Incident response with integrated SIEM and XDR

This solution guide shows you how to set up Microsoft extended detection and response (XDR) tools with Microsoft Sentinel so your organization can respond to and remediate cybersecurity attacks faster.

Microsoft Defender XDR is an XDR solution that automatically collects, correlates, and analyzes signal, threat, and alert data from across your Microsoft 365 environment.

Microsoft Sentinel is a cloud-native solution that provides security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities. Together, Microsoft Sentinel and Microsoft Defender XDR provide a comprehensive solution to help organizations defend against modern attacks.

This guidance helps you improve your Zero Trust architecture by mapping the principles of Zero Trust in the following ways:

| Zero Trust principle | Met by |
|---|---|
| Verify explicitly | Microsoft Sentinel collects data from across the environment and analyzes threats and anomalies so your organization and any automation can act on verified data. Microsoft Defender XDR provides extended detection and response across users, identities, devices, apps, and emails. Configure Microsoft Sentinel automation to use risk-based signals captured by Microsoft Defender XDR to take action, such as blocking or authorizing traffic based on risk. |
| Use least privileged access | Microsoft Sentinel detects anomalous activity through its UEBA engine. As security scenarios change rapidly, its threat intelligence imports data from Microsoft and third-party providers to detect and contextualize emerging threats. Microsoft Defender XDR includes Microsoft Entra ID Protection to block users based on identity risk. Feed related data into Microsoft Sentinel for further analysis and automation. |
| Assume breach | Microsoft Defender XDR continuously scans the environment for threats and vulnerabilities. Microsoft Sentinel analyzes collected data and behavioral trends to detect suspicious activity, anomalies, and multistage threats across the enterprise. Both Microsoft Defender XDR and Microsoft Sentinel implement automated remediation tasks, including investigations, device isolation, and data quarantine. Use device risk as a signal for Microsoft Entra Conditional Access. |

Microsoft Sentinel and XDR architecture

Microsoft Sentinel customers can use one of these methods to integrate Microsoft Sentinel with Microsoft Defender XDR services:

  • Onboard Microsoft Sentinel to the Defender portal to merge Microsoft Sentinel and Microsoft Defender XDR into a unified SecOps platform. View Sentinel data directly in the Defender portal alongside your Defender incidents, alerts, vulnerabilities, and security data.

  • Use Microsoft Sentinel data connectors to ingest Microsoft Defender XDR service data into Microsoft Sentinel. View Microsoft Sentinel data in the Azure portal.

This guidance center provides information for both methods. If you've onboarded your workspace to the Defender portal, use it; if not, use the Azure portal unless otherwise indicated.

The following illustration shows how Microsoft's XDR solution integrates with Microsoft Sentinel in the Defender portal.

Diagram of a Microsoft Sentinel and Microsoft Defender XDR architecture with the SecOps operations platform.

In this diagram:

  • Insights from signals across your entire organization feed into Microsoft Defender XDR and Microsoft Defender for Cloud.
  • Microsoft Sentinel provides support for multicloud environments and integrates with third-party apps and partners.
  • Microsoft Sentinel data is ingested together with your organization's data into the Microsoft Defender portal.
  • SecOps teams can analyze and respond to threats identified by Microsoft Sentinel and Microsoft Defender XDR in the Microsoft Defender portal.

Key capabilities

Implement a Zero Trust approach for managing incidents using Microsoft Sentinel and Defender XDR features. For workspaces onboarded to the Defender portal, use Microsoft Sentinel in the Defender portal.

| Capability or feature | Description | Product |
|---|---|---|
| Automated Investigation & Response (AIR) | AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. | Microsoft Defender XDR |
| Advanced hunting | Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events on your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. | Microsoft Defender XDR |
| Custom file indicators | Prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. | Microsoft Defender XDR |
| Cloud discovery | Cloud Discovery analyzes traffic logs collected by Defender for Endpoint and assesses identified apps against the cloud app catalog to provide compliance and security information. | Microsoft Defender for Cloud Apps |
| Custom network indicators | By creating indicators for IPs and URLs or domains, you can allow or block IPs, URLs, or domains based on your own threat intelligence. | Microsoft Defender XDR |
| Endpoint detection and response (EDR) in block mode | Provides added protection from malicious artifacts when Microsoft Defender Antivirus (MDAV) isn't the primary antivirus product and is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that were detected by EDR capabilities. | Microsoft Defender XDR |
| Device response capabilities | Quickly respond to detected attacks by isolating devices or collecting an investigation package. | Microsoft Defender XDR |
| Live response | Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time. | Microsoft Defender XDR |
| Secure cloud applications | A development security operations (DevSecOps) solution that unifies security management at the code level across multicloud and multiple-pipeline environments. | Microsoft Defender for Cloud |
| Improve your security posture | A cloud security posture management (CSPM) solution that surfaces actions that you can take to prevent breaches. | Microsoft Defender for Cloud |
| Protect cloud workloads | A cloud workload protection platform (CWPP) with specific protections for servers, containers, storage, databases, and other workloads. | Microsoft Defender for Cloud |
| User and Entity Behavioral Analytics (UEBA) | Analyzes the behavior of organization entities such as users, hosts, IP addresses, and applications. | Microsoft Sentinel |
| Fusion | A correlation engine based on scalable machine learning algorithms. Automatically detects multistage attacks, also known as advanced persistent threats (APT), by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. | Microsoft Sentinel |
| Threat Intelligence | Use Microsoft and third-party providers to enrich data and provide extra context around activities, alerts, and logs in your environment. | Microsoft Sentinel |
| Automation | Automation rules are a way to centrally manage automation with Microsoft Sentinel, by allowing you to define and coordinate a small set of rules that can apply across different scenarios. | Microsoft Sentinel |
| Anomaly rules | Anomaly rule templates use machine learning to detect specific types of anomalous behavior. | Microsoft Sentinel |
| Scheduled queries | Built-in rules written by Microsoft security experts that search through logs collected by Microsoft Sentinel for suspicious activity chains and known threats. | Microsoft Sentinel |
| Near-real-time (NRT) rules | NRT rules are a limited set of scheduled rules, designed to run once every minute, in order to supply you with information that is as up to the minute as possible. | Microsoft Sentinel |
| Hunting | To help security analysts look proactively for new anomalies that weren't detected by your security apps or even by your scheduled analytics rules, Microsoft Sentinel's built-in hunting queries guide you into asking the right questions to find issues in the data you already have on your network. For workspaces onboarded to the Defender portal, use the Microsoft Defender portal advanced hunting functionality. | Microsoft Sentinel |
| Microsoft Defender XDR connector | The Microsoft Defender XDR connector synchronizes logs and incidents to Microsoft Sentinel. | Microsoft Defender XDR and Microsoft Sentinel |
| Data connectors | Allow for the ingestion of data for analysis in Microsoft Sentinel. | Microsoft Sentinel |
| Content hub solution - Zero Trust (TIC 3.0) | Zero Trust (TIC 3.0) includes a workbook, analytics rules, and a playbook, which provide an automated visualization of Zero Trust principles, cross-walked to the Trusted Internet Connections framework, helping organizations to monitor configurations over time. | Microsoft Sentinel |
| Security orchestration, automation, and response (SOAR) | Using automation rules and playbooks in response to security threats increases your SOC's effectiveness and saves you time and resources. | Microsoft Sentinel |
| SOC optimizations | Close coverage gaps against specific threats and tighten your ingestion rates against data that doesn't provide security value. For workspaces onboarded to the Defender portal, use SOC optimization in the Microsoft Defender portal. | Microsoft Sentinel |
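As an added example that is not part of this guide, the following advanced hunting query in KQL applies the cross-service correlation described in the capabilities above: it lists devices whose alerts, within the 30-day hunting window, come from more than one Defender service, which is the kind of multistage pattern a SecOps analyst reviews before an incident is escalated. The AlertInfo and AlertEvidence tables and their columns are the documented advanced hunting schema; the 7-day lookback, the severity filter, and the result limit are assumptions chosen for illustration.

```kusto
// Assumed lookback; advanced hunting holds at most 30 days of raw data.
let lookback = 7d;
// Start from alert metadata (one row per alert, with the originating service).
AlertInfo
| where Timestamp > ago(lookback)
| where Severity in ("Medium", "High")
// Attach the device entity from the alert evidence so alerts can be grouped per device.
| join kind=inner (
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where EntityType == "Machine" and isnotempty(DeviceId)
    | project AlertId, DeviceId, DeviceName
) on AlertId
| summarize
    AlertCount = count(),
    Services   = make_set(ServiceSource),
    Categories = make_set(Category),
    Titles     = make_set(Title, 10),
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp)
    by DeviceId, DeviceName
// Keep only devices seen by more than one Defender service (for example,
// Defender for Endpoint plus Defender for Identity or Defender for Office 365).
| where array_length(Services) > 1
| extend SpanHours = datetime_diff("hour", LastSeen, FirstSeen)
| project DeviceName, DeviceId, AlertCount, Services, Categories, Titles, FirstSeen, LastSeen, SpanHours
| order by AlertCount desc, SpanHours asc
| take 50
```

In a workspace onboarded to the Defender portal, the same query runs from the unified advanced hunting page, where Microsoft Sentinel tables can be joined in alongside the Defender XDR tables.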

What's in this solution

This solution helps your security operations team remediate incidents using a Zero Trust approach by guiding you through Microsoft Sentinel and Microsoft Defender XDR implementation. The implementation includes these phases:

| Phase | Description |
|---|---|
| 1. Pilot and deploy Microsoft Defender XDR services | Start by piloting Microsoft Defender XDR services so you can evaluate their features and capabilities before you complete the deployment across your organization. |
| 2. Plan your deployment | Then, plan your full SIEM and XDR deployment, including the XDR services and the workspace for Microsoft Sentinel. |
| 3. Set up XDR tools and architect your workspace | In this phase, deploy the XDR services you decided to use across your environment, and deploy Microsoft Sentinel and other services to support your SIEM and XDR solution. If you plan to work from the Azure portal, skip the step to connect Microsoft Sentinel to the Microsoft Defender portal. This step is only relevant if you want to use Microsoft Sentinel in the Defender portal, and isn't relevant if you want to respond to incidents in the Azure portal. |
| 4. Respond to incidents | Finally, respond to incidents based on whether you onboarded to the Defender portal: respond to an incident from the Defender portal, or respond to an incident from the Azure portal. |

For more information, see Zero Trust security with Microsoft Sentinel and Defender XDR and related content for your portal: