Transitioning to the Unified Platform Webinar

Apr 24, 2025

Introduction

  • Speakers: Chin Wi (Product Manager) & Naomi Christie (Co-host)
  • Session Focus: Transition to the Unified Platform
    • Overview of the platform
    • Best practices for key areas
    • Demos for smooth transition

Overview of the UniFi Platform

  • Foundation: Built on global threat intelligence analyzed by researchers and AI.
    • Detection: Out-of-the-box detections based on the current threat landscape.
  • Security Layers:
    • Posture Layer: Harden the environment and analyze incidents and attack paths.
    • Threat Detection & Response: Integrates multiple layers to provide full visibility.
    • AI Integration: Automations to save time and disrupt attacks.
  • Platform Support:
    • Expansion to all major cloud platforms.
    • 360-degree view across all attack surfaces.

Integration with Microsoft Sentinel

  • Historical Context: Previously required working across two portals (Sentinel & Defender).
  • Benefits of Unification:
    • Single portal for monitoring, managing, detecting, and responding to incidents.
    • Unified view of incidents and attacks.

Key Areas Covered

Onboarding Experience

  • Prerequisites:
    • Microsoft Sentinel workspace enabled.
    • Properly configured data connector for Microsoft Defender XDR.
    • Correct permissions and roles.
  • Demo Highlights:
    • Connecting Sentinel to the Defender portal.
    • Configuring the Defender XDR connector.

Correlation

  • Definitions:
    • Alerts: Indicate malicious or suspicious events.
    • Incidents: Collections of related alerts representing broader attack stories.
  • Correlation Engine: Merges incidents based on common elements.
    • Reasons for Merging: Similar entities, AR effects overlap, sequence of events.
    • Non-merging Conditions: Closed incidents, different assignments, classifications.
  • Demo Highlights:
    • Investigation section of the portal.
    • Manual relinking and merging of alerts and incidents.

Automation

  • Overview: Automation of repetitive tasks, implemented through workflows.
  • Best Practices:
    • Use 'analytics rule name' instead of incident title for filter conditions.
    • Replace 'incident provider' with 'alert product names' for more granular conditions.
  • Demo Highlights:
    • Configuring and using automation rules.
    • Using the Microsoft Graph API for incident and alert data.

Advanced Hunting

  • Features: Query-based tool for data exploration and threat hunting.
  • Best Practices:
    • Replace the 'security alert' table with 'alert info' and 'alert evidence'.
    • Use 'link to incident' for capturing records.
  • Demo Highlights:
    • Advanced hunting experience.
    • Linking and taking actions on query results.
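The table swap recommended above, shown as an added KQL example (not a query from the webinar or from Microsoft): in the unified portal, the Sentinel SecurityAlert table is replaced by the Defender XDR AlertInfo (one row per alert) and AlertEvidence (one row per entity tied to an alert) tables, so a hunting query joins the two on AlertId and then rolls the entities back up per alert. The 7-day lookback and the severity filter are illustrative choices, not values from the session.

```kql
// Added example, not part of the original webinar summary.
// Assumes the unified portal's advanced hunting schema (AlertInfo / AlertEvidence);
// the lookback window and severity filter are arbitrary choices for illustration.
let lookback = 7d;
AlertInfo
| where Timestamp > ago(lookback)
| where Severity in ("High", "Medium")
| join kind=inner (
    AlertEvidence
    | where Timestamp > ago(lookback)
    // Keep only the entity columns; dropping Timestamp avoids a column clash on join.
    | project AlertId, EntityType, EvidenceRole, DeviceName, AccountName,
              FileName, SHA256, RemoteIP, RemoteUrl
) on AlertId
// One row per alert again, with the attached entities collected into a set
// so the result can be reviewed and linked to an incident from the portal.
| summarize
    Entities = make_set(strcat(EntityType, ":",
                   coalesce(DeviceName, AccountName, FileName, RemoteIP, RemoteUrl)), 50),
    ImpactedEntities = countif(EvidenceRole == "Impacted"),
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp)
    by AlertId, Title, Category, Severity, ServiceSource, DetectionSource
| order by LastSeen desc
```

Because the rows come back keyed by AlertId, the 'link to incident' action in the results view can attach any of them to an existing incident, which is the capture step the best practice refers to; ServiceSource and DetectionSource carry the product that raised the alert, the same field the automation section suggests filtering on instead of the incident provider.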

Additional Features

  • Case Management:
    • Manage security work from within the portal.
    • Custom workflows, task assignment, escalations.
  • SOC Optimization:
    • Recommendations to optimize security controls.
    • Unified coverage view for metrics.

Conclusion

  • Final Remarks: Encouragement to explore the unified platform for its streamlined experience.
  • Community Engagement: Invitation to join the security community and participate in further webinars.

This summary covers the main topics, demos, and practical steps presented during the webinar on transitioning to the Unified platform. Be sure to explore the additional resources and documentation provided during the session for a comprehensive understanding of the platform's capabilities.