Microsoft Sentinel OverviewUNIXBusinessApplication

Microsoft Sentinel is the #1 ranked solution in SOAR tools, #2 ranked solution in top Security Information and Event Management (SIEM) tools, and #4 ranked solution in top Microsoft Security Suite tools. PeerSpot users give Microsoft Sentinel an average rating of 8.2 out of 10. Microsoft Sentinel is most commonly compared to AWS Security Hub: Microsoft Sentinel vs AWS Security Hub. Microsoft Sentinel is popular among the large enterprise segment, accounting for 62% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 19% of all views.
Microsoft Sentinel Buyer's Guide

Download the Microsoft Sentinel Buyer's Guide including reviews and more. Updated: January 2023

What is Microsoft Sentinel?

Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution that lets you see and stop threats before they cause harm. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs—while reducing IT costs. With Azure Sentinel, you can:

- Collect data at cloud scale—across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds

- Detect previously uncovered threats and minimize false positives using analytics and unparalleled threat intelligence from Microsoft

- Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft

- Respond to incidents rapidly with built-in orchestration and automation of common tasks

To learn more about our solution, ask questions, and share feedback, join our Microsoft Security, Compliance and Identity Community.

Microsoft Sentinel was previously known as Azure Sentinel.

Microsoft Sentinel Customers

Microsoft Sentinel is trusted by companies of all sizes including ABM, ASOS, Uniper, First West Credit Union, Avanade, and more.

Microsoft Sentinel Video

Microsoft Sentinel Pricing Advice

What users are saying about Microsoft Sentinel pricing:
  • "From a cost perspective, Microsoft Sentinel is quite costly."
  • "I'm not happy with the pricing on the integration with Defender for Endpoint. Defender for Endpoint is log-rich. There is a lot of information coming through, and it is needed information. The price point at which you ingest those logs has made a lot of my customers make the decision to leave that within the Defender stack."
  • "The are two native advantages for customers that use M365 Security and Sentinel. The first advantage is that the log or security-event ingestion into Sentinel is free. Cost-wise, they're saving a lot and that is a major advantage."
  • "The price is reasonable because Sentinel includes features like user behavior analytics and SOAR that are typically sold separately. Overall, a standalone on-prem solution would require some high-end servers, and there's a different cost. It is a cloud-based solution, so there are backend cloud computing costs, but they are negligible."
  • "Microsoft can enhance the licensing side. I feel there is confusion sometimes... They should have a single license in which we have the opportunity to use the EDR or CASB solution."
  • "Some of the licensing models can be a little bit difficult to understand and confusing at times, but overall it's a reasonable licensing model compared to some other SIEMs that charge you a lot per data."
  • "Sentinel's pricing is on the higher side, but you can get a discount if you can predict your usage. You have to pay ingestion and storage fees. There are also fees for Logic Apps and particular features. It seems heavily focused on microtransactions, but they may be slightly optional. By contrast, Splunk requires no additional fee for their equivalent of Logic. You have a little more flexibility, but Sentinel's costs add up."
  • Microsoft Sentinel Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    Assistant Manager at a consultancy with 10,001+ employees
    Real User
    A straightforward solution that provides comprehensiveness and coverage of multiple different on-prem, and cloud solutions
    Pros and Cons
    • "Investigations are something really remarkable. We can drill down right to the raw logs by running different queries and getting those on the console itself."
    • "I think the number one area of improvement for Sentinel would be the cost."

    What is our primary use case?

    My client has a huge environment in Azure. They have around 30,000 resources spread across the globe. They also have a huge presence on-premises itself. So, for on-prem, they have a SIEM solution already in place. But for the cloud, they didn't have anything. So, basically, no visibility into any kind of attacks or any kind of logging or monitoring in the cloud. We could not scale up our on-prem counterpart for it due to various reasons of cost and how much resources it would take. Microsoft Sentinel seemed like a pretty good solution since it's cloud-native, it's hosted by Azure itself. So we went ahead with the solution.

    How has it helped my organization?

    Microsoft Sentinel has given us great visibility into our cloud workloads and cloud environment as a whole. And not just that, but even, in fact, with the MCAS and email-security solutions also. We get a lot of visibility into what kind of emails we are getting and how many of them are malicious versus legitimate. From a visibility and compatibility perspective, it's really a nice product to have as a SIEM solution for your cloud environment. In fact, we have integrated this with our AWS, as well. At this point in time, it's just one account, but we plan on expanding more. So all the logs from our AWS environment flow to the solution. Microsoft Sentinel performs the analytics and gives us the alert for that.

    The comprehensiveness and coverage of multiple different solutions, on-prem solutions, and cloud solutions, are the two aspects, Microsoft Sentinel really has an edge over other products.

    Visibility into threats is above average. Since I also went through some slides of Microsoft and they receive a lot of telemetry because of their Windows platform, because of Azure. What I saw in those slides is that they benefit from this telemetry and create a rich threat-intelligence, kind of a backend service, which supports Sentinel and literally enriches the detection capabilities for Microsoft Sentinel.

    Correlation is something that helps us instead of looking at every single alert. So, if we get a phishing email and five users click on it, instead of going through five individual detections, it correlates all of that and presents it in one single incident correlating all these five events. So, in terms of that correlation, it is pretty good. In terms of responding to these alerts, I know there is some automation. There were multiple calls with Microsoft when we were setting up this solution. They showed us how we can do this and they gave us a demo, which was really nice to see the automation. But from the response point of view, we haven't enabled any automation as of now because we are still in the nascent stages of setting this up. We have done multiple integrations, but, still, there's a lot of ground to cover. So, the response is something we would look at last. I think the response side also has a lot of automation and correlation, but we haven't worked on that as of now.

