Merge pull request #1761 from MicrosoftDocs/release-sentinel-only

[PLS MERGE MEEEEEE] Sentinel only in Defender release [MERGE NOV 19 FOR AM publishing - IGNITE]

Author: diannegali

defender-xdr/copilot-in-defender-device-summary.md

@@ -21,7 +21,7 @@ search.appverid:
 ms.date: 10/04/2024
 appliesto:
 - Microsoft Defender XDR
-- Microsoft Sentinel in the Microsoft Defender portal
+- Microsoft Sentinel with Defender XDR in the Microsoft Defender portal
 ---
 
 # Summarize device information with Microsoft Copilot in Microsoft Defender

defender-xdr/microsoft-sentinel-onboard.md

@@ -1,6 +1,6 @@
 ---
-title: Connect Microsoft Sentinel to Microsoft Defender XDR
-description: Learn how to connect your Microsoft Sentinel environment to Microsoft Defender XDR to unify your security operations.
+title: Connect Microsoft Sentinel to the Microsoft Defender portal
+description: Learn how to connect your Microsoft Sentinel environment to the Defender portal to unify your security operations.
 ms.service: defender-xdr
 f1.keywords: 
   - NOCSH
@@ -22,22 +22,23 @@ search.appverid:
 appliesto:
     - Microsoft Defender XDR
     - Microsoft Sentinel in the Microsoft Defender portal
-ms.date: 07/10/2024
+ms.date: 10/16/2024
 ---
 
-# Connect Microsoft Sentinel to Microsoft Defender XDR
+# Connect Microsoft Sentinel to the Microsoft Defender portal
 
-Microsoft Sentinel is generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. When you onboard Microsoft Sentinel to the Defender portal, you unify capabilities with Microsoft Defender XDR like incident management and advanced hunting. Reduce tool switching and build a more context-focused investigation that expedites incident response and stops breaches faster. For more information, see:
+Microsoft Sentinel is generally available within Microsoft's unified security operations (SecOps) platform in the Microsoft Defender portal. When you onboard Microsoft Sentinel to the Defender portal with Microsoft Defender XDR, you unify capabilities like incident management and advanced hunting. Reduce tool switching and build a more context-focused investigation that expedites incident response and stops breaches faster. For more information, see:
 
-- Blog post: [General availability of the Microsoft unified security operations platform](https://aka.ms/unified-soc-announcement)
+- Blog post: [General availability of the Microsoft's unified security operations platform](https://aka.ms/unified-soc-announcement)
 - Blog post: [Frequently asked questions about the unified security operations platform](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/frequently-asked-questions-about-the-unified-security-operations/ba-p/4212048)
 - [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690)
 - [Microsoft Defender XDR integration with Microsoft Sentinel](/azure/sentinel/microsoft-365-defender-sentinel-integration)
 
+For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license.
 
 ## Prerequisites
 
-Before you begin, review the feature documentation to understand the product changes and limitations:
+Before you begin, review the feature documentation to understand the product changes and limitations.
 
 - [Microsoft Sentinel in the Microsoft Defender portal](/azure/sentinel/microsoft-sentinel-defender-portal)
 - [Advanced hunting in the Microsoft Defender portal](advanced-hunting-microsoft-defender.md)
@@ -46,16 +47,17 @@ Before you begin, review the feature documentation to understand the product cha
 
 The Microsoft Defender portal supports a single Microsoft Entra tenant and the connection to one workspace at a time. In the context of this article, a workspace is a Log Analytics workspace with Microsoft Sentinel enabled.
 
-To onboard and use Microsoft Sentinel in the Microsoft Defender portal, you must have the following resources and access:
+### Microsoft Sentinel prerequisites
+
+To onboard and use Microsoft Sentinel in the Defender portal, you must have the following resources and access:
 
 - A Log Analytics workspace that has Microsoft Sentinel enabled
-- The data connector for Microsoft Defender XDR (formerly named Microsoft 365 Defender) enabled in Microsoft Sentinel for incidents and alerts. For more information, see [Connect data from Microsoft Defender XDR to Microsoft Sentinel](/azure/sentinel/connect-microsoft-365-defender).
-- Access to Microsoft Defender XDR in the Defender portal
-- Microsoft Defender XDR onboarded to the Microsoft Entra tenant
+- The data connector for Microsoft Defender XDR enabled in Microsoft Sentinel for incidents and alerts. Install the Defender XDR solution and configure the data connector to connect Microsoft Sentinel to the Defender portal. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](/azure/sentinel/sentinel-solutions-deploy). <!--Question to Simaya about configuring the other options on this connector - would we still need that for unified SOC. Would they go  back and configure those settings? https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender-->
 - An Azure account with the appropriate roles to onboard, use, and create support requests for Microsoft Sentinel in the Defender portal. The following table highlights some of the key roles needed.
 
