But as more customers started using the service, Winter started noticing an interesting side effect that he calls 'data exhaust'; patterns of information that emerge from the data customers are creating inside OMS. By uploading their logs in the Security and Audit Collection, customers don't just get alerts about attacks that are happening. They also add their information about attacks to the details Microsoft gathers from its own system, making it easier to spot malicious IP addresses that are engaged in attacks.
There's also a social, community aspect emerging, Winter says. "Another thing we saw - and it seems really simple; how long a patch takes to apply. How long is it taking other people?" That kind of comparison can be invaluable (rather than invidious), because it's going to help you see how you're doing on the basics. And if you don't get those right, the most sophisticated threat intelligence systems can't protect you.
Sign up for CIO Asia eNewsletters.