Muokkaa

Jaa


Microsoft Sentinel in the Microsoft Defender portal

This article describes the Microsoft Sentinel experience in the Microsoft Defender portal. Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal with Microsoft Defender XDR. For more information, see:

For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license.

New and improved capabilities

The following table describes the new or improved capabilities available in the Defender portal with the integration of Microsoft Sentinel. Microsoft continues to innovate in this new experience with features that might be exclusive to the Defender portal.

Capabilities Description
Advanced hunting Query from a single portal across different data sets to make hunting more efficient and remove the need for context-switching. Use Security Copilot to help generate your KQL. View and query all data including data from Microsoft security services and Microsoft Sentinel. Use all your existing Microsoft Sentinel workspace content, including queries and functions.

For more information, see the following articles:
- Advanced hunting in the Microsoft Defender portal
- Security Copilot in advanced hunting
SOC optimizations Get high-fidelity and actionable recommendations to help you identify areas to:
- Reduce costs
- Add security controls
- Add missing data
SOC optimizations are available in the Defender and Azure portals, are tailored to your environment, and are based on your current coverage and threat landscape.

For more information, see the following articles:
- Optimize your security operations
- Use SOC optimizations programmatically
- SOC optimization reference of recommendations
Microsoft Copilot in Microsoft Defender When investigating incidents in the Defender portal,
- Summarize incidents
- Analyze scripts
- Analyze files
- Create incident reports

When hunting for threats in advanced hunting, create ready-to-run KQL queries by using the query assistant. For more information, see Microsoft Security Copilot in advanced hunting.

The following table describes the additional capabilities available in the Defender portal with the integration of Microsoft Sentinel and Microsoft Defender XDR as part of Microsoft's unified security operations platform.

Capabilities Description
Attack disrupt Deploy automatic attack disruption for SAP with both the Defender portal and the Microsoft Sentinel solution for SAP applications. For example, contain compromised assets by locking suspicious SAP users in case of a financial process manipulation attack.

Attack disruption capabilities for SAP are available in the Defender portal only. To use attack disruption for SAP, update your data connector agent version and ensure that the relevant Azure role is assigned to your agent's identity.

For more information, see Automatic attack disruption for SAP.
Unified entities Entity pages for devices, users, IP addresses, and Azure resources in the Defender portal display information from Microsoft Sentinel and Defender data sources. These entity pages give you an expanded context for your investigations of incidents and alerts in the Defender portal.

For more information, see Investigate entities with entity pages in Microsoft Sentinel.
Unified incidents Manage and investigate security incidents in a single location and from a single queue in the Defender portal. Use Security Copilot to summarize, respond, and report. Incidents include:
- Data from the breadth of sources
- AI analytics tools of security information and event management (SIEM)
- Context and mitigation tools offered by extended detection and response (XDR)

For more information, see the following articles:
- Incident response in the Microsoft Defender portal
- Investigate Microsoft Sentinel incidents in Security Copilot
Microsoft Copilot in Microsoft Defender When investigating incidents with Microsoft Sentinel integrated with Defender XDR,
- Triage and investigate incidents with guided responses
- Summarize device information
- Summarize identity information

Summarize the relevant threats impacting your environment, to prioritize resolving threats based on your exposure levels, or to find threat actors that might be targeting your industry by using Security Copilot in threat intelligence. For more information, see Using Microsoft Security Copilot for threat intelligence.

Capability differences between portals

Most Microsoft Sentinel capabilities are available in both the Azure and Defender portals. In the Defender portal, some Microsoft Sentinel experiences open out to the Azure portal for you to complete a task.

This section covers the Microsoft Sentinel capabilities or integrations that are only available in either the Azure portal or Defender portal or other significant differences between the portals. It excludes the Microsoft Sentinel experiences that open the Azure portal from the Defender portal.

Capability Availability Description
Advanced hunting using bookmarks Azure portal only Bookmarks aren't supported in the advanced hunting experience in the Microsoft Defender portal. In the Defender portal, they're supported in the Microsoft Sentinel > Threat management > Hunting.

For more information, see Keep track of data during hunting with Microsoft Sentinel.
Attack disruption for SAP Defender portal only with Defender XDR This functionality is unavailable in the Azure portal.

For more information, see Automatic attack disruption in the Microsoft Defender portal.
Automation Some automation procedures are available only in the Azure portal.

Other automation procedures are the same in the Defender and Azure portals, but differ in the Azure portal between workspaces that are onboarded to the Defender portal and workspaces that aren't.


For more information, see Automation with the unified security operations platform.
Data connectors: visibility of connectors used by the unified security operations platform Azure portal only In the Defender portal, after you onboard Microsoft Sentinel, the following data connectors that are part of the unified security operations platform aren't shown in the Data connectors page:
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365 (Preview)
  • Microsoft Defender XDR
  • Subscription-based Microsoft Defender for Cloud (Legacy)
  • Tenant-based Microsoft Defender for Cloud (Preview)

    In the Azure portal, these data connectors are still listed with the installed data connectors in Microsoft Sentinel.
  • Entities: Add entities to threat intelligence from incidents Azure portal only This functionality is unavailable in the Defender portal.

    For more information, see Add entity to threat indicators.
    Fusion: Advanced multistage attack detection Azure portal only The Fusion analytics rule, which creates incidents based on alert correlations made by the Fusion correlation engine, is disabled when you onboard Microsoft Sentinel to the Defender portal.

