Integrating SIEM + XDR: Azure Sentinel and Azure Defender bi-directional incident sync

Published Jul 26 2021 08:26 AM 6,926 Views

To help defend against today’s evolving threats, SecOps teams need sophisticated tooling that provides both breadth of visibility across the entire enterprise and the depth needed to investigate threats.  At Microsoft, we have a unique vision for the future of threat protection. While other vendors offer only a SIEM or XDR, Microsoft’s perspective is that SecOps can benefit from both. A SIEM delivers visibility into the full kill chain across the entire organization, including third party data, while XDR delivers deeper insights with contextual alerts for multi-cloud and multi-platform resources to reduce false alerts. 

At Microsoft Ignite 2021 in March, we announced an important step in bringing you the most integrated SIEM and XDR on the market with the release of incident sharing between Microsoft 365 Defender and Azure Sentinel.  Today, we are continuing the journey by announcing the public preview of incident sharing for Azure Defender and Azure Sentinel.  Now, Microsoft delivers the only integrated SIEM and XDR with incident sharing across the full set of components.

Using this new capability, customers can use Azure Sentinel as their single pane of glass for incident triage, leverage Microsoft 365 Defender or Azure Defender for incident investigation and remediation, and stay seamlessly in-sync across all three products. This new capability helps reduce the overall time you spend on responding to incidents – giving you more time to focus on what’s important.


How does it work?

Azure Defender & Sentinel bi-directional status sync will automatically sync alerts and incidents statuses between the products:

  • Closing or updating incidents in Azure Sentinel containing Azure Defender alerts will automatically close/update the status of the alert in the Azure Defender portal.
  • Alerts closed in the Azure Defender will be reflected as closed in Sentinel, but the status of the incident containing them will remain unchanged.


How to enable it?

  1. In Azure Sentinel, navigate to the data connectors tab and open the Azure Defender data connector.
  2. You can configure on which subscriptions you would like the bi-directional sync to take effect by changing the drop down in the “Bi-directional sync (Preview)” column to “Enabled”.
    1. Notice – enabling bi-directional sync required contributor permission in the selected subscription.
  3. To enable bi-directional sync on several subscriptions at once, mark their check boxes and select the “Enable bi-directional sync” button on the bar above the list.




We are excited about these new capabilities and will continue our mission to help you protect your companies.  Stay tuned for more SIEM and XDR integration!


Further reading

Senior Member

Great news for such a very important integration.


The question here is: "Does the bi-directional sync between ASC-Sentinel affect all ASC alert types?"
After testing, we have noticed that we are not able to get all the ASC alerts dismissed after closing the corresponding Azure Sentinel Incidents. For example, we observed that some ASC alerts related to "Non-Azure resources" (e.g alerts related with Azure-Arc enabled servers) were not closing (status not changed to "Dismissed") after closing an Azure Sentinel Incident.


Can you confirm the above issue or it something that happens due to the feature is currently in PREVIEW mode?


Thank you very much.



Hi Greg,

Thanks for your feedback.


The feature should work for all alerts. Would appreciate if you can open support ticket with the exact information of the issue you encountered and we will work to resolve it.



Tal Rosler,

Product Manager - Azure Defender

Version history
Last update:
‎Jul 26 2021 10:24 AM
Updated by: