Microsoft Sentinel is a next-generation cloud-native Security Information and Event Management (SIEM) solution, enriched by AI and threat intelligence. It delivers end-to-end protection across the multicloud, multiplatform digital estate. With industry-leading innovations focused on SOC productivity, efficient threat investigations, and cost optimizations, Microsoft Sentinel empowers defenders to stay ahead of threats in a simplified, scalable, and accelerated manner.
One of the key features of Microsoft Sentinel is the SOC Optimization capability, which is currently in public preview. It makes it easier for security teams to tailor and manage their SIEM to specific business and security requirements: it gives you guidance on building coverage (use cases) for specific threats and MITRE ATT&CK techniques, and on tuning the coverage you already have.
What does SOC Optimization mean?
SOC Optimization provides dynamic, actionable, research-backed recommendations to optimize data usage, costs, and security coverage against relevant threats. These recommendations are tailored to your organization and update every day, enabling you to confidently understand your security coverage and immediately discover content best suited for your security needs.
The recommendations are threat-based and backed by Microsoft research, helping identify rules or data sources needed to improve security coverage against various types of attacks. They also provide visibility into your data usage patterns and actionable recommendations for out-of-the-box detections, so you can gain immediate security value from ingested data and improve threat protection.
Capabilities of SOC Optimization
SOC Optimization is designed to empower security teams with precision-driven management capabilities. Here are some of its use cases:
- Tailored Recommendations: SOC Optimization offers tailored recommendations unique to your organization that update every day. This enables you to confidently understand your security coverage and immediately discover content best suited for your security needs.
- Threat-Based Recommendations: These are backed by Microsoft research to help identify rules or data sources needed to improve security coverage against various types of attacks.
- Data Usage Patterns: SOC Optimization provides insights into your data usage patterns and actionable recommendations for out-of-the-box detections. This allows you to gain immediate security value from ingested data and improve threat protection.
- Cost Optimization: It provides insights into ingested data that is not being used for detection or investigation, with recommendations on how to reduce that cost.
SOC Optimizations Overview
Open SOC Optimization from Microsoft Sentinel in the Azure Portal, or from the Unified Security Operations Center in the Security Portal.
PS I prefer the Azure Portal due to my daily habits, but the Unified Security Operations Center is more slick and smooth ^^
Moving on… from here you get an overview of the two types of optimizations: data value optimizations and threat-based optimizations.
If you want an overview of the possible threat scenarios, click on the following link:
You’ll get a list of the current scenarios, each with the number of active detections you’ve already set up/configured, the number of possible (recommended) detections, and the coverage you’ve achieved:
If you open a scenario, you can see a spider graph of the coverage still to improve, the actions to take, and the mapping to the MITRE ATT&CK framework:
Clicking through to the Content Hub, SOC Optimization shows you which analytics rules could be installed (this depends on your use case and situation, but you can use it as guidance).
I recommend you go through all the scenarios step by step to verify the coverage and the steps to take to harden your environment. The same goes for the data value optimizations (they’re important as well).
Verify all the actions taken (whether automatically or manually) from the Completed tab:
SOC optimization reference of recommendations
Use SOC optimization recommendations to help you close coverage gaps against specific threats and tighten your ingestion rates against data that doesn’t provide security value. SOC optimizations help you optimize your Microsoft Sentinel workspace, without having your SOC teams spend time on manual analysis and research.
Microsoft Sentinel SOC optimizations include the following types of recommendations:
- Threat-based optimizations recommend adding security controls that help you close coverage gaps.
- Data value optimizations recommend ways to improve your data use, such as a better data plan for your organization.
Data value optimizations
To optimize your cost to security value ratio, SOC optimization surfaces rarely used data connectors or tables, and suggests ways to either reduce the cost of a table or improve its value, depending on your coverage.
This type of optimization is also called data value optimization. Data value optimizations only look at billable tables that ingested data in the past 30 days.
The following table lists the available data value SOC optimization recommendations:
| Observation | Action |
|---|---|
| The table wasn’t used by analytics rules or detections in the last 30 days but was used by other sources, such as workbooks, log queries or hunting queries. | Turn on analytics rule templates OR move to basic logs if the table is eligible |
| The table wasn’t used at all in the last 30 days. | Turn on analytics rule templates OR stop data ingestion or archive the table |
| The table was only used by Azure Monitor. | Turn on any relevant analytics rule templates for tables with security value OR move to a non-security Log Analytics workspace |
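The three observations above are simple to reproduce yourself, which is useful when you want to cross-check a recommendation before stopping ingestion on a 300 GB/month table. The script below is an added example (not Microsoft's code and not how the product implements the check): it models a table's 30-day billable ingestion, the analytics rules and the other KQL consumers (workbooks, hunting queries, saved queries), and maps each table to the observation and action from the reference table. All table names, queries, volumes and the `AZURE_MONITOR_TABLES` set are constructed assumptions for the example, and the table-reference extractor is a small regex, not a KQL parser.

```python
"""Offline model of Microsoft Sentinel's data value optimization checks.

Added example, not Microsoft's code. The inputs below are constructed
stand-ins for what you would pull from a workspace: per-table billable
ingestion over the last 30 days (Usage table), the analytics rules, and
the other KQL consumers (workbooks, hunting queries, saved log queries).
All table names, queries and volumes are illustrative.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption for the example: tables that only Azure Monitor features
# produce and consume, so they carry no Sentinel detection value on their own.
AZURE_MONITOR_TABLES = {"Heartbeat", "Perf", "InsightsMetrics"}


@dataclass
class TableUsage:
    name: str
    billable: bool
    ingested_gb_30d: float
    basic_logs_eligible: bool = False


@dataclass
class KqlConsumer:
    kind: str      # "analytics_rule", "workbook", "hunting_query" or "saved_query"
    enabled: bool
    query: str


# Minimal KQL table-reference extractor: a capitalised identifier at the start
# of the query or right after a union/join. Enough for the constructed queries
# here; it is not a KQL parser (no let statements, no externaldata, no functions).
_TABLE_REF = re.compile(
    r"(?:^|\bunion\b|\bjoin\b(?:\s+kind\s*=\s*\w+)?)\s*\(?\s*([A-Z][A-Za-z0-9_]*)"
)


def referenced_tables(query: str) -> set[str]:
    """Return the table names a KQL query reads from."""
    return set(_TABLE_REF.findall(query.strip()))


def classify(table: TableUsage, consumers: list[KqlConsumer]) -> tuple[str, str] | None:
    """Map one table to (observation, action) per the reference table, or None
    when no data value recommendation applies."""
    # The reference only looks at billable tables that ingested data in the last 30 days.
    if not table.billable or table.ingested_gb_30d <= 0:
        return None
    # Only enabled content counts as use: a disabled rule reads nothing.
    used_by = {
        c.kind for c in consumers if c.enabled and table.name in referenced_tables(c.query)
    }
    if "analytics_rule" in used_by:
        return None  # already backs a detection: nothing to recommend
    if used_by:
        action = "Turn on analytics rule templates"
        if table.basic_logs_eligible:
            action += " OR move to basic logs"
        return (
            "Not used by analytics rules in the last 30 days, but used by "
            + ", ".join(sorted(used_by)),
            action,
        )
    if table.name in AZURE_MONITOR_TABLES:
        return (
            "Only used by Azure Monitor",
            "Turn on relevant analytics rule templates OR move to a non-security workspace",
        )
    return (
        "Not used at all in the last 30 days",
        "Turn on analytics rule templates OR stop ingestion / archive the table",
    )


def recommendations(tables: list[TableUsage], consumers: list[KqlConsumer]) -> list[tuple[str, float, str, str]]:
    """Recommendations ordered by 30-day volume, so the costliest unused data comes first."""
    out = []
    for t in sorted(tables, key=lambda x: x.ingested_gb_30d, reverse=True):
        rec = classify(t, consumers)
        if rec:
            out.append((t.name, t.ingested_gb_30d, *rec))
    return out


# Constructed sample inputs (not real workspace data).
SAMPLE_TABLES = [
    TableUsage("SecurityEvent", True, 120.0),
    TableUsage("CommonSecurityLog", True, 200.0),
    TableUsage("SigninLogs", True, 40.0),
    TableUsage("ContainerLogV2", True, 300.0, basic_logs_eligible=True),
    TableUsage("Perf", True, 80.0),
    TableUsage("Heartbeat", False, 5.0),   # not billable: out of scope
]
SAMPLE_CONSUMERS = [
    KqlConsumer("analytics_rule", True,
                "SecurityEvent | where EventID == 4625 | summarize count() by Account"),
    # A disabled rule does not count as use of SigninLogs.
    KqlConsumer("analytics_rule", False, "SigninLogs | where ResultType != 0"),
    KqlConsumer("workbook", True, "SigninLogs | summarize count() by AppDisplayName"),
    KqlConsumer("hunting_query", True, "ContainerLogV2 | where LogMessage has 'kubectl exec'"),
]

if __name__ == "__main__":
    for name, gb, observation, action in recommendations(SAMPLE_TABLES, SAMPLE_CONSUMERS):
        print(f"{name:<20}{gb:>8.1f} GB  {observation}\n{'':30}-> {action}")
```

Run as-is it lists four tables, costliest first: ContainerLogV2 (used only by a hunting query, eligible for basic logs), CommonSecurityLog (unused), Perf (Azure Monitor only) and SigninLogs (used only by a workbook, since its only rule is disabled); SecurityEvent is skipped because an enabled rule reads it. In a real workspace the analytics rules come from the Sentinel API rather than the workspace, so the consumer list has to be assembled outside KQL.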
Threat-based optimization
To optimize threat coverage, SOC optimization recommends adding security controls to your environment in the form of extra detections and data sources, using a threat-based approach.
To provide threat-based recommendations, SOC optimization looks at your ingested logs and enabled analytics rules, and compares it to the logs and detections that are required to protect, detect, and respond to specific types of attacks.
This optimization type is also known as coverage optimization, and is based on Microsoft’s security research. The following table lists the available threat-based SOC optimization recommendations:
| Observation | Action |
|---|---|
| There are data sources, but detections are missing. | Turn on analytics rule templates based on the threat. |
| Templates are turned on, but data sources are missing. | Connect new data sources. |
| There are no existing detections or data sources. | Connect detections and data sources or install a solution. |
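To make the comparison in the table concrete, the following added example (not Microsoft's code and not how the product computes coverage) models a threat scenario as the set of detection templates it needs, each naming the tables it queries and the ATT&CK technique it covers, and buckets every template into one of the three observations above. It also derives the numbers the scenario page shows (active detections, recommended detections, coverage percentage) and the list of tables you would still have to connect. The scenario, template and table names and the technique mappings are constructed for illustration.

```python
"""Offline model of Microsoft Sentinel's threat-based (coverage) check.

Added example, not Microsoft's code. A threat scenario is modelled as the
set of detection templates it needs, each template naming the tables it
queries and the ATT&CK technique it covers. Scenario, template and table
names below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# The three actions from the reference table.
TURN_ON = "Turn on analytics rule templates based on the threat."
CONNECT = "Connect new data sources."
INSTALL = "Connect detections and data sources or install a solution."


@dataclass(frozen=True)
class DetectionTemplate:
    name: str
    required_tables: frozenset[str]  # data sources the template's KQL reads
    technique: str                   # ATT&CK technique ID the template maps to


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    templates: tuple[DetectionTemplate, ...]


@dataclass
class Coverage:
    scenario: str
    active: list[str]               # enabled and fed by ingested data
    actions: dict[str, list[str]]   # reference action -> affected templates
    missing_tables: set[str]        # what still has to be connected
    covered_techniques: set[str]    # ATT&CK techniques with an active detection

    @property
    def recommended(self) -> int:
        return sum(len(v) for v in self.actions.values())

    @property
    def coverage_pct(self) -> float:
        total = len(self.active) + self.recommended
        return round(100.0 * len(self.active) / total, 1) if total else 0.0


def evaluate(scenario: ThreatScenario, ingested_tables: set[str], enabled_rules: set[str]) -> Coverage:
    """Compare what the scenario needs with what the workspace ingests and has
    enabled, and bucket every template into one of the three observations."""
    cov = Coverage(scenario.name, [], {TURN_ON: [], CONNECT: [], INSTALL: []}, set(), set())
    for t in scenario.templates:
        has_data = t.required_tables <= ingested_tables
        is_on = t.name in enabled_rules
        if has_data and is_on:
            cov.active.append(t.name)
            cov.covered_techniques.add(t.technique)
            continue
        cov.missing_tables |= t.required_tables - ingested_tables
        if has_data:        # data sources present, detection missing
            cov.actions[TURN_ON].append(t.name)
        elif is_on:         # template on, but its data never arrives
            cov.actions[CONNECT].append(t.name)
        else:               # neither detection nor data
            cov.actions[INSTALL].append(t.name)
    return cov


# Constructed sample scenario and workspace state (illustrative names only).
SAMPLE_SCENARIO = ThreatScenario(
    "Credential abuse (constructed scenario)",
    (
        DetectionTemplate("Password spray from single source", frozenset({"SecurityEvent"}), "T1110"),
        DetectionTemplate("Sign-in from unfamiliar location", frozenset({"SigninLogs"}), "T1078"),
        DetectionTemplate("Lateral movement over SMB (firewall)", frozenset({"CommonSecurityLog"}), "T1021"),
        DetectionTemplate("Ransomware file rename burst",
                          frozenset({"DeviceFileEvents", "DeviceProcessEvents"}), "T1486"),
        DetectionTemplate("Valid account after brute force",
                          frozenset({"SecurityEvent", "SigninLogs"}), "T1078"),
    ),
)
SAMPLE_INGESTED = {"SecurityEvent", "SigninLogs"}
SAMPLE_ENABLED = {
    "Password spray from single source",
    "Lateral movement over SMB (firewall)",   # on, but CommonSecurityLog is not ingested
    "Valid account after brute force",
}

if __name__ == "__main__":
    cov = evaluate(SAMPLE_SCENARIO, SAMPLE_INGESTED, SAMPLE_ENABLED)
    print(f"{cov.scenario}: {len(cov.active)} active, {cov.recommended} recommended, "
          f"{cov.coverage_pct}% coverage, techniques {sorted(cov.covered_techniques)}")
    for action, templates in cov.actions.items():
        for name in templates:
            print(f"  {name:<40} -> {action}")
    print(f"  tables to connect: {sorted(cov.missing_tables)}")
```

With the sample state the scenario shows 2 active and 3 recommended detections (40% coverage): one template only needs switching on, one is enabled but starved of CommonSecurityLog data, and one needs both its Defender for Endpoint tables and the detection itself. That is the same split the portal presents per scenario, and it explains why a scenario can sit at low coverage even when most of its templates are enabled.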
Sources
https://learn.microsoft.com/en-us/azure/sentinel/soc-optimization/soc-optimization-reference
Conclusion
In conclusion, SOC Optimization in Microsoft Sentinel helps organizations tune their security operations, improve threat coverage and reduce ingestion costs, with daily, threat-based recommendations that replace a good deal of manual analysis. Work through the scenarios and the data value recommendations regularly, and verify what was changed from the Completed tab.