Defender XDR - Add in MTM for tenants w/ Sentinel onboarded to USX

cwatson-cat · cwatson-cat · commit 7201a717ec8f · 2024-08-07T15:00:24.000-07:00
diff --git a/defender-xdr/mto-advanced-hunting.md b/defender-xdr/mto-advanced-hunting.md
@@ -12,17 +12,17 @@ ms.collection:
 - m365-security
 - highpri
 - tier1
+- usx-security
 ms.topic: conceptual
-ms.date: 07/18/2024
+ms.date: 08/07/2024
+appliesto:
+  - Microsoft Defender XDR
+  - Microsoft Sentinel in the Microsoft Defender portal
 ---
 
-# Advanced hunting in multi-tenant management in Microsoft Defender XDR
+# Advanced hunting in multi-tenant management for Microsoft Defender XDR
 
-**Applies to:**
-
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-
-Advanced hunting in multi-tenant management in Microsoft Defender XDR allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants at the same time.
+Advanced hunting in multi-tenant management for Microsoft Defender XDR allows you to proactively hunt for intrusion attempts and breach activity in email, data, devices, and accounts across multiple tenants at the same time. If you have tenants with a Microsoft Sentinel workspace onboarded to the unified security operations platform, search for SIEM data together with XDR data across multiple tenants.
 
 ## Run cross-tenant queries
 
@@ -73,3 +73,9 @@ When you select a single detection rule, a flyout panel opens with the detection
    :::image type="content" source="/defender/media/defender/custom-detection-rule-details.png" alt-text="Screenshot of the Microsoft Defender XDR custom detection rule details page" lightbox="/defender/media/defender/custom-detection-rule-details.png":::
 
 Select **Open detection rules** to view this rule in a new tab for the specific tenant in the [Microsoft Defender portal](https://security.microsoft.com). To learn more, see [Custom detection rules](./custom-detection-rules.md).
+
+## Related content
+
+- [Set up multi-tenant management in Microsoft Defender XDR](mto-requirements.md)
+- [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md)
+- [View and manage incidents and alerts](mto-incidents-alerts.md)
diff --git a/defender-xdr/mto-incidents-alerts.md b/defender-xdr/mto-incidents-alerts.md
@@ -1,6 +1,6 @@
 ---
-title: View and manage incidents and alerts in multi-tenant management in Microsoft Defender XDR
-description: Learn about incidents and alerts in multi-tenant management in Microsoft Defender XDR
+title: View and manage incidents and alerts in multi-tenant management for Microsoft Defender XDR
+description: Learn about incidents and alerts in multi-tenant management for Microsoft Defender XDR
 search.appverid: met150
 ms.service: defender-xdr
 ms.author: siosulli
@@ -12,23 +12,25 @@ ms.collection:
   - m365-security
   - highpri
   - tier1
+  - usx-security
 ms.topic: conceptual
-ms.date: 09/01/2023
+ms.date: 08/07/2024
+appliesto:
+  - Microsoft Defender XDR
+  - Microsoft Sentinel in the Microsoft Defender portal
 ---
 
 # View and manage incidents and alerts
 
-**Applies to:**
+Multi-tenant management for Microsoft Defender XDR and the Microsoft unified security operations platform enables security operation center (SOC) analysts to access and analyze data from multiple tenants in one place, allowing them to quickly identify and respond to threats. Triage incidents and alerts across SIEM and XDR data for tenants that have onboarded a Microsoft Sentinel workspace to the unified security operations platform. 
 
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-
-Multi-tenant management in Microsoft Defender XDR enables security operation center (SOC) analysts to access and analyze data from multiple tenants in one place, allowing them to quickly identify and respond to threats.
-
-You can manage incidents & alerts originating from multiple tenants under **Incidents & alerts**.
+Manage incidents & alerts originating from multiple tenants under **Incidents & alerts**.
 