    The time to detect and time to respond has been reduced considerably. Detect, because the analytics that is done by Microsoft Sentinel is near real-time, and response is based on us. So, when we see the alert, we respond to it, and we wait on the teams to receive an answer. Previously, the SOC guys were doing this. It was really slow and, sometimes, proceeded at a snail's pace. With Microsoft Sentinel, at least one part of it got addressed, which was running these queries with the SIEM and getting to analyze multiple events to go onto a specific security incident. That time has been saved by Sentinel. I would say 20 to 30% of the time to respond and detect has been saved.

    What is most valuable?

    In terms of Microsoft Sentinel, I think a large part of it has been automated by Azure itself. From a customer point of view, all you have to do is just run some queries and get the data. In terms of connections or the connectors for multiple data sources or multiple log sources, it's very easy to just set it up, be it Azure-native services or something customized, like some connection with the on-prem servers or things like that, or even connections with the other cloud platforms, such as AWS. The connectors are really one thing I appreciate. I think it sets Microsoft Sentinel apart from other solutions. Apart from that, the analytics that it performs and the built-in queries that it has, are valuable. A lot of automation on part of Microsoft Sentinel is really commendable.

    Microsoft Sentinel definitely helps prioritize threats across our enterprise. I think Microsoft Defender for Cloud would also come in when we talk about this because Microsoft Defender for Cloud and Microsoft Sentinel work in conjunction with each other. We can set it up that way so any alerts that are found in Microsoft Defender for Cloud are forwarded to Microsoft Sentinel. Then, the prioritization is set based on the standard criticality, high, medium, low and informational. So, from our sense, what we can do is, we can simply target the high incidents.

    Another thing is that it very efficiently correlates all the events. So if multiple emails have been sent from a single email ID, which is supposed to be a phishing email, Sentinel identifies it, flags all the emails, and it can very beautifully track all of it from their console such as who clicked it, when did they click it, which ID was it, who received it. So, in terms of all that, correlation also helps us prioritize those events.

    Prioritization is important. If we have a bunch of alerts and we started investigating some alerts that are not of that much value, some alerts would get ignored if the prioritization was not set correctly. So if it's a phishing attempt and, in another area, we find that there's a brute-force attack going on, we would first want to address the phishing attempt since, in my opinion, in my experience, the probability of getting a link clicked is high rather than a password getting compromised by a brute-force attack. So, in those terms, prioritization really helps us.

    Microsoft Sentinel definitely enables us to ingest data from the entire ecosystem. Microsoft Sentinel has around 122 or 123 connectors. Although we haven't set up the solution for our whole ecosystem, be it on-prem, Azure Cloud, AWS cloud, or any other cloud for that matter, looking at the connectors, I feel like there's a whole lot of support, and possibly, we can cover our whole ecosystem, with some exceptions for some solutions. Exceptions are always there. From a coverage point of view, I think it's pretty good. We can cover at least 80 to 90% of our ecosystem. Obviously, it comes at a cost. So at that point in time, it could get very costly. That is one downside.

    From the SOC point of view, everything depends on how good the data you are ingesting is and the amount of data you are ingesting. So, the more data we have, the better insights we would have into what activities are going on in our cloud environment, and in our on-prem environment. So it's very critical to have the right data ingested into things like Microsoft Sentinel. Otherwise, you could have a great solution but an ineffective solution in place if you don't have data ingestion configured in the right manner.

    Investigations are something really remarkable. We can drill down right to the raw logs by running different queries and getting those on the console itself.

    What needs improvement?

    The number one area of improvement for Sentinel would be the cost. 
    At this point in time, I feel like, simply because we are a huge organization spread across the globe, we can afford it, but small and medium businesses cannot afford it. Maybe it's not meant for them? I don't know; that's a debatable topic. But even for organizations like ours, a problem that we face and for some of my other friends that I have talked to, it's a great solution, but we cannot deploy it everywhere because, frankly, we overrun our budget.

    One thing that would really help or benefit would be the alerts that get thrown up. I've seen multiple alerts. For example, external file activity or external user activity. I open those alerts and there is absolutely no information in them. If there's external user activity, then who is that user, what is something that they are doing, how did Microsoft Sentinel detect this, or what were the analytics based on this outcome that it was a malicious activity or there was something anomalous or something like that? There is some particular type of alerts where a bit more data enrichment would help us.

    The alerts get thrown out, and this is something we generally see with any kind of SIEM or any kind of other detection-based solution. For example, in an EDR solution or a vulnerability solution, the typical problem is alert fatigue. We get so many alerts that we start to see a large amount of them, and then we don't know where to start. Although here, we have the prioritization already shared by Microsoft Sentinel, so we have a starting point, but then it never ends. Perhaps tweaking and reducing the number of alerts that get thrown out, and enriching those alerts with more data would help. A lot of these alerts are just very normal things. They are not security incidents in their truest form, but it does take up our time just viewing those alerts. And sometimes, it also lacks a lot of information, like who did what, at exactly what time, and why did Microsoft Sentinel think that it was a malicious incident. That is one question I see a lot of times myself and don't get an answer for, like, "Okay, I get this a lot, but why do you think it's a security event?" So, enriching those alerts with more data might be a good area of improvement for Microsoft Sentinel.

    The number of dashboards is something we complained a lot to Microsoft about, "You have great solutions, but you have a different console or a different dashboard for everything. So, as a person who is responding to these alerts, it really becomes overwhelming juggling between multiple different screens, dashboards, tabs, and windows." They have acknowledged this and they have mentioned to us that a lot of other customers made the same complaint and they're working on integrating these dashboards. So, for example, if you are using Microsoft Defender for Cloud, in one click you can reach a Microsoft Sentinel page wherein it would show you the raw logs. It sometimes gets overwhelming viewing the same alert on multiple different dashboards. In one sense, if I had to give an example, you might see an alert on Microsoft Sentinel, but it won't have much data to it. To drill down to the very specific raw data, you would have to go to some other console. You would have to go to the source of that event or detection, be it Microsoft Defender for Cloud, MDI, or MCAS. So in those terms, we have to sometimes juggle through all these dashboards and tabs of multiple solutions.

