Agent Foskett • Microsoft Defender • Sentinel Setup

I Opened The New Defender Portal… Now What?

Microsoft Defender loaded.

Microsoft Sentinel appeared inside the same experience.

Secure Score was showing. UEBA was waiting. Data connectors were empty. Automation rules were missing. Some tiles said no data. Other tiles looked like they were still loading.

If you have opened the new Microsoft Defender portal and thought, “Where do I even start?” — you are not alone.

Microsoft is moving security operations into a more unified experience, bringing Defender XDR, Sentinel, incidents, hunting, automation, Secure Score and investigation data closer together.

That is powerful.

But for many businesses and administrators, the first view can feel overwhelming.

This Agent Foskett briefing explains what the new Defender and Sentinel setup means, why some widgets show no data, and what organisations should configure first.

Briefing summary

The new Microsoft Defender experience brings Sentinel, Defender XDR, Secure Score, incidents, automation and hunting closer together. This guide helps businesses understand what they are seeing and what to configure first.

Understand the new Defender portal
Configure Sentinel data sources
Start hunting with useful KQL
🚨 Empty dashboards do not always mean nothing is happening.
In many environments, it means the right logs, connectors, onboarding steps and analytics rules have not been configured yet.
Book a security review →

What changed?

The Microsoft security experience is becoming more unified. Instead of thinking about Defender and Sentinel as completely separate places, organisations are now encouraged to investigate incidents, hunt threats, review posture and manage operations from a more connected security operations view.
Defender is becoming the front door: Microsoft Defender is increasingly where organisations review incidents, hunting, exposure, identities, devices, email and Sentinel security operations.
Sentinel is closer to the investigation: Sentinel capabilities such as data connectors, automation, analytics and UEBA now sit closer to the day-to-day Defender investigation workflow.
The first view can feel empty: no incidents, no connectors or no data does not always mean the environment is safe. It may mean the telemetry is not connected yet.

Why does everything say no data?

This is one of the most common first reactions. The portal loads, but several tiles may show no data, failed loading, empty incidents or no automation rules. That does not automatically mean something is broken.
Data connectors may not be enabled: Sentinel needs data sources. Without connectors, there is nothing meaningful for dashboards, analytics or incidents to process.
Devices may not be onboarded: device risk, active malware and endpoint visibility depend on devices being correctly onboarded into Microsoft Defender for Endpoint.
Some data takes time: Secure Score, Action Center, incidents and analytics views can have delays, caching or dependency requirements before they become useful.

What should you configure first?

The best first step is not to click everything at once. Build visibility in layers: identity, devices, email, cloud activity, automation and hunting.
1. Connect identity logs: start with Entra ID sign-in logs and audit logs. Identity is often the first place attacker behaviour appears.
2. Onboard devices: endpoint telemetry gives Defender the visibility it needs to detect malware, risky devices, process activity and suspicious behaviour.
3. Connect email security: Microsoft Defender for Office 365 email telemetry helps investigate phishing, malicious links, delivered threats and user clicks.
4. Enable UEBA: User and Entity Behavior Analytics helps Sentinel learn normal behaviour and highlight unusual user or entity activity. It needs identity and activity logs flowing first, and a learning period before its output is useful.
5. Review Secure Score: Secure Score gives a posture baseline and helps identify practical improvements across identity, devices, apps and data.
6. Add automation slowly: automation rules are powerful, but they should be introduced carefully, after the organisation understands its alerts and incident flow.
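Before trusting any tile, confirm which tables are actually receiving data. The query below is an added example written for this briefing, not code from the original page; it serves both the "no data" question above and the layered configuration steps just listed. It reads the Sentinel Usage table, which records ingested volume per table (DataType, Quantity in MB), and compares it against a list of tables the later hunts depend on. That expected-table list is an assumption for a tenant planning identity, endpoint and email telemetry; trim or extend it to match the connectors you intend to enable.

```kql
// Added example (not from the original page): coverage check for the tables the
// hunts in this guide need. Run in Sentinel Logs (or Advanced hunting with Sentinel data).
// Assumption: the Expected list matches the connectors this tenant plans to enable.
//   SigninLogs, AuditLogs                          -> Entra ID connector
//   DeviceEvents, DeviceProcessEvents, DeviceLogonEvents -> Defender for Endpoint via the Defender XDR connector
//   EmailEvents, UrlClickEvents                    -> Defender for Office 365 via the Defender XDR connector
//   SecurityAlert, SecurityIncident                -> alerts and incidents
//   BehaviorAnalytics                              -> UEBA output
let Expected = dynamic([
    "SigninLogs", "AuditLogs",
    "DeviceEvents", "DeviceProcessEvents", "DeviceLogonEvents",
    "EmailEvents", "UrlClickEvents",
    "SecurityAlert", "SecurityIncident",
    "BehaviorAnalytics"
]);
let ExpectedTables = print Table = Expected | mv-expand Table to typeof(string);
// Usage rows are hourly buckets per table; Quantity is the ingested size in MB.
let Seen = Usage
    | where TimeGenerated > ago(7d)
    | summarize LastIngested = max(TimeGenerated), TotalMB = round(sum(Quantity), 1)
              by Table = DataType;
ExpectedTables
| join kind=leftouter Seen on Table
| extend Status = case(isnull(LastIngested), "NO DATA in 7d",        // connector or onboarding not done
                       LastIngested < ago(1d), "STALE (nothing in 24h)",  // was working, now silent
                       "ingesting")
| project Table, Status, LastIngested, TotalMB
| order by Status asc, TotalMB desc
```

A table marked "NO DATA" explains an empty tile on its own; a table that is ingesting but still produces no incidents points at analytics rules rather than connectors, which is the next thing to check.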

First hunt: are users signing in successfully?

Even before every dashboard looks impressive, the logs may already be useful. Start with simple sign-in visibility.
successful-signins-review.kql
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == "0"   // ResultType is a string column; "0" is a successful sign-in
| summarize SignIns=count() by UserPrincipalName, IPAddress
| order by SignIns desc
What to review: look for users signing in from unexpected IP addresses, unusual locations, unfamiliar devices or strange volumes of activity.
Why it matters: the dashboard may look quiet, but identity logs often reveal early signs of compromise, risky access or poor conditional access coverage.
Best next pivot: review failed sign-ins, MFA status, conditional access results, device details and risky users.
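"Unexpected" only means something against a baseline. The query below is an added example for this briefing, not code from the original page: it builds a per-user set of known source IPs and countries from the previous 30 days of successful sign-ins, then reports today's successful sign-ins that come from an IP or country the user has never used, alongside the device, MFA and risk fields the pivot above asks for. The 30-day window and the choice to treat a user with no baseline at all as worth a look are assumptions; adjust them to the tenant.

```kql
// Added example (not from the original page): successful sign-ins from a source the
// user has not used before, compared against a 30-day baseline (assumed window).
let BaselineWindow = 30d;
let Recent = 1d;
let Baseline = SigninLogs
    | where TimeGenerated between (ago(BaselineWindow) .. ago(Recent))
    | where ResultType == "0"                       // ResultType is a string column
    | summarize KnownIPs = make_set(IPAddress), KnownCountries = make_set(Location)
              by UserPrincipalName;
SigninLogs
| where TimeGenerated > ago(Recent)
| where ResultType == "0"
| join kind=leftouter Baseline on UserPrincipalName
| extend NoBaseline = isnull(array_length(KnownIPs)),             // user never signed in during the baseline window
         NewIP = not(set_has_element(KnownIPs, IPAddress)),
         NewCountry = not(set_has_element(KnownCountries, Location))
| where NoBaseline or NewIP or NewCountry
// DeviceDetail is a dynamic bag; pull out the fields an analyst checks first
| extend DeviceName = tostring(DeviceDetail.displayName),
         DeviceOS = tostring(DeviceDetail.operatingSystem),
         DeviceCompliant = tostring(DeviceDetail.isCompliant)
| summarize SignIns = count(),
            Apps = make_set(AppDisplayName, 5),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
          by UserPrincipalName, IPAddress, Location, DeviceName, DeviceOS, DeviceCompliant,
             AuthenticationRequirement,      // singleFactorAuthentication = MFA was not required
             RiskLevelDuringSignIn,          // Entra ID Protection verdict, if licensed
             NoBaseline, NewIP, NewCountry
| order by NoBaseline desc, NewCountry desc, SignIns desc
```

A new country combined with singleFactorAuthentication and an unmanaged device is the row to open first; a new IP on a compliant device with MFA is usually a user on a different network.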

Second hunt: are there failed sign-in patterns?

A quiet incident queue does not mean attackers are not trying. Failed sign-in behaviour can expose password spraying, brute-force attempts and legacy authentication issues.
failed-signin-patterns.kql
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"   // anything other than "0" is a failed or interrupted sign-in
| summarize FailedAttempts=count(),
            Users=dcount(UserPrincipalName)
          by IPAddress
| order by FailedAttempts desc
What to review: look for one IP address attempting many users, repeated failures against one user, or patterns outside normal business hours.
Why it matters: failed sign-ins may not always create a dramatic incident, but they can show active targeting and weak identity controls.
Best next pivot: check MFA requirements, conditional access policies, risky users and whether legacy authentication is still allowed.
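The question that matters after a spray is not how many failures there were but whether the same source ever got in. The query below is an added example for this briefing, not code from the original page: it first isolates source IPs that failed against many distinct accounts, then lists every successful sign-in from those IPs with the MFA, conditional access and client fields that show how it got through. The ten-account threshold and the definition of legacy authentication as any ClientAppUsed value other than "Browser" or "Mobile Apps and Desktop clients" are assumptions; tune both to the tenant.

```kql
// Added example (not from the original page): sources that sprayed many accounts,
// and any sign-in that succeeded from them. Thresholds are assumed starting points.
let LookBack = 24h;
let MinDistinctUsers = 10;
let SprayingIPs =
    SigninLogs
    | where TimeGenerated > ago(LookBack)
    | where ResultType != "0"                        // ResultType is a string column
    | summarize FailedAttempts = count(),
                TargetedUsers = dcount(UserPrincipalName),
                ResultCodes = make_set(ResultType, 10)   // e.g. 50126 = bad password, 50053 = locked out
              by IPAddress
    | where TargetedUsers >= MinDistinctUsers;
SigninLogs
| where TimeGenerated > ago(LookBack)
| where ResultType == "0"
| join kind=inner SprayingIPs on IPAddress
// Legacy protocols cannot perform MFA; this list is an assumption, extend as needed.
| extend IsLegacyAuth = ClientAppUsed !in ("Browser", "Mobile Apps and Desktop clients")
| project TimeGenerated, UserPrincipalName, IPAddress, Location,
          AppDisplayName, ClientAppUsed, IsLegacyAuth,
          AuthenticationRequirement,       // singleFactorAuthentication = no MFA enforced
          ConditionalAccessStatus,         // notApplied = no policy covered this sign-in
          FailedAttempts, TargetedUsers, ResultCodes
| order by TimeGenerated desc
```

An empty result is good news but not the end of the hunt: run the SprayingIPs expression on its own to see who is being targeted, and feed the IPs into conditional access or named-location blocks before the next attempt succeeds.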

Third hunt: are emails being clicked?

If Microsoft Defender for Office 365 is available, URL click telemetry helps connect email threats to user behaviour.
url-click-review.kql
// UrlClickEvents comes from Defender for Office 365 Safe Links telemetry
UrlClickEvents
| where Timestamp > ago(7d)
| project Timestamp,
          AccountUpn,
          Url,
          ActionType,        // e.g. ClickAllowed, ClickBlocked
          IPAddress,
          NetworkMessageId   // key for pivoting back to EmailEvents
| order by Timestamp desc
What to review: check whether users clicked allowed links, blocked links, rewritten Safe Links or suspicious URLs.
Why it matters: email risk is not only about what was delivered. It is also about what the user did after delivery.
Best next pivot: use NetworkMessageId to connect the click back to the original email, recipient and sender.
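The pivot above, written out. The query below is an added example for this briefing, not code from the original page: it joins allowed clicks in UrlClickEvents to the matching recipient's row in EmailEvents on NetworkMessageId, so each click is tied to where that user's copy of the message was delivered, what verdict it carried and who sent it. Both tables arrive through the Defender XDR connector. The seven-day window and the "Inbox/folder" check are assumptions.

```kql
// Added example (not from the original page): allowed clicks tied back to the
// delivered message, per recipient. Assumed lookback of 7 days.
let LookBack = 7d;
UrlClickEvents
| where Timestamp > ago(LookBack)
| where ActionType == "ClickAllowed"                // the user reached the destination
| project ClickTime = Timestamp, AccountUpn, Url, IPAddress,
          IsClickedThrough,                          // true = user clicked past a Safe Links warning
          NetworkMessageId, Upn = tolower(AccountUpn)
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(LookBack)
    | project NetworkMessageId, Upn = tolower(RecipientEmailAddress),
              SenderFromAddress, SenderMailFromAddress, Subject,
              ThreatTypes, DeliveryAction, DeliveryLocation
  ) on NetworkMessageId, Upn                         // same message, same recipient
| extend HasThreatVerdict = isnotempty(ThreatTypes),           // Phish, Malware, Spam ...
         ReachedInbox = DeliveryLocation == "Inbox/folder",
         SenderMismatch = tolower(SenderFromAddress) != tolower(SenderMailFromAddress)  // From vs MAIL FROM
| summarize Clicks = count(),
            ClickingUsers = dcount(AccountUpn),
            ClickedThrough = countif(IsClickedThrough),
            Urls = make_set(Url, 5),
            FirstClick = min(ClickTime), LastClick = max(ClickTime)
          by NetworkMessageId, SenderFromAddress, Subject, ThreatTypes,
             DeliveryAction, DeliveryLocation, HasThreatVerdict, ReachedInbox, SenderMismatch
| order by HasThreatVerdict desc, SenderMismatch desc, Clicks desc
```

Messages with a threat verdict that still reached the inbox and were clicked are the ones to purge and follow up on; a sender mismatch without a verdict is a useful prompt to check the message manually.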

What is UEBA in plain English?

UEBA stands for User and Entity Behavior Analytics. In practical terms, it helps Microsoft Sentinel learn what normal behaviour looks like so unusual behaviour becomes easier to spot.
It builds behaviour context: UEBA creates a picture of normal activity across users, devices and entities in the environment.
It highlights abnormal activity: unusual sign-ins, abnormal access, strange timing or suspicious entity behaviour become easier to investigate.
It supports investigations: UEBA does not replace investigation. It gives defenders extra behavioural clues when something does not feel right.
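Once UEBA is enabled and has had time to learn, its output lands in the BehaviorAnalytics table, where each row carries an InvestigationPriority score (0 to 10) and an ActivityInsights bag of named anomaly flags. The query below is an added example for this briefing, not code from the original page: it expands that bag so only the flags UEBA actually raised remain, and groups them by user and activity. The priority threshold of 5 is an assumed starting point. Until the table exists and has rows, this query is itself a quick way to see that UEBA is not yet producing anything.

```kql
// Added example (not from the original page): surface the anomaly flags UEBA raised.
// InvestigationPriority runs 0-10; the threshold of 5 is an assumption, tune per tenant.
BehaviorAnalytics
| where TimeGenerated > ago(7d)
| where InvestigationPriority >= 5
// ActivityInsights is a property bag such as {"FirstTimeUserConnectedFromCountry": true, ...};
// bagexpansion=array turns each property into a ["Name", value] row
| mv-expand bagexpansion=array Insight = ActivityInsights
| extend InsightName = tostring(Insight[0]),
         InsightValue = tolower(tostring(Insight[1]))
| where InsightValue == "true"                    // keep only flags that fired
| summarize Priority = max(InvestigationPriority),
            Events = count(),
            Flags = make_set(InsightName),        // e.g. FirstTimeUserConnectedFromCountry, FirstTimeUserAccessedResource
            SourceIPs = make_set(SourceIPAddress, 5),
            Locations = make_set(SourceIPLocation, 5),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
          by UserPrincipalName, ActivityType, ActionType
| order by Priority desc, Events desc
```

Compare the Flags column with the manual baseline hunts: where UEBA agrees with a first-seen IP or country you found yourself, the signal is stronger; where it flags something the raw logs did not, it is usually peer-group context (a country uncommon among the user's peers) that a hand-written query cannot easily express.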

Where businesses get stuck

The new Defender setup is not just a technical change. It changes how security teams think about visibility, detection and response.
They enable the portal but not the data: the interface may load, but without connectors, onboarding and log sources there is limited visibility.
They trust the dashboard too early: no incidents does not always mean no risk. It may mean analytics rules, signals or connectors are not mature yet.
They skip the investigation basics: before complex automation, organisations need to understand sign-ins, devices, email, alerts, users and response workflows.

How GEMXIT approaches the new Defender setup

At GEMXIT, we focus on practical visibility first. The goal is not to make the portal look busy. The goal is to make the security data useful.
We review your current visibility: we look at Defender, Sentinel, Entra ID, device onboarding, email telemetry, Secure Score and connector coverage.
We build a practical roadmap: instead of turning everything on at once, we help prioritise the actions that improve detection, response and business risk first.
We make the logs useful: Defender and Sentinel become more valuable when the data can answer real investigation questions quickly.
The new Defender portal is powerful. But it needs the right setup.
GEMXIT helps organisations review Microsoft Defender XDR, Microsoft Sentinel, Secure Score, UEBA, data connectors, KQL hunting and practical security operations workflows.
Contact GEMXIT

Final thought

The new Defender experience can feel confusing at first.

Empty widgets do not always mean the environment is safe.

No active incidents does not always mean there is nothing to investigate.

And a quiet dashboard does not always mean the logs are quiet.

Sometimes the most important security work begins after someone asks a simple question:

“What am I actually looking at?”
At GEMXIT: we help organisations configure Microsoft Defender, Sentinel, Microsoft 365 security, Entra ID, UEBA, Secure Score, data connectors, KQL hunting and practical security operations workflows.
Agent Foskett mindset: the important question is not only “Is the portal turned on?”

It is: “Is the environment actually visible?”

Why Defender Shows No Data

Common setup areas include missing Sentinel data connectors, devices not onboarded to Defender for Endpoint, identity logs not connected, empty automation rules, UEBA not enabled, licensing gaps and delayed security posture data.