 ## View and investigate incidents
 
-1. To View or investigate an incident, go to the [Incidents page](https://mto.security.microsoft.com/incidents) in multi-tenant management in Microsoft Defender XDR. The **Tenant name** column shows which tenant the incident originates from:
+To view or investigate an incident: 
+
+1. Go to the [Incidents page](https://mto.security.microsoft.com/incidents) in multi-tenant management in Microsoft Defender XDR. The **Tenant name** column shows which tenant the incident originates from:
 
    :::image type="content" source="/defender/media/defender/mto-incidents.png" alt-text="Screenshot of the Microsoft Defender XDR multi-tenant incidents page" lightbox="/defender/media/defender/mto-incidents.png":::
 
@@ -61,7 +63,9 @@ To learn more about incidents in the Microsoft Defender portal, see [Manage inci
 
 ## View and investigate alerts
 
-1. To view or investigate an alert, go to the [Alerts page](https://mto.security.microsoft.com/alerts) in multi-tenant management and select the alert you want to view. A flyout panel opens with the alert details page:
+To view or investigate an alert:
+
+1. Go to the [Alerts page](https://mto.security.microsoft.com/alerts) in multi-tenant management and select the alert you want to view. A flyout panel opens with the alert details page:
 
    :::image type="content" source="/defender/media/defender/mto-alerts-details.png" alt-text="Screenshot of the Microsoft Defender XDR alert details page" lightbox="/defender/media/defender/mto-alerts-details.png":::
 
@@ -86,3 +90,10 @@ On the alert fly-out you can assign alerts, set the alert status, and classify t
 > [!Note]
 > Currently, you can only assign multiple alerts from same tenant.
 To learn more about alerts in the Microsoft Defender portal, see [Manage alerts](/defender-endpoint/manage-alerts).
+
+## Related content
+
+- [Set up multi-tenant management in Microsoft Defender XDR](mto-requirements.md)
+- [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md)
+- [Advanced hunting in multi-tenant management in Microsoft Defender XDR](mto-advanced-hunting.md)
+
diff --git a/defender-xdr/mto-overview.md b/defender-xdr/mto-overview.md
@@ -1,6 +1,6 @@
 ---
-title: Multi-tenant management in Microsoft Defender XDR
-description: Overview of multi-tenant management in Microsoft Defender XDR.
+title: Multi-tenant management for the Microsoft unified security operations platform
+description: Learn about multi-tenant management for Microsoft Defender XDR and Microsoft Sentinel in the the Microsoft unified security operations platform.
 ms.service: defender-xdr
 ms.author: siosulli
 author: siosulli
@@ -11,41 +11,48 @@ ms.collection:
   - m365-security
   - highpri
   - tier1
+  - usx-security
 ms.topic: conceptual
-ms.date: 09/01/2023
+ms.date: 08/07/2024
+appliesto:
+  - Microsoft Defender XDR
+  - Microsoft Sentinel in the Microsoft Defender portal
+  - Microsoft Defender for Endpoint Plan 2
+  - Microsoft Defender for Office 365 P2
 ---
 
-# Overview of multi-tenant management in Microsoft Defender XDR
+# Multi-tenant management for Microsoft Defender XDR and the Microsoft unified security operations platform
 
-**Applies to:**
+Multi-tenant management for Microsoft Defender XDR and the Microsoft unified security operations platform provides your security operation teams with a single, unified view of all the tenants you manage. This view enables your teams to quickly investigate incidents and perform advanced hunting across data from multiple tenants, improving your security operations.
 
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-- [Microsoft Defender for Endpoint Plan 2](/defender-endpoint/microsoft-defender-endpoint)
-- [Microsoft Defender for Office 365 P2](https://go.microsoft.com/fwlink/p/?LinkID=2158212)
+If you have tenants with a Microsoft Sentinel workspace onboarded to the unified security operations platform, you're able to:
 
->[!Tip]
->To learn how to turn on preview features, see [Microsoft Defender XDR preview features](preview.md).
+- Triage incidents and alerts across SIEM and XDR data.
+- Proactively search for SIEM and XDR data across multiple tenants.
 
