Microsoft Sentinel Reviews

We have been using Microsoft Sentinel for the last 2.5 years. Our primary use case for Microsoft Sentinel is centralized security monitoring and incident response for our corporate IT environment, supporting around 1,200 to 1,500 users. We mainly use it to collect, correlate, and analyze security logs from multiple sources and convert raw events into actionable incidents for the SOC team.

The tasks we use Microsoft Sentinel for most often include threat detection and alert correlation. Microsoft Sentinel helps us identify suspicious activities by correlating logs across identity, endpoint, and network sources. We also use it for identity and user activity monitoring to monitor abnormal sign-ins, privilege misuse, and unusual user behavior across the corporate environment. Additionally, incident investigation and response is very important for our organization, and we also use threat hunting with KQL, Kusto Query Language.

We use Microsoft Sentinel mainly for centralized SIEM, Security Information and Event Management, and SOAR, Security Orchestration, Automation, and Response operations, enabling threat detection, incident investigations, and automation response across nearly 1,500 users in BFSI corporate IT.

One practical example is an abnormal user sign-in incident in our corporate IT environment. Microsoft Sentinel correlated multiple low-severity alerts, such as unusual sign-in locations, multiple failed authentication attempts, and sudden access to applications not normally used by that user. Individually, these events did not look critical. However, Microsoft Sentinel correlated them into a single incident, which allowed the SOC to identify a potential account compromise early. Using Microsoft Sentinel's investigation view, we quickly analyzed the user timelines and confirmed the suspicious behavior. The SOC then triggered a SOAR playbook to notify the security team and take immediate containment actions. Because of this correlation and centralized visibility, the incident was detected and contained early, preventing further lateral movement or misuse of the account. Microsoft Sentinel helped detect a potential account compromise by correlating abnormal sign-in behavior and access patterns into a single incident, allowing the SOC to respond and contain the issue early.

Based on real operations used in our corporate IT environment, the key features include log correlation and incident view. Microsoft Sentinel's biggest strength is how it correlates multiple related alerts into a single incident. This significantly reduces alert noise and helps the SOC focus on real threats instead of isolated events.

Another valuable feature is KQL-based threat hunting with Kusto Query Language. The flexibility of this language allows us to build custom hunting queries based on our environment's behavior. This is extremely useful for detecting low and slow threats or hidden threats that default rules may miss.

Cloud-native scalability and stability is another important feature. Being cloud-native, Microsoft Sentinel scales well for medium to large corporate environments without infrastructure management. Stability has been solid in day-to-day production.

SOAR automation using playbooks is a feature we highly recommend. Microsoft Sentinel's SOAR functionality helps automate repetitive SOC tasks like alert enrichment and notification. This saves analyst time and improves response consistency.

Microsoft Sentinel does not require extensive improvements, but there are some areas where enhancements would be beneficial. Cost visibility and control need to be simpler. Cost management is still one of the biggest pain points. Log ingestion and retention costs can grow quickly, and understanding which data source is driving cost is not always straightforward.

Better built-in cost breakdown and predictive alerts would help SOC and management teams plan more effectively. Microsoft Sentinel is a strong SIEM tool, but it would benefit from better cost transparency and easier onboarding for analysts.

We have been using Microsoft Sentinel for the last 2.5 years.

We have found Microsoft Sentinel very stable from a day-to-day SOC operation perspective. Microsoft Sentinel itself has not been a point of failure for us. The Microsoft Sentinel service in core SIEM, which means security information and event management, functions have been consistently available. Incident creations, analytics rules, investigations, and workflows have been reliable. We have not experienced Microsoft Sentinel-side outages that block the SOC operations.

Microsoft Sentinel scales smoothly, but only if log onboarding and tuning are done properly. As users, endpoints, and security tools increased, Microsoft Sentinel handled higher log ingestion without performance issues. There is no need to add hardware or redesign infrastructure because it is cloud-native. Scaling was automatic from the platform perspective. The real work was deciding what logs to ingest, not worrying about capacity.

Microsoft Sentinel scales reliably as log volume and users grow with no infrastructure bottlenecks. The main challenge is in managing ingestion and the cost, not platform performance.

Microsoft support is very helpful and outstanding. We have interacted with Microsoft support mainly for ingestion issues, analytic behavior, and connector-related problems. All of these interactions were positive.

I would rate customer support for Microsoft Sentinel seven out of ten. The reasons include good escalation support for high-severity issues, knowledgeable engineers once the case reaches the right level, and clear explanation for platform or ingestion-related problems. I rate Microsoft Sentinel support seven out of ten because escalation support is solid, but the initial response and complex issues resolution can take time without premium support. It depends on the support tier and case severities.

Positive

Microsoft Sentinel goes beyond a simple data lake. A data lake mainly stores logs without naturally understanding security context, relationships, or behaviors. Microsoft Sentinel, on the other hand, actively correlates data across multiple sources and converts raw events into security incidents.

