The security solutions used in the Azure & Microsoft 365 ecosystem share data and signals with each other, which gives a significant synergy advantage compared to third-party solutions. To be able to share data, there are a number of inter-connections between the security solutions under the hood.
To get the most out of the solutions, I encourage enabling all the integrations to gain the best synergy advantages from them. It’s good to know that most of the integrations are enabled by default nowadays. This mainly touches the M365 Defender solutions; enabling the integrations isn’t covered in this blog, but it might be the topic of another blog post :)
There are multiple ways to describe the inter-connections between the products, and here is one version. Recently, I have written multiple Microsoft cloud security monitoring designs, and both of the pictures were created during the design phase (kudos also goes to my colleague Markus Pitkäranta – @PitkarantaM).
High-level Integrations Between Microsoft Security Solutions
The following picture describes Azure Sentinel’s positioning and the high-level inter-connections between the Azure & M365 Microsoft security solutions. The original picture is from a Microsoft (unknown) presentation; compared to the original, the names of the solutions have been changed.
Data Flows Between Microsoft Security Solutions
From docs.microsoft.com – The table below lists how each supported M365 Defender service provides additional data, opportunities to obtain additional insight by correlating the data, and better remediation and response capabilities.
The picture below describes the data flows between the solutions. I didn’t add all the possible flows because the picture starts to get a little messy, so don’t expect it to be 100% accurate. I’m more than happy to receive suggestions & comments about the pic. So, if you would change or add something, please let me know and drop me a line.
In the picture, the assumption is that the main security solutions from Azure, Azure AD, and Microsoft 365 are in use, such as Azure Sentinel, Azure Security Center & the Microsoft 365 Defender solutions.
The picture describes two main data flows:
- Data and signal sharing
- Events / raw logs
As said, it’s not 100% accurate, but it gives you an overall picture of how security-related data flows between the solutions. From the MDx products there is only one integration line to Azure Sentinel, even though under the hood every product has its own integration. This makes the picture clearer; thanks to @Thomas_live for the feedback.
Hopefully, this gives you an understanding of how the security solutions are integrated with each other and how data flows between them.
Merry Christmas & Happy New Year, stay safe out there!!