articles/sentinel/soc-optimization/soc-optimization-access.md
Lines changed: 19 additions & 5 deletions
Original file line number
Diff line number
Diff line change
@@ -41,7 +41,8 @@ Watch the following video for an overview and demo of SOC optimization in the Mi
41
41
42
42
## Access the SOC optimization page
43
43
44
-
Use one of the following tabs, depending on whether you're working in the Azure portal or Defender portal:
44
+
Use one of the following tabs, depending on whether you're working in the Azure portal or Defender portal. When your workspace is onboarded for unified security operations, SOC optimizations include coverage from across Microsoft security services.
45
+
45
46
46
47
### [Azure portal](#tab/azure-portal)
47
48
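Review bot: The added sentence "When your workspace is onboarded for unified security operations, SOC optimizations include coverage from across Microsoft security services." now sits in the intro above both tabs, so it reads as applying to the Azure portal as well as the Defender portal. If the broader coverage is only visible in the Defender portal, say so explicitly in the sentence. It is also appended to the tab-selection sentence on the same line; putting it in its own paragraph would keep the "pick a tab" instruction separate from the statement about coverage.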
@@ -55,8 +56,6 @@ In the Defender portal, select **SOC optimization**.
55
56
56
57
:::image type="content" source="media/soc-optimization-access/soc-optimization-xdr.png" alt-text="Screenshot of the SOC optimization page in the Defender portal." lightbox="media/soc-optimization-access/soc-optimization-xdr.png":::
57
58
58
-
When your workspace is onboarded for unified security operations, SOC optimizations include coverage from across Microsoft security services.
59
-
60
59
---
61
60
62
61
## Understand SOC optimization overview metrics
@@ -80,7 +79,7 @@ Select **See all threat scenarios** to view the full list of relevant threats, a
80
79
|---------|---------|
81
80
|**Recent optimization value**| Shows value gained based on recommendations you recently implemented |
82
81
|**Data ingested**| Shows the total data ingested in your workspace over the last 90 days. |
83
-
|**Threat-based coverage optimizations**| Shows a **High**, **Medium**, and **Low** coverage indicator, based on the number of analytics rules (detections) found in your workspace, compared with the number of rules recommended by the Microsoft research team.<br>The metrics show a ratio of your active detections, and if you're onboarded to the unified security operations platform, the ratio of active security services in your environment.<br><br>Select **View all threat scenarios** to view the full list of relevant to view the full list of relevant threats, active and recommended detections, and coverage levels. Select a threat scenario to drill down for more details about the recommendation. |
82
+
|**Threat-based coverage optimizations**| Shows a **High**, **Medium**, and **Low** coverage indicator, based on the number of analytics rules (detections) found in your workspace, compared with the number of rules recommended by the Microsoft research team.<br><br>The metrics show a ratio of your active detections and the ratio of active security services in your environment.<br><br>Select **View all threat scenarios** to view the full list of relevant threats, active and recommended detections, and coverage levels. Then, select a threat scenario to drill down for more details about the recommendation on a separate, threat scenario details page. |
84
83
|**Optimization status**| Shows the number of recommended optimizations that are currently active, completed, and dismissed. |
85
84
86
85
<!--do we have an indication of what low med high mean? we use to have best, better, good, moderate, none-->
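Review bot: The rewritten **Threat-based coverage optimizations** row drops the condition "if you're onboarded to the unified security operations platform", so it now states that the ratio of active security services is shown for every workspace. That conflicts with the sentence this same commit keeps in the intro ("When your workspace is onboarded for unified security operations, ..."); either restore the condition here or confirm the metric really is unconditional. The row also says **View all threat scenarios** while the surrounding text in the hunk header says **See all threat scenarios**; use whichever label the UI shows in both places. The HTML comment below the table asking what low, medium and high mean is still open and is worth resolving while this row is being edited.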
@@ -118,7 +117,20 @@ Filter the optimizations based on optimization type, or search for a specific op
118
117
119
118
### View optimization details and take action
120
119
121
-
1. In each optimization card, select **View details** to see a full description of the observation that led to the recommendation, and the value you see in your environment when that recommendation is implemented.
120
+
Select one of the following tabs, depending on the portal you're using:
121
+
122
+
### [Azure portal](#tab/azure-portal)
123
+
124
+
In each optimization card, select **View details** to see a full description of the observation that led to the recommendation, and the value you see in your environment when that recommendation is implemented.
125
+
126
+
Scroll down to the bottom of the details pane for a link to where you can take the recommended actions. For example:
127
+
128
+
- If an optimization includes recommendations to add analytics rules, select **Go to Content Hub**.
129
+
- If an optimization includes recommendations to move a table to basic logs, select **Change plan**.
130
+
131
+
### [Defender portal](#tab/defender-portal)
132
+
133
+
1. In each optimization card, select **View details** to see a full description of the observation that led to the recommendation, and the value you see in your environment when that recommendation is implemented.
122
134
123
135
1. For threat-based coverage optimizations:
124
136
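Review bot: The new Azure portal tab gives its procedure as unnumbered paragraphs ("In each optimization card, select **View details** ...", "Scroll down to the bottom of the details pane ..."), while the Defender portal tab keeps numbered `1.` steps for the same task. Number the Azure portal steps as well so that the two tabs read as parallel procedures. The first step is now duplicated word for word in both tabs; if it is identical in both portals, consider keeping it once above the tab group and leaving only the portal-specific steps inside the tabs. The added tab headings are also at `###`, the same level as the enclosing "### View optimization details and take action" heading, so check that the tab group renders nested under that section as intended.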
@@ -133,6 +145,8 @@ Filter the optimizations based on optimization type, or search for a specific op
133
145
134
146
:::image type="content" source="media/soc-optimization-access/threat-scenario-page.png" alt-text="Screenshot of the SOC optimization threat scenario page.":::
135
147
148
+
---
149
+
136
150
If you choose to install an analytics rule template from the Content hub, and you don't already have the solution installed, only the analytics rule template that you install is shown in the solution when you're done. Install the full solution to see all available content items from the selected solution. For more information, see [Discover and manage Microsoft Sentinel out-of-the-box content](../sentinel-solutions-deploy.md).
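Review bot: Capitalization of the content hub is now inconsistent between this context paragraph ("from the Content hub") and the bullet added earlier in this commit ("select **Go to Content Hub**"). If the bolded text is the exact UI label it can stay, but it is worth confirming and aligning the prose usage. The added `---` correctly closes the tab group, so this closing paragraph sits outside both tabs; that placement suits it, since the Azure portal tab also sends readers to the Content hub.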