Today (12 May 2026)

Observability Agent ( Preview) in Logs Blade.

3 May 2026 at 16:13

Has any of you explored the Observability Agent capability sitting in the Logs Blade inside Sentinel?

I had gone through the MS-provided docs, but didn't find them useful. The real deal is different: with this, what we have is an AI agent sitting on top of our SIEM logs. We can ask it anything and it will give us what we would get from a model like ChatGPT or Claude if they had this data to analyse.

I tried use-cases where I asked the agent to see if we can reduce log ingestion by removing unwanted logs,

cases on cost optimisation,

even pulling the watchlist (via the Get watchlist function) and asking it to evaluate the current logs for any old IOCs from the watchlist.

Also tried analysing present rules with this agent and seeing if they fit the security posture.

But I also found some downfalls: for certain customers of mine, the OAgent was not giving fast responses, and the longer it took to respond, the less accurate the answers felt as well. Also found the limitation that a single prompt couldn't be more than 500 words...

So similarly, if you guys have tried it out and have tried interesting use-cases, please share, and also if you have any docs or materials on the Observability Agent, so as to get in, drill deep down and understand this, please share those as well.

All comments are welcome. Thanks

submitted by /u/R4gNoro
Before yesterday
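The two checks the post describes (which tables drive ingestion cost, and whether old watchlist indicators still show up in current logs) can be run as plain KQL in the Logs blade, which gives a baseline to judge the agent's answers against. This is an added example, not code from the post or from Microsoft; it assumes a watchlist named 'IOCs' whose SearchKey column holds IPv4 addresses and uses CommonSecurityLog as the table to sweep. Table and column names are the standard Sentinel/Log Analytics ones, but the watchlist name and key column are assumptions.

```kql
// Added example (not from the post). Assumptions: watchlist 'IOCs' with IPv4
// indicators in SearchKey; CommonSecurityLog as the log source to sweep.

// 1) Billable ingestion per table over the last 30 days.
//    Usage.Quantity is reported in MB, so divide by 1024 for GB.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType
| order by IngestedGB desc

// 2) Sweep the last 7 days of CommonSecurityLog for destination IPs that
//    still match an indicator on the watchlist, with first/last seen per hit.
let iocs = _GetWatchlist('IOCs')
    | project Indicator = tostring(SearchKey);
CommonSecurityLog
| where TimeGenerated > ago(7d)
| extend Indicator = DestinationIP
| join kind=inner iocs on Indicator
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by Indicator, DeviceVendor
| order by Hits desc
```

Run the two queries separately (select each one in the Logs blade). The first tells you which DataType values to ask the agent about trimming; the second is the ground truth for any claim the agent makes about watchlist indicators being present or absent in recent logs, and swapping DestinationIP for SourceIP covers inbound matches.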

Sentinel to Defender Migration

27 October 2025 at 09:40

Hey Reddit 👋,

I’m working on migrating a multi-workspace tenant into Microsoft Defender XDR / Sentinel and ran into a weird issue —

Here’s the situation:

I’ve got Security Administrator access on the workspace.

I also have User Access Administrator rights on the workspace.

The Defender XDR data connector is present and showing as Connected. Logs are definitely flowing from Defender into the Sentinel tables.

Yet — when I log into the portal at security.microsoft.com and try to connect the workspace for migration, I don’t see the workspace listed. Meanwhile, a demo workspace that our pre-sales team previously onboarded is visible and already migrated. When I try to add another workspace, it simply doesn’t show up.

My questions:

  1. Are there any other roles or RBAC permissions needed beyond what I have?

  2. Could the issue be that the workspace is not in the correct tenant or is somehow not eligible as a “primary workspace” in the Defender portal context?

  3. Any other known quirks/troubleshooting steps when a workspace doesn’t appear for migration?

Would appreciate any insights or similar experiences! Thanks in advance.

submitted by /u/R4gNoro