Forum Discussion
What caught you off guard when onboarding Sentinel to the Defender portal?
The incident creation rules being active during onboarding is the one that would catch most teams off guard. Those rules tend to be set-and-forget from early Sentinel deployments - nobody remembers they exist until the XDR connector spins up and suddenly the incident queue doubles overnight. The onboarding wizard offers to disable them, but by that point you're already cleaning up.
What I'd add to the inventory angle: check your automation rules for title-based conditions. Things like "if incident title contains 'Suspicious sign-in', then enrich and notify". After onboarding, XDR groups and renames incidents differently - those conditions don't throw errors, they just quietly stop matching. Found that pattern in more environments than I'd like to admit.
Interested in how you're structuring the pre-migration inventory - one-time audit before onboarding, or something you keep running post-migration to catch drift?
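One way to run the inventory check the reply above describes, as an added example that is not from the poster: it scans an exported list of Sentinel automation rules for conditions that match on the incident title. The input shape (properties.triggeringLogic.conditions with conditionProperties.propertyName) is assumed to follow the ARM schema for Microsoft.SecurityInsights/automationRules, and the sample rules are constructed.

```python
import json

# Constructed sample in the assumed ARM export shape: one rule keyed on the
# incident title (fragile after XDR renaming), one keyed on severity (stable).
SAMPLE_RULES = json.loads("""
[
  {"name": "enrich-suspicious-signin",
   "properties": {"triggeringLogic": {
      "isEnabled": true, "triggersOn": "Incidents", "triggersWhen": "Created",
      "conditions": [
        {"conditionType": "Property",
         "conditionProperties": {"propertyName": "IncidentTitle",
                                 "operator": "Contains",
                                 "propertyValues": ["Suspicious sign-in"]}}]}}},
  {"name": "tag-high-severity",
   "properties": {"triggeringLogic": {
      "isEnabled": true, "triggersOn": "Incidents", "triggersWhen": "Created",
      "conditions": [
        {"conditionType": "Property",
         "conditionProperties": {"propertyName": "IncidentSeverity",
                                 "operator": "Equals",
                                 "propertyValues": ["High"]}}]}}}
]
""")

# Free-text fields whose values XDR may rewrite; extend if your tenant uses others.
FRAGILE_PROPERTIES = {"IncidentTitle"}


def find_title_based_rules(rules, fragile=FRAGILE_PROPERTIES):
    """Return (rule name, property, matched values) for every enabled rule whose
    conditions key on a free-text incident field. Such rules fail silently
    after onboarding: no error, the condition simply never matches again."""
    findings = []
    for rule in rules:
        logic = rule.get("properties", {}).get("triggeringLogic", {})
        if not logic.get("isEnabled", False):
            continue  # disabled rules cannot silently stop firing
        for cond in logic.get("conditions", []):
            props = cond.get("conditionProperties", {})
            name = props.get("propertyName")
            if name in fragile:
                values = tuple(props.get("propertyValues", []))
                findings.append((rule["name"], name, values))
    return findings


if __name__ == "__main__":
    for rule_name, prop, values in find_title_based_rules(SAMPLE_RULES):
        print(f"review {rule_name}: matches {prop} against {values}")
```

Re-run it against a fresh export after onboarding as well; a title condition that matched before and matches nothing now is the drift the reply is asking about.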