Transcript for:
Unified SecOps Platform Overview

All right, let me go to the vision screen. Yeah, so as Jeremy mentioned, we'll begin with just briefly explaining our vision. So we've been working towards a unified SecOps platform for a while now, and lately we've been focusing on integrating all of Microsoft Sentinel into the unified SecOps platform. So instead of multiple interfaces and data streams that you'd need to learn to work through your security incidents, we've made things much easier: the unified SecOps platform provides that single view for all your security operations by integrating SIEM and XDR into one portal, so you really get that comprehensive overview of incidents across your environment. And then with Copilot for Security we also significantly expand our AI capabilities. So let's explore what we are actually bringing together in the unified platform and look at all the different layers. Our security approach starts with global threat intelligence. The threat intelligence helps us understand how attackers behave, and we turn that knowledge into practical detections to protect you. Next we have posture management to strengthen your environment and give you better visibility into how attackers might move from breach point to critical assets. Building on that are our post-breach threat detection and response capabilities, and they combine the depth of XDR with the breadth of SIEM, so we get that full visibility across the entire attack chain. And finally we enhance everything with cybersecurity-specific AI, so automations to help disrupt attacks, but also AI that offers recommendations and enrichments and much more. But let's dive into the main event of this webinar and talk about the newest features. Jeremy, take it away please.

Thanks Naomi for the quick intro on our vision. Now, we categorize the updates that we have compiled for you into three personas: we have the security architect persona, we have the SOC engineer, and the SOC analyst. I just want to give you a quick heads-up that, because there are a lot of updates that we would like to walk you through, we will only talk about the features that we released at a high level. However, we have provided links to each item, so when you have the opportunity to get this deck, feel free to click on the links on each item so that you can learn more on the specific items.

Now, without further ado, let's get started with the first persona, which is the SOC architect. You have heard Naomi mentioning the benefits of the unified SOC platform. The unified SOC platform is something that we announced about one and a half years ago, and about 12 months ago it went GA for the single-workspace, single-tenant scenario. Now of course we understand that there's a need to support multi-workspace and multi-tenant scenarios, especially for partners and MSSPs, so we are pleased to announce that just last week we announced supporting the multi-workspace and multi-tenant scenario in the unified SOC platform. There are a few screenshots that you could see over here: this is the one for the multi-workspace support, where you could see that we have this workspace column where you can identify which workspace the incidents are coming from, and in another screenshot we have this concept of the primary workspace for the multi-workspace scenarios. I'm not going to discuss too much as of now, because we do have a demo prepared for you at the end, so stay tuned to the end.

Now, besides the multi-tenant and multi-workspace support, we also support the Sentinel-only scenarios. It means that for customers without a Microsoft Defender XDR or E5 license, you can also onboard your Sentinel to the unified portal to leverage the benefits of the Defender XDR correlation engine, which will help you to reduce alert fatigue. And for customers with Security Copilot, you could also leverage the unified portal for the embedded experience. Besides that, Sentinel sovereign cloud: Sentinel GA features are also supported in the unified SecOps platform in GCC High and DoD clouds. Moving on with the experience of the unified SOC platform is viewing workbooks in the unified portal. We all know that workbooks are a feature in the Azure portal, so now we are supporting viewing the workbooks in the unified portal without pivoting back to the Azure portal, so this is definitely providing you a seamless experience. Now the next item here, although not directly related to Sentinel but part of the XDR: we now have unified RBAC as the default permissions for new customers onboarding to MDE and MDI. The last item in this list, for customers who are looking for a resilient solution or BCDR: we just released workspace replication to GA.

Now moving next is our log tiering solutions. We understand that not all the logs are the same; some of the logs might be high in volume and low in security value, right, and so you might want to keep the logs for long-term purposes or maybe for compliance, but might not need to create a detection rule on those logs. That's why we have introduced our low-cost ingestion solution, which is called auxiliary logs. This is now available, so if you have any logs which are low in security value and high in volume, now you can leverage this feature. Now, what if you have those logs in the auxiliary logs tier but you might want to create detections on some of the log sources? This works hand in hand with summary rules, because summary rules allow you to create summarizations and aggregations on top of the auxiliary logs, and then the results would be ingested back into the premium analytics tier for you to create detection rules or even visualizations. On top of that, summary rules also work on the analytics tier. I just want to give you a quick screenshot of how the summary rules view looks in the unified SOC platform: as you could see, you could define your own logic in the summary query and define the frequency and also running time. Next I'll hand it over to Naomi to walk us through some of the improvements and enhancements related to the SOC analyst persona. Naomi, you want to walk us through?

