Safeguarding the business with SIEM and XDR

Contents

Introduction (Page 3)
What is XDR? (Page 4)
Benefits of integrated SIEM and XDR (Page 6)
Microsoft’s approach to SIEM and XDR (Page 9)
Integration for end-to-end visibility (Page 15)
A clearer picture (Page 17)
Introduction

The shift to remote and hybrid work models over the past two years has left organisations
more vulnerable to ransomware and other threats. Microsoft’s Digital Defence Report notes
a steady increase in ransomware ‘encounter rates’ for enterprises since the onset of the
pandemic, reaching 100 million encounters in February 2021 alone.

SecOps teams have a much broader attack surface to protect because IT infrastructure now
extends across multi-cloud, hybrid cloud and on-premises environments, and employees can
access enterprise resources from virtually anywhere, using company-owned systems or
unmanaged personal devices.

SecOps teams have responded to these trends by deploying multiple point products to protect
against the broadening threatscape. These tools, while helping to safeguard specific
workloads, assets or people, have also complicated the security challenge by forcing data
and detection capabilities into multiple silos.

CISOs and their security teams need a better way to view threats across multi-cloud
and on-premises IT environments to increase protection of resources and reduce
the time it takes to detect and respond to incidents.

This eBook explores a critical next step in the evolution of security operations:
integrating cloud-native security information and event management (SIEM) capabilities
with extended detection and response (XDR).
What is XDR?
A full-featured XDR platform enables organisations to protect their digital ecosystem by
collecting, correlating and analysing security telemetry from endpoints, networks,
applications, cloud workloads and identity infrastructure.

The depth of information XDR consolidates helps SecOps teams uncover threats and attacks
much faster than traditional, siloed detection and response platforms. SecOps analysts can
leverage the cross-domain threat visibility and contextual alerts that XDR platforms
provide to initiate quick and targeted responses.

XDR improves efficiency for SecOps teams by providing telemetry across integrated
workloads. The technology helps reduce the number of alerts the security team
must investigate by using correlation and behavioural analysis on consolidated
threat data to eliminate false positives and low-fidelity alerts. The tools support
automated investigation of threats and auto-remediation of compromised assets, often
without the need for human intervention. Security teams can leverage the tailored
recommendations and workflows available with XDR tools to implement proactive
defences against identified vulnerabilities.

Microsoft 365 Defender and Microsoft Defender for Cloud offer cross-domain security
as part of the Microsoft XDR solution. Microsoft 365 Defender helps organisations
block a wide range of threats at the network perimeter, preventing intrusion. It also
automatically collects, correlates and analyses threat and alert data from across the
Microsoft 365 environment. This includes security telemetry from endpoint devices,
email, applications and identities. The technology combines AI with automation to
enable automatic attack mitigation and remediation of compromised assets.

Microsoft Defender for Cloud combines cloud security posture management with
cloud workload protection capabilities. Defender for Cloud helps SecOps teams protect
against cloud threats and continuously assess the security of their cloud environment.
It issues alerts on detected threats to cloud workloads and resources, and then
recommends customised mitigations for addressing the threats and hardening cloud
assets against identified weaknesses.
Benefits of integrated SIEM and XDR

SecOps teams can capture even more value by layering XDR telemetry on a cloud-native SIEM
platform. SIEM enables organisations to get more actionable information from security
telemetry by applying advanced analytics and threat intelligence to security information
and event data gathered from across the enterprise IT infrastructure.

The Microsoft Sentinel cloud-native SIEM platform uses a correlation engine and AI-enabled
behavioural analytics capabilities to condense vast amounts of data into alerts that are
relevant to an organisation’s security posture. Built-in orchestration and automation allow
organisations to respond rapidly to detected threats and incidents.

SecOps analysts can use SIEM platforms like Microsoft Sentinel to compare internal security
telemetry and log data with external intelligence to detect new threats and identify
potential security breaches. The aggregated log data in SIEM platforms enables better
forensics and investigations of past security incidents.

By feeding XDR data into SIEM, organisations can derive more value from both
technologies. An integrated SIEM and XDR environment provides consolidated
dashboards for viewing and managing threats across multi-cloud, hybrid cloud
and on-premises environments. It allows for billions of pieces of signal data from
XDR and other sources to be reduced to thousands of alerts and tens of incidents
– minimising alert fatigue and false positives.
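As an added illustration (not code from this eBook or from Microsoft Sentinel), the two steps this section describes, comparing internal telemetry against an external threat-intelligence feed and then correlating the resulting alerts into far fewer incidents, reduced to a small Python model; the feed, the events and the host names are all constructed.

```python
"""Added illustration (not Microsoft Sentinel's own code): match internal
telemetry against a threat-intelligence feed, then fold the alerts into far
fewer incidents by shared host. Every indicator and event is constructed."""
from collections import defaultdict

# Constructed threat-intelligence feed: indicator -> fictional actor label.
THREAT_INTEL = {
    "203.0.113.45": "actor-A",
    "update-check.example.net": "actor-A",
    "ab" * 32: "actor-B",              # constructed 64-hex file hash
}

# Constructed XDR telemetry. Each event carries the entity the SIEM pivots
# on (host) plus whichever indicator-bearing field its source emits.
EVENTS = [
    {"source": "endpoint", "host": "wks-17", "file_sha256": "ab" * 32},
    {"source": "proxy", "host": "wks-17", "dest": "update-check.example.net"},
    {"source": "proxy", "host": "wks-22", "dest": "203.0.113.45"},
    {"source": "endpoint", "host": "wks-22", "file_sha256": "00" * 32},
    {"source": "email", "host": "mailgw", "dest": "mail.example.org"},
    {"source": "proxy", "host": "wks-31", "dest": "intranet.example.org"},
]

def match_threat_intel(events, intel):
    """Step 1: a raw signal becomes an alert only where one of its
    indicator fields matches the external feed; benign events drop out."""
    alerts = []
    for ev in events:
        for field in ("dest", "file_sha256"):
            ioc = ev.get(field)
            if ioc in intel:
                alerts.append({**ev, "indicator": ioc, "actor": intel[ioc]})
    return alerts

def correlate_into_incidents(alerts):
    """Step 2: alerts on the same host fold into one incident that lists
    every source, indicator and actor observed there."""
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert["host"]].append(alert)
    return [{"host": host, "alerts": group,
             "actors": sorted({a["actor"] for a in group})}
            for host, group in by_host.items()]

def triage(events=EVENTS, intel=THREAT_INTEL):
    """Return the funnel: (signal_count, alert_count, incidents)."""
    alerts = match_threat_intel(events, intel)
    incidents = correlate_into_incidents(alerts)
    return len(events), len(alerts), incidents
```

Running `triage()` on the constructed data turns six signals into three alerts and two incidents, the same signal-to-alert-to-incident funnel the paragraph above describes at enterprise scale.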
SIEM and XDR integration enhances the ability of SecOps teams to perform centralised,
context-based threat detection, analysis and response. SIEM platforms offer log
management and retention capabilities for XDR data, so it is available for threat
investigation and forensic analysis. This can enable better insight into past security
incidents so measures can be taken to prevent the same events from happening again.

Organisations can also gain significant productivity benefits from connecting SIEM with
XDR. A Forrester Consulting Total Economic Impact™ study found that Microsoft 365
Defender helped organisations reduce the number of successful attacks and recover faster
from breaches that did occur. The technology decreased the need for remediation efforts
because fewer machines were compromised.

The Forrester study showed that, cumulatively, XDR helped organisations save
USD 6.7 million in end-user productivity by ensuring less system downtime from security
breaches. Security teams reported another USD 6.7 million in efficiency gains from:

A unified view of threat data.

Fewer false positives to chase after.

Automated response and remediation capabilities.


Microsoft’s approach to SIEM and XDR

Microsoft’s vision for SIEM and XDR is to deliver an integrated offering that connects
Microsoft Sentinel with Microsoft 365 Defender and Defender for Cloud. The technology also
supports multi-cloud and multi-platform environments to ensure third-party data and
signals are part of Microsoft SIEM and XDR.

Microsoft’s goal is to combine the automated correlation from XDR with the
power of cloud-native SIEM to help SecOps teams protect against attacks and
keep enterprise data and resources safe from compromise.
Microsoft Sentinel

Microsoft Sentinel is Microsoft’s cloud-native SIEM platform. It accelerates threat detection
and response by collecting, correlating and analysing security log and event data at scale
from devices, applications, users and infrastructure hosted in the cloud and on-premises.

Microsoft Sentinel enables organisations to detect threats they might have otherwise
missed, by comparing internally gathered security telemetry with real-time external threat
intelligence gathered from Microsoft sensors and other third parties. SecOps teams can
leverage the AI and cloud security analytics capabilities in Microsoft Sentinel to hunt for
hidden threats and signs of previous breaches in aggregated log data. The technology
offers inline orchestration and automation capabilities for speeding up threat response and
remediating compromised resources quickly and efficiently.

Microsoft aggregates security data – more than 24 trillion signals a day – from a broad and
diverse spectrum of business environments and consumer devices. Microsoft Sentinel’s
correlation and analytics capabilities help organisations condense billions of daily security
signals from across the enterprise technology stack into a manageable handful of legitimate
events, and even fewer high-priority alerts that need to be investigated. This means SecOps
teams can spend more time on proactive threat hunting and mitigation. The technology
reduces complexity by enabling a unified, multi-domain view of the threat environment.

Microsoft 365 Defender

Microsoft 365 Defender offers XDR for email, documents, identities, apps and endpoints.
It collects, correlates and analyses threat signals and alerts from across the Microsoft 365
environment including endpoint devices, email, applications and identities. Microsoft 365
Defender includes the following services to provide additional XDR depth:

Microsoft Defender for Endpoint analyses behavioural signals from Windows 11 endpoint
environments to detect threats that signature-based threat detection tools might miss. It
applies cloud security analytics to translate behavioural signals into actionable insights
and threat detections, and recommends automated responses to advanced threats. Defender for
Endpoint leverages Microsoft and third-party threat intelligence to identify threat actor
tactics, techniques and procedures (TTPs) and to generate alerts when these artefacts are
present in internally collected telemetry.

Microsoft Defender for Office 365 protects against email threats such as malicious links
and attachments. Organisations can use it to protect Microsoft Exchange environments
against broad, volume-based, known attacks. Defender for Office 365 offers capabilities for
correlating attack patterns with known threat actor TTPs so security analysts can identify
campaigns and mitigate them. The technology integrates capabilities for helping security
teams identify, prioritise and investigate threats across the Office 365 environment.
Inline incident response and automation capabilities allow security teams to quickly
address detected threats and remediate compromised systems.

Microsoft Defender for Identity helps organisations detect and respond to identity-based
risks in cloud-based Microsoft Entra ID environments. It can be used to monitor users,
entity behaviour and activities, and to protect user identities and credentials in Active
Directory. Defender for Identity monitors on-premises Active Directory signals to detect
and investigate compromised identities, credential misuse and potentially malicious insider
actions. Defender for Identity offers user profile analytics and security reporting
capabilities, so organisations have a better understanding of their attack surface.

Microsoft Defender for Cloud Apps is a cloud access security broker that works across
multiple cloud environments including virtual machines, containers, databases and the
internet of things. It helps organisations protect against threats to and from cloud apps
and services by enabling discovery of all authorised and unauthorised cloud apps. It
ensures that cloud apps are compliant with internal policy and industry/regulatory
requirements by, among other things, enabling continuous monitoring of new and risky
cloud apps.

Microsoft Defender for Cloud

Microsoft Defender for Cloud provides cloud security posture management and threat
protection for workloads across Azure, AWS, GCP and on-premises. It helps assess and
strengthen the security configuration of your cloud resources, manage compliance with
critical industry and regulatory standards, as well as detect and respond to vulnerabilities
and threats in the cloud or on-premises. It strengthens the security posture of cloud
resources and provides the tools needed to harden resources, protect against cyberattacks
and streamline security management.

The natively integrated capabilities in Microsoft 365 Defender and Microsoft Defender for
Cloud enable comprehensive proactive and post-breach defences across Microsoft and
third-party environments.
For example:

Defender for Office 365 provides proactive defence by detecting phishing emails and testing
attachments to verify if they are harmful – before they hit inboxes.

If a user opens a malicious attachment, Defender for Endpoint detects and blocks any
malware that might be downloaded on the user device before it connects to the corporate
network.

In the case of credential theft, Defender for Identity can spot attempts to misuse user
credentials to elevate privileges or move laterally in a compromised network.

When an attacker uses a stolen identity to move laterally and tries to exfiltrate data from
a cloud environment, Defender for Cloud Apps can spot and stop the threat.
Integration for end-to-end visibility

Integrating Microsoft Sentinel with Microsoft’s XDR solutions keeps incidents across
endpoint and cloud environments bidirectionally synchronised and available in a way that
enables rapid detection, analysis and automated response. For example, security teams can
quickly verify if a threat they might have detected in an on-premises system is also
present in their cloud infrastructure, or if a threat actor might have moved laterally from
an on-premises environment to a cloud asset. Bidirectional synchronisation also means that
when the status of a security alert changes in Microsoft Sentinel, it automatically changes
in the Microsoft XDR environment.

The combination of Microsoft Sentinel and XDR enables better threat hunting across the
enterprise. SecOps analysts can look at hot data in XDR and compare it against 10 years or
more of SIEM information to determine, for instance, if they might have been previously
breached. They can write one query and have it executed in both solutions to search for
signs of lateral movement and malware persistence, or determine the full scope of a
security incident.

Importantly, integrating the two platforms allows security teams to augment XDR telemetry
with rich, real-time threat intelligence from Microsoft security researchers and
third-party partners. By comparing external threat intelligence data with internal
telemetry, SecOps analysts can quickly identify if threat actor activities and artefacts
observed in the wild are present inside the organisation.

A clearer picture

A broader attack surface requires CISOs and their teams to continuously improve their
ability to protect, detect and respond to threats. Layering Microsoft XDR telemetry from
endpoints, email, apps, identities and cloud resources with cloud-native SIEM can help
SecOps teams mitigate threats effectively, reduce the time it takes to detect and respond
to attacks and minimise costly downtime from system disruptions caused by security
incidents.

Learn more about how integrated threat protection can help stop breaches across your
entire organisation.

© 2022 Microsoft Corporation. All rights reserved. This document is provided ’as is’. Information and views expressed in this document, including URLs and other internet website references, may change without notice. You bear the risk of using it.
This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.
