Microsoft Sentinel Reviews

Name: Microsoft Sentinel
Brand: Microsoft
Rating: 4.1 (92 reviews)

Vendor: Microsoft

4.1 out of 5

92 reviews
93% willing to recommend

301 followers

Start review

What is Microsoft Sentinel?

Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution that lets you see and stop threats before they cause harm. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs—while reducing IT costs. With Microsoft Sentinel, you can:

Get the Microsoft Sentinel Buyer's Guide and find out what your peers are saying about Microsoft Sentinel, CrowdStrike Falcon, Wazuh and more!

Microsoft Sentinel is the #1 ranked solution in SOAR tools, #3 ranked solution in top Security Information and Event Management (SIEM) solutions, #5 ranked solution in top AI-Powered Cybersecurity Platforms solutions, and #6 ranked solution in top Microsoft Security Suite solutions. PeerSpot users give Microsoft Sentinel an average rating of 8.2 out of 10. Microsoft Sentinel is most commonly compared to CrowdStrike Falcon: Microsoft Sentinel vs CrowdStrike Falcon. Microsoft Sentinel is popular among the large enterprise segment, accounting for 58% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 16% of all views.

Helped 849,686 peers since 2012

Featured Microsoft Sentinel reviews

KrishnanKartik

Cyber Security Consultant at Inspira Enterprise

It's a Big Data security analytics platform. Among the unique features is the fact that it has built-in UEBA and analytical capabilities. It allows you to use the out-of-the-box machine learning and AI capabilities, but it also allows you to bring your own AI/ML, by bringing in your own IPs and allowing the platform to accept them and run that on top of it. In addition, the SOAR component is a pay-per-use model. Compared to any other product, where customization is not available, you can fine-tune the SOAR and you'll be charged only when your playbooks are triggered. That is the beauty of the solution because the SOAR is the costliest component in the market today. Other vendors charge heavily for the SOAR, but with Sentinel it is upside-down: the SOAR is the lowest-hanging fruit. It's the least costly and it delivers more value to the customer. The SOAR engine also uniquely helps us to automate most of the incidents with automated enrichment and that cuts out the L1 analyst work. And combining M365 with Sentinel, if you want to call it integration, takes just a few clicks: "next, next finish." If it is all M365-native, it is a maximum of three or four steps and you'll be able to ingest all the logs into Sentinel. That is true even with AWS or GCP because most of the connectors are already available out-of-the-box. You just click, put in your subscription details, include your IAM, and you are finished. Within five to six steps, you can integrate AWS workloads and the logs can be ingested into Sentinel. When it comes to a third party specifically, such as log sources in a data center or on-premises, we need a log collector so that the logs can be forwarded to the Sentinel platform. And when it comes to servers or something where there is an agent for Windows or Linux, the agent can collect the logs and ship them to the Sentinel platform. I don't see any difficulties in integrating any of the log sources, even to the extent of collecting IoT log sources. Microsoft Defender for Cloud has multiple components such as Defender for Servers, Defender for PaaS, and Defender for databases. For customers in Azure, there are a lot of use cases specific to protecting workloads and PaaS and SaaS in Azure and beyond Azure, if a customer also has on-premises locations. There is EDR for Windows and Linux servers, and it even protects different kinds of containers. With Defender for Cloud, all these sources can be seamlessly integrated and you can then track the security incidents in Microsoft's XDR platform. That means you have one more workspace, under Azure, not Defender for Cloud, where you can see the security incidents. In addition, it can be integrated with Sentinel for EDR deep-dive analytics. It can also protect workloads in AWS. We have customers for whom we are protecting their AWS workloads. Even EKS, Elastic Kubernetes Service, on AWS can be integrated, as can the GKE (Google Kubernetes Engine). And with Defender for Cloud, security alert ingestion is free

