Topic: xdr

Introducing SOC Optimization Recommendations Based on Similar Organizations
One of the key challenges that security teams in modern SOCs regularly face is determining which new data sources to onboard and which detections to activate. This ongoing process takes time and requires constant evaluation of the organization's assets and of the value each data source brings to the SOC.

"…determining which logs to ingest for better threat coverage is time-consuming and requires significant effort. I need to spend a long time identifying the appropriate logs..." Elie El Karkafi, Senior Solutions Architect, ampiO Solutions

Today, we're excited to announce the public preview of recommendations based on similar organizations, a first-of-its-kind capability for SOC optimization. These recommendations use peer-based insights to guide and accelerate your decision-making. We believe that applying insights learned from the actions of organizations with similar profiles can provide great value.

Recommendations based on similar organizations use machine learning to suggest which data to ingest, based on organizations with similar ingestion patterns. Each recommendation also highlights the security value you can gain by adding the data: it lists the out-of-the-box analytics rules provided by Microsoft research that you can activate to extend your coverage. Use the new recommendations to quickly pinpoint the next data source to ingest and the detections to apply. This can significantly reduce the time and cost typically spent on research or on consulting external experts to gain the insights you need.
Recommendations based on similar organizations are now available on the SOC optimization page, in both the Azure portal and the unified security operations platform.

Use cases

Let's take a tour of the unified security operations platform, stepping into the shoes of a small tech company that benefited from recommendations based on similar organizations during the private preview. In the following image, the new recommendation identifies that the AADNonInteractiveUserSignInLogs table is used by organizations similar to theirs.

Selecting the View details button on the recommendation card let them explore how other organizations use the recommended table, including the percentage of organizations that use it for detection and for investigation. By selecting the See details link, the SOC engineer could explore how coverage could be improved with respect to the MITRE ATT&CK framework using Microsoft's out-of-the-box rules. By selecting Go to Content hub, the SOC engineer could view all the data connectors needed to start ingesting the recommended table. This page also includes a detailed list of recommended out-of-the-box analytics rules, which can provide immediate value and enhanced protection for your environment.

Finally, by following the recommendation, which uses the security practices of similar organizations as a benchmark, the tech company quickly ingested the AADNonInteractiveUserSignInLogs table and activated several recommended analytics rules. Overall, this resulted in improved security coverage corresponding to the company's specific characteristics and needs.

Feedback from private preview:

“I think this is a great addition.
Like being able to identify tables not being used, it is useful to understand what tables other organizations are utilizing, which could reveal things that so far haven't been considered or missed...” Chris Hoard, infinigate.cloud

"In my view, those free recommendations are always welcomed and we can justify cost saving and empowering SOC analysts (that we know are more and more difficult to find)." Cyrus Irandoust, IBM

“These recommendations will help us to take a look at the left-out stuff.” Emmanuel Karunya, KPMG

“Nice overview and insights! Love the interface too - nice and easy overview!” Michael Morten Sonne, Microsoft MVP

Q&A

Q1: Why don't I see these recommendations?
A: Not all workspaces are eligible for recommendations based on similar organizations. A workspace receives these recommendations only if the machine learning model identifies significant similarities between your organization and others, and finds tables that they ingest but you don't. If no such similarities are identified, no extra recommendations are provided. You're more likely to see these recommendations if your SOC is still onboarding than if it is already mature.

Q2: What makes an organization similar to mine?
A: Similarity is determined from ingestion trends, as well as your organization's industry and vertical when these are available in our databases.

Q3: Is any of my PII being used to make recommendations to other customers?
A: No. The recommendations are generated by machine learning models that rely solely on Organizational Identifiable Information (OII) and system metadata. Customer log content is never accessed or analyzed, and no customer data, content, or End User Identifiable Information (EUII) is exposed during the analysis. Microsoft prioritizes customer privacy and ensures that all processes comply with the highest standards of data protection.
Looking forward

Microsoft continues to use artificial intelligence and machine learning to help our customers defend against evolving threats and provide enhanced protection against cyberattacks. This ongoing innovation is a key part of SOC optimization's commitment to helping you maximize the value of your SIEM & XDR.

Learn more:
- SOC optimization documentation: SOC optimization overview; Recommendation's logic
- Short overview and demo: SOC optimization Ninja show
- In-depth webinar: Manage your data, costs and protections with SOC optimization
- SOC optimization API: Introducing SOC Optimization API | Microsoft Community Hub

What's New: View Microsoft Sentinel Workbooks Directly from Unified SOC Operations Platform
*This blog was posted on behalf of the original author, Aman Kaur. Thank you Aman for preparing this content for the community.*

Key Benefits

- Unified Viewing Experience: Microsoft Sentinel workbook templates and saved workbooks can now be accessed directly within the Defender XDR portal. This eliminates the need to switch between portals, providing a seamless experience.
- Increased Efficiency and Time Saving: Viewing workbooks within the Defender XDR portal cuts down on the time spent navigating between portals, giving faster access to critical information.
- Improved User Experience: This integration simplifies referencing important data and insights, making it easier for security professionals to monitor security events, analyze trends, and review historical data.

Important Note

While viewing capabilities have been integrated into the Defender XDR portal, editing or creating workbooks still requires you to navigate to the Azure portal. This ensures that you have access to the full suite of editing tools and functionality available in Azure.

How to Get Started

Getting started with viewing Microsoft Sentinel workbooks in the Defender XDR portal is simple:

- Access the Microsoft Defender XDR portal: Log in to the Microsoft Defender XDR portal using your credentials.
- Navigate to Microsoft Sentinel > Threat Management > Workbooks: Select any workbook.
- View Workbooks: Access and view the templates and saved workbooks directly within the portal.

Moving Forward with Sentinel Workbooks in Defender XDR Portal

With the ability to view Microsoft Sentinel workbooks directly within the Microsoft Defender XDR portal, organizations can significantly enhance their security operations. This feature gives security teams the tools they need to efficiently monitor, investigate, and respond to threats, all from a single interface.
By bringing together a unified viewing experience across incidents, alerts, users, devices, and files, this enhancement streamlines threat hunting, investigation, and response workflows. This ultimately helps organizations stay ahead of evolving threats and ensures they have the necessary context to protect their environment effectively. Get started with workbooks in the unified portal today!

What's New: Global Search in Unified Security Operations platform includes Sentinel users and devices
We are thrilled to announce a significant enhancement to our Unified Security Operations (SecOps) platform. The Global Search feature in the Defender XDR portal now supports searching for Microsoft Sentinel users and devices, providing a more comprehensive and unified search experience for customers using Microsoft's Unified Security Operations platform. Global Search lets you find devices, users, and other information by typing full or partial search terms. With this update, you can search for Microsoft Sentinel entities directly within the Unified security operations platform, streamlining your workflow and improving efficiency.

Key Benefits

- Unified Search Results: Microsoft Sentinel devices and users are now merged with Microsoft Defender XDR portal entities, providing a single, unified search result. This eliminates the need to switch between different tools.
- Increased Efficiency and Time Saving: The ability to search across Sentinel incidents and other data in the Defender portal cuts down investigation time, leading to faster resolution of security incidents.
- Comprehensive Identifier Support: The search supports various identifiers, ensuring that devices and users from Microsoft Sentinel and Defender with matching identifiers are merged into a single result. Supported identifiers include HostName, NTDomain, DnsDomain, and NetBiosName.
- Improved User Experience: The integration simplifies the search experience, making it easier for security professionals to find the information they need quickly and efficiently.

This enhancement is part of our ongoing effort to consolidate Microsoft Sentinel entities within the comprehensive XDR+SIEM platform.

How to Get Started

Getting started with the Global Search feature is simple:

- Access the Microsoft Defender XDR portal: Log in to the Microsoft Defender XDR portal using your credentials.
- Navigate to Global Search: Locate the Global Search bar at the top of the portal.
- Enter Search Terms: Type the full or partial search terms for the device or user you are looking for. The search now includes Sentinel entities along with Defender entities.
- Review Unified Results: The search results display a unified view of Microsoft Sentinel and Defender entities, allowing you to quickly find the information you need.

Use Cases & Scenarios

- Incident Investigation: An analyst can use Global Search to quickly find all devices affected by an incident, making it easier to establish the scope of the issue and prioritize the appropriate response.
- Threat Hunting: Threat hunters can use Global Search to locate suspicious user activity or specific files flagged as malicious, and correlate these findings with related alerts in the system.
- Device Tracking: Security teams can use Global Search to track a compromised device, checking for alerts, users associated with the device, and any incidents that might involve it.

Supported Sentinel Host Identifiers

Sentinel devices with the following strong identifiers can be searched and merged with Defender devices that have matching identifiers:

- HostName+NTDomain
- HostName+DnsDomain
- NetBiosName+NTDomain
- NetBiosName+DnsDomain

Supported Account Identifiers

Sentinel accounts with the following strong identifiers can be merged with Defender users that have matching identifiers:

- Name+UPNSuffix
- AADUserId
- Sid

Moving Forward with Global Search

With Global Search for Sentinel entities now available in the Microsoft Defender XDR portal, organizations can significantly enhance their security operations. This feature gives security teams the tools they need to efficiently search, investigate, and respond to threats, all from a single interface. By bringing together a unified search across incidents, alerts, users, devices, and files, the Global Search feature streamlines threat hunting, investigation, and response workflows.
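To make the merge rule concrete, the following added example (not Microsoft's code and not how the portal is implemented) folds Sentinel and Defender device and account records into single results using exactly the strong-identifier pairs listed above, normalising case so that "WS01/corp" and "ws01/CORP" match while a bare HostName, a weak identifier, never triggers a merge. The sample records and the Sid value are constructed.

```python
# Added example, not Microsoft's code: merge Sentinel and Defender records on the
# strong-identifier pairs from the announcement. Records are constructed samples.

HOST_KEYS = (("HostName", "NTDomain"), ("HostName", "DnsDomain"),
             ("NetBiosName", "NTDomain"), ("NetBiosName", "DnsDomain"))
ACCOUNT_KEYS = (("Name", "UPNSuffix"), ("AADUserId",), ("Sid",))


def strong_keys(entity, key_sets):
    """Strong identifiers present in an entity, as (fields, normalised values).
    A key counts only when every field of the pair is present and non-empty."""
    keys = set()
    for fields in key_sets:
        vals = tuple(str(entity.get(f) or "").strip().lower() for f in fields)
        if all(vals):
            keys.add((fields, vals))
    return keys


def merge_entities(sentinel, defender, key_sets):
    """Fold records from both sources into one list: a record joins the first
    group that shares any strong key with it, otherwise it starts a new group."""
    groups = []
    for source, records in (("Sentinel", sentinel), ("Defender", defender)):
        for rec in records:
            keys = strong_keys(rec, key_sets)
            for g in groups:
                if keys & g["_keys"]:
                    g["_keys"] |= keys          # merged group gains the new aliases
                    g["sources"].append(source)
                    for k, v in rec.items():
                        g.setdefault(k, v)      # first-seen value wins
                    break
            else:
                groups.append({**rec, "sources": [source], "_keys": keys})
    for g in groups:
        g.pop("_keys")
    return groups


def merge_sample_devices():
    # ws01 merges on HostName+NTDomain; ws02 in Sentinel has only a HostName
    sentinel = [{"HostName": "ws01", "NTDomain": "CORP"}, {"HostName": "ws02"}]
    defender = [{"HostName": "WS01", "DnsDomain": "corp.example.com", "NTDomain": "corp"},
                {"HostName": "ws02", "NTDomain": "CORP"}]
    return merge_entities(sentinel, defender, HOST_KEYS)


def merge_sample_accounts():
    # alice merges on Name+UPNSuffix; the Sid is a placeholder, not a real value
    sentinel = [{"Name": "alice", "UPNSuffix": "example.com"}]
    defender = [{"Name": "Alice", "UPNSuffix": "EXAMPLE.COM", "Sid": "S-1-5-21-PLACEHOLDER-1001"}]
    return merge_entities(sentinel, defender, ACCOUNT_KEYS)
```

Note that a record matching two previously separate groups only joins the first one; a production correlator would also unify those groups.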
Global Search ultimately helps organizations stay ahead of evolving threats and ensures they have the necessary context to protect their environment effectively. For more detailed information and documentation on how to use Global Search, visit the official Microsoft 365 Defender portal documentation.

Introducing a Unified Security Operations Platform with Microsoft Sentinel and Defender XDR
Read about our announcement of an exciting private preview that represents the next step in the SOC protection and efficiency journey, bringing together the power of Microsoft Sentinel, Microsoft Defender XDR and Microsoft Security Copilot into a unified security operations platform.