Unify SIEM and XDR for Enhanced Threat Detection

Now when you open the Defender portal (https://security.microsoft.com) you will see the banner shown above. The feature is in public preview, so let's see how the process works.

Defender XDR and Sentinel: Working Together

This table summarizes the key functionalities and considerations when connecting Microsoft Defender XDR and Microsoft Sentinel.

Feature | Benefit | Consideration
One-click XDR incident connection | Simplifies integration by bringing all XDR incidents (with their alerts and entities) into Sentinel for centralized management. | None noted.
Bi-directional incident sync | Keeps both platforms updated with the latest incident status, owner and closing reason. | Changes made in one platform are reflected in the other in near real time.
XDR alert grouping and enrichment | Uses XDR's alert correlation and enrichment inside Sentinel, which shortens time to resolution. | Sentinel's own incident creation and alert grouping logic is not applied to incidents that arrive from XDR.
In-context deep linking | Each Sentinel incident links directly to its corresponding XDR incident, so an investigation can move between the two portals. | None noted.

Avoiding Duplicate Incidents:

  • By default, both XDR and Sentinel create incidents from the same Defender alerts, each with its own grouping logic, so the same activity ends up as two incidents.
  • Recommendation: disable the Microsoft incident creation rules in Sentinel for the products integrated into XDR (Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps) so that the XDR connector is the only source of those incidents. This can be done from the connector page.
  • Note: disabling these rules also disables any alert filters (severity, alert name) that they applied.

Important Note for Unified Security Operations Platform:

  • If you use the unified security operations platform, all Microsoft incident creation rules must be turned off, since they are not supported there.
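The two notes above describe the same clean-up: turning off the Microsoft incident creation rules for the XDR-integrated products (or all of them, for the unified platform). The following PowerShell is an added example, not code from the original post, that does this with the Sentinel REST API through the Az module. The subscription, resource group and workspace names are placeholders; the productFilter strings are the values the alert rules API uses for the four Defender products, and the script assumes a Connect-AzAccount session with the Microsoft Sentinel Contributor role.

```powershell
# Added example, not from the original post: list the Microsoft incident creation
# analytics rules in a Sentinel workspace and disable those that cover products
# integrated into Defender XDR, so the XDR connector becomes the only source of
# those incidents. Needs the Az PowerShell module, a Connect-AzAccount session and
# the Microsoft Sentinel Contributor role. Subscription, resource group and
# workspace names below are placeholders.

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$ResourceGroup  = 'rg-sentinel'                             # placeholder
$Workspace      = 'law-sentinel'                            # placeholder
$ApiVersion     = '2023-02-01'

$base = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
        "/providers/Microsoft.SecurityInsights/alertRules"

# productFilter values the API uses for the products integrated into XDR.
# Set $Products = $null to disable every Microsoft incident creation rule,
# which is what the unified security operations platform requires.
$Products = @(
    'Microsoft Defender Advanced Threat Protection',   # Defender for Endpoint
    'Azure Advanced Threat Protection',                # Defender for Identity
    'Office 365 Advanced Threat Protection',           # Defender for Office 365
    'Microsoft Cloud App Security'                     # Defender for Cloud Apps
)

$rules = (Invoke-AzRestMethod -Method GET -Path "${base}?api-version=$ApiVersion").Content |
         ConvertFrom-Json

foreach ($rule in ($rules.value | Where-Object kind -eq 'MicrosoftSecurityIncidentCreation')) {
    $name   = $rule.properties.displayName
    $filter = $rule.properties.productFilter

    if ($Products -and ($filter -notin $Products)) {
        Write-Host "Keeping     : $name ($filter)"
        continue
    }
    if (-not $rule.properties.enabled) {
        Write-Host "Already off : $name ($filter)"
        continue
    }

    # PUT replaces the whole rule, so send back what we read with only
    # 'enabled' changed; the etag makes the write fail if someone edited
    # the rule in between.
    $rule.properties.enabled = $false
    $payload = @{ kind = $rule.kind; etag = $rule.etag; properties = $rule.properties } |
               ConvertTo-Json -Depth 10

    $resp = Invoke-AzRestMethod -Method PUT -Path "$base/$($rule.name)?api-version=$ApiVersion" -Payload $payload
    if ($resp.StatusCode -in 200, 201) {
        Write-Host "Disabled    : $name ($filter)"
    } else {
        Write-Warning "Failed on $($rule.name): HTTP $($resp.StatusCode) $($resp.Content)"
    }
}
```

Run it once with the Write-Host lines only (comment out the PUT) to review which rules it would touch; the rules are disabled, not deleted, so they can be re-enabled from the Analytics blade if you ever disconnect XDR again.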

Working with XDR Incidents in Sentinel:

  • XDR incidents appear in Sentinel with the product name “Microsoft Defender XDR” and similar functionality to other Sentinel incidents.
  • Each incident includes a link back to the parallel incident in the Microsoft Defender Portal.
  • Incidents and their details synchronize bi-directionally between the platforms in near real time.
  • Changes in status, closing reason, or assignment are reflected in both platforms.
  • Merging incidents in XDR will also be reflected in Sentinel, with one incident containing all alerts and the other being automatically closed.

Alert Limit:

  • Sentinel incidents can hold a maximum of 150 alerts.
  • If an XDR incident has more than 150 alerts, Sentinel will show “150+” and provide a link to the full set of alerts in XDR.

How to connect?

Click Connect a workspace on the Defender portal's main page and choose a workspace; only one workspace can be connected.

If something is not configured correctly, the portal shows an error that you can fix on the Sentinel side.

Connecting to Microsoft Defender XDR in Microsoft Sentinel

Here’s how to establish a connection between Microsoft Defender XDR and Microsoft Sentinel:

  1. Navigate to Data Connectors: Within Microsoft Sentinel, locate the section for “Data connectors.”
  2. Find Microsoft Defender XDR: Browse the data connector gallery and select “Microsoft Defender XDR.”
  3. Configure the Connection: Click “Open connector page” to access the configuration settings. Here, you can choose the level of integration you desire:
    • Connect incidents and alerts: This enables basic integration, synchronizing incidents and their alerts between both platforms.
    • Connect entities: This integrates on-premises Active Directory user identities into Microsoft Sentinel through Microsoft Defender for Identity.
    • Connect events: This enables the collection of raw advanced hunting events from Defender components for in-depth analysis.

Important Note: Disabling a specific component’s connector requires first disconnecting the main Microsoft Defender XDR connector.
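The connector page above writes one resource in the workspace: a data connector of kind MicrosoftThreatProtection, which is the API name of the Defender XDR connector. The following PowerShell is an added example, not code from the original post, that creates or updates that connector with the "Connect incidents and alerts" option enabled and reads it back. All IDs and names are placeholders; it assumes a Connect-AzAccount session with the Microsoft Sentinel Contributor role, and Microsoft's prerequisites for this connector also include the Global Administrator or Security Administrator role in the tenant. The "Connect entities" and "Connect events" options are not covered here; configure those from the connector page.

```powershell
# Added example, not from the original post: create (or update) the Microsoft
# Defender XDR data connector in a Sentinel workspace with the REST API, which is
# the same object the "Connect incidents and alerts" option on the connector page
# writes. Needs the Az PowerShell module, a Connect-AzAccount session and Microsoft
# Sentinel Contributor on the workspace. All IDs and names below are placeholders.

$SubscriptionId = '00000000-0000-0000-0000-000000000000'   # placeholder
$TenantId       = '11111111-1111-1111-1111-111111111111'   # placeholder: Entra tenant that hosts Defender XDR
$ResourceGroup  = 'rg-sentinel'                             # placeholder
$Workspace      = 'law-sentinel'                            # placeholder
$ApiVersion     = '2023-02-01'

$base = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
        "/providers/Microsoft.OperationalInsights/workspaces/$Workspace" +
        "/providers/Microsoft.SecurityInsights/dataConnectors"

# A workspace holds at most one Defender XDR connector (API kind
# MicrosoftThreatProtection). Reuse its id if it already exists, otherwise mint one.
$existing = (Invoke-AzRestMethod -Method GET -Path "${base}?api-version=$ApiVersion").Content |
            ConvertFrom-Json |
            Select-Object -ExpandProperty value |
            Where-Object kind -eq 'MicrosoftThreatProtection'
$ConnectorId = if ($existing) { $existing.name } else { [guid]::NewGuid().ToString() }

# dataTypes.incidents is the "Connect incidents and alerts" switch.
$payload = @{
    kind       = 'MicrosoftThreatProtection'
    properties = @{
        tenantId  = $TenantId
        dataTypes = @{ incidents = @{ state = 'Enabled' } }
    }
} | ConvertTo-Json -Depth 10

$resp = Invoke-AzRestMethod -Method PUT -Path "$base/${ConnectorId}?api-version=$ApiVersion" -Payload $payload
if ($resp.StatusCode -notin 200, 201) {
    throw "Connector PUT failed: HTTP $($resp.StatusCode) $($resp.Content)"
}

# Read the connector back and confirm the incident sync is on.
$connector = (Invoke-AzRestMethod -Method GET -Path "$base/${ConnectorId}?api-version=$ApiVersion").Content |
             ConvertFrom-Json
"Defender XDR connector {0}: incidents = {1}" -f $connector.name, $connector.properties.dataTypes.incidents.state
```

Because the connector's component products (Defender for Endpoint and the others) hang off this one resource, deleting it with a DELETE to the same path is the API equivalent of the "disconnect the main connector first" note above.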

Then continue the process and choose the workspace; the wizard shows what to expect once the process is done.

Well, it doesn't take several minutes; it took about 30 seconds in my case.

And kaboom, connection made!

From the settings page you can disconnect the workspace easily.

And on the main page you can see the Start hunting box. That was easy!

You can now see the Sentinel tables and other entities under Defender portal.

See here for the announcement, hot from the press!

Closure

Excellent, Microsoft is really making an effort to unify the different portals. First MDI and Cloud Apps moved into the Defender portal, and now you can connect a Sentinel workspace to it too.

Microsoft is also unifying the Purview experience under https://purview.microsoft.com which is super cool. I will cover this feature also in my upcoming posts!

Happy unifying SOC and Data protectors in the community!

Author: Harri Jaakkonen