The practical impact of multiple sources correlation can be seen in the detection of multi-stage attacks. Microsoft Sentinel correlates signals from identity, endpoint, network, and cloud services. Individually, these events look low-risk, but when combined, Microsoft Sentinel detects attack patterns that a data lake would never surface on its own. For example, unusual sign-in followed by endpoint activity, followed by access to uncommon resources. A data lake stores these events separately, while Microsoft Sentinel links them into one incident with context.

Microsoft Sentinel also provides security context and entity awareness. Microsoft Sentinel understands users, devices, IP addresses, and applications as entities, not just a log field. This entity-based model allows behavior analysis over time, which a raw data lake does not provide without heavy custom engineering.

The real setup cost is engineering effort and time spent on boarding data connectors, alert tuning, and cost optimization. From the banking SOC perspective, this is acceptable and expected.

One very important metric is audit and reporting time savings. Earlier, audit data collection took days across tools. But with Microsoft Sentinel's centralized logs and incident records, audit data preparation was reduced to hours. This saved time across SOC, compliance, and security management teams.

Microsoft Sentinel delivers ROI mainly by reducing response time, improving analysis efficiency, and simplifying audits. We did not cut staff, but significantly increased SOC output with the same team.

We have seen a clear return on investment mainly through time saving, operational efficiency, and better use of existing SOC resources rather than direct headcount reduction.

ROI impact from Microsoft Sentinel, which we observed in real metrics, includes improvements in incident response time. Our MTTR, mean time to response, improved by forty to fifty percent. Earlier, medium-severity incidents took two to three hours to resolve. Now, after Microsoft Sentinel, it is forty to fifty-five minutes. This came from alert correlation to a single incident, faster investigation timeline, and automation handling first-level tasks, which is the biggest and most visible ROI.

Another metric is analysis productivity. The same team handles twenty-five to thirty percent more alerts and incidents, with less time spent on manual enrichment and repetitive actions. SOAR playbooks remove routine work like incident tagging, initial contact gathering, and notifications. ROI here is capacity gain, not layoffs.

We also achieved reduction in wasted effort from false positives. After tuning, we saw a thirty to forty percent reduction in low-volume alerts. Analysts stopped spending time on isolated, non-actionable events. This directly translates to fewer wasted analyst hours and better focus on real security risk.

Microsoft follows a usage-based pricing model, mainly driven by log ingestion volume and data retention. From our experience, pricing is transparent but not always predictable at the beginning. Cost increases as more data sources are onboarded. Without log filtering and tuning, spend can grow quickly in a two-thousand user environment.

Once we optimized and selected only security-relevant logs, adjusted retention periods, and tuned analytics rules, the cost became manageable and justifiable. Microsoft Sentinel is not a low-cost SIEM. There is no traditional setup or infrastructure cost. There is no hardware, server provisioning, or on-premises SIEM installations.

I highly recommend Microsoft Sentinel as a solution.

My advice would be straightforward. Microsoft Sentinel is a powerful SIEM, but success depends on more than just the tool itself. I would give three key pieces of advice to organizations considering it.

First, plan your log ingestion strategy carefully. Do not try to onboard everything at once. Prioritize critical data sources, use filtering to reduce noise and cost, and define your data retention policies upfront.

Second, invest early in KQL skills. Do not rely only on built-in analytics. KQL is the key to unlocking advanced threat hunting, custom detections, and deep investigation. Train your analysts.

Third, tune default analytics rules and correlations. Do not assume the out-of-the-box settings are perfect for your environment. Continuously refine rules, create baselines, and reduce false positives to improve signal quality.

Fourth, use SOAR for what it is good for. Automate repetitive, high-volume, low-risk tasks like enrichment and notifications, but not complex investigation decisions.

Finally, monitor cost constantly. I rate this review seven out of ten overall.

My main use case for Microsoft Sentinel is as a SIEM.

What I like most about Microsoft Sentinel is that it's a native solution, it's not a traditional SIEM, and it integrates with all the Microsoft security workloads we use.

These features have benefited my organization by providing a single pane of glass across all our security workloads from Microsoft.

The SOC optimization feature has saved a lot of time and cost for my organization and is beneficial as we don't have to manage multiple products.

Microsoft Sentinel can be improved in that the way it is built today means if you have a third party and you pay for ingestion, this is different than how some of the traditional SIEMs work. That's probably a challenge to budget how much we will spend on the ingestion. Other than that, I don't see any other concern.

I have been using Microsoft Sentinel for eight years.

I would assess the stability and reliability of Microsoft Sentinel as pretty good; they have 99.95% uptime with 99% uptime.

Microsoft Sentinel scales well with the growing needs of my organization; it's usage-based, so it helps to scale up and down. It's pretty lightweight when it comes to that.

