v0.4.0 — Sentinel detection depth
+7 Sentinel posture checks targeting the operational surfaces a real SOC engineer monitors weekly.
New Sentinel checks
- Data connectors configured. Zero connectors = structurally limited detection coverage. P2 finding when empty.
- Workbooks deployed. Visibility dashboards over Sentinel data. Microsoft publishes 50+ free templates.
- Hunting queries available. Proactive analyst layer complementing the scheduled analytics rules.
- Automation playbooks (Logic Apps). SOAR functionality for incident response automation.
- Watchlists configured. Curated reference data (high-value assets, terminated employees, VIP users).
- UEBA Entity Analytics enabled. Behavioral baseline scoring (requires Entra ID P2).
- Threat Intelligence indicators. Sentinel TI feed ingestion (MISP, AlienVault OTX, MDTI).
Each finding carries a documentation_url pointing to the relevant Microsoft Learn article.
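As an added illustration of how one of these checks turns an inventory into a finding (example code written for this page, not the project's own), the data-connector check below lists a workspace's Sentinel data connectors over Azure REST and emits a P2 finding when the list is empty, INFO otherwise. The finding shape (Check/Severity/Detail/documentation_url), the function names, the REST path and api-version, and the Learn URL are this example's assumptions; adjust them to the project's conventions. The generic `Test-SentinelCollectionPresent` helper generalises the pattern to the other "is anything configured" checks in the list, with the empty-case severity supplied by the caller.

```powershell
# Added example, not project code. Requires Az.Accounts and Connect-AzAccount
# for the live path; the check itself runs offline against any object list.

function Get-SentinelDataConnector {
    # Lists data connectors for a Sentinel-enabled Log Analytics workspace.
    # Assumption: SecurityInsights dataConnectors path and api-version 2023-02-01.
    param(
        [Parameter(Mandatory)] [string] $SubscriptionId,
        [Parameter(Mandatory)] [string] $ResourceGroupName,
        [Parameter(Mandatory)] [string] $WorkspaceName
    )
    $path = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroupName" +
            "/providers/Microsoft.OperationalInsights/workspaces/$WorkspaceName" +
            "/providers/Microsoft.SecurityInsights/dataConnectors?api-version=2023-02-01"
    $resp = Invoke-AzRestMethod -Method GET -Path $path
    if ($resp.StatusCode -ne 200) {
        throw "dataConnectors query failed: HTTP $($resp.StatusCode) $($resp.Content)"
    }
    # Each element carries .kind (e.g. AzureActiveDirectory, Office365) and .name
    ($resp.Content | ConvertFrom-Json).value
}

function Test-SentinelCollectionPresent {
    # Generic "is anything configured?" check: empty collection -> the caller's
    # chosen severity, otherwise INFO with the configured items named.
    # The finding object shape here is an assumption of this example.
    param(
        [Parameter(Mandatory)] [string] $Check,
        [AllowNull()] [AllowEmptyCollection()] [object[]] $Items,
        [ValidateSet('P1', 'P2', 'P3', 'INFO')] [string] $SeverityWhenEmpty = 'P3',
        [Parameter(Mandatory)] [string] $DocumentationUrl,
        [string] $EmptyDetail = 'Nothing configured.'
    )
    # Prefer .kind (connectors) and fall back to .name (watchlists, playbooks, ...)
    $labels = @(@($Items) |
        Where-Object { $null -ne $_ } |
        ForEach-Object { if ($_.kind) { $_.kind } else { $_.name } } |
        Sort-Object -Unique)

    [pscustomobject]@{
        Check             = $Check
        Severity          = if ($labels.Count -eq 0) { $SeverityWhenEmpty } else { 'INFO' }
        Detail            = if ($labels.Count -eq 0) { $EmptyDetail }
                            else { "Configured: $($labels -join ', ')" }
        documentation_url = $DocumentationUrl
    }
}

function Test-SentinelDataConnectors {
    # The concrete check from the changelog: zero connectors is a P2 finding.
    param([AllowNull()] [AllowEmptyCollection()] [object[]] $Connectors)
    Test-SentinelCollectionPresent -Check 'Sentinel data connectors configured' `
        -Items $Connectors -SeverityWhenEmpty 'P2' `
        -EmptyDetail 'No data connectors configured; detection coverage is structurally limited.' `
        -DocumentationUrl 'https://learn.microsoft.com/azure/sentinel/connect-data-sources'
}

# Offline demo with a constructed connector list (not real tenant data).
$sampleConnectors = @(
    [pscustomobject]@{ kind = 'AzureActiveDirectory'; name = 'aad-connector' },
    [pscustomobject]@{ kind = 'Office365';            name = 'o365-connector' }
)
Test-SentinelDataConnectors -Connectors @()                 # the zero-connector case
Test-SentinelDataConnectors -Connectors $sampleConnectors   # the populated case

# Live usage (after Connect-AzAccount), with placeholder identifiers:
# $live = Get-SentinelDataConnector -SubscriptionId '<sub-id>' `
#             -ResourceGroupName '<rg>' -WorkspaceName '<workspace>'
# Test-SentinelDataConnectors -Connectors $live
```

Keeping the evaluation separate from the Azure call is what makes the check unit-testable under Pester without a tenant: a test can feed `Test-SentinelDataConnectors` an empty array and a constructed list and assert on `Severity` and `Detail`, while only the live `Get-SentinelDataConnector` call needs credentials.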
End-to-end mock now produces 49 findings
Up from 42 in v0.3.0. Distribution: 2 P1, 9 P2, 22 P3, 16 INFO. The growing P3 count is expected — many Sentinel features are best-practice rather than critical-gap.
Test coverage
114 Pester tests passing.
Roadmap note
v0.5.0 will land +10 Defender for Office 365 and +8 Defender for Cloud depth checks, together with a CI matrix (PowerShell 5.1 on Windows; PowerShell 7 on Windows, Linux and macOS) and Codecov integration. v0.6.0 adds documentation depth (walkthroughs, threat model, ADRs).