The features that I or my customers consider most valuable within Microsoft Sentinel include the ability to query, the integration with the rest of the Defender and the Microsoft suites, and the workbooks and dashboards. The ability to query is valuable to us because it allows you to drill down to specific information that you need and even drill down further from there. It really helps you get at the information, especially from an investigative perspective, that you need. The workbook dashboards, once you find a good information set or data set, let you flip that around and turn it into a dashboard so it can be repeatable and visible to other folks in the organization.

Microsoft Sentinel's ability to correlate data from multiple sources enhances our threat detection capabilities beyond what is a simple data lake solution by filtering out the noise and consolidating the signal down to a meaningful level that is easier to investigate and see. It allows us to truly see what is going on and gives us that focused visibility. It does provide actionable data, not just visibility, as it can provide insights beyond what a normal data stream could give you.

The integration of security functionalities such as SIEM, SOAR, TIP, and UEBA in Microsoft Sentinel is well-executed, particularly the seamless integration of UEBA. However, there is confusion between UEBA and Defender for Identity that needs to be explored further. Microsoft has defined the XDR level, but from an MSSP perspective, the SOAR capability is integrated adequately, while customers might not fully utilize it yet due to marketing factors. Creating an awareness campaign for these integrations would be beneficial.

The impact of Microsoft Sentinel on our advanced hunting abilities has been significant because it allows us to really hone in from an investigative perspective and dive deeper into investigations.
Even without access to a customer's environment, we capture a lot of data and can drill down on specifics like when and from where emails were sent, what their content was, and so on. It provides us with a complete attack story and history.

Up until recently, the MITRE ATT&CK integration in Microsoft Sentinel was based on an older version, rendering it less meaningful, but now with the upgrade to the latest version, it allows us to map our threat intelligence efficiently to the MITRE framework, which has been beneficial.

I would highlight the new case management feature as great. Its presence gives Microsoft Sentinel an edge as many other SIEMs have had mature case management capabilities. Additionally, as it becomes part of the Defender portal, the journey and integration narrative between Sentinel and the complete Defender XDR should be better defined, especially since more customers opt for Sentinel only. Having a great CX team within Microsoft enhances the experience, although having a distracted account manager lessens focus on critical details for customer needs.

A lot of the automation inside Sentinel comes with actually rolling out brand new Sentinel environments. We utilize that a lot and it might go beyond just Sentinel, for example, utilizing templates in Azure and templates elsewhere to actually deploy out. A good scenario is when customer environments have multi-tenancy. Being able to roll out those additional tenants with the automation has been huge. We went from it taking 20 hours to build a tenant to a matter of two to four hours. That's a 75% savings.

The SOC optimization is a big part of what we do. We have to manage our own costs; however, we have built in automations for reporting to trigger when data is exposed. I have one customer that had 225 GB a day when onboarded, and now we're down to 110 GB. As far as our reporting, it does help everything become more efficient.