
Commit a8dd065

authored
Merge pull request #291651 from yelevin/patch-2
Similar customers - Sentinel
2 parents 91d9425 + ce04140 commit a8dd065

File tree

2 files changed

+42
-17
lines changed


articles/sentinel/soc-optimization/soc-optimization-reference.md

Lines changed: 34 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -7,7 +7,7 @@ manager: raynew
77
ms.collection:
88
- usx-security
99
ms.topic: reference
10-
ms.date: 06/09/2024
10+
ms.date: 12/18/2024
1111
appliesto:
1212
- Microsoft Sentinel in the Microsoft Defender portal
1313
- Microsoft Sentinel in the Azure portal
@@ -23,46 +23,64 @@ Use SOC optimization recommendations to help you close coverage gaps against spe
2323

2424
Microsoft Sentinel SOC optimizations include the following types of recommendations:
2525

26-
- **Threat-based optimizations** recommend adding security controls that help you close coverage gaps.
26+
- **Threat-based recommendations** suggest adding security controls that help you close coverage gaps.
2727

28-
- **Data value optimizations** recommend ways to improve your data use, such as a better data plan for your organization.
28+
- **Data value recommendations** suggest ways to improve your data use, such as a better data plan for your organization.
29+
30+
- **Similar organizations recommendations** suggest ingesting data from the types of sources used by organizations which have similar ingestion trends and industry profiles to yours.
2931

3032
This article provides a reference of the SOC optimization recommendations available.
3133

3234
[!INCLUDE [unified-soc-preview](../includes/unified-soc-preview.md)]
3335

34-
## Data value optimizations
36+
## Data value optimization recommendations
3537

36-
To optimize your cost to security value ratio, SOC optimization surfaces hardly used data connectors or tables, and suggests ways to either reduce the cost of a table or improve its value, depending on your coverage. This type of optimization is also called *data value optimization*.
38+
To optimize your cost/security value ratio, SOC optimization surfaces hardly used data connectors or tables, and suggests ways to either reduce the cost of a table or improve its value, depending on your coverage. This type of optimization is also called *data value optimization*.
3739

3840
Data value optimizations only look at billable tables that ingested data in the past 30 days.
3941

4042
The following table lists the available data value SOC optimization recommendations:
4143

42-
|Observation |Action |
44+
| Observation | Action |
4345
|---------|---------|
44-
|The table wasn’t used by analytic rules or detections in the last 30 days but was used by other sources, such as workbooks, log queries, hunting queries. | Turn on analytics rule templates <br>OR<br>Move to basic logs if the table is eligible |
45-
|The table wasn’t used at all in the last 30 days | Turn on analytics rule templates <br>OR<br> Stop data ingestion or archive the table |
46-
|The table was only used by Azure Monitor | Turn on any relevant analytics rule templates for tables with security value <br>OR<br>Move to a nonsecurity Log Analytics workspace |
46+
| The table wasn’t used by analytics rules or detections in the last 30 days but was used by other sources, such as workbooks, log queries, hunting queries. | Turn on analytics rule templates <br>OR<br>Move to basic logs if the table is eligible. |
47+
| The table wasn’t used at all in the last 30 days. | Turn on analytics rule templates <br>OR<br> Stop data ingestion or archive the table. |
48+
| The table was only used by Azure Monitor. | Turn on any relevant analytics rule templates for tables with security value <br>OR<br>Move to a non-security Log Analytics workspace. |
4749

4850
If a table is chosen for [UEBA](/azure/sentinel/enable-entity-behavior-analytics) or a [threat intelligence matching analytics rule](/azure/sentinel/use-matching-analytics-to-detect-threats), SOC optimization doesn't recommend any changes in ingestion.
4951

5052
> [!IMPORTANT]
5153
> When making changes to ingestion plans, we recommend always ensuring that the limits of your ingestion plans are clear, and that the affected tables aren't ingested for compliance or other similar reasons.
5254
>
53-
## Threat-based optimization
55+
## Threat-based optimization recommendations
56+
57+
To optimize data value, SOC optimization recommends adding security controls to your environment in the form of extra detections and data sources, using a threat-based approach. This optimization type is also known as *coverage optimization*, and is based on Microsoft's security research.
5458

55-
To optimize data value, SOC optimization recommends adding security controls to your environment in the form of extra detections and data sources, using a threat-based approach.
59+
To provide threat-based recommendations, SOC optimization looks at your ingested logs and enabled analytics rules, and compares them to the logs and detections that are required to protect, detect, and respond to specific types of attacks.
5660

57-
To provide threat-based recommendations, SOC optimization looks at your ingested logs and enabled analytics rules, and compares it to the logs and detections that are required to protect, detect, and respond to specific types of attacks. This optimization type is also known as *coverage optimization*, and is based on Microsoft's security research. SOC optimization considers both user-defined and out-of-the-box detections.
61+
Threat-based optimizations consider both predefined and user-defined detections.
5862

5963
The following table lists the available threat-based SOC optimization recommendations:
6064

61-
|Observation |Action |
65+
| Observation | Action |
6266
|---------|---------|
63-
|There are data sources, but detections are missing. | Turn on analytics rule templates based on the threat: Create a rule using an analytics rule template, and adjust the name, description, and query logic to suit your environment. <br><br>For more information, see [Threat detection in Microsoft Sentinel](../threat-detection.md). |
64-
|Templates are turned on, but data sources are missing. | Connect new data sources. |
65-
|There are no existing detections or data sources. | Connect detections and data sources or install a solution. |
67+
| There are data sources, but detections are missing. | Turn on analytics rule templates based on the threat: Create a rule using an analytics rule template, and adjust the name, description, and query logic to suit your environment. <br><br>For more information, see [Threat detection in Microsoft Sentinel](../threat-detection.md). |
68+
| Templates are turned on, but data sources are missing. | Connect new data sources. |
69+
| There are no existing detections or data sources. | Connect detections and data sources or install a solution. |
70+
71+
## Similar organizations recommendations
72+
73+
SOC optimization uses advanced machine learning to identify tables that are missing from your workspace, but are used by organizations with similar ingestion trends and industry profiles to yours. It shows how other organizations use these tables and recommends to you the relevant data sources, along with related rules, to improve your security coverage.
74+
75+
| Observation | Action |
76+
|---------|---------|
77+
| Log sources ingested by similar customers are missing | Connect the suggested data sources. <br><br>This recommendation doesn't include: <ul><li>Custom connectors<li>Custom tables<li>Tables that are ingested by fewer than 10 workspaces <li>Tables that contain multiple log sources, like the `Syslog` or `CommonSecurityLog` tables |
78+
79+
### Considerations
80+
81+
- Not all workspaces get similar organizations recommendations. A workspace receives these recommendations only if our machine learning model identifies significant similarities with other organizations and discovers tables that they have but you don't. SOCs in their early or onboarding stages are generally more likely to receive these recommendations than SOCs with a higher level of maturity.
82+
83+
- Recommendations are based on machine learning models that rely solely on Organizational Identifiable Information (OII) and system metadata. The models never access or analyze the content of customer logs or ingest them at any point. No customer data, content, or End User Identifiable Information (EUII) is exposed to the analysis.
6684

6785
## Related content
6886

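Review bot: the new Similar organizations table row (`| Log sources ingested by similar customers are missing | ...`) mixes terminology and leaves HTML unbalanced: the section heading and its intro paragraph say "similar organizations" while the Observation cell says "similar customers", and the `<ul><li>` list in the Action cell never closes its `<li>` items or the `<ul>`, which markdown renderers may carry past the cell. Suggest `| Log sources ingested by similar organizations are missing. | ...` for the Observation (the trailing period also matches the other rows this hunk normalized) and closing each `</li>` and the `</ul>` in the Action cell. Minor wording point in the same section: "recommends to you the relevant data sources" reads better as "recommends the relevant data sources to you".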
articles/sentinel/whats-new.md

Lines changed: 8 additions & 1 deletion
@@ -4,7 +4,7 @@ description: Learn about the latest new features and announcement in Microsoft S
44
author: yelevin
55
ms.author: yelevin
66
ms.topic: concept-article
7-
ms.date: 12/15/2024
7+
ms.date: 12/18/2024
88

99

1010
#Customer intent: As a security team member, I want to stay updated on the latest features and enhancements in Microsoft Sentinel so that I can effectively manage and optimize my organization's security posture.
@@ -24,12 +24,19 @@ Get notified when this page is updated by copying and pasting the following URL
2424

2525
## December 2024
2626

27+
- [New SOC optimization recommendation based on similar organizations (Preview)](#new-soc-optimization-recommendation-based-on-similar-organizations-preview)
2728
- [Agentless deployment for SAP applications (Limited preview)](#agentless-deployment-for-sap-applications-limited-preview)
2829
- [Microsoft Sentinel workbooks now available to view directly in the Microsoft Defender portal](#microsoft-sentinel-workbooks-now-available-to-view-directly-in-the-microsoft-defender-portal)
2930
- [Unified Microsoft Sentinel solution for Microsoft Business Apps](#unified-microsoft-sentinel-solution-for-microsoft-business-apps)
3031
- [New documentation library for Microsoft's unified security operations platform](#new-documentation-library-for-microsofts-unified-security-operations-platform)
3132
- [New S3-based data connector for Amazon Web Services WAF logs (Preview)](#new-s3-based-data-connector-for-amazon-web-services-waf-logs-preview)
3233

34+
### New SOC optimization recommendation based on similar organizations (Preview)
35+
36+
SOC optimization now includes new recommendations for adding data sources to your workspace based on the security posture of other customers in similar industries and sectors as you, and with similar data ingestion patterns. Add the recommended data sources to improve security coverage for your organization.
37+
38+
For more information, see [SOC optimization reference of recommendations](soc-optimization/soc-optimization-reference.md).
39+
3340
### Agentless deployment for SAP applications (Limited preview)
3441

3542
The Microsoft Sentinel solution for SAP applications now supports an agentless deployment, using SAP's own cloud platform features to provide simplified, agentless deployment and connectivity. Instead of deploying a virtual machine and containerized agent, use the SAP Cloud Connector and its existing connections to back-end ABAP systems to connect your SAP system to Microsoft Sentinel.
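Review bot: in the new "New SOC optimization recommendation based on similar organizations (Preview)" paragraph, "other customers in similar industries and sectors as you" should read "similar industries and sectors to yours" (the comparison is between sectors, not between the reader and a sector), and "similar data ingestion patterns" would align better with the reference article's phrasing "similar ingestion trends and industry profiles" so both pages describe the feature the same way. The new list entry's anchor matches the heading added below it, so the in-page link resolves.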
