Breyta

Deila með


Microsoft Sentinel in the Microsoft Defender portal

This article describes the Microsoft Sentinel experience in the Microsoft Defender portal. Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. For more information, see:

New and improved capabilities

The following table describes the new or improved capabilities available in the Defender portal with the integration of Microsoft Sentinel and Defender XDR.

Capabilities Description
Advanced hunting Query from a single portal across different data sets to make hunting more efficient and remove the need for context-switching. Use Copilot for Security to help generate your KQL. View and query all data including data from Microsoft security services and Microsoft Sentinel. Use all your existing Microsoft Sentinel workspace content, including queries and functions.

For more information, see the following articles:
- Advanced hunting in the Microsoft Defender portal
- Copilot for Security in advanced hunting
Attack disrupt Deploy automatic attack disruption for SAP with both the unified security operations platform and the Microsoft Sentinel solution for SAP applications. For example, contain compromised assets by locking suspicious SAP users in case of a financial process manipulation attack.

Attack disruption capabilities for SAP are available in the Defender portal only. To use attack disruption for SAP, update your data connector agent version and ensure that the relevant Azure role is assigned to your agent's identity.

For more information, see Automatic attack disruption for SAP.
SOC optimizations Get high-fidelity and actionable recommendations to help you identify areas to:
- Reduce costs
- Add security controls
- Add missing data
SOC optimizations are available in the Defender and Azure portals, are tailored to your environment, and are based on your current coverage and threat landscape.

For more information, see the following articles:
- Optimize your security operations
- SOC optimization reference of recommendations
Unified entities Entity pages for devices, users, IP addresses, and Azure resources in the Defender portal display information from Microsoft Sentinel and Defender data sources. These entity pages give you an expanded context for your investigations of incidents and alerts in the Defender portal.

For more information, see Investigate entities with entity pages in Microsoft Sentinel.
Unified incidents Manage and investigate security incidents in a single location and from a single queue in the Defender portal. Use Copilot for Security to summarize, respond and report. Incidents include:
- Data from the breadth of sources
- AI analytics tools of security information and event management (SIEM)
- Context and mitigation tools offered by extended detection and response (XDR)

For more information, see the following articles:
- Incident response in the Microsoft Defender portal
- Investigate Microsoft Sentinel incidents in Copilot for Security

Capability differences between portals

Most Microsoft Sentinel capabilities are available in both the Azure and Defender portals. In the Defender portal, some Microsoft Sentinel experiences open out to the Azure portal for you to complete a task.

This section covers the Microsoft Sentinel capabilities or integrations in the unified security operations platform that are only available in either the Azure portal or Defender portal or other significant differences between the portals. It excludes the Microsoft Sentinel experiences that open the Azure portal from the Defender portal.

Capability Availability Description
Advanced hunting using bookmarks Azure portal only Bookmarks aren't supported in the advanced hunting experience in the Microsoft Defender portal. In the Defender portal, they're supported in the Microsoft Sentinel > Threat management > Hunting.

For more information, see Keep track of data during hunting with Microsoft Sentinel.
Attack disruption for SAP Defender portal only This functionality is unavailable in the Azure portal.

For more information, see Automatic attack disruption in the Microsoft Defender portal.
Automation Some automation procedures are available only in the Azure portal.

Other automation procedures are the same in the Defender and Azure portals, but differ in the Azure portal between workspaces that are onboarded to the unified security operations platform and workspaces that aren't.


For more information, see Automation with the unified security operations platform.
Data connectors: visibility of connectors used by the unified security operations platform Azure portal only In the Defender portal, after you onboard Microsoft Sentinel, the following data connectors that are part of the unified security operations platform aren't shown in the Data connectors page:
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365 (Preview)
  • Microsoft Defender XDR
  • Subscription-based Microsoft Defender for Cloud (Legacy)
  • Tenant-based Microsoft Defender for Cloud (Preview)

    In the Azure portal, these data connectors are still listed with the installed data connectors in Microsoft Sentinel.
  • Entities: Add entities to threat intelligence from incidents Azure portal only This functionality is unavailable in the unified security operations platform.

    For more information, see Add entity to threat indicators.
    Fusion: Advanced multistage attack detection Azure portal only The Fusion analytics rule, which creates incidents based on alert correlations made by the Fusion correlation engine, is disabled when you onboard Microsoft Sentinel to the unified security operations platform.

    The unified security operations platform uses Microsoft Defender XDR's incident-creation and correlation functionalities to replace those of the Fusion engine.

