Microsoft Sentinel Reviews

Name: Microsoft Sentinel
Brand: Microsoft
Rating: 4 (88 reviews)

Vendor: Microsoft

4.1 out of 5

88 reviews
93% willing to recommend

296 followers

Post review

What is Microsoft Sentinel?

Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution that lets you see and stop threats before they cause harm. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs—while reducing IT costs. With Microsoft Sentinel, you can:

Get the Microsoft Sentinel Buyer's Guide and find out what your peers are saying about Microsoft Sentinel, Microsoft Defender for Endpoint, Microsoft Intune and more!

Microsoft Sentinel is the #1 ranked solution in SOAR tools, #2 ranked solution in top Security Information and Event Management (SIEM) solutions, and #5 ranked solution in top Microsoft Security Suite solutions. PeerSpot users give Microsoft Sentinel an average rating of 8.2 out of 10. Microsoft Sentinel is most commonly compared to Microsoft Defender for Endpoint: Microsoft Sentinel vs Microsoft Defender for Endpoint. Microsoft Sentinel is popular among the large enterprise segment, accounting for 58% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 17% of all views.

Helped 793,295 peers since 2012

Featured reviews

Nitin Arora

Security Delivery Senior Analyst at Accenture

The most amazing aspect of Microsoft Sentinel is the daily upgrading of the product. They have third-party connectors that their people are enhancing on a daily basis. That is what I like about the product. Their people are not sitting idly and saying, "Okay, we have created the product, now just use it." It's nothing like that. They are continuously working on it to make it number one in the market. It also has a playbook feature so that we can do automation in Sentinel itself, based on the data sources and the logs that we are receiving. That means we don't need to do manual stuff again and again. Using Sentinel, we can collect all the logs of third-party vendors and use them to analyze what kinds of scenarios are going on in the environment. On top of that, we can create analytics rules to monitor the environment and take action accordingly if there is a suspicious or malicious event. Something else that is great is the visibility into threats. We have an AI feature enabled in Sentinel and that gives us great visibility into the data sources we have integrated. And for data sources that we don't have integrated, we have a Zero Trust feature and we get great visibility into the threat log. Visibility-wise, Sentinel is fantastic. The ingestion of data from our entire environment is very important to our security operations. We have clients in insurance and multiple firms that deal with taxation, and we need to do an audit yearly. To do that, we need the data from the whole environment to be ingested into the workspace.

