Commit 2960483

Merge pull request #292686 from batamig/soc-opt-unified
Soc opt unified
2 parents 7f8ee23 + e750274 commit 2960483

7 files changed

+68
-26
lines changed


articles/sentinel/mitre-coverage.md

Lines changed: 30 additions & 9 deletions
@@ -19,14 +19,14 @@ appliesto:
1919

2020
Microsoft Sentinel analyzes ingested data, not only to [detect threats](detect-threats-built-in.md) and help you [investigate](investigate-cases.md), but also to visualize the nature and coverage of your organization's security status.
2121

22-
This article describes how to use the **MITRE** page in Microsoft Sentinel to view the detections already active in your workspace, and those available for you to configure, to understand your organization's security coverage, based on the tactics and techniques from the MITRE ATT&CK® framework.
22+
This article describes how to use the **MITRE** page in Microsoft Sentinel to view the analytics rules (detections) already active in your workspace, and the detections available for you to configure, to understand your organization's security coverage, based on the tactics and techniques from the MITRE ATT&CK® framework.
2323

2424
> [!IMPORTANT]
25-
> The MITRE page in Microsoft Sentinel is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include additional legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
25+
> The MITRE page in Microsoft Sentinel is currently in PREVIEW. The [Azure Preview Supplemental Terms](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) include legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
2626
2727
## Prerequisites
2828

29-
Before you can view the MITRE coverage for your organization in Microsoft Sentinel, ensure you have the following:
29+
Before you can view the MITRE coverage for your organization in Microsoft Sentinel, ensure you have the following prerequisites:
3030

3131
- An active Microsoft Sentinel instance.
3232
- Necessary permissions to view content in Microsoft Sentinel. For more information, see [Roles and permissions in Microsoft Sentinel](roles.md).
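Review bot: the reworded Prerequisites intro is redundant under a heading that is already named "Prerequisites": "ensure you have the following prerequisites:" repeats the heading, and the original "ensure you have the following:" (or simply "you need:") reads better. Separately, the rewritten intro sentence now mixes terms within one sentence: "view the analytics rules (detections) already active in your workspace, and the detections available for you to configure". Pick one term for both halves, for example "the analytics rules already active in your workspace, and the analytics rules available for you to configure", since the parenthetical has already equated the two.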
@@ -40,11 +40,29 @@ Microsoft Sentinel is currently aligned to The MITRE ATT&CK framework, version 1
4040

4141
## View current MITRE coverage
4242

43-
1. In Microsoft Sentinel, under **Threat management**, select **MITRE ATTA&CK (Preview)**. By default, both currently active scheduled query and near real-time (NRT) rules are indicated in the coverage matrix.
43+
By default, both currently active scheduled query and near real-time (NRT) rules are indicated in the coverage matrix.
4444

45-
:::image type="content" source="media/mitre-coverage/mitre-coverage.png" alt-text="Screenshot of the MITRE coverage page with both active and simulated indicators selected.":::
45+
1. Do one of the following, depending on the portal you're using:
46+
47+
### [Azure portal](#tab/azure-portal)
4648

47-
1. Do any of the following:
49+
In the Azure portal, under **Threat management**, select **MITRE ATT&CK (Preview)**.
50+
51+
:::image type="content" source="media/mitre-coverage/mitre-coverage.png" alt-text="Screenshot of the MITRE coverage page." lightbox="media/mitre-coverage/mitre-coverage.png":::
52+
53+
### [Defender portal](#tab/defender-portal)
54+
55+
In the Defender portal, select **Microsoft Sentinel > Threat management > MITRE ATT&CK**.
56+
57+
:::image type="content" source="media/mitre-coverage/mitre-coverage-defender.png" alt-text="Screenshot of the MITRE ATT&CK page in the Defender portal." lightbox="media/mitre-coverage/mitre-coverage-defender.png":::
58+
59+
To filter the page by a specific threat scenario, toggle the **View MITRE by threat scenario** option on, and then select a threat scenario from the drop-down menu. The page is updated accordingly. For example:
60+
61+
:::image type="content" source="media/mitre-coverage/mitre-by-threat-scenario.png" alt-text="Screenshot of the MITRE ATT&CK page filtered by a specific threat scenario.":::
62+
63+
---
64+
65+
1. Use any of the following methods:
4866

4967
- **Use the legend** to understand how many detections are currently active in your workspace for specific technique.
5068

@@ -58,6 +76,9 @@ Microsoft Sentinel is currently aligned to The MITRE ATT&CK framework, version 1
5876

5977
For example, select **Hunting queries** to jump to the **Hunting** page. There, you see a filtered list of the hunting queries that are associated with the selected technique, and available for you to configure in your workspace.
6078

79+
On the Defender portal, the details pane also shows recommended coverage details, including the ratio of active detections and security services (products) out of all recommended detections and services for the selected technique.
80+
81+
6182
## Simulate possible coverage with available detections
6283

6384
In the MITRE coverage matrix, *simulated* coverage refers to detections that are available, but not currently configured in your Microsoft Sentinel workspace. View your simulated coverage to understand your organization's possible security status, were you to configure all detections available to you.
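Review bot: the two added blank lines (80 and 81) together with the existing blank line leave three empty lines before `## Simulate possible coverage with available detections`; drop one. In the added sentence, "On the Defender portal" should be "In the Defender portal" to match the wording used elsewhere in this file, and "the ratio of active detections and security services (products) out of all recommended detections and services for the selected technique" is ambiguous about whether the pane shows a fraction (such as 3 of 5) or a percentage; state the form the UI actually uses.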
@@ -85,9 +106,9 @@ Having a scheduled rule with MITRE techniques applied running regularly in your
85106

86107
- **Threat hunting**:
87108

88-
- When creating a new hunting query, select the specific tactics and techniques to apply to your query.
89-
- When searching for active hunting queries, filter the queries displayed by tactics by selecting an item from the list above the grid. Select a query to see tactic and technique details on the right.
90-
- When creating bookmarks, either use the technique mapping inherited from the hunting query, or create your own mapping.
109+
- When you're creating a new hunting query, select the specific tactics and techniques to apply to your query.
110+
- When searching for active hunting queries, filter the queries displayed by tactics by selecting an item from the list above the grid. Select a query to see tactic and technique details in the details pane on the side
111+
- When you're creating bookmarks, either use the technique mapping inherited from the hunting query, or create your own mapping.
91112

92113
For more information, see [Hunt for threats with Microsoft Sentinel](hunting.md) and [Keep track of data during hunting with Microsoft Sentinel](bookmarks.md).
93114


articles/sentinel/soc-optimization/soc-optimization-access.md

Lines changed: 38 additions & 17 deletions
@@ -19,11 +19,9 @@ appliesto:
1919

2020
# Optimize your security operations
2121

22-
Security operations center (SOC) teams actively look for opportunities to optimize both processes and outcomes. You want to ensure that you have all the data you need to take action against risks in your environment, while also ensuring that you're not paying to ingest *more* data than you need. At the same time, your teams must regularly adjust security controls as threat landscapes and business priorities change, adjusting quickly and efficiently to keep your return on investments high.
22+
Security operations center (SOC) teams look for ways to improve processes and outcomes and ensure you have the data needed to address risks without extra ingestion costs. SOC teams want to make sure that you have all the necessary data to act against risks, without paying for *more* data than needed. At the same time, SOC teams must also adjust security controls as threats and business priorities change, doing so quickly and efficiently to maximize your return on investment.
2323

24-
SOC optimization surfaces ways you can optimize your security controls, gaining more value from Microsoft security services as time goes on.
25-
26-
SOC optimizations are high-fidelity and actionable recommendations to help you identify areas where you can reduce costs, without affecting SOC needs or coverage, or where you can add security controls and data where its found to be missing. SOC optimizations are tailored to your environment and based on your current coverage and threat landscape.
24+
SOC optimizations are actionable recommendations that surface ways that you can optimize your security controls, gaining more value from Microsoft security services as time goes on. Recommendations help you reduce costs without affecting SOC needs or coverage, and can help you add security controls and data where needed. These optimizations are tailored to your environment and based on your current coverage and threat landscape.
2725

2826
Use SOC optimization recommendations to help you close coverage gaps against specific threats and tighten your ingestion rates against data that doesn't provide security value. SOC optimizations help you optimize your Microsoft Sentinel workspace, without having your SOC teams spend time on manual analysis and research.
2927

@@ -41,7 +39,8 @@ Watch the following video for an overview and demo of SOC optimization in the Mi
4139

4240
## Access the SOC optimization page
4341

44-
Use one of the following tabs, depending on whether you're working in the Azure portal or Defender portal:
42+
Use one of the following tabs, depending on whether you're working in the Azure portal or Defender portal. When your workspace is onboarded for unified security operations, SOC optimizations include coverage from across Microsoft security services.
43+
4544

4645
### [Azure portal](#tab/azure-portal)
4746

@@ -70,15 +69,15 @@ Supported metrics at the top of the **Overview** tab include:
7069
| **Ingested data over the last 3 months** | Shows the total data ingested in your workspace over the last three months. |
7170
|**Optimizations status** | Shows the number of recommended optimizations that are currently active, completed, and dismissed. |
7271

73-
Select **See all threat scenarios** to view the full list of relevant threats, active and recommended detections, and coverage levels.
72+
Select **See all threat scenarios** to view the full list of relevant threats, percentages of active and recommended analytics rules, and coverage levels.
7473

7574
### [Defender portal](#tab/defender-portal)
7675

7776
|Title | Description |
7877
|---------|---------|
7978
|**Recent optimization value** | Shows value gained based on recommendations you recently implemented |
80-
|**Ingested data** | Shows the total data ingested in your workspace over the last 90 days. |
81-
|**Threat-based coverage optimizations** | Shows coverage levels for relevant threats. <br>Coverage levels are based on the number of analytics rules found in your workspace, compared with the number of rules recommended by the Microsoft research team. <br><br>Supported coverage levels include:<br>- **Best**: 90% to 100% of recommended rules are found<br>- **Better**: 60% to 89% of recommended rules were created<br>- **Good**: 40% to 59% of recommended rules were created<br>- **Moderate**: 20% to 39% of recommended rules were created<br>- **None**: 0% to 19% of recommended rules were created<br><br>Select **View all threat scenarios** to view the full list of relevant threats, active and recommended detections, and coverage levels. |
79+
|**Data ingested** | Shows the total data ingested in your workspace over the last 90 days. |
80+
|**Threat-based coverage optimizations** | Shows one of the following coverage indicators, based on the number of analytics rules found in your workspace, compared with the number of rules recommended by the Microsoft research team: <br>- **High**: Over 75% of recommended rules are activated <br>- **Medium**: 30%-74% of recommended rules are activated <br>- **Low**: 0%-29% of recommended rules are activated. <br><br>Select **View all threat scenarios** to view the full list of relevant threats, active and recommended detections, and coverage levels. Then, select a threat scenario to drill down for more details about the recommendation on a separate, threat scenario details page. |
8281
|**Optimization status** | Shows the number of recommended optimizations that are currently active, completed, and dismissed. |
8382

8483
---
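Review bot: the new coverage bands in the Defender portal table leave a gap at exactly 75%: "High: Over 75% of recommended rules are activated" excludes 75, and "Medium: 30%-74%" stops at 74, so a workspace with exactly 75% of recommended rules activated matches neither band. Use "High: 75% or more" (or "75%-100%") and keep the bands contiguous. The three bullets are also punctuated inconsistently (only the Low line ends with a period). Separately, only the Defender portal table was moved to the High/Medium/Low scale, while the Azure portal tab in this hunk had only its "See all threat scenarios" sentence edited; confirm that the coverage levels described for the Azure portal still match, or state explicitly that the two portals report coverage differently. Finally, the Azure portal line now says "percentages of active and recommended analytics rules" while the Defender line says "active and recommended detections"; pick one term.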
@@ -102,10 +101,7 @@ In the Defender portal, SOC optimization recommendations are listed in the **You
102101

103102
---
104103

105-
Each optimization card includes the status, title, the date it was created, a high-level description, and the workspace it applies to.
106-
107-
> [!NOTE]
108-
> SOC optimization recommendations are calculated every 24 hours.
104+
SOC optimization recommendations are calculated every 24 hours. Each optimization card includes the status, title, the date it was created, a high-level description, and the workspace it applies to.
109105

110106
### Filter optimizations
111107

@@ -117,20 +113,45 @@ Filter the optimizations based on optimization type, or search for a specific op
117113

118114
### View optimization details and take action
119115

120-
In each optimization card, select **View full details** to see a full description of the observation that led to the recommendation, and the value you see in your environment when that recommendation is implemented.
116+
Select one of the following tabs, depending on the portal you're using:
117+
118+
### [Azure portal](#tab/azure-portal)
119+
120+
In each optimization card, select **View details** to see a full description of the observation that led to the recommendation, and the value you see in your environment when that recommendation is implemented.
121121

122122
Scroll down to the bottom of the details pane for a link to where you can take the recommended actions. For example:
123123

124124
- If an optimization includes recommendations to add analytics rules, select **Go to Content Hub**.
125125
- If an optimization includes recommendations to move a table to basic logs, select **Change plan**.
126126

127-
If you choose to install an analytics rule template from the Content Hub, and you don't already have the solution installed, only the analytics rule template that you install is shown in the solution when you're done. Install the full solution to see all available content items from the selected solution. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](../sentinel-solutions-deploy.md).
127+
### [Defender portal](#tab/defender-portal)
128+
129+
1. In each optimization card, select **View details** to see a full description of the observation that led to the recommendation, and the value you see in your environment when that recommendation is implemented.
130+
131+
1. For threat-based coverage optimizations:
132+
133+
- Toggle between the spider charts to understand your coverage across different tactics and techniques, based on the user-defined and out-of-the-box detections active in your environment.
134+
- Select **View threat scenario in MITRE ATT&CK** to jump to the [**MITRE ATT&CK** page in Microsoft Sentinel](../mitre-coverage.md?tabs=defender-portal), prefiltered for your threat scenario. For more information, see [Understand security coverage by the MITRE ATT&CK® framework].
135+
136+
1. Scroll down to the bottom of the details pane for a link to where you can take the recommended actions. For example:
137+
138+
- If an optimization includes recommendations to add analytics rules, select **Go to Content Hub**.
139+
- If an optimization includes recommendations to move a table to basic logs, select **Change plan**.
140+
- For threat-based coverage optimizations, select **View full threat scenario** to see the full list of relevant threats, active and recommended detections, and coverage levels. From there you can jump directly to the **Content hub** to activate any recommended detections, or to the **MITRE ATT&CK** page to view the [full MITRE ATT&CK coverage for the selected scenario](../mitre-coverage.md?tabs=defender-portal#view-current-mitre-coverage). For example:
141+
142+
:::image type="content" source="media/soc-optimization-access/threat-scenario-page.png" alt-text="Screenshot of the SOC optimization threat scenario page." lightbox="media/soc-optimization-access/threat-scenario-page.png":::
143+
144+
---
145+
146+
If you install an analytics rule template from the Content hub without the solution installed, only the installed template appears in the solution.
147+
148+
Install the full solution to see all available content items from the selected solution. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](../sentinel-solutions-deploy.md).
128149

129150
### Manage optimizations
130151

131152
By default, optimization statuses are **Active**. Change their statuses as your teams progress through triaging and implementing recommendations.
132153

133-
Either select the options menu or select **View full details** to take one of the following actions:
154+
Either select the options menu or select **View details** to take one of the following actions:
134155

135156
|Action |Description |
136157
|---------|---------|
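Review bot: the cross-reference added in the Defender portal tab, "For more information, see [Understand security coverage by the MITRE ATT&CK® framework].", has link text but no target, so it will render as literal bracketed text; add the link (the same bullet already links `../mitre-coverage.md?tabs=defender-portal`, so that path is presumably the intended target). Also in this hunk: "Content Hub" and "Content hub" are both used ("Go to Content Hub", "jump directly to the **Content hub**", "from the Content hub"); pick one spelling. "Spider charts" is informal; "radar charts" is the usual term. And the tab headings `### [Azure portal](#tab/azure-portal)` and `### [Defender portal](#tab/defender-portal)` sit at the same level as the `### View optimization details and take action` section they belong to, so they will appear as sibling sections in the heading outline; the earlier tabs in this file sit one level below their `##` parent, so consider `####` here.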
@@ -141,7 +162,7 @@ Either select the options menu or select **View full details** to take one of th
141162

142163
## View completed and dismissed optimizations
143164

144-
If you marked a specific optimization as *Completed* or *Dismissed*, or if an optimization was automatically completed, it's listed on the **Completed** and **Dismissed** tabs, respectively.
165+
If you marked a specific optimization as *Completed* or *Dismissed*, or if an optimization is automatically completed, it's listed on the **Completed** and **Dismissed** tabs, respectively.
145166

146167
From here, either select the options menu or select **View full details** to take one of the following actions:
147168

@@ -164,7 +185,7 @@ This section provides a sample flow for using SOC optimizations, from either the
164185

165186
- Add analytics rules to use the table for enhanced protection. To use this option, select **Go to the Content Hub** to view and configure specific out-of-the-box analytic rule templates that use the selected table. In the Content hub, you don't need to search for the relevant rule, as you're taken directly to the relevant rule.
166187

167-
If new analytic rules require additional log sources, consider ingesting them to improve threat coverage.
188+
If new analytic rules require extra log sources, consider ingesting them to improve threat coverage.
168189

169190
For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](../sentinel-solutions-deploy.md) and [Detect threats out-of-the-box](../detect-threats-built-in.md).
170191
