Introduction
In today’s complex threat landscape, security teams face an uphill battle. They grapple with vast amounts of data from various sources, leading to slower threat response, increased learning curves, and fragmented insights. Managing the costs associated with data handling remains a significant challenge.
Enter Microsoft's Unified Security Operations Platform, which consolidates these tools into a single solution backed by AI and automation. Let's dive into what this platform offers (it entered public preview today), how it works, and the benefits it brings to security operations.
I have been in the private preview and, to be honest, I really loved the feature <3.
What is the Unified Security Operations Platform?
The Unified Security Operations Platform combines and integrates the best of two powerful Microsoft solutions: Microsoft Defender XDR (formerly Microsoft 365 Defender) and Microsoft Sentinel.
If you need to refresh your memory, here’s what Microsoft Defender XDR and Microsoft Sentinel do:
- Microsoft Defender XDR:
  - Provides unified visibility, investigation, and response across endpoints, hybrid identities, email, collaboration tools, cloud apps, and workloads.
  - Natively integrated with bidirectional connectors for comprehensive threat coverage.
- Microsoft Sentinel:
  - A cloud-native SIEM solution offering broad visibility into the overall threat landscape.
  - Extends coverage to every edge and layer of the digital environment.
The challenge (and solution)
In the dynamic landscape of cybersecurity, Security Operations Centers (SOCs) grapple with an overwhelming influx of alerts and security data scattered across various locations (we faced this a lot). Analysts and engineers find themselves navigating complex workflows, sifting through low-level alerts, and struggling to consolidate, normalize, analyze, enrich, and act on insights across different customer environments.
Here's why the new Unified Security Operations Platform makes a real difference:
- Unified Views:
  - Analysts access incidents, exposure, threat intelligence, assets, and security reporting from a single pane of glass.
  - No more switching between portals: streamlined workflows enhance efficiency.
- Comprehensive Capabilities:
  - Cover the entire cyberattack lifecycle, from prevention to detection, investigation, and response.
  - Unify SIEM and XDR for robust security operations.
- Attack Disruption with AI:
  - The platform leverages AI to automatically disrupt advanced attacks like ransomware.
  - Automated responses contain attacks in near real time, before they spread further.
- Unified Incident Queue:
  - Reduce investigation time with a single incident queue.
  - Improved alert correlation accelerates triage and response.
- Intelligent Assistant: Copilot for Security (optional):
  - Analysts benefit from incident summaries, MITRE ATT&CK mapping, code (e.g. script and KQL) translation, and multistage attack remediation.
  - Copilot for Security streamlines workflows and provides relevant recommendations.
Prerequisites
To use the Unified Security Operations Platform, ensure you have:
- A single Microsoft Sentinel workspace (only one workspace can be connected to the Defender portal in this preview).
- At least one Defender XDR workload deployed.
Permissions needed
Task | Azure built-in role required | Scope |
---|---|---|
Connect or disconnect a workspace with Microsoft Sentinel enabled | Owner or User Access Administrator, plus Microsoft Sentinel Contributor | Subscription for Owner or User Access Administrator<br>Subscription, resource group, or workspace resource for Microsoft Sentinel Contributor |
Query Sentinel data tables or view incidents | Microsoft Sentinel Reader, or a role with the following actions:<br>Microsoft.OperationalInsights/workspaces/read<br>Microsoft.OperationalInsights/workspaces/query/read<br>Microsoft.SecurityInsights/incidents/read<br>Microsoft.SecurityInsights/incidents/comments/read<br>Microsoft.SecurityInsights/incidents/relations/read<br>Microsoft.SecurityInsights/incidents/tasks/read | Subscription, resource group, or workspace resource |
Take investigative actions on incidents | Microsoft Sentinel Contributor, or a role with the following actions:<br>Microsoft.OperationalInsights/workspaces/read<br>Microsoft.OperationalInsights/workspaces/query/read<br>Microsoft.SecurityInsights/incidents/read<br>Microsoft.SecurityInsights/incidents/write<br>Microsoft.SecurityInsights/incidents/comments/read<br>Microsoft.SecurityInsights/incidents/comments/write<br>Microsoft.SecurityInsights/incidents/relations/read<br>Microsoft.SecurityInsights/incidents/relations/write<br>Microsoft.SecurityInsights/incidents/tasks/read<br>Microsoft.SecurityInsights/incidents/tasks/write | Subscription, resource group, or workspace resource |
Create a support request | Owner, Contributor, Support Request Contributor, or a custom role with Microsoft.Support/* | Subscription |
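The table lists the exact Azure RBAC actions an analyst needs, which is what you want for a least-privilege setup: instead of handing out Microsoft Sentinel Contributor (which also lets people edit analytics rules, connectors and automation), you can build a custom role carrying only the "take investigative actions on incidents" actions and scope it to the workspace. The script below is an added example written for this post, not code from Microsoft or the original article. It assumes the Az.Accounts and Az.Resources modules, an authenticated session with rights to create role definitions (Owner or User Access Administrator on the subscription), and placeholder subscription, resource group, workspace and object IDs that you must replace.

```powershell
# Added example (not from the original post): build a least-privilege custom role
# from the "Take investigative actions on incidents" row, scope it to one Sentinel
# workspace, and verify that a principal's effective assignments cover those actions.
# Assumes Az.Accounts + Az.Resources and a Connect-AzAccount session. All IDs and
# names below are placeholders.

$SubscriptionId    = '00000000-0000-0000-0000-000000000000'
$ResourceGroupName = 'rg-sentinel'
$WorkspaceName     = 'law-sentinel'
$WorkspaceScope    = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
                     "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName"

# Actions copied from the investigative-actions row of the permissions table.
$InvestigatorActions = @(
    'Microsoft.OperationalInsights/workspaces/read',
    'Microsoft.OperationalInsights/workspaces/query/read',
    'Microsoft.SecurityInsights/incidents/read',
    'Microsoft.SecurityInsights/incidents/write',
    'Microsoft.SecurityInsights/incidents/comments/read',
    'Microsoft.SecurityInsights/incidents/comments/write',
    'Microsoft.SecurityInsights/incidents/relations/read',
    'Microsoft.SecurityInsights/incidents/relations/write',
    'Microsoft.SecurityInsights/incidents/tasks/read',
    'Microsoft.SecurityInsights/incidents/tasks/write'
)

function New-SentinelInvestigatorRole {
    param(
        [string]   $RoleName = 'Sentinel Incident Investigator (custom)',
        [string[]] $Actions,
        [string]   $AssignableScope
    )
    # Clone a built-in definition as a template, then replace everything that matters.
    $role = Get-AzRoleDefinition -Name 'Reader'
    $role.Id          = $null
    $role.IsCustom    = $true
    $role.Name        = $RoleName
    $role.Description = 'Read the workspace, run queries, and update incidents, comments, relations and tasks only.'
    $role.Actions.Clear();        foreach ($a in $Actions) { $role.Actions.Add($a) }
    $role.NotActions.Clear();     $role.DataActions.Clear(); $role.NotDataActions.Clear()
    $role.AssignableScopes.Clear(); $role.AssignableScopes.Add($AssignableScope)
    New-AzRoleDefinition -Role $role
}

function Test-PrincipalHasActions {
    param([string]$ObjectId, [string]$Scope, [string[]]$RequiredActions)
    # Get-AzRoleAssignment with -Scope also returns assignments inherited from parent
    # scopes (resource group, subscription, management group).
    $definitions = foreach ($ra in Get-AzRoleAssignment -ObjectId $ObjectId -Scope $Scope) {
        Get-AzRoleDefinition -Id $ra.RoleDefinitionId
    }
    $missing = @(foreach ($req in $RequiredActions) {
        $covered = $false
        foreach ($def in $definitions) {
            # RBAC action strings are case-insensitive wildcard patterns ("*",
            # "Microsoft.SecurityInsights/*"), which PowerShell's -like evaluates the same way.
            $allowed = @($def.Actions    | Where-Object { $req -like $_ }).Count -gt 0
            $denied  = @($def.NotActions | Where-Object { $req -like $_ }).Count -gt 0
            if ($allowed -and -not $denied) { $covered = $true; break }
        }
        if (-not $covered) { $req }
    })
    [pscustomobject]@{ ObjectId = $ObjectId; Missing = $missing; Ok = ($missing.Count -eq 0) }
}

# Usage (after Connect-AzAccount; $analystObjectId is the Entra object ID of a user or group):
# $role = New-SentinelInvestigatorRole -Actions $InvestigatorActions -AssignableScope $WorkspaceScope
# New-AzRoleAssignment -ObjectId $analystObjectId -RoleDefinitionName $role.Name -Scope $WorkspaceScope
# Test-PrincipalHasActions -ObjectId $analystObjectId -Scope $WorkspaceScope -RequiredActions $InvestigatorActions
```

Two practical caveats: a custom role definition can take several minutes to become assignable after creation, and the check function only evaluates Azure RBAC. It does not see deny assignments, Entra roles, or the unified RBAC inside the Defender portal itself, so treat it as a pre-flight check rather than a full effective-permissions audit.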
Connecting Your Workspace
- Go to the Microsoft Defender portal (security.microsoft.com) and sign in.
- Select Overview in Microsoft Defender XDR.
- Choose the workspace you want to connect and follow the prompts.
- Wait for the connection to finish. This takes a few minutes and assumes you already have Microsoft Sentinel up and running; otherwise set that up first 😉
Once the connection completes, the following changes are applied to your environment:
- Log tables, queries, and functions in the Microsoft Sentinel workspace are also available in advanced hunting within Defender XDR.
- The Microsoft Sentinel Contributor role is assigned to the Microsoft Threat Protection and WindowsDefenderATP apps within the subscription.
- Active Microsoft security incident creation rules are deactivated to avoid duplicate incidents. This change only applies to incident creation rules for Microsoft alerts and not to other analytics rules.
- All alerts from Defender XDR products are streamed directly through the main Microsoft Defender XDR data connector to ensure consistency (make sure that connector is enabled in Sentinel).
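Each of these changes is something you can verify from the Azure side rather than take on trust, and it is worth doing so before analysts start relying on the unified queue: a Microsoft incident creation rule left enabled means duplicate incidents, and a missing Defender XDR connector means Defender alerts stop arriving in the workspace. The script below is an added example written for this post, not code from Microsoft. It assumes the Az.Accounts, Az.Resources and Az.SecurityInsights modules, an authenticated session, placeholder resource names, and the property names Kind, Enabled and DisplayName on the objects the Az.SecurityInsights cmdlets return (check them with Get-Member if your module version differs).

```powershell
# Added example (not from the original post): confirm the changes the workspace
# connection is documented to make. Assumes Az.Accounts, Az.Resources and
# Az.SecurityInsights plus a Connect-AzAccount session. Resource names are
# placeholders; Kind/Enabled/DisplayName are assumed property names.

function Test-UnifiedSocConnection {
    param(
        [Parameter(Mandatory)] [string]$SubscriptionId,
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$WorkspaceName
    )
    $subscriptionScope = "/subscriptions/$SubscriptionId"
    $results = [System.Collections.Generic.List[object]]::new()

    # 1. Both first-party apps should now hold Microsoft Sentinel Contributor in the subscription.
    foreach ($appName in 'Microsoft Threat Protection', 'WindowsDefenderATP') {
        $sp = Get-AzADServicePrincipal -DisplayName $appName | Select-Object -First 1
        $assignment = $null
        $detail = 'service principal not found in tenant'
        if ($sp) {
            $assignment = Get-AzRoleAssignment -ObjectId $sp.Id -Scope $subscriptionScope `
                              -RoleDefinitionName 'Microsoft Sentinel Contributor'
            $detail = "object id $($sp.Id)"
        }
        $results.Add([pscustomobject]@{
            Check  = "$appName holds Microsoft Sentinel Contributor"
            Pass   = [bool]$assignment
            Detail = $detail
        })
    }

    # 2. Microsoft incident creation rules must be disabled; scheduled, NRT and Fusion rules are untouched.
    $rules           = Get-AzSentinelAlertRule -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName
    $msIncidentRules = @($rules | Where-Object { $_.Kind -eq 'MicrosoftSecurityIncidentCreation' })
    $stillEnabled    = @($msIncidentRules | Where-Object { $_.Enabled })
    $results.Add([pscustomobject]@{
        Check  = 'Microsoft incident creation rules disabled'
        Pass   = ($stillEnabled.Count -eq 0)
        Detail = "$($msIncidentRules.Count) rule(s) of this kind, $($stillEnabled.Count) still enabled" +
                 $(if ($stillEnabled.Count -gt 0) { ': ' + (($stillEnabled | ForEach-Object { $_.DisplayName }) -join ', ') } else { '' })
    })

    # 3. The Defender XDR connector (ARM kind MicrosoftThreatProtection) must exist so alerts stream through it.
    $connectors = Get-AzSentinelDataConnector -ResourceGroupName $ResourceGroupName -WorkspaceName $WorkspaceName
    $xdr        = @($connectors | Where-Object { $_.Kind -eq 'MicrosoftThreatProtection' })
    $xdrDetail  = 'enable the Microsoft Defender XDR connector in Sentinel'
    if ($xdr.Count -gt 0) { $xdrDetail = "connector id(s): $(($xdr | ForEach-Object { $_.Name }) -join ', ')" }
    $results.Add([pscustomobject]@{
        Check  = 'Microsoft Defender XDR data connector present'
        Pass   = ($xdr.Count -gt 0)
        Detail = $xdrDetail
    })

    return $results
}

# Usage (after Connect-AzAccount; values are placeholders):
# Test-UnifiedSocConnection -SubscriptionId '00000000-0000-0000-0000-000000000000' `
#     -ResourceGroupName 'rg-sentinel' -WorkspaceName 'law-sentinel' | Format-Table -AutoSize
```

If check 2 reports rules still enabled, do not just disable them by hand and move on: find out whether they were re-enabled by a deployment pipeline or repository sync, because the next run will bring them back and the duplicate incidents with them.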
Benefits of Using the Unified Platform
After you connect your workspace to the Defender portal, Microsoft Sentinel is on the left-hand side navigation pane. Pages like Overview, Incidents, and Advanced Hunting have unified data from Microsoft Sentinel and Defender XDR.
Use the following articles to help you start working with Microsoft Sentinel in the Defender portal. When using these articles, keep in mind that your starting point in this context is the Defender XDR portal instead of the Azure portal:
Search
Threat management
- Visualize and monitor your data by using workbooks
- Conduct end-to-end threat hunting with Hunts
- Use hunting bookmarks for data investigations
- Use hunting Livestream in Microsoft Sentinel to detect threats
- Hunt for security threats with Jupyter notebooks
- Add indicators in bulk to Microsoft Sentinel threat intelligence from a CSV or JSON file
- Work with threat indicators in Microsoft Sentinel
- Understand security coverage by the MITRE ATT&CK framework
Content management
- Discover and manage Microsoft Sentinel out-of-the-box content
- Microsoft Sentinel content hub catalog
- Deploy custom content from your repository
Configuration
- Find your Microsoft Sentinel data connector
- Create custom analytics rules to detect threats
- Work with near-real-time (NRT) detection analytics rules in Microsoft Sentinel
- Create watchlists
- Manage watchlists in Microsoft Sentinel
- Create automation rules
- Create and customize Microsoft Sentinel playbooks from content templates
Sources
Need extra information? Check out the documentation pages from Microsoft on the Unified Security Operations Platform:
Conclusion
The Unified Security Operations Platform empowers defenders to prevent, detect, investigate, and respond effectively. As said above, I really love this feature. Although it’s in public preview now, I might add extra insights to my blog post later on, with handy tips, experience and information.
For the time being, play around with the Unified Security Operations Platform to get hands-on with the unified view and the automatic attack disruption. It lets your security specialists address threats with far more speed and efficiency.