Thank you Jeremy. So a SOC analyst will mainly be interested in features that help them with monitoring and responding to security incidents, right? So let's start with incident management and investigation features. The main focus for these features will be around streamlining your investigation processes and reducing context switches, and most of the features on this page will be part of a demo later on, so the ones I will be covering in the demo will be skipped for now. First up, as we can see in the screenshot, we have a feature designed to reduce the context switching by integrating Purview data with XDR: alerts and insights from Insider Risk Management are now integrated into the unified SecOps platform, and they will help monitor and identify internal threats such as intellectual property theft. Next we have several features aimed at streamlining that investigation process. If you attended our "Transitioning to unified SecOps" webinar or watched the recording from last week, I might have spoiled some of these features for you, but the next three features mentioned on the slide are also included in the demo, so don't fear, we will discuss them also in a few minutes. It's also worth mentioning that while they are marked as public preview in the slide, they are technically still in private preview, but they will be available very, very, very soon. Now, we've made significant progress and effort with our correlation engine, which is why we also explicitly mention that incident correlation improvements have been made. So although this isn't a feature immediately visible as a button or something, it is important, we think, to highlight that we made significant progress and impact for correlation. The last two features on this slide will also be shown in the demo, so let's just move on to the next slide.

As you can see, we needed a second slide for incident management because of all the improvements we've made in this area. First on this slide is a highly requested feature for the unified SecOps portal: that's the refresh button. We will demo this later on, but basically the refresh button notifies you when changes are made in the incident queue. Next, similar to the improving correlation feature from the last slide, we want to explicitly mention that we've made significant improvements in reducing synchronization latency. Another feature related to the unification of the portals is the unified timeline for devices, but I think it also makes more sense to showcase it via a demo, so that will also be skipped for now. And then the next one, critical asset tagging: that one is designed to help you quickly triage and prioritize incidents by identifying critical assets involved in your incidents. So once you start your investigation, these asset tags will help you determine the best starting point and will help you focus your responses on the most critical assets. The last feature is also related to our graph in incidents: we have released the ability to show attack paths, so the incident graph now contains information about attack paths, and they will enable you to identify which other entities an attacker is likely to target next.

Okay, let's move on to advanced hunting and case management. Advanced hunting, this is a central place where you would explore all your data, right, so the data that's relevant for your security investigations and hunting. And then case management is our response to your actually highly requested feature to collaborate inside the portal. For advanced hunting we have made significant investments in reducing latency, so that's also why we want to mention it here, and we have released the link-to-incident feature, but this is shown later in a demo, so we'll skip it. And case management also will be in a demo, so at this point we will also not go into the capabilities.

Then last on my list before I hand it back over to Jeremy: threat intelligence. First it's important to know that threat intelligence for Microsoft Sentinel in the unified SecOps portal has changed. We've renamed the page to Intel management and we moved it alongside other threat intelligence workflows, so this makes it easier to find because it's now grouped with other TI sections. Next we want to highlight our expanded support for threat actors, attack patterns, identities and relationships. So in addition to the existing support for indicators of compromise, we now have these additional types, which will help give you additional context and broader insights. And not only can you now import more types of objects, you can also fine-tune what you ingest via ingestion rules, so you can set custom conditions and actions on all types of threat intelligence objects before they are ingested. And speaking of ingestion, we now also support importing threat intelligence with the upload API. Moving on, we have reports. These reports are actually a detailed analysis of the tracked threats, and they will provide guidance on how to defend against those threats. They integrate with data from your network and they will show whether the threat is active and if you have the necessary protections in place. And last, we also now have the ability to customize your TI experience by filtering threat analytics based on specific industries. This enhancement enables you to concentrate on threats that are most relevant to your sector, like for example finance or healthcare or manufacturing, so this allows you to really prioritize based on the unique risks that are part of your industry. Now Jeremy, I know you are eager to tell us more about attack disruption.

