What Benefits Does Unified SecOps Deliver?
During Ignite 2023, Microsoft hyped the ‘Unified Security Operations Platform.’ The product’s goal is to deliver a simpler experience for security analysts working with the Microsoft Security stack. Sentinel will be integrated into the Defender portal to create a single pane of glass.
Besides a reworked UI, Microsoft is investigating integrating Defender XDR and Sentinel to ensure optimum usage of both. In this article, I introduce you to what is available right now, discuss what Microsoft is building, and ask whether you need this functionality.
Integration Gaps
If you work with both Defender XDR and Sentinel, you might know that they don’t always play well together. Here are some of the current limitations:
- If you receive a Defender incident in Sentinel, you must navigate to the Defender portal to execute the investigation as key investigation features like the alert story and device timeline, which are not available in Sentinel.
- While you can sync raw hunting data from Defender into Sentinel, I don’t recommend this because of the high cost (20 dollars per device per month).
- Automation capabilities within Defender are lacking compared to Sentinel. There is no easy way to add your own custom automation flows like there is with Playbooks in Sentinel.
- If you use Sentinel as the main incident queue, the Defender incidents are visible in the queue. The issue is that the bi-directional synchronization does not work 100% correctly. Properties like description and priority are not synchronized, meaning you must go to Defender to view the latest information.
- While you can create scheduled incidents using analytic rules in Sentinel, Defender uses custom detection rules. For me, analytic rules are superior because they support more capabilities and granularity. Features like dynamic alert stories, different entities, and incident generation properties are lacking in custom detection.
Available Capabilities in Unified SecOps
To add a Sentinel workspace into the unified platform, navigate to the settings pane in Defender XDR, select Microsoft Sentinel and connect your primary environment.
Currently, the integration is largely limited to a visual change. Instead of navigating to the Azure portal to visit Sentinel, you can use a dedicated blade within the Microsoft Security center.
As you can see in Figure 1, the blades available in the Azure Portal are available within Microsoft Defender XDR.
The main differentiator is the unified advanced hunting experience. A lot of organizations have data in both Defender and Sentinel. While Defender holds important identity and device data (originating from Defender for Endpoint), Sentinel has the capability to save third-party logs such as networking and applications logs. If you want to query across the two data sources, you have the option to synchronize all tables from Defender to Sentinel. With the new ‘unified hunting’ experience, it is now possible to hunt across Sentinel and Defender without needing to pay for the ingestion of Defender data into Sentinel.
Here’s a query that shows how unified hunting works. The query retrieves IPS (Intrusion Prevention System) hits from a FortiGate Firewall and connects it to processes running on a device identified using the IP address from the DeviceNetworkInfo table. This shows the strength of the integration: you can easily hunt across Sentinel and Defender data and connect both data sources.
CommonSecurityLog | where DeviceVendor == "Fortinet" and DeviceProduct startswith "Fortigate" | where DeviceEventCategory contains "utm:ips" | join (DeviceNetworkInfo | mv-expand todynamic(IPAddresses) | extend IPAddress=IPAddresses.IPAddress) on $left.SourceIP == $right.IPAddress | join (DeviceProcessEvents | summarize make_list(FileName) by DeviceName) on DeviceName
Microsoft also boasts that they have a new ‘unified incidents’ view. While it is true that such a view was previously unavailable in the Defender portal, Sentinel has always had the capability to display incidents from both Sentinel and Defender XDR. By having the unified SecOps platform, all previous limitations are not eliminated as the products boast a full integration where all fields are visible across Sentinel and Defender incidents.
The Goal of Unified SecOps
The current capabilities of Unified SecOps are a bit underwhelming. While the unified hunting experience is nice, it’s the only interesting feature delivered to date. All the other features are just a reskin of an existing portal.
That is why it’s important to focus on Microsoft’s end-goal. Microsoft wants to unite Microsoft Sentinel and Defender XDR into a single platform. Uniting them means that they include features across products and use those features to maximum effect.
If deployed correctly, Microsoft’s vision will have a positive impact on Defender and Sentinel because there aren’t many platforms that bring an XDR (Extended Detection and Response), SIEM (Security Information and Event Management), and SOAR (Security Orchestration, Automation and Response) system together into a single pane of glass. By integrating these components, we avoid the ‘portal’ spam that Microsoft has in their cloud eco-system.
The details of the ‘end-state’ are not known and it will take some time before we can assess what Microsoft is building. In announcements, Microsoft has mentioned the following capabilities:
- Uniform incident creation: Convergence of analytic rules and custom detections to use the best of both worlds. At RSA in May 2024, Microsoft announced the support for custom detections for both Defender and Sentinel data.
- Embedded support for Copilot for Security within the Security portal, including integrations for both Sentinel and Defender capabilities.
- Automatic attack disruption across both Defender and Sentinel, meaning it can stop attacks dead in their tracks – independent of the origin of the incident.
What Does Unified SecOps Mean for You?
At first, the Unified SecOps announcement seems like ‘Yet another portal change.’ However, the initiative has the potential to deliver real benefits to security administrators. I eagerly anticipate the following capabilities:
- Unified hunting and incident experience. By having both data sources (Sentinel and Defender) available in one place, we can stop switching portals when investigating an incident. Hunting, incident queue, and investigation capabilities will be shared across Defender and Sentinel.
- By applying Sentinel’s automation capabilities, we can augment existing workflows and have more native integrations between both products.
Before you enable Unified SecOps, it is important to understand the limitations of this preview. A full list is available on Microsoft Learn, here are the most important limitations:
- You can only add a single Sentinel workspace to your Defender instance. If you have multiple Sentinel workspaces, this is not a configuration I recommend.
- Configuration changes to Sentinel still must be done through the Azure portal. While the blades are available in the Defender portal, they are just links to the Azure portal.
- All current Microsoft incident creation rules will be disabled. This might be the most important limitation. At our SOC, we still use these rules for specific Identity Protection use cases.
Don’t Rush to Enable Unified SecOps
The limitations within this preview mean that you should take things slowly. The benefits are not large because the current feature set is limited. However, I like Microsoft’s vision and I look forward to where they will bring the product.