Prior to adopting Microsoft Sentinel, we were using a traditional SIEM called QRadar.

I wasn't directly involved in deploying Microsoft Sentinel.

I have seen tons of ROI with Microsoft Sentinel; that's the backbone for our security solution.

My experience with pricing, setup costs, and licensing has been that it's free. Microsoft Sentinel is provided at no cost, so we didn't have any issues with the cost.

The other solution we considered before selecting Microsoft Sentinel was mainly QRadar.

Microsoft Sentinel gives me a unified set of tools to detect, investigate, and respond to incidents.

This unified approach is very important to me. That was one of the main reasons we moved to Microsoft because of the single approach. It allowed us to action the threats faster than going into multiple portals.

My impression of the effectiveness of AI and machine learning in enhancing threat detection and response with Microsoft Sentinel has been positive. We are in the pilot phase for that, and so far the results are pretty good.

Microsoft Sentinel's ability to correlate data from multiple sources has enhanced my threat detection capabilities beyond what a simple data solution could offer since we are using all Microsoft, and we use a few third parties that we use MCAS for, but so far it's been with the APIs, it's pretty good.

I don't have metrics apart from reducing the time it takes from our traditional SOC to Microsoft Sentinel; it has drastically reduced the time by less than half.

My advice to another organization considering it is that if you're using all Microsoft, you should be using Microsoft Sentinel since it's free.

A good data point is that we haven't been hacked yet, which is a good indicator. We are able to catch the threats early and respond to them.

What led us to change over was the fact that everything was Microsoft.

What stood out to me was getting all of Microsoft. I would rate this product a 7.

My main use cases for Microsoft Sentinel are primarily the SIEM at this point. We monitor and typically feed in Entra ID and security logs. We have connected it to XDR as well. We are channeling some items through Event Hub from other providers that we cannot access from a native connector. Additionally, we have been heavily using Azure Arc to get on-premises and multi-cloud systems into Microsoft Sentinel via the Arc agent.

I find the features of Microsoft Sentinel that are most valuable are the breakdown of the details that come in from Microsoft Sentinel's alert status, which are really helpful and they lead you in the right direction. It is integrated into our ServiceNow more easily than other vendors we have dealt with in the past from a SIEM perspective that are not providing the managed service on their own.

Microsoft Sentinel gives me a unified set of tools to detect, investigate, and respond to incidents. I cannot speak to the response side because we are not doing a lot of automated response, but definitely from the detection and investigation side.

The unified approach of Microsoft Sentinel is very important to me. With anything we do, because it is going to cut down on time for engineers to identify the issue and remediate it. There is a predictable cost across the board. I work for a managed service provider, so we are not working in a large enterprise, we are working across hundreds of different customers. So we can actually go and say, "Hey, company of this size, we can sell it to you, and this is how much it is going to cost you." From a training perspective, it makes it much easier to train not only the people coming in that are doing the higher level work, but also the people who are taking the calls initially, such as our SOC engineers that are doing the initial triage, to say that you have to go into this portal and look at this thing. All of these are going to aggregate together. Instead of saying, "Okay, you have to hop here. Then if this is the problem, you have to hop over here." Being able to dictate and train efficiently and in a streamlined way is probably the most value proposition we have for something in this category.

In my opinion, Microsoft Sentinel could be better if it could set itself up for me. At this point, I think we are going in the right direction with the unified portal and getting everything in. I think one thing that could be really helpful, and I actually do not know of any provider that is doing this, is that our SIEM is only as good as the information we are ingesting. We are all human and we forget to ingest things. So either Microsoft Sentinel or possibly another product from Microsoft that is able to go out and conduct discovery on your environment and say, "Hey, you are missing this from this connector for this because there is a whole new subset," would be extremely helpful. Helping find those gaps in the configuration piece would be extremely beneficial.

I have been using Microsoft Sentinel for the past two years.

I have had no performance issues with Microsoft Sentinel yet. We have had other Azure issues and other Microsoft outages, but Microsoft Sentinel has actually been pretty solid since we started using it.

In terms of scale, Microsoft Sentinel does scale with the growing needs of my customers. It is relatively new, as we have only had it deployed for about a year. We do see more and more customers coming on to it. I think we are seeing also that it is just a little bit easier to sell than some of the other products. We were using Fortinet and nobody knows who Fortinet is other than firewalls. They are expanding services because there is an ever-expanding security landscape. Then you have this threat detection and more recently with everything on the AI side, they are seeing some value there in either being able to remediate or help with remediation. Knowing that we are using Microsoft Sentinel, they are asking us to expand it out to more areas of the business.

