Merge pull request #1096 from cwatson-cat/8-7-24-mlti-ten-sent

Defender XDR - Add in MTM for tenants w/ Sentinel onboarded to USX [READY FOR MERGE]

Author: Stacyrch140

defender-xdr/TOC.yml

@@ -483,7 +483,7 @@
           href: https://aka.ms/soc-opt-ref
     - name: Manage multitenant environments
       items:
-        - name: Multitenant management in Microsoft Defender XDR
+        - name: Overview
           href: mto-overview.md
         - name: Set up multitenant management
           href: mto-requirements.md

defender-xdr/mto-advanced-hunting.md

@@ -1,6 +1,6 @@
 ---
-title: Advanced hunting in multi-tenant management in Microsoft Defender XDR
-description: Learn about advanced hunting in multi-tenant management in Microsoft Defender XDR
+title: Advanced hunting in Microsoft Defender multitenant management
+description: Learn about advanced hunting in Microsoft Defender multitenant management
 search.appverid: met150
 ms.service: defender-xdr
 ms.author: siosulli
@@ -12,21 +12,21 @@ ms.collection:
 - m365-security
 - highpri
 - tier1
+- usx-security
 ms.topic: conceptual
-ms.date: 07/18/2024
+ms.date: 08/19/2024
+appliesto:
+  - Microsoft Defender XDR
+  - Microsoft Sentinel in the Microsoft Defender portal
 ---
 
-# Advanced hunting in multi-tenant management in Microsoft Defender XDR
+# Advanced hunting in Microsoft Defender multitenant management
 
-**Applies to:**
-
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-
-Advanced hunting in multi-tenant management in Microsoft Defender XDR allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants at the same time.
+Advanced hunting in Microsoft Defender multitenant management allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants at the same time. If you have tenants with a Microsoft Sentinel workspace onboarded to the Microsoft unified security operations platform, search for security information and event management (SIEM) data together with extended detection and response (XDR) data across multiple tenants. 
 
 ## Run cross-tenant queries
 
-In multi-tenant management, you can use any of the queries you currently have access to. They're filtered by tenant in the **Queries** tab. Select a tenant to view the queries available under each one.
+In multitenant management, you can use any of the queries you currently have access to. They're filtered by tenant in the **Queries** tab. Select a tenant to view the queries available under each one.
 
 Once you load the query in the query editor, you can then specify the scope of the query by tenant by selecting **Tenant scope**:
 
@@ -50,7 +50,7 @@ Likewise, you can manage custom detection rules from multiple tenants in the cus
 
 ### View custom detection rules by tenant
 
-1. To view custom detection rules, go to the [Custom detection rules page](https://mto.security.microsoft.com/v2/custom_detection) in multi-tenant management in Microsoft Defender XDR.
+1. To view custom detection rules, go to the [Custom detection rules page](https://mto.security.microsoft.com/v2/custom_detection) in Microsoft Defender multitenant management.
 2. View the **Tenant name** column to see which tenant the detection rule comes from:
 
    :::image type="content" source="/defender/media/defender/mto-custom-detection-tenant-name.png" alt-text="Screenshot of the Microsoft Defender XDR multi-tenant custom detection page" lightbox="/defender/media/defender/mto-custom-detection-tenant-name.png":::
@@ -61,15 +61,21 @@ To read more about custom detection rules, read [Custom detections overview](cus
 
 ### Manage custom detection rules
 
-You can **Run**, **Turn off**, and **Delete** detection rules from multi-tenant management in Microsoft Defender XDR.
+You can **Run**, **Turn off**, and **Delete** detection rules from Microsoft Defender multitenant management.
 