-  |Task |Azure built-in role required |Scope  |
+  |Task |Microsoft Entra or Azure built-in role required |Scope  |
   |---------|---------|---------|
+  |Onboard Microsoft Sentinel to the Defender portal|[Global administrator](/entra/identity/role-based-access-control/permissions-reference#global-administrator) or [security administrator](/entra/identity/role-based-access-control/permissions-reference#security-administrator) in Microsoft Entra ID|Tenant|
   |Connect or disconnect a workspace with Microsoft Sentinel enabled|[Owner](/azure/role-based-access-control/built-in-roles#owner) or </br>[User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) and [Microsoft Sentinel Contributor](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) |- Subscription for Owner or User Access Administrator roles </br></br>- Subscription, resource group, or workspace resource for Microsoft Sentinel Contributor |
   |View Microsoft Sentinel in the Defender portal|[Microsoft Sentinel Reader](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-reader) |Subscription, resource group, or workspace resource  |
   |Query Sentinel data tables or view incidents  |[Microsoft Sentinel Reader](/azure/role-based-access-control/built-in-roles#microsoft-sentinel-reader) or a role with the following actions:</br>- Microsoft.OperationalInsights/workspaces/read</br>- Microsoft.OperationalInsights/workspaces/query/read</br>- Microsoft.SecurityInsights/Incidents/read</br>- Microsoft.SecurityInsights/incidents/comments/read</br>- Microsoft.SecurityInsights/incidents/relations/read</br>- Microsoft.SecurityInsights/incidents/tasks/read|Subscription, resource group, or workspace resource       |
@@ -64,28 +66,39 @@ To onboard and use Microsoft Sentinel in the Microsoft Defender portal, you must
 
   After you connect Microsoft Sentinel to the Defender portal, your existing Azure role-based access control (RBAC) permissions allow you to work with the Microsoft Sentinel features that you have access to. Continue to manage roles and permissions for your Microsoft Sentinel users from the Azure portal. Any Azure RBAC changes are reflected in the Defender portal. For more information about Microsoft Sentinel permissions, see [Roles and permissions in Microsoft Sentinel | Microsoft Learn](/azure/sentinel/roles) and [Manage access to Microsoft Sentinel data by resource | Microsoft Learn](/azure/sentinel/resource-context-rbac).
 
+### Microsoft's unified SecOps platform prerequisites 
+
+To unify capabilities with Defender XDR in Microsoft's unified SecOps platform, you must have the following resources and access:
+
+- Licensing for Defender XDR, as described in [Microsoft Defender XDR prerequisites](/microsoft-365/security/mtp/prerequisites)
+- Account for Defender XDR is a member of the same Microsoft Entra tenant with which Microsoft Sentinel is associated
+- Access to Microsoft Defender XDR in the Defender portal, as described in [Microsoft Defender XDR prerequisites](/microsoft-365/security/mtp/prerequisites#required-permissions)
+
 ## Onboard Microsoft Sentinel
 
-To connect a workspace that has Microsoft Sentinel enabled to Defender XDR, complete the following steps:
+To connect a Microsoft Sentinel workspace to the Defender portal, complete the following steps. If you're onboarding Microsoft Sentinel without Defender XDR (preview) there is an extra step to trigger the connection with Microsoft Sentinel and Defender portal. 
 
 1. Go to the [Microsoft Defender portal](https://security.microsoft.com/) and sign in.
-1. In Microsoft Defender XDR, select **Overview**.
+1. To onboard Microsoft Sentinel without Defender XDR in the Defender portal: 
+   1. To trigger the connection with Microsoft Sentinel, select **Investigation & response** > **Incidents**.
+   1. Wait a few minutes for the connection to complete. 
+1. In the Defender portal, select **Overview**.
 1. Select **Connect a workspace**.
 1. Choose the workspace you want to connect and select **Next**.
 1. Read and understand the product changes associated with connecting your workspace. These changes include:
 
-   - Log tables, queries, and functions in the Microsoft Sentinel workspace are also available in advanced hunting within Defender XDR.
+   - Log tables, queries, and functions in the Microsoft Sentinel workspace are also available in advanced hunting within the Defender portal.
    - The Microsoft Sentinel Contributor role is assigned to the Microsoft Threat Protection and WindowsDefenderATP apps within the subscription.
    - Active [Microsoft security incident creation rules](/azure/sentinel/threat-detection#microsoft-security-rules) are deactivated to avoid duplicate incidents. This change only applies to incident creation rules for Microsoft alerts and not to other analytics rules.
    - All alerts related to Defender XDR products are streamed directly from the main Defender XDR data connector to ensure consistency. Make sure you have incidents and alerts from this connector turned on in the workspace.
 
