Azure Defender and Azure Sentinel Alerts Bi-Directional Sync

Azure Defender & Sentinel Alerts Bi-Directional Sync

Azure Defender and Azure Sentinel bi-directional status sync will help you work seamlessly with Azure Defender & Sentinel by automatically syncing alerts and incidents statuses between the products.

Close or updated incidents in Azure Sentinel containing Azure Defender alerts will automatically update the alert in the Azure Defender portal, and alerts closed in the Azure Defender will be reflected as such in Sentinel.

This new game changing capability will reduce the overhead of doing duplicated changes in both products for your security analysts and reduce the overall time to respond to incidents

Common Use-Cases & Scenarios:

• Security operations team working in Sentinel and want to keep Azure Defender portal synced.

• Workload owners working in Azure Defender and want to provide visibility to security operations teams using Sentinel.

To enable this feature, you’ll need to goto Azure Sentinel, Data Connectors, then Azure Defender, open the blade and you can enable bi-directional sync

Then to create a Sample alerts, goto “Security Alerts” within Azure Security Center

Click “Sample Alerts”

Select your Subscription and you can “check and uncheck” the Defender plans you want to include or exclude (tbh I would leave them all checked…leave no stone unturned)

Now if you navigate to the Azure Sentinel (the workspace which Security Center/Defender is connected too)

Click your incidents pane under Threat Management and you’ll see a whole array of new incidents (this will be quite overwhelming at first sight)

Click on one of the Alerts, and select “View Full details” in the preview pane

Change the status of the incident to “Closed”

Once closed, wait a few seconds then click “Investigate in Azure Defender”

The alert status should automatically be populated as “Dismissed” in the Azure Defender Portal

I think this is a lovely little feature from Microsoft again for Sentinel, they’re always changing the game and updating it with more and more features, I do however think it should give the User some sort of “prompt” to say “hey do you want me to clear this in Defender as well” just my 2 Cents…

If you accidently close it, and it closes the Defender Alert and you look back on your Incident reports, you’ll miss the fact that an Alert was accidently closed, which may have been a true positive and the Alert may go completely un-missed, this is coming from the perspective of the SOC Team is separate from the Infrastructure Security Team (again this is my 2 cents)

Mor info can be found here https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center

alwayssecurity #alwaysready #alwayscloud #alwaysazure


One thought on “Azure Defender and Azure Sentinel Alerts Bi-Directional Sync

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s