Absolutely, thank you. Now continuing with the SOC analyst persona, we have a few more feature areas to go through. The first one is attack disruption. Basically, it is a feature that allows us to disrupt any attacks before the damage has been done. So let's look at what the new enhancements are in this area. In the first two items over here, we have introduced some new actions. The first one is "mark user as compromised": this essentially will revoke the session tokens, and the user will be flagged as high risk in Entra ID, so that means any relevant Conditional Access policy will kick in, as the user will need to re-sign in. The second item here is the contain IP action, so this is an additional action on top of the existing ones such as isolate device and disable user; another effort for us to disrupt the attack. And the next three items over here are actually some of the scenarios that we had a while ago but now are going to GA. The first one is the integration with XSPM, so this will leverage XSPM to identify your crown jewels or critical assets; again, this will help to increase the efficiency in terms of disrupting the attack and protecting your crown jewels in the early stages of the attack. The next item over here is the new OAuth application disruption, so this is basically disabling the malicious OAuth applications when attacks are found. The next item over here is the hands-on-keyboard scenario; this is leveraging the MDE signals to disrupt the attacks, and there's also been a demo video actually published a few weeks ago with one of our MVP members. Now the last item over here is the new option for exclusions, on top of what we already have today, which are the exclusions through device group and also user. This will actually allow you to exclude specific IP addresses and IP ranges. There's a screenshot over here, so you could see that under the settings of automated response you can actually configure the IPs and IP ranges. So for example, if you have any environment that you would like to be excluded through IP ranges, this will be an option for you to perform exclusions.

Now the next feature area is Security Copilot. I just want to mention that we are only covering the embedded experience and not the standalone experience, in the interest of time. The first item over here is one of our major releases recently, which is the Copilot SOC agents. As you could see from the list over here, there are different types of agents that we released in the first version, in the early stage. Again, I'm not going to go through each and every one, but I just want to highlight particularly the SOC agent for phishing triage, for the email alerts. Basically we understand that for the SOC team, the user-submitted phishing emails are one of the highest numbers of alerts that the SOC team will receive on a daily basis. So this SOC agent will actually help to triage the phishing alerts and help to identify whether it is a true positive or false positive, and this will help to increase the efficiency of the SOC team. The next item over here is related to the natural language to KQL translation. Basically we have added the KQL response explanation, so with that the user will actually understand how the KQL is being constructed when you ask the questions in natural language, so this will help you to understand what's the logic behind it. And the last item over here is the user summarization in the unified portal, which has been GA since the end of last year.

So let's move on to the third and last persona that we have prepared for you, which is the SOC engineer. For the SOC engineer, of course, content is something that I would say the SOC engineer will be dealing with most of the time, either looking for the out-of-the-box content to see what Microsoft has for you before you decide to create your own. In the past you had to install the solutions to navigate what contents come within the solutions. So now we have improved the experience to provide you the content hub granular information: today you don't have to install a solution to explore what contents come with it. You could see in the screenshot over here I have a solution that I have not installed, but I'll be able to, by expanding this solution, by clicking on this arrow, navigate and explore what the content is underneath that specific solution. So this will be nice and easy for me to have a look and navigate what's in there before installing. And besides that, the search capability has also improved. The next item over here is the Bicep template support for repositories. Previously, for repositories we only supported ARM templates, and we know that Bicep has been getting a lot of traction in terms of popularity; we understand that's because of the simplicity and more readability in terms of the templates. So we now also support Bicep as part of the repository. Next, data collection. As you can see, there are many data connectors that we have released in the past six months, and again I'm not going to go through each and every one of these, but I just want to highlight the SAP agentless data connector. Previously you were required to have a VM as a collector, so now we have this agentless SAP connector that will actually simplify the collection method. And for the rest of this connector list, make sure that once you get the deck you check each of the links over here to find out more information.

Now this is the last slide before we go into the demo, for SOC optimization and automation. We have two items over here related to SOC optimization; again, these two items are actually part of the demo, so I'm not going to dive too much into that, but I just want to quickly talk about the first one, which is the similar organizations recommendation. Basically, one of the top asks from customers is: what should I collect, right, what are the data sources I should collect next to improve my security coverage? For this feature we actually look at your peers, meaning organizations in the same industry and of similar size to yours, and then we'll see what data sources they collect and we'll make the recommendations as you see over here. As you see, there's Entra ID that's been collected by other organizations, and what kind of usage: 28% used for detection, 64% used for investigation. So this will help you to consider, and then you could actually see the content that comes with it, not just the data connector but also analytics rules, by navigating to the content hub. And the last item over here is the ability to export and import automation rules to and from ARM templates, so this will actually help you to manage your automation rules as code, and also if you want to move the automation rules from one environment to another, it'll be easier.

