Microsoft Sentinel for Microsoft 365 – a must have!

Microsoft Sentinel is a cloud-native SIEM and SOAR solution. Microsoft 365 ships with integrated security functions for Azure Active Directory (now Microsoft Entra ID), Microsoft Defender for Office 365, Microsoft Defender for Endpoint and Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps). However, these features do not cover every attack vector and vulnerability an attacker could exploit. In this blog post, I look at how Microsoft Sentinel extends the capabilities of Microsoft Defender XDR (and the other Defender products).

Microsoft Defender XDR

Note: Microsoft 365 Defender was rebranded at Microsoft Ignite 2023 and is now called Microsoft Defender XDR.

Microsoft Defender XDR provides broad protection against attack vectors such as phishing, malware, ransomware, identity theft and data breaches. It uses artificial intelligence and machine learning to analyze large volumes of signals from Microsoft services and third-party sources, and it automatically blocks or removes threats where it can. Valuable and powerful as it is, the product does not cover every attack vector and vulnerability, as described in the introduction. It also leaves room for improvement in incident handling, automated response and hunting, particularly where the data needed for a detection lies outside Microsoft 365 or outside Defender's retention window. This is where Microsoft Sentinel comes into play.

Microsoft Sentinel

The SIEM solution Microsoft Sentinel collects data from a wide range of sources and analyzes it. The data comes from deployed Azure services, on-premises systems and other cloud providers as well as from Microsoft Defender XDR. Sentinel gives organizations a holistic view of their security landscape, identifies anomalies and suspicious activity, and supports investigations with KQL queries. On top of this, incident response can be automated with playbooks (Azure Logic Apps), and custom analytics rules and dashboards (workbooks) can be built.

But now back to the actual topic. What is the effective benefit of linking Microsoft Defender XDR with Microsoft Sentinel? As noted above, the functions of Defender XDR do not cover every attack vector and vulnerability. Attacks that pass through systems Defender has no sensor on, such as lateral movement across on-premises network devices or third-party cloud services, cross-domain attacks that span Microsoft and non-Microsoft data, or long-running campaigns whose early traces have already aged out of Defender's retention window, may go undetected.

Sentinel vs Defender

The following table gives a rough overview of how the capabilities of the two products differ.

Capability | Microsoft 365 Defender (Defender XDR) | Microsoft Sentinel
Data sources | Mainly Microsoft 365 data | Microsoft 365 data plus any other cloud and on-premises data
Analytics rules | Predefined rules, plus custom detection rules that can only query Defender data | Predefined rules, user-defined rules and community rules (GitHub) over any ingested data
Investigation | Graphical interface and advanced hunting queries | Graphical interface and advanced hunting queries
Response | Predefined actions and automation | Predefined playbooks, user-defined playbooks and integration with other tools
M365 log retention | 7 to 180 days depending on plan and data type, with at most 30 days of raw data queryable in advanced hunting | 90 days of interactive retention free of charge, extendable to 2 years; archiving for a further 10 years possible
Integration | Mainly integrated with other Microsoft security solutions | Integrates with other Microsoft security solutions and third-party solutions

As the table shows, Microsoft Sentinel offers more flexibility and functionality than Microsoft 365 Defender on its own. That is why Microsoft 365 Defender should be supplemented with Sentinel. Integrating Microsoft 365 Defender into Microsoft Sentinel brings the following advantages:

  • Improved visibility: Microsoft Sentinel ingests Microsoft 365 Defender incidents and alerts and correlates them with other sources to build a comprehensive picture of the threat environment. Organizations can also use Sentinel to monitor the health and performance of the components Defender covers, such as devices, users, mailboxes and applications.
  • Faster response: Sentinel can trigger actions in Microsoft 365 Defender from predefined or user-defined rules, such as isolating a compromised device, blocking a malicious email or resetting a user password. Sentinel can also orchestrate complex response scenarios involving multiple teams and systems.
  • Less complexity: Sentinel presents all security data and alerts in a single pane. Organizations can also use Sentinel's built-in features such as connectors, workbooks, analytics and incidents to reduce manual configuration and maintenance effort.
  • Ready-to-use analytics rule templates: these help detect suspicious activity and anomalies in the Microsoft 365 environment, such as account compromise, data exfiltration, phishing campaigns and ransomware attacks. You can also write your own rules or import rules from the community.
  • Incident investigation via a graphical interface: the investigation graph shows the relationships between entities and events, and advanced hunting queries can search the ingested data sources for indicators of compromise. This helps to understand the scope and impact of an attack, find the root cause and take action.
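To make the correlation described above concrete, here is an added example that is not part of the original post: a KQL query for a Sentinel workspace that joins Defender XDR alerts (SecurityAlert) with Exchange audit events (OfficeActivity), both of which are free data types, to surface inbox-rule or mailbox changes made by an account shortly after Defender raised an alert on it. The column names are the standard Sentinel schema; the one-hour follow-up window and the list of Exchange operations are my assumptions.

```kql
// Added example, not from the original post. Assumes the standard Sentinel
// schemas for SecurityAlert and OfficeActivity; the 1h window and the operation
// list are assumptions, tune them to the environment.
let lookback = 7d;
let window   = 1h;
// Accounts named in Defender alerts, taken from the Entities JSON of each alert.
let alerted_accounts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | mv-expand Entity = parse_json(Entities)
    | where tostring(Entity.Type) == "account"
    | where isnotempty(tostring(Entity.UPNSuffix))
    | extend Upn = tolower(strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)))
    | project AlertTime = TimeGenerated, AlertName, AlertSeverity, ProviderName, Upn;
// Mailbox rule and permission changes from the Exchange audit log, joined to the
// alerted accounts and kept only when they fall within `window` after the alert.
OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "Exchange"
| where Operation in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox", "Add-MailboxPermission")
| extend Upn = tolower(UserId)
| join kind=inner alerted_accounts on Upn
| where TimeGenerated between (AlertTime .. (AlertTime + window))
| project AlertTime, AlertName, AlertSeverity, ProviderName, Upn,
          RuleTime = TimeGenerated, Operation, Parameters
| order by AlertTime desc
```

Saved as a scheduled analytics rule, this query turns two free data types into a detection that Defender XDR on its own does not make: Defender sees the alert, the Exchange audit log sees the rule change, and Sentinel joins the two. Because the join key is the user principal name, alert entities without a UPNSuffix (machine accounts, for example) are dropped by the isnotempty filter rather than matched against an empty string.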

Additional costs

Microsoft Sentinel is an Azure solution built on a Log Analytics workspace. Log data written to this workspace, and thus to Sentinel, incurs additional costs, which are made up of several factors:

  • Log Ingestion
  • Log Retention
  • Search queries and jobs (search jobs, data restore and queries against Basic Logs tables)

The costs therefore depend largely on how much log data is produced and how long it is kept (bearing in mind that the first 90 days of interactive retention are free in a workspace with Sentinel enabled). Actual costs are hard to predict, so caution is advised. However, several data types incur no additional charge for Sentinel or the Log Analytics workspace and can be ingested free of charge. These are the following connectors and data types:

Microsoft Sentinel data connector | Free data type
Azure Activity Logs | AzureActivity
Microsoft Entra ID Protection | SecurityAlert (IPC)
Office 365 | OfficeActivity (SharePoint), OfficeActivity (Exchange), OfficeActivity (Teams)
Microsoft Defender for Cloud | SecurityAlert (Defender for Cloud)
Microsoft Defender for IoT | SecurityAlert (Defender for IoT)
Microsoft Defender XDR | SecurityIncident, SecurityAlert
Microsoft Defender for Endpoint | SecurityAlert (MDATP)
Microsoft Defender for Identity | SecurityAlert (AATP)
Microsoft Defender for Cloud Apps | SecurityAlert (Defender for Cloud Apps)
Source: https://learn.microsoft.com/en-us/azure/sentinel/billing?tabs=classic%2Cfree-data-meters&WT.mc_id=AZ-MVP-5004129#free-data-sources

These connectors and data types can therefore be enabled free of charge. Interactive queries against data within its retention period are not billed; search jobs, data restore and queries against Basic Logs tables are billed per GB scanned, so a marginal cost can still arise from how the data is searched.
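To check the "free" claim against what a workspace actually bills, here is an added example that is not part of the original post: a query over the Usage table of the Log Analytics workspace, which records ingested volume per table together with whether that volume was billable. The list of free table names is copied from the connector table above; everything else is the standard Usage schema.

```kql
// Added example, not from the original post. Usage.Quantity is in MB; the
// free_tables list is copied from the connector table above.
let free_tables = dynamic(["AzureActivity", "OfficeActivity", "SecurityAlert", "SecurityIncident"]);
Usage
| where TimeGenerated > ago(31d)
// Only complete days, so partial days do not skew the daily average.
| where StartTime >= startofday(ago(30d)) and EndTime < startofday(now())
| summarize IngestedGB = round(sum(Quantity) / 1000.0, 3) by DataType, IsBillable
| extend ListedAsFree = set_has_element(free_tables, DataType)
| extend DailyAvgGB = round(IngestedGB / 30.0, 3)
| order by IsBillable desc, IngestedGB desc
```

Rows with IsBillable == true and ListedAsFree == true deserve a second look rather than being treated as a contradiction: IsBillable is reported per table, and the free allowance for SecurityAlert covers only the Microsoft providers listed above, so alerts from other connectors that land in the same table are charged. The daily average is the figure to multiply by the ingestion price and the retention period when estimating what a connector that is not on the free list will cost.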

Personal conclusion

Microsoft 365 Defender supplemented with Microsoft Sentinel brings various advantages. If you limit yourself to the free data sources, you even get these advantages almost for free. The greater flexibility, the additional automation options, the longer retention period and the better and longer searchability of the log data (keyword: active/passive) that Sentinel brings with it all point one way: in my opinion, Microsoft Sentinel should be enabled for every Microsoft 365 environment in which security matters, even if Sentinel is not yet actively used and managed, because in the event of an incident there are more options available than without it. Is Microsoft Sentinel a "must have" for Microsoft 365? For me, the answer is yes.