Read full review

Jalan Cruz

Cyber Security Analyst at CoinFlip

In terms of visibility, Microsoft Sentinel captures a lot of useful data. Microsoft Sentinel helps us prioritize threats across our enterprise. It shows us the most vulnerable assets, and because we have agents on every machine, we know exactly where to go to investigate. This is important for staying secure as a company. It allows us to cover our own bases by seeing what is happening in real-time and taking proactive steps to address threats, rather than reacting to them after they have already occurred. We can stay up-to-date with security measures and ensure that we follow through and execute our security plan. We integrated Microsoft Sentinel with Defender for Cloud, Endpoint, and Defender Vulnerability Management. Microsoft is not the most vendor-friendly company in terms of integrations and connections, but we were able to get it working in the end, so we cannot really complain. Microsoft's security tools work natively together to deliver coordinated detection responses across our environment. The comprehensive threat protection that Microsoft Sentinel provides is good. They provide really good information. We are able to create documents, perform root cause analysis, and analyze anything we need to. Log integration is also key. We are able to find potentially malicious files, correlate events to alerts, and then take action on alerts. So, the comprehensiveness is pretty straightforward. We use Cloud and Endpoint security. We have our Defender cloud, and then Defender agents on each endpoint. The bidirectional sync capability is important, and it is a work in progress. We are in the process of off-boarding our contract with CrowdStrike. We are moving all of our cybersecurity needs to Microsoft Defender, which is included in our existing Microsoft licenses. This makes financial sense, and CrowdStrike was not providing us with much value. The system allows us to ingest data from our entire ecosystem, which is very important. This is our main source of correlation of logs to alerts. Therefore, we definitely need to get every single log source, and possibly a few more. The system allows us to investigate and respond holistically from one place. It is a very comprehensive tool to use. However, the supporting documentation is limited to initial troubleshooting. This is where I find the most difficulty in explaining how good the tool is. Other than that, the tool is pretty straightforward. There is enough documentation to get us started. However, beyond that, we will need to rely on online forums and other open-source resources to learn more about the tool. When comparing Microsoft Sentinel to other SIEMs in terms of cost, we are saving money because it is included with our Microsoft 365 E5 licenses. This also helps us to reduce the number of different types of software that we need to use. We do like redundancy in terms of coverage, but the cost of multiple solutions adds up. We want to be able to use one central location for all of our security software. This is one of the reasons why we choose Microsoft Sentinel over third-party solutions. As we move into larger projects, we need to have a centralized place for all of our security policies and procedures. Microsoft Sentinel helps us automate routine tasks and find high-value alerts. We also use Sentinel as a store for our alerts. This allows us to automate most of our responses if not all of them. We also tailored our alerts to specific events that occur in our environment. Microsoft Sentinel helps eliminate the need to use multiple dashboards by providing a single XDR dashboard. We currently use Sentinel's workbooks, which provide a dashboard that we can use for metrics, reporting, and other purposes. This makes it easier to relay information upwards, as it is presented in a more visually appealing and easy-to-understand manner. For example, we can use pie charts, bar charts, and line charts to represent data in a way that is easy to understand. This makes it easier to convey information to upper management, such as where we are most vulnerable and what steps we need to take to improve our security. Microsoft Sentinel helps us prepare for potential threats before they hit by taking proactive steps. We can also detect ongoing incidents. For example, if we receive a ticket or alert that is ongoing and will not go away, we can automate a response to it and add it to our playbook. This way, if a similar incident occurs in the future, we will know what to do to respond immediately. In terms of automation, I believe we save about 20 to 22 hours per week by closing tickets. We receive about 50 to 100 tickets per day, and we automated about 80 percent of those. This means that we can now close tickets without having to manually review them. This saved us a significant amount of time, which we can now use on other tasks. We are on the smaller side in terms of the number of logs that come in. So, I don't think it's necessary to compare at this level of data ingestion. However, I can definitely see that if we scale and grow in the future, it will save us a lot of money, especially in terms of manpower and hours that we have to dedicate to automation or non-automated tasks. For example, in the six months that we've had Sentinel up and running, we've saved 755 hours in automation alone. We currently meet all of our service level agreements in terms of incident response. This definitely saved us time, and we also receive email alerts directly so that we know as soon as something happens.

Read full review

Adam Gordon

EXECUTIVE CONSULTANT at Freelance

It can connect to an ever-growing number of platforms and systems within the Microsoft ecosystem, such as Azure Active Directory and Microsoft 365 or Office 365, as well as to external services and systems that can be brought in and managed. We can manage on-premises infrastructure. We can manage not just the things that are running in Azure in the public cloud, but through Azure Arc and the hybrid capabilities, we can monitor on-premises servers and endpoints. We can monitor VMware infrastructure, for instance, running as part of a hybrid environment. The continuing evolution of what we call the connectors, which is the marketplace that lets us connect these systems to Microsoft Sentinel, is probably one of the most important features. The reliance on a very simple but very powerful query language called Kusto Query Language or KQL that Microsoft uses to allow us to log into the analytics workspace to assess and analyze the data is also valuable. That has made it very approachable and very scalable. Those are very big and important things for me as a consultant, as an architect, and as a person who is implementing these solutions for customers and who is explaining them, and ultimately working with them. This makes the product not only usable but also very flexible. Those are two very important elements.