So that wraps up all the updates that we have. As I mentioned earlier, treat this as a recap of what we have released in the last six months, and once you have the deck with you, make sure you check out the links of each item to learn more details. Next up, let's change gear a bit to the demos. We have four demos that we prepared; as mentioned, the first two will be presented by Naomi, so maybe I'll just let Naomi walk us through the first two demos that she prepared for us. Naomi?

Yep, thank you. So the first use case will highlight the latest features for incident resolution; all the features I skipped earlier in the presentation will be demonstrated here. And right after this we'll actually move on to the next demo immediately, so we'll focus on case management, and with case management you can create custom workflows, link multiple incidents to a single case, track changes and collaborate within cases. I'll be showing you all of these capabilities in the demo, so let's get started.

So imagine we are a security analyst that is responsible for monitoring and responding to the incidents in our queue. At the beginning of this story we see a new incident in our incident queue, so let's go ahead and read the incident description to understand what it is about. We notice now that a user, Christy C, has accessed a finance share, but the title of this incident suggests that it involves a decommissioned account. So let's actually first start with adding a comment to our incident so that we know that we will be starting investigations: "Started the investigations on this suspicious file accessed by a decommissioned user." And let's also immediately assign the incident to me; this is not new, but I just want to do the first few steps. Let's also add a tag, "new incident for Naomi", and let's set a classification; the classification is compromised account, probably. Now let's use our first new feature to update the incident description to better reflect that it is about a decommissioned account that is accessing this finance share. So let me quickly use Bruno, and Bruno will help us with our API call. In the API call I'll just use the Graph API to call the incidents endpoint with a PATCH call, and I'll change the description. This loads, and if we now reload this page we can see that the incident description is updated, right? It now correctly reflects that this is about a file accessed by a decommissioned account. Now the default behavior for the incident description feature, as you noticed, is for the incident description to match the description of the first alert, but as I just showed you, you can easily set the description via API from now on.

Now if we go back to our incident queue, I think we should actually also investigate this user a bit more, this Christy C, because we just learned that this is a decommissioned account that has tried to access a file, but it might also be useful to know if this user has also logged on at some point, for example. So if we go to advanced hunting and look at our sign-in logs where user display name is Christy Klein and run this, then we can see, oh, Christy actually also has a failed sign-in. This might also be something that we should investigate and keep track of, right? So let's use the new functionality to link this login attempt to an incident. Now normally in this case the most reasonable thing to do would be to immediately correlate it with the right incident, because it's about Christy C, but for the sake of this demo I am going to create a new incident so that I can also show the merge incident feature in a few seconds. So let me just give it a nice alert title; the severity is medium: "login attempt by decommissioned account"; this is initial access. Let's also give it a nice description: "identification of an activity from a user account that has been marked as no longer active; blocking access is the recommended action." What I also want to do is add Christy as one of the entities in this incident, so let's map it correctly, and then let's create our incident. So while this is creating... oh, it's very quick. We can go to our newly created incident, and we see that it's a very nice incident, right? We have Christy C with the authentication application, we have that login that we talked about, and let's also add a comment to this incident that we actually created this incident for the suspicious login, and let's also tag this with an incident tag: "this is a manually created incident". Voilà.

Now let's go back to our other view, this view, and let's use our new feature, the refresh button, to refresh our incident queue. Now you see when we refresh that we have in bold the newly added incident, so that we know that this is something that we need to take a look at. Now I also promised you to show the merge feature, so let's hurry up and use the merge functionality. So that it's over here, and when we merge it's always nice to also have a good comment: "merging because the incidents contain the same decommissioned account". And actually we are also from now on asking for feedback: when you are merging or correlating manually, we would like to know why you are doing this, because at that point we might have not correlated ourselves. Let's say "same threat source", and let's start the merge incident. This feedback is very important for us because our Microsoft security research team can really learn from it, and it will help improve our correlation engine. As I said, we are constantly working on improving that correlation engine, and this is one of the things that we need to help you have it improved. Now, as you can see, the refresh button notifies me that I should refresh again, and it's refreshed, because of course I merged those two incidents.

