Post

Microsoft Defender XDR, Microsoft Defender for Cloud and Microsoft Sentinel: A Single Pane of Glass for Unified Security Management

Posted Updated
Microsoft Unified Security Operations platform
Microsoft Unified Security Operations platform
By Vedran Brodar
3 min read
Microsoft Defender XDR, Microsoft Defender for Cloud and Microsoft Sentinel: A Single Pane of Glass for Unified Security Management

In a previous article, I discussed the Microsoft Defender XDR suite, its benefits, coverage, and different aspects. In this article, I will explain how you can have one pane of glass consisting of SIEM/SOAR, CNAPP, and the XDR suite.

Microsoft Unified Security Operations platform — image courtesy of Marcus Burnap Microsoft Unified Security Operations platform — image courtesy of Marcus Burnap

Short overview of services

Microsoft Defender XDR — One portal to rule them all

Is a comprehensive security solution designed to provide unified threat protection across different endpoints, identities, emails, and cloud applications to respond to advanced cyber threats.

Defender XDR architecture — image courtesy of Microsoft Defender XDR architecture — image courtesy of Microsoft

If you want to read in more detail, check my article:

Microsoft Defender Extended Detection and Response (XDR) — Unified investigation and response experience

Microsoft Sentinel — Big brother watching over your log sources

Microsoft Sentinel, the cloud-native Security Information and Event Management (SIEM) platform, plays a pivotal role in the XDR integration. As a comprehensive SIEM solution, Sentinel collects data from all your security resources — whether they’re on-premises, hybrid, or in the cloud — and provides actionable insights to enhance detection, investigation, and response.

Microsoft Sentinel data ingestion architecture — image courtesy of My Faber Security Microsoft Sentinel data ingestion architecture — image courtesy of My Faber Security

More in depth about Microsoft Sentinel:

Unlock the Power of Proactive Security: Why You Need Microsoft Sentinel

And if you are interested in learning the language of Microsoft Sentinel — Kusto Query Language (KQL), this one is for you:

Stop Drowning in Data: Tame Your Azure Logs with KQL

Microsoft Defender for Cloud — Shield for your cloud workloads

Microsoft Defender for Cloud is a cloud-native application protection platform (CNAPP) that is made up of security measures and practices that are designed to protect cloud-based applications from various cyber threats and vulnerabilities across your tenant and multi-cloud environments.

Multicloud Defender for Cloud Overview — image courtesy of Microsoft Multicloud Defender for Cloud Overview — image courtesy of Microsoft

For more in-depth information about Microsoft Defender for Cloud, check the article below:

Defend your Azure environment with Microsoft Defender for Cloud

The ultimate synergy: Defender XDR + Microsoft Sentinel + Microsoft Defender for Cloud

Defender XDR, Microsoft Sentinel and Microsoft Defender for Cloud integration architecture — image courtesy of Microsoft Defender XDR, Microsoft Sentinel and Microsoft Defender for Cloud integration architecture — image courtesy of Microsoft

Microsoft Defender for Cloud enrollment in Defender XDR

If you already have Defender for Cloud enabled on one of your Subscriptions in your tenant — it is automatically enrolled into the integration with Microsoft Defender XDR.

Defender for Cloud alert inside Defender XDR Portal Defender for Cloud alert inside Defender XDR Portal

Alerts and incidents are visible and can be filtered by Product Name “Microsoft Defender for Cloud” as shown on the image above.

If you want to change the alert settings from Defender for Cloud inside Defender XDR go to:

  1. Open security.microsoft.com and login

  2. System and click on Settings

  3. Select Microsoft Defender XDR

  4. Select Alert Service Settings

  5. Choose “All alerts (default)” or select “No alerts” if you don’t want them

Microsoft Defender XDR — Defender for Cloud alert settings Microsoft Defender XDR — Defender for Cloud alert settings

Microsoft Sentinel integration with Defender XDR

If you have Global Administrator/Security Administrator (Entra ID roles) + Subscription Owner — or both Microsoft Sentinel Contributor and a User Access Administrator (Azure resource roles) — you can integrate Microsoft Sentinel with your Defender XDR portal following the next steps:

  1. Open security.microsoft.com

  2. Click on System and open the Settings menu

  3. Select Microsoft Sentinel and Workspaces

  4. Choose the workspace you want to connect and select Next.

  5. Read and understand the product changes associated with connecting your workspace.

  6. Select Connect

Microsoft Sentinel Data connectors tab on Microsoft Defender portal Microsoft Sentinel Data connectors tab on Microsoft Defender portal

Voila, once connected, you have most of the Microsoft Sentinel functionalities on the Microsoft Defender portal (Data connectors, analytics, watchlist, automation, etc.)

Useful documentation & links

What is Microsoft Defender XDR?

Microsoft Defender for Cloud in Microsoft Defender portal

Microsoft Defender XDR integration with Microsoft Sentinel

Microsoft Applied Skills: Defend against cyberthreats with Microsoft Defender XDR

Become a Microsoft Defender XDR Ninja

Microsoft Defender XDR Blog

Conclusion

Combining the Microsoft Defender for Cloud CNAPP workload protection with the Microsoft Sentinel SIEM/SOAR capabilities and the Defender XDR portal gives you and your SOC teams one unified pane of glass to monitor everything across your organization seamlessly, with far more enriched data and context.

If you want to read more, please follow me and my colleagues on our Cyberdnevnik website and publication.

Thank you for reading, please leave us your thoughts and comments.

We appreciate all your feedback.

Cheers,

Vedran.

Articles, Cybersecurity
Azure Microsoft XDR Unified Defender for Cloud Sentinel
This post is licensed under CC BY 4.0 by the author.