Microsoft Sentinel Reviews

Our use cases include working with clients by installing it for them, deploying it within our own organization, and I personally utilize it as a Solutions Architect for demo purposes, etc. 

The features that I or my customers consider most valuable within Microsoft Sentinel include the ability to query, the integration with the rest of the Defender and the Microsoft suites, and the workbooks and dashboards.

The ability to query is valuable to us because it allows you to drill down to specific information that you need and even drill down further from there. It really helps you get at the information, especially from an investigative perspective, that you need. With the workbook dashboards, once you find a good information set or data set, let you flip that around and turn it into a dashboard so it can be repeatable and visible to other folks in the organization.

Microsoft Sentinel's ability to correlate data from multiple sources enhances our threat detection capabilities beyond what is a simple data lake solution by filtering out the noise and consolidating the signal down to a meaningful level that is easier to investigate and see. It allows us to truly see what is going on and gives us that focused visibility.

It does provide actionable data, not just visibility, as it can provide insights beyond what a normal data stream could give you.

The integration of security functionalities such as SIEM, SOAR, TIP, and UEBA in Microsoft Sentinel is well-executed, particularly the seamless integration of UEBA. However, there is confusion between UEBA and Defender for Identity that needs to be explored further. Microsoft has defined the XDR level, but from an MSSP perspective, the SOAR capability is integrated adequately, while customers might not fully utilize it yet due to marketing factors.

Creating an awareness campaign for these integrations would be beneficial.

The impact of Microsoft Sentinel on our advanced hunting abilities has been significant because it allows us to really hone in from an investigative perspective and dive deeper into investigations. Even without access to a customer's environment, we capture a lot of data and can drill down on specifics like when and from where emails were sent, what their content was, and so on. It provides us with a complete attack story and history.

Up until recently, the MITRE ATT&CK integration in Microsoft Sentinel was based on an older version, rendering it less meaningful, but now with the upgrade to the latest version, it allows us to map our threat intelligence efficiently to the MITRE framework, which has been beneficial.

I would highlight the new case management feature as great. Its presence gives Microsoft Sentinel an edge as many other SIEMs have had mature case management capabilities. Additionally, as it becomes part of the Defender portal, the journey and integration narrative between Sentinel and the complete Defender XDR should be better defined, especially since more customers opt for Sentinel only.

Having a great CX team within Microsoft enhances the experience, although having a distracted account manager lessens focus on critical details for customer needs.

A lot of the automation inside Sentinel comes with inside actually rolling out brand new Sentinel environments. We utilize that a lot and it might go beyond just Sentinel, for example, utilizing templates in Azure and templates elsewhere to actually deploy out. A good scenario is when customer environments have multi tenancy. Being able to roll out those additional tenants with the automation has been huge. We went from it taking 20 hours to build a tenant to a matter of two to four hours. That's a 75% savings. 

The SOC optimization is a big part of what we do. We have to manage our own costs, however, we have built in automations for reporting to trigger when data is exposed. I have one customer that had 225 GBs a day when onboarded, and now we're down to 110 GBs. As far as our reporting, it does help everything become more efficient.

We started using Microsoft Sentinel one year ago. We are still piloting the environment because we are transitioning towards cloud solutions with Microsoft Intune. 

Until now, we have been using third-party products, but due to requirements to have stronger security in the cloud, not only on the client endpoint side, we are moving to Microsoft Sentinel. Our focus is on strengthening cloud security as well as client endpoints. Microsoft Sentinel is used to substitute our Splunk solution, covering the security of main Azure services such as Entra ID and automating threat protection for client sites and endpoints.

The automation feature affects our team's efficiency in handling security incidents. It helps us to auto-isolate or auto-react to defined issues or activities. We do not need a lot of manpower.

We are now seeing many more incidents. Previously, we were not aware of them. We are able to close those security gaps. It helps us protect our environment better. We feel safe knowing that we have a solution that we can use to react in case of an emergency.

We now have Office 365, Exchange, and other solutions included in there. We are now also onboarding clients. We will be able to track the threat workflow better and see if it is coming through the email or getting exploited from the network share. We will be able to find the source of the issues and prevent them in the future. We are still at the beginning and have not discovered any issues yet.

We're an MDR provider, so we utilize Microsoft Sentinel in deployments into our customers' environments to protect their environments and detect any type of security threats. We offer 24/7 support.

Microsoft Sentinel helps our company generate revenue directly from supplying these security services and managing them for our customers on a monthly basis. Along with the SOC services that we provide on top, there is a holistic coverage for customers.

It has enabled our team to triage security incidents faster and remediate them to get back to business quicker after customer incidents. Because we're able to reduce the number of incidents and the time per incident with Microsoft Sentinel, we can handle more incidents. Additionally, through rule tuning within Microsoft Sentinel, we reduce the number of incidents that have to be reviewed.

Microsoft Sentinel has increased efficiency and allowed our team to do more proactive work. We have seen at least a 60% increase in efficiency with Microsoft Sentinel and the ability to reduce the MTTD down to under five minutes and MTTR down to under fifteen.

A part of what we do within Microsoft Sentinel for our customers, and for ourselves, is the rule tuning. We're able to only ingest the logs that are going to provide additional security value. With that, we're able to utilize the SOC automation features. We're able to reduce the amount of log ingestion that takes place and reduce the customers' costs.

The integration of security functionalities, such as SIEM, SOAR, TIP, and EUBA, in Microsoft Sentinel is definitely beneficial. It's definitely a benefit of Microsoft Sentinel to be able to have a holistic deployment and a best-of-breed tool set that can integrate with each other. We can utilize the components from each of the tools to gain additional insight, additional access, and additional steps.

