Unified Sentinel and playbooks


Hi all

It's been a few weeks now since the unified Sentinel experience dropped publicly and I've been running it since then. There were a lot of bells, whistles and hype built up since the Ignite event, but I feel like...meh, now what.

What happened to playbooks? What happened to all the automations we had that enriched events into the audit logs in Sentinel for correlation?

These are either gone or not working as intended anymore. Before the "unification" we had an incident come in from our firewalls with a blocked URL which was enriched from external threat intelligence sources and could be closed within minutes by an operator after scrolling the audit log. Now it seems the idea is for the operator to click around in the Defender portal and view the different pages for similar information, not to mention the seeming necessity for the Microsoft Intelligence platform, before the operator can determine the posture of an incident. It feels like we took a step back.


Peace

/Fredrik

0 Replies