Azure Defender & Sentinel Alerts Bi-Directional Sync
Azure Defender and Azure Sentinel bi-directional status sync lets you work seamlessly across Azure Defender and Sentinel by automatically syncing alert and incident statuses between the two products.
Closed or updated incidents in Azure Sentinel that contain Azure Defender alerts will automatically update the alert in the Azure Defender portal, and alerts closed in Azure Defender will be reflected as such in Sentinel.
This new game-changing capability reduces the overhead of making duplicate changes in both products for your security analysts and reduces the overall time to respond to incidents.
Common Use-Cases & Scenarios:
• Security operations teams working in Sentinel who want to keep the Azure Defender portal in sync.
• Workload owners working in Azure Defender who want to give visibility to security operations teams using Sentinel.
To enable this feature, go to Azure Sentinel, then Data Connectors, then Azure Defender; open the connector blade and you can enable bi-directional sync.
Then, to create some sample alerts, go to “Security Alerts” within Azure Security Center.
Click “Sample Alerts”
Select your subscription and you can check and uncheck the Defender plans you want to include or exclude (tbh I would leave them all checked…leave no stone unturned).
Now navigate to Azure Sentinel (the workspace that Security Center/Defender is connected to).
Click your Incidents pane under Threat Management and you’ll see a whole array of new incidents (this will be quite overwhelming at first sight).
Click on one of the alerts and select “View full details” in the preview pane.
Change the status of the incident to “Closed”.
Once closed, wait a few seconds, then click “Investigate in Azure Defender”.
The alert status should automatically be populated as “Dismissed” in the Azure Defender portal.
I think this is a lovely little feature from Microsoft again for Sentinel; they’re always changing the game and updating it with more and more features. I do, however, think it should give the user some sort of “prompt” to say “hey, do you want me to clear this in Defender as well?” Just my 2 cents…
If you accidentally close it, and it closes the Defender alert, and you later look back on your incident reports, you’ll miss the fact that an alert was accidentally closed, which may have been a true positive, and the alert may go completely un-missed. This is coming from the perspective of a SOC team that is separate from the infrastructure security team (again, this is my 2 cents).
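One way to keep an eye on the scenario above without waiting for Microsoft to add a prompt is to audit, in the Sentinel workspace itself, every incident that was closed while containing an Azure Defender alert, since each of those closures is what the sync turns into a “Dismissed” alert on the Defender side. The KQL query below is an added example for this post, not something from the original post or from the Microsoft docs. It uses the standard Sentinel `SecurityIncident` and `SecurityAlert` tables; the 30-day lookback and the `ProductName` value used to pick out Defender alerts are assumptions you should adjust for your own workspace.

```kql
// Added example (not from the original post): list incidents that were closed in
// Sentinel while they contained Azure Defender alerts, with who closed them and
// how they were classified, so an accidental close is still reviewable.
// Assumptions: 30-day lookback; Defender alerts arrive in SecurityAlert with
// ProductName "Azure Security Center" (the Security Center / Azure Defender source).
let lookback = 30d;
// Latest known name/severity for each Defender alert, keyed by its alert id.
let DefenderAlerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where ProductName == "Azure Security Center"
    | summarize arg_max(TimeGenerated, AlertName, AlertSeverity) by SystemAlertId;
SecurityIncident
| where TimeGenerated > ago(lookback)
// Keep only the most recent state of each incident (the table is append-only).
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status == "Closed"
// One row per alert attached to the incident, so it can be joined to SecurityAlert.
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner DefenderAlerts on $left.AlertId == $right.SystemAlertId
| project IncidentNumber, Title, Classification, ClassificationReason,
          ClosedTime, ModifiedBy, AlertName, AlertSeverity
| order by ClosedTime desc
```

Rows whose `Classification` is anything other than `TruePositive` are the ones worth a second look, because closing them will have dismissed a Defender alert that the infrastructure security team may never have seen. The same query can be saved as a scheduled analytics rule or pinned to a workbook so the review happens routinely rather than only after someone notices something is missing.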
More info can be found here: https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center