    Buyer's Guide
    Microsoft Sentinel
    January 2023
    Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: January 2023.
    670,331 professionals have used our research since 2012.

    For how long have I used the solution?

    I have been using the solution for eight months.

    What do I think about the stability of the solution?

    I think the solution is pretty stable. I didn't see any aberrations or anomalous behavior of Microsoft Sentinel. And that's the benefit of having a managed service. Downtime is quite less. Especially from providers like Microsoft. With Microsoft Sentinel, we didn't feel like there were any hiccups in the operations or any sort of problems we faced with the solution, as of now.

    What do I think about the scalability of the solution?

    This is something good about having a managed product, you don't have to worry about scaling. And this is exactly the problem we felt with our existing on-prem solution LogRhythm: the scaling was not possible because of the cost included. With Microsoft Sentinel, you have to pay extra, but you don't have to worry about setting up more servers, configuring them, patching them, doing all the maintenance, and doing additional administrative work. The solution is pretty scalable.

    How are customer service and support?

    Based on our interactions at the time of setup, after that, we didn't really require that much assistance from Microsoft. So, at the time of setup, they really helped us with insights and with decisions that we had to take based on our organization type and how we work. We have teams distributed globally across multiple time zones, and similarly, we have data and operations distributed all over the world. So this becomes a challenge when dealing with anything related to IT. So, Microsoft did really help us with setting it up. From a technical-assistance point of view, at the initial stages, it was a good experience.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    Our on-prem solution is LogRhythm and the reason we decided to add Microsoft Sentinel was scaling up of LogRhythm would have been a huge cost to us. Because right now, on-prem LogRhythm is running on multiple VMs, so their cost structure is very different. If you run the same setup on Azure, it's just an exorbitant amount of money. So that was one factor that we chose not to scale up LogRhythm to our cloud environment and looked for some other solution. The other reason we went for Microsoft Sentinel was that it is cloud-native. Since it's a managed service from Microsoft and from Azure themselves, not just time but also a lot of responsibility on our end gets transferred to the cloud provider of just setting up and maintaining that infrastructure, updating and patching all those systems, and doing that maintenance work. That overhead gets taken off our heads. That's why we were looking for a cloud-native solution. And hence, in our comparison, in our multiple rounds of discussion with internal stakeholders within the cybersecurity team, Microsoft Sentinel seemed like a perfect fit, so we went ahead with the solution.

    How was the initial setup?

    The initial setup is pretty straightforward. We didn't face many problems or complexity. We had everything running in a couple of weeks. The deployment was just me and one other person from the security team. She had a lot more experience with Microsoft 365 and the MCAS side of things. And I was more from an Azure infrastructure point of view, Defender for Cloud and the like.

    What about the implementation team?

    We started the deployment from scratch and we brought on Microsoft for assistance. We already have a huge presence in Azure, so we already had a Microsoft contact. We reached out to them. We mentioned that we want Microsoft Sentinel on board. We got in touch with their own cloud security and Microsoft Sentinel experts. They advised us, but I can say all the setup and all the operational side of things we did because if Microsoft did it then that would be handled by the consulting arm of Microsoft and that would be a full-fledged project, which would have its own cost. So Microsoft had to play a role as an advisor. We used to get about four IT calls to set it up. Whatever Microsoft recommended us to do, we went ahead with that.

    First of all, we enabled everything that was free of cost. When you onboard Microsoft Sentinel, you pay some fee for the solution itself, and with that, you get some free connectors. So Azure AD sign-in and audit logs are one thing, Azure activity logs, and Microsoft Defender for Cloud are another. All these integrations don't cost anything extra over and above. So we started off with integrating all of that, and later on, slowly and steadily, we scaled up our integrations. There's still a lot of ground to cover. We aren't there yet with what we envisioned initially.

    What was our ROI?

    At this time I don't have an answer about a return on investment but it is something we have been contemplating inside our own team and we have been thinking of since we talked about how good a solution Microsoft Sentinel is. We cannot enable it across the organization, so we are thinking about creating a story of how much value, not in just terms of money but how much value in terms of security has the solution brought for us, and communicating this idea to other stakeholders in other teams and probably to the leadership, and maybe getting a little more budget for this project.

    What's my experience with pricing, setup cost, and licensing?

    Microsoft Sentinel is definitely costly. If we factor in the cost of other services, MCAS, MDI, and Microsoft Defender for Cloud, it gets seriously costly, to the extent that we cannot enable it across the organization. It simply overshoots the budget by a huge margin. When talking about the Microsoft Sentinel piece itself, let's say we have set up custom integrations and it does not cost us that much, it is definitely costly. If we talk about log retention, then it is even more costly. Comparing it to the other solutions, in fact, when we started off with the SIEM solutions for the cloud, we did do a comparison between which one would be the best: the classic Splunk, like we used in our on-prem, or maybe Microsoft Defender for Cloud. So, for our use case, Splunk was also a bit costly but less than Microsoft Sentinel. We went ahead with Microsoft Sentinel being a cloud-native platform on our side, the effort would be a lot less. Splunk would require to be set up from scratch. From a cost perspective, Microsoft Sentinel is quite costly.

    Which other solutions did I evaluate?

    We compared Splunk with Microsoft Sentinel.

    What other advice do I have?

    I give the solution an eight out of ten.

    We have used and tested additional Microsoft solutions. At one point in time, we used Microsoft Defender for Identity, MDI solution, but it was for three to four months only. We discontinued it because it was more of an experiment and the guys from Microsoft gave us the license for that product for a limited time for testing. We were short on budgets, hence we could not leverage or we could not go ahead and purchase it. Another product was MCAS, Microsoft Cloud App Security. Primarily, we use Microsoft Sentinel. Microsoft Defender for Cloud is also used, but it has not been enabled on a lot of resources because it has a cost implication. So cost is a huge factor that we have to think about every time we do anything in security related to all these four products. 