In terms of Microsoft support, I would evaluate them on a scale of one to ten based on who I am calling. I typically have a good experience with Microsoft support. Since we are a CSP partner, I do not have to go through the base level, but we get to a higher tier of engineers. Typically, once you explain your issue, they will either tell you they are in the wrong department or they are helpful and working through the issue. The one thing I have to say is sometimes they take a little bit longer than I would prefer to either respond or be able to rectify the issue. But again, they are humans trying to figure out the issue with you. When I try to call or email or speak to the person, I try to provide as much useful detail as possible. I know when other people call, they provide nothing almost. So it is more of a discovery exercise. But all in all, I have a good experience. We do not come across a lot of people who are not confident in Microsoft support, which I cannot say about some of the other companies I have worked for who have not had this level of support. I am pretty happy on that front as well.

Positive

We previously used another SOC provider for SIEM. We have had a lot of enterprise customers really looking to go with the full Microsoft stack. So we have really integrated into Microsoft Sentinel, and it also integrates with a lot of our third-party vendors, and we run a lot of things on Azure. In that regard, it works in really well. It is a seamless integration.

My experience deploying Microsoft Sentinel has no real issues. The documentation is great. We did do some customization on some of the integration into our ServiceNow instance. But ultimately, we did a proof of concept on pretty much what eighty percent of customers are using these days, and then converted that into Terraform scripts. Then we deploy that pretty consistently across the board when we get a new customer. So we are able to really quickly streamline that onboarding process. At least we know what works and we are eighty percent of the way there. Of course, if there is something custom that needs to be added, that gets added manually, but taking out that human error was actually a real game changer compared to some of the other solutions that we were deploying.

Our customers do see a return on the investment in Microsoft Sentinel, and I believe there has been an expedited or quicker response time using Microsoft Sentinel versus using some other products. So in that, if we find a compromised password or we see some movement on the network, we are able to respond to it quicker. So we can stop that threat a little bit quicker. But in terms of overall technical value or even ROI, it is tough to say.

In terms of pricing, setup costs, and licensing of Microsoft Sentinel, I have had no issues honestly. We are always going to pose a competitive solution on the market. So the pricing and costs are no problem. We do have smaller customers that do not want to spend the money. But there is a value proposition there. You can buy a lesser solution and get lesser results and lesser security, or you can buy something that is a little more robust and you can be a little more comfortable. It is up to you.

Microsoft Sentinel is definitely comparable to similar solutions in the market in terms of its function, depending on where your stack sits. I think it is extremely well-placed in the market for what myself and my company do. We are really in the Microsoft ecosystem. We have clients going from on-premises Windows servers, Exchange servers, and SharePoint boxes up into Microsoft 365 and all the SaaS products. Now we are starting to see that shift into the PaaS services and the IaaS services. So Microsoft Sentinel is actually a perfect fit. There is not a lot of effort that goes into building those connections because it is already there. So it saves us a lot of time, ultimately.

I estimate that we have cut down our time to deploy using Microsoft Sentinel by about twenty to twenty-five percent.

The ease or difficulty of navigating the integrated features and UI across Microsoft Sentinel SIEM, XDR, and exposure management capabilities is getting better. When we first started, it was separate portals, for sure. Then I believe at this point, you have XDR and Microsoft Sentinel in one portal, and then everything is going to be rolled up into Purview. So I think once that becomes under one umbrella and one portal where you control it all, that will be the sweet spot. Because you do not want people going to multiple portals.

My impression of the effectiveness of AI and machine learning in enhancing threat detection and response within Microsoft Sentinel is that I have an interesting thought on AI. This whole thing is about AI, AI, AI. I think it is a great companion. I think a lot of people have taken the dive and said, "AI is going to do this for me." So they are taking that detection and response and remediation piece without actually putting eyes on it. For me, it is a little bit different. AI is great, but a human has to spot check it. Especially when it comes to actually implementing something in a customer's environment. It could be the right solution, for sure, but it could also break something and cause a bit of downtime. So that is not good either. So it is a good coworker.

AI is not replacing a human.

Microsoft Sentinel's ability to correlate data from multiple sources enhances my threat detection capabilities beyond what a simple data lake solution could offer. Our other platforms that we have worked with have been pretty good at aggregating data. Speaking into the realm of AI and then moving into something in the Microsoft Fabric, having the data in Microsoft Sentinel and being in a data lake, we can integrate it into something else in the Fabric where we can actually train it on different scenarios and AI. We can come up with our own internal agent that could remediate these things as we see them. So I think in that regard, it is good, but also I think we could do that with other platforms.

There is nothing out of the ordinary.

I cannot speak to the SOC optimization feature because I am more on the deployment, implementation, and architecture side, and that is a whole other department.

My overall rating for Microsoft Sentinel is six out of ten.

My main use case would be incident investigation.

The features I like the most include KQL, running KQL queries, and analyzing logs. An example of how these features have benefited my organization would be when you have different alerts, such as an anomalous login. You can use Microsoft Sentinel to perform KQL queries to look for sign-in logs and hunt specific anomalies and investigate further.