Microsoft Sentinel has not directly affected our compliance reporting, but it has been utilized for audit evidence collection to be able to do SOX compliance from Microsoft Sentinel logs.

Microsoft Sentinel has the ability to enhance some of the features that we already have. It allows our team to see some additional threat vectors.

The MITRE ATT&CK-based recommendations within Microsoft Sentinel are paramount for helping our customers understand where they're seeing threats and the part of the framework. We are able to catch threats faster instead of waiting for breach notifications. Microsoft Sentinel drastically reduces the impact of any type of breach.

In our Security Operations Center, we rely on Microsoft Sentinel for continuous security monitoring. We collect logs from various customer environments and define security use cases with correlation rules to analyze activities. These rules leverage predefined criteria to identify potential malicious behavior. Microsoft Sentinel serves as our central platform for security monitoring, investigation, and remediation of security threats detected through alerts.

The biggest challenge in security monitoring is managing the vast amount of logs generated daily from various devices like web servers and firewalls. Microsoft Sentinel tackles this by collecting all logs in a central location and allowing us to define rules. Using its query language, we can search across these logs for specific conditions, like malicious activity. If a suspicious event is identified, Sentinel generates an immediate security alert, enabling our team to investigate and take appropriate action to stop potential attacks.

Microsoft Sentinel helps us identify security threats through built-in machine learning. It analyzes network traffic patterns and can detect anomalies, like unusually high data transfers outside typical hours. These anomalies trigger alerts, allowing for early intervention.

Microsoft Sentinel shines in its ability to bridge hybrid and multi-cloud environments. It seamlessly integrates with on-premises infrastructure through Azure Arc, and even private clouds can be connected via Azure Gateway and a VPN to the Azure Log Analytics workspace. This unified approach ensures all our security data, regardless of origin, is ingested and analyzed for potential threats.

Microsoft recently launched Content Hub, a marketplace for pre-configured security solutions within Azure Sentinel. Unlike our previous experience setting up data connectors a few years ago, Content Hub offers a one-stop shop for integrating security tools. When we choose a data connector, we also get pre-built correlation rules, playbooks, and workbooks – all packaged together for faster and more effective security monitoring. The content hub streamlines onboarding pre-built SIEM content, especially during the initial SOC setup. When starting fresh with a new environment and unsure of specific use cases, we can search for relevant data sources in the hub. Once integrated, the content hub provides pre-configured rules alongside those connectors. Simply enabling these rules offers substantial coverage for our MITRE ATT&CK mapping, a framework that assesses our ability to detect various attack techniques. By leveraging these out-of-the-box tools, we gain significant initial security coverage with minimal effort.

The content hub helps us centralize all of the out-of-the-box content available from Sentinel.

Sentinel acts as a central hub, bringing together information from various sources both internal, first-party, and external, third-party into a single, unified view. This allows us to analyze logs stored in different tables, regardless of their naming conventions. By defining correlation routes, Sentinel can examine specific activities across these disparate sources. For example, we could create a route that checks firewall logs for suspicious activity and then correlates it with specific user actions in Windows device logs, providing a more comprehensive picture of potential security incidents.

Sentinel improves our visibility into user and network behavior through a feature called User Entity Behavior Analytics. This leverages Microsoft's machine learning to analyze user and device activity. If we're investigating multiple security incidents involving a user or device, UEBA provides a broader view. We can directly access the user's history of incidents and visualize their connections to other alerts and impacted devices in a graph format. This allows for efficient investigation of complex incidents impacting multiple users and devices.

Microsoft Sentinel streamlines security incident investigation. The incident page clearly displays involved entities and details of triggered alerts, including logs. This allows SOC analysts to quickly assess the situation and potentially predict the nature of the activity, even before diving into event logs. Sentinel's powerful query language further simplifies investigation by enabling easy data visualization, formatting, and custom functions, all within various timeframes. This significantly accelerates the overall investigation process.

Sentinel has streamlined our event investigation process. By allowing us to predefine keyword queries for specific alerts, it eliminates the need to manually craft queries each time. Similar to how SOCs use pre-defined playbooks for various incidents, Sentinel lets us define queries that return relevant data quickly. This cuts down on investigation time by allowing us to focus on the specific alert and the data it generates.

Our use cases for Microsoft Sentinel are SIEM and logging for any activity. We have been having some issues and we are using this logging for that purpose.

I am using Microsoft Sentinel for threat intelligence and threat hunting, and it is definitely helping us.

We did not have centralized logging in place, and Microsoft Sentinel has definitely helped us instead of having to spin up our own centralized logging, which is not scalable. Microsoft Sentinel has many integrations that help us with threat hunting and reduce the amount of effort needed from our end.

We're using it for threat intelligence and threat hunting and it's definitely been helping. 

As a managed security service provider, we have a managed security service that we provide to customers, and our managed services are often built on Microsoft Sentinel.

Our managed SOC is based on Microsoft Sentinel, and a key benefit is that we've been able to take customers' investments, especially in E5 licensing, and make that investment stretch further than they would have had they gone to a competitor's product. This helps organizations drive and uplift their cyber resilience in a cost-effective manner.

For us, customer retention is key, and we can articulate value about the services we provide because the backend services and Microsoft Sentinel itself do the job for us. The benefit lies in customer retention, keeping our costs down, and providing value to customers by making every dollar they invest go further.