Now the next improvement that I want to spotlight is our improved auditing when correlation or merging happens. All those comments that I added and tags were with a purpose, so as you can now see we have our tag over here, we have nicely our two alerts which are in a nice graph together with Christy C at the center of it all. And if we go into our activity log you can also easily see that we now correlated the comments, and which comments are coming from where: we have the comments from the merged incident and the original incident, and you can easily see it by the symbol. Now to further improve the experience, you can also filter on which incident activities you want to see, so then you get that overview from the right incident.

What I also wanted to spotlight, what I promised to show, was the unified device timeline, right? So let's go into our device page and let's go to that timeline that has now been unified. The unified device timeline now has that single cohesive view that will integrate the device activities from Microsoft Sentinel and Defender XDR into one timeline, so as you can see we have here the Sentinel rule incident that was created and the other Defender incidents. The last thing that I want to show you from my list of first features is the correlation reason that we added. For that I will switch to an automatically merged incident, because this is where we want to know why something merged, right? So if you go into alerts, as you can see, we now have here the correlation reason: these were correlated on the same device or similar IP, which is normal in this case, because this incident was created via an attack in my own lab environment and I don't have that many things to attack and simulate with, so that's why it's all from the same IP and same device in a very short time frame. So that's actually the first part, the first demo for this webinar, and let's follow it up immediately by creating also a case for this.

You can find case management as a new blade in the unified portal under the heading Cases, and in this environment you see that I already created some cases that are being worked on. As you would expect, you can easily filter on those cases or search for certain cases. A short summary per case is also available: if you click on it then you get an easily readable overview of the case. But let's start with creating our case now, right? After our investigations on the decommissioned user, we want to create a case to collaborate with our peers and really get to the root cause of why this account was still active. It's important to document our actions so that we can refer back to them in case some other issues arise. So let's start by defining some basic elements: we give it a case name, we can set a priority, we can even set an SLA, so this should be resolved by next week, and a short description of what we are actually doing. Now everything we have just configured can be seen on the left-hand side panel over here: we have our title, we have our description, we have who created it and when it was last updated, and things like that. Now over here, when we go into our activities view, we also see everything that has happened to this case; at the moment it's of course not that much, but let's start with also assigning a custom status to this case, because with cases we can easily add custom statuses so that they can fit your specific needs. I'll create the status "assigned", and for me this implies a case that is actually new but already assigned. So let's say assigned, and then also assign it to me so that we're not lying about it, and as you can see, immediately we have more activity in the activity log overview, and we can of course easily also filter on what has been done. Now of course more activities will appear; you can also easily add nice comments so that we can keep track of what's happening, but I think it's also important that we link the incidents to this case, right, because it all started with the incidents. Now of course the linked incidents tab is currently empty, but it's very easy to search for the right incident; we have enough filtering and searching capabilities, but at this point not a lot of new and in-progress incidents are open, so it's very easy for me to find the right one. Let's link this one, and you can also of course later on unlink an incident if it's no longer important for the case. So if we now go back to the case, you see that we now have a linked incident; the activity is also added. And then maybe the last thing that is also very important and interesting to see is the tasks, right? We can easily add tasks, and it's actually a very rich kind of task, because you can give it, as normal, a name, a title, but you can also set SLAs for this task: a priority, you can set an SLA and a description, and you can set a status. So a lot of progress already has been made. This was a very quick rundown of case management and the capabilities, but I really would like for you to keep an eye on case management, because this is just an introductory set of features; this is really the foundation for future capabilities, and we will keep on working on this. Jeremy, you also have interesting demos, right?

