Azure Security Mastery: Defender, Sentinel, and Zero Trust for the AI Era

The full 2026 security fabric (Microsoft Defender XDR, Sentinel, Entra ID, Purview, and Copilot for Security), explained as one coherent architecture rather than a vendor catalog.

Sai Kiran Pandrala

One security fabric, many product names

Microsoft sells six to ten security products depending on how you count. For architects, there are really just four layers you need to understand:

  1. Identity: Entra ID (formerly Azure AD) + Entra ID Governance + Entra Permissions Management.
  2. Endpoint & cloud workload: Microsoft Defender XDR (Defender for Endpoint / Identity / Office 365 / Cloud Apps) and Defender for Cloud (CSPM, CWPP, DevOps posture).
  3. Data: Microsoft Purview (sensitivity labels, DLP, IRM, eDiscovery, Communication Compliance).
  4. SIEM + SOAR: Microsoft Sentinel (cloud-native SIEM, now priced per GB or per Sentinel Unit) + Copilot for Security (AI investigator).

The rest of the catalog is features inside these four. This piece walks the fabric and explains when each layer carries the weight.

Zero Trust isn't a product; it's a property of your architecture

Zero Trust has three principles: verify explicitly (prove identity and device state for every access), least privilege (just-enough, just-in-time access), and assume breach (design controls for post-compromise containment).

Tactics that actually move the needle

  • Phishing-resistant MFA: FIDO2 / passkeys. SMS/TOTP are 2021 thinking. Force Entra ID Conditional Access to require phishing-resistant MFA for admins and sensitive apps.
  • Device compliance signals: require Intune-compliant / Defender-healthy devices to access M365 and corporate SaaS.
  • Just-in-time admin elevation: Entra Privileged Identity Management (PIM). Break-glass accounts are physical, kept offline.
  • Microsegmentation: Azure Firewall + NSGs + Private Endpoints. No flat VNets.
  • Continuous access evaluation (CAE): tokens get revoked within minutes of a risk event.
  • Conditional access for apps and data, not just network. Example: "view-only, no download, no copy/paste" for sensitive documents via Purview adaptive protection.

If you can say "our security posture is based on network perimeter," stop. That's 2010. The perimeter is identity.

Defender XDR: one pane, five engines

Microsoft Defender XDR unifies signals from five sensors into a single portal (security.microsoft.com):

  • Defender for Endpoint (MDE): endpoint EDR/XDR. Deploy to every laptop, server, and container host.
  • Defender for Identity (MDI): watches on-prem AD and Entra ID sign-in behaviour.
  • Defender for Office 365 (MDO): phishing, BEC, malicious attachments.
  • Defender for Cloud Apps (MDA): CASB, SaaS posture, shadow IT discovery.
  • Defender for Cloud (MDC): IaaS/PaaS workload protection, Kubernetes, containers, DevOps posture.

Automatic attack disruption (the feature you underuse)

Since 2024, Defender XDR can auto-contain attacks in progress. When it correlates ransomware, BEC, or adversary-in-the-middle activity across signals, it can (depending on configuration) isolate the device, revoke the user's sessions, disable the mailbox, and block SaaS token use, all within seconds. The key: enable this in block mode for your T0 and T1 assets. Don't leave it in audit-only.

Defender for Cloud DevOps posture

Connect your GitHub / Azure DevOps / GitLab orgs to Defender for Cloud. It scans IaC (Bicep, Terraform, Helm), container images, secrets in repos, and dependency CVEs, and ties findings back to the cloud resources they create. This is the one feature most CISOs underestimate. It shrinks the mean-time-to-remediate from weeks to days.

Sentinel: the SIEM you can actually afford

Microsoft Sentinel is the cloud-native SIEM + SOAR. It ingests logs (from Azure, AWS, GCP, SaaS, firewalls, anywhere with syslog), runs analytics rules (built-in + custom KQL), correlates into incidents, orchestrates response (playbooks in Logic Apps), and integrates with Copilot for Security for natural-language investigation.

2026 pricing options

Tier | Model | Best for
--- | --- | ---
Pay-as-you-go | Per GB ingested | Small tenants, bursty volume
Commitment tiers | Reserved GB/day (discount up to 60%) | Steady ingest > 100 GB/day
Auxiliary logs | $0.05/GB ingest, long retention | Network flow logs, firewall logs, low-value high-volume
Sentinel Unit (2025+) | Bundled ingest + analytics + automation | Enterprise SOCs wanting predictable cost

The game changer is Auxiliary Logs. Dump bulk firewall, network, DNS logs into Auxiliary at $0.05/GB with 1-year retention. Promote only interesting data to Analytics tier. Many mid-size enterprises halve their SIEM spend using this pattern.

Content Hub: use it

The Sentinel Content Hub has 300+ pre-built solutions (connectors + rules + workbooks + playbooks) for AWS, Okta, Salesforce, Cisco, Palo Alto, CrowdStrike, Jamf, and more. Install rather than write from scratch. Your homegrown KQL is almost never better than Microsoft's tested baseline.

Core KQL patterns for a starting SOC

  • Sign-ins with impossible travel + unfamiliar IP.
  • Mass file access anomalies (OneDrive, SharePoint audit logs).
  • Rare process executions on servers (via Defender for Endpoint device tables).
  • Privilege escalation patterns (PIM activation + PolicyAssignment changes).
  • Data exfiltration via cloud apps (CloudAppEvents).

Purview: data security finally catches up to data growth

Microsoft Purview covers: Information Protection (MIP) with sensitivity labels; Data Loss Prevention (DLP) across M365, endpoints, Edge browsing, and custom apps; Insider Risk Management; Communication Compliance; eDiscovery Premium; Compliance Manager; and Data Governance (the old Purview Data Catalog).

The four labels every tenant needs

  1. Public: no encryption, watermark only.
  2. General: the default, no restriction.
  3. Confidential: encrypted, all employees.
  4. Highly Confidential: encrypted, specific groups + "do not forward".

More than four and users get paralysed. Auto-labelling based on trainable classifiers (financial, legal, HR, source code) applies these without user action on ~80% of content.

DLP that matters in the AI era

Add DLP policies for the new "Copilot Experiences" location that block or warn when a user prompt asks Copilot to extract or summarise Highly Confidential content. This closes the biggest novel risk of AI deployment: accidental summarisation and redistribution of sensitive data.

Insider Risk + Adaptive Protection

Insider Risk Management scores users on risky behaviour signals (mass downloads, sharing to personal OneDrive, leaver workflows). Adaptive Protection then dynamically elevates DLP stringency for elevated-risk users. A user flagged as "leaver" automatically gets stricter policies without a helpdesk ticket.

Copilot for Security: the SOC analyst force multiplier

Copilot for Security is a domain-grounded Copilot for the SOC. It's priced per Security Compute Unit (SCU) hour, provisioned at the tenant level. Plans typically start at 1 SCU ($4/hour, always on, ~$2,900/month) with overage at the same rate.

Where it earns its keep

  • Incident summarisation: a one-click natural-language report with timeline, affected assets, and TTPs mapped to MITRE ATT&CK.
  • KQL generation: "Show all successful sign-ins from risky IPs in the last 30 days grouped by user, excluding known VPN ranges." translates to a working KQL query.
  • Script analysis: paste a PowerShell or Bash script; Copilot tells you what it does and whether it's malicious.
  • Threat intel lookup: a plug-in to Microsoft Threat Intelligence. Ask about an IOC or actor and get context.
  • Playbook drafting: turn an incident into a repeatable Logic Apps playbook.

Honest caveats

Copilot for Security is not a replacement for a Tier 2 analyst. It's a force multiplier: analysts report a 20-30% time reduction on repetitive tasks after 3 months. Don't sell the savings as "we can fire half the SOC." Sell it as "our existing SOC can now cover 2× the volume." That's the reality.

A 12-month Zero Trust blueprint

Quarter 1: Identity first

  • Enforce MFA on every account. Move admins to phishing-resistant (FIDO2).
  • Enable Entra ID Continuous Access Evaluation tenant-wide.
  • Implement Entra PIM for all privileged roles. Break-glass accounts documented, physically stored.
  • Baseline conditional access: compliant device required for M365 apps.

Quarter 2: Endpoints and data

  • Deploy Defender for Endpoint to 100% of devices. Enable Network Protection and ASR rules.
  • Deploy Purview MIP with 4 sensitivity labels. Enable auto-labelling.
  • Configure DLP for email, OneDrive, Teams, and Copilot Experiences.
  • Enroll corporate devices in Intune with compliance policies.

Quarter 3: SIEM and SOC

  • Deploy Microsoft Sentinel. Ingest M365, Entra, Defender, Azure Activity, firewall, DNS.
  • Enable top 20 analytics rules from the Content Hub. Tune weekly.
  • Build your first 5 playbooks (disable user, isolate device, block hash, notify channel, create ticket).
  • Enable automatic attack disruption in Defender XDR (block mode) for T0 assets.

Quarter 4: Optimisation

  • Move bulk logs to Auxiliary tier.
  • Pilot Copilot for Security with 10 SOC analysts. Measure triage time.
  • Run a tabletop with a red team. Fix what breaks.
  • Publish a quarterly security posture score and present to the board.

Incident response runbook: the first 60 minutes

Every CISO should be able to hand this to a SOC analyst at 2 a.m. and trust them to execute.

  1. 0–5 min, Acknowledge. Claim the incident in Sentinel. Check if it's part of a correlated cluster.
  2. 5–15 min, Triage. Entities impacted (users, hosts, IPs). Pull the last 24h of sign-ins for each. Flag any MFA bypass, impossible travel, token theft patterns.
  3. 15–25 min, Contain. Disable the user in Entra, revoke sessions. Isolate the host via Defender for Endpoint. Block the IP at the Azure Firewall / Front Door layer.
  4. 25–40 min, Collect. Export the audit log slice. Snapshot affected VMs. Preserve email headers if phish.
  5. 40–55 min, Communicate. Page the on-call business owner. Draft the stakeholder update using the pre-written template. Don't speculate on cause.
  6. 55–60 min, Hand off. Update the Sentinel incident with everything above. The next shift should be able to resume without a call.

The single biggest improvement most SOCs can make: pre-approved containment. Get written CISO sign-off on "we can disable any account showing impossible-travel + risky sign-in within 5 minutes without management approval". Every minute shaved saves data.

A KQL cookbook for the 10 hunts you'll run most

// 1. Impossible travel in the last 24h (candidate list: users who succeeded from two or more cities)
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == "0"    // successful sign-ins only; failures prove nothing about presence
| summarize cities = make_set(tostring(LocationDetails.city)) by UserPrincipalName
| where array_length(cities) >= 2

// 2. Mass download from SharePoint
OfficeActivity
| where TimeGenerated > ago(24h)
| where Operation in ("FileDownloaded", "FileSyncDownloadedFull")
| summarize downloads = count() by UserId, bin(TimeGenerated, 1h)
| where downloads > 200

// 3. OAuth app consent grants in the last 7d
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName == "Consent to application"
| project TimeGenerated, InitiatedBy, TargetResources

// 4. RDP brute force against Windows hosts
//    4625 = failed logon. 4648 (explicit-credential logon) is a success event, so it does not belong here.
//    Linux SSH failures land in Syslog, not SecurityEvent.
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4625
| summarize attempts = count() by Account, IpAddress, bin(TimeGenerated, 1h)
| where attempts > 20

// 5. Token replay candidates: high-risk sign-ins that got through with a single factor
SigninLogs
| where TimeGenerated > ago(24h)
| where ConditionalAccessStatus == "success"
| where TokenIssuerType == "AzureAD"
| where AuthenticationRequirement == "singleFactorAuthentication"
| where RiskLevelDuringSignIn == "high"
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName

Save these as Sentinel saved-queries, wrap them in Analytics Rules with reasonable thresholds, and you've covered the majority of Microsoft's own most-triggered detections.
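As an added example (not from the article), here is the first cookbook query reworked as a velocity check in Python: the rule as written flags anyone seen in two cities, which also catches a commuter, while comparing the implied speed between consecutive successful sign-ins keeps the London-to-Reading case and flags only the London-to-Singapore one. The sign-in records, cities and coordinates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

# Airliners top out near 900 km/h; a faster implied speed means the account was
# used from two places at once (token replay, shared credentials).
MAX_PLAUSIBLE_KMH = 900.0

@dataclass(frozen=True)
class SignIn:
    upn: str
    time: datetime
    city: str
    lat: float
    lon: float
    result_type: str  # SigninLogs convention: "0" means success

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def two_city_heuristic(events):
    """The cookbook's rule as written: any user who succeeded from >= 2 cities."""
    cities = {}
    for e in events:
        if e.result_type == "0":
            cities.setdefault(e.upn, set()).add(e.city)
    return sorted(u for u, c in cities.items() if len(c) >= 2)

def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """(upn, from_city, to_city, implied_kmh) for consecutive successful sign-ins
    by one user whose implied speed exceeds max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: e.time):
        if e.result_type == "0":  # failed attempts prove nothing about presence
            by_user.setdefault(e.upn, []).append(e)
    findings = []
    for upn, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < 50:  # same metro area: geo-IP jitter, not travel
                continue
            hours = (cur.time - prev.time).total_seconds() / 3600
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                findings.append((upn, prev.city, cur.city, round(speed)))
    return findings

T0 = datetime(2026, 3, 2, 8, 0, tzinfo=timezone.utc)
SAMPLE = [  # constructed sign-ins, not real telemetry
    SignIn("alice@contoso.example", T0, "London", 51.5074, -0.1278, "0"),
    SignIn("alice@contoso.example", T0 + timedelta(hours=1), "Reading", 51.4543, -0.9781, "0"),
    SignIn("bob@contoso.example", T0, "London", 51.5074, -0.1278, "0"),
    SignIn("bob@contoso.example", T0 + timedelta(minutes=20), "Singapore", 1.3521, 103.8198, "0"),
    SignIn("carol@contoso.example", T0, "Dublin", 53.3498, -6.2603, "0"),
    SignIn("carol@contoso.example", T0 + timedelta(minutes=5), "Lagos", 6.5244, 3.3792, "50126"),
]
```

Once the threshold is tuned, the same logic ports to KQL with geo_distance_2points() over the previous row per user.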

Mapping Microsoft controls to ISO 27001 + SOC 2

Control family | ISO 27001 | SOC 2 TSC | Microsoft product
--- | --- | --- | ---
Identity & access | A.5.15–A.5.18 | CC6.1–CC6.3 | Entra ID, PIM, Conditional Access
Endpoint protection | A.8.7 | CC6.8 | Defender for Endpoint
Logging & monitoring | A.8.15–A.8.16 | CC7.2–CC7.3 | Sentinel, Log Analytics
Data classification | A.5.12 | CC6.1, C1.1 | Purview Information Protection
Change management | A.8.32 | CC8.1 | Azure DevOps + GitHub Advanced Security
Incident response | A.5.24–A.5.26 | CC7.4 | Sentinel + Defender XDR
Vulnerability mgmt | A.8.8 | CC7.1 | Defender for Cloud, VM

Microsoft Purview Compliance Manager ships pre-built assessments for ISO, SOC 2, HIPAA, PCI-DSS, DPDP, and GDPR. Start there; don't build your control library from scratch.

Six Conditional Access recipes you should ship this quarter

  1. Block legacy auth everywhere. Legacy protocols are the number one gateway to credential attacks.
  2. Require phishing-resistant MFA (FIDO2, Windows Hello, passkeys) for admin roles and sensitive apps. SMS is no longer acceptable.
  3. Country allow-list for privileged roles. A privileged sign-in from a country you never allow is refused outright, so impossible-travel rules never have to catch it after the fact.
  4. Session lifetime by risk. Token lifetime shortens automatically when Entra ID Protection flags sign-in risk.
  5. Managed-device requirement for downloads from SharePoint and OneDrive. Web view only from unmanaged endpoints.
  6. Continuous Access Evaluation on every identity-aware app. Token revocation in seconds, not hours.
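To show how the Zero Trust tactics listed earlier and these recipes combine at sign-in time, here is an added Python model (not the article's code and not Microsoft's): it encodes recipes 1, 2, 3 and 5 as policies and applies the two rules Entra ID uses when several policies match a sign-in, namely that a Block in any matching policy wins, and otherwise every matching policy's grant controls must be satisfied. Role names, the allow-listed countries, the strength labels and the sample sign-ins are constructed stand-ins.

```python
from dataclasses import dataclass
from typing import Callable

# Hypothetical tenant settings for the demo (constructed, not from the article).
ADMIN_ROLES = {"Global Administrator", "Security Administrator"}
PRIVILEGED_COUNTRIES = {"GB", "IE"}
# Authentication strengths, weakest to strongest. SMS/TOTP only reach "mfa".
STRENGTHS = ["password", "mfa", "phishing_resistant"]

@dataclass(frozen=True)
class SignIn:
    user: str
    roles: frozenset
    client_app: str        # "legacy" (basic auth / EAS), "browser", "modern"
    country: str
    strength: str          # strongest factor presented, one of STRENGTHS
    compliant_device: bool
    app: str

@dataclass(frozen=True)
class Policy:
    name: str
    in_scope: Callable[[SignIn], bool]
    block: bool = False
    min_strength: str = "password"
    session_controls: frozenset = frozenset()

POLICIES = [
    Policy("1 Block legacy auth", lambda s: s.client_app == "legacy", block=True),
    Policy("2 Phishing-resistant MFA for admins", lambda s: bool(s.roles & ADMIN_ROLES),
           min_strength="phishing_resistant"),
    Policy("3 Country allow-list for privileged roles",
           lambda s: bool(s.roles & ADMIN_ROLES) and s.country not in PRIVILEGED_COUNTRIES,
           block=True),
    Policy("5 Web view only on unmanaged devices",
           lambda s: s.app in {"SharePoint", "OneDrive"} and not s.compliant_device,
           session_controls=frozenset({"app-enforced: block download"})),
    Policy("Baseline MFA for everyone", lambda s: True, min_strength="mfa"),
]

def evaluate(sign_in, policies=POLICIES):
    """Return ("blocked", names) | ("needs", strength) | ("granted", session controls).

    Block in any in-scope policy wins; otherwise the strongest grant requirement
    across all in-scope policies applies and their session controls are combined."""
    matched = [p for p in policies if p.in_scope(sign_in)]
    blockers = [p.name for p in matched if p.block]
    if blockers:
        return "blocked", blockers
    required = max((STRENGTHS.index(p.min_strength) for p in matched), default=0)
    if STRENGTHS.index(sign_in.strength) < required:
        return "needs", STRENGTHS[required]
    controls = frozenset().union(*(p.session_controls for p in matched))
    return "granted", sorted(controls)
```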

Purview: where to start and what to skip in year one

Purview is the umbrella SKU that can swallow a quarter if you let it. Here is the 90-day plan that delivers real value.

Month | Focus | Outcome
--- | --- | ---
1 | Information Protection labels (5-7 labels max) | Manual classification on high-risk sites
2 | Auto-labelling policies + DLP for Copilot + endpoint | 90% of sensitive files labelled automatically
3 | Insider Risk Management + eDiscovery Premium | Case workflow ready for legal + HR

Skip Data Map for year one unless you are regulated. Most of its value overlaps with Fabric catalog and Defender CSPM; revisit when those two plateau.

Budgeting Zero Trust honestly

A typical 1,000-seat mid-market rollout, 24 months:

  • Entra ID P2 + PIM: $9/user/mo = $108,000/yr
  • Defender for Endpoint Plan 2 + MDO Plan 2: $6/user/mo = $72,000/yr
  • Sentinel: $150-500 per GB depending on commitment tier - budget $120,000/yr
  • Purview E5 compliance: $12/user/mo for full-stack = $144,000/yr
  • Consulting + training: $80,000 one-time, $40,000/yr ongoing

Roughly $500,000/yr all-in. The bill looks big until you compare it to the average breach cost ($4.9M in the 2025 IBM report) and the fact that you compress two dozen point products into one pane of glass.

A 90-day Zero Trust quick-win plan for the CISO on a deadline

Zero Trust is a journey, but boards want progress. Here is a 90-day plan that produces visible wins every two weeks and lays the foundation for the multi-year roadmap.

Days 1-14 - identity baseline

Enable Entra ID MFA for every account. Turn on Conditional Access block-legacy-auth and require-MFA-for-admins policies. Enable Password Protection with your banned-word list. This alone blocks roughly 99% of credential-stuffing attacks.

Days 15-30 - privileged access

Roll out Entra ID PIM for Global Admin, Application Admin, Security Admin. Cut standing privilege to zero. Every privileged action requires justification, time-bound activation, and MFA. Document the emergency break-glass account in the security vault.

Days 31-45 - endpoint posture

Deploy Defender for Endpoint Plan 2 to every managed device. Enable attack surface reduction rules. Turn on controlled folder access for ransomware protection. Onboard the first 20% of servers to Defender for Servers.

Days 46-60 - data protection

Publish five Purview sensitivity labels. Pilot auto-labelling on HR, Finance, Legal sites. Enable default-Confidential for documents containing SSN, credit card, health, or contract terms. DLP policies block egress of labelled content outside the tenant.

Days 61-75 - detection and response

Connect Defender XDR to Sentinel. Enable the top 20 out-of-the-box analytics rules. Build SOC runbooks for the top 10 incident types. Run a tabletop exercise with the executive team.

Days 76-90 - measure and report

Publish a Zero Trust maturity dashboard - identity, device, network, data, application, infrastructure, each scored 1-5. Present to the board with clear next-quarter targets. You now have a program that runs itself on governance rather than heroics.

Total additional spend for a 1,000-seat org over these 90 days: roughly $28,000-$45,000 in licenses and $40,000-$60,000 in consulting. Average cost-avoided based on peer benchmarks: $400,000+ within the first incident the new controls prevent.

Security metrics the board actually cares about

Most security dashboards are built for SOC analysts. The board wants a different layer.

Metric | Why it matters to the board | Target
--- | --- | ---
Mean time to detect (MTTD) | Proxy for detection maturity | Under 1 hour for critical
Mean time to respond (MTTR) | Proxy for containment muscle | Under 4 hours for critical
Percent of privileged access via PIM | Standing privilege elimination | Greater than 95%
Percent of identity risk sessions blocked | Real identity defense | Greater than 90%
Patch compliance - critical endpoints | Baseline hygiene | Greater than 98% within 14 days
Phishing simulation click rate | Human factor | Under 3% at month 12
Incidents avoided by automation | SOC leverage | Trending up
Spend per incident avoided | ROI narrative | Trending down

Three numbers beat ten. Pick three, track them quarterly, and make the trend line the story - not a screenshot of every alert from last night.

Open-source and day-to-day tools to stay sharp

  • Microsoft Security Exposure Management (MSEM): unified attack-path view across Defender + Entra + MDC. Enable it.
  • KQLSearch.com: community KQL queries, copy/paste into Sentinel.
  • Azure Sentinel GitHub repo: the canonical content source.
  • Atomic Red Team: open-source adversary simulation you can run against MDE to test detection.
  • Velociraptor: open-source endpoint forensics (alternative to paid EDR triage).
  • Wazuh: open-source SIEM you can run locally for training and testing.
  • Suricata / Zeek: network IDS; ship logs into the Sentinel Auxiliary tier.
  • Osquery: open endpoint querying; fills gaps in specific Linux fleets.

Frequently Asked Questions

Do I need both Defender and Sentinel?

Yes, they solve different problems. Defender XDR is the detection engine: it generates high-confidence incidents from endpoint, identity, email, and cloud app signals. Sentinel is the SIEM: it correlates Defender incidents with everything else (firewall, DNS, AWS, SaaS, on-prem) and drives SOAR playbooks. Skip Sentinel and you have no visibility outside Microsoft. Skip Defender and you're drowning in raw logs.

How much does a small Sentinel deployment cost?

At 10 GB/day ingest (typical for a ~1,000-seat org), pay-as-you-go is ~$700/month for Sentinel plus ~$200 for Log Analytics. With auxiliary logs for bulk data you can hit 30 GB/day for around the same price. The commitment tier kicks in useful savings above 100 GB/day.

Is Copilot for Security worth the SCU cost?

For SOCs handling more than 50 incidents/week, yes, the triage time savings justify a 1-2 SCU commitment within 3-4 months. For smaller SOCs (<20 incidents/week), it's a nice-to-have; start with pay-as-you-go SCU hours rather than a commitment.

How do I handle on-premises Active Directory in a Zero Trust model?

Deploy Defender for Identity sensors on every domain controller and AD FS server. Harden with Tiered Administration (T0/T1/T2), LAPS for local admin passwords, Protected Users group for admin accounts, and Entra Connect Cloud Sync replacing legacy AD FS where possible. Plan a multi-year migration to fully cloud-first identity where feasible.

What's the fastest win if I'm starting from scratch?

Enforce phishing-resistant MFA for admins and enable Defender XDR automatic attack disruption in block mode. These two controls alone block the majority of real-world attacks we see. Everything else is layered on top.

Are Microsoft Security products better than best-of-breed?

In 2023 the honest answer was 'mostly competitive, some gaps.' In 2026 the integrated fabric (identity + endpoint + email + SaaS + SIEM + AI) is a stronger value proposition than any single best-of-breed tool. Specialist products still beat Microsoft in narrow areas (certain OT/IOT, specific DLP use cases), but for 90% of enterprises the consolidation math works.
