One of the simplest yet most relevant pieces of documentation I have seen about the new Unified Security Operations Platform and Microsoft Sentinel. I love to see the investment and knowledge sharing with the Microsoft security community.
For me, these are the highlights:
What happens when I enable the Microsoft Defender XDR connector in Microsoft Sentinel?
Security incident creation rules are disabled by default.
Incidents are created in the unified portal and synced back to Microsoft Sentinel, with a potential delay of up to 10 minutes.
Alerts, Incidents, and Correlation
Expected Alert Delay: Incidents may take up to 10 minutes to show up in Microsoft Sentinel. Microsoft is working on reducing this latency.
Automatic Attack Disruption: Not affected by the delay.
Triggering Playbooks: Both automatic and manual invocation are affected by the delay.
Avoiding Duplication: Ensure incident creation rules are turned off in the Microsoft Defender XDR connector configuration.
Best Practices for Automation Rules
Use "Analytic rule name" instead of the incident title or a condition on a Tag.
Use Alert product names instead of Incident provider.
Custom Detection Rules
Custom detection rules can trigger playbooks using the “When incident is created” trigger in Automation.
Data Retention
Additional Actions: Existing retention configurations remain unchanged.
Ingesting Microsoft Defender XDR Tables: Not necessary unless data retention beyond 30 days is needed. HUGE UPDATE - COST SAVINGS OPPORTUNITY HERE
Microsoft Sentinel E5 Benefit: No changes.
Default Retention: Remains 30 days for XDR data and 90 days for Microsoft Sentinel data.
Copilot for Security
Licensing: A Copilot for Security license includes the Microsoft Defender for Threat Intelligence (MDTI) license.
Want to learn more?
BY:
José Lázaro Pinos, Global Head of Consulting - VP, Performanta
Marcus Burnap, Principal Microsoft Consultant, Performanta