One of the simpler, yet most relevant, pieces of documentation I have seen about the new Unified Security Operations Platform and Microsoft Sentinel. I love to see the investment and knowledge sharing with the Microsoft security community.
💡For me, these are the highlights:
📌What happens when I enable the Microsoft Defender XDR connector in Microsoft Sentinel?
🔹Microsoft security incident creation rules are disabled by default, because incidents are now created by Defender XDR rather than by Sentinel.
🔹Incidents are created in the unified portal and synced back to Microsoft Sentinel, with a potential delay of up to 10 minutes.
📌Alerts, Incidents, and Correlation
🔹Expected delay: alerts and incidents created in the unified portal may take up to 10 minutes to show up in Microsoft Sentinel. Microsoft is working on reducing this latency.
🔹Automatic Attack Disruption: Not affected by the delay.
🔹Triggering Playbooks: Both automatic and manual invocation are affected by the delay.
🔹Avoiding Duplication: Ensure incident creation rules are turned off in the Microsoft Defender XDR connector configuration.
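A quick way to check whether the sync delay you actually see stays within the 10-minute figure quoted above. This is an added example, not part of the FAQ or the original post; it assumes that in the SecurityIncident table CreatedTime is when the incident was created in the unified portal and TimeGenerated is when the first record for that incident landed in the Sentinel workspace, so their difference approximates the sync delay:

```kql
// Added example (not from the FAQ): estimate Defender XDR -> Sentinel incident sync delay.
// Assumption: CreatedTime = creation in the unified portal,
//             min(TimeGenerated) = first time the incident appeared in this workspace.
SecurityIncident
| where TimeGenerated > ago(7d)
// One row per incident: keep the earliest record and its creation time / provider
| summarize arg_min(TimeGenerated, CreatedTime, ProviderName) by IncidentNumber
| extend SyncDelayMinutes = datetime_diff('minute', TimeGenerated, CreatedTime)
// Distribution per provider, plus how many incidents exceeded the 10-minute figure
| summarize
    Incidents        = count(),
    MedianDelayMin   = percentile(SyncDelayMinutes, 50),
    P95DelayMin      = percentile(SyncDelayMinutes, 95),
    Over10Min        = countif(SyncDelayMinutes > 10)
    by ProviderName
| order by Incidents desc
```

Run it in Logs on the Sentinel workspace. Incidents that show up in the Over10Min column are the ones whose playbooks (automatic or manual) would have been triggered late; attack disruption in the unified portal is not affected either way, as the post notes.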
📌Best Practices for Automation Rules
🔹Condition on "Analytic rule name" rather than on the incident title or on a tag: Defender XDR now sets the incident title, and it can change as further alerts are correlated into the incident, whereas the analytic rule name stays fixed.
🔹Condition on "Alert product names" rather than on "Incident provider": once the connector is enabled, every incident synced from the unified portal carries the same provider, so only the product of the underlying alerts still distinguishes the source.
📌Custom Detection Rules
🔹Custom detection rules can trigger playbooks using the “When incident is created” trigger in Automation.
📌Data Retention
🔹Additional actions: none. Existing retention configurations remain unchanged.
⚡Ingesting Microsoft Defender XDR Tables: Not necessary unless data retention beyond 30 days is needed. HUGE UPDATE - COST SAVINGS OPPORTUNITY HERE 💸
🔹Microsoft Sentinel E5 Benefit: No changes.
🔹Default Retention: Remains 30 days for XDR data and 90 days for Microsoft Sentinel data.
📌Copilot for Security
🔹Licensing: A Copilot for Security license includes the Microsoft Defender for Threat Intelligence (MDTI) license.
Want to learn more? 💡
FAQ Unified SOC platform (microsoft.com) 🔥🔥🔥
HUGE thanks for putting this blog together: @Tiander Turpijn @AlexKlaus @GBushey @Jeremy Tan @Sreedhar Ande
#SIEM #XDR #Microsoft #MicrosoftSecurity #SOC #Cybersecurity #AI #Copilot #MSPartnerUK #MicrosoftSentinel #Msftadvocate