 To manage detection rules:
 
-1. Go to the [Custom detection rules page](https://mto.security.microsoft.com/v2/custom_detection) in multi-tenant management in Microsoft Defender XDR
+1. Go to the [Custom detection rules page](https://mto.security.microsoft.com/v2/custom_detection) in Microsoft Defender multitenant management
 2. Choose the detection rule you want to manage
 
 When you select a single detection rule, a flyout panel opens with the detection rule details:
 
    :::image type="content" source="/defender/media/defender/custom-detection-rule-details.png" alt-text="Screenshot of the Microsoft Defender XDR custom detection rule details page" lightbox="/defender/media/defender/custom-detection-rule-details.png":::
 
 Select **Open detection rules** to view this rule in a new tab for the specific tenant in the [Microsoft Defender portal](https://security.microsoft.com). To learn more, see [Custom detection rules](./custom-detection-rules.md).
+
+## Related content
+
+- [Set up Microsoft Defender multitenant management](mto-requirements.md)
+- [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md)
+- [View and manage incidents and alerts](mto-incidents-alerts.md)

defender-xdr/mto-incidents-alerts.md

@@ -1,6 +1,6 @@
 ---
-title: View and manage incidents and alerts in multi-tenant management in Microsoft Defender XDR
-description: Learn about incidents and alerts in multi-tenant management in Microsoft Defender XDR
+title: View and manage incidents and alerts in Microsoft Defender multitenant management
+description: Learn about incidents and alerts in Microsoft Defender multitenant management
 search.appverid: met150
 ms.service: defender-xdr
 ms.author: siosulli
@@ -12,29 +12,31 @@ ms.collection:
   - m365-security
   - highpri
   - tier1
+  - usx-security
 ms.topic: conceptual
-ms.date: 09/01/2023
+ms.date: 08/19/2024
+appliesto:
+  - Microsoft Defender XDR
+  - Microsoft Sentinel in the Microsoft Defender portal
 ---
 
-# View and manage incidents and alerts
+# View and manage incidents and alerts in Microsoft Defender multitenant management
 
-**Applies to:**
+Multitenant management for Microsoft Defender XDR and the Microsoft unified security operations platform enables security operation center (SOC) analysts to access and analyze data from multiple tenants in one place, allowing them to quickly identify and respond to threats. Triage incidents and alerts across security information and event management (SIEM) and extended detection and response (XDR) data for tenants that onboarded a Microsoft Sentinel workspace to the unified security operations platform.
 
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-
-Multi-tenant management in Microsoft Defender XDR enables security operation center (SOC) analysts to access and analyze data from multiple tenants in one place, allowing them to quickly identify and respond to threats.
-
-You can manage incidents & alerts originating from multiple tenants under **Incidents & alerts**.
+Manage incidents & alerts originating from multiple tenants under **Incidents & alerts**.
 
 ## View and investigate incidents
 
-1. To View or investigate an incident, go to the [Incidents page](https://mto.security.microsoft.com/incidents) in multi-tenant management in Microsoft Defender XDR. The **Tenant name** column shows which tenant the incident originates from:
+To view or investigate an incident: 
 
-   :::image type="content" source="/defender/media/defender/mto-incidents.png" alt-text="Screenshot of the Microsoft Defender XDR multi-tenant incidents page" lightbox="/defender/media/defender/mto-incidents.png":::
+1. Go to the [Incidents page](https://mto.security.microsoft.com/incidents) in Microsoft Defender multitenant management. The **Tenant name** column shows which tenant the incident originates from:
+
+   :::image type="content" source="/defender/media/defender/mto-incidents.png" alt-text="Screenshot of the Microsoft Defender multitenant incidents page." lightbox="/defender/media/defender/mto-incidents.png":::
 
 2. Select the incident you want to view. A flyout panel opens with the incident details page:
 
-   :::image type="content" source="/defender/media/defender/mto-incident-details.png" alt-text="Screenshot of the Microsoft Defender XDR incidents details page" lightbox="/defender/media/defender/mto-incident-details.png":::
+   :::image type="content" source="/defender/media/defender/mto-incident-details.png" alt-text="Screenshot of the Microsoft Defender multitenant incidents details page." lightbox="/defender/media/defender/mto-incident-details.png":::
 
 3. From the incident details page you can:
 
@@ -47,10 +49,10 @@ To learn more, see [Investigate incidents](/defender-endpoint/investigate-incide
 
 To manage incidents across multiple tenants:
 
-1. Go to the [Incidents page](https://mto.security.microsoft.com/incidents) in multi-tenant management.
+1. Go to the [Incidents page](https://mto.security.microsoft.com/incidents) in Microsoft Defender multitenant management.
 2. Choose the incidents you want to manage from the incidents list and select **Manage incidents**.
 
