Zero Trust security with Microsoft Sentinel and Defender XDR
Microsoft Defender XDR is an XDR solution that complements Microsoft Sentinel. An XDR pulls raw telemetry data from multiple services, such as cloud applications, email security, and identity and access management.
Using artificial intelligence (AI) and machine learning, the XDR performs automatic analysis, investigation, and real-time response. It also correlates security alerts into larger incidents, giving security teams greater visibility into attacks and prioritizing incidents to help analysts gauge threat risk levels.
With Microsoft Sentinel, you can connect to many security sources using built-in connectors and industry standards. With its AI, you can correlate multiple low-fidelity signals spanning multiple sources to create a complete view of the ransomware kill chain and prioritized alerts.
Common attack order
This section covers a typical attack scenario involving a phishing attack and how to respond to the incident with Microsoft Sentinel and Microsoft Defender XDR.
The diagram shows the Microsoft security products that detect each attack step and how attack signals and SIEM data flow to Microsoft Defender XDR and Microsoft Sentinel.
Here's a summary of the attack.
| Attack step | Detection service and signal source | Defenses in place |
|---|---|---|
| 1. Attacker sends phishing email | Microsoft Defender for Office 365 | Protects mailboxes with advanced anti-phishing features that can protect against malicious impersonation-based phishing attacks. |
| 2. User opens attachment | Microsoft Defender for Office 365 | The Microsoft Defender for Office 365 Safe Attachments feature opens attachments in an isolated environment for more threat scanning (detonation). |
| 3. Attachment installs malware | Microsoft Defender for Endpoint | Protects endpoints from malware with its next-generation protection features, such as cloud-delivered protection and behavior-based/heuristic/real-time antivirus protection. |
| 4. Malware steals user credentials | Microsoft Entra ID and Microsoft Entra ID Protection | Protects identities by monitoring user behavior and activities, detecting lateral movement, and alerting on anomalous activity. |
| 5. Attacker moves laterally across Microsoft 365 apps and data | Microsoft Defender for Cloud Apps | Can detect anomalous activity of users accessing cloud apps. |
| 6. Attacker downloads sensitive files from a SharePoint folder | Microsoft Defender for Cloud Apps | Can detect and respond to mass download events of files from SharePoint. |
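The correlation idea described above (several low-fidelity alerts from different products stitched into one prioritized incident because they share a user or device and fall inside a time window) is shown below as an added, simplified Python illustration. It is not Microsoft's correlation engine and not code from this page; the stage labels, product names used as `source` strings, the scoring thresholds, the 24-hour window, and the sample alerts (users `alice@contoso.example`, `bob@contoso.example`, device `wks-01`) are all constructed for the example. The sample replays the six steps of the attack table for one user alongside one unrelated alert for a second user, so you can see the shared-entity join pull a device-only endpoint alert into the same incident as the email and identity alerts.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Kill-chain stages in the order the attack table lists them (constructed labels).
STAGE_ORDER = {
    "phishing_email": 1,
    "attachment_opened": 2,
    "malware_installed": 3,
    "credential_theft": 4,
    "lateral_movement": 5,
    "mass_download": 6,
}


@dataclass(frozen=True)
class Alert:
    source: str          # product that raised it, e.g. "Defender for Office 365"
    stage: str           # key into STAGE_ORDER
    ts: datetime
    severity: int        # 1 (informational) .. 4 (high); single alerts are low-fidelity
    entities: frozenset  # shared keys such as "user:<upn>" or "device:<name>"


@dataclass
class Incident:
    alerts: list = field(default_factory=list)
    entities: set = field(default_factory=set)

    def stages(self):
        """Distinct kill-chain stages seen, in attack order."""
        return sorted({a.stage for a in self.alerts}, key=STAGE_ORDER.__getitem__)

    def sources(self):
        return sorted({a.source for a in self.alerts})

    def priority(self):
        """Confidence rises with stage coverage and source diversity rather than
        with the worst single alert (constructed, simplified scoring)."""
        worst = max(a.severity for a in self.alerts)
        if len(self.stages()) >= 3 and len(self.sources()) >= 2:
            return "High"
        if len(self.stages()) >= 2 or worst >= 3:
            return "Medium"
        return "Low"


def correlate(alerts, window=timedelta(hours=24)):
    """Group alerts that share an entity (user or device) and fall within
    `window` of the incident's latest alert. Entities accumulate, so a
    device-only alert joins an incident that previously only knew the user."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a.ts):
        target = None
        for inc in incidents:
            latest = max(a.ts for a in inc.alerts)
            if alert.entities & inc.entities and alert.ts - latest <= window:
                target = inc
                break
        if target is None:
            target = Incident()
            incidents.append(target)
        target.alerts.append(alert)
        target.entities |= alert.entities
    # Highest-priority incidents first; ties broken by alert count.
    rank = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(incidents, key=lambda i: (rank[i.priority()], -len(i.alerts)))


def sample_alerts():
    """Constructed alerts: the six attack-table steps for one user, plus one
    unrelated low-severity alert for a different user."""
    t0 = datetime(2024, 1, 1, 9, 0)
    alice = "user:alice@contoso.example"
    wks = "device:wks-01"
    return [
        Alert("Defender for Office 365", "phishing_email", t0, 1, frozenset({alice})),
        Alert("Defender for Office 365", "attachment_opened", t0 + timedelta(minutes=5), 2, frozenset({alice, wks})),
        Alert("Defender for Endpoint", "malware_installed", t0 + timedelta(minutes=10), 3, frozenset({wks})),
        Alert("Entra ID Protection", "credential_theft", t0 + timedelta(hours=2), 2, frozenset({alice})),
        Alert("Defender for Cloud Apps", "lateral_movement", t0 + timedelta(hours=5), 2, frozenset({alice})),
        Alert("Defender for Cloud Apps", "mass_download", t0 + timedelta(hours=6), 3, frozenset({alice})),
        Alert("Defender for Office 365", "phishing_email", t0 + timedelta(hours=1), 1, frozenset({"user:bob@contoso.example"})),
    ]


if __name__ == "__main__":
    for inc in correlate(sample_alerts()):
        print(inc.priority(), sorted(inc.entities), "->", " > ".join(inc.stages()))
```

Running it yields two incidents: a High-priority one covering all six stages across four sources for `alice` and `wks-01`, and a Low-priority one holding only the single phishing alert for `bob`. The point worth taking from the toy is that no individual alert in the first incident is high severity; the priority comes from coverage of the kill chain and agreement between independent signal sources, which is the property the text attributes to the XDR's correlation.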
If you onboarded your Microsoft Sentinel workspace to the Defender portal, SIEM data is available with Microsoft Sentinel directly in the Microsoft Defender portal.
Incident response using Microsoft Sentinel and Microsoft Defender XDR
After observing a common attack, use Microsoft Sentinel and Microsoft Defender XDR for incident response.
After onboarding Microsoft Sentinel to the Defender portal, complete all incident response steps directly in the Microsoft Defender portal just as you do for other Microsoft Defender XDR incidents. Supported steps include everything from triage to investigation and resolution.
Use the Microsoft Sentinel area in the Microsoft Defender portal for features that aren't available with the Defender portal alone.
For more information, see Respond to an incident using Microsoft Sentinel and Microsoft Defender XDR.
Related content
For more information, see Incident response with integrated SIEM and XDR.
For more information about applying Zero Trust principles in Microsoft 365, see:
- Zero Trust deployment plan with Microsoft 365
- Deploy your identity infrastructure for Microsoft 365
- Zero Trust identity and device access configurations
- Manage devices with Microsoft Intune
- Pilot and deploy Microsoft Defender XDR
- Manage data privacy and data protection with Microsoft Priva and Microsoft Purview
- Integrate SaaS apps for Zero Trust with Microsoft 365