Energy giant OMV has halved the time it takes to resolve cyber threats across its sprawling operations, a feat it attributes to a wholesale security operations center (SOC) modernization built on Microsoft Sentinel, Defender XDR, and rigorous automation. The Austrian oil and gas firm, which must safeguard critical infrastructure across multiple countries, detailed the transformation in a Microsoft customer story published this month. For security teams eyeing similar gains, the deployment offers a real-world blueprint—but also surfaces the hard trade-offs and operational discipline required to pull it off.
What OMV actually built
OMV’s old SOC relied on a mix of tools that generated siloed alerts and required heavy manual coordination, especially with external security partners. The new architecture ties together Microsoft Sentinel as the cloud-native SIEM and SOAR, Microsoft Defender XDR as the primary telemetry source spanning endpoints, identities, email, and cloud apps, and Azure Data Explorer for flexible, cost-effective log storage and analytics. Automation runs on Logic Apps playbooks embedded directly in Sentinel. To meet strict European data-privacy rules, the company demanded customer-managed encryption keys (CMK) for data at rest—a non-negotiable requirement that dictated parts of the architecture.
“Moving to the cloud and meeting our data compliance requirements was only possible with customer-managed keys for Azure Storage encryption,” said Ulrich Koinig, Department Manager of Cyber Defense at OMV, in the published story. Microsoft’s Unified Support team assisted with architectural validation and deployment.
Why this matters now
For large enterprises, the convergence of cloud, identity, and endpoint attacks demands a security operations stack that can correlate signals natively rather than stitching them together after the fact. OMV’s move reflects a broader shift away from sprawling, on-premises SIEM tools that buckle under modern data volumes and force analysts to context-switch across consoles. The integration of Defender XDR—which already unifies telemetry from Microsoft 365 E5 components—with Sentinel means alerts arrive enriched with cross-signal context, cutting triage time dramatically.
The result, according to OMV, is a 50% reduction in mean time to resolve (MTTR) incidents. While the 50% figure is a customer-reported metric and hasn’t been independently audited, it reflects the directional benefit of unified telemetry and automation observed in similar deployments. The operational upshot for a company like OMV, which manages both IT and operational technology (OT) environments, is a reduced attack surface dwell-time and faster containment when breaches do occur.
The architecture under the hood
OMV’s stack relies on four pillars:
- Microsoft Sentinel acts as the centralized SIEM and orchestration hub. It ingests alerts, correlates them, and triggers automated playbooks.
- Microsoft Defender XDR (encompassing Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps) provides the bulk of telemetry. Its native cross-signal correlation reduces the number of raw alerts that need human review.
- Azure Data Explorer (ADX) provides scalable, cost-tunable log storage. OMV uses “hot” storage for frequently queried data, “warm” for less active data, and “cold” for compliance-required long-term archives. This tiering avoids runaway ingestion costs while keeping recent incident data ready for fast queries.
- Logic Apps automate routine SOC tasks: isolating machines, revoking user sessions, blocking malicious IPs, and enriching incidents with threat intelligence—actions that previously required tickets to an external security operations partner.
Azure Data Explorer, for instance, allows OMV to retain petabytes of security logs while keeping query performance high for recent time ranges. By defining hot, warm, and cold data policies, the SOC can balance investigative agility with budget constraints.
Automation that shrinks response times
The standout operational win for OMV was automating away manual handoffs. “With Logic Apps in Sentinel, we automate our security workflows, so we’re not dependent on manual updates from our external security partner,” Koinig said. Playbooks codify steps like containment, enrichment, and notification, ensuring consistent response even during off-hours or staff shortages.
For SOC leaders, the lesson is twofold: automation is not just a time-saver but a dependency-reducer. By building approvals and safeguards directly into the playbooks—for example, requiring senior analyst approval for irreversible actions—teams can accelerate response without sacrificing control. A typical playbook might: enrich an incident with geolocation data, check the offending IP against threat intelligence, and if the behavior matches a known pattern, automatically isolate the affected endpoint and notify the on-call analyst. Such a workflow, which once took an hour or more of manual coordination, now executes in minutes.
