Microsoft Sentinel in the Microsoft Defender portal (2024)

  • Article
  • Applies to:
    Microsoft Sentinel in the Microsoft Defender portal

This article describes the Microsoft Sentinel experience in the Microsoft Defender portal. Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. For more information, see:

New and improved capabilities

The following table describes the new or improved capabilities available in the Defender portal with the integration of Microsoft Sentinel and Defender XDR.

Capability: Advanced hunting
Query from a single portal across different data sets to make hunting more efficient and remove the need for context-switching. Use Copilot for Security to help generate your KQL. View and query all data, including data from Microsoft security services and Microsoft Sentinel. Use all your existing Microsoft Sentinel workspace content, including queries and functions.

For more information, see the following articles:
- Advanced hunting in the Microsoft Defender portal
- Copilot for Security in advanced hunting
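The cross-data-set hunting described above, as an added example that is not part of the original article: one KQL query run from advanced hunting in the Defender portal that unions Microsoft Entra ID sign-ins from the Microsoft Sentinel SigninLogs table with Defender for Endpoint DeviceLogonEvents into a single timeline. It assumes the workspace is onboarded so both tables are queryable from one place; the account name is an assumed sample value.

```kql
// Added example, not from the original article: a single advanced hunting query that spans
// a Microsoft Sentinel table (SigninLogs, from Microsoft Entra ID) and a Defender XDR table
// (DeviceLogonEvents, from Defender for Endpoint). Both are queryable from one portal once
// the Microsoft Sentinel workspace is onboarded. The account name is an assumed sample value.
let lookback = 7d;
let targetAccount = "jdoe";   // assumed sample account (local part of the UPN)
// Cloud sign-ins that Microsoft Entra ID flagged as risky, normalised to a common shape
let cloudSignins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | extend AccountName = tolower(tostring(split(UserPrincipalName, "@")[0]))
    | where AccountName == targetAccount
    | where RiskLevelDuringSignIn in ("medium", "high")
    | project EventTime = TimeGenerated, AccountName, Source = "Entra ID sign-in",
              Detail = strcat(AppDisplayName, " from ", IPAddress,
                              " (risk: ", RiskLevelDuringSignIn, ")");
// Successful endpoint logons for the same account, from the Defender for Endpoint table
let deviceLogons =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where tolower(AccountName) == targetAccount
    | where ActionType == "LogonSuccess"
    | project EventTime = Timestamp, AccountName, Source = "Device logon",
              Detail = strcat(LogonType, " logon to ", DeviceName, " from ", RemoteIP);
// One timeline across SIEM and XDR data, oldest first, so an analyst can see which
// device logons follow a risky cloud sign-in without switching portals
union cloudSignins, deviceLogons
| order by EventTime asc
| project EventTime, Source, AccountName, Detail
```

Without the onboarded workspace, SigninLogs is not available in advanced hunting and the query fails to resolve that table.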

Capability: Attack disruption
Deploy automatic attack disruption for SAP with both the unified security operations platform and the Microsoft Sentinel solution for SAP applications. For example, contain compromised assets by locking suspicious SAP users in case of a financial process manipulation attack.

Attack disruption capabilities for SAP are available in the Defender portal only. To use attack disruption for SAP, update your data connector agent version and ensure that the relevant Azure role is assigned to your agent's identity.

For more information, see Automatic attack disruption for SAP.

Capability: SOC optimizations
Get high-fidelity and actionable recommendations to help you identify areas to:
- Reduce costs
- Add security controls
- Add missing data
SOC optimizations are available in the Defender and Azure portals, are tailored to your environment, and are based on your current coverage and threat landscape.

For more information, see the following articles:
- Optimize your security operations
- SOC optimization reference of recommendations

Capability: Unified entities
Entity pages for devices, users, IP addresses, and Azure resources in the Defender portal display information from Microsoft Sentinel and Defender data sources. These entity pages give you expanded context for your investigations of incidents and alerts in the Defender portal.

For more information, see Investigate entities with entity pages in Microsoft Sentinel.

Capability: Unified incidents
Manage and investigate security incidents in a single location and from a single queue in the Defender portal. Use Copilot for Security to summarize, respond, and report. Incidents include:
- Data from the breadth of sources
- AI analytics tools of security information and event management (SIEM)
- Context and mitigation tools offered by extended detection and response (XDR)

For more information, see the following articles:
- Incident response in the Microsoft Defender portal
- Investigate Microsoft Sentinel incidents in Copilot for Security

Capability differences between portals

Most Microsoft Sentinel capabilities are available in both the Azure and Defender portals. In the Defender portal, some Microsoft Sentinel experiences open out to the Azure portal for you to complete a task.

This section covers the Microsoft Sentinel capabilities or integrations in the unified security operations platform that are available only in the Azure portal or only in the Defender portal, and other significant differences between the portals. It excludes the Microsoft Sentinel experiences that open the Azure portal from the Defender portal.

Capability: Advanced hunting using bookmarks
Availability: Azure portal only
Bookmarks aren't supported in the advanced hunting experience in the Microsoft Defender portal. In the Defender portal, they're supported under Microsoft Sentinel > Threat management > Hunting.

For more information, see Keep track of data during hunting with Microsoft Sentinel.

Capability: Attack disruption for SAP
Availability: Defender portal only
This functionality is unavailable in the Azure portal.

For more information, see Automatic attack disruption in the Microsoft Defender portal.

Capability: Automation
Some automation procedures are available only in the Azure portal.

Other automation procedures are the same in the Defender and Azure portals, but differ in the Azure portal between workspaces that are onboarded to the unified security operations platform and workspaces that aren't.

For more information, see Automation with the unified security operations platform.

Capability: Data connectors: visibility of connectors used by the unified security operations platform
Availability: Azure portal only
In the Defender portal, after you onboard Microsoft Sentinel, the following data connectors that are part of the unified security operations platform aren't shown in the Data connectors page:
  • Microsoft Defender for Cloud Apps
  • Microsoft Defender for Endpoint
  • Microsoft Defender for Identity
  • Microsoft Defender for Office 365 (Preview)
  • Microsoft Defender XDR
  • Subscription-based Microsoft Defender for Cloud (Legacy)
  • Tenant-based Microsoft Defender for Cloud (Preview)

In the Azure portal, these data connectors are still listed with the installed data connectors in Microsoft Sentinel.

Capability: Entities: Add entities to threat intelligence from incidents
Availability: Azure portal only
This functionality is unavailable in the unified security operations platform.

For more information, see Add entity to threat indicators.

Capability: Fusion: Advanced multistage attack detection
Availability: Azure portal only
The Fusion analytics rule, which creates incidents based on alert correlations made by the Fusion correlation engine, is disabled when you onboard Microsoft Sentinel to the unified security operations platform.

The unified security operations platform uses Microsoft Defender XDR's incident-creation and correlation functionalities to replace those of the Fusion engine.

For more information, see Advanced multistage attack detection in Microsoft Sentinel.

Capability: Incidents: Adding alerts to incidents / Removing alerts from incidents
Availability: Defender portal only
After onboarding Microsoft Sentinel to the unified security operations platform, you can no longer add alerts to, or remove alerts from, incidents in the Azure portal.

You can remove an alert from an incident in the Defender portal, but only by linking the alert to another incident (existing or new).

Capability: Incidents: Editing comments
Availability: Azure portal only
After onboarding Microsoft Sentinel to the unified security operations platform, you can add comments to incidents in either portal, but you can't edit existing comments.

Edits made to comments in the Azure portal don't synchronize to the unified security operations platform.

Capability: Incidents: Programmatic and manual creation of incidents
Availability: Azure portal only
Incidents created in Microsoft Sentinel through the API, by a Logic App playbook, or manually from the Azure portal aren't synchronized to the unified security operations platform. These incidents are still supported in the Azure portal and the API.

See Create your own incidents manually in Microsoft Sentinel.

Capability: Incidents: Reopening closed incidents
Availability: Azure portal only
In the unified security operations platform, you can't set alert grouping in Microsoft Sentinel analytics rules to reopen closed incidents if new alerts are added. Closed incidents aren't reopened in this case, and new alerts trigger new incidents.

Capability: Incidents: Tasks
Availability: Azure portal only
Tasks are unavailable in the unified security operations platform.

For more information, see Use tasks to manage incidents in Microsoft Sentinel.

Capability: Multiple workspace management for Microsoft Sentinel
Availability:
- Defender portal: Limited to one Microsoft Sentinel workspace per tenant
- Azure portal: Centrally manage multiple Microsoft Sentinel workspaces for tenants
Only one Microsoft Sentinel workspace per tenant is currently supported in the unified security operations platform. So, Microsoft Defender multitenant management supports one Microsoft Sentinel workspace per tenant.

For more information, see the following articles:
- Defender portal: Microsoft Defender multitenant management
- Azure portal: Manage multiple Microsoft Sentinel workspaces with workspace manager

Quick reference

Some Microsoft Sentinel capabilities, like the unified incident queue, are integrated with Microsoft Defender XDR in the unified security operations platform. Many other Microsoft Sentinel capabilities are available in the Microsoft Sentinel section of the Defender portal.

The following image shows the Microsoft Sentinel menu in the Defender portal:

The following sections describe where to find Microsoft Sentinel features in the Defender portal. The sections are organized the same way the Microsoft Sentinel menu is organized in the Azure portal.

General

The following table lists the changes in navigation between the Azure and Defender portals for the General section in the Azure portal.

Azure portal | Defender portal
Overview | Overview
Logs | Investigation & response > Hunting > Advanced hunting
News & guides | Not available
Search | Microsoft Sentinel > Search

Threat management

The following table lists the changes in navigation between the Azure and Defender portals for the Threat management section in the Azure portal.

Azure portal | Defender portal
Incidents | Investigation & response > Incidents & alerts > Incidents
Workbooks | Microsoft Sentinel > Threat management > Workbooks
Hunting | Microsoft Sentinel > Threat management > Hunting
Notebooks | Microsoft Sentinel > Threat management > Notebooks
Entity behavior | User entity page: Assets > Identities > {user} > Sentinel events
                | Device entity page: Assets > Devices > {device} > Sentinel events
                | You can also open the entity pages for the user, device, IP, and Azure resource entity types from the incidents and alerts in which those entities appear.
Threat intelligence | Microsoft Sentinel > Threat management > Threat intelligence
MITRE ATT&CK | Microsoft Sentinel > Threat management > MITRE ATT&CK

Content management

The following table lists the changes in navigation between the Azure and Defender portals for the Content management section in the Azure portal.

Azure portal | Defender portal
Content hub | Microsoft Sentinel > Content management > Content hub
Repositories | Microsoft Sentinel > Content management > Repositories
Community | Microsoft Sentinel > Content management > Community

Configuration

The following table lists the changes in navigation between the Azure and Defender portals for the Configuration section in the Azure portal.

Azure portal | Defender portal
Workspace manager | Not available
Data connectors | Microsoft Sentinel > Configuration > Data connectors
Analytics | Microsoft Sentinel > Configuration > Analytics
Watchlists | Microsoft Sentinel > Configuration > Watchlists
Automation | Microsoft Sentinel > Configuration > Automation
Settings | System > Settings > Microsoft Sentinel

Related content

• Microsoft Defender XDR integration with Microsoft Sentinel
• Connect Microsoft Sentinel to Microsoft Defender XDR
• Microsoft Defender XDR documentation