    The Defender portal uses Microsoft Defender XDR's incident-creation and correlation functionalities to replace those of the Fusion engine.

    For more information, see Advanced multistage attack detection in Microsoft Sentinel
    Incidents: Adding alerts to incidents /
    Removing alerts from incidents
    Defender portal only After onboarding Microsoft Sentinel to the Defender portal, you can no longer add alerts to, or remove alerts from, incidents in the Azure portal.

    You can remove an alert from an incident in the Defender portal, but only by linking the alert to another incident (existing or new).
    Incidents: editing comments Azure portal only After onboarding Microsoft Sentinel to the Defender portal, you can add comments to incidents in either portal, but you can't edit existing comments.

    Edits made to comments in the Azure portal don't synchronize to the Defender portal.
    Incidents: Programmatic and manual creation of incidents Azure portal only Incidents created in Microsoft Sentinel through the API, by a Logic App playbook, or manually from the Azure portal, aren't synchronized to the Defender portal. These incidents are still supported in the Azure portal and the API. See Create your own incidents manually in Microsoft Sentinel.
    Incidents: Reopening closed incidents Azure portal only In the Defender portal, you can't set alert grouping in Microsoft Sentinel analytics rules to reopen closed incidents if new alerts are added.
    Closed incidents aren't reopened in this case, and new alerts trigger new incidents.
    Incidents: Tasks Azure portal only Tasks are unavailable in the Defender portal.

    For more information, see Use tasks to manage incidents in Microsoft Sentinel.
    Multiple workspace management for Microsoft Sentinel Defender portal: Limited to one Microsoft Sentinel workspace per tenant

    Azure portal: Centrally manage multiple Microsoft Sentinel workspaces for tenants
    Only one Microsoft Sentinel workspace per tenant is currently supported in the Defender portal. So, Microsoft Defender multitenant management supports one Microsoft Sentinel workspace per tenant.

    For more information, see the following articles:
    - Defender portal: Microsoft Defender multitenant management
    - Azure portal: Manage multiple Microsoft Sentinel workspaces with workspace manager

    Limited or unavailable capabilities

    When you onboard Microsoft Sentinel to the Defender portal without Defender XDR or other services enabled, the following features that show in the Defender portal are currently limited or unavailable.

    Capability Service required
    Exposure management Microsoft Security Exposure Management
    Custom detection rules Microsoft Defender XDR
    Action center Microsoft Defender XDR

    The following limitations also apply to Microsoft Sentinel in Defender portal without Defender XDR or other services enabled:

    • New Microsoft Sentinel customers aren't eligible to onboard a Log Analytics workspace that's created in the Israel region. To onboard to the Defender portal, create another workspace for Microsoft Sentinel in a different region. This additional workspace doesn't need to contain any data.
    • Customers that use Microsoft Sentinel user and entity behavior analytics (UEBA) are provided with a limited version of the IdentityInfo table.

    Quick reference

    Some Microsoft Sentinel capabilities, like the unified incident queue, are integrated with Microsoft Defender XDR in Microsoft's unified security operations platform. Many other Microsoft Sentinel capabilities are available in the Microsoft Sentinel section of the Defender portal.

    The following image shows the Microsoft Sentinel menu in the Defender portal:

    Screenshot of the Defender portal left navigation with the Microsoft Sentinel section.

    The following sections describe where to find Microsoft Sentinel features in the Defender portal. The sections are organized as Microsoft Sentinel is in the Azure portal.

    General

    The following table lists the changes in navigation between the Azure and Defender portals for the General section in the Azure portal.

    Azure portal Defender portal
    Overview Overview
    Logs Investigation & response > Hunting > Advanced hunting
    News & guides Not available
    Search Microsoft Sentinel > Search

    Threat management

    The following table lists the changes in navigation between the Azure and Defender portals for the Threat management section in the Azure portal.

    Azure portal Defender portal
    Incidents Investigation & response > Incidents & alerts > Incidents
    Workbooks Microsoft Sentinel > Threat management> Workbooks
    Hunting Microsoft Sentinel > Threat management > Hunting
    Notebooks Microsoft Sentinel > Threat management > Notebooks
    Entity behavior User entity page: Assets > Identities > {user} > Sentinel events
    Device entity page: Assets > Devices > {device} > Sentinel events

    Also, find the entity pages for the user, device, IP, and Azure resource entity types from incidents and alerts as they appear.
    Threat intelligence Microsoft Sentinel > Threat management > Threat intelligence
    MITRE ATT&CK Microsoft Sentinel > Threat management > MITRE ATT&CK

    Content management

    The following table lists the changes in navigation between the Azure and Defender portals for the Content management section in the Azure portal.

    Azure portal Defender portal
    Content hub Microsoft Sentinel > Content management > Content hub
    Repositories Microsoft Sentinel > Content management > Repositories
    Community Microsoft Sentinel > Content management > Community

    Configuration

    The following table lists the changes in navigation between the Azure and Defender portals for the Configuration section in the Azure portal.

    Azure portal Defender portal
    Workspace manager Not available
    Data connectors Microsoft Sentinel > Configuration > Data connectors
    Analytics Microsoft Sentinel > Configuration > Analytics
    Watchlists Microsoft Sentinel > Configuration > Watchlists
    Automation Microsoft Sentinel > Configuration > Automation
    Settings System > Settings > Microsoft Sentinel