I think any feature which can further help streamline the different security products Microsoft offers would be beneficial. For example, you have Defender for Cloud, Endpoint, and all, but when a Defender is investigating an incident, you would likely have to jump into different environments to truly understand what's happening. I understand Microsoft is in the process of porting Microsoft Sentinel within Defender, which is a good first step, but anything that can be done to further harmonize the different security offerings would be a good step in the right direction.

I have been using Microsoft Sentinel since 2021.

I have not experienced any downtime, crashes, or performance issues in our environment.

Microsoft Sentinel scales pretty well with the growing needs of the organization.

We have expanded our usage. The process when we expanded was pretty automated, so you just have more traffic.

I think customer service and technical support are pretty good. Given our partnership with Microsoft, I would say customer service and technical support have been great, and I would rate it a 10 for us.

Prior to adopting Microsoft Sentinel, we were using another solution to address similar needs. Given our objective is to protect our Microsoft environment, Microsoft Sentinel was our pick. We have not evaluated other solutions to manage our Azure environment.

Regarding my experience with the pricing, setup cost, and licensing, I think it has been great.

I have another team member who performed the deployment of Microsoft Sentinel, and it seemed pretty standard.

I have seen a return on investment. For us, at least, the price point is justified, and we have not had any issues.

Regarding my experience with the pricing, setup cost, and licensing, I think it has been great.

Given our objective is to protect our Microsoft environment, Microsoft Sentinel was our pick. We have not evaluated other solutions to manage our Azure environment.

My impression of the effectiveness of the AI and machine learning in enhancing the threat detection and response is positive. We also use additional tools to augment from the Microsoft security family.

I think Microsoft Sentinel's ability to correlate data from multiple sources is strong. We definitely correlate data across different sensors within the Microsoft family, such as Defender for Endpoint or other tools we would use to further understand specific behavior. We do this on Microsoft Sentinel by running KQL queries. Given we have good proficiency with the data models underneath the hood, we are able to perform those analytics.

We do not use the SOC optimization feature yet.

My advice to another corporation considering using Microsoft Sentinel is to ensure your analysts understand the different data models within Microsoft Sentinel so that they can effectively execute KQL queries. I think that kind of training would further enable a partner to better utilize the Microsoft security family. I would rate this review an 8 overall.

My main use cases for Microsoft Sentinel involve implementing it for customers, and the use case varies depending on their needs. Typically, we conduct proof of concepts and test Microsoft Sentinel for threat detection across the Azure landscape. Many of the use cases with M365 connectors involve ingesting data from Defender. The use case varies, but it mostly focuses on the collection of security data from Microsoft-centric applications.

My favorite feature of Microsoft Sentinel is probably the connectors. We don't have to build custom solutions to ingest data from products, and the third-party ecosystem is quite good. If we have companies like Fortinet, Palo Alto, or Cisco, the fact that we can simply pull a connector makes it straightforward, so we don't have to spend time on that.

Microsoft Sentinel does give me a unified set of tools to detect, investigate, and respond to incidents. This unified approach is important to me. In today's world with numerous tools available, it's quite important. When we're training support technicians or security analysts, it's easier for them to pick up on centralized management with one place for incidents, alerts, and remediation.

I assess the ease of navigating the integrated feature and UI across Microsoft Sentinel, SIEM, and XDR as better than it used to be. It's quite good nowadays. There are still a couple of different portals that I have to navigate through, particularly Microsoft Sentinel in Azure and Microsoft Sentinel in Defender to get things connected. Overall, it's definitely better, and I would say it's quite easy to use.

My impression of the effectiveness of AI and machine learning enhancing threat detection is still forming. I've only barely used the Copilot features on Microsoft Sentinel, so I don't have a great opinion on it yet. It's relatively new to me, but I think it's a positive development. I believe it makes it faster to identify threats and connect the dots in certain areas that we can't see, so I think it's a good step forward. I just need to use it more.

The SOC optimization feature has not impacted my organization because we don't utilize it.

I think the integration with Azure Monitor could be better in certain cases. We've had difficulty extracting certain data out of Microsoft Sentinel to create alerts around monitoring. Additionally, Microsoft built-in connectors are constantly being deprecated, removed, and replaced. If they could streamline that process and better inform customers of what they should use for certain products, that would be beneficial.

I have been using Microsoft Sentinel since approximately 2021, so for four or five years now.

I have never had a problem with the stability and reliability of Microsoft Sentinel.

Microsoft Sentinel scales well with my growing organization in most cases. However, it comes down to cost, which is the biggest problem we have. If we want to ingest another data point, we have to be very careful about whether this will cost us ten thousand more dollars. It scales well, but we have to be conscious of cost.