Yes, Naomi, and thanks for the great demo that you have shown us. So let me go back to the deck. Right, so Naomi has shown us the first two demos, and I will show you the next ones, the third and the fourth. The third demo that we have prepared for you is related to the multi-workspace, multi-tenant scenario, where I will first show you the demo for multi-workspace in a single tenant, and we'll talk about the primary and secondary workspace, where the primary workspace is a new concept. We'll also show you some of the scenarios that come with it, such as the unified incidents, unified alerts and also the advanced hunting queries, followed by the multi-tenant scenarios by leveraging the multi-tenant portal. I also want to call out that this is just a quick demo, but there's actually a dedicated webinar next month, I think it was on the 20th of May, on this multi-workspace, multi-tenant topic, so make sure that you register for it to have the in-depth session regarding this topic. And after the third one, I will showcase the SOC optimization unified coverage, which is a new feature. This is for environments with Sentinel, our SIEM, and also Microsoft Defender XDR, and we will showcase how this unification will provide you a unified coverage. So let's say for a specific threat, how we will present you with the coverage not only just from the Sentinel perspective but also our first-party products like MDE and MDI: what are the detections, what are the response actions that we provide out of the box to protect against a specific threat. So without further ado, let's dive in.

So the third demo, the multi-workspace, multi-tenant. I'll first begin with multi-workspace in a single tenant. As you could see in this demo environment, under the settings for Microsoft Sentinel, I just want to show you that I have multiple workspaces, and you could see that I have my Sentinel retail workspace set as primary and I have my Sentinel finance workspace set as... so basically all the other workspaces besides primary will be considered as secondary, okay? So this will be my secondary and this will be the primary. Now, because as I said this is a new concept, primary, the difference here is the primary workspace will be the one that correlates with the XDR alerts and incidents. So what it means is the alerts and incidents coming from this workspace will be the ones that correlate with the XDR incidents, and those incidents and alerts coming from the secondary workspace will not be correlated with the XDR incidents. However, the incidents
coming from this workspace will um correlate within themsel right within this specific workspace but it will not correlate with XDR so this is something that uh you know just want to call out which is a a new experience now you could actually change the primary workspace if you would like to um just by clicking the three dots over here so it's just a quick and easy way um but do take note that once you connect multiple workspaces you have to um configure one of them as the primary so once I have multiple workspaces configured on boarded to my uh unifi socks experience um so let me showcase a couple of uh scenarios that we currently support um the first one is the unifi incident Q so in this incident queue as you can see we have added uh the workspace column uh as you can see I get this unifi incident view where incident coming from uh the workspaces that I connected will be presented in this incident queue and of course I could perform filtering right if I want to uh filter uh and I want to to to view incidents coming from any specific uh workspace I can I can do that as well now the same thing uh here with the alert queue so as you could see um there's this uh workspace um column over here right and again you can also filter based on the uh workspace um if you need to right so so this is something that added uh to give you a a unifi uh a unified view now let's look at the um incidents investigation experience so let's say if I pick one of the incidents and I kind of minimize the sidebar over here um and during investigation so let's say if I pick on this specific entity um so I have this IP over here that I'm I'm triaging um in the overview um in the side pane over here right you could see that uh this IP actually is been observed um in in two of my workspaces right so if I click over here so you could see that um you know this data table the data source and the workspace that's been observed right for this specific IP address um and of course I could click on 
this entity page um and you see the same overview tab which I just showed you earlier um but what I want to show you as well is the incidents and alerts tab um in this incident alert tab again we added this workspace uh column over here so now you could see right all the uh the alerts that trigger based on this entity right in in one single view whereas in the past if you are using the Azure portal for Sentinel right if you have two different workspaces um you have to go to each individual workspace right to view uh the specific entity um so right now you can see everything under um one single place so I also want to call out that um you could also uh another benefit is you could also search for this specific entity right using the search bar over here um it doesn't matter the entity coming from primary or secondary so you'll be able to search it from the search bar as well so again another convenient way right uh to identify the entity uh regardless which workspace is coming from now um of course we have this um you know informations uh coming from Sentinel UVA as well uh something that you might familiar with in the uh the uh Sentinel in the aure portal right which is the Sentinel timeline and also the insights right um again in the past you have to go to each an individual space right to look at them so right now you can actually uh we actually have this workspace selector over here so you could just select and switch them and it will refresh automatically now also I want to quickly showcase the advanced hunting capability so over here you also have this um workspace selector right so let's say if I want to run this query right on this specific workspace that I selected of course I would be able to run this uh as usual but for the previous experience right for for Sentinel Asia portal you um if if let's say a user would like to run a query against like another workspace what they normally do is they will use this workspace um operator right so This is again this 