    Wherever it is possible, wherever we have identified some critical resources and we had the budget, we enabled Microsoft Defender for Cloud and then integrated it with Microsoft Sentinel. Integration is super easy for anything which is an Azure service. It's mostly about doing a couple of clicks or maybe running a couple of commands. For Azure-native services, it's very easy, be it integrating the Azure AD logs or Microsoft Defender for Cloud or things like that. If I remember correctly, I integrated Microsoft Defender simply by flipping a toggle on the console. So it was easy to integrate Microsoft Defender for Cloud.

    The coordination among all these tools is really marvelous. Although my role is not exactly that of an incident responder or from a SOC point of view, if I was a SOC person or an incident responder, it really takes the load off of my work to look around and to correlate that, and open four, five tabs and just juggling through them and trying to make a story. Microsoft Defender for Cloud, Microsoft Sentinel, and MCAS, all of them do it for us. So you just have a single pane of glass. Although these are four different products and you sometimes do have to juggle around, but not to that extent. Many times, it happens that your job gets done with just a single pane of glass.

    I think the coverage is comprehensive from a protection point of view for all these four, or five products from Microsoft.

    The bi-directional sync capabilities of Microsoft Defender is an option that we get at the time of integrating the solution. This is exactly what I mean by using the toggle button to integrate Microsoft Defender for Cloud with Microsoft Sentinel.

    I would say the sync capabilities are both critical and a nice add-on to have. Even if it's not critical and there was no sync between Microsoft Defender for Cloud and Microsoft Sentinel, we would still be doing our job of looking at two multiple portals. But since Microsoft does it for us, then it's really good to have. It takes the load off our shoulders and we could do other tasks and possibly look at more alerts instead of juggling through these portals between Microsoft Defender for Cloud, Microsoft Sentinel, MCAS, and MDI.

    Investigations are something really remarkable. We can drill down right to the raw logs by running different queries and getting those on the console itself.
    In terms of response, I do not have that much experience in automating the responses or letting Azure handle it, because we feel like the automation here might go wrong and we might have to face another incident caused by some sort of misconfiguration. So, at this point in time, we respond manually to the alerts. We don't use many of the response capabilities of Microsoft Sentinel. I did have a look at what I think, these are called playbooks, which are based on LogicHub. They do seem very promising, but we haven't used those functionalities as of now.

    If I had to rank the three capabilities in terms of comprehensiveness, at the top would be SOAR. I would put threat intelligence and UEBA second. I haven't used both of these capabilities that much. We haven't enabled UEBA in our environment. Threat intelligence is the default one. Again, this is something we haven't enabled on a custom basis or something add-on; it's the default one that Microsoft provides.

    In regards to proactiveness, I don't feel like there is anything proactive about the solution. It's mostly reactive. The nature of the whole SIEM is reactive: you analyze the logs, you get some alerts, and then you react to those alerts. I think in terms of prediction, I don't see it like that. But in terms of using threat intelligence, I definitely think that it really adds value when, for example, there's something legitimate in the email, there's something malicious. But when it comes to the unknown, when you cannot determine if it's good or bad, it adds value there, its threat intelligence, by simply stating that. Just a couple of days back, we had an alert that said that "URL was clicked," and it wasn't able to determine the nature of the URL: Was it malicious? Was it bad? So it gave us a low or an informational alert. Threat intelligence helps us in those situations.

    The solution has saved us time in two aspects. A tremendous amount of time is saved in terms of integration. Nowadays every organization across any sector you talk about has a lot of IT solutions and security solutions in place. You talk about network devices, VPNs, security devices, these collaboration services, et cetera, all of these generate a lot of data integrating and investing all of that data into SIEM is really critical for the SIEM to function properly. That is something that Microsoft Sentinel does quite well. And I see that they are always working on not just creating those integrations but also making them very easy to configure, from a customer point of view. So, those integrations are one thing that I really like about Microsoft Sentinel. The second is the correlation of these alerts across multiple of these integrations. So, integrations and correlations are two aspects that I really like about the solution. I would say the solution saved me around 50% of the time. Simply, it's less of running the queries on a standard SIEM solution and more of clicking on the dashboards. So the typing time gets taken off and the loading time of getting the results back, and doing this over and over again with a typical SIEM solution, that has been absorbed, by the solution. Microsoft Sentinel does it for us. Our time has been saved in that sense.

    I would say that, since the solution saved us time, and time is money, in that sense, the solution has saved us money. On the other, hand the solution's cost is such that it might have balanced out. So, I can say it saved us money in one sense, but I don't think it's because of the solution, it's because of how the processes are set up in our firm. When we find some detections primarily from Microsoft Defender for Cloud, we share it with the team and we get to know that "XYZ resource is not in use anymore," and it probably gets deleted. So, in that sense, resource getting deleted, obviously, would stop incurring the money and the extra cost that we would have been paying. In that sense, our money is saved, but I wouldn't really put Microsoft Sentinel there because if there was any other solution that would also do the same, the resource would eventually get deleted.

    Microsoft Sentinel runs on top of Log Analytics. And right now, we have it just hosted in the European region, but logs get ingested from all over the world, and the logs are of all types. Such as Microsoft Defender for Cloud, Azure AD sign-in logs, audit logs, Azure activity logs, and MCAS. We stopped using MDIs. We also have AWS. From AWS, there is a couple of log types. I think it's the CloudTrail, and events around S3 buckets and Kubernetes, although we don't use Kubernetes. That is all that is configured as of now with Microsoft Sentinel.

    Four people in our organization use the solution. We have a dedicated SOC team, two guys are from the SOC team: one is me, and one is another person who has experience with Microsoft 365, and two people from the cybersecurity team.

    I don't think there is any maintenance required. But there is overhead administration. So far, what I have experienced, it's just about integration. If you have to get started with the integration, then that's the overhead administrative effort on your head. Otherwise, it's not much of a problem. Everything is pretty smooth and automated with regard to maintenance.