I would describe the experience deploying Microsoft Sentinel as generally straightforward. We don't ever have many problems deploying it. There have been some open-source GitHub projects to rapidly accelerate the deployment via Bicep templates, and I don't think we have any problems deploying it. It's quite easy.

The costs and pricing of Microsoft Sentinel are expensive. That's my biggest complaint, especially from customers who are concerned about the significant expense.

Microsoft Sentinel's ability to correlate data from multiple sources has enhanced my threat detection. I think it's enhanced it because we don't have to go to multiple places. Every security vendor has their own solution, so if we have multiple firewall vendors feeding into one place, it's easy to see that across the landscape. I think it's faster. I would rate this review an eight overall.

Microsoft Sentinel serves as our main SIEM.

The features of Microsoft Sentinel that I appreciate the most include its SOAR feature, and it is beneficial that it has log collection capabilities.

Microsoft Sentinel has benefited our organization because we use it as a SOC as a Service, so all our logs come to one single pane of glass and provide one-stop shop visibility to all the logs.

Microsoft Sentinel provides me with a unified set of tools to detect, investigate, and respond to incidents, which is something I greatly value.

I find it interesting that Microsoft Sentinel is being moved to Defender, though I am not entirely satisfied with that direction. I believe the current implementation from the Azure portal is very solid.

For the next release, I suggest keeping Microsoft Sentinel in the Azure portal and enhancing how the data security connectors work. It would be beneficial to make it more robust towards threat hunting, and perhaps change the name from Jupiter to something else.

I have been using Microsoft Sentinel since 2022.

I assess the stability and reliability of Microsoft Sentinel as very stable and constantly improving.

I have never experienced any downtime, crashes, or performance issues with Microsoft Sentinel because it is SOC as a Service, so it maintains 100% uptime and scaling. However, I do have challenges with KQL, and I believe they could work on making the language more user-friendly.

Microsoft Sentinel scales with the growing needs of my organization because it has a threat hunting feature, threat intelligence, and it is a SOAR.

I am currently looking into expanding our usage and integrating multiple tools into Microsoft Sentinel.

I would evaluate customer service and technical support as solid because the team is local, very reachable and approachable. We also work with our sister agency, who are very well trained in Microsoft Sentinel.

On a scale of one to ten, I rate customer support and technical support an eight because sometimes when I have called tech support and it goes overseas, it becomes difficult to communicate effectively with them. I believe Microsoft could improve by keeping customer service within the US for Microsoft Sentinel customers who are within state and federal government sectors.

Prior to adopting Microsoft Sentinel, we were using Splunk to address similar needs.

The factors that led me to consider the change from Splunk to Microsoft Sentinel include the learning curve of Splunk, which I find not user-friendly. Compared to Microsoft Sentinel, the transition was straightforward due to its user-friendly portal, environment, and interface.

My experience with deploying Microsoft Sentinel was very straightforward because it functions as a SOC as a Service. I did need to engage an outside vendor, our sister company agency, to help us create a tenancy, which presented a minor challenge, but otherwise the process was much easier than expected.

My experience with pricing, setup costs, and licensing for Microsoft Sentinel has been positive because I appreciate the pay-as-you-go model, which is very reasonable. If you do not use it, you are not paying for it.

I did not consider any other solutions before selecting Microsoft Sentinel, as Microsoft Sentinel is growing significantly in its field, making further exploration unnecessary.

Microsoft Sentinel's ability to correlate data from multiple sources has enhanced my threat detection capabilities considerably because it has a diverse range of data connectors that integrate with all my other security tools.

The SOC optimization feature positively impacts my organization's data management and cost efficiency because I value Microsoft Sentinel as a SOC as a Service for our team. It is much easier and managed by our Managed Detection and Response provider.

I do have metrics and data points through the portal, where I can view cost and billing effects through subscription. It is beneficial to see how it displays the ingress data and usage data, and I use that on a weekly basis.

My advice to other organizations considering Microsoft Sentinel is to choose Microsoft Sentinel over Splunk. I give this review an overall rating of ten out of ten.

Microsoft Sentinel is used to monitor cloud security for the university, focusing primarily on sign-in logs and alerts from those sources.

The playbooks and automated alerts are convenient features.

Microsoft Sentinel flags when admin credentials log in from an unusual location, automatically alerting the security team so they can investigate. This is an example of how Microsoft Sentinel's features have helped the organization.

Microsoft Sentinel provides a unified set of tools to detect, investigate, and respond to threats. A unified approach with Microsoft Sentinel is important, and if it works effectively, that would be beneficial.

The effectiveness of AI and machine learning in Microsoft Sentinel is uncertain, but in theory, it sounds promising if it would reduce the workload and make threat identification easier.

The SOC optimization feature of Microsoft Sentinel does not appear applicable at the moment in terms of data management and cost efficiency.

