You probably already know that there have been some significant changes to Microsoft Sentinel, Microsoft's cloud-native security information and event management (SIEM) system, designed to help organisations detect, prevent and respond to security threats. As a SIEM, Sentinel lets defenders collect the data sources and signals of their choosing.
Until now, however, the Defender portal has largely been used for Microsoft's extended detection and response (XDR) products, the Defender suite. Microsoft has now brought the two together into a unified Defender portal that includes Microsoft Sentinel. You can take a look at the Defender portal on the Microsoft Security site.
As a Microsoft Security MVP for three years running and with 18 years’ experience working for Microsoft, I’m passionate about advocating the huge benefits of Sentinel. And so I’ve been collaborating with Jon Shectman, Principal Program Manager for Security at Microsoft, on a very popular series of blogs all about the Defender portal, called A little slice of…
If you work with Sentinel, there's a lot to get up to speed with, so in this short series of blogs I've tried to summarise the key new features of the Defender portal and any new developments in Microsoft Security. This isn't a technical series, so I've shared links where relevant so that you can access all the technical details on LinkedIn or on Microsoft's website.
Why the Defender portal is a superior upgrade
Onboarding Sentinel to Defender offers four distinct advantages:
- Centralised Threat Visibility and Incident Queue: You get a unified view of threats across endpoints, networks, identities and cloud environments, including a single incident queue shared between Sentinel and XDR
- Unified Threat Hunting: It's no longer necessary to export data from Defender to Microsoft Sentinel. In Defender you simply use Advanced Hunting (which is very similar to the Logs blade in Sentinel), and it spans all your data, both Sentinel and XDR
- Security Operations Centre (SOC) Efficiency: Enhanced alert enrichment, improved incident correlation and better entity mapping in Defender
- Multi-Tenant Organisations: A dedicated Defender portal lets you see and manage incident queues across tenants
What’s new and improved with Defender?
The good news is that Sentinel is now available to onboard in Defender even without a Microsoft Defender XDR or an E5 licence. Microsoft also recently introduced the brand new concept of primary and secondary workspaces to fully support multiple workspaces within a single tenant. Jon and I have shared more details in our blog titled A Little Slice of…what’s new and improved with Defender.
If you need to know how to onboard Sentinel to Defender, or how to connect Microsoft Sentinel to the Microsoft Defender portal, visit Microsoft's website, which details everything so that your organisation gets the most value out of the platform.
Defender custom detection rules
One of the big advantages of Defender is that in advanced hunting you can query both Sentinel and Defender data (as well as data from other services). Custom detection rules give you the same advantage. Conceptually they work like Sentinel's scheduled analytics rules: a Kusto Query Language (KQL) query runs on a schedule, and the rows it returns raise security alerts, so organisations can detect exactly what matters to them. They are particularly valuable when you need to detect threats that aren't covered by the built-in detections, or even by the analytics rules available in Sentinel.
It’s important to gain the right permissions
To create and manage these rules, users must have the appropriate permissions, which I won't cover in detail here. Typically this means a role such as Security Administrator or Security Operator, or a custom role that carries the Manage security settings permission in the Microsoft Defender portal.
Key benefits of custom detections
Tailored Threat Detection: Organisations can define what constitutes a threat based on their specific context and environment – an approach we highly recommend at Quorum Cyber.
However, be aware that you need to know your data sources and what you have to protect against: it's no good monitoring a source pointlessly, or missing a valuable one (more on this in the SOC optimisation blog in part two of this series). The MITRE ATT&CK® framework can help you identify the tactics, techniques and procedures (TTPs) on which to focus your detection efforts.
To learn how to craft an effective custom detection rule, have a look at what's already out there. The Microsoft Sentinel GitHub is a rich source of Microsoft- and community-generated detection rules. I also recommend looking at independent, third-party Sigma rules, and using tools such as SOC Prime's Uncoder IO to translate them into KQL.
Flexibility and Control: Security teams have full control over the detection logic and its results, which lets them respond quickly to emerging threats and adjust detection parameters as needed. However, you also take on full responsibility for making sure the rules work, and keep working, over time. And it takes time and investment to learn how to produce and manage these detections effectively.
Enhanced Visibility: By creating detection rules that are specific to your organisation’s environment, you gain deeper visibility into activities that may otherwise go unnoticed.
How to create a custom detection
Creating a custom detection involves several steps, which Jon and I have outlined in A Little Slice of…Defender Custom Detection Rules. In a nutshell, with Defender custom detections you have access to more data sources and greater flexibility to create insights tailored to your organisation's needs. You can use these features to build new queries or adjust existing ones.
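To make the idea of a custom detection rule concrete, here is an added example of the kind of query you would save as one; it is not from the original post, from Jon's and my blog, or from Microsoft's documentation. It takes the Sigma-style logic mentioned above (PowerShell started with an encoded command line, MITRE ATT&CK T1059.001 with T1027 obfuscation) and expresses it as an advanced hunting query over the Defender `DeviceProcessEvents` table. The allow-listed parent process name is an assumption for illustration; replace it with your own sanctioned tooling.

```kql
// Added example (not from the original post): a custom detection query for the
// Defender portal. Logic mirrors a simple Sigma rule:
//   selection: Image|endswith: '\powershell.exe'; CommandLine|contains: '-enc'
let lookback = 1h;                                   // match the rule's run frequency
let allowed_parents = dynamic(["CompanyAgent.exe"]); // assumed: known-good parent processes
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-enc", "-EncodedCommand", "FromBase64String")
| where InitiatingProcessFileName !in~ (allowed_parents)
// A custom detection rule must return Timestamp, ReportId and at least one
// impacted-entity column (DeviceId here) so each result can become an alert
// mapped to an asset. Keep the command line for analyst context.
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, FileName, ProcessCommandLine
```

Run the query in advanced hunting first and tune the allow-list until the result set is empty on a normal day; only then save it as a custom detection with a frequency that matches the `lookback` window, otherwise you either miss events or alert on the same ones twice. Two caveats a practitioner will hit: the Continuous (near-real-time) frequency only supports a restricted subset of KQL, so a query like this one with `let` statements and dynamic allow-lists may need the hourly schedule; and if you extend the query to join Sentinel tables such as `SigninLogs`, remember that they use `TimeGenerated` rather than `Timestamp`, so rename or align the columns before projecting the required fields.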
Coming up…
In the next blog in this series on 21st August 2025, I’ll cover SOC optimisation.
If you have any questions about integrating Sentinel with Defender XDR, then please get in touch.