This control plane turns Sentinel workspace data into one buyer-readable surface: connector health, analytics-rule coverage, automation readiness, stale incidents, and the response packets needed before SOC drift, audits, or tenant trust slip.

| Lane | Owner | Focus | Status | Findings | Next action |
|---|---|---|---|---|---|
| Identity detection lane: Identity analytics still carry unresolved coverage and owner pressure. | Identity Detection Engineering | Privileged access detections, anomaly coverage, and rule ownership. | red | 2 | Reconcile analytics tuning and privileged access ownership before the next admin review window. |
| Endpoint coverage lane: Endpoint coverage is recoverable, but connector drift is still blocking full trust. | Security Platform | Connector health, server telemetry, and endpoint evidence completeness. | yellow | 6 | Restore endpoint connector health and verify finance node telemetry. |
| Collaboration detection lane: Collaboration event flow is degraded and detection coverage is incomplete. | Collaboration Detection Engineering | M365 audit events, mailbox detections, and cloud-app visibility. | red | 3 | Repair audit ingestion and confirm collaboration detections before external campaigns expand. |
| Incident automation lane: Playbook drift and incident-closure proof are still below the desired bar. | Incident Automation | Playbook readiness, incident closure evidence, and response confidence. | red | 8 | Repair incident playbook execution and close the stale TI queue. |