Microsoft's unified security operations platform planning overview
This article outlines activities to plan a deployment of Microsoft's security products to Microsoft's unified security operations platform for end-to-end security operations (SecOps). Unify your SecOps on Microsoft's platform to help you reduce risk, prevent attacks, detect and disrupt cyberthreats in real time, and respond faster with AI-enhanced security capabilities, all from the Microsoft Defender portal.
Plan your deployment
Microsoft's unified SecOps platform combines services like Microsoft Defender XDR, Microsoft Sentinel, Microsoft Security Exposure Management, and Microsoft Security Copilot in the Microsoft Defender portal.
The first step in planning your deployment is to select the services you want to use.
As a basic prerequisite, you'll need both Microsoft Defender XDR and Microsoft Sentinel to monitor and protect both Microsoft and non-Microsoft services and solutions, including both cloud and on-premises resources.
Deploy any of the following services to add security across your endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
Microsoft Defender XDR services include:
Service | Description |
---|---|
Microsoft Defender for Office 365 | Protects against threats posed by email messages, URL links, and Office 365 collaboration tools. |
Microsoft Defender for Identity | Identifies, detects, and investigates threats from both on-premises Active Directory and cloud identities like Microsoft Entra ID. |
Microsoft Defender for Endpoint | Monitors and protects endpoint devices, detects and investigates device breaches, and automatically responds to security threats. |
Microsoft Defender for IoT | Provides both IoT device discovery and security value for IoT devices. |
Microsoft Defender Vulnerability Management | Identifies assets and software inventory, and assesses device posture to find security vulnerabilities. |
Microsoft Defender for Cloud Apps | Protects and controls access to SaaS cloud apps. |
Other services supported in the Microsoft Defender portal as part of Microsoft's unified SecOps platform, but not licensed with Microsoft Defender XDR, include:
Service | Description |
---|---|
Microsoft Security Exposure Management | Provides a unified view of security posture across company assets and workloads, enriching asset information with security context. |
Microsoft Security Copilot | Provides AI-driven insights and recommendations to enhance your security operations. |
Microsoft Defender for Cloud | Protects multi-cloud and hybrid environments with advanced threat detection and response. |
Microsoft Defender Threat Intelligence | Streamlines threat intelligence workflows by aggregating and enriching critical data sources to correlate indicators of compromise (IOCs) with related articles, actor profiles, and vulnerabilities. |
Microsoft Entra ID Protection | Uses risk data from sign-in attempts to evaluate the risk of each sign-in to your environment. |
Microsoft Purview Insider Risk Management | Correlates various signals to identify potential malicious or inadvertent insider risks, such as IP theft, data leakage and security violations. |
Review service prerequisites
Before you deploy Microsoft's unified security operations platform, review the prerequisites for each service you plan to use. The following table lists the services and links for more information:
Security service | Prerequisites |
---|---|
Required for unified SecOps | |
Microsoft Defender XDR | Microsoft Defender XDR prerequisites |
Microsoft Sentinel | Prerequisites to deploy Microsoft Sentinel |
Optional Microsoft Defender XDR services | |
Microsoft Defender for Office | Microsoft Defender XDR prerequisites |
Microsoft Defender for Identity | Microsoft Defender for Identity prerequisites |
Microsoft Defender for Endpoint | Set up Microsoft Defender for Endpoint deployment |
Enterprise monitoring with Microsoft Defender for IoT | Prerequisites for Defender for IoT in the Defender portal |
Microsoft Defender Vulnerability Management | Prerequisites & Permissions for Microsoft Defender Vulnerability Management |
Microsoft Defender for Cloud Apps | Get started with Microsoft Defender for Cloud Apps |
Other services supported in the Microsoft Defender portal | |
Microsoft Security Exposure Management | Prerequisites and support |
Microsoft Security Copilot | Minimum requirements |
Microsoft Defender for Cloud | Start planning multicloud protection and other articles in the same section. |
Microsoft Defender Threat Intelligence | Prerequisites for Defender Threat Intelligence |
Microsoft Entra ID Protection | Prerequisites for Microsoft Entra ID Protection |
Microsoft Purview Insider Risk Management | Get started with insider risk management |
Review data security and privacy practices
Before you deploy Microsoft's unified security operations platform, make sure that you understand the data security and privacy practices for each service you plan to use. The following table lists the services and links for more information. Note that several services use the data security and retention practices for Microsoft Defender XDR instead of having separate practices of their own.
Plan your Log Analytics workspace architecture
To use Microsoft's unified SecOps platform, you need a Log Analytics workspace enabled for Microsoft Sentinel. A single Log Analytics workspace might be sufficient for many environments, but many organizations create multiple workspaces to optimize costs and better meet different business requirements. Microsoft's unified SecOps platform supports only a single workspace.
Design the Log Analytics workspace you want to enable for Microsoft Sentinel. Consider parameters such as any compliance requirements you have for data collection and storage and how to control access to Microsoft Sentinel data.
For more information, see:
Plan Microsoft Sentinel costs and data sources
Microsoft's unified SecOps platform ingests data from first-party Microsoft services, such as Microsoft Defender for Cloud Apps and Microsoft Defender for Cloud. We recommend expanding your coverage to other data sources in your environment by adding Microsoft Sentinel data connectors.
Determine your data sources
Determine the full set of data sources you'll be ingesting data from, and the data size requirements to help you accurately project your deployment's budget and timeline. You might determine this information during your business use case review, or by evaluating a current SIEM that you already have in place. If you already have a SIEM in place, analyze your data to understand which data sources provide the most value and should be ingested into Microsoft Sentinel.
For example, you might want to use any of the following recommended data sources:
Azure services: If any of the following services are deployed in Azure, use the following connectors to send these resources' Diagnostic Logs to Microsoft Sentinel:
- Azure Firewall
- Azure Application Gateway
- Azure Key Vault
- Azure Kubernetes Service
- Azure SQL
- Network Security Groups
- Azure Arc-enabled servers
We recommend that you set up Azure Policy to require that the diagnostic logs of these resources be forwarded to the underlying Log Analytics workspace. For more information, see Create diagnostic settings at scale using Azure Policy.
Virtual machines: For virtual machines hosted on-premises or in other clouds whose logs need to be collected, use the following data connectors:
- Windows Security Events using AMA
- Events via Defender for Endpoint (for server)
- Syslog
Network virtual appliances / on-premises sources: For network virtual appliances or other on-premises sources that generate Common Event Format (CEF) or Syslog logs, use the following data connectors:
- Syslog via AMA
- Common Event Format (CEF) via AMA
For more information, see Prioritize data connectors.
Plan your budget
Plan your Microsoft Sentinel budget, considering cost implications for each planned scenario. Make sure that your budget covers the cost of data ingestion for both Microsoft Sentinel and Azure Log Analytics, any playbooks that will be deployed, and so on. For more information, see:
- Log retention plans in Microsoft Sentinel
- Plan costs and understand Microsoft Sentinel pricing and billing
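To put numbers behind the data-source review and the budget planning described above, the following KQL query is an added example (not part of the original article) that ranks billable ingestion per table in a Log Analytics workspace over the last 30 days. It assumes the workspace already receives data, for example from a pilot or a migration from an existing SIEM, and that the querying identity has read access to the workspace.

```kql
// Added example: size billable ingestion per table and solution over the last
// 30 days, to rank which data sources are worth connecting to Microsoft Sentinel
// and to project daily ingestion for budget and commitment-tier planning.
// Assumption: run in Log Analytics (Logs) against a workspace that already has data.
let days = 30;
let lookback = days * 1d;
// Total billable volume across all tables, used for the percentage column.
let totalGB = toscalar(
    Usage
    | where TimeGenerated > ago(lookback) and IsBillable == true
    | summarize TotalGB = sum(Quantity) / 1024);
Usage
| where TimeGenerated > ago(lookback)
| where IsBillable == true          // exclude free tables such as Usage itself
// Quantity is reported in MB; convert to GB for planning figures.
| summarize TotalGB = sum(Quantity) / 1024 by DataType, Solution
| extend AvgDailyGB = round(TotalGB / days, 2),
         PctOfTotal = round(100.0 * TotalGB / totalGB, 1)
| project DataType, Solution, TotalGB = round(TotalGB, 2), AvgDailyGB, PctOfTotal
| order by TotalGB desc
```

Tables at the top of the list with low investigative value are candidates for filtering or a cheaper retention plan; the summed AvgDailyGB is the figure to compare against Microsoft Sentinel commitment tiers.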
Understand Microsoft security portals and admin centers
While the Microsoft Defender portal is the home for monitoring and managing security across your identities, data, devices, and apps, you need to access various portals for certain specialized tasks.
Microsoft security portals include:
Portal name | Description | Link |
---|---|---|
Microsoft Defender portal | Monitor and respond to threat activity and strengthen security posture across your identities, email, data, endpoints, and apps with Microsoft Defender XDR. The Microsoft Defender portal is where you view and manage alerts, incidents, settings, and more. | security.microsoft.com |
Defender for Cloud portal | Use Microsoft Defender for Cloud to strengthen the security posture of your data centers and your hybrid workloads in the cloud | portal.azure.com/#blade/Microsoft_Azure_Security |
Microsoft Security Intelligence portal | Get security intelligence updates for Microsoft Defender for Endpoint, submit samples, and explore the threat encyclopedia | microsoft.com/wdsi |
The following table describes portals for other workloads that can impact your security. Visit these portals to manage identities, permissions, device settings, and data handling policies.
Portal name | Description | Link |
---|---|---|
Microsoft Entra admin center | Access and administer the Microsoft Entra family to protect your business with decentralized identity, identity protection, governance, and more, in a multicloud environment | entra.microsoft.com |
Azure portal | View and manage all your Azure resources | portal.azure.com |
Microsoft Purview portal | Manage data handling policies and ensure compliance with regulations | purview.microsoft.com |
Microsoft 365 admin center | Configure Microsoft 365 services; manage roles, licenses, and track updates to your Microsoft 365 services | admin.microsoft.com |
Microsoft Intune admin center | Use Microsoft Intune to manage and secure devices. Can also combine Intune and Configuration Manager capabilities. | intune.microsoft.com |
Microsoft Intune portal | Use Microsoft Intune to deploy device policies and monitor devices for compliance | intune.microsoft.com |
Plan roles and permissions
Use Microsoft Entra role-based access control (RBAC) to create and assign roles within your security operations team to grant appropriate access to services included in Microsoft's unified SecOps platform.
The Microsoft Defender XDR Unified role-based access control (RBAC) model provides a single permissions management experience: one central location where administrators control user permissions across several security solutions. For more information, see Microsoft Defender XDR Unified role-based access control (RBAC).
For the following services, use the different roles available, or create custom roles, to give you fine-grained control over what users can see and do. For more information, see:
Plan Zero Trust activities
Microsoft's unified SecOps platform is part of Microsoft's Zero Trust security model, which includes the following principles:
Security principle | Description |
---|---|
Verify explicitly | Always authenticate and authorize based on all available data points. |
Use least privilege access | Limit user access with Just-In-Time and Just-Enough-Access (JIT/JEA), risk-based adaptive policies, and data protection. |
Assume breach | Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses. |
Zero Trust security is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing least-privileged access, and using advanced analytics to detect and respond to threats.
For more information about implementing Zero Trust principles in Microsoft's unified SecOps platform, see Zero Trust content for the following services:
- Microsoft Defender XDR
- Microsoft Sentinel
- Microsoft Defender for Identity
- Microsoft Defender for Office 365
- Microsoft Defender for Endpoint
- Microsoft Defender for Cloud Apps
- Microsoft Security Exposure Management
- Microsoft Defender for Cloud
- Microsoft Security Copilot
- Microsoft Entra ID Protection
- Microsoft Purview
For more information, see the Zero Trust Guidance Center.