Transcript for:
Transitioning to the Unified Platform Webinar

Hi everyone, welcome to the webinar, and I hope you're doing well. If we haven't met or talked before, my name is Chin Wi, and I'm a product manager on a team called the One SOC Customer Experience Engineering team here. I'm just really happy to be here; this is one of our very first sessions on the transition to the unified platform training, so we have a lot of exciting things to cover in today's session. With me today is my wonderful colleague Naomi Christie. Naomi, do you want to introduce yourself?

Yeah, hi guys, hi everyone, and as Chin mentioned, I'm Christie and I will be your co-host for today.

All right, so for today's session, what we're going to talk about is really, yes, the transition to the unified platform. We're going to start with an overview of the unified platform, explain a little bit of what it is and our vision and thinking behind its creation, and we're also going to share some of the best practices for the key areas, along with demos, to help you make a successful and smooth transition to the unified platform. The areas that we're going to cover will include the onboarding experience, alert and incident correlation, automation, advanced hunting and other feature areas. Oh, by the way, if you have any questions, please feel free to drop them in the chat; we have an amazing team here in the chat that will help us monitor and answer the questions while Naomi and I focus on the presentation.

Okay, so as Chin mentioned, we will begin with an overview of the unified SecOps platform, so let's take a look at what we are actually unifying. It all starts with a foundation of global threat intelligence. This intelligence is built by human researchers and AI who analyze trillions of signals a day to create that understanding of the threat landscape. These foundations allow us to understand what attackers are doing, and then we turn this knowledge into out-of-the-box, real-world detections that help protect you. Next, we focus on our posture layer to ensure that you can harden your environment and have visibility into what needs to be done, and this isn't just passive protection: it also includes active analysis of incidents and attack paths, looking at how attackers could get from breach points to critical assets. We help prioritize these gaps and even provide simple instructions to fix them. On top of that, post-breach, our threat detection and response combines the depth of XDR and the breadth of SIEM to pull in information from your entire organization, so this gives you full visibility across the entire attack chain, integrating multiple layers of the security domains. Finally, we top it off with cybersecurity-specific AI: automations that help disrupt attacks and also help save your analysts' time by providing recommendations and much more.

We integrate capabilities across the entire life cycle of threats in virtually every domain and platform. We are heavily investing in expanding our support for all major cloud platforms, ensuring that we have that multicloud support as well as on-premises support. This helps give us that 360 view of all attack surfaces across different operating systems, regardless of whether the attack occurs on a server, endpoint or mobile device. We will deliver a cross-domain SOC experience, and for the past year we have been really focusing on integrating Sentinel into our unified vision. Just to make sure we're all on the same page: before the release of the unified view, we had to work in two different portals. We had the Microsoft Sentinel portal, which is located in the classic Azure portal, and we had the Defender portal. Both are very strong products with amazing capabilities and many connections between them, but they were in two different places, and that's why we introduced the unified SecOps portal. Now, this slide perfectly illustrates the benefits of the unification of both portals. So why should you transition? Well, first and foremost, we heard for many years that working with multiple portals is a struggle. To triage an incident you would start in the Sentinel portal, then pivot back to the Defender portal for more information on XDR incidents, and then finally you might return to the Sentinel portal to close the incident. This involves multiple hops between portals, and many of you requested a single portal for your security services to monitor, manage, detect and respond to your incidents. We provide that single view by bringing your SOC operations team into the Defender XDR world. This is a significant step because traditionally these teams are separated, right? So you typically have the SOC team, the XDR team and then the underlying Defender teams, and now we bring them together, which results in getting that comprehensive incident view with a full attack story. You won't need to click multiple times or switch portals; you get the single attack story and the combination of SIEM and XDR in one portal, with Sentinel having its own navigation piece on the left-hand side.

So let's just highlight some of the benefits. First, all incidents from Sentinel and other Microsoft first-party products are integrated into this unified SecOps view. Advanced hunting is also now in one place. We have case management, which helps with handling multiple incidents in a single case. We have significant improvements on SOC optimizations, where we now provide a unified coverage view that allows you to see coverage metrics for Sentinel detections and first-party detections such as MDE and MDI. And actually the integration also goes beyond that, right? For example, we also integrate with Exposure Management, which helps improve the graph experience because we incorporate that attack path that I talked about in the beginning; that attack path we integrated into the investigation graph. We won't discuss the embedded generative AI Copilot for Security in detail in this webinar, but I just want to re-highlight that it's also part of the unified portal. But I think that's enough with the high-level talk; let's dive into the different aspects and best practices, and let's start at the beginning, right, with the onboarding to the unified portal. Chin, take it away, please.

Awesome, thank you, Christie. So now on to the fun part, or the practical part, right: best practices. In this section we're going to dive into each of the key areas to highlight the best practices to make sure that you have what you need to successfully transition to the unified platform, really starting with the very first step. To be able to leverage these amazing benefits of the unified platform, first things first, we need to make sure that we can connect and onboard the Microsoft Sentinel workspace to the Defender portal. The goal for us is to make sure that we will have all the Microsoft Sentinel data and capabilities available to access right from the Defender portal itself. Now, the process of onboarding and connecting a Sentinel workspace is pretty straightforward; however, there are some prerequisites that we need to be aware of before we can start connecting the workspace. The first thing we need to be aware of is, well, yes, we need to have a Sentinel workspace, which is basically a Log Analytics workspace that has Microsoft Sentinel enabled. The second thing is we need to have a data connector for Microsoft Defender XDR, and the connector must be properly configured; I'm going to show that here through a demo. This is to make sure that we have all the incidents and alerts connected. And lastly, we need to have the right permissions and roles to onboard and connect the Sentinel workspace to the Defender portal. I do want to highlight, and reiterate what Naomi mentioned earlier, that the unified portal is now open to all Microsoft customers, including those who don't have an E5 license, which means that they can also onboard the Sentinel workspace to the unified platform even without having Defender products. So this is an awesome benefit, and I highly recommend that you take advantage of it.

On to the next one, getting into the process of onboarding Sentinel itself. When it comes to the configuration of the Defender XDR connector, there are three things to note here. First, we need to make sure that not only is the data connector enabled or connected, we also need to make sure that it's configured correctly, and by that we mean to turn off the Microsoft incident creation rule before we connect the incidents and alerts, as shown in the screenshot here. This is to avoid creating duplicate incidents and alerts that come from Defender products. To perform this step, either a Global Admin or a Security Admin role is required at the workspace tenant level. When it comes to the required roles and permissions, now assuming that we already have the Defender XDR connector properly configured, we need to have certain roles and permissions in order to connect the Sentinel workspace to the Defender portal, and you can choose either of these permission combinations: either Subscription Owner and Microsoft Sentinel Contributor, or User Access Administrator on the subscription together with the Sentinel Contributor role. Please note that the Microsoft Sentinel Contributor role can be at either the subscription, resource group or workspace resource level.

All right, so on to the demo. I just wanted to quickly mention that this is a pre-recorded demo and we're going to talk over it, so Christie, you can start. There are two entry ways to connect and onboard Sentinel to Defender. Starting here from the home page, you select the workspace that you want to connect to Defender and click on Next; then we're going to see some text about what we can expect to see when the workspace is connected. The second option is to start from the Settings page: click on Microsoft Sentinel, and we see all the workspaces that you have access to. Now, in this case I wanted to choose a workspace where we haven't got the Defender XDR connector enabled and configured yet, so in this case we will see this error message on top: it couldn't connect the workspace, and we need to go turn on the Defender connector for incidents in Microsoft Sentinel first. So here we navigate to the Azure portal; in Content Hub, search for the XDR connector, or solution in this case, and here I already have the solution installed in the workspace. Navigate to Data connectors, click on the Defender XDR connector and open the connector page; then we're going to see all the prerequisites and the configuration steps. In this case we already have Connect incidents and alerts configured, so the connector is already configured properly. Now back to the Defender portal Settings page; we can select the workspace and connect the workspace. Here there are some notes that tell us what to expect when the workspace is connected, things like the data and the queries from Sentinel being available for advanced hunting in Defender XDR. Click to proceed. Now, connecting the workspace, this step itself will take up to five minutes, so if you see this, don't panic, just be a little patient. Once the workspace is connected we should see the status switch from Not connected to Connected; it takes a little bit of time to pull all the capabilities over. Yep, there you go, so there's a little green dot there next to Connected, which signals that all the Sentinel data and capabilities are now available for us to access from within the unified portal. Awesome. All right, so that's about the demo.

We do have a really common question that customers ask us when they work through this process, related to RBAC. The question is: once a Sentinel workspace is onboarded to the unified SOC platform, will my Sentinel users be able to see everything from Defender XDR? The answer is: it depends, because a user's access to the data in the unified portal would depend on the workload-specific RBAC. What it means is, if the user already has, let's say, Sentinel access but they don't have access to any Defender workloads, then they won't be able to see and query any of the Defender data in the unified platform. For them to be able to view and access the data in Defender, or the unified platform in this case, they must have the permission to the specific Defender workloads that they are allowed to access. Also keep in mind that the Sentinel RBAC and Defender RBAC are assigned and managed separately. We do have really clear documentation that outlines what permissions you need to be able to access both Sentinel and Defender data in the unified platform, so I highly recommend checking out the documentation if you want to learn more.

Okay, all right, moving on to correlation. Now, before we discuss correlation and what changes for Sentinel customers moving to the SecOps platform, let's first agree on the definitions of alerts and incidents. What are alerts? Alerts are the basis of all incidents, and incidents cannot exist without alerts. Alerts are usually part of a broader attack, but individually an alert indicates a malicious or suspicious event in your environment, and it can originate from different threat detection activities. What are incidents? Incidents are containers for collections of related alerts, and they really tell the full story of an attack. The alerts in a single incident can come from a Microsoft security solution, or they can come from an external solution collected through Microsoft Sentinel and Microsoft Defender for Cloud. Now, if we agree on that definition, then we can understand that incidents are formed by related alerts. We have seen that a lot of customers use isolated systems with separate teams to manage the different security domains: think of teams for endpoint, think of a different team for identity, emails. However, in that case each team lacks the context of the others, which will make it more difficult to discover and respond to threats, and that's why we automatically correlate alerts into incidents to help you get that bigger picture. Now, of course, if an alert is sufficiently unique across all alert sources within a particular time frame, we will create a new incident and we will add the alert to that new incident, but if the alert is sufficiently related to other alerts, then we will add the alert to an existing incident. Also important to know is that the correlation activities don't stop when incidents are created or merged; we continue to detect commonalities and relationships between incidents and alerts across incidents, and when incidents are sufficiently alike we will also merge them. Also good to remember is that when incidents are merged, the content of one incident is migrated into the other one, and the original incident is then automatically closed and will no longer be available in the portal; so that's when you get your reference to a redirected or merged incident.

Now, we create incidents which represent larger attack stories, and the force behind this grouping of alerts into incidents is our correlation engine. The correlation engine merges incidents when it spots common elements between alerts, and I just wanted to touch on the most common reasons for merging. We merge when entities are similar: think of the same user showing up in alerts, or devices or mailboxes. We merge when artifacts overlap: think of files or processes. And of course time frames are also an important condition; we don't want to merge ancient incidents with new alerts. Sequence of events is another thing that we keep track of: a sequence of events can point to a multi-stage attack, which is of course also a good reason to merge; think of someone clicking a malicious email, an event which was preceded by an alert about a phishing campaign. Now we've talked about why and when we merge, but it's also just as important to know when we don't merge. If one of the incidents is marked as closed, we won't merge, because we don't reopen resolved incidents, and I want to really emphasize this point since it is crucial: we will not reopen closed incidents when correlating. We also don't merge if the incidents are assigned to two different people, and I mean that literally, two different assigned entities; so if one incident is assigned and the other one is not yet assigned, then these two could merge. If the incidents have different classifications, so one is classified as true positive and the other one as false positive, then we will also not merge automatically. If the merging would cause the result to exceed the allowed maximum number of entities, in that case of course we will also not merge. And the last reason is when the two incidents contain devices in different device groups, we will also not merge, but you have to configure this one.

Now let's dive into the portal to show you what I've actually been rambling about. When we go into the Investigation section, we can already see the distinction between alerts and incidents. Let me quickly... okay, logged in. So we see the distinction between alerts and incidents; let's skip the alerts section for now, and you can explore it in your own environment later. Instead, let's go straight into the incident queue. Now, the incident queue is one of our selling points of the unified portal, because it provides that unified view of incidents from your SIEM and XDR, so you can see in the Detection source column which source has created this incident, where it originates from, like EDR or scheduled detection. Now, what happens when alerts are correlated? To make this point clearer, I will manually relink an alert. We have this incident called Anonymous IP with a tag "to merge", an entity Naomi Christie and one alert, and we can move this one to Suspicious scope, for example, which also has the tag "to merge" and an entity, which is lab 192. We can easily move this alert by clicking the Move alert button, and this can be easily done from the incident queue itself, and you can move it to another incident, for example 38, which is the incident that we want to move the alert to. Now, I can give you a scoop, because real soon you will actually also be able to merge incidents: if I select those two incidents, you see the button Merge incidents come up. So let's try out this new feature and let's merge these two incidents; let's say "merging for demo purposes". Also notice we ask for feedback here; this feedback feature is also not yet available in your environment, but it soon will be public, and this feature actually allows us to collect your feedback on correlations, which helps us improve the correlation engine. Now, while this is merging (and it's already done), let's focus first on a multi-stage attack. We have this multi-stage incident, which is an automatically correlated incident, and as you can see immediately in this view we have the incident with a detailed timeline of the attack with all the alerts, and we also have that interactive graph, which allows you to easily recognize patterns. Now, to understand why alerts were merged, you can also go to the Alerts tab in the incident itself and then look at the Correlation reason column; this column explains why the alerts belong to this incident. This feature is actually also not yet available, so you are getting another scoop, but soon this will be public, so it should be fine. As you can see, most of the alerts are linked because they originate from the same device or IP address; that's why they were merged, and basically I have the same reasons over here because I launched multiple attacks in a very short time from one of my VMs in this demo environment. Now let's go back to the overview and let's revisit our manually merged incident. As you can see, the incidents have merged: we now have multiple tags, the two original tags, and the entities have also been merged, so we see lab 192 and Naomi Christie. Then another scoop, I keep on giving good news: we will also now correlate comments, so if you check the Activity tab you can also already notice that you have comments from the original incident and the ones from the merged incident, so you can easily see which ones originate from where. And then the last scoop, and then I really have to stop: I want to mention that we will also have this feature which allows you to filter the activity logs from one incident or from the merged incident. But let's stop now with the scoops before I get into trouble. Oh, before I forget, I'd like to also invite you to next week's What's New webinar, because Jeremy and I will also be delivering a demo on some useful recent features, and then these scoops are old news, of course.

All right, let's wrap up the correlation section by answering some common questions we've heard, and if you have any more questions, please feel free to put them in the chat; like Chin mentioned, we have an amazing team answering the questions. First question: what happens to Fusion? Well, once you onboard to the unified SecOps platform, the Fusion rules you might remember from Sentinel will be disabled and will no longer be available. This is because the correlation engine will now handle all correlation responsibilities, and you're actually getting an upgrade: with the correlation engine we consider many additional factors for merging. So yes, Fusion disappears, but you get the correlation engine, which serves the same purpose but does it better. Next question: what happens to alert grouping? Well, when correlation kicks in, alert grouping will not be taken into account, because it conflicts with our strategy and vision of having that full attack story in one single incident. I know that in Sentinel you could configure alert grouping in your analytics rules; now, in my experience this feature wasn't used that much, but for those who are using it, you might notice that when correlation kicks in we might override the alert grouping if we see alerts or incidents belonging to the same attack story. Sometimes we saw alert grouping being used because you have different teams that look solely at specific alerts or incidents, but this approach can create gaps, like we discussed, because you are focusing on certain alerts and you might not get the full picture. For those customers who want different teams managing different alerts, we suggest assigning the alerts to those specific teams or persons, as you can see in the screenshot, and if you really don't agree with the correlation you can always move the alerts as well, as I demonstrated in the demo, and give us feedback. If you have another use case for using alert grouping that we might have missed, that we should know about, then please feel free to reach out to us so that we can learn from your experience. Now moving on to automation. Chin, take it away.

Awesome, thank you, Naomi. So let me share my screen here so that we can easily navigate, since I'm going to have some demos as well; just give me a second. Okay, so let's start with automation. Trying to navigate Teams and share the screen... okay, so just double-checking if you can see my deck. Yeah, yes. Okay, perfect, thank you. So, automation, let's start talking about that. Automation is really one of the key feature areas that's used by our Microsoft Sentinel customers today, but if you're not familiar with the automation capabilities, just to give you a quick overview: automation, as the name indicates, provides automated workflows to enable SOC teams to automate repetitive tasks to speed up incident investigation and hunting, and ultimately it frees up analyst time so that they can focus on what matters most and on more complex tasks. Automation also enables customizable workflows to meet unique organizational needs.

Then on to some of the best practices that I think are really relevant in our case when it comes to transitioning from Microsoft Sentinel to the unified platform. A couple of items that I wanted to highlight here. The first one is around the automation rule condition. If you have already set up and configured your automation rules, and you may have an existing rule that filters incidents based on the title or incident text, then the best practice or recommendation is to update that to the analytics rule name in the condition. Here we have a screenshot on the right that shows you where the condition is and the condition name that we need to select in this case. The reason for it is, as Naomi explained earlier, once correlation kicks in the incident title may change; that means that it's not a consistent or constant value that we can rely on for the condition. Instead, using the analytics rule name, which doesn't change regardless of correlation scenarios, the condition should work as expected. The second item that I wanted to mention regarding best practices is also related to the condition in automation rules. If you have automation rules already configured in Sentinel on Azure, you may remember that there was a condition called Incident provider, where you can filter, and it has two options, either Microsoft Sentinel or Microsoft Defender XDR, as the condition filter value. Now, keep in mind that this condition property is already removed and has been replaced by a new condition named Alert product names, and this will give you more granularity and flexibility in terms of filtering on the specific detection sources, whether it comes from DLP (data loss prevention), Defender for Cloud, Defender for Cloud Apps and so on. You can see on the right side we have a drop-down of all the different products that are already integrated into the unified portal. So yeah, this is the recommendation: use the Alert product names in this case.

Now let's see a demo, see how it works in action. I'm going to pivot to my portal here. So here we are in security.microsoft.com, which is the unified portal, and navigate to Microsoft Sentinel, Configuration and Automation. This is where you can find all the existing automation rules that you may have already configured, or you can create a new rule. I wanted to quickly show you the two conditions that I mentioned earlier. The first one is Analytics rule name: if you have an incident title or tag that you're using today to filter the incidents, the recommendation is to update that to the analytics rule name, like we discussed earlier. The second one is Alert product names, so we just need to type in and search for Alert product names; you can see here on the right side the drop-down, there's a list of all the different detection sources that you can filter on for these conditions. So this is where you configure and manage the automation rules today. I wanted to mention that Azure Logic Apps, which are the playbooks that you may be familiar with in Sentinel, are also available in the unified portal, and they should work as expected as well, similar to the automation rules. We'll let it load for a minute. One thing that I want to mention is that because the playbooks are built on Azure Logic Apps, and Azure Logic Apps is a native Azure feature, to view and author or update a playbook, if you have one already today, it will route you to the Azure portal; you can see that it asked me to log in to the Azure portal. In the interest of time we won't go through this process itself, but I wanted to show you that this is the expected experience today.

So that is about the automations, and I wanted to switch back to our deck here and mention something, a very important area, which is API automation using the incident API. You may have use cases where you need to synchronize incidents and alerts with an internal ticketing system, so you're using an API for this integration. Today there are two APIs where you can query and access the incident and alert information in Sentinel on Azure. You may know that the SecurityInsights API is the API that you can still use today, but the recommendation going forward is to use the Microsoft Graph API for any incident and alert queries via API. The reason for it is that not only does it contain all the alerts and entities details, it also gives you more granularity in terms of the filter for the detection source. You can see I have two screenshots here: on the left side, the SecurityInsights API, where we can filter by provider name, but it's going to be pretty generic, as Azure Sentinel; but if you want to have a more granular filter based on the detection sources, then you could specify the detection source name here; in this case I have an example with Windows Defender ATP, or the old name for MDE, using the Graph API. So I highly recommend, if you're not using the Graph API today for incident and alert querying, that you check it out; we have documentation available as well. Okay, so that will be our recommendations regarding the incident API with automation.

On to the next section, which is advanced hunting. Advanced hunting is also one of the key areas, the core areas, in the unified platform, and as you may know, advanced hunting is a native feature in Defender, the Defender suite, and in Microsoft Sentinel you may be familiar with the capability called Logs. They are quite similar, but there are some differences, and I'm going to show you where the common areas and where the differences are. Threat hunting, if you're new here: advanced hunting in the unified portal context is a query-based hunting tool that lets you explore the data for investigation, build custom detections and threat hunt. With the unification of Sentinel capabilities and Defender, you can now query and correlate data sets for both Sentinel and XDR tables for custom detections, for investigation and hunting. If you already have Sentinel queries that you saved, sample queries and query functions that you already built and set up in Sentinel, they are all available in advanced hunting as well. Also, currently by default the retention in advanced hunting for Defender tables is 30 days, but if you do need to retain the data for longer than 30 days, then keep in mind that data ingestion is still needed for the advanced hunting tables in Sentinel.

I wanted to mention some of the best practices here related to advanced hunting. If you have any queries, whether it's detection, advanced hunting or investigation, that rely on the SecurityAlert table, keep in mind that this table is now replaced by the two tables AlertInfo and AlertEvidence, so I recommend that you review any query that contains a reference to this table to make sure that your queries won't break. The second thing to consider is, if you do need to capture records from advanced hunting activities to dive deeper, or maybe raise that into an incident, or bookmark it to create a rich timeline and context information regarding an incident, the recommendation is to use the Link to incident function. Here I have a screenshot to highlight Link to incident. This capability is very similar to the Bookmark feature that you may know and be familiar with in Sentinel; it's not exactly the same, but for the purpose of capturing the records and creating a rich timeline and context information regarding incidents, this would do the job.

So maybe enough of me talking to the slide; I'm going to pivot to the portal here to show you the advanced hunting experience. Here we are back at the security.microsoft.com portal; navigate to Investigation and response, click on Hunting, Advanced hunting, and here we are at the advanced hunting experience. First things first, I wanted to point out that all the tables, the data inside Sentinel, are now available to access from advanced hunting, including the built-in Microsoft Sentinel tables and also custom log tables, all available in one place. This is so convenient; that means that you can now build queries for investigation and hunting that correlate both data sets, both Sentinel and Defender data, without having to ingest the advanced hunting tables into Sentinel. From a cost optimization standpoint, it will save you the ingestion cost of these advanced hunting tables, and please keep in mind that if you do need to retain the data for more than 30 days, then we still need to ingest the data into Sentinel for that purpose. Here I have an example query where I joined the two tables: I have the SigninLogs table, which is a Sentinel table, and DeviceLogonEvents, which is a Defender table, and I have the join operator in between to join these two on specific criteria; I also have some filter criteria as well. I wanted to show you that, yes, you can build a query correlating the data sets between your SIEM and XDR all in one place. In this case we do have a result from this query I already ran; we have one result, and in this case, if I find this interesting and I want to bookmark this, I want to capture this record for further review, then I have the option to link to incident. Once you click on Link to incident, it's going to ask you to either create a new incident or link to an existing incident, so that's the cool thing about it. In this case, in this environment I don't have access to perform this step, but I kind of
just wanted to show you that there there should be two options for you after you click to this one yeah so this one it does ask for more permissions and I don't have that here um another thing to to uh take note is to um we do have an option to take actions right um and also it's also required to have permissions um um the action here could be uh things like isolate uh a device from the network if we know that this is a compromised device right um or disable users there's a list of actions you know I recommend checking out documentation for um to see what specific action that you can take from here so this is a another benefit and an upgrades right um compared to the the existing experience in uh in log analytics in in Azure experience um I wanted to mention another key area which is the custom detections right um from Advanced hunting um experience you can um we can create custom detection uh queries yeah um and today there are two options uh for us to create custom detections uh one is create Analytics R which is a native feature Sentinel as you may know and custom detection which is a native Defender uh featur as you may may know uh please keep in mind that um we are actively working on enhancing and kind of improving the custom detection experience so that um you you may see new capabilities coming up really soon available in public preview um for you to to um you know to build all these Uh custom detections queries um all from one place um so um but please note that you know before that happened right before the improvements for custom detections available you can still leverage the C the um the analytics rule today so nothing will break um it still work as expected if you have any analytics rule that already created today they should still work as expected all right um I think I could have mentioned all the key area regarding Advanced hunting so I think we could navigate back to our deck here and uh we could wrap up this area uh with a commonly asked question 
so a question here is how would data retention work in Advanced hunting in the UniFi portal right so as I mentioned earlier um if you know we ingest data just into the advanced hunting table today retention is still set to 30 Days by default right however if you do need to uh to retain the data more than 30 days then the recommendation is still to ingest the advanced hunting data into Sentinel and when it comes to quing the data right that older than 30 days um then the first how it works is the first 30 days will be query from the advanced hunting table and any data that's beyond 30 days right is going to be queried from Sentinel so that is something to keep in mind all right so then um we do have um beside this core area that we mentioned earlier right the incident alert um automation Advanced hunting um we do have other you know equivalently important right feature areas that we want to to show you um for the interest of time because you know we have limited time um I'm going to cut up you know cherry pick some of the areas that I think are um impactful and with some changes that that you may um that we we need to be aware of right so um maybe to make it easy I'm going to Pivot to um back to our portal here and uh starting with the workbook area um I wanted to show maybe first of all before we jump into the workbook um I want to show you that um all the capabilities that you know you may know and familiar with in Microsoft Cent and Azure are all available in Microsoft sensal menu right on this navigation uh section um and when you expand that right you see that there's PR managements content management configuration all all these capabilities still exist today still work as expected um starting with the workbook um workbook is essentially uh you know a tool for us to create dashboard for visualization and Reporting purposes and um I wanted to mention that all the workbooks that you um you know if you have workbooks that already created in Azure uh they still 
work as expected today um something to note here is the U viewing experience right viewing workbook um you can you can view the workbook today um in UniFi platform like within this security. microsoft.com portal no need to navigate to uh you know back to Azure portal um however for adding right authoring the workbook um or updating the workbook um it still Rouse us to Azure portal um at the moment um workbook is another capabili that is uh is native to Azure so um that is the reason why that is is still that it's you know it will take us to Azure experience um so that's something to keep in mind um for other features like hunting notebooks threat intelligent miter um attack right these are all still available and works as expected I do wanted to highlight the threat intelligence area though because we do have um a new home for for this uh for this area so the new home here is uh Intel management and either you can navigate it from here right click on open Intel management or you could navigate directly from the threat intelligence menu um and go to Intel management then that's going to open up the um Intel management um uh capabilities okay so um T intelligence is really um you know it's I think this is one of the most essential areas right it's for soof team to to uh to leverage um it embes investigations with the latest insights on threats and uh if you using TW intelligent CES in Sentinel then you may be familiar with this view right where you um here you can kind of think of that as UniFi um intelligence uh platform right where you can uh manage you can uh manage and curates your um TI feed you can import right uh from external feed um you can add manually add new um TI object and TI relationships so we do have um quite robust TI capabilities available here um and uh I wanted to mention that so this is a new home right uh new home and this is built B uh built on the existing Sentinel TI capabilities so going forward this is where um uh you know stock teams can 
operationalize threat intelligence uh especially you know for tier 2 tier three analyst right to uh to to curate their TI attacking existing data as well as generating new TI directly in the portal all right so that is about uh TI um back to um the Microsoft Sentinel menu here so other capabilities including content Hub right Repository Community uh and uh configuration of data connectors analytics rules summary rules watch list automations these cilities are all still available and work as expected today right all right so um I think that's is pretty much it for our um demo here let me PIV it back to our portal uh our slide here to see if there's anything else that we need to cover all right with that that set I'm going to hand over to um Naomi to talk about case management thanks so for the next SL next two slides I'll uh follow Chi and uh I'll be showing the experience live in the portal instead of using the PowerPoint so first let's start by going into case management and it's mentioned in the very beginning of this webinar this is one of our selling points for you to move to the unified setups with case management you can better manage your security work from within the portal in the first installment of this end to-end solution um we help you work more efficiently and respond faster to attex without leaving the seops portal by allowing you to create those uh cases currently we support defining your own case workflow with custom values for with custom status values so as you can see needs to be assigned is a custom value we can assign tasks uh to collaborators and configure due dates we can handle uh escalations and complex cases by linking multiple instance to a case and we help manage access to your cases using arbc so these are First Steps in delivering a unified security case management experience and this will help with a reach collaboration customization evidence collection and Reporting across your SEC Ops worklooks before we run out of time let me 
quickly highlight another benefit um I mentioned earlier sock optimization so optimizations are recommendations which will help you optimize your security controls so these recommendations can help you reduce costs without affecting your so coverage and they will assist in adding that secure that extra value by saying which security controls you can improve and where you need more additional data for example so these are personalized because they are based on your environment's needs and your current coverage now for the selling point for C customers with a unified setups we provide unified coverage view this means that you will be able to see coverage metrics not only for Sentinal detection but also for our first party detections such as Microsoft Defender for endpoint or Microsoft Defender for identity all right let's get back to the slides and let's wrap up this webinar with a final frequently Asked question that didn't quite fit in to the previous section so that's why it's a miscellaneous FAQ if I'm a sentinal only customer without any xdr products is there any benefit for me to start using the unified secops platform the answer is absolutely yes not only will you be able to take advantage of the power of the correlation engine but you will also have a better experience with co-pilot and on top of that some features like case management only appear in the unified seops platform so please feel free to test it out and experience the unified portal for yourself okay that's it for today thank you so much for attending the webinar we really hope you find it useful and informative and if you have any more questions or need further clarification please don't hesitate to reach out we are here to help you and if you want more of these sessions please let us also know we always want to hear your feedback and understand what you need and try to help have a great day and we look forward to connecting with you again and maybe see you next week for the next webinar thank 
you thank you CH and Naomi for being our guests and for sharing the great information with our community also thank you to the Q&A team who helped us with answering the questions and providing the resourceful information to all the listeners still on the line if you're someone who wishes to Aid in the protection of the world from cyber threats and desire to have a say in shaping our strategies Blueprints and recommendations then we invite you to become part of our security Community together we can make a global impact so join us at aka.ms security Community this is also where you'll be notified about the upcoming webinars events and other announcements for those of you who may have additional questions on the topic we just covered or other product related questions please feel free to raise them on our Microsoft Tech Community discussion space at aka.ms / Microsoft Sentinel Community thank you all for being part of our community and for joining us on these webinars we hope to see you next time goodbye
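Added example, not part of the webinar transcript or a Microsoft sample: two KQL queries written for the advanced hunting experience Chi demonstrates above. The first is one way to build the SIEM-to-XDR correlation he shows, joining the Sentinel SigninLogs table to the Defender DeviceLogonEvents table; the second shows what reviewing a SecurityAlert-based query looks like in practice, rewriting it against AlertInfo and AlertEvidence as the best-practice section recommends. Column names, the one-hour correlation window and the severity filter are assumptions taken from the documented schemas and should be adjusted to your tenant; the queries assume the Sentinel workspace is already connected to the unified portal.

```kusto
// Query 1 (added example): correlate a successful Entra ID sign-in from an IP
// with a successful remote interactive Windows logon from the same IP within
// one hour. SigninLogs is a Sentinel table; DeviceLogonEvents is a Defender
// table. Column names and the 60-minute window are assumptions.
let lookback = 1d;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                                   // successful sign-ins only
| project SigninTime = TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName
| join kind=inner (
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess" and LogonType == "RemoteInteractive"
    | project LogonTime = Timestamp, DeviceName, AccountName, RemoteIP
) on $left.IPAddress == $right.RemoteIP
| where abs(datetime_diff("minute", SigninTime, LogonTime)) <= 60
| project SigninTime, LogonTime, UserPrincipalName, AppDisplayName,
          DeviceName, AccountName, IPAddress
| order by SigninTime desc

// Query 2 (added example): migrating a query off the SecurityAlert table.
// Before, in Sentinel Logs (this reference is what breaks in advanced hunting):
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertSeverity == "High"
| project TimeGenerated, AlertName, ProductName, CompromisedEntity

// After, in advanced hunting: AlertInfo carries the alert header fields
// (Title, Severity, ServiceSource, DetectionSource) and AlertEvidence carries
// one row per entity, so the entities are rolled back up per alert.
AlertInfo
| where Timestamp > ago(7d)
| where Severity == "High"
| join kind=leftouter (
    AlertEvidence
    | where EntityType in ("User", "Machine")
    | project AlertId, AccountUpn, DeviceName
) on AlertId
| summarize Accounts = make_set(AccountUpn), Devices = make_set(DeviceName)
    by AlertId, Timestamp, Title, Severity, ServiceSource, DetectionSource
| order by Timestamp desc
```

The leftouter join in the second query keeps alerts that have no user or machine evidence, which an inner join would silently drop; the `DetectionSource` column gives the per-product granularity that the talk also recommends filtering on in the Graph API.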