Microsoft Sentinel could be improved by integrating all playbooks with different other products that they can monitor. If that becomes even easier and more streamlined, it would probably be helpful.

Microsoft Sentinel has been in use for approximately four years.

There have not been any major issues with Microsoft Sentinel in terms of crashes or downtime. While there have been some outages over the several years of use, nothing has specifically affected the organization.

Microsoft Sentinel has scaled well with growing needs during this period, and it has been adopted gradually.

Microsoft customer service was used initially when implementing Microsoft Sentinel.

The customer service provided was good. Microsoft customer service would be rated eight or nine, as it was effective.

Positive

The experience with deploying Microsoft Sentinel was straightforward and easy, even though it was a few years ago. The ability to take it into use modularly was valuable, as it allowed starting in one area and then adding components incrementally, which worked well for this case.

A good return on investment has been observed from Microsoft Sentinel. While not in finance, the ROI appears positive.

Regarding the pricing and setup costs of Microsoft Sentinel, lower costs are always preferable. However, it has been beneficial that Microsoft Sentinel is included as part of the Microsoft package, making it more cost-effective.

Navigating and integrating Microsoft Sentinel for SIEM and XDR across the UI is mostly fairly convenient and easy. The new Defender XDR roles and permissions have changed, making it somewhat challenging to get them to work together with Microsoft Sentinel and Entra ID roles.

Microsoft Sentinel may possibly be used in additional ways at some point. The overall review rating for Microsoft Sentinel is eight out of ten.

We are familiar with Microsoft Sentinel. We previously worked with McAfee and Check Point solutions, but since we specialized in Microsoft, we transitioned everything to Microsoft Sentinel.

Microsoft Sentinel allows you to manage all solutions as the base and integrate other brands, making reporting, event correlation, and data preparation easier to leverage AI for generating alarms or trend analysis.

The ability of Microsoft Sentinel to correlate data from multiple sources greatly helps our threat detection capabilities because correlation enables faster threat detection, even proactively. Previously, we had to check several sources, making it difficult for one person or even several people to monitor everything all day. With correlation, what initially appears simple may relate to other information, revealing that it is a situation worth addressing.

The best features of Microsoft Sentinel are its integration with all Microsoft products, which is the main aspect we value because all of our customers and ourselves primarily have Microsoft infrastructure, servers, applications, and systems, so it integrates seamlessly into the Microsoft environment.

Microsoft Sentinel should continue adding support for several other security brands because sometimes you have a firewall from a different brand and if you cannot correlate or integrate that seamlessly, it creates multiple points of checking information, which diminishes efficiency. Despite this, we believe Microsoft Sentinel has the best capabilities to work with.

The main factor that led us to Microsoft Sentinel is that it is a well-rated and well-perceived product. However, the key reason is that our unit focused exclusively on Microsoft solutions, and we believe in the quality of the product, so that decision was straightforward.

Microsoft Sentinel's support and customer service deserves at least a nine rating because if you have any issues, you can easily submit a ticket and they will help you. There are different priority levels if you purchase extended support, which we have not done. We have been working for over two years with standard support and have not encountered any problems, so we appreciate it greatly. Microsoft invests significantly in support, which is crucial for companies.

Positive

We previously worked with McAfee and Check Point solutions before Microsoft Sentinel, but since we specialized in Microsoft, we transitioned everything around.

Setting up Microsoft Sentinel requires a little expertise; there is substantial documentation available and while it is not extremely difficult, some configurations require know-how to truly make it work. Microsoft Sentinel rates at a seven or eight for how straightforward it is to set up on a scale where ten is the easiest.

Over 80% of our log data have been moved to auxiliary logs since implementing Microsoft Sentinel, as we primarily use Microsoft solutions.

Microsoft Sentinel's pricing is competitive, especially when you have a Microsoft infrastructure, as you typically receive better deals. In the end, it is positive because integrating Microsoft Sentinel with the Microsoft solutions you are acquiring turns out to be much cheaper than purchasing everything needed from a different SIEM solution.

As an ISO certified organization, it is very important for us to have clear data for usage, and Microsoft Sentinel helps significantly because you can automate reporting for audits, making the process very efficient.

We typically work on a cloud deployment model for Microsoft Sentinel, but hybrid is an option if there is a significant on-premise footprint. Our infrastructure is approximately 95% in the cloud, so we are using the cloud solution. Microsoft Sentinel can also be deployed hybrid if there is a data center involved; I would not recommend working on it locally as cloud-first is ideal.

We primarily use Azure as our main cloud provider, but it is possible to use AWS; it will just work more easily and configure better in Azure, though it can also be utilized in AWS for checking servers and security equipment on VMs.

Our overall rating for Microsoft Sentinel is nine out of ten.

My main use case for Microsoft Sentinel is centralized log monitoring, threat detection, and incident investigation, utilizing automated response with analytic rules and playbooks to improve SOC efficiency.

