What’s New: Global Search in Unified Security Operations platform includes Sentinel user and devices

by info.odysseyx@gmail.com

We are excited to announce significant improvements to our Unified Security Operations (SecOps) platform. The global search capability in the Defender Portal now supports Microsoft Sentinel user and device searches, providing a more comprehensive and integrated search experience for customers using Microsoft’s Unified Security Operations platform. This powerful capability allows you to search for devices, users, and other information by entering full or partial search terms. This update enables you to search Microsoft Sentinel entities directly within the Unified Security Operations platform, streamlining your workflow and improving efficiency.

Key Benefits

  • Unified search results: Microsoft Sentinel devices and users are now merged with the matching Microsoft Defender XDR portal entities to provide a single, unified search result, eliminating the need to switch between different tools.
  • Increase efficiency and save time: The ability to search Sentinel incidents and other data in the Defender Portal reduces investigation time and helps resolve security incidents faster.
  • Comprehensive identifier support: The search function supports a variety of identifiers to ensure that devices and users are identified. Microsoft Sentinel and Defender entities with matching identifiers are merged into a single result. This includes identifiers such as HostName, NTDomain, DnsDomain, and NetBiosName.
  • Improved user experience: The integration simplifies the search experience, enabling security professionals to quickly and efficiently find the information they need. This enhancement is part of our ongoing effort to integrate Microsoft Sentinel entities within a comprehensive XDR+SIEM platform.

How to get started

Getting started with the global search feature is simple.

  1. Access the Microsoft Defender XDR portal: Sign in to the Microsoft Defender XDR portal using your credentials.
  2. Go to global search: Find the global search bar at the top of the portal.
  3. Enter your search term: Enter a full or partial search term for the device or user you are looking for. Searches now include Sentinel entities along with Defender entities.
  4. Review the integrated results: Search results display a unified view of Microsoft Sentinel and Defender entities, helping you find the information you need quickly.

Use Cases and Scenarios

  1. Incident investigation: Analysts can use global search to quickly find all affected devices related to an incident. This enables faster and more efficient investigations and makes it easier to investigate the scope of the issue and prioritize appropriate responses.
  2. Threat Hunting: Threat hunters can use global searches to find suspicious user activity or specific files flagged as malicious, and correlate these findings with other relevant alerts within the system.
  3. Device Tracking: Security teams can use global search to track compromised devices and view alerts, users associated with the device, and any incidents related to that device.

Supported Sentinel Host Identifiers

You can search for Sentinel devices with the following strong identifiers and merge them with Defender devices with matching identifiers:

Supported Account Identifiers

Sentinel accounts with the following strong identifiers can be merged with Defender users with matching identifiers:

Moving forward with global search

Organizations can significantly enhance their security operations by enabling global search for Sentinel entities in the Microsoft Defender XDR portal. This capability provides security teams with the tools they need to efficiently search, investigate, and respond to threats, all from a single interface.

By incorporating unified search across incidents, alerts, users, devices, and files, Global Search streamlines threat hunting, investigation, and response workflows. This ultimately helps organizations stay ahead of evolving threats and gain the context they need to effectively protect their environments.

For more information and documentation on how to use Global Search, please visit the official Microsoft 365 Defender Portal Documentation.




