sentinel feature support for Azure commercial/other clouds
In preview, Microsoft Sentinel is also available in the Defender portal without Microsoft Defender XDR or an E5 license.
New and improved capabilities
The following table describes the new or improved capabilities available in the Defender portal with the integration of Microsoft Sentinel. Microsoft continues to innovate in this new experience with features that might be exclusive to the Defender portal.
Capabilities | Description |
---|---|
Advanced hunting | Query from a single portal across different data sets, so hunting is more efficient and you don't need to switch context. Use Security Copilot to help generate your KQL. View and query all data, including data from Microsoft security services and Microsoft Sentinel, and use all your existing Microsoft Sentinel workspace content, including queries and functions. For more information, see Advanced hunting in the Microsoft Defender portal and Security Copilot in advanced hunting. |
SOC optimizations | Get high-fidelity, actionable recommendations that help you identify where to reduce costs, add security controls, and add missing data. SOC optimizations are available in the Defender and Azure portals, are tailored to your environment, and are based on your current coverage and threat landscape. For more information, see Optimize your security operations and SOC optimization reference of recommendations. |
Microsoft Copilot in Microsoft Defender | When investigating incidents in the Defender portal, summarize incidents, analyze scripts, analyze files, and create incident reports. When hunting for threats in advanced hunting, create ready-to-run KQL queries by using the query assistant. For more information, see Microsoft Security Copilot in advanced hunting. |
The following table describes the additional capabilities available in the Defender portal with the integration of Microsoft Sentinel and Microsoft Defender XDR as part of Microsoft's unified security operations platform.
Capabilities | Description |
---|---|
Attack disruption | Deploy automatic attack disruption for SAP with both the Defender portal and the Microsoft Sentinel solution for SAP applications. For example, contain compromised assets by locking suspicious SAP users in case of a financial process manipulation attack. Attack disruption capabilities for SAP are available in the Defender portal only. To use attack disruption for SAP, update your data connector agent version and ensure that the relevant Azure role is assigned to your agent's identity. For more information, see Automatic attack disruption for SAP. |
Unified entities | Entity pages for devices, users, IP addresses, and Azure resources in the Defender portal display information from Microsoft Sentinel and Defender data sources. These entity pages give you expanded context for your investigations of incidents and alerts in the Defender portal. For more information, see Investigate entities with entity pages in Microsoft Sentinel. |
Unified incidents | Manage and investigate security incidents in a single location and from a single queue in the Defender portal. Use Security Copilot to summarize, respond, and report. Incidents include data from the breadth of sources, the AI analytics tools of security information and event management (SIEM), and the context and mitigation tools offered by extended detection and response (XDR). For more information, see Incident response in the Microsoft Defender portal and Investigate Microsoft Sentinel incidents in Security Copilot. |
Microsoft Copilot in Microsoft Defender | When investigating incidents with Microsoft Sentinel integrated with Defender XDR, triage and investigate incidents with guided responses, and summarize device and identity information. Use Security Copilot in threat intelligence to summarize the relevant threats impacting your environment, prioritize threats based on your exposure levels, or find threat actors that might be targeting your industry. For more information, see Using Microsoft Security Copilot for threat intelligence. |
Capability differences between portals
Most Microsoft Sentinel capabilities are available in both the Azure and Defender portals. In the Defender portal, some Microsoft Sentinel experiences open the Azure portal for you to complete a task.
This section covers the Microsoft Sentinel capabilities or integrations that are available only in the Azure portal or only in the Defender portal, and other significant differences between the portals. It excludes the Microsoft Sentinel experiences that simply open the Azure portal from the Defender portal.
Capability | Availability | Description |
---|---|---|
Advanced hunting using bookmarks | Azure portal only | Bookmarks aren't supported in the advanced hunting experience in the Microsoft Defender portal. In the Defender portal, they're supported under Microsoft Sentinel > Threat management > Hunting. For more information, see Keep track of data during hunting with Microsoft Sentinel. |
Attack disruption for SAP | Defender portal only with Defender XDR | This functionality is unavailable in the Azure portal. For more information, see Automatic attack disruption in the Microsoft Defender portal. |
Automation | Varies by procedure | Some automation procedures are available only in the Azure portal. Other automation procedures are the same in the Defender and Azure portals, but differ in the Azure portal between workspaces that are onboarded to the Defender portal and workspaces that aren't. For more information, see Automation with the unified security operations platform. |
Data connectors: visibility of connectors used by the unified security operations platform | Azure portal only | In the Defender portal, after you onboard Microsoft Sentinel, the data connectors that are part of the unified security operations platform aren't shown in the Data connectors page. In the Azure portal, these data connectors are still listed with the installed data connectors in Microsoft Sentinel. |
Entities: Add entities to threat intelligence from incidents | Azure portal only | This functionality is unavailable in the Defender portal. For more information, see Add entity to threat indicators. |
Fusion: Advanced multistage attack detection | Azure portal only | The Fusion analytics rule, which creates incidents based on alert correlations made by the Fusion correlation engine, is disabled when you onboard Microsoft Sentinel to the Defender portal. The Defender portal uses Microsoft Defender XDR's incident-creation and correlation functionalities to replace those of the Fusion engine. For more information, see Advanced multistage attack detection in Microsoft Sentinel. |
Incidents: Adding alerts to incidents / Removing alerts from incidents | Defender portal only | After onboarding Microsoft Sentinel to the Defender portal, you can no longer add alerts to, or remove alerts from, incidents in the Azure portal. You can remove an alert from an incident in the Defender portal, but only by linking the alert to another incident (existing or new). |
Incidents: editing comments | Azure portal only | After onboarding Microsoft Sentinel to the Defender portal, you can add comments to incidents in either portal, but you can't edit existing comments. Edits made to comments in the Azure portal don't synchronize to the Defender portal. |
Incidents: Programmatic and manual creation of incidents | Azure portal only | Incidents created in Microsoft Sentinel through the API, by a Logic App playbook, or manually from the Azure portal, aren't synchronized to the Defender portal. These incidents are still supported in the Azure portal and the API. See Create your own incidents manually in Microsoft Sentinel. |
Incidents: Reopening closed incidents | Azure portal only | In the Defender portal, you can't set alert grouping in Microsoft Sentinel analytics rules to reopen closed incidents if new alerts are added. Closed incidents aren't reopened in this case, and new alerts trigger new incidents. |
Incidents: Tasks | Azure portal only | Tasks are unavailable in the Defender portal. For more information, see Use tasks to manage incidents in Microsoft Sentinel. |
Multiple workspace management for Microsoft Sentinel | Defender portal: limited to one Microsoft Sentinel workspace per tenant. Azure portal: centrally manage multiple Microsoft Sentinel workspaces for tenants. | Only one Microsoft Sentinel workspace per tenant is currently supported in the Defender portal, so Microsoft Defender multitenant management supports one Microsoft Sentinel workspace per tenant. For more information, see Microsoft Defender multitenant management (Defender portal) and Manage multiple Microsoft Sentinel workspaces with workspace manager (Azure portal). |
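Two rows in the table above change detection behaviour silently at onboarding: the Fusion rule is disabled, and scheduled rules whose alert grouping is configured to reopen closed incidents stop doing so (new alerts open new incidents instead). The following Python script is an added example, not code from the article or from Microsoft, that audits exported analytics rule definitions for both conditions before you onboard. It assumes the rules are in the JSON shape returned by the Microsoft Sentinel Alert Rules REST API (each item carries `kind` and `properties`, with grouping under `properties.incidentConfiguration.groupingConfiguration`); the sample rules embedded below are constructed for illustration.

```python
"""Pre-onboarding audit of Microsoft Sentinel analytics rules.

Added example (not from the original article). Assumes the input is the
JSON returned by the Sentinel "Alert Rules - List" REST API; the sample
below is constructed, not captured from a real workspace.
"""
import json
from dataclasses import dataclass
from typing import Dict, List

FUSION_ISSUE = ("Fusion rule is disabled when the workspace is onboarded to the "
                "Defender portal; Defender XDR correlation replaces it.")
REOPEN_ISSUE = ("Alert grouping is set to reopen closed incidents; in the Defender "
                "portal closed incidents stay closed and new alerts open new incidents.")

# Constructed sample: a trimmed "Alert Rules - List" response.
SAMPLE_RULES_JSON = json.dumps({"value": [
    {"name": "BuiltInFusion", "kind": "Fusion",
     "properties": {"displayName": "Advanced Multistage Attack Detection", "enabled": True}},
    {"name": "rule-1", "kind": "Scheduled",
     "properties": {"displayName": "Password spray then success", "enabled": True,
                    "incidentConfiguration": {"createIncident": True,
                        "groupingConfiguration": {"enabled": True, "reopenClosedIncident": True,
                                                  "lookbackDuration": "PT5H",
                                                  "matchingMethod": "AllEntities"}}}},
    {"name": "rule-2", "kind": "Scheduled",
     "properties": {"displayName": "Rare process on DC", "enabled": True,
                    "incidentConfiguration": {"createIncident": True,
                        "groupingConfiguration": {"enabled": False,
                                                  "reopenClosedIncident": True}}}},
    {"name": "rule-3", "kind": "NRT",
     "properties": {"displayName": "Disabled NRT rule", "enabled": False,
                    "incidentConfiguration": {"createIncident": True,
                        "groupingConfiguration": {"enabled": True,
                                                  "reopenClosedIncident": True}}}},
    {"name": "rule-4", "kind": "MicrosoftSecurityIncidentCreation",
     "properties": {"displayName": "Create incidents from MDI", "enabled": True}},
]})


@dataclass(frozen=True)
class Finding:
    rule_name: str
    display_name: str
    kind: str
    enabled: bool
    issue: str


def audit_rules(rules_json: str) -> List[Finding]:
    """Return one Finding per rule whose behaviour changes at onboarding."""
    findings: List[Finding] = []
    for rule in json.loads(rules_json).get("value", []):
        props = rule.get("properties", {})
        kind = rule.get("kind", "")
        name = rule.get("name", "")
        display = props.get("displayName", name)
        enabled = bool(props.get("enabled", False))

        if kind == "Fusion":
            findings.append(Finding(name, display, kind, enabled, FUSION_ISSUE))
            continue

        # Rule kinds without an incidentConfiguration (or without grouping)
        # fall through these .get() calls harmlessly.
        grouping = props.get("incidentConfiguration", {}).get("groupingConfiguration", {})
        # reopenClosedIncident only matters when grouping itself is enabled.
        if grouping.get("enabled") and grouping.get("reopenClosedIncident"):
            findings.append(Finding(name, display, kind, enabled, REOPEN_ISSUE))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings by issue, counting only rules that are currently enabled."""
    counts: Dict[str, int] = {}
    for f in findings:
        if f.enabled:
            counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES_JSON):
        state = "enabled" if f.enabled else "disabled"
        print(f"[{f.kind}] {f.display_name} ({state}): {f.issue}")
```

Disabled rules are still reported, because a rule that is re-enabled after onboarding inherits the new behaviour; `summarize` counts only enabled ones so the output reflects current detection coverage. Rules that rely on reopening should be reviewed for whether a new incident per alert burst is acceptable or whether the lookback and grouping criteria need to change.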
Limited or unavailable capabilities
When you onboard Microsoft Sentinel to the Defender portal without Defender XDR or other services enabled, the following features that show in the Defender portal are currently limited or unavailable.
Capability | Service required |
---|---|
Exposure management | Microsoft Security Exposure Management |
Custom detection rules | Microsoft Defender XDR |
Action center | Microsoft Defender XDR |
The following limitations also apply to Microsoft Sentinel in the Defender portal without Defender XDR or other services enabled:
- New Microsoft Sentinel customers aren't eligible to onboard a Log Analytics workspace that's created in the Israel region. To onboard to the Defender portal, create another workspace for Microsoft Sentinel in a different region. This additional workspace doesn't need to contain any data.
- Customers that use Microsoft Sentinel user and entity behavior analytics (UEBA) are provided with a limited version of the IdentityInfo table.
Quick reference
Some Microsoft Sentinel capabilities, like the unified incident queue, are integrated with Microsoft Defender XDR in Microsoft's unified security operations platform. Many other Microsoft Sentinel capabilities are available in the Microsoft Sentinel section of the Defender portal.
The following image shows the Microsoft Sentinel menu in the Defender portal:
The following sections describe where to find Microsoft Sentinel features in the Defender portal. The sections are organized as Microsoft Sentinel is in the Azure portal.
General
The following table lists the changes in navigation between the Azure and Defender portals for the General section in the Azure portal.
Azure portal | Defender portal |
---|---|
Overview | Overview |
Logs | Investigation & response > Hunting > Advanced hunting |
News & guides | Not available |
Search | Microsoft Sentinel > Search |
Threat management
The following table lists the changes in navigation between the Azure and Defender portals for the Threat management section in the Azure portal.
Azure portal | Defender portal |
---|---|
Incidents | Investigation & response > Incidents & alerts > Incidents |
Workbooks | Microsoft Sentinel > Threat management > Workbooks |
Hunting | Microsoft Sentinel > Threat management > Hunting |
Notebooks | Microsoft Sentinel > Threat management > Notebooks |
Entity behavior | User entity page: Assets > Identities > {user} > Sentinel events. Device entity page: Assets > Devices > {device} > Sentinel events. Entity pages for the user, device, IP, and Azure resource entity types are also reachable from incidents and alerts as they appear. |
Threat intelligence | Microsoft Sentinel > Threat management > Threat intelligence |
MITRE ATT&CK | Microsoft Sentinel > Threat management > MITRE ATT&CK |
Content management
The following table lists the changes in navigation between the Azure and Defender portals for the Content management section in the Azure portal.
Azure portal | Defender portal |
---|---|
Content hub | Microsoft Sentinel > Content management > Content hub |
Repositories | Microsoft Sentinel > Content management > Repositories |
Community | Microsoft Sentinel > Content management > Community |
Configuration
The following table lists the changes in navigation between the Azure and Defender portals for the Configuration section in the Azure portal.
Azure portal | Defender portal |
---|---|
Workspace manager | Not available |
Data connectors | Microsoft Sentinel > Configuration > Data connectors |
Analytics | Microsoft Sentinel > Configuration > Analytics |
Watchlists | Microsoft Sentinel > Configuration > Watchlists |
Automation | Microsoft Sentinel > Configuration > Automation |
Settings | System > Settings > Microsoft Sentinel |