Microsoft Sentinel in the Microsoft Defender portal

Microsoft Defender provides a unified cybersecurity solution that integrates endpoint protection, cloud security, identity protection, email security, threat intelligence, exposure management, and SIEM into a centralized platform. It uses AI-driven defense to help organizations anticipate and stop attacks, ensuring efficient and effective security operations.

Microsoft Sentinel is generally available in the Microsoft Defender portal, either with Microsoft Defender XDR, or on its own, delivering a unified experience across SIEM and XDR for faster and more accurate threat detection and response, simplified workflows, and enhanced operational efficiency.

This article describes the Microsoft Sentinel experience in the Defender portal. We recommend that customers using Microsoft Sentinel in the Azure portal move into Microsoft Defender to take advantage of the unified security operations available and the latest capabilities. For more information, see Transition your Microsoft Sentinel environment to the Defender portal.

New and improved capabilities

The following entries describe the new or improved capabilities available in the Defender portal with the integration of Microsoft Sentinel. Microsoft continues to innovate in this new experience with features that might be exclusive to the Defender portal.

Capability: Streamlined operations

Manage all security incidents, alerts, and investigations from a single, unified interface.

- Unified entity pages for devices, users, IP addresses, and Azure resources in the Defender portal display information from both Microsoft Sentinel and Defender data sources. These entity pages give you expanded context for your investigations of incidents and alerts in the Defender portal.
- Unified incidents let you manage and investigate security incidents in a single location and from a single queue in the Defender portal. Use Security Copilot to summarize, respond, and report. Unified incidents combine data from the full breadth of sources, the AI analytics of security information and event management (SIEM), and the context and mitigation tools of extended detection and response (XDR).
- Use advanced hunting to query across different data sets from a single portal, which makes hunting more efficient and removes the need for context switching. Use Security Copilot to help generate your KQL, view and query all data, including data from Microsoft security services and Microsoft Sentinel, and then use all your existing Microsoft Sentinel workspace content, including queries and functions, to investigate.

Learn more:

- Investigate entities with entity pages in Microsoft Sentinel
- Incident response in the Microsoft Defender portal
- Investigate Microsoft Sentinel incidents in Security Copilot
- Advanced hunting in the Microsoft Defender portal
- Security Copilot in advanced hunting

Capability: Enhanced threat detection

Use advanced AI and machine learning for faster and more accurate threat detection and response. Benefit from an improved signal-to-noise ratio and enhanced alert correlation, ensuring that critical threats are addressed promptly.

Learn more: Threat detection for unified security operations

Capability: New features

Access robust tools such as case management for organizing and managing security incidents, automatic attack disruption for remediating compromised entities on high-fidelity true positives, an embedded Security Copilot experience for automated incident summaries and guided response actions, and more.

For example, when investigating incidents in the Defender portal, use Security Copilot to analyze scripts, analyze files, and create incident reports. When hunting for threats in advanced hunting, create ready-to-run KQL queries by using the query assistant.

Learn more:

- Case management
- Automatic attack disruption
- Automated incident summary
- Guided response actions
- Analyze scripts
- Analyze files
- Create incident reports
- Create ready-to-run KQL queries

Capability: Enhanced visibility and reduced risk exposure

Analyze attack paths to see how a cyber attacker could exploit vulnerabilities. Use guided SOC optimization recommendations to reduce costs and exposure, and prioritize actions based on potential impact.

Learn more:

- Optimize your security operations
- Use SOC optimizations programmatically
- SOC optimization reference of recommendations

Capability: Tailored post-incident recommendations

Prevent similar or repeat cyberattacks with tailored recommendations tied to Microsoft Security Exposure Management initiatives.

Learn more: Microsoft Security Exposure Management for enhanced security posture

Capability: Cost and data optimization

Customers can access both Microsoft Sentinel and Defender XDR data in a unified and consistent schema in the Defender portal.

Raw advanced hunting logs are available for 30 days of hunting free of charge, without needing to ingest them into Microsoft Sentinel.

Learn more: What to expect for Defender XDR tables streamed to Microsoft Sentinel
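The cross-source hunting that the Streamlined operations entry describes, shown as an added example that is not part of the original article and is not a Microsoft sample: a KQL query for advanced hunting in the Defender portal that correlates failed Microsoft Entra sign-ins from the SigninLogs table (a Microsoft Sentinel workspace table) with failed endpoint logons from the Defender XDR DeviceLogonEvents table for the same account in the same one-hour window. Both tables and the columns used are the documented schemas; the one-day lookback, the one-hour bucket, and the threshold of five failures on each side are assumptions chosen for illustration and should be tuned to your environment.

```kql
// Added example: correlate cloud sign-in failures (Microsoft Sentinel table)
// with endpoint logon failures (Defender XDR table) for the same account.
// Lookback, bucket size and thresholds below are illustrative assumptions.
let lookback = 1d;
let failureThreshold = 5;
// Failed Microsoft Entra sign-ins from the Sentinel workspace.
// ResultType "0" is success; any other value is a failure code.
let cloudFailures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | extend Account = tolower(tostring(split(UserPrincipalName, "@")[0]))
    | summarize CloudFailures = count(),
                CloudIPs = make_set(IPAddress, 10),
                Apps = make_set(AppDisplayName, 10)
        by Account, bin(TimeGenerated, 1h);
// Failed interactive/network logons reported by Defender for Endpoint.
let endpointFailures =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    | extend Account = tolower(AccountName)
    | summarize EndpointFailures = count(),
                Devices = make_set(DeviceName, 10),
                RemoteIPs = make_set(RemoteIP, 10)
        by Account, bin(Timestamp, 1h);
// Join on the account and on the aligned one-hour bucket, then keep only
// windows where both sources show repeated failures.
cloudFailures
| join kind=inner endpointFailures on Account, $left.TimeGenerated == $right.Timestamp
| where CloudFailures >= failureThreshold and EndpointFailures >= failureThreshold
| project TimeWindow = TimeGenerated, Account,
          CloudFailures, EndpointFailures,
          CloudIPs, RemoteIPs, Devices, Apps
| sort by CloudFailures + EndpointFailures desc
```

Because the onboarded workspace content is available in the same query, the result can be scoped to accounts in an existing Microsoft Sentinel watchlist by appending a filter such as `| where Account in ((_GetWatchlist('<watchlist-alias>') | project SearchKey))`, where the alias is a placeholder for one of your own watchlists. An account that fails repeatedly against both Entra ID and endpoints in the same hour is a stronger signal than either source on its own, which is the practical benefit of querying both data sets from one place.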

Limited or unavailable capabilities with Microsoft Sentinel only in the Defender portal

When you onboard Microsoft Sentinel to the Defender portal without Defender XDR or other services enabled, the following capabilities are limited or unavailable:

Quick reference

Some Microsoft Sentinel capabilities, like the unified incident queue, are integrated with Microsoft Defender XDR in the Defender portal. Many other Microsoft Sentinel capabilities are available in the Microsoft Sentinel section of the Defender portal.

The following image shows the Microsoft Sentinel menu in the Defender portal:

Screenshot of the Defender portal left navigation with the Microsoft Sentinel section.

The following sections describe where to find Microsoft Sentinel features in the Defender portal and are intended for existing customers who are moving to the Defender portal. The sections follow the order of the Microsoft Sentinel menu in the Azure portal.

For more information, see Transition your Microsoft Sentinel environment to the Defender portal.

General

The following table lists the changes in navigation between the Azure and Defender portals for the General section in the Azure portal.

| Azure portal | Defender portal |
|---|---|
| Overview | Overview |
| Logs | Investigation & response > Hunting > Advanced hunting |
| News & guides | Not available |
| Search | Microsoft Sentinel > Search |

Threat management

The following table lists the changes in navigation between the Azure and Defender portals for the Threat management section in the Azure portal.

| Azure portal | Defender portal |
|---|---|
| Incidents | Investigation & response > Incidents & alerts > Incidents |
| Workbooks | Microsoft Sentinel > Threat management > Workbooks |
| Hunting | Microsoft Sentinel > Threat management > Hunting |
| Notebooks | Microsoft Sentinel > Threat management > Notebooks |
| Entity behavior | User entity page: Assets > Identities > {user} > Sentinel events, and Device entity page: Assets > Devices > {device} > Sentinel events. Entity pages for the user, device, IP, and Azure resource entity types are also reachable from incidents and alerts as those entities appear. |
| Threat intelligence | Threat intelligence > Intel management |
| MITRE ATT&CK | Microsoft Sentinel > Threat management > MITRE ATT&CK |

Content management

The following table lists the changes in navigation between the Azure and Defender portals for the Content management section in the Azure portal.

| Azure portal | Defender portal |
|---|---|
| Content hub | Microsoft Sentinel > Content management > Content hub |
| Repositories | Microsoft Sentinel > Content management > Repositories |
| Community | Microsoft Sentinel > Content management > Community |

Configuration

The following table lists the changes in navigation between the Azure and Defender portals for the Configuration section in the Azure portal.

| Azure portal | Defender portal |
|---|---|
| Workspace manager | Not available |
| Data connectors | Microsoft Sentinel > Configuration > Data connectors |
| Analytics | Microsoft Sentinel > Configuration > Analytics, and Investigation & response > Hunting > Custom detection rules |
| Watchlists | Microsoft Sentinel > Configuration > Watchlists |
| Automation | Microsoft Sentinel > Configuration > Automation |
| Settings | System > Settings > Microsoft Sentinel |