    There's one guy in our organization who for some reason, doesn't really like Microsoft and its products. He thinks that it's a way for them to catch us in a net and then upsell all their services to us. But I have a different, opposing view. I think, yes, they do have their own strategy of upselling and cross-selling all their products and solutions, but I think they are pretty good when working with them with those solutions, be it Azure as a whole cloud service, or just one part of it like Microsoft Sentinel. It takes off a lot of overhead, also, in terms of when you want some support, since it's a one-vendor-based solution, they would be much more helpful to support you and give you the right resolution in comparison to having three different products from three different vendors. What happens is, more often than not, they all start blaming each other, and then there's a blame game going on, and we, as a customer, have to suffer with whatever problem we are dealing with. So, I would go with having one vendor's solution, provided the vendor is not the kind of vendor that just sees you as a cash cow.

    The only advice I would give to someone is that when you are evaluating the solution, if possible, you onboard people from Microsoft so they can help you and guide you. It's their product, they know how to best use it. So you would be in a better position right from the get-go, and it would also save a lot of time and effort in case you did something wrong or you chose a bad design decision, which might end up wasting a lot of time in the future. So, one piece of advice I would say is, simply to onboard Microsoft and it won't cost you extra. I don't think it would cost you extra. If you are already using any good Azure service or Azure itself, then that could be possible with the help of the account manager and the relationship that you have already with Microsoft. 

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: My company has a business relationship with this vendor other than being a customer: MSSP
    Flag as inappropriate
    PeerSpot user
    Senior Cloud Infrastructure Consultant at a tech services company with 201-500 employees
    Consultant
    Allows us to configure what we need and monitor multiple workspaces from one portal, and saves countless amounts of money
    Pros and Cons
    • "The part that was very unexpected was Sentinel's ability to integrate with Azure Lighthouse, which, as a managed services solution provider, gives us the ability to also manage our customers' Sentinel environments or Sentinel workspaces. It is a big plus for us. With its integration with Lighthouse, we get the ability to monitor multiple workspaces from one portal. A lot of the Microsoft Sentinel workbooks already integrate with that capability, and we save countless amounts of money by simply being able to almost immediately realize multitenant capabilities. That alone is a big plus for us."
    • "Improvement-wise, I would like to see more integration with third-party solutions or old-school antivirus products that have some kind of logging capability. I wouldn't mind having that exposed within Sentinel. We do have situations where certain companies have bought licensing or have made an investment in a product, and that product will be there for the next two or three years. To be able to view information from those legacy products would be great. We can then better leverage the Sentinel solution and its capabilities."

    What is our primary use case?

    We needed a SIEM solution that could integrate with our Microsoft 365 stack. Being a Microsoft product, that was the first SIEM we looked at, and we haven't looked back. We're still growing with the product over the last couple of years. It is phenomenal.

    We're mainly focused on the cloud, but one of our selling points is that you can integrate with on-prem. We push to get the Azure Arc implementation done on top of Sentinel so that we can ingest data from your on-prem environment into Azure Monitor, which is then exposed to Sentinel. That's how we drive that integration, but we mainly have the cloud. We have 80% cloud and 20% on-prem.

    How has it helped my organization?

    The specific focus on entity behavior is where the gold is within Sentinel. The machine learning and AI capabilities that Microsoft already provides within their toolset are exposed through entity behavior analytics. That really is magic. It is something we don't live without. We have specific key metrics we measure against, and this information is very relevant information to our security approach. That's because not everything is an alert and not everything is a threat. In some cases, the anomalous sign or the anomalous behavior is more important than the actual alert coming up and saying that something has been infected. It could be those sign-ins a week before or a month before into a database that you don't always look into that end up being the actual threat. The entity behavior or the overall feature that Sentinel has is absolute gold for us.

    In terms of the visibility into threats, because I set up the product, I'm very much aware of the fact that you see what you configure. That's probably a plus in terms of if you have an appetite only for product one, you ingest and you consume only product one. In our company, we have the full E5 solution, and we tend to have a lot of endpoints or metrics that we can pull into one space. So, each and every sub-component, such as Defender for Endpoint, Defender for Identity, and all the incidents end up within Sentinel. It is one spot from where we can manage everything. That works very well for us. We do have small customers with one or two Microsoft solutions, and even third-party solutions, and we can still integrate or expose those product-specific incidents within Sentinel. For me, that's a big plus.

    It definitely helps us to prioritize threats across our enterprise. There is not just a clear classification of severity but also the ability to team certain alerts together. It can chain events and bring you a bigger picture to tell you this is something that you need to take care of or look at because it is tied or chained to multiple events or alerts. That ability is again a big plus.

    We probably use all of the Microsoft products. We use Azure Active Directory, and we use Defender for pretty much everything, such as Defender for Identity, Defender for Endpoint, Defender for Cloud, and Defender for Cloud Apps. As a senior cloud infrastructure consultant, it is a part of my role to provide or customize and configure these products on behalf of our customers. We have integrated these products for multiple customers. One of my favorite benefits of Sentinel is its integration with the entire stack. I am yet to find a Microsoft product with which it does not integrate well. All of the Microsoft products are fairly simple to integrate with it. Anyone can set up their own environment. It is only third-party products where you tend to have a bit of technicality to configure, but even that is not a difficult process. It is fairly straightforward and easy to follow.

    All these solutions work natively together to deliver coordinated detection and response across our environment. Microsoft Defender stack does that quite well. One of the reasons why Microsoft personally favors the Microsoft Defender stack is because of the integration with the rest of the products.

    I'm a big fan of the layered approach, and it should be in every environment. Microsoft does a good job of providing you with that layered approach without too much of an oversight or a combination of a bunch of products. They work well individually, and they stack together quite well based on the individual requirements or the needs of each.

