Agent Foskett Academy • Microsoft Sentinel • Lesson 4

Lesson 4 — Connecting Microsoft Defender XDR

Microsoft Defender XDR and Microsoft Sentinel are stronger when they work together.

Defender XDR provides rich Microsoft-native detection and response across endpoint, email, identity and cloud app activity. Sentinel brings that evidence into a wider SIEM and SOAR workflow where it can be correlated with Azure, firewall, VPN, server and third-party telemetry.

In this lesson, you will learn why the Defender XDR connector matters and how it helps turn Microsoft security detections into enterprise SOC investigations.

Defender XDR detects across Microsoft workloads. Sentinel brings that evidence into the wider SOC.
Agent Foskett Microsoft Sentinel connecting Microsoft Defender XDR lesson
What you will learn

This lesson explains how Defender XDR becomes a high-value Sentinel data source for real-world SOC operations.

Why connect Defender XDR to Sentinel
What incidents, alerts and entities mean
How Sentinel enriches Defender investigations
Common connector and workflow mistakes

Learning objectives

After completing this lesson, you should understand how Defender XDR evidence flows into Sentinel.

  • Explain why Defender XDR is a key Sentinel data source.
  • Understand the difference between incidents, alerts, entities and telemetry.
  • Recognise how Defender XDR incidents can support Sentinel SOC workflows.
  • Understand why Sentinel adds value beyond Microsoft-native detection.
  • Prepare for future lessons on incidents, analytics rules and automation.

The problem this solves

Defender XDR is excellent at detecting threats across Microsoft workloads, but many organisations need to investigate beyond Microsoft telemetry.

Sentinel helps bring Defender evidence together with firewall logs, VPN activity, Azure Activity, servers, third-party clouds and other operational security data.

Why connect Defender XDR to Sentinel?

The Defender XDR connector allows Sentinel to use Microsoft-native security detections as part of a wider SIEM and SOAR process. Instead of treating Defender incidents as separate from the SOC, Sentinel can make them part of enterprise monitoring, hunting, dashboards and automation.

Agent Foskett tip:

Defender XDR is not just another log source. It is already doing high-value Microsoft security correlation. Sentinel should extend that work, not duplicate it.

How the connection fits together

Defender XDR collects and correlates Microsoft security signals. Sentinel receives those signals and places them inside broader SOC workflows.

Microsoft Defender for Endpoint Microsoft Defender for Office 365 Microsoft Defender for Identity Microsoft Defender for Cloud Apps Microsoft Entra ID signals │ ▼ Microsoft Defender XDR │ ├── Incidents ├── Alerts ├── Entities └── Evidence │ ▼ Microsoft Sentinel │ ├── Enterprise incidents ├── Hunting queries ├── Workbooks ├── Automation rules └── Playbooks

What is an incident?

An incident groups related security evidence together so an analyst can investigate it as one case. Defender XDR can create incidents from Microsoft security detections, while Sentinel can manage incidents across a wider SIEM environment.

Incidents help analysts avoid chasing isolated alerts without context.

What is an alert?

An alert is a detection that something suspicious or important occurred. Multiple alerts may belong to one incident.

For example, one phishing incident might include an email alert, a risky sign-in alert and an endpoint execution alert.

What are entities?

Entities are the objects involved in an investigation. These are the things analysts pivot around during triage.

  • Users
  • Devices
  • IP addresses
  • Domains
  • Mailboxes
  • Applications

What is telemetry?

Telemetry is the underlying activity data that supports investigation. Incidents and alerts tell you something may be wrong. Telemetry helps you prove what happened.

Sentinel becomes powerful when analysts can move from an incident summary into the evidence behind the story.

Real-world phishing example

A user receives a phishing email. Microsoft Defender for Office 365 detects the message and Defender XDR correlates related user, email and endpoint evidence. Sentinel can then add wider context.

Defender XDR evidence Sentinel enrichment
Email detection, Safe Links activity, user identity signals and endpoint evidence. Firewall logs, VPN sessions, Azure Activity, third-party logs, threat intelligence and automation workflows.
Shows what happened inside the Microsoft security ecosystem. Shows what happened across the wider organisation.

Why this matters for the SOC

Security analysts need one investigation workflow. If Defender incidents sit in one place and enterprise SIEM data sits somewhere else, the analyst has to manually piece the story together.

Connecting Defender XDR to Sentinel helps make Microsoft detections part of the wider SOC process.

Common mistake

A common mistake is expecting Sentinel to magically improve Defender incidents without wider context.

The connector brings Defender evidence into Sentinel, but the value increases when you also connect the surrounding data sources needed to validate the investigation.

Agent Foskett investigation tip

Do not duplicate the investigation. Extend it.

Let Defender XDR do what it is good at: Microsoft-native correlation. Let Sentinel do what it is good at: enterprise-wide visibility, hunting, dashboards and response orchestration.

What to check after connecting

After enabling the connector, analysts should confirm that incidents and evidence are appearing as expected.

  • Are Defender XDR incidents visible in Sentinel?
  • Are important entities appearing correctly?
  • Can analysts pivot from Sentinel back to Defender where needed?
  • Are automations or workbooks relying on the correct data?

Agent Foskett takeaway

Defender XDR gives Microsoft security investigations depth.

Sentinel gives those investigations enterprise context.

Together, they give the SOC a clearer investigation path.

Lesson summary
Connecting Microsoft Defender XDR to Microsoft Sentinel allows Defender incidents, alerts, entities and evidence to become part of wider SOC workflows. Defender XDR provides Microsoft-native detection. Sentinel expands the investigation across the enterprise.
Sentinel Academy Home

Connecting Microsoft Defender XDR to Microsoft Sentinel

Microsoft Defender XDR connects to Microsoft Sentinel so Defender incidents, alerts, entities and Microsoft security evidence can support SIEM, SOAR, threat hunting, analytics rules, workbooks and automation workflows.

Microsoft Sentinel Lesson 4

This Agent Foskett Microsoft Sentinel Academy lesson explains the Defender XDR connector, incidents, alerts, entities, telemetry flow, Sentinel enrichment and SOC investigation workflows.