is also supported right in this experience so you could see that um I'm I'm actually selecting this Sentinel retail workspace right so this is my my workspace that I've run my query against but I can also do a cross workspace query against the other workspace right so again um I'll be able to present all um visualize all the results in in one single view so this is a quick just a quick overview on the um the multiworkspace in the single tenant now let's move to the multi-enant right scenario right um so with the same environment basically but I've added uh another two tenant right so so let me just show you uh under settings by the way you could see from the URL over here so the different is basically you have this m right on uh as a prefix of the uh securityoft com another way is there's a link over here in the if you go to the skyd.microsoft.com you can see there's link to the multi-tenant portal right and then you bring you here as well so you can see that I have three um I have three tenants right the one that I show you earlier was this tenant so now I've added another two so as long as you have permission you'll be able to add your tenant over here now the similar experience um Benny saw before is also available so first of all I want to show you the unifi insert queue uh again um on top of the workspace column that you saw now I have the tenant name tenant column right so again I'll be able to filter right my my tenant right of course I can filter my workspace as well and the same experience available in the uh in the alert queue also um now I just want to show you the query experience so the query experience is um slightly different than what I show you earlier so first of all you still get this um the selector right so if you remember the one for multiworkspace you're able to select the workspace so here you are selecting the tenant right but under each tenant you get to choose which workspace you want the query to runs against right um currently we only 
support a single workspace under each tenant right uh so you can see here this one I have one workspace the other one I have two and for this one I have two right so now if I run this query over here so this query sign logs just take one right so This will run against all these three environment that I just show you and you could see that the result return um uh one record from each tenant right and I'll be able to see okay this is coming from this tenant this is coming for the other one this coming from the third one right so easily um I'll be able to differentiate result is coming from um and just quickly before I move on to the next one is the tenant group you'll be able to create tenant group over here so let's say um I would like to select these two as the tenant group and I'll be able to deploy my content so currently it supports custom detection so I'll able to choose custom detection from this tenant and add to this tenant group and you'll be able to deploy to the other two tenant that I just uh selected okay so this is just a quick demo um and I'll quickly show you the last demo that we have prepared which is source optimization unifi coverage so first of all um as you can see this is the we have some thread based scenarios that uh we comes out of the box so I just want to show you the business email compromise BC um so what you've seen in the past was the spider map over here right what we have added recently is this tab called products so what you're able to visualize is for to cover against this specific thread um I can not not only I'm able to visualize my sentinel coverage but you could see all the other first party products as well so from here I know that I have opportunity to add 16 right in new analytics um but I know that this track is covered by six products and on top of that I have six respond actions come with it out of the box now if I want to look at what are the the details right uh what are the detections that have been covered I can look 
at this tab over here and you could see uh Sentinel actually provides 12 detection out of the box but as I said uh I I I need to install 11 more because I only install one right so that's why the states show as partially covered but for other products you could see uh let's say for um MVE right so it has two detections right that comes with it out of the box against this threat for defender for cloud apps um he has six out ofbox detection and he also have one respond actions come with it out of the box against this specific threat now if I want to look at what are the 11 sentinel uh detection rules that comes from it i can actually go to here and you bring me to the content hub and from that content hub uh I'll be able to deploy the detection rules um out the box right by selecting it now lastly the integration also um integrated with maider dashboard so if I select the direct link to mother dashboard you could see that I'm actually filtering the scenario that I came from and from here I'll be able to visualize uh the tactics and techniques specifically for this specific threat scenario all right um so this actually concludes our presentation so um we hope you find this useful um and uh with that I'll hand it back to you uh Jacqueline thank you so much and thank you to both Naomi and Jeremy for being our guests today and for sharing such great information with our community also thank you a huge thank you to the Q&A team behind the scenes who helped us to answer questions along the way and provided such resourceful information to all the listeners still on the line if you're someone who wishes to aid in the protection of the world from cyber threats and desires to have a say in shaping our strategies blueprints and recommendations then we invite you to become part of our security community together we can make a global impact so join us at aka.m/security community this is also where you'll be notified about upcoming webinars events and other announcements for those 
of you who may have additional questions on today's topic or any other product related questions please raise them on our Microsoft Tech community discussion space at aka.m/microsofts sentinel community thank you all for being part of our community and for joining us on these webinars we hope to see you next time goodbye