What's new in Microsoft's unified security operations platform
This article lists recent features added into Microsoft's unified SecOps platform within the Microsoft Defender portal, and new features in related services that provide an enhanced user experience in the platform.
January 2025
- Manage SecOps work natively with case management (Preview)
- Unified device timeline in Microsoft Defender portal (Preview)
- SOC optimization updates for unified coverage management
Case management (Preview)
Case management is the first installment of an end-to-end solution that provides seamless management of your security work. SecOps teams maintain security context, work more efficiently, and respond faster to attacks when they manage case work without leaving the Defender portal. Here's the initial set of scenarios and features that case management supports.
- Define your own case workflow with custom status values
- Assign tasks to collaborators and configure due dates
- Handle escalations and complex cases by linking multiple incidents to a case
- Manage access to your cases using RBAC
This is just the start. Stay tuned for additional capabilities as we evolve this solution.
For more information, see the following articles:
- Manage cases natively in Microsoft's unified security operations (SecOps) platform
- Microsoft Sentinel blog - Improve SecOps collaboration with case management
Unified device timeline in Microsoft Defender portal (Preview)
The unified device timeline, a single, cohesive view that integrates device activity from Microsoft Sentinel and Defender XDR into a single timeline, is now available in Preview. This feature streamlines security investigations by enabling analysts to access all relevant device activities in one place, reducing the need to switch between platforms and lowering incident response times.
For more information, see Device entity page in Microsoft Defender.
SOC optimization updates for unified coverage management
In workspaces enabled for unified security operations, SOC optimizations now support both SIEM and XDR data, with detection coverage from across Microsoft Defender services.
In the Defender portal, the SOC optimizations and MITRE ATT&CK pages also now provide extra functionality for threat-based coverage optimizations to help you understand the impact of the recommendations on your environment and help you prioritize which to implement first.
Enhancements include:
Area | Details
---|---
SOC optimizations Overview page | - A High, Medium, or Low score for your current detection coverage. This scoring can help you decide at a glance which recommendations to prioritize.<br>- An indication of the number of active Microsoft Defender products (services) out of all available products. This helps you understand whether there's a whole product that you're missing in your environment.
Optimization details side pane, shown when you drill down to a specific optimization | - Detailed coverage analysis, including the number of user-defined detections, response actions, and products you have active.<br>- Detailed spider charts that show your coverage across different threat categories, for both user-defined and out-of-the-box detections.<br>- An option to jump to the specific threat scenario in the MITRE ATT&CK page instead of viewing MITRE ATT&CK coverage only in the side pane.<br>- An option to View full threat scenario to drill down to even further details about the security products and detections available to provide security coverage in your environment.
MITRE ATT&CK page | - A new toggle to view coverage by threat scenario. If you've jumped to the MITRE ATT&CK page from either a recommendation details side pane or from the View full threat scenario page, the MITRE ATT&CK page is pre-filtered for your threat scenario.<br>- The technique details pane, shown on the side when you select a specific MITRE ATT&CK technique, now shows the number of active detections out of all available detections for that technique.
For more information, see Optimize your security operations and Understand security coverage by the MITRE ATT&CK framework.
December 2024
- New SOC optimization recommendations based on similar organizations (Preview)
- Microsoft Sentinel workbooks now available to view directly in the Microsoft Defender portal
New SOC optimization recommendations based on similar organizations (Preview)
SOC optimizations now include new recommendations for adding data sources to your workspace, based on the security posture of other organizations in industries and sectors similar to yours and with similar data ingestion patterns.
For more information, see SOC optimization reference of recommendations.
Microsoft Sentinel workbooks now available to view directly in the Microsoft Defender portal
Microsoft Sentinel workbooks are now available for viewing directly in the Microsoft Defender portal with Microsoft's unified security operations (SecOps) platform. Now, in the Defender portal, when you select Microsoft Sentinel > Threat management > Workbooks, you remain in the Defender portal instead of a new tab opening for workbooks in the Azure portal. You only need to switch to the Azure portal when you want to edit your workbooks.
Microsoft Sentinel workbooks are based on Azure Monitor workbooks, and help you visualize and monitor the data ingested to Microsoft Sentinel. Workbooks add tables and charts with analytics for your logs and queries to the tools already available.
For more information, see Visualize and monitor your data by using workbooks in Microsoft Sentinel and Connect Microsoft Sentinel to Microsoft Defender XDR.
November 2024
- Microsoft Sentinel availability in Microsoft Defender portal
- Feature availability for Government clouds
Microsoft Sentinel availability in Microsoft Defender portal
We previously announced that Microsoft Sentinel is generally available within Microsoft's unified security operations platform in the Microsoft Defender portal. In preview, Microsoft Sentinel is now available in the Defender portal without Microsoft Defender XDR or an E5 license. For more information, see:
- Microsoft Sentinel in the Microsoft Defender portal
- Connect Microsoft Sentinel to the Microsoft Defender portal
Feature availability for Government clouds
In the Defender portal, all Microsoft Sentinel features for unified SecOps that are generally available are now available in the commercial, GCC High, and DoD clouds. Features still in preview are available only in the commercial cloud.
For more information, see Microsoft Sentinel feature support for Azure commercial/other clouds and Microsoft Defender XDR for US Government customers.
Related content
For more information on what's new with other Microsoft Defender security products and Microsoft Sentinel, see:
- What's new in Microsoft Sentinel
- What's new in Microsoft Defender XDR
- What's new in Microsoft Defender for Office 365
- What's new in Microsoft Defender for Endpoint
- What's new in Microsoft Defender for Identity
- What's new in Microsoft Defender for Cloud Apps
- What's new in Microsoft Security Exposure Management
You can also get product updates and important notifications through the message center.