This control plane turns Sentinel workspace data into one buyer-readable surface: connector health, analytics-rule coverage, automation readiness, stale incidents, and the response packets needed before SOC drift, audits, or tenant trust slip.
| Gap | Owner | Subject | Principal | Message |
|---|---|---|---|---|
| high identity-detection-gap | Identity Detection Engineering | Privileged access analytics Global SOC workspace | global-admins@kineticgain.com | Identity detection coverage around "Privileged access analytics" still needs confirmation before the SOC can call posture healthy. |
| high cloud-app-gap | Incident Automation | Phishing incident playbook EMEA collaboration workspace | — | Connector or cloud-app coverage for "Phishing incident playbook" remains incomplete and may leave Sentinel blind to incident pivots. |
| high playbook-gap | Incident Automation | Phishing incident playbook EMEA collaboration workspace | — | Incident automation around "Phishing incident playbook" is still missing enough playbook proof for response confidence. |
| high playbook-gap | Incident Automation | TI correlation incident queue Global SOC workspace | — | Incident automation around "TI correlation incident queue" is still missing enough playbook proof for response confidence. |
| medium connector-gap | Collaboration Detection Engineering | Collaboration Detection Engineering EMEA collaboration workspace | — | Sentinel workspace in EMEA collaboration workspace is degraded and not carrying healthy connector coverage. |
| medium playbook-gap | Collaboration Detection Engineering | Collaboration Detection Engineering EMEA collaboration workspace | — | Sentinel workspace in EMEA collaboration workspace is missing healthy incident-playbook automation coverage. |
| medium stale-active-detection | Identity Detection Engineering | Privileged access analytics Global SOC workspace | — | Detection "Privileged access anomaly detection is missing a current owner" has remained active since 2026-05-26T10:35Z. |
| medium endpoint-detection-gap | Security Platform | Defender for Endpoint connector Global SOC workspace | — | Endpoint detection coverage for "Defender for Endpoint connector" remains incomplete and needs a tighter containment path. |
| medium stale-active-detection | Security Platform | Defender for Endpoint connector Global SOC workspace | — | Detection "Server telemetry connector drift on finance reporting nodes" has remained active since 2026-05-25T21:00Z. |
| medium cloud-app-gap | Collaboration Detection Engineering | M365 audit connector EMEA collaboration workspace | — | Connector or cloud-app coverage for "M365 audit connector" remains incomplete and may leave Sentinel blind to incident pivots. |
| medium stale-active-detection | Collaboration Detection Engineering | M365 audit connector EMEA collaboration workspace | — | Detection "Collaboration app connector is not ingesting enough audit events" has remained active since 2026-05-24T22:40Z. |
| medium stale-active-detection | Incident Automation | Phishing incident playbook EMEA collaboration workspace | — | Detection "Incident playbook is incomplete for high-confidence phishing incidents" has remained active since 2026-05-24T09:15Z. |
| medium high-severity-unassigned | Incident Automation | TI correlation incident queue Global SOC workspace | — | High-severity detection "Threat-intel correlation rule remains active without verified closure" still has no assigned owner. |
| medium stale-active-detection | Incident Automation | TI correlation incident queue Global SOC workspace | — | Detection "Threat-intel correlation rule remains active without verified closure" has remained active since 2026-05-23T12:20Z. |