 1. Select **Connect**.
 
-After your workspace is connected, the banner on the **Overview** page shows that your unified security information and event management (SIEM) and extended detection and response (XDR) is ready. The **Overview** page is updated with new sections that include metrics from Microsoft Sentinel like the number of data connectors and automation rules.
+After your workspace is connected, the banner on the **Overview** page shows that your environment is ready. The **Overview** page is updated with new sections that include metrics from Microsoft Sentinel like the number of data connectors and automation rules.
 
 ## Explore Microsoft Sentinel features in the Defender portal
 
-After you connect your workspace to the Defender portal, **Microsoft Sentinel** is on the left-hand side navigation pane. Pages like  **Overview**, **Incidents**, and **Advanced Hunting** have unified data from Microsoft Sentinel and Defender XDR. For more information about the unified capabilities and differences between portals, see  [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690).
+After you connect your workspace to the Defender portal, **Microsoft Sentinel** is on the left-hand side navigation pane. If you have Defender XDR enabled, pages like  **Overview**, **Incidents**, and **Advanced Hunting** have unified data from Microsoft Sentinel and Defender XDR. If you don't have Defender XDR enabled, these pages just include data from Microsoft Sentinel (preview). For more information about the unified capabilities and differences between portals, see  [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690).
 
 Many of the existing Microsoft Sentinel features are integrated into the Defender portal. For these features, notice that the experience between Microsoft Sentinel in the Azure portal and Defender portal are similar. Use the following articles to help you start working with Microsoft Sentinel in the Defender portal. When using these articles, keep in mind that your starting point in this context is the [Defender portal](https://security.microsoft.com/) instead of the Azure portal.
 
@@ -135,5 +148,5 @@ If you want to connect to a different workspace, from the **Workspaces** page, s
 - [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690)
 - [Advanced hunting in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2264410)
 - [Automatic attack disruption in Microsoft Defender XDR](automatic-attack-disruption.md)
-- [Investigate incidents in Microsoft Defender XDR](investigate-incidents.md)
+- [Investigate incidents in Microsoft Defender portal](investigate-incidents.md)
 - [Optimize your security operations](/azure/sentinel/soc-optimization/soc-optimization-access?tabs=defender-portal)

defender-xdr/security-copilot-defender-identity-summary.md

@@ -21,7 +21,7 @@ search.appverid:
 ms.date: 10/14/2024
 appliesto:
 - Microsoft Defender XDR
-- Microsoft Sentinel in the Microsoft Defender portal
+- Microsoft Sentinel with Defender XDR in the Microsoft Defender portal
 ---
 
 # Summarize identity information with Microsoft Copilot in Microsoft Defender

defender-xdr/security-copilot-m365d-guided-response.md

@@ -21,7 +21,7 @@ search.appverid:
 ms.date: 10/14/2024
 appliesto:
 - Microsoft Defender XDR
-- Microsoft Sentinel in the Microsoft Defender portal
+- Microsoft Sentinel with Defender XDR in the Microsoft Defender portal
 ---
 
 # Triage and investigate incidents with guided responses from Microsoft Copilot in Microsoft Defender

includes/unified-soc-preview-no-alert.md

@@ -1,7 +1,7 @@
 ---
 title: "include file" 
 description: "include file" 
-ms.date: 07/10/2024
+ms.date: 10/16/2024
 manager: dansimp
 ms.author: cwatson
 author: cwatson-cat
@@ -10,4 +10,4 @@ ms.topic: include
 ms.custom: "include file"
 ---
 
-Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. For more information, see [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690).
+Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690).

includes/unified-soc-preview.md

@@ -1,7 +1,7 @@
 ---
 title: "include file" 
 description: "include file" 
-ms.date: 07/10/2024
+ms.date: 10/16/2024
 manager: dansimp
 ms.author: cwatson
 author: cwatson-cat
@@ -11,4 +11,4 @@ ms.custom: "include file"
 ---
 
 > [!IMPORTANT]
-> Microsoft Sentinel is now generally available within the Microsoft unified security operations platform in the Microsoft Defender portal. For more information, see [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690).
+> Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. For preview, Microsoft Sentinel is available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see [Microsoft Sentinel in the Microsoft Defender portal](https://go.microsoft.com/fwlink/p/?linkid=2263690).