Greetings
I was quick to onboard our Sentinel workspace into our Defender tenant but was then just as quick to find the features available from the Defender portal to be lacking, at least from the perspective of the workflow we have established in Sentinel over the years.
The feature most important to us that I'm missing is the option to run a playbook against an incident or entities in an incident. We use this extensively both manually and through automations to enrich incidents with information from both Microsoft and/or external sources.
On top of this there seems to be a difference in how Defender views the incidents created from my custom analytic rules I've set up for products not natively supported by Sentinel. In Sentinel we got these as incidents with one or many related entities, which we had a process for, but after the Defender integration it seems Defender is stopping these incidents until it has gathered enough of these to flag them as a "multiple event on one endpoint". This again might have some logic behind it that we need to figure out, but any delays in incident generation in a SOC tool seem risky to me.
Just my 2 cents, and I have a lot of those 🙂