To help defend against today’s evolving threats, SecOps teams need sophisticated tooling that provides both breadth of visibility across the entire enterprise and the depth needed to investigate threats. At Microsoft, we have a unique vision for the future of threat protection. While other vendors offer only a SIEM or XDR, Microsoft’s perspective is that SecOps can benefit from both. A SIEM delivers visibility into the full kill chain across the entire organization, including third party data, while XDR delivers deeper insights with contextual alerts for multi-cloud and multi-platform resources to reduce false alerts.
At Microsoft Ignite 2021 in March, we announced an important step in bringing you the most integrated SIEM and XDR on the market with the release of incident sharing between Microsoft 365 Defender and Azure Sentinel. Today, we are continuing the journey by announcing the public preview of incident sharing for Azure Defender and Azure Sentinel. Now, Microsoft delivers the only integrated SIEM and XDR with incident sharing across the full set of components.
Using this new capability, customers can use Azure Sentinel as their single pane of glass for incident triage, leverage Microsoft 365 Defender or Azure Defender for incident investigation and remediation, and stay seamlessly in-sync across all three products. This new capability helps reduce the overall time you spend on responding to incidents – giving you more time to focus on what’s important.
How does it work?
Azure Defender & Sentinel bi-directional status sync will automatically sync alerts and incidents statuses between the products:
- Closing or updating incidents in Azure Sentinel containing Azure Defender alerts will automatically close/update the status of the alert in the Azure Defender portal.
- Alerts closed in the Azure Defender will be reflected as closed in Sentinel, but the status of the incident containing them will remain unchanged.
How to enable it?
- In Azure Sentinel, navigate to the data connectors tab and open the Azure Defender data connector.
- You can configure on which subscriptions you would like the bi-directional sync to take effect by changing the drop down in the “Bi-directional sync (Preview)” column to “Enabled”.
- Notice – enabling bi-directional sync required contributor permission in the selected subscription.
- To enable bi-directional sync on several subscriptions at once, mark their check boxes and select the “Enable bi-directional sync” button on the bar above the list.
We are excited about these new capabilities and will continue our mission to help you protect your companies. Stay tuned for more SIEM and XDR integration!