-Managing multi-tenant environments can add an additional layer of complexity when it comes to keeping up with the ever-evolving security threats facing your enterprise. Navigating across multiple tenants can be time consuming and reduce the overall efficiency of security operation center (SOC) teams.
+Only one Microsoft Sentinel workspace per tenant is currently supported in the unfied security platform. So for multi-tenant management, you'll have SIEM data from one Microsoft Sentinel workspace per tenant.
 
-Multi-tenant management in Microsoft Defender XDR was designed to provide security operation teams with a single, unified view of all the tenants they manage. This view enables teams to quickly investigate incidents and perform advanced hunting across data from multiple tenants, improving their security operations.
+For more information, see:
 
->[!Tip]
->To learn more about multi-tenant organizations, see [Multi-tenant organizations documentation](/azure/active-directory/multi-tenant-organizations/).
+- [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md)
+- [Multi-tenant organizations documentation](/azure/active-directory/multi-tenant-organizations/)
 
-Some of the key benefits you get with multi-tenant management in Microsoft Defender XDR include:
 
-- **A centralized place to manage incidents across tenants**: A unified view provides SOC analysts with all the information they need for incident investigation across multiple tenants, eliminating the need to sign in and out of each one.
+## Benefits of multi-tenant management
+
+Some of the key benefits you get with multi-tenant management for Defender XDR and the Microsoft unified security operations platform include:
+
+- **A centralized place to manage incidents across tenants**: A unified view provides SOC analysts with all the information they need to investigate incidents across multiple tenants, eliminating the need to sign in and out of each one.
 
 - **Streamlined threat hunting**: Multi-tenancy support enables SOC teams use Microsoft Defender XDR advanced hunting capabilities to create KQL queries that will proactively hunt for threats across multiple tenants.
 
 - **Multi-customer management for partners**: Managed Security Service Provider (MSSP) partners can now gain visibility into security incidents, alerts, and threat hunting across multiple customers through a single pane of glass.
 
 <a name='whats-included-in-multi-tenant-management-in-microsoft-365-defender'></a>
 
-## What's included in multi-tenant management in Microsoft Defender XDR
+## What's included in multi-tenant management
 
-The following key capabilities are available for each tenant you have access to in multi-tenant management in Microsoft Defender XDR:
+The following key capabilities are available for each tenant you have access to in multi-tenant management for Microsoft Defender XDR and the Microsoft unified security operations platform:
 
 | Capability | Description |
 | ------ | ------ |
diff --git a/defender-xdr/mto-requirements.md b/defender-xdr/mto-requirements.md
@@ -1,6 +1,6 @@
 ---
 title: Set up multitenant management in Microsoft Defender XDR
-description: Learn what steps you need to take to get started with multitenant management in Microsoft Defender XDR.
+description: Learn what steps you need to take to get started with multitenant management for Microsoft Defender XDR and the Microsoft unified security operations platform.
 ms.service: defender-xdr
 ms.author: siosulli
 author: siosulli
@@ -11,40 +11,39 @@ ms.collection:
   - m365-security
   - highpri
   - tier1
+  - usx-security
 ms.topic: conceptual
-ms.date: 09/01/2023
+ms.date: 08/07/20
+appliesto:
+  - Microsoft Defender XDR
+  - Microsoft Sentinel in the Microsoft Defender portal
 ---
 
 # Set up multi-tenant management in Microsoft Defender XDR
 
-**Applies to:**
-
-- [Microsoft Defender XDR](microsoft-365-defender.md)
-
-This article describes the steps you need to take to start using multi-tenant management in Microsoft Defender XDR.
-
->[!Note]
->In multi-tenant management, interactions between the multi-tenant user and the managed tenants could involve accessing data and managing configurations. The ability to undertake these actions is determined by the permissions a managed tenant has granted the multi-tenant user.
+This article describes the steps you need to take to start using multi-tenant management for Microsoft Defender XDR and the Microsoft unified security operations platform.
 