Read full review

Jalan Cruz

Cyber Security Analyst at CoinFlip

In terms of visibility, Microsoft Sentinel captures a lot of useful data. Microsoft Sentinel helps us prioritize threats across our enterprise. It shows us the most vulnerable assets, and because we have agents on every machine, we know exactly where to go to investigate. This is important for staying secure as a company. It allows us to cover our own bases by seeing what is happening in real-time and taking proactive steps to address threats, rather than reacting to them after they have already occurred. We can stay up-to-date with security measures and ensure that we follow through and execute our security plan. We integrated Microsoft Sentinel with Defender for Cloud, Endpoint, and Defender Vulnerability Management. Microsoft is not the most vendor-friendly company in terms of integrations and connections, but we were able to get it working in the end, so we cannot really complain. Microsoft's security tools work natively together to deliver coordinated detection responses across our environment. The comprehensive threat protection that Microsoft Sentinel provides is good. They provide really good information. We are able to create documents, perform root cause analysis, and analyze anything we need to. Log integration is also key. We are able to find potentially malicious files, correlate events to alerts, and then take action on alerts. So, the comprehensiveness is pretty straightforward. We use Cloud and Endpoint security. We have our Defender cloud, and then Defender agents on each endpoint. The bidirectional sync capability is important, and it is a work in progress. We are in the process of off-boarding our contract with CrowdStrike. We are moving all of our cybersecurity needs to Microsoft Defender, which is included in our existing Microsoft licenses. This makes financial sense, and CrowdStrike was not providing us with much value. The system allows us to ingest data from our entire ecosystem, which is very important. This is our main source of correlation of logs to alerts. Therefore, we definitely need to get every single log source, and possibly a few more. The system allows us to investigate and respond holistically from one place. It is a very comprehensive tool to use. However, the supporting documentation is limited to initial troubleshooting. This is where I find the most difficulty in explaining how good the tool is. Other than that, the tool is pretty straightforward. There is enough documentation to get us started. However, beyond that, we will need to rely on online forums and other open-source resources to learn more about the tool. When comparing Microsoft Sentinel to other SIEMs in terms of cost, we are saving money because it is included with our Microsoft 365 E5 licenses. This also helps us to reduce the number of different types of software that we need to use. We do like redundancy in terms of coverage, but the cost of multiple solutions adds up. We want to be able to use one central location for all of our security software. This is one of the reasons why we choose Microsoft Sentinel over third-party solutions. As we move into larger projects, we need to have a centralized place for all of our security policies and procedures. Microsoft Sentinel helps us automate routine tasks and find high-value alerts. We also use Sentinel as a store for our alerts. This allows us to automate most of our responses if not all of them. We also tailored our alerts to specific events that occur in our environment. Microsoft Sentinel helps eliminate the need to use multiple dashboards by providing a single XDR dashboard. We currently use Sentinel's workbooks, which provide a dashboard that we can use for metrics, reporting, and other purposes. This makes it easier to relay information upwards, as it is presented in a more visually appealing and easy-to-understand manner. For example, we can use pie charts, bar charts, and line charts to represent data in a way that is easy to understand. This makes it easier to convey information to upper management, such as where we are most vulnerable and what steps we need to take to improve our security. Microsoft Sentinel helps us prepare for potential threats before they hit by taking proactive steps. We can also detect ongoing incidents. For example, if we receive a ticket or alert that is ongoing and will not go away, we can automate a response to it and add it to our playbook. This way, if a similar incident occurs in the future, we will know what to do to respond immediately. In terms of automation, I believe we save about 20 to 22 hours per week by closing tickets. We receive about 50 to 100 tickets per day, and we automated about 80 percent of those. This means that we can now close tickets without having to manually review them. This saved us a significant amount of time, which we can now use on other tasks. We are on the smaller side in terms of the number of logs that come in. So, I don't think it's necessary to compare at this level of data ingestion. However, I can definitely see that if we scale and grow in the future, it will save us a lot of money, especially in terms of manpower and hours that we have to dedicate to automation or non-automated tasks. For example, in the six months that we've had Sentinel up and running, we've saved 755 hours in automation alone. We currently meet all of our service level agreements in terms of incident response. This definitely saved us time, and we also receive email alerts directly so that we know as soon as something happens.