    We use Microsoft Defender for Cloud. Our footprint in the cloud is limited. We only have two or three customers that fully make use of the product, but it is something that I do make use of and will. We do make use of its bi-directional sync capabilities. Especially within the organization, we have a very small team dedicated to assisting in our cloud-managed servers. If one person has to run around and duplicate these efforts in multiple portals, that wouldn't be an effective use of their time. So, the simple ability to just be in one portal or one place and apply the remediation or the management of an item is a big plus for us.

    It allows us to ingest data from our ecosystem. I have found only one or two third-party antivirus products that still don't integrate fully with Sentinel, but for my use case within my own environment, as well as the environments we manage through our inSOC offering, there hasn't been any case or instance I know of where we could not find a solution to ingest necessary logs.

    I work with security, and I also work with compliance. On the compliance side, the ability to have an audit trail and all your logs in one central location is important. The data is queryable. The KQL language is not a difficult language to get under. So, for me, having it all in one place and being able to query it and slice the data to what I need to provide or expose is a key feature of a SIEM solution.

    It enables us to investigate threats and respond holistically from one place. It is very important, and bidirectional ties into this. We have a small team. So, the following capabilities are critical to our managed solution:

    • The ability to hunt from one location or one stream.
    • The ability to integrate with multiple sources and data tables for ingestion.
    • The ability to expose information from those tables from one stream or portal.

    We probably would end up having to hire twice as many people to accomplish what we can do simply by integrating Sentinel with the rest of our product stack.

    It helps automate routine tasks and the finding of high-value alerts. Being able to automate routine tasks or routine alerts is a big save for us because our analysts are not bogged down trying to just close alerts in a portal. This freeing up of time alone is a big save for us.

    It helps eliminate having to look at multiple dashboards and gives us one XDR dashboard. The workbooks already integrate well with Azure Lighthouse. So, right out the bat, we had that multitenant capability from one dashboard or one screen. It is just absolutely brilliant.

    It saves time on a daily basis. For example, as a desktop engineer, if I have to go through 20,000 devices, it would take a long time to go one device at a time. To make sure everything is fine, if I have to log in, upload some logs, do some metrics, log off, and go to the next office, it would take us a good part of a year to be able to work on each of these devices. With Sentinel, once your logs are configured and analytics rules are in place, a simple hunting query could accomplish exactly the same in a month.

    Previously, four hours of my day were spent on just dashboards here and there, logging into tenants one time to the next, running the same view in the same portals, and looking through, for example, the alerts for the day or the threats for the day. With Sentinel, all that is in one place. I can just log on with my company-provided credentials, do MFA once, and through a portal with multiple links, seamlessly go through entity after entity. My whole exercise of four hours per day is now probably down to half an hour just because everything is in one place.

    It has decreased our time to detection and time to respond. In the past, we would have to get someone to physically log onto a portal once there is an alert, and if that alert was in multiple places or multiple customers, it would mean multiple portals and multiple logins. The ability to manage from one screen and run an effective service has alone saved us 60% of our day.

    What is most valuable?

    I work with the Microsoft 365 products stack quite a bit, and I'm a big fan of the granularity that the products have. For example, the Defender stack is very focused on endpoints, identities, and so forth. With Sentinel, we have the ability to integrate with each of these components and enhance the view that we would have through the Defender portal. It also gives us the ability to customize our queries and workbooks to provide the solution that we have in mind on behalf of our team to our customers.

    The part that was very unexpected was Sentinel's ability to integrate with Azure Lighthouse, which, as a managed services solution provider, gives us the ability to also manage our customers' Sentinel environments or Sentinel workspaces. It is a big plus for us. With its integration with Lighthouse, we get the ability to monitor multiple workspaces from one portal. A lot of the Microsoft Sentinel workbooks already integrate with that capability, and we save countless amounts of money by simply being able to almost immediately realize multitenant capabilities. That alone is a big plus for us. Never mind everything else, such as the security benefits, visibility, and the ability to query the data. They all are great, but the ability to see multiple workspaces is a big money saver and a big time saver for our team.

    We offer a managed service where we are geared toward a proactive approach rather than a reactive one. Sentinel obviously covers quite a lot of the proactive approach, but if you engage all of your Microsoft products, especially around the Microsoft endpoint stack, you also gain the ability to manage your vulnerability. For us, gaining the ability to realize a full managed service or managed solution in one product stack has been valuable.

    Its threat intelligence helps us prepare for potential threats before they hit and take proactive steps. It highlights items that are not really an alert yet. They are items that are running around in the wild that Microsoft or other threat intelligence providers have picked up and would expose to you through Sentinel by running a query. This ability to integrate with those kinds of signals is a big plus. Security is not only about the alerts but also about what else is going on within your environment and what is going on unnoticed. Threat intelligence helps in highlighting that kind of information.

    What needs improvement?

    Improvement-wise, I would like to see more integration with third-party solutions or old-school antivirus products that have some kind of logging capability. I wouldn't mind having that exposed within Sentinel. We do have situations where certain companies have bought licensing or have made an investment in a product, and that product will be there for the next two or three years. To be able to view information from those legacy products would be great. We can then better leverage the Sentinel solution and its capabilities. It is being enhanced, and it has been growing day to day. It has gone a long way since it started, but I would like to see some more improvement on the integration with those third parties or old products that some companies still have an investment in.

    In terms of additional features, one thing that I was hoping for is now being introduced through Microsoft Defender Threat Intelligence. I believe that is going to be integrated with Sentinel completely. That's what I've been waiting for.

    For how long have I used the solution?

    I have been working with this solution for close to two years.

    What do I think about the stability of the solution?

    It is very much stable. We've had one or two issues in the last two years where we had a Microsoft-reported incident, and there were data flow issues, but overall, they are 99.9999% available. We've not had an unrecoverable event across the solution. We've had incidents where users ended up not paying the subscription and the subscription got disabled. It simply required just turning it back on and paying your bill, and you were back up and running. It is quite robust.

    What do I think about the scalability of the solution?

