Commit 48bd25d

Merge pull request #297814 from AbbyMSFT/risk-based-optimization
Risk based optimization
2 parents e1ef3d7 + 055b2df commit 48bd25d

3 files changed

+60
-18
lines changed

articles/sentinel/soc-optimization/soc-optimization-access.md

Lines changed: 10 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,13 @@
11
---
22
title: Optimize security operations
33
description: Use Microsoft Sentinel SOC optimization recommendations to optimize your security operations center (SOC) team activities.
4-
ms.author: bagol
5-
author: batamig
6-
manager: raynew
4+
ms.author: abbyweisberg
5+
author: AbbyMSFT
6+
manager: orpsod
77
ms.collection:
88
- usx-security
99
ms.topic: how-to
10-
ms.date: 10/16/2024
10+
ms.date: 05/06/2025
1111
appliesto:
1212
- Microsoft Sentinel in the Microsoft Defender portal
1313
- Microsoft Sentinel in the Azure portal
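Review bot: the new `manager: orpsod` value on the `+` line does not match the `manager: orspod` already present in the front matter of soc-optimization-reference.md in this same PR (see its first hunk header); one of the two is a typo, so please verify the alias and align both files. The `ms.author`/`author` handoff to `abbyweisberg`/`AbbyMSFT` and the `ms.date` bump to 05/06/2025 look fine.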
@@ -67,7 +67,7 @@ Supported metrics at the top of the **Overview** tab include:
6767
|---------|---------|
6868
|**Recent optimization value** | Shows value gained based on recommendations you recently implemented |
6969
|**Data ingested** | Shows the total data ingested in your workspace over the last 90 days. |
70-
|**Threat-based coverage optimizations** | Shows one of the following coverage indicators, based on the number of analytics rules found in your workspace, compared with the number of rules recommended by the Microsoft research team: <br>- **High**: Over 75% of recommended rules are activated <br>- **Medium**: 30%-74% of recommended rules are activated <br>- **Low**: 0%-29% of recommended rules are activated. <br><br>Select **View all threat scenarios** to view the full list of relevant threats, active and recommended detections, and coverage levels. Then, select a threat scenario to drill down for more details about the recommendation on a separate, threat scenario details page. |
70+
|**Threat-based coverage optimizations** | Shows one of the following coverage indicators, based on the number of analytics rules found in your workspace, compared with the number of rules recommended by the Microsoft research team: <br>- **High**: Over 75% of recommended rules are activated <br>- **Medium**: 30%-74% of recommended rules are activated <br>- **Low**: 0%-29% of recommended rules are activated. <br><br>Select **View all threat scenarios** to view the full list of relevant threat and risk-based scenarios, active and recommended detections, and coverage levels. Then, select a threat scenario to drill down for more details about the recommendation on a separate, threat scenario details page. |
7171
|**Optimization status** | Shows the number of recommended optimizations that are currently active, completed, and dismissed. |
7272

7373
### [Azure portal](#tab/azure-portal)
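Review bot: the added phrase "relevant threat and risk-based scenarios" is ambiguous; it can be read as "threat scenarios and risk-based scenarios" or as one compound modifier. Since the reference article in this PR introduces these as two sibling categories, "threat-based and risk-based scenarios" would be clearer. The button is still named `View all threat scenarios`, so the sentence should also make clear that risk-based scenarios appear in that same list.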
@@ -77,7 +77,7 @@ Supported metrics at the top of the **Overview** tab include:
7777
| **Ingested data over the last 3 months** | Shows the total data ingested in your workspace over the last three months. |
7878
|**Optimizations status** | Shows the number of recommended optimizations that are currently active, completed, and dismissed. |
7979

80-
Select **See all threat scenarios** to view the full list of relevant threats, percentages of active and recommended analytics rules, and coverage levels.
80+
Select **See all threat scenarios** to view the full list of relevant threat and risk-based scenarios, percentages of active and recommended analytics rules, and coverage levels.
8181

8282
---
8383

@@ -105,8 +105,10 @@ SOC optimization recommendations are calculated every 24 hours. Each optimizatio
105105

106106
Filter the optimizations based on optimization type, or search for a specific optimization title using the search box on the side. Optimization types include:
107107

108-
- **Coverage**: Includes threat-based recommendations for adding security controls to help close coverage gaps for various types of attacks.
109-
108+
- **Coverage** : Includes recommendations to help you close coverage gaps against specific threats and tighten your ingestion rates against data that doesn't provide security value. Coverage recommendations include:
109+
- **Threat-based recommendations** for adding security controls to help close coverage gaps for various types of attacks.
110+
- **AI MITRE ATT&CK recommendations** for adding tagging recommendations to help close coverage gaps for various types of attacks, based on the MITRE ATT&CK framework.
111+
- **Risk-based recommendations** for adding security controls to help close coverage gaps for various types of business risks.
110112
- **Data value**: Includes recommendations that suggest ways to improve your data usage for maximizing security value from ingested data, or suggest a better data plan for your organization.
111113

112114
### View optimization details and take action
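Review bot: the new Coverage bullet folds ingestion into coverage: "tighten your ingestion rates against data that doesn't provide security value" describes the Data value type listed separately in the next bullet, so it should be dropped from the Coverage sentence. Other points in the same hunk: `- **Coverage** :` has a stray space before the colon; the three nested items need to be indented under the Coverage bullet if they are not already, or they will render as top-level bullets; "AI MITRE ATT&CK recommendations for adding tagging recommendations" is redundant; and the names should match the reference article, that is "AI MITRE ATT&CK tagging recommendations (Preview)" and "Risk-based recommendations (Preview)", including the Preview labels this file omits.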

articles/sentinel/soc-optimization/soc-optimization-reference.md

Lines changed: 42 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ manager: orspod
77
ms.collection:
88
- usx-security
99
ms.topic: reference
10-
ms.date: 04/08/2025
10+
ms.date: 05/06/2025
1111
appliesto:
1212
- Microsoft Sentinel in the Microsoft Defender portal
1313
- Microsoft Sentinel in the Azure portal
@@ -17,14 +17,18 @@ appliesto:
1717

1818
---
1919

20-
# SOC optimization reference of recommendations types
20+
# SOC optimization recommendations types
2121

2222
Use SOC optimization recommendations to help you close coverage gaps against specific threats and tighten your ingestion rates against data that doesn't provide security value. SOC optimizations help you optimize your Microsoft Sentinel workspace, without having your SOC teams spend time on manual analysis and research.
2323

2424
Microsoft Sentinel SOC optimizations include the following types of recommendations:
2525

2626
- **Data value recommendations** suggest ways to improve your data use, such as a better data plan for your organization.
27-
- **Threat-based recommendations** suggest adding security controls that help you close coverage gaps.
27+
28+
- **Coverage based recommendations** suggest adding controls to prevent coverage gaps that can lead to vulnerability to attacks or scenarios that can lead to financial loss. Coverage recommendations include:
29+
- **Threat-based recommendations**: Recommends adding security controls that help you detect coverage gaps to prevent attacks and vulnerabilities.
30+
- **AI MITRE ATT&CK tagging recommendations (Preview)**: Uses artificial intelligence to suggest tagging security detections with MITRE ATT&CK tactics and techniques.
31+
- **Risk-based recommendations (Preview)**: Recommends implementing controls to address coverage gaps linked to use cases that may result in business risks or financial losses, including operational, financial, reputational, compliance, and legal risks.
2832
- **Similar organizations recommendations** suggest ingesting data from the types of sources used by organizations which have similar ingestion trends and industry profiles to yours.
2933

3034
This article provides a detailed reference of the types of SOC optimization recommendations available.
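Review bot: the retitled H1 "SOC optimization recommendations types" should be "SOC optimization recommendation types" (singular noun as modifier), and since the page title changes, any TOC entries or links that use the old title need checking. In the list, "Coverage based recommendations" lacks the hyphen used everywhere else in this PR ("Coverage-based"); "help you detect coverage gaps to prevent attacks and vulnerabilities" says the controls detect gaps, whereas the rest of the article says controls close gaps; and the blank line added as new line 27 sits between the Data value bullet and the Coverage bullet while no other bullets in the list are separated by a blank line, so it should be removed for consistent rendering.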
@@ -43,7 +47,7 @@ The following table lists the available types of data value SOC optimization rec
4347
|---------|---------|
4448
| The table wasn't used by analytics rules or detections in the last 30 days but was used by other sources, such as workbooks, log queries, hunting queries. | Turn on analytics rule templates <br>OR<br>Move the table to a [basic logs plan](../billing.md#auxiliary-logs) if the table is eligible. |
4549
| The table wasn’t used at all in the last 30 days. | Turn on analytics rule templates <br>OR<br> Stop data ingestion and remove the table or move the table to long term retention. |
46-
| The table was only used by Azure Monitor. | Turn on any relevant analytics rule templates for tables with security value <br>OR<br>Move to a non-security Log Analytics workspace. |
50+
| The table was only used by Azure Monitor. | Turn on any relevant analytics rule templates for tables with security value <br>OR<br>Move to a nonsecurity Log Analytics workspace. |
4751

4852
If a table is chosen for [UEBA](/azure/sentinel/enable-entity-behavior-analytics) or a [threat intelligence matching analytics rule](/azure/sentinel/use-matching-analytics-to-detect-threats), SOC optimization doesn't recommend any changes in ingestion.
4953

@@ -58,12 +62,15 @@ SOC optimization also surfaces unused columns in your tables. The following tabl
5862

5963
> [!IMPORTANT]
6064
> When making changes to ingestion plans, we recommend always ensuring that the limits of your ingestion plans are clear, and that the affected tables aren't ingested for compliance or other similar reasons.
61-
>
62-
## Threat-based optimization recommendations
65+
66+
## Coverage-based optimization recommendations
67+
Coverage-based optimization recommendations help you close coverage gaps against specific threats or to scenarios that can lead to business risks and financial loss.
68+
69+
### Threat-based optimization recommendations
6370

6471
To optimize data value, SOC optimization recommends adding security controls to your environment in the form of extra detections and data sources, using a threat-based approach. This optimization type is also known as *coverage optimization*, and is based on Microsoft's security research.
6572

66-
To provide threat-based recommendations, SOC optimization looks at your ingested logs and enabled analytics rules, and compares them to the logs and detections that are required to protect, detect, and respond to specific types of attacks.
73+
SOC optimization provides threat-based recommendations by analyzing your ingested logs and enabled analytics rules, then comparing them to the logs and detections needed to address specific types of attacks.
6774

6875
Threat-based optimizations consider both predefined and user-defined detections.
6976

@@ -75,6 +82,32 @@ The following table lists the available types of threat-based SOC optimization r
7582
| Templates are turned on, but data sources are missing. | Connect new data sources. |
7683
| There are no existing detections or data sources. | Connect detections and data sources or install a solution. |
7784

85+
### AI MITRE ATT&CK tagging recommendations (Preview)
86+
87+
The AI MITRE ATT&CK Tagging feature uses artificial intelligence to automatically tag security detections. The AI model runs on the customer's workspace to create tagging recommendations for untagged detections with relevant MITRE ATT&CK tactic and techniques.
88+
89+
Customers can apply these recommendations to ensure their security coverage is thorough and precise. This ensures complete and accurate security coverage, enhancing threat detection and response capabilities.
90+
91+
These are 3 ways to apply the AI MITRE ATT&CK tagging recommendations:
92+
- Apply the recommendation to a specific analytics rule.
93+
- Apply the recommendation to all analytics rules in the workspace.
94+
- Don't apply the recommendation to any analytics rules.
95+
96+
### Risk-based optimization recommendations (Preview)
97+
98+
Risk-based optimizations consider real world security scenarios with a set of business risks associated with it, including Operational, Financial, Reputational, Compliance, and Legal risks. The recommendations are based on the Microsoft Sentinel risk-based approach to security.
99+
100+
To provide risk-based recommendations, SOC optimization looks at your ingested logs and analytics rules, and compares them to the logs and detections that are required to protect, detect, and respond to specific types of attacks that may cause business risks.
101+
Risk-based recommendations optimizations consider both predefined and user-defined detections.
102+
103+
The following table lists the available types of risk-based SOC optimization recommendations:
104+
105+
| Type of observation | Action |
106+
|---------|---------|
107+
| There are data sources, but detections are missing. | Turn on analytics rule templates based on the business risks: Create a rule using an analytics rule template, and adjust the name, description, and query logic to suit your environment. |
108+
| Templates are turned on, but data sources are missing. | Connect new data sources. |
109+
| There are no existing detections or data sources. | Connect detections and data sources or install a solution. |
110+
78111
## Similar organizations recommendations
79112

80113
SOC optimization uses advanced machine learning to identify tables that are missing from your workspace, but are used by organizations with similar ingestion trends and industry profiles. It shows how other organizations use these tables and recommends the relevant data sources, along with related rules, to improve your security coverage.
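Review bot: the AI tagging section should state what the model reads, since the article elsewhere is explicit about data handling (the similar-organizations Considerations say the models never access log content). Saying the model "runs on the customer's workspace" without saying whether it reads rule names, descriptions, or query text leaves a question a security reviewer will ask; please add a sentence equivalent to the OII/EUII statement. Wording in the same hunk: "tactic and techniques" should be "tactics and techniques"; "These are 3 ways" should be "There are three ways"; "This ensures complete and accurate security coverage..." restates the sentence before it and can go; "Customers can apply" should be "You can apply" in this second-person article. In the risk-based section, "real world security scenarios with a set of business risks associated with it" has a number mismatch (scenarios ... it); "Risk-based recommendations optimizations consider" has a stray word; the risk list capitalizes "Operational, Financial, Reputational, Compliance, and Legal" while the same list earlier in the file is lowercase; and a blank line is missing between the "To provide risk-based recommendations" paragraph (`100+`) and the "consider both predefined and user-defined detections" line (`101+`), so they will render as one paragraph. Finally, the risk-based table repeats the threat-based table verbatim except for the first action; if that is intentional, a sentence saying the observation types are shared would save readers a line-by-line comparison.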
@@ -85,9 +118,9 @@ SOC optimization uses advanced machine learning to identify tables that are miss
85118

86119
### Considerations
87120

88-
- Not all workspaces get similar organizations recommendations. A workspace receives these recommendations only if our machine learning model identifies significant similarities with other organizations and discovers tables that they have but you don't. SOCs in their early or onboarding stages are more likely to receive these recommendations than SOCs with a higher level of maturity.
121+
- A workspace only receives similar organization recommendations if the machine learning model identifies significant similarities with other organizations and discovers tables that they have but you don't. SOCs in their early or onboarding stages are more likely to receive these recommendations than SOCs with a higher level of maturity. Not all workspaces get similar organizations recommendations.
89122

90-
- Recommendations are based on machine learning models that rely solely on Organizational Identifiable Information (OII) and system metadata. The models never access or analyze the content of customer logs or ingest them at any point. No customer data, content, or personal data (EUII) is exposed to the analysis.
123+
- The machine learning models never access or analyze the content of customer logs or ingest them at any point. No customer data, content, or personal data (EUII) is exposed to the analysis. Recommendations are based on machine learning models that rely solely on Organizational Identifiable Information (OII) and system metadata.
91124

92125
## Related content
93126

articles/sentinel/whats-new.md

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@ description: Learn about the latest new features and announcement in Microsoft S
44
author: batamig
55
ms.author: bagol
66
ms.topic: concept-article
7-
ms.date: 04/28/2025
7+
ms.date: 05/06/2025
88

99
#Customer intent: As a security team member, I want to stay updated on the latest features and enhancements in Microsoft Sentinel so that I can effectively manage and optimize my organization's security posture.
1010

@@ -18,6 +18,13 @@ The listed features were released in the last three months. For information abou
1818

1919
[!INCLUDE [reference-to-feature-availability](includes/reference-to-feature-availability.md)]
2020

21+
## May 2025
22+
SOC optimization support for:
23+
- **AI MITRE ATT&CK tagging recommendations (Preview)**: Uses artificial intelligence to suggest tagging security detections with MITRE ATT&CK tactics and techniques.
24+
- **Risk-based recommendations (Preview)**: Recommends implementing controls to address coverage gaps linked to use cases that may result in business risks or financial losses, including operational, financial, reputational, compliance, and legal risks.
25+
26+
For more information, see [SOC optimization reference](soc-optimization/soc-optimization-reference.md).
27+
2128
## April 2025
2229

2330
- [Security Copilot generates incident summaries in Microsoft Sentinel in the Azure portal (Preview)](#security-copilot-generates-incident-summaries-in-microsoft-sentinel-in-the-azure-portal-preview)
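Review bot: the May 2025 entry does not follow the format the April 2025 section uses on the context line below it, where each feature is a bullet linking to its own subsection, and "SOC optimization support for:" is a sentence fragment as a section lead. Suggest a single bullet such as "SOC optimization: AI MITRE ATT&CK tagging and risk-based recommendations (Preview)" with the link to the reference article, and keep the one-line descriptions only in the reference article, since both files in this PR already carry the same two sentences verbatim.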
