Microsoft Sentinel in the Microsoft Defender portal
This article describes the Microsoft Sentinel experience in the Microsoft Defender portal. Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. For more information, see:
- Blog post: General availability of the Microsoft unified security operations platform
- Blog post: Frequently asked questions about the unified security operations platform
- Connect Microsoft Sentinel to Microsoft Defender XDR
New and improved capabilities
The following table describes the new or improved capabilities available in the Defender portal with the integration of Microsoft Sentinel and Defender XDR.
| Capabilities | Description |
|---|---|
| Advanced hunting | Query from a single portal across different data sets to make hunting more efficient and remove the need for context-switching. Use Copilot for Security to help generate your KQL. View and query all data including data from Microsoft security services and Microsoft Sentinel. Use all your existing Microsoft Sentinel workspace content, including queries and functions. For more information, see the following articles: - Advanced hunting in the Microsoft Defender portal - Copilot for Security in advanced hunting |
| Attack disrupt | Deploy automatic attack disruption for SAP with both the unified security operations platform and the Microsoft Sentinel solution for SAP applications. For example, contain compromised assets by locking suspicious SAP users in case of a financial process manipulation attack. Attack disruption capabilities for SAP are available in the Defender portal only. To use attack disruption for SAP, update your data connector agent version and ensure that the relevant Azure role is assigned to your agent's identity. For more information, see Automatic attack disruption for SAP. |
| SOC optimizations | Get high-fidelity and actionable recommendations to help you identify areas to: - Reduce costs - Add security controls - Add missing data SOC optimizations are available in the Defender and Azure portals, are tailored to your environment, and are based on your current coverage and threat landscape. For more information, see the following articles: - Optimize your security operations - SOC optimization reference of recommendations |
| Unified entities | Entity pages for devices, users, IP addresses, and Azure resources in the Defender portal display information from Microsoft Sentinel and Defender data sources. These entity pages give you an expanded context for your investigations of incidents and alerts in the Defender portal. For more information, see Investigate entities with entity pages in Microsoft Sentinel. |
| Unified incidents | Manage and investigate security incidents in a single location and from a single queue in the Defender portal. Use Copilot for Security to summarize, respond and report. Incidents include: - Data from the breadth of sources - AI analytics tools of security information and event management (SIEM) - Context and mitigation tools offered by extended detection and response (XDR) For more information, see the following articles: - Incident response in the Microsoft Defender portal - Investigate Microsoft Sentinel incidents in Copilot for Security |
Capability differences between portals
Most Microsoft Sentinel capabilities are available in both the Azure and Defender portals. In the Defender portal, some Microsoft Sentinel experiences open out to the Azure portal for you to complete a task.
This section covers the Microsoft Sentinel capabilities or integrations in the unified security operations platform that are only available in either the Azure portal or Defender portal or other significant differences between the portals. It excludes the Microsoft Sentinel experiences that open the Azure portal from the Defender portal.
| Capability | Availability | Description |
|---|---|---|
| Advanced hunting using bookmarks | Azure portal only | Bookmarks aren't supported in the advanced hunting experience in the Microsoft Defender portal. In the Defender portal, they're supported in the Microsoft Sentinel > Threat management > Hunting. For more information, see Keep track of data during hunting with Microsoft Sentinel. |
| Attack disruption for SAP | Defender portal only | This functionality is unavailable in the Azure portal. For more information, see Automatic attack disruption in the Microsoft Defender portal. |
| Automation | Some automation procedures are available only in the Azure portal. Other automation procedures are the same in the Defender and Azure portals, but differ in the Azure portal between workspaces that are onboarded to the unified security operations platform and workspaces that aren't. |
For more information, see Automation with the unified security operations platform. |
| Data connectors: visibility of connectors used by the unified security operations platform | Azure portal only | In the Defender portal, after you onboard Microsoft Sentinel, the following data connectors that are part of the unified security operations platform aren't shown in the Data connectors page: In the Azure portal, these data connectors are still listed with the installed data connectors in Microsoft Sentinel. |
| Entities: Add entities to threat intelligence from incidents | Azure portal only | This functionality is unavailable in the unified security operations platform. For more information, see Add entity to threat indicators. |