Day-to-day, I monitor alerts and the dashboard, and Microsoft Sentinel investigates incidents using log queries and automated responses with playbooks. For example, I detected multiple failed login attempts from an unusual location, correlated Azure AD logs, and automatically triggered a playbook to block the IP and notify the team, which helped us stop a potential account compromise quickly.

Additionally, I use Microsoft Sentinel for continuous log integration for multiple resources, Azure endpoints, and firewalls, proactive threat hunting using KQL queries, and automating routine tasks including alert triggers and ticket creations.

The best features Microsoft Sentinel offers are centralized log management, AI-based threat detection, automation with playbooks, strong integration, and a scalable, cloud-native architecture.

I rely most on analytic rules and automation playbooks because they automatically detect suspicious activities and trigger responses such as alerting, blocking, or ticket creation, which saves considerable manual effort and helps us respond to incidents much faster and more consistently.

Additionally, the built-in connectors and KQL-based threat hunting are very useful as they allow me to pull logs from multiple resources and quickly investigate or proactively search for threats, which improves overall visibility and detection capability.

Microsoft Sentinel has positively impacted my organization by improving visibility across all security logs, reducing incident response time through automation, and enabling faster threat detection, which has strengthened our overall security posture and reduced the manual workload for the SOC team.

Microsoft Sentinel could be improved by making the UI more intuitive, simplifying KQL queries for easier use, improving cost visibility and optimization controls, and enhancing performance and query speed when handling large volumes of data.

Additionally, it would help if Microsoft Sentinel had more out-of-the-box use cases and pre-built dashboards, better correlation across multiple cloud and non-Microsoft sources, simplified troubleshooting of data collection, and more granular cost control to avoid unexpected billing in high-log ingestion environments.

My advice for others looking into using Microsoft Sentinel is to start with a very clear log ingestion strategy to control costs, invest time in learning KQL and tuning analytics rules, and leverage the built-in connectors and automation early, especially if you are already using Azure, to get the most value quickly.

Overall, Microsoft Sentinel is a powerful and scalable SIEM solution that significantly improves visibility and response capabilities. With proper tuning and cost management, it provides strong value for organizations, especially those already using the Microsoft ecosystem. I would rate this product an eight out of ten.

We generally used Microsoft Sentinel to identify issues, threat hunting, log analysis, and incident triage. Logic App is one tool we use, along with Watchlist, Summary table, search job, and threat hunting. The search job feature allows us to check for archive logs through a search option.

Microsoft Sentinel helps us understand the areas that we have to improve and provides information on our current coverage. When we get an incident, we receive that information, but this also creates some noise around it because even simple things receive tags, though this noise actually makes more value for a real incident.

It has a positive impact. For example, we try to identify compliance issues and vulnerabilities and search across different custom applications. We are able to mitigate these, which helps improve the security score. Enriching all other information and making value out of it is important. Microsoft Sentinel is another SIEM tool, and any SIEM tool provides similar values. That is why we are going for the tool. Whatever SIEM we have, every SIEM has its own advantage and should have some value.

There is a lot of room for improvement. Because there are automations and logics, we use mostly Logic App, and that can be improved significantly with additional connectors for integration. The GUI can be enhanced. Palo Alto XSOAR and others were very good in SOAR, but when it comes to Microsoft Sentinel, they are not matured to that level.

When compared to other industry standard SIEM solutions like Splunk or Palo Alto, Microsoft Sentinel can improve a lot. It is acceptable as its own product, but compared to others, it can be improved substantially.

I have been working with this solution since 2020.

Microsoft Sentinel is reliable and stable, but it is a little costlier.

The support from Microsoft is not up to the standard because it takes a lot of time to analyze and get the right people and the right solution. It takes time, but we are able to resolve things, though the process is time-consuming.

Neutral

I was using Splunk later, but not extensively as Microsoft Sentinel.

I am working on some Azure items, though I do not know if that qualifies as something relevant. I am working in Microsoft Sentinel and Defender XDR. We are a partner with Microsoft from our firm, and as an employee, I work on the solution for different customers. The version of Microsoft Sentinel is the latest version, and I do not see any version specific limitations.

Microsoft Sentinel is good, but it is going to be deprecated and integrated with Defender XDR, so we will use that. It is a little expensive. There is a limitation in that not all Azure Data Explorer queries and KQL queries can be used in Microsoft Sentinel. However, now they are moving to Azure Data Lake, which could be one reason for this limitation. There are many functionalities that are available in Azure Data Explorer which we cannot use in Microsoft Sentinel. It would be more useful if more Azure Data Explorer queries and the syntax available in Data Explorer could be leveraged in Microsoft Sentinel.

I am not using that module as we use it in the organization, but I am not handling it. This review has an overall rating of five out of five.