 1. [Review the requirements](#review-the-requirements)
 2. [Verify your tenant access](#verify-your-tenant-access)
 3. [Set up multi-tenant management in Microsoft Defender XDR](#set-up-multi-tenant-management)
 
 >[!Note]
-> [Data privacy](data-privacy.md), [role-based access control (RBAC)](m365d-permissions.md) and [Licensing](prerequisites.md#licensing-requirements) are respected by multi-tenant management in Microsoft Defender XDR.
+>- In multi-tenant management, interactions between the multi-tenant user and the managed tenants could involve accessing data and managing configurations. The ability to undertake these actions is determined by the permissions a managed tenant has granted the multi-tenant user.
+>- [Data privacy](data-privacy.md), [role-based access control (RBAC)](m365d-permissions.md) and [Licensing](prerequisites.md#licensing-requirements) are respected by multi-tenant management in Microsoft Defender XDR.
 
 ## Review the requirements
 
-The following table lists the basic requirements you need to use multi-tenant management in Microsoft Defender XDR.
+The following table lists the basic requirements you need to use multi-tenant management for Microsoft Defender XDR and the unified security operations platform.
 
 | Requirement | Description |
 |:---|:---|
 | Microsoft Defender XDR prerequisites | Verify you meet the [Microsoft Defender XDR prerequisites](prerequisites.md)|
 | Multi-tenant access | To view and manage the data you have access to in multi-tenant management, you need to ensure you have the necessary access. For each tenant you want to view and manage, you need to have either: <br/> <br/> - [Granular delegated admin privileges (GDAP)](/partner-center/gdap-introduction) <br/> - [Microsoft Entra B2B authentication](/azure/active-directory/external-identities/what-is-b2b) <br/> <br/> To learn more about how to synchronize multiple B2B users across tenants, see [Configure cross-tenant synchronization](/azure/active-directory/multi-tenant-organizations/cross-tenant-synchronization-configure).|
 | Permissions | Users must be assigned the correct roles and permissions at the individual tenant level, in order to view and manage the associated data in multi-tenant management. To learn more, see: <br/><br/> - [Manage access to Microsoft Defender XDR with Microsoft Entra global roles](./m365d-permissions.md) <br/> - [Custom roles in role-based access control for Microsoft Defender XDR](./custom-roles.md)<br/><br/> To learn how to grant permissions for multiple users at scale, see [What is entitlement management](/azure/active-directory/governance/entitlement-management-overview).|
+| SIEM data (Optional) |To include SIEM data with the XDR data, one or more tenants must include a Microsoft Sentinel workspace onboarded to unified security operations platform. For more information, see [Connect Microsoft Sentinel to Microsoft Defender XDR](microsoft-sentinel-onboard.md).<br/><br/>Only one Microsoft Sentinel workspace per tenant is currently supported in the unfied security operations platform. So for multi-tenant management, you'll have SIEM data from one Microsoft Sentinel workspace per tenant.|
+
+We recommend that you set up [multi-factor authentication trust](/azure/active-directory/external-identities/authentication-conditional-access) for each tenant to avoid missing data in multi-tenant management for Microsoft Defender XDR and the unified security operations platform.
 
->[!Note]
-> Setting up [multi-factor authentication trust](/azure/active-directory/external-identities/authentication-conditional-access) is highly recommended for each tenant to avoid missing data in multi-tenant management Microsoft Defender XDR.
 
 ## Verify your tenant access
 
diff --git a/defender-xdr/mto-tenants.md b/defender-xdr/mto-tenants.md
@@ -12,15 +12,17 @@ ms.collection:
   - m365-security
   - highpri
   - tier1
+  - usx-security
 ms.topic: conceptual
-ms.date: 03/20/2024
+ms.date: 08/07/2024
+appliesto:
+  - Microsoft Defender XDR
+  - Microsoft Sentinel in the Microsoft Defender portal
 ---
 
-# Manage tenants
+# Manage tenants in Microsoft Defender XDR
 
-**Applies to:**
-
-- [Microsoft Defender XDR](microsoft-365-defender.md)
+Add or remove tenants from the settings page in multi-tenant management from the Microsoft Defender portal.
 
 ## View the tenants page
 