    It definitely is scalable. It will adapt to your needs. It is really about how much you're willing to spend or what your investment is like. That's basically the only limitation. We've seen customers or deployed to customers with thousands of endpoints across the world, ingesting tons and tons of data. We're talking 200, 300 gigabytes per day, and the product is able to cope with that. It does a great job all the way up there at 200, 300 gigs per day to all the way down to the 10, 20 megs per day. It is really scalable. I am quite a fan of the product.

    It is being used at multiple locations and multiple departments, and in our case, multiple companies as well. In terms of user entities, the number is probably close to 40,000 in total across our state. In terms of endpoints, we probably are looking at close to 30,000 endpoints.

    How are customer service and support?

    I've dealt with Microsoft technical support in the recent past, and I'm overall quite happy with it. Being a big company with big solutions and lots of moving parts, overall, their approach to troubleshooting or fault finding is great. I'm going to give them an eight out of ten. There is always some room for improvement, but they're doing well.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We didn't really use a full SIEM solution at the time. We hovered between dashboards and certain portals. We didn't have a SIEM in place. The first solution we looked at was Sentinel, and we fell in love. It does everything we want and everything we need, and we haven't looked back. We're not even looking at any other solutions right now. For us, it is unnecessary. We're very happy with Sentinel and what Sentinel can do.

    How was the initial setup?

    It is very straightforward. As a service provider, we'd love to be part of that integration or setup. That's where we make our bread and butter. It is simple enough for the average IT enthusiast to get going, but if you do want to get the best out of your product and if you want to start with some customization, reaching out to a service provider or to a specialist does make sense because they have learned a few things on your behalf. Other than that, it is easy enough to get going on your own. It is a very straightforward configuration, and it does make sense. It is easy to follow.

    If you already have a subscription in place, you could be fully operational in less than one business day.

    What about the implementation team?

    For its deployment, it is a one consultant kind of approach. What is important is that everyone from within the company that is part of the decision-making chain is present as part of it. That's because the main pushback is not the implementation of Sentinel, but the connection to it for the data. So, you would have your firewall guys push back and say, "I don't want to give my data to you." You have your Defender guys saying, "No, I don't want to give my data to you." That's more important in terms of the deployment. One person can easily manage the deployment in terms of the workload.

    There is some maintenance. There are some daily, monthly, and weekly tasks that we set out for ourselves. It is normally in the form of query updates, workbook updates, or playbook updates. If some schema update has happened to the underlying data, that needs to be deployed within your environment. Microsoft does a great job of alerting you, if you are within the portal, as to what element needs updating. We have 16 customers in total, and we have one person dedicated to maintenance.

    What was our ROI?

    We could realize its benefits very early from the time of deployment. Probably within the first three months, we realized that this tool was a lot more than just a simple SIEM, SOAR solution.

    It has absolutely saved us money. Of course, there is an upfront investment in Sentinel, which has to be kept in mind, but overall, after two years, the return on investment has been absolutely staggering. In security, you don't always have people available 24/7. You don't have people awake at two o'clock in the morning. By deploying Sentinel, we pretty much have a 24/7 AI that's looking at signals, metrics, and alerts coming in, making decisions on those, and applying automated actions. It is like a 24-hour help desk service from a solution that is completely customizable. We have programmatic access to the likes of playbooks to be able to further enhance that capability. The savings on that alone have been astronomical. If we did not have Sentinel, we would have had to double the amount of staff that we have now. There is about a 40% reduction in costs.

    What's my experience with pricing, setup cost, and licensing?

    I'm not happy with the pricing on the integration with Defender for Endpoint. Defender for Endpoint is log-rich. There is a lot of information coming through, and it is needed information. The price point at which you ingest those logs has made a lot of my customers make the decision to leave that within the Defender stack. The big challenge for me right now is having to query data with the Microsoft Defender API and then querying a similar structure. That's a simple cost decision. If that cost can be brought down, I'm sure more of my clients would be interested in ingesting more of the Defender for Endpoint data, and that alone will obviously drive up ingestion. They are very willing to look at that, but right now, it is at such a price point that it is not cost-effective. Most of them are relying on us to recreate our solution, to integrate with two portals rather than having the data integrator Sentinel. If we can make a way there, it'll be a big one.

    Which other solutions did I evaluate?

    We have had some assessments where we were asked to do a comparison with the likes of Splunk and other similar tools. What I love about Sentinel is the granularity. You can configure what you need. Whether it just logs from a server or logs from any of the Microsoft solutions, you have the ability to limit data depending on your use or your need. You can couple that with the ability to archive data, as well as retain data, on a set schedule.

    Its cost is comparable to the other products that we've had, but we get much more control. If you have a large appetite for security, you can ingest a lot of information right down to a server event type of log. That obviously would be costly, but for ingesting from the Microsoft stack itself, a lot of the key logs are free to use. So, you could get up and running for a very small amount per month or very small investment demand, and then grow your appetite over time, whereas with some of the other solutions, I believe you buy a commitment. So, you are in it for a certain price from the beginning. Whether you consume that, whether you have an appetite for that, or whether there are actual people in your company who can make use of that tool is separate from that commitment. That commitment is upfront, whereas Sentinel is much more granular. You have much more control, and you can grow into a fully-fledged product. You don't need to switch everything on from day one and then run and see what it will cost. You can grow based on your needs, appetite, and budget until you find that sweet spot between what you ingest and what you can afford.

    What other advice do I have?

    Having worked with the product and knowing the capabilities of the product, it is worth investing in a product that Microsoft has spent a great deal on integrating with the rest of its product stack. Now, we can argue how far along the third-party vendors are in terms of integration with the rest of the security landscape, but if you're a Microsoft house, there is literally no better solution right now in terms of integration and highlighting the best out of your investment. Of course, every use case is different, but I'm happy to look at any challenge in terms of what a third-party solution can bring and what they reckon Sentinel can't.