-   :::image type="content" source="/defender/media/defender/mto-manage-incidents.png" alt-text="Screenshot of the Microsoft Defender XDR incidents page" lightbox="/defender/media/defender/mto-manage-incidents.png":::
+   :::image type="content" source="/defender/media/defender/mto-manage-incidents.png" alt-text="Screenshot that highlights the manage incidents option on the incidents page in Microsoft Defender multitenant management." lightbox="/defender/media/defender/mto-manage-incidents.png":::
 
 On the incidents fly-out you can assign incidents, assign incidents tags, set the incident status, and classify multiple incidents for multiple tenants simultaneously.
 
@@ -61,9 +63,11 @@ To learn more about incidents in the Microsoft Defender portal, see [Manage inci
 
 ## View and investigate alerts
 
-1. To view or investigate an alert, go to the [Alerts page](https://mto.security.microsoft.com/alerts) in multi-tenant management and select the alert you want to view. A flyout panel opens with the alert details page:
+To view or investigate an alert:
+
+1. Go to the [Alerts page](https://mto.security.microsoft.com/alerts) in multitenant management and select the alert you want to view. A flyout panel opens with the alert details page:
 
-   :::image type="content" source="/defender/media/defender/mto-alerts-details.png" alt-text="Screenshot of the Microsoft Defender XDR alert details page" lightbox="/defender/media/defender/mto-alerts-details.png":::
+   :::image type="content" source="/defender/media/defender/mto-alerts-details.png" alt-text="Screenshot of alert details page for an alert in Microsoft Defender multitenant management." lightbox="/defender/media/defender/mto-alerts-details.png":::
 
 2. From the alert details page you can:
 
@@ -76,13 +80,20 @@ To learn more, see [Investigate alerts](/defender-endpoint/investigate-alerts).
 
 To manage alerts across multiple tenants:
 
-1. Go to the [Alerts page](https://mto.security.microsoft.com/alerts) in multi-tenant management.
+1. Go to the [Alerts page](https://mto.security.microsoft.com/alerts) in Microsoft Defender multitenant management.
 2. Choose the alerts you want to manage from the alerts list and select **Manage alerts**.
 
-   :::image type="content" source="/defender/media/defender/mto-manage-alerts.png" alt-text="Screenshot of the Microsoft Defender XDR alerts page" lightbox="/defender/media/defender/mto-manage-alerts.png":::
+   :::image type="content" source="/defender/media/defender/mto-manage-alerts.png" alt-text="Screenshot that highlights the manage alerts option for selected alerts in Microsoft Defender multitenant management." lightbox="/defender/media/defender/mto-manage-alerts.png":::
 
 On the alert fly-out you can assign alerts, set the alert status, and classify the alerts for multiple tenants simultaneously.
 
 > [!Note]
 > Currently, you can only assign multiple alerts from same tenant.
 To learn more about alerts in the Microsoft Defender portal, see [Manage alerts](/defender-endpoint/manage-alerts).
+
+## Related content
+
+- [Set up Microsoft Defender multitenant management](mto-requirements.md)
+- [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md)
+- [Advanced hunting in Microsoft Defender multitenant management](mto-advanced-hunting.md)
+

defender-xdr/mto-overview.md

@@ -1,6 +1,6 @@
 ---
-title: Multi-tenant management in Microsoft Defender XDR
-description: Overview of multi-tenant management in Microsoft Defender XDR.
+title: Microsoft Defender multitenant management
+description: Learn about multitenant management for Microsoft Defender XDR and Microsoft Sentinel in the Microsoft unified security operations platform.
 ms.service: defender-xdr
 ms.author: siosulli
 author: siosulli
@@ -11,41 +11,48 @@ ms.collection:
   - m365-security
   - highpri
   - tier1
+  - usx-security
 ms.topic: conceptual
-ms.date: 09/01/2023
+ms.date: 08/19/2024
+appliesto:
+  - Microsoft Defender XDR
+  - Microsoft Sentinel in the Microsoft Defender portal
+  - Microsoft Defender for Endpoint Plan 2
+  - Microsoft Defender for Office 365 P2
 ---
 
-# Overview of multi-tenant management in Microsoft Defender XDR
+# Microsoft Defender multitenant management
 
-**Applies to:**
+Multitenant management for Microsoft Defender XDR and the Microsoft unified security operations platform provides your security operation teams with a single, unified view of all the tenants you manage. This view enables your teams to quickly investigate incidents and perform advanced hunting across data from multiple tenants, improving your security operations.
 
