Microsoft Sentinel Spotlight - December 2023

Published: 14th December 2023 | In: Insights

Microsoft Sentinel news

At this year's Ignite (now back to being an in-person event), the big Microsoft Sentinel news, apart from Copilot of course, is Microsoft Defender XDR (formerly Microsoft 365 Defender).

So why mention another product in a Microsoft Sentinel news article? It's all to do with unification. Microsoft is merging many of its security technologies, including Microsoft Sentinel, into a single portal at security.microsoft.com. The Microsoft Sentinel part of this is currently in Private Preview, but some related changes were made available immediately after they were announced: Microsoft Defender for Cloud alerts now surface in the unified portal, and the Microsoft Defender for Cloud Apps portal, whose retirement has been announced, is also available in this unified view.

What does this mean in real terms? Fundamentally, if you have one or more Defender products and Microsoft Sentinel, you may end up spending more of your time in the unified portal. You can move easily between Defender for Endpoint, Microsoft Sentinel and Cloud Apps, and you get an aggregated Incident and Alert view across every connected product without switching browser tabs.

Advanced Hunting, formerly the query capability for Defender for Endpoint, now lets you query more connected data, in particular the data tables from Microsoft Sentinel. This is a new capability that allows correlation between most Defender technologies and Microsoft Sentinel within the unified portal. The reverse direction is not on the roadmap: Microsoft has no current plans to let you query Defender XDR data from the Microsoft Sentinel portal without ingesting it, so if you need that data in Microsoft Sentinel you will still have to export it there. That opens up a possible data storage cost saving, if you are happy for some Defender data to be available only in the unified portal and not in Microsoft Sentinel. Either way, the Defender data connectors are still needed to link and synchronise the two products.
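As an added illustration of the cross-product correlation described above (this is example code written for this article, not a query from Microsoft or from the original page), the KQL below runs in the unified portal's Advanced Hunting and joins a Microsoft Sentinel table (SigninLogs, populated by the Microsoft Entra ID connector) with a Defender for Endpoint table (DeviceLogonEvents). It lists successful device logons that occurred within an hour of a medium- or high-risk interactive sign-in by the same user. It assumes your Sentinel workspace is onboarded to the unified portal so that SigninLogs is visible alongside the Device* tables; the lookback and correlation window are arbitrary values chosen for the example.

```kql
// Added example (not from the original article): correlate a risky Entra ID sign-in
// recorded in Microsoft Sentinel's SigninLogs with successful device logons recorded by
// Defender for Endpoint in DeviceLogonEvents, all in one Advanced Hunting query.
// Assumptions: the Sentinel workspace is onboarded to security.microsoft.com, and the
// Entra ID data connector is feeding SigninLogs. lookback and window are example values.
let lookback = 7d;
let window = 1h;
// Sentinel side: successful sign-ins that Entra ID Protection flagged as risky.
// Note SigninLogs uses TimeGenerated, while Defender tables use Timestamp.
let riskySignins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where RiskLevelDuringSignIn in ("medium", "high")
    | where ResultType == "0"                         // "0" = successful sign-in
    | project SigninTime = TimeGenerated,
              Upn = tolower(UserPrincipalName),        // normalise case for the join
              SigninIp = IPAddress,
              RiskLevelDuringSignIn,
              AppDisplayName;
// Defender for Endpoint side: successful logons on managed devices.
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonSuccess"
| where isnotempty(AccountUpn)                        // local accounts have no UPN to join on
| extend Upn = tolower(AccountUpn)
| join kind=inner riskySignins on Upn
// Keep only device logons that follow the risky sign-in within the correlation window.
| where Timestamp between (SigninTime .. (SigninTime + window))
| project SigninTime, DeviceLogonTime = Timestamp, Upn, SigninIp, RiskLevelDuringSignIn,
          AppDisplayName, DeviceName, LogonType, RemoteIP
| order by SigninTime desc
```

The point of the example is that a query like this could not previously be written in one place: the sign-in risk comes from a Sentinel table and the device logon from a Defender table. Because the Sentinel tables are only reachable here once the workspace is onboarded, expect the SigninLogs reference to fail with a "table not found" style error in a tenant that has not been connected, which is also a cheap way to confirm whether the unification has taken effect for your tenant.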

So, how will this affect a Security Operations Centre (SOC) and its processes? It may mean that in future analysts pivot to security.microsoft.com first, as it has more data and more products available in one place (fewer hops to find, analyse and resolve an issue). However, there will still be a need for the Microsoft Sentinel portal, and there are no plans to retire it. I can see a scenario where we must provide the right portal link in any ITSM tool (Jira, ServiceNow etc.), so that an analyst lands on the right portal and gets to the data quickly.

If you are already a power user of security.microsoft.com then you'll probably appreciate the unification work. If you are a mainly Microsoft Sentinel-centric organisation, you will want to start learning your way around the unified portal now.