Read full review

Microsoft Sentinel mindshare

Product category:

As of July 2024, the mindshare of Microsoft Sentinel in the Security Information and Event Management (SIEM) category stands at 10.9%, down from 13.6% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Security Information and Event Management (SIEM)

Key learnings from peers

Valuable Features

According to the reviews, Microsoft Sentinel's most valuable features include its cloud-based and scalable architecture, automation capabilities with custom playbooks, and the flexibility to run custom KQL queries for data analysis.

Users appreciate the easy integration with various data sources through connectors, as well as the comprehensive visibility and effective threat detection capabilities. Sentinel's seamless integration with the Microsoft ecosystem provides a unified security approach. The solution enables data ingestion from both Microsoft and non-Microsoft sources, offering comprehensive monitoring capabilities.

Additionally, Sentinel includes built-in SOAR capabilities for automated incident response, along with threat intelligence and proactive threat hunting features to improve overall security posture.

"Sentinel has reduced the work involved in the event investigation by quite a lot."
"Microsoft Sentinel stands out among SIEM tools for its user-friendliness and powerful built-in query language."
"While Microsoft Sentinel provides a log of security events, its true power lies in its integration with Microsoft Defender."

Room for Improvement

Key areas for improvement in Microsoft Sentinel include support for on-premises systems, AI capabilities, user access management, GUI usability, query interface, third-party integration, customization options, reporting and analytics, onboarding process, data ingestion, and EDR integration.

"From a client perspective, they'd like to see more cost savings."
"Microsoft Sentinel's search efficiency can be improved, especially for queries spanning large datasets or long timeframes like 90 days compared to competitors like Splunk."
"I would like Microsoft Sentinel to enhance its SOAR capabilities."

ROI

Microsoft Sentinel has provided a positive return on investment (ROI) for users. The automation capabilities, integration with other products, and reduction in manual tasks have helped save time and reduce workload.

The solution has also improved security posture, compliance, and revenue generation for companies. Users have mentioned cost savings, reduction in staff, and quicker detection and response to threats.

Pricing

The pricing for Microsoft Sentinel is described as relatively expensive, confusing, and not straightforward. It is seen as an enterprise-level application, making it cost-effective compared to other products at the same level. The pricing is based on how much is used or consumed, rather than a one-time cost. There are additional costs for service agreements and data storage.

The pricing is reasonable when considering the features included and the ability to integrate with other enterprise technologies. However, it can be costly for small-scale businesses and may require careful cost estimation and planning.

"We only pay for the amount of data we bring in, which is fair."
"It is consumption-based pricing. It is an affordable solution."
"I am not involved on the financial side, but from an enterprise-wide use perspective, I think the price is good enough."

Popular Use Cases

The primary use cases of Microsoft Sentinel include:

1. MSSP and threat detection engineer: Used by a Managed Security Service Provider (MSSP) and threat detection engineer for security monitoring and incident management.

2. Traditional SOC: Replacing multiple products with Microsoft Sentinel to simplify incident and event analysis in a Security Operation Center (SOC), saving time and reducing the need for manpower.

3. Log monitoring and alarm building: Used to monitor logs, build alarms, correlate events, and automate security response in the event of a security incident.

4. MSSP solution and integration with MISP: Proposed as an MSSP solution to clients, integrated with MISP (open source intelligence trading platform) to create a comprehensive solution for various sectors.

5. Complex configurations and threat hunting: Deployed in Government departments for threat hunting and correlation of telemetry data to identify anomalies and potential security threats.

6. Integration with Microsoft Defender products: Integrated with Microsoft Endpoint for Defender, M365 Defender, and Exchange Online to track and analyze security incidents and threats.

7. Automated security management: Utilized to automate security processes, manage events, and provide AI-based predictions and analysis of security threats.

8. SIEM solution for Security Operations Center (SOC): Used as the primary tool in a Security Operations Center (SOC) for security monitoring, incident management, and threat detection.

