
Microsoft Sentinel Overview

Microsoft Sentinel is the #3 ranked solution among top Security Information and Event Management (SIEM) tools. PeerSpot users give Microsoft Sentinel an average rating of 8 out of 10. Microsoft Sentinel is most commonly compared to Splunk: Microsoft Sentinel vs Splunk. Microsoft Sentinel is popular among the large enterprise segment, accounting for 52% of users researching this solution on PeerSpot. The top industry researching this solution is professionals from computer software companies, accounting for 25% of all views.
What is Microsoft Sentinel?

Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution that lets you see and stop threats before they cause harm. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs—while reducing IT costs. With Azure Sentinel, you can:

- Collect data at cloud scale—across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds

- Detect previously uncovered threats and minimize false positives using analytics and unparalleled threat intelligence from Microsoft

- Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft

- Respond to incidents rapidly with built-in orchestration and automation of common tasks

To learn more about our solution, ask questions, and share feedback, join our Microsoft Security, Compliance and Identity Community.

Microsoft Sentinel was previously known as Azure Sentinel.

Microsoft Sentinel Buyer's Guide

Download the Microsoft Sentinel Buyer's Guide including reviews and more. Updated: May 2022

Microsoft Sentinel Customers

Microsoft Sentinel is trusted by companies of all sizes including ABM, ASOS, Uniper, First West Credit Union, Avanade, and more.

Microsoft Sentinel Pricing Advice

What users are saying about Microsoft Sentinel pricing:
  • "Azure Sentinel is very costly, or at least it appears to be very costly. The costs vary based on your ingestion and your retention charges."
  • "I am just paying for the log space with Azure Sentinel. It costs us about $2,000 a month. Most of the logs are free. We are only paying money for Azure Firewall logs because email logs or Azure AD logs are free to use for us."
  • "I have worked with a lot of SIEMs. We are using Sentinel three to four times more than other SIEMs that we have used. Azure Sentinel's only limitation is its price point. Sentinel costs a lot if your ingestion goes up to a certain point."
Microsoft Sentinel Reviews
    Associate Manager at a tech services company with 10,001+ employees
    Real User
    Easy to manage with good automation and machine learning capabilities
    Pros and Cons
    • "The machine learning and artificial intelligence on offer are great."
    • "Azure Sentinel will be directly competing with tools such as Splunk or Qradar. These are very established kinds of a product that have been around for the last seven, eight years or more."

    What is our primary use case?

    Sentinel is a solution called SIEM - security information event management. It's for monitoring an entire organization from a security point of view. Along with the monitoring, what happens in the SIEM is you have to raise incidents. If there are any kind of security issues or breaches or people are trying to get into the system, you have to raise an incident ticket. You collect the event information from the systems. You'll be able to see if it's, for example, a machine or account, or an active directory outage. You can process that information using machine learning AI, and then raise incidents. It's basically helping a security operations center team (SOC). With the help of Azure Sentinel, we can build a SOC.

    There are plenty of use cases. You have to cover your entire security environment. For example, a brute force attack against your Azure Portal. If someone is trying to guess your password, you will see the incident. When somebody puts in four or five wrong passwords, and then a correct password, it could mean someone is trying to guess your password and you would see that. Basically, there are a lot of use cases, however, all of them revolve around monitoring security. Whenever something happens, we should get alerted or we can proactively assess our environment.

    With Sentinel, you can also do the hunting. It'll try to identify if your environment is compromised with any kind of attack. In most cases, it'll try to protect your organization before this attack can happen. If somebody is trying to snoop in your environment, we can track him. Or if somebody is trying to guess your password, we can protect the password. If somebody is injecting malware, we can identify it and protect the organization.

    How has it helped my organization?

    The solution has improved functionality as most of the organization will be in the cloud. If an organization is already on the Azure cloud, then they don't have to go for any other solution for the SIEM. They can easily integrate Sentinel. Most of us are on the Microsoft products, so it's very easy to deploy this with the Microsoft products as well as to the other products. 

    What is most valuable?

    In terms of Sentinel, it's a best-in-class solution. The SIEM solution is hosted in the cloud. When you compare it with the other tools, the on-premises tools may not be that great. The best piece about it is when it comes to the traditional SIEM solutions, it's very hard to manage them. First of all, licensing will be there. Then you need to manage underlying infrastructure as well. You also need a big setup. All these things aren't necessary with Sentinel due to the fact that it's on the cloud. You just get a cloud subscription and do a pay-as-you-go model. The machine learning and artificial intelligence on offer are great. These are the things that happen in the background that we do not see. Whenever you have an incident, it will provide you with all the options so that you can drill down. For example, I have identified one incident where somebody was trying to do a brute-force attack. When this incident was generated, I had a lot of data with which I could start to investigate things. It provides the best-in-class hunting capabilities. It's very easy to write the hunting logic. You have to write some searching queries. It's very easy to write all those queries and identify the test. It'll give you the capabilities of automation. Azure is not only about security or infrastructure. It has a lot of programming features, functions, logic apps, and automation. You can easily integrate. If you can do a little bit more programming, then you can integrate it with functions or automation, or anything else. There is a different tool for security postures. That's called Azure Security Center. From November, it's going to be called Azure Defender. This tool does not do posture management, however, it can integrate with Azure Security Center. There is also this XDR tool, Microsoft Defender. It can easily integrate it. Once you set up the integration between these tools, then you will have the advantage of both the tools. You will have a unified ticketing system where you can view the alerts from XDR and you can view the alerts from the posture management and from the SIEM.

    What needs improvement?

    Every month there are new features in Sentinel and the tools are stable. All the features and functionality that those tools provide are slowly coming to the Azure Sentinel as well. So it's improving a lot day by day.  Initially, we had the data connector that could bring the data from any of the platforms that we wanted to monitor. Now, Microsoft has improved the solutions and they're providing a lot of options. While you can (and now have) almost all the functionalities that are needed for SIEM capabilities, it's still adapting to new things as well.  Azure Sentinel will be directly competing with tools such as Splunk or Qradar. These are very established kinds of a product that have been around for the last seven, eight years or more. They have a lot of good things going for them and are slightly ahead of Microsoft, which is new to the game. However, Microsoft is adapting. Microsoft keeps working on its solutions and offers feature request platforms as well. We have given them a lot of feedback in terms of some customizations - and they keep adding to it. There are a lot of new things that are in the pipeline. In the next four to six months, we will see more new features which will further enhance the existing tools. For example, there were some custom fields that were missing. We wanted to do mapping of the custom fields and this capability wasn't there in the Sentinel. However, when we requested it they implemented it.

    For how long have I used the solution?

    I have been on Sentinel for the last two to two and a half years. Initially, I was just doing it for my own self-interest, however, for the last one and a half years, it's been more of a professional relationship and I've been working with it for customers.

    What do I think about the stability of the solution?

    The solution is quite stable. I have not seen any downtime so far. It is working for customers as well. It's good. It's on a cloud and therefore we need not worry about maintaining the databases or maintaining the platforms, or wherever the data is stored. It's all Microsoft's responsibility.

    What do I think about the scalability of the solution?

    The scalability is a unique selling proposition for Sentinel. Due to the fact that it's on the cloud, you can scale it up to any limit. Of course, you have to pay for whatever data you are storing. As compared to on-premises tools, which sometimes may fail to scale, this is great. You don't have to bring up a lot of hardware with Sentinel.

    This solution is being used quite extensively right now. Whether or not the usage will increase depends on the pricing that comes up the more you use it. We have to pay for whatever data, telemetry, that gets into the Sentinel. For example, let's say today I collected 1GB of data, tomorrow I'm going to collect 5GB of data. Microsoft can easily hold this, however, then they also provide you with some kind of plans. You can reserve the space. You can say "I will use 100GB of data per month." Microsoft will give you a discount and you have to pay for the reserved 100GB. It is a pay-as-you-go model. The solution is used by the development team, which sets it up, and then by the SOC team, which takes over and starts monitoring for security incidents.

    How are customer service and support?

    Technical support depends on what kind of agreement you have with Microsoft. If you are a premier customer, under the top 100, then they can provide you with some direct connection with the Microsoft program managers. You can have a conversation with them once every two weeks. If you are not in the premier tier, if you are just directly buying it from Azure, then technical support, again, depends. There are two types of technical service. One is the professional and the second one is the premier. Premier support is good. Obviously, you will be paying extra for it. Professional support is not that great. Often, I'd rather not involve them. They will simply mess up things. It's better to just post your questions on the forums and try to get some answers from the experts.

    I use all kinds of support. If you are working for a customer who has a very good rapport with Microsoft and they are their top Azure consumer, then they can do things for you. If you give them feedback and you are potentially a big customer for Sentinel, then they will try to adjust things according to your environment. However, if you are not, you are just using Sentinel, then it's okay. It all depends on how much money you are paying and how much business you are doing with Microsoft.

    If a customer is planning to buy Sentinel, then they should initially negotiate with Microsoft for premier support. They can ask for 100 hours of premier support or the fast-track service. You can initially negotiate for a situation where, if some technical issues arise, then you will only work with premier support, and you can reserve your 100 or so hours for that. Initially, it's better to agree in advance with Microsoft that you will be needing X number of technical support hours or the fast-track service or engagement with the Sentinel development team.

    Which solution did I use previously and why did I switch?

    I did not use a different solution. I'm from the Azure Log Analytics Monitoring part. I came from that side. We directly jumped into Sentinel. I've heard that people are doing migrations from Splunk. That's the number one tool that's available for SIEM. However, I directly started from Sentinel.

    How was the initial setup?

    The initial setup is very easy. You just need some basic knowledge of the monitoring platform called Azure Log Analytics. If you have the knowledge of Azure Log Analytics, then you can easily set this up.

    If you just want to set up over the Azure Portal, then it will hardly take 15 to 20 minutes to deploy. Of course, this is not the final setup. The final setup is when you will be connecting it with different sources. For example, if you have 100 machines, you will have 100 Linux machines, you will have routers and switches too. Everything you want to monitor needs to be there. You have to implement all these solutions one by one as per your requirement. If your requirement is that you want Linux machine monitoring, you want firewall monitoring, then it can take time, however, it is pretty easy to accomplish.

    What's my experience with pricing, setup cost, and licensing?

    The pricing model is good. Microsoft does the reservations as well. Perfect planning is needed, as, once you reserve the space, you can save up to 30% or 40% of the cost. If you are not doing good planning, then it'll cost you a lot. However, from a costing point of view, it's fair and comparatively low. It's not a costly service.

    Which other solutions did I evaluate?

    I'm not the decision-maker. I was mostly from the Azure Log Analytics Monitoring background, however, when this was released, even the Microsoft CEO and CTO were touting its abilities. Initially, I looked at it for self-interest, and then we thought of implementing it for our labs, and then we found it fruitful. Then we started getting Sentinel projects. 

    What other advice do I have?

    I'm a consultant and service provider. It's hosted on a cloud. There is nothing like versioning or anything. It's just software as a service. I would rate the solution at around eight out of ten. When we do the migration, there are still few people who are used to it. Not many have hands-on experience. Sometimes we struggle in maintaining gaps.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
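The password-guessing pattern this reviewer describes (several wrong passwords followed by a correct one) can be expressed as a Sentinel analytics query. This is an added example, not code from the review or one of Microsoft's built-in rules; it assumes the Azure AD SigninLogs table is connected, and the failure threshold and time window are assumptions to tune against your own sign-in baseline.

```kql
// Added example (not from the review or Microsoft's shipped rules).
// Flag an account that had several failed sign-ins followed by a success
// from the same source IP within a short window: the "four or five wrong
// passwords, then the right one" pattern the reviewer describes.
// Assumptions: Azure AD SigninLogs schema; thresholds below are starting points.
let lookback = 1d;          // how far back to scan on each run
let window = 10m;           // max gap between a failure and the later success
let failThreshold = 4;      // failures before the success that trigger an alert
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"       // any non-success result code (e.g. bad password)
    | project FailTime = TimeGenerated, UserPrincipalName, IPAddress, ResultType;
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"       // "0" is a successful sign-in
    | project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName;
failures
| join kind=inner (successes) on UserPrincipalName, IPAddress
// keep only failures that happened shortly before the success
| where FailTime < SuccessTime and SuccessTime - FailTime <= window
| summarize FailedAttempts = count(),
            FailureCodes = make_set(ResultType),
            FirstFailure = min(FailTime)
    by UserPrincipalName, IPAddress, AppDisplayName, SuccessTime
| where FailedAttempts >= failThreshold
| order by SuccessTime desc
```

Run it in Logs first to check the hit rate before scheduling it as an analytics rule; a legitimate user mistyping a new password will also match, so the account's device and location history (the review's drill-down data) is what separates the two cases.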
    JimMiller - PeerSpot reviewer
    Director Cybersecurity at a pharma/biotech company with 201-500 employees
    Real User
    Good documentation, helps with our security posture and has a straightforward setup
    Pros and Cons
    • "We’ve got process improvement that's happened across multiple different fronts within the organization, within our IT organization based on this tool being in place."
    • "They're giving us the queries so we can plug them right into Sentinel. They need to have a streamlined process for updating them in the tool and knowing when things are updated and knowing when there are new detections available from Microsoft."

    What is our primary use case?

    It's a SIEM tool. Our process right now is to put as much data as we possibly can from all of our network devices into it. We use it as a centralized logging mechanism and the feature that is nice there is that it's agnostic against the types of devices you're using. I have firewalls that can log onto it. I have Linux boxes that can log onto it. I have Windows boxes that can log to it and I can collect a variety of logs from around the organization into it. I can analyze those logs, I can get detections against those logs and use them to take a look at the security footprint of the organization.

    All of the different security centers within Microsoft are alerting systems like Azure Defender ATP, the Security Centers, and Azure. All of those products, when they generate incidents and alerts, send feedback into this tool. With this product, you get a single dashboard for managing your security footprint, both from the 365 Azure environment, as well as your on-premise environment.

    How has it helped my organization?

    From a security perspective, it has clearly improved our alerting in our incident management processes. We've also been able to improve other processes for network monitoring and for trouble remediation within the environment. Our infrastructure team and some of our application team are now plugging into the data that's in that tool as they can use it to find issues within their applications rather quickly - a lot more easily than the other tools that they've got, which has been a huge boon.

    We also see that some of our help desk processes have now been informed by it. We have queries that run against the data set that's behind that same tool and they are built specifically for the help desk. For example, if a user's account has been locked out due to the fact that we have all of the data from all the different systems plugged into that tool, we can give the help desk a complete picture of authentication failures against that device so that they can quickly identify where the problem is and resolve the issue for the user.

    What is most valuable?

    This system has a list of data connectors and you choose what connects to it. By default, it has access to any of the core Azure data that you have access to, however, those are due to the fact that it lives in that environment. It would naturally have access to that data. Then, you choose which data sources you want to connect to it. Many of them are very easy to set up. They're within the 365 of the Azure portion and a point and click away with a lot of the third-party services. You click a button and do authentication and things connect right up. With some of the Linux, there are setups of Syslogs.

    Microsoft has pretty good documentation. It doesn't take long. It's not hard to set up.

    The biggest feature we've got out of it is visibility into our environment and what's going on across our estate. Being able to see, for example, anomalous RDP logins, to be able to see deviations from our standard traffic flows on the firewalls, things like that, give us insight into when we may have potential issues or a breach type situation.

    The second thing you get is when you’re managing security within the Microsoft environment with Azure 365 you're on-premise you're bouncing between three or four or five, six different tools to do that. This centralizes the management of all of those. You get one pane of glass in all of those tools that give you a very easy way to see what's going on.

    It also allows you to correlate between those tools. I can see if I have, for example, a low-priority incident in one tool. If I have another low-priority incident on the other tool made against the same user, that may force me to say, “Hey, maybe those things combined generate a higher level incident that I maybe need to put up for investigation.” That's the advantage of the tool.

    The solution does not have specific features that have helped improve our security posture. Rather, the whole idea of making security a little bit easier while also being able to correlate data between multiple disparate systems has, as a whole, improved our security posture overall.

    We’ve got process improvement that's happened across multiple different fronts within the organization and within our IT organization based on this tool being in place.

    We were tracking in the neighborhood of 20 to 30 incidents a month coming out of one or two source systems within the environment. What Sentinel has given us the ability to do is move up. We're now evaluating somewhere in the neighborhood of 10 to 12 a day.

    They're much more robust as a product. What we've been able to do is tune the alerts so that the things that are common, that are false positives that we see all the time, we've been able to filter those out and give ourselves this complete picture as things change and work but we're filtering out the standard data sets. There are things we’re going to look at and walk away from as we know they're false positives.

    In terms of receiving false positives, it does take some work to tune the environment, to get it to get rid of all those false positives. It's not ridiculous work, however. I didn't find it to be the hardest problem. It took us a couple of months, doing an hour or so a day to clean them up. Going through that process offered a tremendous amount of learning about the environment. In looking at those false positives, you start to learn things about how people use the environment - things that we didn't realize before. That's extremely valuable for a security team to understand how your assets are used and what your users are doing.

    The end users are barely involved in the process. They see our security team more proactively reaching out to them when they may have a problem. For example, I may have a user who has got an excessive amount of login failures against their ID and it's coming from, say, a mobile phone. We'll see that in the SIEM and what we'll do is reach out to the user proactively. Maybe they've been seeing lockout events, or, most likely, they have been seeing lockout events but they haven't quite figured out what's going on and we'll be able to proactively go to them and say, “Hey, we're seeing this, here's the device it's coming from and here's the action you should take and see if we can fix the problem.” It's given us the ability to reach out to the user. In some cases, it's an incident where we want to reach out, get more information from the user to understand whether it was them or not. In other cases, we're reaching out to them proactively and helping solve problems for them that they may or may not even be aware they're having.

    What needs improvement?

    Microsoft has a number of detections that they bundle with the product and there's a number of detections that are out against GitHub that are available. We have more and more of those going out every day. Microsoft periodically is releasing more updates. I love the fact that they're giving it to us. They're giving us the queries so we can plug them right into Sentinel. 

    We have to do very little editing of the plugins, however, I would love to see the ability to have those queries immediately, as Microsoft updates them. They need to have a streamlined process for updating them in the tool and knowing when things are updated and knowing when there are new detections available from Microsoft.

    For how long have I used the solution?

    I've used the solution for two years.

    What do I think about the stability of the solution?

    The solution has been extremely stable. We haven't had any downtime that I can recall.

    What do I think about the scalability of the solution?

    The scalability is great. It's all backed by the log analytics infrastructure. All of the data that we stuff in it is stuck with the log analytics retention times and data storage capabilities which scale wonderfully.

    We are using it pretty heavily. At this point, we're plumbing pieces of data from all of our systems into it. We're actively in it every day.

    We're constantly adding new data sets too.

    How are customer service and support?

    I haven't used technical support yet.

    In general, the Microsoft technical support unit is okay. There are times when you get help and it's wonderful and there are times when things are not as good. It's not what I would consider the best support I've ever received. That said, they're trying. They could work on their response times.

    Which solution did I use previously and why did I switch?

    We did not previously use a different solution. We did a little bit of data consolidation, however, nothing at this level.

    We adopted Sentinel as we were looking to mature our security footprint. We started looking at tools that could help us do that, and Sentinel was very easy to dig into, primarily due to the fact that you could bite little pieces off at a time. I didn't have to consume a massive cost. I could throw a little bit of data and consume at a pretty minor cost and prove its value before I started increasing my cost.

    How was the initial setup?

    The initial setup is very easy.

    It's a point-and-click Azure environment. You just click the button and say "yep, I want this."

    The solution does not need a lot of maintenance. Once you have the log analytics infrastructure configured, as in your retention times, et cetera, there's your maintenance of the systems that becomes the analytics that you're using. There's a little bit of work that needs to be done there. That was the part that needed some streamlining, however, that's about it. It's managing your rules and your playbooks, et cetera, that needs to be handled.

    What was our ROI?

    It's hard to measure ROI on these types of processes. I can't give hard numbers on what the return is. What I can say is that the organization is much better off having this tool in place than not having it in place. The fact is we are improving processes around the organization and the visibility. We recently had some huge vulnerabilities in Exchange that were being breached, and knowing that we have tools like this in place that have detections to help us establish whether we were having an issue or not was useful. The product helps to make us aware of issues and we're not guessing and not spending too much time digging.

    Which other solutions did I evaluate?

    We did evaluate other options. Most had a larger acquisition cost associated with them. That was obviously a big factor. The other thing that helped the decision was that we live in a Microsoft-centric environment and most of the Microsoft tools were prebuilt and correctly connected very easily.

    What other advice do I have?

    The product is part of the Azure platform - now the Microsoft platform. It's all fully managed by Microsoft at that level. We're using it as a SAFe solution.

    I'd advise potential users to take a good look at your analytical rules and feed it with data. The more data you give it, the more valuable it becomes.

    I'd rate the solution at an eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Oluwaseun Oluwatomisin - PeerSpot reviewer
    Cloud Infrastructure and Security Consultant
    Consultant
    Top 20
    Good security orchestration and automation response with very useful AI functionality
    Pros and Cons
    • "There are a lot of things you can explore as a user. You can even go and actively hunt for threats. You can go on the offensive rather than on the defensive."
    • "The only thing is sometimes you can have a false positive."

    What is our primary use case?

    Azure Sentinel is a SIEM solution. It offers security information on an event management solution and also security orchestration automation response. It actually looks into events coming into your environment and events from a lot of sources, or whatever you might have in your network.

    There are a lot of events and logs generated by all of these resources - sometimes in the thousands or millions. Azure Sentinel helps you investigate a lot of these logs faster. It uses artificial intelligence, called threat intelligence, to look into all the events that might be coming into your environment.

    For example, on a daily basis, you might be receiving two million events coming from all the resources you have, including your users. If you're a very big enterprise and you have thousands of users, there are logs coming in from each of these users. You also have some resources, such as your web application, virtual machine, and a lot of your resources that span across both Azure AWS, GCP, and other solution providers like Sophos, Fortinet, Cisco, and your on-premise environment. You can get all these logs together with this.

    What is most valuable?

    The solution is still new, and there are a lot of new things coming out each and every day. Microsoft is trying to improve the solution constantly. In the last two weeks, there was a section of the Azure Sentinel code solutions that was integrated. It's something organizations could explore. Recently, they just included automation rules that you can use with Logic Apps to automate threat responses.

    Azure Sentinel works with artificial intelligence. With AI by your side, you are able to investigate everything very fast. Within a blink of an eye, it's going to help you look into all these things. Before it can do that, however, you need to set up some form of analytics rules to help you look into all the events that might be coming into your environment.

    There's also a security orchestration and automation response. Sentinel is able to identify and spot threats in our environment. We can also set up some automation rules to be able to automate when there is any form of an incident in our environment. For example, if there is a brute force attack on a user account, we can automate a response such that we can block the user account for a time while an investigation is done on that account. There are automation rules that can help to automate responses as well.

    There are a lot of things you can explore as a user. You can even go and actively hunt for threats. You can be on the offensive rather than on the defensive.

    It's quite different from a traditional SIEM solution whereby you need to have a couple of security analysts to be able to help you manage it. All of these traditional SIEM solutions don't have the capability to look into threats as fast. For instance, if a DDoS attack (a denial-of-service attack) was placed on our web application hosted with a cloud solution provider, and we hosted this web application on our virtual machine, we can spot the threats very quickly. AI will also help to stop these attacks before they can do damage.

    You can bring in your own machine learning algorithms to help you look into the threats community environment. If you are someone who's very fast at developing AI, you can have your own custom machine learning set up to help you look into any form of threat. It’s a very powerful tool.

    Recently, I deployed Azure Sentinel for a client. I could tell immediately it was able to spot a lot of threats. Just within an hour, it was able to spot about five to ten threats. Also, at that very moment, Sentinel recorded around 500,000 events coming into the log analytics workspace. Typically, if you have something like 500,000 events coming into your environment and you have to involve the physical human efforts to be able to look into 500,000 events, it's going to be a lot of work - too much for one person.

    The product has a lot of built-in features. There is a lot that it adds, and there is a lot it can do. It's the kind of solution that you can even bring in your own model.

    We have a machine learning model that we train. Apart from it having some kind of already made solution, you can even create your own custom rules and custom machine learning.

    Having to analyze threats every day, as a person, can be stressful. However, when you have something like Sentinel, which uses threat intelligence to be able to help you respond and remediate against threats at scale, it takes the pressure off.

    It can span across your on-premises resources. If you have your own data center, you can deploy Azure Sentinel in the cloud, and you can have it monitor your data center. You can have it working as a solution to your data center.

    As a user, you are able to integrate your on-premises data center with Azure Sentinel in just a few clicks. It's very simple to use. In just a few clicks, you'll be able to connect Azure Sentinel with your on-premises resources, web server, or SQL server - anything you can think of.

    It can help you investigate threats coming into your laptop. You can connect Azure Sentinel to your personal computer.

    It doesn't affect end users. They don't have access to Sentinel. They don't even see what is happening. They don't know what is happening.

    A lot of organizations have lost a lot of money due to a loss of virtual information. With this kind of strong security system and some strong security protocols, they are well protected.

    What needs improvement?

    New things are already being incorporated just to improve on the already existing solution.

    There is a GitHub community for this solution. There are a lot of contributors worldwide and a lot of people building playbooks and building machine learning models. Someone can just build a machine learning model and say, "Okay, just mention in the model, 'Do this,' and it does this." There is room for improvement. However, things are improving in Sentinel with the help of this community.

    I've seen playbooks where people have pushed to the GitHub repository, and I've been able to make use of one or two of these solutions on GitHub. That said, it may not be possible to eradicate all of the cyber threats.

    There are webinars going on almost every week. Last week I attended a couple of webinars on Azure security. When you are doing things, you also need to be thinking about the security aspect. You have to be thinking about the security aspect of a cloud. You need to enforce a zero-trust model. You can't assume something cannot harm you, as everybody is a threat to your security.

    The only issue is that sometimes you can have a false positive alert. For example, sometimes it detects that something is happening; however, you're actually the one doing that thing. If someone is trying to sign into their environment and provides an incorrect password, they will try it a few times. The system will look at that event and think it's an attacker, and it might be an indication of a threat. However, it's just a user who got the password wrong. I consider that a false positive alert.

    For how long have I used the solution?

    I have been using this solution for about a year now.

    What do I think about the stability of the solution?

    The stability seems to be fine for now. It's not an issue.

    How are customer service and support?

    I have not really used technical support. That said, on the first day when I was starting with Sentinel, I used technical support for some free advice.

    In the past, I've worked as a Microsoft technical support engineer. I was very good at what I did then. The support person that I spoke with when I needed free advice on that first day was helpful. When I raised a support request to ask a few questions, the support engineer was able to do justice to all those questions and shared some things to put me in the right direction. I appreciated their helpfulness as I used to be that helpful as well.

    Which solution did I use previously and why did I switch?

    There are a lot of solutions Microsoft has that have to do with security. However, they are not what I would describe Sentinel to be. Nothing I have used in the past has been similar to Sentinel.

    How was the initial setup?

    For every project, you need to have your functional requirements. Once you have that in place, the initial setup depends on the number of things you want to bring into Azure Sentinel. It's a powerful tool.

    You can set it up for AWS, GCP, DigitalOcean, Sophos, Fortinet, Cisco - even your PC. You can set it up for everything and there is no lagging. It takes just a few clicks to connect these things. For instance, if you need to get the logs of a user, you just go to the data connector. Once you are in the data connector, you click on Connect. Once you click on Connect, a lot from that environment just comes into Sentinel. Once it's coming into Sentinel, you can create various analytics rules.

    Which other solutions did I evaluate?

    I don't know of similar solutions or if any really exist.

    What other advice do I have?

    The company I work with now is a Microsoft partner.

    It's a very, very powerful tool that I recommend to my customers. I work as a consultant. I advise customers. I do not sell it directly.

    It's something that organizations should use. I would advise people to use it. It doesn't look into only your Azure environment. It spans other cloud solution providers.

    I'd rate the solution at a ten out of ten.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
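    The reviewer above describes two sides of the same detection: an automation rule that disables an account during a brute force attack, and the false positive that fires when a legitimate user simply mistypes a password a few times. The following is an added example, not code from the review or from Microsoft Sentinel, that shows how a sign-in failure rule can separate those cases before any automated response runs. It operates on constructed sign-in events (the accounts, addresses and thresholds are all made up for the illustration) and mimics the windowed counting that a SIEM analytics rule would do: a single user with a handful of failures followed by a success from the same address is suppressed, sustained failures against one account are reported as brute force, and one address spread across many accounts is reported as a password spray.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    """One sign-in event, with the fields a SIEM sign-in table typically carries."""
    ts: datetime
    user: str
    ip: str
    success: bool


def sample_events():
    """Constructed telemetry for the three situations discussed; not real data."""
    t0 = datetime(2022, 5, 1, 9, 0, 0)
    events = []
    # A user mistypes twice, then signs in from the same address (benign).
    events += [SignIn(t0 + timedelta(seconds=s), "alice@example.test", "203.0.113.10", False) for s in (0, 20)]
    events.append(SignIn(t0 + timedelta(seconds=45), "alice@example.test", "203.0.113.10", True))
    # Forty failures against one account from one address in four minutes (brute force).
    events += [SignIn(t0 + timedelta(seconds=6 * i), "bob@example.test", "198.51.100.7", False) for i in range(40)]
    # One address trying twelve different accounts once each (password spray).
    events += [SignIn(t0 + timedelta(seconds=10 * i), f"user{i}@example.test", "198.51.100.9", False) for i in range(12)]
    return events


def detect(events, window=timedelta(minutes=10), fail_threshold=10,
           spray_accounts=8, typo_limit=3):
    """Evaluate failed sign-ins per fixed time window and return findings plus suppressed users.

    Thresholds are illustrative assumptions; tune them to the tenant's baseline.
    """
    failures_by_user = defaultdict(list)  # (window, user) -> failed events
    successes = set()                     # (window, user, ip) that saw a success
    targets_by_ip = defaultdict(set)      # (window, ip) -> accounts it failed against

    for e in sorted(events, key=lambda ev: ev.ts):
        bucket = (e.ts - datetime.min) // window  # fixed-size bins, like bin() in KQL
        if e.success:
            successes.add((bucket, e.user, e.ip))
        else:
            failures_by_user[(bucket, e.user)].append(e)
            targets_by_ip[(bucket, e.ip)].add(e.user)

    findings, suppressed = [], []
    for (bucket, user), fails in failures_by_user.items():
        ips = {f.ip for f in fails}
        if len(fails) >= fail_threshold:
            # Sustained failures on one account: the case the reviewer automates.
            findings.append({"kind": "brute_force", "subject": user, "count": len(fails),
                             "action": "disable account pending analyst review"})
        elif len(fails) <= typo_limit and len(ips) == 1 and (bucket, user, next(iter(ips))) in successes:
            # A few failures, then success from the same address: the reviewer's false positive.
            suppressed.append(user)
        # Anything in between stays below the alerting bar and is left for hunting queries.

    for (bucket, ip), users in targets_by_ip.items():
        if len(users) >= spray_accounts:
            # Low-and-slow across many accounts never trips the per-user threshold,
            # so the per-source view is needed to see it.
            findings.append({"kind": "password_spray", "subject": ip, "count": len(users),
                             "action": "block source address and review targeted accounts"})

    return {"findings": findings, "suppressed": suppressed}


if __name__ == "__main__":
    result = detect(sample_events())
    for f in result["findings"]:
        print(f"{f['kind']:15} {f['subject']:22} count={f['count']:3}  -> {f['action']}")
    print("suppressed as benign:", result["suppressed"])
```

    The suppression branch is the part that addresses the complaint in the review: the rule only stays quiet when the failures are few, come from a single address, and that same address then authenticates successfully, which is what a mistyped password looks like and what an attacker who does not hold the credential cannot produce. The "action" field is deliberately a recommendation string; wiring it to an automation rule that actually disables the account should happen only after the analyst-facing threshold has been validated against the tenant's own baseline of failed sign-ins.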
    Sean Moore - PeerSpot reviewer
    Lead Azure Sentinel Architect at a financial services firm with 10,001+ employees
    Real User
    Top 20
    Quick to deploy, good performance, and automatically scales with our requirements
    Pros and Cons
    • "The most valuable feature is the performance because unlike legacy SIEMs that were on-premises, it does not require as much maintenance."
    • "If Azure Sentinel had the ability to ingest Azure services from different tenants into another tenant that was hosting Azure Sentinel, and not lose any metadata, that would be a huge benefit to a lot of companies."

    What is our primary use case?

    Azure Sentinel is a next-generation SIEM, which is purely cloud-based. There is no on-premises deployment. We primarily use it to leverage the machine learning and AI capabilities that are embedded in the solution.

    How has it helped my organization?

    This solution has helped to improve our security posture in several ways. It includes machine learning and AI capabilities, but it's also got the functionality to ingest threat intelligence into the platform. Doing so can further enrich the events and the data that's in the backend, stored in the Sentinel database. Not only does that improve your detection capability, but also when it comes to threat hunting, you can leverage that threat intelligence and it gives you a much wider scope to be able to threat hunt against.

    The fact that this is a next-generation SIEM is important because everybody's going through a digital transformation at the moment, and there is actually only one true next-generation SIEM. That is Azure Sentinel. There are no competing products at the moment.

    The main benefit is that as companies migrate their systems and services into the Cloud, especially if they're migrating into Azure, they've got a native SIEM available to them immediately. With the market being predominately Microsoft, where perhaps 90% of the market uses Microsoft products, there are a lot of Microsoft houses out there and migration to Azure is common.

    Legacy SIEMs used to take time in planning and looking at the specifications that were required from the hardware. It could be the case that to get an on-premises SIEM in place could take a month, whereas, with Azure Sentinel, you can have that available within two minutes.

    This product improves our end-user experience because of the enhanced ability to detect problems. What you've got is Microsoft Defender installed on all of the Windows devices, for instance, and the telemetry from Defender is sent to the Azure Defender portal. All of that analysis in Defender, including the alerts and incidents, can be forwarded into Sentinel. This improves the detection methods for the security monitoring team to be able to detect where a user has got malicious software or files or whatever it may be on their laptop, for instance.

    What is most valuable?

    It gives you that single pane of glass view for all of your security incidents, whether they're coming from Azure, AWS, or even GCP. You can actually expand the toolset from Azure Sentinel out to other Azure services as well.

    The most valuable feature is the performance because unlike legacy SIEMs that were on-premises, it does not require as much maintenance. With an on-premises SIEM, you needed to maintain the hardware and you needed to upgrade the hardware, whereas, with Azure Sentinel, it's auto-scaling. This means that there is no need to worry about any performance impact. You can send very large volumes of data to Azure Sentinel and still have the performance that you need.

    What needs improvement?

    When you ingest data into Azure Sentinel, not all of the events are received. The way it works is that they're written to a native Sentinel table, but some events haven't got a native table available to them. In this case, what happens is that anything Sentinel doesn't recognize, it puts it into a custom table. This is something that you need to create. What would be good is the extension of the Azure Sentinel schema to cover a lot more technologies, so that you don't have to have custom tables.

    If Azure Sentinel had the ability to ingest Azure services from different tenants into another tenant that was hosting Azure Sentinel, and not lose any metadata, that would be a huge benefit to a lot of companies.

    For how long have I used the solution?

    I have been using Azure Sentinel for between 18 months and two years.

    What do I think about the stability of the solution?

    I work in the UK South region and it very rarely has not been available. I'd say its availability is probably 99.9%.

    What do I think about the scalability of the solution?

    This is an extremely scalable product and you don't have to worry about that because as a SaaS, it auto-scales.

    We have between 20 and 30 people who use it. I lead the delivery team, who are the engineers, and we've got some KQL programmers for developing the use cases. Then, we hand that over to the security monitoring team, who actually use the tool and monitor it. They deal with the alerts and incidents, as well as doing threat hunting and related tasks.

    We use this solution extensively and our usage will only increase.

    How are customer service and support?

    I would rate the Microsoft technical support a nine out of ten.

    Support is very good but there is always room for improvement.

    Which solution did I use previously and why did I switch?

    I have personally used ArcSight, Splunk, and LogRhythm.

    Comparing Azure Sentinel with these other solutions, the first thing to consider is scalability. That is something that you don't have to worry about anymore. It's excellent.

    ArcSight was very good, although it had its problems the way all SIEMs do.

    Azure Sentinel is very good but as it matures, I think it will probably be one of the best SIEMs that we've had available to us. There are too many pros and cons to adequately compare all of these products.

    How was the initial setup?

    The actual standard Azure Sentinel setup is very easy. It is just a case where you create a log analytics workspace and then you enable Azure Sentinel to sit over the top. It's very easy except the challenge is actually getting the events into Azure Sentinel. That's the tricky part.

    If you are talking about the actual platform itself, the initial setup is really simple. Onboarding is where the challenge is. Then, once you've onboarded, the other challenge is that you need to develop your use cases using KQL as the query language. You need to have expertise in KQL, which is a very new language.

    The actual platform will take approximately 10 minutes to deploy. The onboarding, however, is something that we're still doing now. It's use case development and it's an ongoing process that never ends. You are always onboarding.

    It's a little bit like setting up a configuration management platform and you're only using one push-up configuration.

    What was our ROI?

    We are getting to the point where we see a return on our investment. We're not 100% yet but getting there.

    What's my experience with pricing, setup cost, and licensing?

    Azure Sentinel is very costly, or at least it appears to be very costly. The costs vary based on your ingestion and your retention charges. Although it's very costly to ingest and store data, what you've got to remember is that you don't have on-premises maintenance, you don't have hardware replacement, you don't have the software licensing that goes with that, you don't have the configuration management, and you don't have the licensing management. All of these costs that you incur with an on-premises deployment are taken away.

    This is not to mention running data centers and the associated costs, including powering them and cooling them. All of those expenses are removed. So, when you consider those costs and you compare them to Azure Sentinel, you can see that it's comparative, or if not, Azure Sentinel offers better value for money.

    All things considered, it really depends on how much you ingest into the solution and how much you retain.

    Which other solutions did I evaluate?

    There are no competitors. Azure Sentinel is the only next-generation SIEM.

    What other advice do I have?

    This is a product that I highly recommend, for all of the positives that I've mentioned. The transition from an on-premises to a cloud-based SIEM is something that I've actually done, and it's not overly complicated. It doesn't have to be a complex migration, which is something that a lot of companies may be reluctant about.

    Overall, this is a good product but there are parts of Sentinel that need improvement. There are some things that need to be more adaptable and more versatile.

    I would rate this solution a nine out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Guray Oguzgiray - PeerSpot reviewer
    Information Security Lead at Enerjisa Üretim
    Real User
    Its rule sets work perfectly with our cloud resources. They need to integrate better with other security vendors.
    Pros and Cons
    • "It is always correlating to IOCs for normal attacks, using Azure-related resources. For example, if any illegitimate IP starts unusual activity on our Azure firewall, then it automatically generates an alarm for us."
    • "They need to work with other security vendors. For example, we replaced our email gateway with Symantec, but we couldn't collect these logs with Azure Sentinel. Instead of collecting these logs with Azure Sentinel, we are collecting them on QRadar. We couldn't do it with Sentinel, which is a problem for us."

    What is our primary use case?

    We are using Microsoft Office 365 E5 license right now, which means we are using Windows Defender ATP because of its cloud application security platform. We also have Exchange Online Protection. The main thing is we are replacing all of our on-prem solutions with Microsoft Office 365 and Azure solutions.

    Our use case is for Azure Active Directory, Advanced Threat Protection, Windows Defender ATP, Microsoft cloud applications, Security as a Platform, Azure Firewall, and Azure Front Door. All of the Azure Front Door logs are coming to Azure Sentinel and correlating. However, for our correlation rules that exist on QRadar, we are still implementing these rules in Azure Sentinel because we have more than 300 different correlation rules that exist on QRadar.

    How has it helped my organization?

    It is always correlating to IOCs for normal attacks, using Azure-related resources. For example, if any illegitimate IP starts unusual activity on our Azure firewall, then it automatically generates an alarm for us.

    We do not get so many attacks, but if any attacks occur on our Azure Firewall site, then we are able to understand where the attack came from. Sentinel lets us know who introduced it.

    What is most valuable?

    It is perfect for Azure-native solutions. With just one click, integrations are complete. It also works great with some software platforms, such as Cloudflare and vScaler.

    The rule sets of Azure Sentinel work perfectly with our cloud resources. They have 200 to 300 rule sets, which is perfect for cloud resources.

    What needs improvement?

    They need to work with other security vendors. For example, we replaced our email gateway with Symantec, but we couldn't collect these logs with Azure Sentinel. Instead of collecting these logs with Azure Sentinel, we are collecting them on QRadar. We couldn't do it with Sentinel, which is a problem for us.

    It is difficult right now because there are not so many consultants who exist for Azure Sentinel, like there are for QRadar. We are not able to find a Sentinel consultant right now.

    For how long have I used the solution?

    In Turkey, we are the biggest energy generation company for the public sector. We head more than 20 power plants right now and have more than 1,000 people working in the energy sector. Two years ago, we started to work with Microsoft to shift our infrastructure and workloads to the Azure and Office 365 platforms. So, our story starts two years ago.

    What do I think about the stability of the solution?

    It is stable. We have had one or two issues, but those are related to QRadar. We are creating and pushing logs all the time to QRadar, because the Microsoft security API does not send these logs to QRadar.

    One resource is enough for day-to-day maintenance of our environment, which has 1,000 clients and 200 or 300 servers. However, our servers are not integrated with Azure Sentinel, because most of our servers are still on-prem.

    What do I think about the scalability of the solution?

    For Azure- and Office 365-related products, it is perfectly fine. It is scalable. However, if you want to integrate your on-prem sources with Azure Sentinel, then Azure will need to improve the solution.

    How are customer service and support?

    We are using Microsoft support for other Microsoft-related issues. They have been okay. They always respond to our issues on time. They know what to do. They solve our issues quickly, finding solutions for our problems.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    Right now, we are using QRadar for on-prem devices. On the other hand, we have Azure Sentinel for log collecting in the cloud products. All of the Microsoft components give logs to Azure Sentinel, but all of the on-premises resources are being collected on IBM QRadar. So, Sentinel has been helping us because this is causing complications for us. While it is possible to collect logs from QRadar to Sentinel to QRadar, it is difficult to do. So, we are collecting incidents from our QRadar, then our associates monitor Azure Sentinel-related incidents from QRadar.

    We have been starting to use Azure Kubernetes Service. However, our developers are afraid of shifting our production environment to Azure Kubernetes, so this whole process can continue. At the end of the day, our main goal is still completely replacing our on-premises sources with serverless architecture.

    We also started to use Azure Firewall and Azure Front Door as our web application firewall solutions. So, we are still replacing our on-prem sources. Azure Sentinel works perfectly in this case because we are using Microsoft resources. We have replaced half of our on-premises with Azure Firewalls. The other half exists in our physical data centers in Istanbul.

    How was the initial setup?

    The initial setup is getting more complex since we are using two different solutions: One is located on-prem and the other one is Azure Sentinel. This means Azure Sentinel needs to inspect both SIEMs and correlate them. This increased our environment's complexity. So, our end goal is to have one SIEM solution and eliminate QRadar.

    The initial setup process takes only one or two weeks. For the Azure-related and Office 365-related log sources, they were enabled for Azure Sentinel using drag and drop, which was easy. However, if you need to get some logs from Azure Sentinel to your on-prem or integrate your on-prem resources with Azure Sentinel, then it gets messy.

    This is still an ongoing process. We are still trying to improve our Azure Sentinel environment right now, but the initial process was so easy.

    We had two or three guys on our security team do the initial setup, which took one or two weeks.

    What was our ROI?

    We are not seeing cost savings right now, because using Azure Sentinel tools has increased our costs.

    What's my experience with pricing, setup cost, and licensing?

    Pricing and licensing are okay. On the E5 license, many components exist for this license, e.g., Azure Sentinel and Azure AD.

    I am just paying for the log space with Azure Sentinel. It costs us about $2,000 a month. Most of the logs are free. We are only paying money for Azure Firewall logs because email logs or Azure AD logs are free to use for us.

    Which other solutions did I evaluate?

    In Turkey, Microsoft is more powerful than other vendors. There are not so many partners who exist for AWS or G Cloud. This is the reason why we have been proceeding with Microsoft.

    QRadar rules are easier to create than those on Azure Sentinel. It is possible to create rules with Sentinel, but it is very difficult.

    What other advice do I have?

    There have been no negative effects on our end users.

    I would rate Azure Sentinel as seven out of 10.

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Technical Lead at a manufacturing company with 10,001+ employees
    Real User
    Powerful, with great performance and a seamless user experience
    Pros and Cons
    • "It's pretty powerful and its performance is pretty good."
    • "If their UI was a bit more streamlined and easy to find when I need it, then that would be a great improvement."

    What is our primary use case?

    We primarily use many Microsoft products, including Microsoft 365 with a focus on the security aspect. We have Defender for Endpoint and Defender for Servers. We also use Azure Sentinel with these.

    How has it helped my organization?

    This product has improved the way our organization functions. I won't be able to provide exact metrics as I don't directly work with metrics; however, from an improvement perspective, it is just a more streamlined deployment.

    We also use Intune as part of the MDM. If there are any agents that need to be deployed, then we can use that or we can just configure Windows from MDM directly. A lot of things can be just set up out-of-the-box and are ready to go and it sends logs right to Azure Sentinel. Therefore, while I don't have hard numbers, it's definitely made deployments easier and is much less time-intensive for our organization.

    What is most valuable?

    Coming from other SIEM solutions, Sentinel seems to be pretty good.

    It's pretty powerful and its performance is good.

    The most powerful aspect is the whole integration with the Microsoft ecosystem. If you have the Microsoft 365 subscription, E5, then it integrates pretty seamlessly with everything you're trying to do.

    You obviously have connectors with other third-party, non-Microsoft stuff as well. They have pretty good integration with those.

    Azure Sentinel has a lot of built-in analytics rules that help us get started in terms of triggering on anomalous activity. In terms of performance, they're pretty fast. I've used QRadar and Splunk. Compared to Azure Sentinel, those are pretty slow. Some searches in Sentinel are pretty instantaneous. For bigger searches, it's a very noticeable and impressive turnaround.

    There are a lot of features that I don't touch just because I'm in the SOC. That said, I know customers have deployed different items that are quite useful.

    The end-user experience is good. It's just pretty seamless. When I was onboarded, it was just a simple download and then a sign-in to my account. It'll basically configure everything for you and download the necessary stuff that the company has defined - including Defender, et cetera.

    What needs improvement?

    Microsoft needs to stop renaming their stuff. A lot of their products are very confusing due to the names they choose. The first time I heard of Defender I assumed it's just their antivirus, anti-malware, or a package that covers those things. However, there's Defender, Windows Defender, and then there's Defender for Endpoint, and there's also Defender for servers, et cetera. That really needs to be streamlined. As far as Defender's concerned, they want just a protective device. The differences are confusing.

    Maybe it's a transitional choice, however, they've been doing a lot of migrations to a new portal in the security center or office privacy center. There's a bunch of portals where some things are repeated or duplicated. You have the same features in the portals, yet, in some cases, there are some things that you have to go to one portal and not the other, as it hasn't been migrated or the feature is just not there.

    If their UI was a bit more streamlined and easy to find when I need it, then that would be a great improvement.

    For how long have I used the solution?

    I've been using the solution for one year.

    What do I think about the stability of the solution?

    The stability is pretty good. However, there is one flaw. We did have an issue where Microsoft had some issues with some components that caused issues with their cloud. It might have been an authentication issue or something like that; however, it basically took down everything. We weren't able to work. While integration is good if something comes from one vendor, if that vendor goes down, then everyone is pretty unhappy.

    What do I think about the scalability of the solution?

    While at my previous organization we had about 50 or 60 users, as a small company, we had customers that could have users in the thousands.

    I didn't notice any scalability issues, and therefore I assume it's quite good. With respect to Azure Sentinel, I've never had an issue.

    As far as I know, we're using pretty much everything that Microsoft has from a security perspective. I don't know how we can expand anymore.

    How are customer service and support?

    I've never had to call technical support or reach out to technical support, therefore, I can't speak to how they operate.

    Which solution did I use previously and why did I switch?

    I've previously used SentinelOne for endpoints and antimalware, et cetera, and Splunk for the SIEM.

    How was the initial setup?

    I was specifically working in SOC; I was more responsible for the day-to-day operations. Unfortunately, I cannot speak to the deployment so much. I would not have information on the implementation strategy, for example.

    What about the implementation team?

    We handled the deployment internally.

    What's my experience with pricing, setup cost, and licensing?

    I was in the SOC. I don't deal directly with that pricing. They do have multiple licensing levels. It's just about knowing what you need. One good thing about Microsoft is that they do have quite a few options depending on your needs. That said, sometimes it could be hard to pick because there are so many.

    As an organization, you need to understand the company's needs. For example, if you don't have a security team to look at your alerts or to set up all the stuff, then you probably don't need some of their most expensive services. You need to purchase the subscriptions accordingly if you're able to leverage them.

    They have premium and enterprise subscription levels. I don't know what the standard would be. They have E3 and E5 level licensing. I don't know off the top of my head the differences, however, E5 likely has more security features. Companies need to be aware of all the differences.

    Which other solutions did I evaluate?

    I was not part of any evaluation process. I came to the company afterward.

    What other advice do I have?

    I'm not sure which version of the solution we're on. We have another team that does the deployment and they would take care of the versioning, et cetera, however, we usually run the latest.

    Microsoft makes Windows. They know their stuff. Having everything streamlined can be time-saving. It's good to have an integrated system rather than using something else. You don't need to jump through a lot of hoops or install additional software in order to get everything up and running.

    I'd rate the solution at an eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Muhammad Junaid Raza - PeerSpot reviewer
    Sr. Security Engineer at Ebryx
    Real User
    Top 20
    Because it is a cloud-based deployment, we don't need to worry about hardware infrastructure
    Pros and Cons
    • "Azure Application Gateway makes things a lot easier. You can create dashboards, alert rules, hunting and custom queries, and functions with it."
    • "There are certain delays. For example, if an alert has been rated on Microsoft Defender for Endpoint, it might take up to an hour for that alert to reach Sentinel. This should ideally take no more than one or two seconds."

    What is our primary use case?

    We work as a managed security services provider (MSSP). We have different clients who have their own security team. 

    One company that I worked for recently had a security team of three people, then they hired us for 24/7 analysis and monitoring. For that, I solely worked on building this product, then there are the eight to nine people who do 24/7 monitoring and analysis.

    Sentinel is a full-fledged SIEM and SOAR solution. It is made to enhance your security posture and entirely centered around enhancing security. Every feature that is built into Azure Sentinel is for enhancing security posture.

    How has it helped my organization?

    It has increased our security posture a lot because there are a lot of services natively integrated to Azure Sentinel from Microsoft, e.g., Microsoft Defender for Endpoint and Defender for Office 365. 

    From an analyst's point of view, we have created a lot of automation. This has affected the productivity of analysts because we have automated a lot of tasks that we used to do manually. From an end user's perspective, they don't even notice most of the time because most of our end users are mostly non-technical. They don't feel the difference. It is all about the security and operations teams who have felt the difference after moving from LogRhythm to Azure Sentinel.

    What is most valuable?

    It is cloud-based, so there isn't an accessibility issue. You don't have to worry about dialing a VPN to access it. Azure does require that for an on-prem solution that the security part is entirely on Microsoft's and Azure's sign-in and login processes.

    Because it is a cloud-based deployment, we don't need to worry about hardware infrastructure. That is taken care of by Microsoft.

    Azure Application Gateway makes things a lot easier. You can create dashboards, alert rules, hunting and custom queries, and functions with it.

    Its integration capabilities are great. We have integrated everything from on-prem to the cloud.

    What needs improvement?

    There are certain delays. For example, if an alert has been rated on Microsoft Defender for Endpoint, it might take up to an hour for that alert to reach Sentinel. This should ideally take no more than one or two seconds.

    There are a couple of delays with the service-to-service integration with Azure Sentinel as well as the tracking point.

    For how long have I used the solution?

    I have been using it for 14 to 15 months.

    What do I think about the stability of the solution?

    Azure Sentinel is pretty stable. Sometimes, the agents installed on endpoints go down for a bit. Also, we have faced a lot of issues with its correctors in particular. However, the platform is highly stable, and there have been no issues with that.

    For operations, one to two people are actively using the solution. For analysis, there are eight to 10 people who are actively using it.

    What do I think about the scalability of the solution?

    Sentinel is scalable. If you want, you can hook up a lower balance security corrector. So, there are no issues with scalability.

    We have coverage for around 60% to 70% of our environment. While this is not an ideal state, it has the capability to go to an ideal state, if needed.

    How are customer service and support?

    I have worked with Azure Sentinel for four clients. With only one of those clients, the support was great. For the last three clients, there were a lot of delays. For example, the issues that could have been resolved within one or two hours did not get resolved for a month or two. So, it depends on your support plan. It depends on the networking connections that you have with Microsoft. If you are on your own with a lower priority plan, it will take a lot of time to resolve minor issues. Therefore, Microsoft support is not that great. They are highly understaffed. I would rate them as six or seven out of 10.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    We had a full-fledged SIEM, LogRhythm, already working, but we wanted to migrate towards something that was cloud-based and more inclusive of all technologies. So, we shifted to Azure Sentinel and migrated all our log sources onto Azure Sentinel. We also added a lot of log sources besides those that were reporting to LogRhythm.

    We have used a lot of SIEMs. We have used Wazuh, QRadar, Rapid7's SIEM, EventLog Analyzer (ELA), and Splunk. We used Wazuh with ELK Stack, then we shifted to Azure Sentinel because of client requirements.

    How was the initial setup?

    The initial setup was really straightforward because I had already worked with FireEye Security Orchestrator, so the automation parts were not that difficult. There were a couple of things that got me confused, but it was pretty straightforward overall.

    Initially, the deployment took seven and a half months.

    What about the implementation team?

    We used a lot of forums. We used Microsoft support and online help. We used a lot of things to get everything into one picture. There is plenty of help available online for any log sources that you want to move to Azure Sentinel.

    What's my experience with pricing, setup cost, and licensing?

    I have worked with a lot of SIEMs. We are using Sentinel three to four times more than other SIEMs that we have used. Azure Sentinel's only limitation is its price point. Sentinel costs a lot if your ingestion goes up to a certain point.

    Initially, you should create cost alerts in the cost management of Azure. With one of my clients, we deployed the solution. We estimated that the ingestion would be up to this particular mark, but that ingestion somehow got way beyond that. Within a month to a month and a half, they got charged 35,000 CAD, which was a huge turn off for us. So, at the very beginning, do your cost estimation, then apply a cost alert in the cost management of Azure. You will then get notified if anything goes out of bounds or unexpected happens. After that, start building your entire security operation center on Sentinel.

    Which other solutions did I evaluate?

    The SOAR capabilities of Azure Sentinel are great. FireEye Security Orchestrator looks like an infant in front of Azure Sentinel's SOAR capabilities, which is great.

    What other advice do I have?

    The solution is great. As far as the product itself is concerned, not the pricing, I would rate it as nine out of 10. Including pricing, I would rate the product as five to six out of 10.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
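Two points in the review above lend themselves to a concrete check: the ingestion-cost overrun described under pricing (do the estimate first, then alert when it is exceeded) and the hand-off delay for Defender for Endpoint alerts described under improvements. The KQL below is an added illustration, not part of the review and not Microsoft's own code; it runs in the Logs blade of the Sentinel workspace against the Log Analytics tables named in it. The planned-ingestion figure and the provider name "MDATP" are assumptions, marked in the comments.

```kql
// Added example (not from the review). Run in the Sentinel workspace's Logs blade.
// Assumption: plannedMonthlyGB is a constructed planning figure, the monthly
// ingestion volume the cost estimate was built on; replace it with your own number.
let plannedMonthlyGB = 150.0;
// --- Check 1: is billable ingestion tracking the estimate? ---
// The Usage table records per-table ingestion; Quantity is reported in MB.
let daily = Usage
    | where TimeGenerated > ago(30d) and IsBillable == true
    | summarize DailyGB = sum(Quantity) / 1024.0 by Day = bin(TimeGenerated, 1d);
daily
| summarize AvgDailyGB = round(avg(DailyGB), 2),
            PeakDailyGB = round(max(DailyGB), 2),
            Last30dGB = round(sum(DailyGB), 2)
| extend ProjectedMonthlyGB = round(AvgDailyGB * 30, 1)
| extend OverPlan = ProjectedMonthlyGB > plannedMonthlyGB

// --- Check 2: which tables drive the volume (largest first) ---
Usage
| where TimeGenerated > ago(30d) and IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024.0, 2) by DataType
| top 10 by IngestedGB desc

// --- Check 3: how late do Defender for Endpoint alerts arrive? ---
// ingestion_time() is when the row landed in the workspace; TimeGenerated is the
// alert's own timestamp, so the difference approximates the hand-off delay the
// review describes. Assumption: "MDATP" is the ProviderName carried by Defender
// for Endpoint alerts; confirm with `SecurityAlert | distinct ProviderName`.
SecurityAlert
| where TimeGenerated > ago(7d) and ProviderName == "MDATP"
| extend ArrivalDelay = ingestion_time() - TimeGenerated
| summarize Alerts = count(),
            MedianDelay = percentile(ArrivalDelay, 50),
            P95Delay = percentile(ArrivalDelay, 95),
            MaxDelay = max(ArrivalDelay)
  by Day = bin(TimeGenerated, 1d)
| order by Day asc
```

The three checks are separated by blank lines so that each can be run on its own (Log Analytics runs the query the cursor is in). Check 1 is the one worth turning into a scheduled query or a workbook tile next to the Azure Cost Management budget the reviewer recommends: the budget alert fires on spend, while this query tells you which month-to-date ingestion trend produced it. Check 3 gives a measured distribution rather than an anecdote, which is what you need to decide whether the delay is a connector problem to raise with support or an acceptable baseline for the analytics rules that key off SecurityAlert.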
    Dale Walker-Hyde - PeerSpot reviewer
    Cloud and Security Transformation Specialist at Comtact
    Real User
    Offers advanced threat-hunting, improves security posture, and is very scalable
    Pros and Cons
    • "The solution has features that helped improve the security posture of our clients. It provides the ability to correlate a large variety of log sources very cost-effectively, especially for Microsoft sources."
    • "We do see continuous improvement all the time, however, I haven't got a specific feature that is lacking or not well designed."

    What is our primary use case?

    I work with Azure Sentinel from a commercial perspective. We use Azure Sentinel to provide services to our customers. We use it as a security analytics platform for our customer base.

    How has it helped my organization?

    About half of our customers that are using it have migrated from an alternative solution, and half of them are using it for the first time or using something like this for the first time. It enabled customers that previously found it difficult to justify the cost of a security-analytics platform to actually deploy one without enormous upfront costs. It’s been cost-effective and it's pay-as-you-go.

    What is most valuable?

    Its capability in the advanced threat-hunting area is its most valuable aspect.

    The solution has features that helped improve the security posture of our clients. It provides the ability to correlate a large variety of log sources very cost-effectively, especially for Microsoft sources.

    While the solution has affected our client’s security posture, it’s difficult to give a concise answer to how. All customers that have deployed our Azure-Sentinel-based services have quickly found situations that they weren't already aware of and therefore have been able to take appropriate action. They feel much more confident that potential threats will be discovered in a more timely fashion.

    Sentinel affected the end-user experience, in that we get visibility of much more useful data in an easy-to-digest format that provides easy-to-understand value.

    What needs improvement?

    It is difficult for me to give a straight answer as to what needs improvement, being that I'm not one of the hands-on users. What we do find is that Microsoft is continuously introducing improvements to the platform. We do see continuous improvement all the time, however, I haven't got a specific feature that is lacking or not well designed.

    For how long have I used the solution?

    I've been using the solution for about one year.

    What do I think about the stability of the solution?

    I've not been aware of any issues or outages that we've experienced with it. We've been very pleased in that respect. There is nothing negative to report in that area.

    What do I think about the scalability of the solution?

    Scalability is one of the product's big strengths and one of the reasons that we are migrating. One of the issues with traditional platforms is that generally speaking, you have to be very careful sizing them, otherwise, if you undersize it, you're going to have expensive upgrade requirements, particularly if it's an on-premise solution. On the other hand, if you oversize it, you'll be paying too much. Whereas, with Azure Sentinel, it's pay-as-you-go. You don't really concern yourself too much with sizing, apart from budgeting for it. If you just size it for what you need today, and tomorrow, if you need more, it scales at cloud scale. It's one of its big strengths.

    How are customer service and support?

    Dealing with technical support is not something I do directly. I don't know specifically anything about it, although it's likely that our team has dealt with them in the past.

    Which solution did I use previously and why did I switch?

    The solutions that I've had personal experience with are AlienVault, Splunk, LogRhythm, and QRadar. I'm sure there's at least one other main one, however, they're the main ones I'm familiar with. We've seen migrations from quite a lot of different traditional platforms.

    How was the initial setup?

    The initial setup is reasonably straightforward, however, previous experience is very useful, which is why we offer to assist with setup. If customers are looking to do it themselves, it would probably be sensible to work with a partner who has previous experience to be able to deliver the value quickly and not waste time going down a dead end. That said, it's reasonably easy. I don't consider it a difficult platform to deploy.

    We usually follow a specific implementation or deployment strategy. The first steps would include a thorough analysis of the clients' environment, understanding from them where the valuable log sources are, and making sure that we fine-tune the system to, again, only be including valuable, relevant information, not a whole load of noise. 

    There isn't really much maintenance required. Microsoft maintains the platform. What we do, or what a customer will do if they're managing it themselves, is just manage it for their requirements. Maintenance is not an issue, as Microsoft provides that as part of the platform.

    What about the implementation team?

    We offer a range of services around Azure Sentinel. There are two main ones. Either we help a customer deploy and configure Azure Sentinel, which they then might manage themselves. However, for most of our customers, we actually provide a complete 24/7 managed service for it. This is due to the fact that the market that we target, which is typically medium-size organizations, would find it difficult to be able to justify the cost of setting up a 24/7 operation for this. We do the 24/7 bit and work as a partner providing the security services.

    What was our ROI?

    I don't have any specific numbers, however, we've seen customers that have switched from previous solutions have said that the ROI on this has been much quicker, within a couple of months, basically, due to the fact that there is no massive upfront investment. It's pay-as-you-go. We've seen a quick and impressive ROI.

    Which other solutions did I evaluate?

    I haven't personally evaluated any other solution, although chances are members of my team have.

    What other advice do I have?

    We are independent, however, we are a Microsoft gold partner. They supply us with the technology and we help customers use it. There's a relationship. That said, our company is not part of Microsoft or anything like that.

    I would not necessarily call Azure Sentinel a SaaS solution, however, I suppose it is in a way as it's all provided as a service by Microsoft. PaaS might be the best way of describing it. 

    The one thing I would advise new users is to make sure that Azure Sentinel is on the list of platforms to evaluate, and particularly if they are heavy Microsoft users. By that, I mean, Azure and Microsoft 365. Obviously, pretty much everyone's on Microsoft 365, however, particularly if a user is a heavy Azure user, then they should find the proposition pretty compelling. 

    I'd rate the solution at a nine out of ten. We've been very impressed with it, and customers that have gone in this direction have been as well.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Buyer's Guide
    Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.
    Updated: May 2022