If you are a Microsoft Cloud or security enthusiast, you’ve probably heard of Microsoft Sentinel. You might even actively use it, are currently testing it, or looking into the benefits. I often hear confusion around what Microsoft Sentinel does, and why you would use it. During these conversations, Microsoft 365 Defender often comes up as an alternative. In this article, I will describe the main capabilities of Microsoft Sentinel, how it differs from Microsoft 365 Defender, and why you would enable it.

Why should you care?

Before we jump into Microsoft Sentinel and compare it to Microsoft 365 Defender, we should first explain why you need to monitor your cloud infrastructure. Unfortunately, I see many companies buying security products with the mindset that simply by purchasing these products, they are ‘unhackable.’ The real work starts when you implement your chosen product.

No security product will detect 100% of the threats; the detection mechanism of any security product will fail eventually. It might classify active ransomware as a low severity threat or not detect it at all. Every security product requires constant tweaking. You need to tweak the security policies to make sure it’s configured correctly for your environment, and you need to feed it with data (detections and Indicators of compromise) specific to your organization.

Besides tweaking how a security product works, you also need to investigate the alerts or incidents it generates. While tools like Microsoft Defender for Endpoint include automated remediation, it doesn’t cover everything. You need to perform an in-depth investigation of an incident and verify how the threat entered your environment and if it was fully remediated. Without doing that due diligence, an end-user might click on another suspicious email, or a code planted by the attacker laying dormant in your environment, avoiding detection and waiting to strike.

Introducing Microsoft Sentinel

Microsoft Sentinel (renamed from Azure Sentinel during Ignite 2021) is Microsoft’s SIEM and SOAR product. SIEM stands for Security Information and Event Management, but an easier term to understand Sentinel’s functionality is ‘Log Aggregator’. Microsoft Sentinel can ingest a ton of logs and will parse and store the data. By using a specific query language called KQL (Kusto Query Language), an IT analyst can write queries to retrieve data. Using the same language, they can also create alerts and visualize data.

SOAR stands for Security Orchestration, Automation, and Response, which means Microsoft Sentinel can integrate with other systems and provide automation capabilities for those systems. Within Microsoft Sentinel, this happens through Azure Logic Apps.

By using Microsoft Sentinel, you can easily connect all your security tools and retain your logs in a central repository. From there you can query the data, set up rules to generate incidents, and automate responses to these incidents. This makes Microsoft Sentinel the perfect tool to get a bird’s eye view across your entire infrastructure and respond to incidents.

It’s important to note that Microsoft Sentinel is built on top of Azure ARM and is billed per use. Therefore, you need an Azure subscription to use Sentinel, or Microsoft will bill you for every gigabyte of data you ingest into Sentinel. However, a few exceptions exist. Ingesting alerts and incidents from other Microsoft security products is free, which makes it appealing for customers who primarily use the Microsoft security stack.

What about Microsoft 365 Defender?

You could argue that Microsoft 365 Defender fulfills the same roles as Microsoft Sentinel while focusing on Microsoft cloud security products. It’s important to note that Microsoft 365 Defender is Microsoft’s XDR tool. XDR stands for Extended Detection and Response, meaning it will detect threats across multiple security layers (such as email, endpoints, and identity).

While XDR is Microsoft 365 Defender’s primary use case use (correlating events across products and combining them into a single incident), the side benefit is that it also provides a single pane of glass across the current incidents over all Microsoft 365 Security products. This makes it a terrific way to get a bird’s eye view across Microsoft 365 without needing to pivot to individual workload portals. Many Microsoft 365 plans include Microsoft 365 Defender, and it isn’t billed based on usage like Microsoft Sentinel.

Is Microsoft 365 Defender enough?

A lot of organizations look at Microsoft Sentinel and think ‘Why would I need that when I have Microsoft 365 Defender?’ Microsoft Sentinel provides a ton of added value on top of Microsoft 365 Defender and every organization should consider using Sentinel. A few of these advantages are:

  • External data source. This might be the biggest advantage of them all. Microsoft 365 Defender only integrates with other Microsoft cloud products, while Microsoft Sentinel allows you to add third-party (on-premises) products. For example, how can you secure your environment if you can’t correlate data from the cloud with your firewall logs?
  • Incident handling. While Microsoft 365 Defender allows you to assign incidents and change the status, Microsoft Sentinel goes further and has a few useful capabilities when it comes to updating and documenting incidents. This includes the ability for additional statuses, assignment to groups, and support for markdown comments.
  • Automation. The APIs available for Microsoft 365 security products have a poor track record of accessibility and capabilities. While it includes some automation capabilities, Microsoft Sentinel is the champion here. Not only does it have many more API capabilities, but it also allows you to use Azure Logic Apps to automate incident handling. By using Logic Apps, you can easily automate some mundane tasks that happen within your environment. Logic Apps allow a wide range of automation capabilities, from enrichment data with third-party data sources to automatically quarantining devices in Microsoft Defender.
  • Support for Managed Security Service Providers (MSSP). Microsoft Sentinel includes some capabilities specifically targeted to MSSPs which provides an easier way of management across multiple tenants. Using Azure Lighthouse enables MSSPs to manage tenants at scale. One example is the ability to view the incidents from all customers in a single view, something that is currently not possible for Microsoft 365 Defender. Another is the ability to update the detection rules through a single Azure DevOps pipeline.

Microsoft Sentinel is not perfect, and one of my biggest gripes is the integration with Microsoft 365 Defender. While incidents will synchronize between Microsoft Sentinel and Microsoft 365 Defender, any investigation of an incident still needs to happen in Microsoft 365 Defender. This means you need to change context between the different portals as you track the course of problems.

Making the choice

Of course, whether you use Microsoft Sentinel is your choice. If you decide to use Sentinel, it is an additional product you need to understand, manage, and maintain. Although the setup and management of Microsoft Sentinel is simple, it deters many administrators. The advantages it provides on top of Microsoft 365 Defender (even if you only have Microsoft security products) outweigh the disadvantages and potential pitfalls. But it’s worth it to give Sentinel a trial and see how it works within your environment, and for your organization.

About the Author

Thijs Lecomte

Thijs is a security consultant out of Belgium, working at The Collective, an MSSP with a Microsoft-focused Security Operations Center. His work consists out of leading the SOC team and implementing Microsoft Security solutions (such as Microsoft Sentinel and Defender) as a consultant. He is an MVP in the Security category and is a regular speaker at events and user groups. His best-known publication is as co-author of the 'Microsoft 365 Security for the IT Pro' ebook.

Leave a Reply