Read full review

Nitin Arora

Security Delivery Senior Analyst at Accenture

The most amazing aspect of Microsoft Sentinel is the daily upgrading of the product. They have third-party connectors that their people are enhancing on a daily basis. That is what I like about the product. Their people are not sitting idly and saying, "Okay, we have created the product, now just use it." It's nothing like that. They are continuously working on it to make it number one in the market. It also has a playbook feature so that we can do automation in Sentinel itself, based on the data sources and the logs that we are receiving. That means we don't need to do manual stuff again and again. Using Sentinel, we can collect all the logs of third-party vendors and use them to analyze what kinds of scenarios are going on in the environment. On top of that, we can create analytics rules to monitor the environment and take action accordingly if there is a suspicious or malicious event. Something else that is great is the visibility into threats. We have an AI feature enabled in Sentinel and that gives us great visibility into the data sources we have integrated. And for data sources that we don't have integrated, we have a Zero Trust feature and we get great visibility into the threat log. Visibility-wise, Sentinel is fantastic. The ingestion of data from our entire environment is very important to our security operations. We have clients in insurance and multiple firms that deal with taxation, and we need to do an audit yearly. To do that, we need the data from the whole environment to be ingested into the workspace.

Read full review

Microsoft Sentinel mindshare

Product category:

As of May 2025, the mindshare of Microsoft Sentinel in the Security Information and Event Management (SIEM) category stands at 7.2%, down from 9.0% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Security Information and Event Management (SIEM)

PeerResearch reports based on Microsoft Sentinel reviews

Type	Title	Date
Category	Security Information and Event Management (SIEM)	Apr 30, 2025	Download
Product	Reviews, tips, and advice from real users	Apr 30, 2025	Download
Comparison	Microsoft Sentinel vs Splunk Enterprise Security	Apr 30, 2025	Download
Comparison	Microsoft Sentinel vs Wazuh	Apr 30, 2025	Download
Comparison	Microsoft Sentinel vs IBM Security QRadar	Apr 30, 2025	Download

Title	Rating	Mindshare	Recommending
CrowdStrike Falcon	4.3	4.7%	96%	126 interviews Add to research
Wazuh	3.7	13.9%	79%	46 interviews Add to research

Valuable Features

Microsoft Sentinel is recognized for its seamless integration with Microsoft products, powerful automation, built-in AI, and machine learning features. Users appreciate the extensive data connectors, robust analytics, and threat detection capabilities. It provides a single pane of glass for security operations, enabling efficient monitoring and incident response. Its ability to scale in the cloud and automate routine tasks significantly enhances security posture, offering comprehensive protection and reducing false positives.

"We have seen at least a 60% increase in efficiency with Microsoft Sentinel and the ability to reduce the MTTD down to under five minutes and MTTR down to under fifteen."
"Microsoft Sentinel is cloud native, which is a significant advantage. The data connectors that provide the ability to connect third-party log sources are highly valuable."
"The best feature of Microsoft Sentinel is its ability to unify all dashboards or functions into one modern SecOps dashboard."

Room for Improvement

Microsoft Sentinel users suggest improvements in areas such as integration with non-Microsoft tools, user-friendly interfaces, and more intuitive use of queries. Connectivity and cost issues are challenging for some, with difficulties in log ingestion and configuration. Enhanced AI features, streamlined dashboards, and better documentation are desired. There are concerns about alert accuracy and the need for more native connectors, with frequent updates. Some organizations find the high cost prohibitive and seek more industry-specific analytics rules.

"Their support can be challenging at times, particularly around unique experiences or circumstances with Microsoft Sentinel."
"Driving deeper integration with the Defender XDR portal within Microsoft Sentinel, which is being done, and continuing to increase the number of third-party data connectors available is important."
"The pricing tiers of Microsoft Sentinel should be improved. There are complexities in calculating the right pricing tier for different customers, which makes it difficult for me as a consultant during upfront pricing."

ROI

Initially, costs increased, but over time organizations experienced significant cost savings and efficiency improvements with Microsoft Sentinel. Reduced manual tasks, enhanced security posture, and quick detection of threats were highlighted. The integration capabilities and automation brought value by decreasing resource needs. Many users saw a rapid return thanks to a lack of massive upfront investment. Some noted that value evolves over time, seeing benefits manifest after a couple of months.