| Fusion: Advanced multistage attack detection | Azure portal only | The Fusion analytics rule, which creates incidents based on alert correlations made by the Fusion correlation engine, is disabled when you onboard Microsoft Sentinel to the unified security operations platform. The unified security operations platform uses Microsoft Defender XDR's incident-creation and correlation functionalities to replace those of the Fusion engine. For more information, see Advanced multistage attack detection in Microsoft Sentinel |
| Incidents: Adding alerts to incidents / Removing alerts from incidents |
Defender portal only | After onboarding Microsoft Sentinel to the unified security operations platform, you can no longer add alerts to, or remove alerts from, incidents in the Azure portal. You can remove an alert from an incident in the Defender portal, but only by linking the alert to another incident (existing or new). |
| Incidents: editing comments | Azure portal only | After onboarding Microsoft Sentinel to the unified security operations platform, you can add comments to incidents in either portal, but you can't edit existing comments. Edits made to comments in the Azure portal don't synchronize to the unified security operations platform. |
| Incidents: Programmatic and manual creation of incidents | Azure portal only | Incidents created in Microsoft Sentinel through the API, by a Logic App playbook, or manually from the Azure portal, aren't synchronized to the unified security operations platform. These incidents are still supported in the Azure portal and the API. See Create your own incidents manually in Microsoft Sentinel. |
| Incidents: Reopening closed incidents | Azure portal only | In the unified security operations platform, you can't set alert grouping in Microsoft Sentinel analytics rules to reopen closed incidents if new alerts are added. Closed incidents aren't reopened in this case, and new alerts trigger new incidents. |
| Incidents: Tasks | Azure portal only | Tasks are unavailable in the unified security operations platform. For more information, see Use tasks to manage incidents in Microsoft Sentinel. |
| Multiple workspace management for Microsoft Sentinel | Defender portal: Limited to one Microsoft Sentinel workspace per tenant Azure portal: Centrally manage multiple Microsoft Sentinel workspaces for tenants |
Only one Microsoft Sentinel workspace per tenant is currently supported in the unified security operations platform. So, Microsoft Defender multitenant management supports one Microsoft Sentinel workspace per tenant. For more information, see the following articles: - Defender portal: Microsoft Defender multitenant management - Azure portal: Manage multiple Microsoft Sentinel workspaces with workspace manager |
Quick reference
Some Microsoft Sentinel capabilities, like the unified incident queue, are integrated with Microsoft Defender XDR in the unified security operations platform. Many other Microsoft Sentinel capabilities are available in the Microsoft Sentinel section of the Defender portal.
The following image shows the Microsoft Sentinel menu in the Defender portal:
The following sections describe where to find Microsoft Sentinel features in the Defender portal. The sections are organized as Microsoft Sentinel is in the Azure portal.
General
The following table lists the changes in navigation between the Azure and Defender portals for the General section in the Azure portal.
| Azure portal | Defender portal |
|---|---|
| Overview | Overview |
| Logs | Investigation & response > Hunting > Advanced hunting |
| News & guides | Not available |
| Search | Microsoft Sentinel > Search |
Threat management
The following table lists the changes in navigation between the Azure and Defender portals for the Threat management section in the Azure portal.
| Azure portal | Defender portal |
|---|---|
| Incidents | Investigation & response > Incidents & alerts > Incidents |
| Workbooks | Microsoft Sentinel > Threat management> Workbooks |
| Hunting | Microsoft Sentinel > Threat management > Hunting |
| Notebooks | Microsoft Sentinel > Threat management > Notebooks |
| Entity behavior | User entity page: Assets > Identities > {user} > Sentinel events Device entity page: Assets > Devices > {device} > Sentinel events Also, find the entity pages for the user, device, IP, and Azure resource entity types from incidents and alerts as they appear. |
| Threat intelligence | Microsoft Sentinel > Threat management > Threat intelligence |
| MITRE ATT&CK | Microsoft Sentinel > Threat management > MITRE ATT&CK |
Content management
The following table lists the changes in navigation between the Azure and Defender portals for the Content management section in the Azure portal.
| Azure portal | Defender portal |
|---|---|
| Content hub | Microsoft Sentinel > Content management > Content hub |
| Repositories | Microsoft Sentinel > Content management > Repositories |
| Community | Microsoft Sentinel > Content management > Community |
Configuration
The following table lists the changes in navigation between the Azure and Defender portals for the Configuration section in the Azure portal.
| Azure portal | Defender portal |
|---|---|
| Workspace manager | Not available |
| Data connectors | Microsoft Sentinel > Configuration > Data connectors |
| Analytics | Microsoft Sentinel > Configuration > Analytics |
| Watchlists | Microsoft Sentinel > Configuration > Watchlists |
| Automation | Microsoft Sentinel > Configuration > Automation |
| Settings | System > Settings > Microsoft Sentinel |