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-- [Microsoft Defender for Endpoint Plan 2](/defender-endpoint/microsoft-defender-endpoint)
-- [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/p/?LinkID=2158212)
+If you have tenants with a Microsoft Sentinel workspace onboarded to the unified security operations platform, you're able to:
 
->[!Tip]
->To learn how to turn on preview features, see [Microsoft Defender XDR preview features](preview.md).
+- Triage incidents and alerts across security information and event management (SIEM) and extended detection and response (XDR) data.
+- Proactively search for SIEM and XDR data across multiple tenants.
 
-Managing multi-tenant environments can add an additional layer of complexity when it comes to keeping up with the ever-evolving security threats facing your enterprise. Navigating across multiple tenants can be time consuming and reduce the overall efficiency of security operation center (SOC) teams.
+Only one Microsoft Sentinel workspace per tenant is currently supported in the unified security operations platform. So in Microsoft Defender multitenant management, you have SIEM data from one Microsoft Sentinel workspace per tenant.
 
-Multi-tenant management in Microsoft Defender XDR was designed to provide security operation teams with a single, unified view of all the tenants they manage. This view enables teams to quickly investigate incidents and perform advanced hunting across data from multiple tenants, improving their security operations.
+For more information, see:
 
->[!Tip]
->To learn more about multi-tenant organizations, see [Multi-tenant organizations documentation](/azure/active-directory/multi-tenant-organizations/).
+- [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md)
+- [Multitenant organizations documentation](/azure/active-directory/multi-tenant-organizations/)
 
-Some of the key benefits you get with multi-tenant management in Microsoft Defender XDR include:
 
-- **A centralized place to manage incidents across tenants**: A unified view provides SOC analysts with all the information they need for incident investigation across multiple tenants, eliminating the need to sign in and out of each one.
+## Benefits of multitenant management
 
-- **Streamlined threat hunting**: Multi-tenancy support enables SOC teams use Microsoft Defender XDR advanced hunting capabilities to create KQL queries that will proactively hunt for threats across multiple tenants.
+Some of the key benefits you get with multitenant management for Defender XDR and the Microsoft unified security operations platform include:
+
+- **A centralized place to manage incidents across tenants**: A unified view provides SOC analysts with all the information they need to investigate incidents across multiple tenants, eliminating the need to sign in and out of each one.
+
+- **Streamlined threat hunting**: Multi-tenancy support enables SOC teams use Microsoft Defender XDR advanced hunting capabilities to create Kusto Query Language (KQL) queries that proactively hunt for threats across multiple tenants.
 
 - **Multi-customer management for partners**: Managed Security Service Provider (MSSP) partners can now gain visibility into security incidents, alerts, and threat hunting across multiple customers through a single pane of glass.
 
 <a name='whats-included-in-multi-tenant-management-in-microsoft-365-defender'></a>
 
-## What's included in multi-tenant management in Microsoft Defender XDR
+## What's included in multitenant management
 
-The following key capabilities are available for each tenant you have access to in multi-tenant management in Microsoft Defender XDR:
+The following key capabilities are available for each tenant you have access to in multitenant management for Microsoft Defender XDR and the Microsoft unified security operations platform:
 
 | Capability | Description |
 | ------ | ------ |
@@ -60,4 +67,4 @@ The following key capabilities are available for each tenant you have access to
 
 ## Next steps
 
-- [Set up multi-tenant management in Microsoft Defender XDR](mto-requirements.md)
+- [Set up Microsoft Defender multitenant management](mto-requirements.md)