Implement Microsoft Sentinel and Microsoft Defender XDR for Zero Trust

This solution guide walks through the process of setting up Microsoft extended detection and response (XDR) tools together with Microsoft Sentinel to accelerate your organization’s ability to respond to and remediate cybersecurity attacks.

Microsoft Defender XDR is an XDR solution that automatically collects, correlates, and analyzes signal, threat, and alert data from across your Microsoft 365 environment.

Microsoft Sentinel is a cloud-native solution that provides security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities. Together, Microsoft Sentinel and Microsoft Defender XDR provide a comprehensive solution to help organizations defend against modern attacks.

This guidance helps you mature your Zero Trust architecture by mapping the principles of Zero Trust in the following ways.

| Zero Trust principle | Met by |
| --- | --- |
| Verify explicitly | Microsoft Sentinel collects data from across the environment and analyzes threats and anomalies so that your organization, and any automation you implement, can act on all available and verified data points.<br><br>Microsoft Defender XDR provides extended detection and response across users, identities, devices, apps, and email. Configure Microsoft Sentinel automation to use the risk-based signals captured by Microsoft Defender XDR to take action, such as blocking or authorizing traffic based on the level of risk. |
| Use least privileged access | Microsoft Sentinel detects anomalous activity through its User and Entity Behavior Analytics (UEBA) engine. Because security scenarios can change over time, and often very quickly, Microsoft Sentinel's threat intelligence also imports data from Microsoft or third-party providers to detect new, emerging threats and provide extra context for investigations.<br><br>Microsoft Defender XDR includes Microsoft Entra ID Protection, which can block users based on the level of identity risk. Feed any related data into Microsoft Sentinel for further analysis and automation. |
| Assume breach | Microsoft Defender XDR continuously scans the environment for threats and vulnerabilities. Microsoft Sentinel analyzes collected data and each entity's behavioral trends to detect suspicious activity, anomalies, and multi-stage threats across the enterprise.<br><br>Both Microsoft Defender XDR and Microsoft Sentinel can implement automated remediation tasks, including automated investigations, device isolation, and data quarantine. Device risk can be used as a signal to feed into Microsoft Entra Conditional Access. |

Microsoft Sentinel and XDR architecture

Microsoft Sentinel customers can use one of the following methods to integrate Microsoft Sentinel with Microsoft Defender XDR services:

  • Use Microsoft Sentinel data connectors to ingest Microsoft Defender XDR service data into Microsoft Sentinel. In this case, view Microsoft Sentinel data in the Azure portal.

  • Integrate Microsoft Sentinel and Microsoft Defender XDR into a single, unified security operations platform in the Microsoft Defender portal. In this case, view Microsoft Sentinel data directly in the Microsoft Defender portal with the rest of your Defender incidents, alerts, vulnerabilities, and other security data.

This solution guide provides information for both methods. Throughout this solution guide, select the tab that's relevant for your workspace. If you've onboarded your workspace to the unified security operations platform, work in the Defender portal. If you haven't onboarded your workspace, work in the Azure portal unless otherwise indicated.

The following illustration shows how Microsoft's XDR solution integrates with Microsoft Sentinel through the unified security operations platform.

Diagram of a Microsoft Sentinel and Microsoft Defender XDR architecture with the unified security operations platform.

In this diagram:

  • Insights from signals across your entire organization feed into Microsoft Defender XDR and Microsoft Defender for Cloud.
  • Microsoft Sentinel provides support for multicloud environments and integrates with third-party apps and partners.
  • Microsoft Sentinel data is ingested together with your organization's data into the Microsoft Defender portal.
  • SecOps teams can then analyze and respond to threats identified by Microsoft Sentinel and Microsoft Defender XDR in the Microsoft Defender portal.

Implementing Microsoft Sentinel and Microsoft Defender XDR for Zero Trust

Microsoft Defender XDR is an XDR solution that complements Microsoft Sentinel. An XDR pulls raw telemetry data from across multiple services, such as cloud applications, email security, and identity and access management.

Using artificial intelligence (AI) and machine learning, the XDR then performs automatic analysis, investigation, and response in real time. The XDR solution also correlates security alerts into larger incidents, providing security teams greater visibility into attacks, and provides incident prioritization, helping analysts understand the risk level of the threat.

With Microsoft Sentinel, you can connect to many security sources using built-in connectors and industry standards. With its AI, you can correlate multiple low-fidelity signals spanning multiple sources to create a complete view of a ransomware kill chain and prioritized alerts.

Applying SIEM and XDR capabilities

In this section, we look at a typical attack scenario involving a phishing attack, and then at how to respond to the resulting incident with Microsoft Sentinel and Microsoft Defender XDR.

Common attack order

The following diagram shows a common attack order of a phishing scenario.

Diagram of a common attack scenario and defenses provided by Microsoft security products.

The diagram also shows the Microsoft security products in place to detect each attack step and how attack signals and SIEM data flow to Microsoft Defender XDR and Microsoft Sentinel.

Here's a summary of the attack.

| Attack step | Detection service and signal source | Defenses in place |
| --- | --- | --- |
| 1. Attacker sends phishing email | Microsoft Defender for Office 365 | Protects mailboxes with advanced anti-phishing features that can protect against malicious impersonation-based phishing attacks. |
| 2. User opens attachment | Microsoft Defender for Office 365 | The Microsoft Defender for Office 365 Safe Attachments feature opens attachments in an isolated environment for more threat scanning (detonation). |
| 3. Attachment installs malware | Microsoft Defender for Endpoint | Protects endpoints from malware with its next generation protection features, such as cloud-delivered protection and behavior-based/heuristic/real-time antivirus protection. |
| 4. Malware steals user credentials | Microsoft Entra ID and Microsoft Entra ID Protection | Protects identities by monitoring user behavior and activities, detecting lateral movement, and alerting on anomalous activity. |
| 5. Attacker moves laterally across Microsoft 365 apps and data | Microsoft Defender for Cloud Apps | Can detect anomalous activity of users accessing cloud apps. |
| 6. Attacker downloads sensitive files from a SharePoint folder | Microsoft Defender for Cloud Apps | Can detect and respond to mass download events of files from SharePoint. |
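
The value of the XDR/SIEM pairing described in this section is that individually weak signals from different services become one prioritized incident once they are correlated on a shared entity. The following Python script is an added example, not Microsoft code, that models that correlation step for the six-step phishing chain in the table above: it pivots constructed alerts on the affected user, raises an incident only when a user appears in more than one kill-chain step, and ranks incidents by how far down the chain the attack has progressed rather than by summing severities. The `Alert` shape, the service labels used as `source`, the signal names, and the priority thresholds are all assumptions made for this illustration; they are not the Defender XDR or Fusion algorithms.

```python
"""Correlate low-fidelity alerts from several security services into prioritized
incidents that follow the six-step phishing chain in the table above.

Added example, not Microsoft code. The Alert shape, the service names used as
`source`, the signal names, and the priority thresholds are constructed for
illustration; this models what a correlation engine does conceptually, not the
Defender XDR or Fusion algorithms themselves.
"""
from collections import defaultdict
from dataclasses import dataclass

# Kill-chain steps in the order the attack-chain table lists them. The index is
# used as the "depth" of compromise: a later step means the attacker has gone
# further than a mailbox-level threat.
STEP_ORDER = [
    "phishing_email",        # 1. Defender for Office 365
    "attachment_detonated",  # 2. Defender for Office 365 Safe Attachments
    "malware_on_endpoint",   # 3. Defender for Endpoint
    "risky_sign_in",         # 4. Entra ID Protection
    "anomalous_app_access",  # 5. Defender for Cloud Apps
    "mass_download",         # 6. Defender for Cloud Apps
]
STEP_INDEX = {name: i for i, name in enumerate(STEP_ORDER)}
PRIORITY_RANK = {"medium": 1, "high": 2}


@dataclass(frozen=True)
class Alert:
    source: str    # detecting service (constructed label)
    signal: str    # one of STEP_ORDER
    user: str      # principal the alert concerns; used as the pivot key
    severity: str  # severity as reported by the source


# Constructed sample alerts. Individually most are low or medium severity; only
# correlation across sources shows the full chain for one user.
CONSTRUCTED_ALERTS = [
    Alert("Defender for Office 365", "phishing_email", "alice@contoso.example", "low"),
    Alert("Defender for Office 365", "attachment_detonated", "alice@contoso.example", "medium"),
    Alert("Defender for Endpoint", "malware_on_endpoint", "alice@contoso.example", "medium"),
    Alert("Entra ID Protection", "risky_sign_in", "alice@contoso.example", "medium"),
    Alert("Defender for Cloud Apps", "mass_download", "alice@contoso.example", "medium"),
    Alert("Defender for Office 365", "phishing_email", "bob@contoso.example", "low"),
    Alert("Defender for Office 365", "phishing_email", "carol@contoso.example", "low"),
    Alert("Defender for Office 365", "attachment_detonated", "carol@contoso.example", "low"),
    Alert("Entra ID Protection", "risky_sign_in", "dave@contoso.example", "low"),
    Alert("Defender for Cloud Apps", "anomalous_app_access", "dave@contoso.example", "low"),
]


def prioritize(step_indexes):
    """Priority depends on how deep the chain reaches, not on summing severities.
    Reaching credential theft (step 4) or later, or covering four or more steps,
    means the attacker is past the mailbox, so the incident is treated as high."""
    if step_indexes[-1] >= STEP_INDEX["risky_sign_in"] or len(step_indexes) >= 4:
        return "high"
    return "medium"


def correlate(alerts, min_steps=2):
    """Pivot alerts on the user and raise one incident per user who appears in at
    least `min_steps` distinct kill-chain steps. Incidents are returned with the
    most advanced attack first."""
    by_user = defaultdict(list)
    for alert in alerts:
        if alert.signal not in STEP_INDEX:
            raise ValueError(f"unknown signal {alert.signal!r}")
        by_user[alert.user].append(alert)

    incidents = []
    for user, items in by_user.items():
        step_indexes = sorted({STEP_INDEX[a.signal] for a in items})
        if len(step_indexes) < min_steps:
            continue  # a lone phishing alert stays an alert, not an incident
        incidents.append({
            "user": user,
            "steps": [STEP_ORDER[i] for i in step_indexes],
            "sources": sorted({a.source for a in items}),
            "alert_count": len(items),
            "priority": prioritize(step_indexes),
        })
    incidents.sort(key=lambda inc: (PRIORITY_RANK[inc["priority"]], len(inc["steps"])),
                   reverse=True)
    return incidents


if __name__ == "__main__":
    for inc in correlate(CONSTRUCTED_ALERTS):
        print(f"{inc['priority'].upper():6} {inc['user']}: {' -> '.join(inc['steps'])} "
              f"({inc['alert_count']} alerts from {len(inc['sources'])} sources)")
```

Run as-is, the script produces three incidents: alice (five steps across four services) ranks first, dave ranks second as high even though he has only two low-severity alerts, because those alerts sit after the credential-theft step, and carol's two mailbox-stage alerts produce a medium incident. bob's single phishing alert never becomes an incident, which is the alert-volume reduction the section attributes to correlation.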

If you onboarded your Microsoft Sentinel workspace to the unified security operations platform, SIEM data is available with Microsoft Sentinel directly in the Microsoft Defender portal.

Incident response using Microsoft Sentinel and Microsoft Defender XDR

Now that we've seen how a common attack takes place, let's look into using the integration of Microsoft Sentinel and Microsoft Defender XDR for incident response.

Select the relevant tab for your workspace depending on whether you onboarded your workspace to the unified security operations platform.

After integrating Microsoft Sentinel and Microsoft Defender XDR by onboarding your workspace to the unified security operations platform, complete all incident response steps directly in the Microsoft Defender portal, just as you would for other Microsoft Defender XDR incidents. Supported steps include everything from triage to investigation and resolution.

Use the Microsoft Sentinel area in the Microsoft Defender portal for features unavailable with the Defender portal alone.

For more information, see Respond to an incident using Microsoft Sentinel and Microsoft Defender XDR.

Key capabilities

To implement a Zero Trust approach to managing incidents, use these Microsoft Sentinel and XDR features.

| Capability or feature | Description | Product |
| --- | --- | --- |
| Automated Investigation & Response (AIR) | AIR capabilities are designed to examine alerts and take immediate action to resolve breaches. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives. | Microsoft Defender XDR |
| Advanced hunting | Advanced hunting is a query-based threat hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events on your network to locate threat indicators and entities. The flexible access to data enables unconstrained hunting for both known and potential threats. | Microsoft Defender XDR |
| Custom file indicators | Prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. | Microsoft Defender XDR |
| Cloud discovery | Cloud Discovery analyzes traffic logs collected by Defender for Endpoint and assesses identified apps against the cloud app catalog to provide compliance and security information. | Microsoft Defender for Cloud Apps |
| Custom network indicators | By creating indicators for IPs and URLs or domains, you can allow or block IPs, URLs, or domains based on your own threat intelligence. | Microsoft Defender XDR |
| Endpoint detection and response (EDR) in block mode | Provides added protection from malicious artifacts when Microsoft Defender Antivirus (MDAV) isn't the primary antivirus product and is running in passive mode. EDR in block mode works behind the scenes to remediate malicious artifacts that were detected by EDR capabilities. | Microsoft Defender XDR |
| Device response capabilities | Quickly respond to detected attacks by isolating devices or collecting an investigation package. | Microsoft Defender XDR |
| Live response | Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time. | Microsoft Defender XDR |
| Secure cloud applications | A development security operations (DevSecOps) solution that unifies security management at the code level across multicloud and multiple-pipeline environments. | Microsoft Defender for Cloud |
| Improve your security posture | A cloud security posture management (CSPM) solution that surfaces actions that you can take to prevent breaches. | Microsoft Defender for Cloud |
| Protect cloud workloads | A cloud workload protection platform (CWPP) with specific protections for servers, containers, storage, databases, and other workloads. | Microsoft Defender for Cloud |
| User and Entity Behavior Analytics (UEBA) | Analyzes the behavior of organization entities (such as users, hosts, IP addresses, and applications). | Microsoft Sentinel<br><br>For onboarded workspaces, Microsoft Sentinel in the unified security operations platform |
| Fusion | A correlation engine based on scalable machine learning algorithms. Automatically detects multistage attacks, also known as advanced persistent threats (APTs), by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. | Microsoft Sentinel<br><br>For onboarded workspaces, Microsoft Sentinel in the unified security operations platform |
| Threat intelligence | Use Microsoft or third-party providers to enrich data and provide extra context around activities, alerts, and logs in your environment. | Microsoft Sentinel<br><br>For onboarded workspaces, Microsoft Sentinel in the unified security operations platform |
| Automation | Automation rules are a way to centrally manage automation with Microsoft Sentinel by letting you define and coordinate a small set of rules that can apply across different scenarios. | Microsoft Sentinel<br><br>For onboarded workspaces, Microsoft Sentinel in the unified security operations platform |
| Anomaly rules | Anomaly rule templates use machine learning to detect specific types of anomalous behavior. | Microsoft Sentinel<br><br>For onboarded workspaces, Microsoft Sentinel in the unified security operations platform |
| Scheduled queries | Built-in rules written by Microsoft security experts that search through logs collected by Microsoft Sentinel for suspicious activity chains and known threats. | Microsoft Sentinel<br><br>For onboarded workspaces, Microsoft Sentinel in the unified security operations platform |
| Near-real-time (NRT) rules | NRT rules are a limited set of scheduled rules, designed to run once every minute, in order to supply you with information as up-to-the-minute as possible. | Microsoft Sentinel<br><br>For onboarded workspaces, Microsoft Sentinel in the unified security operations platform |
| Hunting | To help security analysts look proactively for new anomalies that weren't detected by your security apps or even by your scheduled analytics rules, Microsoft Sentinel's built-in hunting queries guide you into asking the right questions to find issues in the data you already have on your network. | Microsoft Sentinel<br><br>For onboarded workspaces, use the Microsoft Defender portal's advanced hunting functionality. |
| Microsoft Defender XDR connector | The Microsoft Defender XDR connector synchronizes logs and incidents to Microsoft Sentinel. | Microsoft Defender XDR and Microsoft Sentinel<br><br>For onboarded workspaces, Microsoft Sentinel in the unified security operations platform |
| Data connectors | Allow for the ingestion of data for analysis in Microsoft Sentinel. | Microsoft Sentinel<br><br>For onboarded workspaces, Microsoft Sentinel in the unified security operations platform |
| Content hub solution: Zero Trust (TIC 3.0) | Zero Trust (TIC 3.0) includes a workbook, analytics rules, and a playbook, which provide an automated visualization of Zero Trust principles, cross-walked to the Trusted Internet Connections (TIC) framework, helping organizations to monitor configurations over time. | Microsoft Sentinel<br><br>For onboarded workspaces, Microsoft Sentinel in the unified security operations platform |
| Security orchestration, automation, and response (SOAR) | Using automation rules and playbooks in response to security threats increases your SOC's effectiveness and saves you time and resources. | Microsoft Sentinel<br><br>For onboarded workspaces, Microsoft Sentinel in the unified security operations platform |
| SOC optimizations | Close coverage gaps against specific threats and tighten your ingestion rates against data that doesn't provide security value. | |
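
The Automation and SOAR rows above describe automation rules as a small, centrally managed set of rules that are evaluated in order against incidents and that can change incident fields or run playbooks. The Python script below is an added example, not Microsoft code, that shows the mechanics of such a rule set on a constructed incident: rules have a trigger, ANDed conditions, an ordered list of actions, an order number, and an optional expiration date, and each matching rule is applied in order. The rule dictionary format, the operator names, the in-memory playbook registry that stands in for Logic Apps playbooks, and the assumption that a later rule sees the field changes made by an earlier one are all this example's own, not the Sentinel API.

```python
"""Evaluate Sentinel-style automation rules against a constructed incident.

Added example, not Microsoft code. The rule format, operator names, the
in-memory playbook registry, and the assumption that later rules see changes
made by earlier rules are all constructed for this illustration.
"""
from datetime import date


def condition_holds(incident, field, op, expected):
    """Evaluate one condition. Conditions within a rule are ANDed; the operators
    here are a small constructed subset."""
    actual = incident.get(field)
    if op == "equals":
        return actual == expected
    if op == "contains":  # substring for strings, membership for lists
        return actual is not None and expected in actual
    if op == "in":
        return actual in expected
    raise ValueError(f"unsupported operator {op!r}")


def apply_action(incident, kind, value, playbooks):
    """Mutate the incident the way the named action type would."""
    if kind == "severity":
        incident["severity"] = value
    elif kind == "status":
        incident["status"] = value
    elif kind == "assign":
        incident["owner"] = value
    elif kind == "tag":
        if value not in incident["tags"]:
            incident["tags"].append(value)
    elif kind == "playbook":
        playbooks[value](incident)  # KeyError if the playbook is not registered
    else:
        raise ValueError(f"unsupported action {kind!r}")


def run_automation(incident, rules, trigger, playbooks, today):
    """Apply every matching, unexpired rule for `trigger` in ascending `order`.
    The incident is updated in place; the names of the applied rules are returned."""
    applied = []
    for rule in sorted(rules, key=lambda r: r["order"]):
        if rule["trigger"] != trigger:
            continue
        if rule.get("expires") is not None and rule["expires"] < today:
            continue  # expired rules are skipped, not deleted
        if all(condition_holds(incident, *cond) for cond in rule["conditions"]):
            for kind, value in rule["actions"]:
                apply_action(incident, kind, value, playbooks)
            applied.append(rule["name"])
    return applied


# Constructed playbooks: real ones would be Logic Apps; these only record that
# they ran so the effect of the rules is visible.
def notify_data_owner(incident):
    incident["playbooks_run"].append("Notify-DataOwner")


def isolate_device(incident):
    incident["playbooks_run"].append("Isolate-Device")


CONSTRUCTED_PLAYBOOKS = {"Notify-DataOwner": notify_data_owner, "Isolate-Device": isolate_device}

CONSTRUCTED_RULES = [
    {   # Escalate any Defender XDR incident that includes an exfiltration tactic.
        "name": "escalate-exfiltration", "order": 1, "trigger": "incident_created",
        "expires": None,
        "conditions": [("provider", "equals", "Microsoft Defender XDR"),
                       ("tactics", "contains", "Exfiltration")],
        "actions": [("severity", "High"), ("tag", "possible-exfiltration"),
                    ("assign", "tier2-oncall"), ("playbook", "Notify-DataOwner")],
    },
    {   # Contain High-severity incidents; sees the severity set by rule 1 (assumption).
        "name": "contain-high", "order": 2, "trigger": "incident_created", "expires": None,
        "conditions": [("severity", "equals", "High")],
        "actions": [("playbook", "Isolate-Device")],
    },
    {   # Time-boxed exception for an authorized phishing simulation; expired, so skipped.
        "name": "close-phishing-simulation", "order": 3, "trigger": "incident_created",
        "expires": date(2024, 1, 31),
        "conditions": [("tactics", "contains", "InitialAccess")],
        "actions": [("status", "Closed")],
    },
]


def constructed_incident():
    """A constructed multi-stage phishing incident as the rules would see it."""
    return {"title": "Multi-stage phishing incident for alice@contoso.example",
            "provider": "Microsoft Defender XDR", "severity": "Medium", "status": "New",
            "tactics": ["InitialAccess", "CredentialAccess", "Exfiltration"],
            "owner": None, "tags": [], "playbooks_run": []}


def run_demo(today_iso):
    """Run the constructed rules against a fresh constructed incident on a given date."""
    incident = constructed_incident()
    applied = run_automation(incident, CONSTRUCTED_RULES, "incident_created",
                             CONSTRUCTED_PLAYBOOKS, date.fromisoformat(today_iso))
    return applied, incident


if __name__ == "__main__":
    applied, incident = run_demo("2025-06-01")
    print("applied rules:", applied)
    print("incident after automation:", incident)
```

The expired simulation rule is the point to notice: it still matches the incident's tactics, but because the exception has lapsed it is skipped and the incident stays open. Time-boxing exceptions like this keeps a temporary suppression from silently becoming a permanent blind spot, which is the "verify explicitly" principle applied to the automation itself.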

What's in this solution

This solution steps you through the implementation of Microsoft Sentinel and XDR so that your security operations team can effectively remediate incidents using a Zero Trust approach.

Image of Microsoft Sentinel and XDR solution steps

Training content doesn't currently cover the unified security operations platform.

Training: Connect Microsoft Defender XDR to Microsoft Sentinel
Learn about the configuration options and data provided by Microsoft Sentinel connectors for Microsoft Defender XDR.

Next steps

Use these steps to implement Microsoft Sentinel and XDR for a Zero Trust approach:

  1. Set up your XDR tools
  2. Architect your Microsoft Sentinel workspace
  3. Ingest data sources
  4. Respond to an incident

Also see these articles for applying Zero Trust principles to Azure: