SOC optimization aims to help SOC teams enhance security efficiency by providing tailored recommendations to close coverage gaps, reduce unnecessary data ingestion, and adapt to evolving threats, maximizing value from Microsoft Sentinel while minimizing the need for manual efforts.
As threat landscapes evolve, SOC optimization continues to innovate, providing new ways to enhance your security controls. The initial phase of this feature offers deep insights into your data usage patterns and coverage gaps against specific threats. Recently, SOC optimization introduced recommendations based on similar organizations, suggesting data ingestion strategies aligned with organizations that share similar trends and industry profiles. Building on this momentum, we are excited to announce a new capability within SOC optimization: Unified Coverage Management Across SIEM and XDR, empowering security teams with unified coverage management experience across SIEM and XDR.
Problem statement
What challenges does this feature address, and what benefits does it provide? Traditionally, SIEM and XDR operate alongside each other but lack tight integration, making it difficult for security teams to assess their organization's overall security coverage across various tools. Identifying coverage gaps and determining necessary actions often require time-consuming manual analysis and research across siloed systems, leaving analysts with limited time to focus on high-value tasks.
“Historically we went through use cases manually and wrote data on a whiteboard to see what kind of gap we can find with the use of the current data and the one available. With the addition of SOC Optimization, we can easily identify common use cases and see exactly where we have a gap. We do try to keep every environment the same, but organisations differ from one another. This feature allows us to demonstrate data deficiencies more effectively and bring them up in meetings.”
Tom Rolvers, Security Consultant – yellow arrow
The solution
To address these challenges, we leverage our unified security operations platform to deliver a complete and integrated coverage management experience across Microsoft Sentinel and Defender XDR. Organizations using this unified experience will get recommendations for both SIEM and XDR scenarios and content, along with coverage scores that highlight areas requiring additional focus, helping users prioritize their actions. These scenarios are integrated into the MITRE ATT&CK Blade, enhancing the accuracy and documentation of the coverage management experience by presenting data and impacts for specific threat scenarios focused on tactics, techniques, and sub-techniques within the unified portal (Microsoft Sentinel in the Defender portal).
Use cases
Now, let’s see this feature in action with four sample use cases:
1. As a user of Microsoft's SIEM and XDR, I have visibility into my coverage score, enabling me to prioritize and address areas that need improvement.
- Navigate to SOC optimization in the unified portal. Since this unified coverage management feature is for customers with Microsoft SIEM and XDR, it will only be available in the unified portal. The overview banner for threat-based coverage highlights the coverage level, helping you to prioritize the threat scenarios.
- Additionally, it outlines the number of detections from Microsoft SIEM + XDR products (such as Microsoft Sentinel, Microsoft Defender for Endpoint, Microsoft Defender for Identity, etc.) and how many of them are active in your environment for the specific scenario.
- Clicking on ‘View all threat scenarios’ will display a summary table of the coverage level for each threat scenario.
2. As a user of Microsoft's SIEM and XDR products, I would like to get full visibility and a unified coverage management experience across both platforms.
- Let’s drill down into the coverage details for one of the scenarios, for example, AiTM (Adversary in the Middle). You have two navigation options: either by clicking the scenario name under ‘View all threat scenarios’ or by selecting ‘View details’ in the optimization card.
- You will see the updated details pane as below. The highlighted areas indicate the new enhancements compared to the previous version.
- One of the newly added insights is the spider chart of coverage status by product.
- Click on ‘View full threat scenario’ to gain complete visibility of the coverage status for AiTM in the environment. This includes the threat measures, associated MITRE tactics and techniques, product state, and recommended user defined detections. It also provides links to the content hub for enabling them.
3. As a user of Microsoft's SIEM and XDR, I can enhance security coverage by adding or modifying rules and products based on the provided recommendations.
- Continuing from the page where we left in the second use case, you can explore the recommended measures to assess how your organization is currently managing this security threat and identify ways to improve your coverage with SIEM + XDR products, user defined detections and other recommended actions.
- Clicking on a specific product will open a detailed side pane with security coverage information and recommendations for that product in the context of this threat scenario, such as built-in detections and automated response actions.
- You will find links to the content hub not only under ‘View full threat scenario -> user defined detections’, but also in the details pane below (from the optimization card). Clicking on the ‘Go to Content hub’ button will present the relevant content, allowing you to perform the installation in the content hub view that you are familiar with, without navigating away from the SOC optimization page.
4. As a user of Microsoft's SIEM and XDR, I have visibility into threat-based scenarios in the MITRE Blade, offering a more detailed and well-explained coverage management experience.
- With this new release, we’ve integrated the threat-based scenarios with the MITRE blade, offering a detailed coverage management experience aligned with the MITRE framework. There are three entry points to view coverage details for your threat-based scenarios in the MITRE blade, ensuring a seamless experience whether you access it directly or navigate from the SOC optimization page.
- First, let’s explore the details by accessing the MITRE blade directly. Click on ‘MITRE ATT&CK’ under Microsoft Sentinel in the left menu pane, toggle to view MITRE by threat scenarios, and select your scenario from the drop-down list. Selecting a specific technique will open the details pane.
- In the details pane, you will find the coverage details associated with the specific technique, including the highlighted ratio of active rules to total available detections.
- The second entry point is through the coverage details pane. The MITRE blade view will automatically be pre-filtered with the specific threat scenario you came from.
- The third entry point is from the ‘View full threat scenario’ page. Similar to the second entry point, the MITRE blade view will automatically be pre-filtered with the specific threat scenario.
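The walkthrough above shows three coverage metrics without spelling out how they relate: the ratio of active rules to available detections per MITRE technique (use case 4), coverage by product (the spider chart in use case 2), and the scenario-level coverage that drives the gap recommendations (use case 3). The following Python is an added example, not Microsoft's code and not the service's actual scoring formula; it models those metrics over a constructed detection inventory for an AiTM-style scenario. The scenario definition, the detection names and their product assignments, and the rule that a technique counts as covered once at least one active detection maps to it are all assumptions made for the example.

```python
"""Illustrative model of threat-scenario coverage metrics (added example).

Assumptions (not from the product documentation):
  * a threat scenario is a fixed set of MITRE ATT&CK technique IDs;
  * each detection maps to one or more techniques and belongs to one product;
  * a technique is "covered" when at least one mapped detection is active;
  * the scenario score is the fraction of covered techniques.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Detection:
    name: str                    # hypothetical detection name
    product: str                 # SIEM or XDR product that ships it
    techniques: Tuple[str, ...]  # ATT&CK technique IDs it maps to
    active: bool                 # enabled in the tenant vs. merely available


# Constructed scenario: techniques typically associated with AiTM phishing.
SCENARIO_AITM = ("T1557", "T1566", "T1550.004", "T1078")

# Constructed inventory; names are hypothetical, products are those the
# walkthrough mentions. The last entry maps to a technique outside the
# scenario and must be ignored by every scenario-scoped metric.
SAMPLE_DETECTIONS = [
    Detection("AiTM session cookie theft", "Microsoft Defender for Endpoint",
              ("T1557", "T1550.004"), True),
    Detection("Phishing URL click", "Microsoft Sentinel", ("T1566",), False),
    Detection("Sign-in from anonymous IP", "Microsoft Sentinel", ("T1078",), True),
    Detection("Suspicious token replay", "Microsoft Defender for Identity",
              ("T1550.004",), False),
    Detection("Lateral movement path", "Microsoft Defender for Identity",
              ("T1021",), True),
]


def technique_coverage(scenario: Iterable[str],
                       detections: Iterable[Detection]) -> Dict[str, Tuple[int, int]]:
    """Per technique: (active detections, total available detections)."""
    counts = {t: [0, 0] for t in scenario}
    for d in detections:
        for t in d.techniques:
            if t in counts:
                counts[t][1] += 1
                counts[t][0] += int(d.active)
    return {t: (a, n) for t, (a, n) in counts.items()}


def product_coverage(scenario: Iterable[str],
                     detections: Iterable[Detection]) -> Dict[str, Tuple[int, int]]:
    """Per product: (active, total) over detections relevant to the scenario.
    This is the data behind a "coverage by product" spider chart."""
    wanted = set(scenario)
    counts = defaultdict(lambda: [0, 0])
    for d in detections:
        if wanted.isdisjoint(d.techniques):
            continue  # detection does not touch this scenario
        counts[d.product][1] += 1
        counts[d.product][0] += int(d.active)
    return {p: (a, n) for p, (a, n) in counts.items()}


def scenario_score(scenario: Tuple[str, ...], detections: Iterable[Detection]) -> float:
    """Fraction of scenario techniques with at least one active detection."""
    cov = technique_coverage(scenario, detections)
    covered = sum(1 for active, _ in cov.values() if active > 0)
    return covered / len(scenario)


def coverage_gaps(scenario: Iterable[str],
                  detections: List[Detection]) -> Dict[str, List[str]]:
    """Uncovered techniques -> available-but-inactive detections that would
    close the gap (an empty list means no content exists to enable)."""
    cov = technique_coverage(scenario, detections)
    return {
        t: sorted(d.name for d in detections if t in d.techniques and not d.active)
        for t, (active, _) in cov.items() if active == 0
    }


if __name__ == "__main__":
    print(f"Scenario score: {scenario_score(SCENARIO_AITM, SAMPLE_DETECTIONS):.0%}")
    for t, (a, n) in technique_coverage(SCENARIO_AITM, SAMPLE_DETECTIONS).items():
        print(f"  {t:<10} {a}/{n} active")
    for p, (a, n) in product_coverage(SCENARIO_AITM, SAMPLE_DETECTIONS).items():
        print(f"  {p:<36} {a}/{n} active")
    for t, names in coverage_gaps(SCENARIO_AITM, SAMPLE_DETECTIONS).items():
        print(f"  gap {t}: enable {names or 'no available content'}")
```

The gap list is the part worth reviewing before acting on any recommendation: a technique whose only detections are available-but-inactive is a configuration task, whereas a technique with no mapped content at all needs new data sources or user-defined detections.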
Next steps
Get started with SOC optimization today. We hope this detailed walkthrough helps you better understand the benefits of this feature and improve your security coverage. Microsoft will continue to invest in this feature to assist our customers in defending against evolving security threats.
Learn more
SOC optimization documentation: SOC optimization overview; Recommendation's logic
Short overview and demo: SOC optimization Ninja show
In depth webinar: Manage your data, costs and protections with SOC optimization
SOC optimization API: Introducing SOC Optimization API | Microsoft Community Hub
MITRE ATT&CK coverage: View MITRE coverage for your organization from Microsoft Sentinel
Updated Jan 09, 2025
Version 1.0
JeremyTan
Microsoft Sentinel Blog