Summary of "The Unified SecOps Experience Using Microsoft Sentinel’s Latest Features"
Overview
The video explains Microsoft Sentinel’s unified SecOps experience by focusing on Microsoft Sentinel’s latest integration features in the Defender XDR portal. The core theme is moving from a SIEM-only incident workflow to a unified XDR + Sentinel incident investigation workflow, with improvements in:
- faster triage speed
- correlation across sources
- multi-tenant/multi-workspace support
- new case/task handling UI
Key technological concepts & product features
1) Unified Incidents across SIEM + XDR (correlation / merging)
- In the unified portal, incidents from different sources (e.g., XDR/Defender, Sentinel, or external sources) are merged into a single incident.
- The underlying data still comes from Azure Log Analytics / Azure Monitor workspaces, but the incident view becomes unified.
- Correlation boundary: events are correlated based on the workspace and tenant scope.
- The video notes terminology is aligned so users understand correlation as “merging incidents.”
- It also references “miscorrelation” scenarios where alerts may be incorrectly correlated.
2) Workspaces as the Sentinel storage/data scope
- A “workspace” is described as where Sentinel data lands (connectors/agents → Log Analytics / Azure Monitor workspace).
- Users can define filters and scope so the incident queue focuses on the right workspace(s).
- In Sentinel settings within the Defender XDR portal, Sentinel workspaces are connected so Sentinel data is unified into the Defender/XDR incident experience.
3) Faster incident triage with flyouts + actionability
The incident list supports rapid triage without fully opening the incident:
- Clicking the incident row background opens a right-side flyout panel with rich metadata.
- From the flyout, analysts can:
  - view impacted assets
  - review the activity log
  - run playbooks
  - manage incident actions
A key update adds visibility into what happened before incident merging:
- A filter shows incident logs from prior to merging, addressing feedback that earlier triage history became harder to find after merging.
4) Visual signals for severity, critical assets, and attack disruption
The UI highlights:
- severity (e.g., “High” indicating it needs attention)
- critical assets via a “crown” indicator
- whether attack disruption actions occurred
  - e.g., shown as a disruption such as access disrupted / connection closed
The incident UI also introduces an Action Center concept to explain disruption outcomes.
5) Sentinel vs Unified queue differences (reducing analyst load)
The video contrasts:
- In non-unified Sentinel or XDR views, the same attack may surface as many separate incidents and alerts.
- In the unified portal, related alerts that form the same attack story become one unified incident.
This is positioned as reducing parallel analyst effort—fewer incidents to triage for the same underlying attack.
6) UI wording updates for correlation and alert movement
Based on user/customer feedback, the UI clarifies actions:
- “Link alert to another incident” is changed to “Move alert to another incident” for miscorrelation correction.
- “Correlation reasons” wording is clarified to better explain what is correlated and why.
- Multi-select alerts can be moved in bulk to a new/existing incident.
Multi-tenant / multi-workspace “multi-x” hunting expansion
The video revisits multi-tenancy and extends it with multi-workspaces beneath tenants.
In the portal:
- users can select multiple tenants (“My organizations”)
- and multiple related workspaces
This expands hunting capability:
- hunting queries can span multiple tenants/workspaces
- the video mentions using a KQL union across the per-tenant/per-workspace queries to combine results
- it ties directly to MSSP scenarios (managing multiple customers/workspaces)
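As an added illustration of the multi-workspace hunting described above (this is not a query from the video), the KQL below unions the same table from several Log Analytics workspaces with the workspace() function and then looks for accounts with a burst of failed sign-ins. The workspace names, the threshold and the hunt itself are placeholders chosen for the example.

```kql
// Added example, not from the video. Workspace names are placeholders.
// Hunt for users with more than 20 failed sign-ins in the last hour,
// across several customer workspaces (an MSSP-style multi-workspace hunt).
union withsource=SourceWorkspace isfuzzy=true   // isfuzzy tolerates a workspace that lacks the table
    workspace("customer-a-sentinel").SigninLogs,
    workspace("customer-b-sentinel").SigninLogs,
    SigninLogs                                  // the workspace the query is run from
| where TimeGenerated > ago(1h)
| where ResultType != "0"                       // "0" is success in SigninLogs; anything else failed
| summarize FailedAttempts = count(),
            DistinctIPs = dcount(IPAddress),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by SourceWorkspace, UserPrincipalName
| where FailedAttempts > 20
| order by FailedAttempts desc
```

The withsource column keeps the originating workspace on every row, so the summarized result still tells the analyst which customer each finding belongs to; isfuzzy=true keeps the query running when one workspace has no SigninLogs table rather than failing the whole hunt. This is the Log Analytics cross-workspace form of the query; the unified portal additionally lets the tenants and workspaces be selected in the UI, as the video shows.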
Additional UI/workflow enhancements in Defender XDR portal
New “Refresh” indicator for changed incidents
- A new Refresh button (with a UI indicator) shows which incidents have changed since the last view.
- Example changes include:
  - incident ownership assignment (e.g., “Unassigned” → assigned)
  - severity updates
- Users can confirm changes via the activity log.
Tasks inside incidents
- Incident details include a Tasks section (similar to Sentinel tasks):
  - add tasks (e.g., “Investigate malicious IP”)
  - assign tasks and set status (e.g., In progress)
  - add due dates, categories, triage requirements, descriptions, and closing notes
- A question is raised in the video about notifications for overdue tasks; the speaker indicates that multiple notification/management approaches are coming (public preview).
Public preview: Cases in the unified portal
Cases are introduced as a new concept:
- create a case with a name and assignment
- link one or more incidents to the case
- add tasks within the case
- manage tasks across incidents (and potentially across alerts included in the case)
The speaker frames Cases as an early step toward full case management, with more coming.
Proactive correlation example using an empty case
A non-incident-based workflow is demonstrated:
- create an empty case (example: phone stolen in Madrid)
- assign tasks like block SIM card
- proactively wait for relevant correlated signals (e.g., unfamiliar sign-in)
This showcases using unified data to connect user-reported events with investigation signals.
Reviews / feedback handling mentioned
The video explicitly references “customer feedback” and “Ninja Show” feedback:
- Merging incidents removed earlier triage visibility → addressed via a filter to show logs prior to merging
- UI wording and terminology improvements (e.g., move vs link, “correlation reasons” wording) based on feedback
Product behavior changes are presented as iterative improvements driven by SOC/user needs.
Main speakers / sources
- Heike Ritter (host)
- Tiander Turpijn (Principal Product Manager, SIEM and XDR)
Category
Technology