SOC optimization reference of recommendations (preview)
Use SOC optimization recommendations to help you close coverage gaps against specific threats and tighten your ingestion rates against data that doesn't provide security value. SOC optimizations help you optimize your Microsoft Sentinel workspace, without having your SOC teams spend time on manual analysis and research.
Microsoft Sentinel SOC optimizations include the following types of recommendations:
Threat-based optimizations recommend adding security controls that help you close coverage gaps.
Data value optimizations recommend ways to improve your data use, such as a better data plan for your organization.
This article provides a reference of the SOC optimization recommendations available.
Important
Microsoft Sentinel is available as part of the public preview for the unified security operations platform in the Microsoft Defender portal. For more information, see Microsoft Sentinel in the Microsoft Defender portal.
Data value optimizations
To optimize your cost to security value ratio, SOC optimization surfaces hardly used data connectors or tables, and suggests ways to either reduce the cost of a table or improve its value, depending on your coverage. This type of optimization is also called data value optimization.
Data value optimizations only look at billable tables that ingested data in the past 30 days.
The following table lists the available data value SOC optimization recommendations:
| Observation | Action |
|---|---|
| The table wasn’t used by analytic rules or detections in the last 30 days but was used by other sources, such as workbooks, log queries, hunting queries. | Turn on analytics rule templates OR Move to basic logs if the table is eligible |
| The table wasn’t used at all in the last 30 days | Turn on analytics rule templates OR Stop data ingestion or archive the table |
| The table was only used by Azure Monitor | Turn on any relevant analytics rule templates for tables with security value OR Move to a nonsecurity Log Analytics workspace |
If a table is chosen for UEBA or a threat intelligence matching analytics rule, SOC optimization doesn't recommend any changes in ingestion.
Important
When making changes to ingestion plans, we recommend always ensuring that the limits of your ingestion plans are clear, and that the affected tables aren't ingested for compliance or other similar reasons.
Threat-based optimization
To optimize data value, SOC optimization recommends adding security controls to your environment in the form of extra detections and data sources, using a threat-based approach.
To provide threat-based recommendations, SOC optimization looks at your ingested logs and enabled analytics rules, and compares it to the logs and detections that are required to protect, detect, and respond to specific types of attacks. This optimization type is also known as coverage optimization, and is based on Microsoft's security research.
The following table lists the available threat-based SOC optimization recommendations:
| Observation | Action |
|---|---|
| There are data sources, but detections are missing. | Turn on analytics rule templates based on the threat. |
| Templates are turned on, but data sources are missing. | Connect new data sources. |
| There are no existing detections or data sources. | Connect detections and data sources or install a solution. |
Next step
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for