Connect Microsoft Sentinel to the Microsoft Defender portal

Microsoft Sentinel is generally available within Microsoft's unified security operations (SecOps) platform in the Microsoft Defender portal. When you onboard Microsoft Sentinel to the Defender portal with Microsoft Defender XDR, you unify capabilities like incident management and advanced hunting. Reduce tool switching and build a more context-focused investigation that expedites incident response and stops breaches faster. For more information, see:

In preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license.

Prerequisites

Before you begin, review the feature documentation to understand the product changes and limitations.

The Microsoft Defender portal supports a single Microsoft Entra tenant and the connection to one workspace at a time. In the context of this article, a workspace is a Log Analytics workspace with Microsoft Sentinel enabled.

Microsoft Sentinel prerequisites

To onboard and use Microsoft Sentinel in the Defender portal, you must have the following resources and access:

  • A Log Analytics workspace that has Microsoft Sentinel enabled

  • The data connector for Microsoft Defender XDR enabled in Microsoft Sentinel for incidents and alerts. Install the Defender XDR solution and configure the data connector to connect Microsoft Sentinel to the Defender portal. For more information, see Discover and manage Microsoft Sentinel out-of-the-box content. Within the Defender XDR data connector, the configuration option to connect incidents and alerts is turned off and disabled after you onboard Microsoft Sentinel to the Defender portal.

  • An Azure account with the appropriate roles to onboard, use, and create support requests for Microsoft Sentinel in the Defender portal. The following table highlights some of the key roles needed.

    Task: Onboard Microsoft Sentinel to the Defender portal
    Microsoft Entra or Azure built-in role required: Global administrator or security administrator in Microsoft Entra ID
    Scope: Tenant

    Task: Connect or disconnect a workspace with Microsoft Sentinel enabled
    Microsoft Entra or Azure built-in role required: Owner or User Access Administrator, and Microsoft Sentinel Contributor
    Scope: Subscription for the Owner or User Access Administrator role; subscription, resource group, or workspace resource for Microsoft Sentinel Contributor

    Task: View Microsoft Sentinel in the Defender portal
    Microsoft Entra or Azure built-in role required: Microsoft Sentinel Reader
    Scope: Subscription, resource group, or workspace resource

    Task: Query Sentinel data tables or view incidents
    Microsoft Entra or Azure built-in role required: Microsoft Sentinel Reader, or a role with the following actions:
    - Microsoft.OperationalInsights/workspaces/read
    - Microsoft.OperationalInsights/workspaces/query/read
    - Microsoft.SecurityInsights/Incidents/read
    - Microsoft.SecurityInsights/incidents/comments/read
    - Microsoft.SecurityInsights/incidents/relations/read
    - Microsoft.SecurityInsights/incidents/tasks/read
    Scope: Subscription, resource group, or workspace resource

    Task: Take investigative actions on incidents
    Microsoft Entra or Azure built-in role required: Microsoft Sentinel Contributor, or a role with the following actions:
    - Microsoft.OperationalInsights/workspaces/read
    - Microsoft.OperationalInsights/workspaces/query/read
    - Microsoft.SecurityInsights/incidents/read
    - Microsoft.SecurityInsights/incidents/write
    - Microsoft.SecurityInsights/incidents/comments/read
    - Microsoft.SecurityInsights/incidents/comments/write
    - Microsoft.SecurityInsights/incidents/relations/read
    - Microsoft.SecurityInsights/incidents/relations/write
    - Microsoft.SecurityInsights/incidents/tasks/read
    - Microsoft.SecurityInsights/incidents/tasks/write
    Scope: Subscription, resource group, or workspace resource

    Task: Create a support request
    Microsoft Entra or Azure built-in role required: Owner, Contributor, Support request contributor, or a custom role with Microsoft.Support/*
    Scope: Subscription

    After you connect Microsoft Sentinel to the Defender portal, your existing Azure role-based access control (RBAC) permissions allow you to work with the Microsoft Sentinel features that you have access to. Continue to manage roles and permissions for your Microsoft Sentinel users from the Azure portal. Any Azure RBAC changes are reflected in the Defender portal. For more information about Microsoft Sentinel permissions, see Roles and permissions in Microsoft Sentinel and Manage access to Microsoft Sentinel data by resource.
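    The action lists above are the minimum a custom role needs for the query and investigation tasks. The following Python script is an added example, not part of this Microsoft Learn article: it builds a custom-role definition in the flat JSON shape that `az role definition create --role-definition @file.json` accepts, and checks whether an existing role's Actions and NotActions cover a required action list using Azure RBAC's control-plane rule (an action is allowed when it matches an Actions entry and no NotActions entry, `*` is a wildcard, and matching is case-insensitive). The role names, the two sample roles, and the assignable-scope placeholder are constructed for the example; replace the placeholder with your own workspace resource ID before creating the role.

```python
import json
import re

# Action lists copied from the permissions table above (case as written there).
VIEW_INCIDENT_ACTIONS = [
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read",
    "Microsoft.SecurityInsights/Incidents/read",
    "Microsoft.SecurityInsights/incidents/comments/read",
    "Microsoft.SecurityInsights/incidents/relations/read",
    "Microsoft.SecurityInsights/incidents/tasks/read",
]
INVESTIGATE_INCIDENT_ACTIONS = [
    "Microsoft.OperationalInsights/workspaces/read",
    "Microsoft.OperationalInsights/workspaces/query/read",
    "Microsoft.SecurityInsights/incidents/read",
    "Microsoft.SecurityInsights/incidents/write",
    "Microsoft.SecurityInsights/incidents/comments/read",
    "Microsoft.SecurityInsights/incidents/comments/write",
    "Microsoft.SecurityInsights/incidents/relations/read",
    "Microsoft.SecurityInsights/incidents/relations/write",
    "Microsoft.SecurityInsights/incidents/tasks/read",
    "Microsoft.SecurityInsights/incidents/tasks/write",
]

# Placeholder: substitute the real workspace resource ID (not from the article).
WORKSPACE_SCOPE = ("/subscriptions/<subscription-id>/resourceGroups/<resource-group>"
                   "/providers/Microsoft.OperationalInsights/workspaces/<workspace-name>")


def action_matches(pattern: str, action: str) -> bool:
    """Azure RBAC action matching: '*' matches any run of characters (including '/'),
    everything else is literal, and the comparison ignores case."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, action.lower()) is not None


def is_allowed(role: dict, action: str) -> bool:
    """Effective control-plane permission for one role: Actions minus NotActions."""
    allowed = any(action_matches(p, action) for p in role.get("Actions", []))
    denied = any(action_matches(p, action) for p in role.get("NotActions", []))
    return allowed and not denied


def missing_actions(role: dict, required: list) -> list:
    """Return the required actions this role does not effectively grant."""
    return [a for a in required if not is_allowed(role, a)]


def custom_role(name: str, actions: list, assignable_scope: str, description: str = "") -> dict:
    """Build a role definition in the shape accepted by `az role definition create`."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": list(actions),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [assignable_scope],
    }


# Constructed sample: a read-only role patterned on the built-in Reader role ("*/read").
SAMPLE_READ_ONLY_ROLE = {"Name": "SampleReadOnly", "Actions": ["*/read"], "NotActions": []}

# Constructed sample: broad SecurityInsights rights with incident writes carved out,
# and no workspace query permission. It cannot take investigative actions.
SAMPLE_CARVED_ROLE = {
    "Name": "SampleCarved",
    "Actions": ["Microsoft.SecurityInsights/*", "Microsoft.OperationalInsights/workspaces/read"],
    "NotActions": ["Microsoft.SecurityInsights/incidents/write"],
}

if __name__ == "__main__":
    role = custom_role("Sentinel Incident Investigator (sample)", INVESTIGATE_INCIDENT_ACTIONS,
                       WORKSPACE_SCOPE, "Custom role built from the article's action list")
    # Save as role.json and run: az role definition create --role-definition @role.json
    print(json.dumps(role, indent=2))
    for candidate in (SAMPLE_READ_ONLY_ROLE, SAMPLE_CARVED_ROLE, role):
        print(candidate["Name"], "missing for investigation:",
              missing_actions(candidate, INVESTIGATE_INCIDENT_ACTIONS))
```

The check is deliberately limited to a single role definition; a principal's effective rights are the union of all its role assignments in scope, so run `missing_actions` against each assigned role (or the combined action lists) when validating a user rather than a role.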

Microsoft's unified SecOps platform prerequisites

To unify capabilities with Defender XDR in Microsoft's unified SecOps platform, you must have the following resources and access:

Onboard Microsoft Sentinel

To connect a Microsoft Sentinel workspace to the Defender portal, complete the following steps. If you're onboarding Microsoft Sentinel without Defender XDR (preview), there is an extra step to trigger the connection between Microsoft Sentinel and the Defender portal.

  1. Go to the Microsoft Defender portal and sign in.

  2. To onboard Microsoft Sentinel without Defender XDR in the Defender portal:

    1. To trigger the connection with Microsoft Sentinel, select Investigation & response > Incidents.
    2. Wait a few minutes for the connection to complete.
  3. In the Defender portal, select Overview.

  4. Select Connect a workspace.

  5. Choose the workspace you want to connect and select Next.

  6. Read and understand the product changes associated with connecting your workspace. These changes include:

    • Log tables, queries, and functions in the Microsoft Sentinel workspace are also available in advanced hunting within the Defender portal.
    • The Microsoft Sentinel Contributor role is assigned to the Microsoft Threat Protection and WindowsDefenderATP apps within the subscription.
    • Active Microsoft security incident creation rules are deactivated to avoid duplicate incidents. This change only applies to incident creation rules for Microsoft alerts and not to other analytics rules.
    • All alerts related to Defender XDR products are streamed directly from the main Defender XDR data connector to ensure consistency. Make sure you have incidents and alerts from this connector turned on in the workspace.
  7. Select Connect.

After your workspace is connected, the banner on the Overview page shows that your environment is ready. The Overview page is updated with new sections that include metrics from Microsoft Sentinel like the number of data connectors and automation rules.

Explore Microsoft Sentinel features in the Defender portal

After you connect your workspace to the Defender portal, Microsoft Sentinel is on the left-hand side navigation pane. If you have Defender XDR enabled, pages like Overview, Incidents, and Advanced Hunting have unified data from Microsoft Sentinel and Defender XDR. If you don't have Defender XDR enabled, these pages just include data from Microsoft Sentinel (preview). For more information about the unified capabilities and differences between portals, see Microsoft Sentinel in the Microsoft Defender portal.

Many of the existing Microsoft Sentinel features are integrated into the Defender portal. For these features, the experience in the Defender portal is similar to Microsoft Sentinel in the Azure portal. Use the following articles to help you start working with Microsoft Sentinel in the Defender portal. When using these articles, keep in mind that your starting point in this context is the Defender portal instead of the Azure portal.

Find Microsoft Sentinel settings in the Defender portal under System > Settings > Microsoft Sentinel.

Offboard Microsoft Sentinel

You can only have one workspace connected to the Defender portal at a time. If you want to connect to a different workspace that has Microsoft Sentinel enabled, disconnect the current workspace and connect the other workspace.

  1. Go to the Microsoft Defender portal and sign in.

  2. In the Defender portal, under System, select Settings > Microsoft Sentinel.

  3. On the Workspaces page, select the connected workspace and Disconnect workspace.

  4. Provide a reason why you're disconnecting the workspace.

  5. Confirm your selection.

    When your workspace is disconnected, the Microsoft Sentinel section is removed from the left-hand side navigation of the Defender portal. Data from Microsoft Sentinel is no longer included on the Overview page.

If you want to connect to a different workspace, from the Workspaces page, select the workspace and Connect a workspace.