In the first blog in this series, I introduced the new Microsoft Defender portal. In part two, alongside Jon Shectman, Principal Program Manager for Security at Microsoft, I’ll explain how to maximise Security Operations Centre (SOC) optimisation.
Harnessing the power of SOC optimisation in Defender
In the ever-evolving realm of cyber security, it’s imperative to maintain an edge over threat actors. The SOC optimisation feature within Defender is a powerful tool aimed at enhancing your organisation’s security stance through ongoing improvements and personalised recommendations.
The Importance of SOC optimisation
Before delving into specifics, it’s crucial to grasp why SOC optimisation is essential. The cyber security landscape is continuously changing, with attackers perpetually inventing new methods. Security is not a fixed target but a continuous journey of enhancement. Many SOCs face challenges with high noise-to-signal ratios, often overwhelmed by false positives and inadequately calibrated alerts. SOC optimisation helps overcome these challenges by providing actionable insights to refine and improve security operations.
Understanding SOC optimisation in Defender
SOC optimisation in Defender offers tailored recommendations to optimise your organisation’s security operations. These recommendations are divided into three categories: Data Value, Coverage-based, and Similar Organisations, each targeting different aspects of SOC efficiency and effectiveness. SOC optimisation features are available in both Defender and the standalone Microsoft Sentinel within the Azure portal. While both provide similar functionalities, there are some differences, which I’ll highlight as necessary.
Overview of SOC optimisation in Defender
The Overview page in Defender serves as your gateway to SOC optimisation. It features status panes and recommendations displayed as cards. Clicking on a card opens a detailed pane on the right, allowing you to explore recommendations further. A search pane enables quick navigation across cards, simplifying the process.
Data Value Recommendations
Data Value Recommendations focus on maximising the utility of your Security Information and Event Management (SIEM) investment by optimising ingested data. This is achieved through three types of recommendations aimed at leveraging your data resources effectively.
Key Considerations for Data Value Recommendations:
- Billable Data Focus: Recommendations target billable data ingested over the past 30 days. Consider how this data might be used differently in the future for threat hunting, retention, or incident response. Collaborate with relevant teams to ensure data is properly assessed.
- Proactive Logging: Keep a log of optimisation actions taken and revisit them periodically to ensure alignment with evolving business needs. The Overview page’s Completed status is a helpful starting point, but don’t rely on it exclusively.
- UEBA and TI Exceptions: If a data table is selected for User and Entity Behaviour Analytics (UEBA) or threat intelligence matching, SOC optimisation will not recommend changes to its ingestion, assuming its utility elsewhere.
Unused Columns feature
A notable preview feature in Data Value Recommendations is the Unused Columns feature, which identifies underutilised data columns that can be optimised. It’s important to verify that any tables marked for optimisation are not required for compliance, health monitoring, or other critical functions.
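Before acting on a Data Value or Unused Columns recommendation, it helps to confirm what the workspace has actually been billed for over the 30-day window the recommendations use, and which columns of a candidate table carry no data. The KQL below is an added example and not part of the original post or of the SOC optimisation feature itself; it runs against the standard Log Analytics Usage table and, as an illustration, the SecurityEvent table. The 10,000-row sample size and the choice of SecurityEvent are assumptions; substitute the table named on the recommendation card.

```kql
// Part 1: billable ingestion per table over the past 30 days (MB).
// Quantity in the Usage table is reported in megabytes; IsBillable
// excludes free data types such as platform heartbeat data.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize IngestedMB = sum(Quantity) by DataType
| order by IngestedMB desc

// Part 2: rough manual check for columns that are never populated
// in a candidate table. Each row is packed into a property bag,
// expanded to [column, value] pairs, and columns with no non-empty
// value across the sample are listed. Sample size is an assumption;
// widen it for tables with sparse but important fields.
SecurityEvent
| where TimeGenerated > ago(30d)
| take 10000
| project Packed = pack_all()
| mv-expand bagexpansion=array Packed
| extend ColumnName = tostring(Packed[0]), Value = tostring(Packed[1])
| summarize NonEmptyRows = countif(isnotempty(Value)), SampledRows = count() by ColumnName
| where NonEmptyRows == 0
| project ColumnName, SampledRows
```

Run the two queries separately in the Sentinel Logs blade. The first tells you which tables dominate cost and are therefore worth an optimisation decision; the second gives you evidence to take to the owning team before a column or table is dropped, which is the verification step the recommendation itself cannot do for you (compliance, health monitoring and UEBA or threat intelligence dependencies still need to be confirmed by the people who rely on that data).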
Coverage-based recommendations
Coverage-based recommendations are essential for identifying vulnerabilities and fortifying your organisation’s security framework. They focus on detecting gaps in threat coverage and addressing scenarios that could lead to significant business or financial exposure.
Key Components of Coverage-based SOC Optimisations:
- Detection Rule Configuration: Many organisations ingest datasets without configuring the appropriate custom detection rules, known as analytics rules in Microsoft Sentinel. Implementing these rules can significantly enhance security coverage beyond default settings.
- Example Scenario: IaaS Resource Theft: Consider a scenario where your current coverage includes one active detection rule against Infrastructure as a Service (IaaS) resource theft, while 86 additional rules are recommended. SOC optimisation cards highlight such opportunities for improvement, presenting them through intuitive visualisations.
- Microsoft XDR Products Integration: Unique to Defender, SOC optimisation also displays recommendations for Microsoft extended detection and response (XDR) products alongside Sentinel rules, offering a comprehensive view of your security setup.
- Exploring Threat Scenarios: By clicking “View full threat scenario,” you can access detailed breakdowns of relevant Sentinel rules and products, enabling you to take informed
I hope you’ve found these updates valuable. If so, you might be interested in part three, where I talk about how to unravel Incidents, Alerts, and Correlation in Defender. I’ll publish part three on 28th August 2025.
In the meantime, if you would like to discuss any of these issues, don’t hesitate to get in touch.