Azure Sentinel vs. Microsoft Defender (2024)

Having followed Microsoft (security) technologies for a long time now, I have often heard people wonder how the (former) Microsoft Threat Protection and Azure Sentinel fit into a single product strategy.

(Figure 1: Azure Sentinel vs. Microsoft Defender)

At this year's first virtual Ignite, Microsoft made a statement on that:

  1. Satya Nadella made it clear that the one complements the other (see picture above)
  2. A quite radical rebranding of the most important Defender solutions took place:

(Figure 2: Azure Sentinel vs. Microsoft Defender, the Defender rebranding)

In my opinion that makes it crystal clear that, on the one side, Microsoft is merging and aligning the tools in Microsoft 365 Defender (formerly known as "Microsoft Threat Protection"). This could already be witnessed in demos at Ignite, where Microsoft employees were working on a converged portal that included all security workloads.

Nadella's statement, on the other side, was important for customers: it shows that Microsoft is investing in both areas, SIEM and XDR, and positions both products, Azure Sentinel and Microsoft 365 Defender, side by side.

But what does this mean for the real world in your (cloud-) datacenters? Which data sources would you monitor with which of the Microsoft solutions?

First, we need to distinguish between 'raw data', which comes directly from sensors (e.g. 'registry key XYZ has been modified to ABC'), and 'curated data', which has passed through a threat intelligence system (e.g. 'there was a registry change to that specific key and the computer talked to that IP address; that looks like the typical behavior of malware QWX, so let's add the known information about the malware to the sensor data and create an alert'):

(Figure 3: Azure Sentinel vs. Microsoft Defender, raw data vs. curated data)

Next, there are several data sources we need to monitor in a typical enterprise environment:

  • Operating systems (endpoints) like Windows 10, Windows Server, Linux, macOS, iOS and Android
  • Cloud services like Exchange Online, SharePoint Online, Dropbox, Salesforce etc.
  • Identity services like Azure Active Directory or Active Directory
  • From a Microsoft perspective, 3rd-party clouds like AWS, Google Cloud and Zscaler
  • Hardware logs from firewalls etc.
  • Azure Infrastructure as a Service

Now, we can put everything together:

(Figure 4: Azure Sentinel vs. Microsoft Defender, data sources mapped to products)

As you can see, Microsoft 365 Defender is a good fit when it comes to endpoints, services and identities. However, if you want to include 3rd-party cloud systems, firewall logs or other log systems, you need Sentinel.

Azure Defender and Microsoft 365 Defender process the collected data on their own. At first sight, you could say it might be enough to only forward the 'curated data' (= alerts/incidents) from those systems to Sentinel, and for many organizations that will be sufficient.

However, there are reasons why you would also ingest raw data from those systems into Sentinel, or collect raw data from server systems with both Azure Sentinel and Microsoft Defender for Endpoint:

  • If you want to extend the retention of your raw data
  • If you want to collect sensor data that is not collected by Microsoft Defender for Endpoint
  • If you want to hunt over all available raw data in case of an incident
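The raw-vs-curated distinction and the third reason above (hunting over all raw data during an incident) can be made concrete with a Sentinel KQL hunting query. This is an added example, not code from the original post; it assumes the Microsoft 365 Defender connector streams the raw DeviceRegistryEvents and DeviceNetworkEvents tables into the Sentinel workspace alongside the curated SecurityAlert table, and the Run-key path and 10-minute window are illustrative choices for this example.

```kql
// Added example (not from the original post). Assumes the Microsoft 365 Defender
// connector delivers the raw device tables into this workspace; the registry key
// path and time window below are illustrative values chosen for the example.
let lookback = 7d;
// Curated data: hosts for which Defender for Endpoint already raised an alert
let alerted_hosts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProviderName == "MDATP"
    | summarize FirstAlert = min(TimeGenerated) by Host = tolower(CompromisedEntity);
// Raw data: autostart (Run key) changes on any device, alerted on or not
DeviceRegistryEvents
| where Timestamp > ago(lookback)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has @"\Microsoft\Windows\CurrentVersion\Run"
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData,
          RegProcess = InitiatingProcessFileName
// Correlate with outbound public connections from the same device shortly afterwards
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
    | project NetTime = Timestamp, DeviceName, RemoteIP, RemotePort,
              NetProcess = InitiatingProcessFileName
  ) on DeviceName
| where NetTime between (Timestamp .. Timestamp + 10m)
// Mark which of these the curated pipeline already turned into an alert;
// the remaining rows are pure hunting leads that exist only in the raw data
| extend Host = tolower(DeviceName)
| join kind=leftouter alerted_hosts on Host
| extend AlreadyAlerted = isnotempty(FirstAlert)
| project Timestamp, DeviceName, RegistryKey, RegistryValueName, RegistryValueData,
          RegProcess, NetTime, RemoteIP, RemotePort, NetProcess, AlreadyAlerted
| order by Timestamp desc
```

Rows with AlreadyAlerted == false show why retaining the raw sensor tables matters: the behavior is visible in the data even where no curated alert was produced.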

Conclusion

Make sure you do not implement the same functionality twice. Simplicity wins over 'I want it all'. If you implement Azure Sentinel and Microsoft 365 Defender so that they complement each other, you are well prepared for modern threats against your enterprise environment, both on-premises and in the cloud. If you need help during the implementation or operation, check out our offerings or let me know.


FAQs

What is the difference between Microsoft Defender and Azure Sentinel?

Microsoft Defender also provides detailed threat intelligence. Azure Sentinel, on the other hand, is a cloud-native Security Information Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution.

What is the difference between Azure Sentinel and Microsoft Sentinel?

As previously mentioned, both names refer to the same product. Microsoft renamed Azure Sentinel to Microsoft Sentinel in November 2021.

What is the difference between Azure Defender and Microsoft Defender for Cloud?

I guess that at the simplest level, Defender for Cloud will help protect your Cloud (Azure) workloads (although it can also track and protect some outside resources) whereas Defender for Endpoint protects your devices (Windows clients, but also other platforms).

Is Azure Sentinel any good?


My experience with Microsoft Sentinel has been positive. It offers excellent integration with various Microsoft services, providing robust threat detection and response capabilities. Cloud-native design ensures scalability and flexibility, while built-in AI and automation streamline incident response.

Why is Azure Sentinel so expensive?

Pricing is based on the types of logs ingested into a workspace. Analytics logs typically make up most of your high value security logs. Basic logs tend to be verbose with low security value. It's important to note that billing is done per workspace on a daily basis for all log types and tiers.

What is the benefit of Azure Sentinel?

Microsoft Sentinel provides cyberthreat detection, investigation, response, and proactive hunting, with a bird's-eye view across your enterprise. Microsoft Sentinel also natively incorporates proven Azure services, like Log Analytics and Logic Apps, and enriches your investigation and detection with AI.

What is the new name for Azure Sentinel?

Microsoft Sentinel (Formerly Azure Sentinel) Features and Capabilities.

Is Azure Sentinel a SIEM or a SOAR?

Azure Sentinel is a Microsoft cloud-native security SIEM (Security Information and Event Manager) and SOAR (Security Orchestration Automated Response) product.

What is the difference between Azure Sentinel and a traditional SIEM?

The deployment process for an on-premises SIEM is manual and very lengthy. However, due to the nature of SaaS, high availability and ease of deployment comes as part of Microsoft Sentinel's design. Sentinel allows businesses to swiftly deploy and customise their SIEM.

Why choose Microsoft Defender?

Microsoft Defender Antivirus collects underlying system data used by threat analytics and Microsoft Secure Score for Devices. This provides your organization's security team with more meaningful information, such as recommendations and opportunities to improve your organization's security posture.

What is Azure Defender called now?

Microsoft Defender for Cloud

Which two types of security systems make up Microsoft Sentinel?

Microsoft Sentinel is a cloud-native security information and event management (SIEM) platform that uses built-in AI to help analyze large volumes of data across an enterprise—fast.

What is the difference between Azure Sentinel and Defender?

In contrast to Azure Defender's more proactive approach, Azure Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution. It makes threat detection, response, and investigation simpler and cost-effective.

What do you dislike about Microsoft Sentinel?

It integrates well with other Microsoft products, but users find it challenging to integrate with non-Microsoft products. Users with a non-technical background find it difficult to use Microsoft Sentinel.

What is the best antivirus for Azure?

Help protect your virtual machines from viruses and malware

Use antimalware software from major security vendors such as Microsoft, Symantec, Trend Micro, McAfee, and Kaspersky to help protect your virtual machines from malicious files, adware, and other threats.

Is Azure Security Center the same as Defender?

While Azure Security Center provides a holistic view of your cloud security posture, Azure Defender takes a deeper dive, offering advanced threat protection for specific workloads within your Azure environment.

What is Microsoft Azure Sentinel?

Microsoft Sentinel is a cloud-based solution, and fees are based on the service tier and the amount of data the solution captures for analysis and stores in the Azure Monitor Log Analytics workspace. Log source cost should be weighted both against detection value as well as investigation value.

Is Microsoft 365 Defender part of Azure?

Yes. Microsoft Defender for Cloud is a multicloud security solution. It provides native CSPM capabilities for Azure, AWS, and Google Cloud environments and supports threat protection across these platforms. You can also connect non-Azure workloads in hybrid scenarios by using Azure Arc.

What is the difference between Azure Identity Protection and Defender for Identity?

Azure AD Identity Protection and Microsoft Defender for Identity provide very similar protection for identity and access. Azure AD Identity Protection is used for cloud-native users within Azure AD, while Microsoft Defender for Identity is used for on-premises Active Directory users.

Article information

Author: Otha Schamberger

Last Updated:

Views: 6214

Rating: 4.4 / 5 (75 voted)

Reviews: 90% of readers found this page helpful

Author information

Name: Otha Schamberger

Birthday: 1999-08-15

Address: Suite 490 606 Hammes Ferry, Carterhaven, IL 62290

Phone: +8557035444877

Job: Forward IT Agent

Hobby: Fishing, Flying, Jewelry making, Digital arts, Sand art, Parkour, tabletop games

Introduction: My name is Otha Schamberger, I am a vast, good, healthy, cheerful, energetic, gorgeous, magnificent person who loves writing and wants to share my knowledge and understanding with you.