9. Correlating logs and automating tasks: Used to correlate logs, automate security tasks, and provide a centralized point for log information.

10. Monitoring cloud environments and infrastructure: Used to monitor cloud environments, detect anomalies, and protect against cyber attacks and vulnerabilities.

11. Managed security services: Utilized by a Managed Security Service Provider (MSSP) to offer security services, threat detection, and security incident management to clients.

12. Integration with multiple vendors and environments: Integrated with various third-party vendors and data sources to provide a comprehensive view of security incidents and threats across different environments.

13. Centralized log aggregation and security management: Used for centralized log aggregation, security management, and unified security management across hybrid environments.

14. Security analytics and incident response: Leveraged for security analytics, proactive incident response, and coordination with other Microsoft security products.

15. Security information and event management (SIEM): Used as a SIEM tool to monitor and analyze security events, raise incidents, and enhance security posture.

Service and Support

The customer service and support of Microsoft Sentinel have received mixed reviews. Some customers have had positive experiences, stating that the support is responsive, helpful, and knowledgeable. They appreciate the quick response time and the ability to connect with developers for prompt answers. Upgraded support tiers, such as premium support, are highly regarded for their effectiveness.

However, there are also customers who have faced challenges with support. They mention that basic support may have longer wait times and less knowledgeable technicians, especially in tier-one support. Some customers note they have to pay extra for access to senior technicians with in-depth knowledge.

Deployment

The initial setup for Microsoft Sentinel is generally straightforward and easy. It can be done within a few minutes to a couple of days, depending on the complexity of the environment and the number of resources being integrated.

Integrating Microsoft security solutions and other connectors are relatively simple, however, customizing rules and alarms may require more expertise. The deployment process is smooth, especially for cloud-based environments, and maintenance is minimal as Microsoft handles updates and server roles.

Some users recommend seeking assistance from service providers or specialists for customization and optimization. There are some users who mention that the setup can be complex, especially when connecting to certain servers or third-party solutions.

Scalability

Microsoft Sentinel is highly scalable, as it runs on the cloud and can automatically scale up or down based on the needs of the user. It offers a scalable model with options for log retention and data limitation, allowing users to control costs. It can handle large volumes of data without any issues.

Users have reported that Sentinel is capable of handling big data and can adapt to the needs of large organizations with thousands of users. The solution is also praised for its continuous development and introduction of new features based on customer feedback.

Stability

Microsoft Sentinel is highly stable according to the reviews. Users have experienced very few or no outages, and any issues that have occurred have been promptly addressed by Microsoft. The stability of Sentinel is attributed to it being a cloud-based solution managed by Microsoft.

Users have also praised the reliability and performance of the solution, with some rating it as highly stable and giving it a nine out of ten for reliability.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Microsoft Sentinel Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Computer Software Company

17%

Financial Services Firm

10%

Government

Manufacturing Company

Retailer

University

Healthcare Company

Educational Organization

Energy/Utilities Company

Comms Service Provider

Insurance Company

Construction Company

Real Estate/Law Firm

Media Company

Non Profit

Legal Firm

Wholesaler/Distributor

Hospitality Company

Outsourcing Company

Transportation Company

Performing Arts

Logistics Company

Recreational Facilities/Services Company

Consumer Goods Company

Pharma/Biotech Company

Marketing Services Firm

Aerospace/Defense Firm

Compare Microsoft Sentinel with alternative products

Learn more about Microsoft Sentinel

- Collect data at cloud scale—across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds

- Detect previously uncovered threats and minimize false positives using analytics and unparalleled threat intelligence from Microsoft

- Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft

- Respond to incidents rapidly with built-in orchestration and automation of common tasks

To learn more about our solution, ask questions, and share feedback, join our Microsoft Security, Compliance and Identity Community.

Microsoft Sentinel was previously known as Azure Sentinel.