    For more information, see Advanced multistage attack detection in Microsoft Sentinel
    Incidents: Adding alerts to incidents /
    Removing alerts from incidents
    Defender portal only After onboarding Microsoft Sentinel to the unified security operations platform, you can no longer add alerts to, or remove alerts from, incidents in the Azure portal.

    You can remove an alert from an incident in the Defender portal, but only by linking the alert to another incident (existing or new).
    Incidents: editing comments Azure portal only After onboarding Microsoft Sentinel to the unified security operations platform, you can add comments to incidents in either portal, but you can't edit existing comments.

    Edits made to comments in the Azure portal don't synchronize to the unified security operations platform.
    Incidents: Programmatic and manual creation of incidents Azure portal only Incidents created in Microsoft Sentinel through the API, by a Logic App playbook, or manually from the Azure portal, aren't synchronized to the unified security operations platform. These incidents are still supported in the Azure portal and the API. See Create your own incidents manually in Microsoft Sentinel.
    Incidents: Reopening closed incidents Azure portal only In the unified security operations platform, you can't set alert grouping in Microsoft Sentinel analytics rules to reopen closed incidents if new alerts are added.
    Closed incidents aren't reopened in this case, and new alerts trigger new incidents.
    Incidents: Tasks Azure portal only Tasks are unavailable in the unified security operations platform.

    For more information, see Use tasks to manage incidents in Microsoft Sentinel.
    Multiple workspace management for Microsoft Sentinel Defender portal: Limited to one Microsoft Sentinel workspace per tenant

    Azure portal: Centrally manage multiple Microsoft Sentinel workspaces for tenants
    Only one Microsoft Sentinel workspace per tenant is currently supported in the unified security operations platform. So, Microsoft Defender multitenant management supports one Microsoft Sentinel workspace per tenant.

    For more information, see the following articles:
    - Defender portal: Microsoft Defender multitenant management
    - Azure portal: Manage multiple Microsoft Sentinel workspaces with workspace manager

    Quick reference

    Some Microsoft Sentinel capabilities, like the unified incident queue, are integrated with Microsoft Defender XDR in the unified security operations platform. Many other Microsoft Sentinel capabilities are available in the Microsoft Sentinel section of the Defender portal.

    The following image shows the Microsoft Sentinel menu in the Defender portal:

    Screenshot of the Defender portal left navigation with the Microsoft Sentinel section.

    The following sections describe where to find Microsoft Sentinel features in the Defender portal. The sections are organized as Microsoft Sentinel is in the Azure portal.

    General

    The following table lists the changes in navigation between the Azure and Defender portals for the General section in the Azure portal.

    Azure portal Defender portal
    Overview Overview
    Logs Investigation & response > Hunting > Advanced hunting
    News & guides Not available
    Search Microsoft Sentinel > Search

    Threat management

    The following table lists the changes in navigation between the Azure and Defender portals for the Threat management section in the Azure portal.

    Azure portal Defender portal
    Incidents Investigation & response > Incidents & alerts > Incidents
    Workbooks Microsoft Sentinel > Threat management> Workbooks
    Hunting Microsoft Sentinel > Threat management > Hunting
    Notebooks Microsoft Sentinel > Threat management > Notebooks
    Entity behavior User entity page: Assets > Identities > {user} > Sentinel events
    Device entity page: Assets > Devices > {device} > Sentinel events

    Also, find the entity pages for the user, device, IP, and Azure resource entity types from incidents and alerts as they appear.
    Threat intelligence Microsoft Sentinel > Threat management > Threat intelligence
    MITRE ATT&CK Microsoft Sentinel > Threat management > MITRE ATT&CK

    Content management

    The following table lists the changes in navigation between the Azure and Defender portals for the Content management section in the Azure portal.

    Azure portal Defender portal
    Content hub Microsoft Sentinel > Content management > Content hub
    Repositories Microsoft Sentinel > Content management > Repositories
    Community Microsoft Sentinel > Content management > Community

    Configuration

    The following table lists the changes in navigation between the Azure and Defender portals for the Configuration section in the Azure portal.

    Azure portal Defender portal
    Workspace manager Not available
    Data connectors Microsoft Sentinel > Configuration > Data connectors
    Analytics Microsoft Sentinel > Configuration > Analytics
    Watchlists Microsoft Sentinel > Configuration > Watchlists
    Automation Microsoft Sentinel > Configuration > Automation
    Settings System > Settings > Microsoft Sentinel