Customer-managed keys: a double-edged sword
For regulated industries, proving key control is often table stakes. OMV’s use of CMK let it meet GDPR and internal standards. But the operational realities are more complex than marketing suggests. A dedicated cluster is typically required, which elevates baseline cost. Key lifecycle management—rotation, access policies, disaster recovery—must be carefully planned to avoid service interruptions. Moreover, the CMK scope is limited; it does not uniformly cover every log artifact, a nuance that could trip up compliance teams if not documented clearly. Any enterprise evaluating CMK for Sentinel should start with a thorough mapping of data flows and a commitment to ongoing operational overhead.
What it takes to get similar results
OMV’s experience provides a repeatable pattern—but only under the right conditions. Here’s a phased roadmap drawn from their journey and our own analysis:
- Start with a pilot. Choose a subset of high-value assets, perhaps a single business unit, and measure detection fidelity, false positive rates, and analyst effort before scaling.
- Model costs rigorously. Cloud SIEMs charge for data ingestion, retention, and query. Use ADX or Log Analytics tiering to keep recent data interactive while pushing older logs to cold storage. Factor in the dedicated cluster cost if CMK is required.
- Invest in telemetry coverage. No amount of automation can compensate for blind spots. Ensure endpoints, identity, email, and cloud logs are fully onboarded before tuning detections.
- Build and govern playbooks with care. Start with enrichment-only automation (e.g., adding IP reputation data to an incident). Graduate to semi-automated actions requiring analyst approval, then fully automated containment for well-understood threats. Always include rollback steps.
- Train analysts on the unified console. Moving from multiple tools to a single Defender-plus-Sentinel interface requires a shift in mindset. Run parallel operations for a transition period.
- Define operational KPIs early. Track mean time to detect (MTTD), MTTR, analyst hours per incident, false positive rate, and playbook success rate. These metrics will justify the investment and pinpoint areas for tuning.
- Plan for the long tail. If you have critical non-Microsoft telemetry (e.g., specialized OT or network sensors), ensure you can ingest it cost-effectively. Sentinel supports many native connectors, but custom feeds may require Azure Functions or syslog forwarders.
- Document an exit strategy. While not suggesting immediate departure, regulators and auditors will want to know that forensic artifacts can be exported in a portable format if the need arises.
Who should—and shouldn’t—follow OMV’s lead
This model fits best for organizations that are already heavy Microsoft 365 E5 users, want to consolidate SOC tooling, and have the engineering staff to manage playbooks, data tiering, and key lifecycle. Regulated firms gain additional benefit from demonstrable key control and audit trails.
Caution flags fly for teams with predominantly non-Microsoft endpoints or those that rely on third-party XDR tools that would become redundant. Vendor lock-in is real: unwinding a deeply integrated Microsoft security stack is costly and disruptive. And while automation reduces analyst workload, it shifts demand to security engineering skills; you need people who can code Logic Apps and maintain detection rules. Teams that can invest in security engineering to build and maintain playbooks, detections, and governance will reap the most benefit. Those lacking such resources may find the operational burden outweighs the gains.
The bigger picture
OMV’s story is one data point in a steady drumbeat of enterprises betting on platform consolidation. Microsoft’s push to unify Sentinel with Defender XDR in a single portal (now renamed Microsoft Defender) signals where the product is heading: a fully integrated security operations platform that spans SIEM and XDR. For Windows-centric shops, the appeal is immediate: fewer consoles, native correlation, and a licensing model that leverages existing E5 investments. Competitors like Splunk and CrowdStrike still offer more flexible integrations in heterogeneous environments, but Microsoft’s value proposition for its own ecosystem is difficult to ignore.
As Koinig put it, “It’s not just about detecting threats. Microsoft Defender XDR unifies our security environment, so everything works together seamlessly.” For security leaders staring down board demands to do more with less, that seamlessness—warts and all—may be the deciding factor.