Pricing

Microsoft Sentinel's pricing is primarily based on a pay-as-you-go model, with expenses driven by data ingestion and retention. Enterprise users appreciate its seamless integration with Microsoft ecosystems, often leading to significant cost reductions. However, for some, the pricing can be perceived as high, especially when data ingestion surpasses predicted levels. Discounts and free services for specific integrations may help, but understanding usage patterns and optimization is crucial to managing costs effectively.

"Pricing for Microsoft Sentinel could always be lower, but it's workable. The ingestion costs for the data analytics is usually the highest cost, but the licensing per Microsoft Sentinel is fairly straightforward and transparent."
"We only pay for the amount of data we bring in, which is fair."
"It is consumption-based pricing. It is an affordable solution."

Popular Use Cases

Microsoft Sentinel is widely used for centralized log aggregation, security incident and event management, threat detection, and automated response. Users employ it to provide managed security services, analyze cloud-based log services, and integrate with various Microsoft security products like Azure Security Center and Defender. It supports hybrid and public cloud deployments, leveraging machine learning and AI for proactive incident response and threat intelligence, serving as a central platform for monitoring and enhancing security postures.

Service and Support

Microsoft Sentinel support is generally efficient, especially with premium plans. Many appreciate quick responses and knowledgeable engineers, but some encounter delays with basic support tiers. Issues often resolve promptly, though some report needing multiple interactions or relying on third-party resources. The community and documentation offer additional help. Unified or premium support users frequently experience better service, while others highlight challenges with response times and initial contact with technical support.

Deployment

Microsoft Sentinel's initial setup is largely straightforward and user-friendly, especially for organizations with cloud-based environments. Most organizations find the process quick, particularly when deploying online. However, complexity arises when integrating non-cloud platforms or requiring custom configurations. While basic deployment is simple, ongoing onboarding and configuring specific integrations can be challenging. Maintenance is minimal, as Microsoft handles much of it. Prior experience and documentation can facilitate the initial setup process.

Scalability

Microsoft Sentinel provides strong scalability, leveraging the cloud for auto-scaling capabilities. Organizations appreciate its ease of scale and integration across various environments, with many benefiting from significant Azure resources. It handles extensive log ingestion efficiently, accommodating thousands of users and endpoints. The pay-as-you-go model supports varied scaling needs, making it suitable for diverse and large-scale deployments. Many companies utilize its capabilities for seamless expansion within and across multiple regions.

Stability

Microsoft Sentinel exhibits strong stability, receiving high remarks for reliability and minimal downtime. Users appreciate its resilience with a record of high availability and secure performance, backed by Microsoft’s robust infrastructure. Some challenges arise from occasional service issues or regional internet disruptions, but these are rare. While some users mention component-related problems, most report stable and effective security operations, benefiting particularly from its cloud-based nature which handles data storage and infrastructure.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Microsoft Sentinel Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Computer Software Company

16%

Financial Services Firm

11%

Manufacturing Company

Government

University

Comms Service Provider

Educational Organization

Retailer

Healthcare Company

Insurance Company

Energy/Utilities Company

Construction Company

Media Company

Non Profit

Real Estate/Law Firm

Legal Firm

Hospitality Company

Outsourcing Company

Transportation Company

Wholesaler/Distributor

Performing Arts

Recreational Facilities/Services Company

Consumer Goods Company

Pharma/Biotech Company

Aerospace/Defense Firm

Logistics Company

Marketing Services Firm

Compare Microsoft Sentinel with alternative products

Learn more about Microsoft Sentinel

- Collect data at cloud scale—across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds

- Detect previously uncovered threats and minimize false positives using analytics and unparalleled threat intelligence from Microsoft

- Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft

- Respond to incidents rapidly with built-in orchestration and automation of common tasks

To learn more about our solution, ask questions, and share feedback, join our Microsoft Security, Compliance and Identity Community.

Microsoft Sentinel was previously known as Azure Sentinel.