articles/sentinel/workspaces-defender-portal.md
Lines changed: 9 additions & 5 deletions
@@ -22,14 +22,18 @@ This article primarily applies to the scenario where you onboard Microsoft Senti
22
22
23
23
Select your primary workspace when you onboard Microsoft Sentinel to the Defender portal. Any other workspaces that you onboard to the Defender portal are considered as secondary workspaces. The Defender portal supports one primary workspace and up to 99 secondary workspaces per tenant for Microsoft Sentinel.
24
24
25
-
When you also have Microsoft Defender XDR, alerts from your primary workspace are correlated with Defender XDR data, and incidents include alerts from both your primary workspace and Defender XDR in a unified queue. When you select a primary workspace, the [Defender XDR data connector](connect-microsoft-365-defender.md) for incidents and alerts is connected to the primary workspace only. Any other workspaces that were previously connected to the Defender XDR connector are disconnected. Any standalone Defender service data connectors, such as for Defender for Identity or Defender for Cloud Apps, are disconnected for all workspaces. Secondary workspaces function in the Defender portal as Microsoft Sentinel only.
25
+
When you also have Microsoft Defender XDR, alerts from your primary workspace are correlated with Defender XDR data, and incidents include alerts from both your primary workspace and Defender XDR in a unified queue. When you select a primary workspace, the [Defender XDR data connector](connect-microsoft-365-defender.md) for incidents and alerts is connected to the primary workspace only.
26
26
27
27
In such cases:
28
28
29
-
- All Defender XDR alerts and incidents are synced to your primary workspace only.
30
-
- The Defender portal keeps incident creation and alert correlation separate between the Microsoft Sentinel workspaces. Incidents in secondary workspaces don't include data from any other workspace, or from Defender XDR.
31
-
- The Defender XDR data connector is disconnected in secondary workspaces. This means that Defender XDR data is no longer available in a secondary workspace, and analytics rules and automation that you have configured based on Defender XDR data no longer function.
32
-
- One primary workspace must always be connected to the Defender portal.
29
+
|Area |Description |
30
+
|---------|---------|
31
+
|**Other workspaces previously connected to Defender XDR**| Any other workspaces that were previously connected to the Defender XDR connector are disconnected, and function as secondary workspaces. Defender XDR data isn't available in a secondary workspace, and any analytics rules and automation that you had previously configured based on Defender XDR data no longer function.|
32
+
|**Standalone Defender service data connectors**| Any standalone Defender service data connectors, such as for Defender for Identity or Defender for Cloud Apps, are disconnected for all workspaces. Secondary workspaces function in the Defender portal as Microsoft Sentinel only.|
33
+
|**Defender XDR alerts and incidents**| All Defender XDR alerts and incidents are synced to your primary workspace only.|
34
+
|**Tenant-based alerts**| Tenant-based alerts, such as alerts regarding users, are synched to the primary workspace only. Tenant-based alerts relate to the entire tenant instead of a specific workspace. Before connecting your workspaces to the Defender portal, these alerts would have been sent to any workspace with the relevant data connector. |
35
+
|**Incident creation and alert correlation**| The Defender portal keeps incident creation and alert correlation separate between the Microsoft Sentinel workspaces. Incidents in secondary workspaces don't include data from any other workspace, or from Defender XDR.|
36
+
|**One primary workspace required**| One primary workspace must always be connected to the Defender portal.|
33
37
34
38
For example, you might be working on a global SOC team in a company that has multiple, autonomous workspaces. In such cases, you might not want to see incidents and alerts from each of these workspaces in your global SOC queue in the Defender portal. Since these workspaces are onboarded to the Defender portal as secondary workspaces, they show in the Defender portal as Microsoft Sentinel only, without any Defender data, and continue to function autonomously. When looking at your global SOC workspace, you won't see data from these secondary workspaces.
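Review bot: In the added "Standalone Defender service data connectors" row, the sentence "Secondary workspaces function in the Defender portal as Microsoft Sentinel only." is misplaced. That row describes connectors that are disconnected for all workspaces, while the statement about secondary workspaces fits the "Other workspaces previously connected to Defender XDR" row, which already says those workspaces function as secondary workspaces. Suggest moving it there. The new "Tenant-based alerts" row spells it "synched" while the "Defender XDR alerts and incidents" row uses "synced"; use one spelling. That same row says these alerts were previously sent to any workspace with the relevant data connector, so consider stating whether analytics rules and automation in secondary workspaces that relied on them stop functioning, as the first row does for Defender XDR data.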