    My advice to others evaluating the solution is that Sentinel isn't a silver bullet solution. It is not something you deploy and set up, and it is going to work 100% well and you're going to be happy. There is going to be some upfront investment. You're going to have to spend some time getting the product in place and getting it configured to your needs. To showcase in a PoC environment is quick and easy, but to realize real-world day-to-day benefits from this product, there is going to be some investment. Keep that in mind. If you're willing to spend that time upfront within the first couple of days or a couple of weeks of you deploying the solution, you'll immediately realize the benefit, but you have to have that mindset. It is not going to just be next, next, next, where it is deployed, and congratulations, you are now secure. That's never going to be the case, but after spending a bit of time on this product, there is nothing it can't do.

    I want to give it a 10 out of 10 just because I'm very passionate about this product. I've seen it grow from a very basic SIEM solution to a fully-fledged SIEM, SOAR solution. Some of the capabilities that are built in right now make my day so much easier. Overall, it is a brilliant product, and I love what Microsoft is doing to it. It is a great product.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Microsoft Sentinel
    January 2023
    Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: January 2023.
    670,331 professionals have used our research since 2012.
    KrishnanKartik - PeerSpot reviewer
    Cyber Security Consultant at Inspira Enterprise
    Consultant
    Every rule enriched at triggering stage, easing the job of SOC analyst
    Pros and Cons
    • "You can fine-tune the SOAR and you'll be charged only when your playbooks are triggered. That is the beauty of the solution because the SOAR is the costliest component in the market today... but with Sentinel it is upside-down: the SOAR is the lowest-hanging fruit. It's the least costly and it delivers more value to the customer."
    • "Only one thing is missing: NDR is not available out-of-the-box. The competitive cloud-native SIEM providers have the NDR component. Currently, Sentinel needs NDR to be powered from either Corelight or some other NDR provider."

    What is our primary use case?

    It's mostly used for cloud-based analytics for proactive incident response. As an enterprise product, it falls under next-gen SIEM.

    How has it helped my organization?

    An advantage of Sentinel is that Microsoft has acquired RiskIQ as a threat intel platform and they've amalgamated it into the platform. When any analytical (or correlation) rule triggers, the enrichment is bundled within the solution. We don't need to input anything, it is there by default. Every rule is enriched right at the triggering or detection stage, which eases the job of the SOC analyst. The platform has become so intelligent compared to other solutions. When an alert is triggered, the enrichment happens so that we know exactly at that moment the true or false posture. This is a mature feature compared to the rest of the providers.

    Most of our customers use M365 with E3 or E5 licenses, and some use Business Premium, which provides the entire bundle of M365 Security including EDR, DLP, Zero Trust, and email security. There are two native advantages for customers that use M365 Security and Sentinel. The first advantage is that the log or security-event ingestion into Sentinel is free. Cost-wise, they're saving a lot and that is a major advantage.

    The other advantage is that when you use M365 Security with Sentinel, you get multi-domain visibility. That means when attacks happen with different kill-chains, in different stages through the email channel or a web channel, there is intelligence-sharing and that is a missing piece when customers integrate non-Microsoft solutions with Sentinel. With Microsoft, it is all included and the intelligence is seamlessly shared. The moment an email security issue is detected, it is sent to the Sentinel platform as well as to the M365 Defender platform. The moment it is flagged, it can trigger.

    That way, if the email security missed something, the EDR will pick up a signal triggered by a payload or by a script being shared and will trigger back to the email security to put that particular email onto a blacklist. This cross-intelligence is happening without even a SIEM coming into play.

    And a type of SOAR functionality is found within M365 Defender. It can run a complete, automated investigation response at the email security level, meaning the XDR platform level. When M365 Security is combined with Sentinel it gives the customer more power to remediate attacks faster. Detection and response are more powerful when M365 Defender and Sentinel are combined, compared to a customer going with a third-party solution and Sentinel.

    Sentinel has an investigation pane to investigate threats and respond holistically from one place, where SOC analysts can drill down. It will gather all the artifacts so that the analysts can drill down without even leaving the page. They can see the start of the attack and the sequence of events from Sentinel. And on the investigation page, SOC analysts can create a note with their comments. They can also call for a response action from that particular page.

    Also, most of the next-gen cloud analytics vendors don't provide a common MSSP platform for the service provider to operate. That means we have to build our own analytics in front of those solutions. Sentinel has something called Lighthouse where we can query and hunt and pull all the metadata into an MSSP platform. That means multi-customer threat prioritization can be done because we have complete visibility of all our customers. We can see how an attack pattern is evolving in different verticals. Our analysts can see exactly what the top-10-priority events are from all of our customers. Even if we have a targeted vertical, such as BFSI, we can create a use case around that and apply it to a customer that has not been targeted. We can leverage multiple verticals and multiple customers and see if a new pattern is emerging around it. Those processes are very easy with Sentinel as an MSSP platform.

    Because we use 75 percent of the automation possible through the platform we are able to reduce MTTA. It is also helpful that we get all the security incidents including the threat, vulnerability, and security score in one place of control. We don't have to go to one place for XDR, another for email, another for EDR, and a fourth for CASB. Another time saver is the automated investigation response playbooks that are bundled with the solution. They are available for email, EDR, and CASB. As soon as a threat is detected, they will contain it and it will give you a status of partially or fully remediated. Most of our customers have gone for 100 percent automation and remediation. These features save at least 50 percent of the time it would otherwise take.

    In terms of cost savings, in addition to the savings on log-ingestion, Microsoft Sentinel uses hyperscaler features with low-tier, medium-tier, and hot storage. For customers that need long-term data storage, this is the ideal platform. If you go with Securonix or Palo Alto, you won't see cost savings. But here, they can choose how long they want to keep data in a hot tier or a low or medium tier. That also helps save a lot on costs.

    What is most valuable?

    It's a Big Data security analytics platform. Among the unique features is the fact that it has built-in UEBA and analytical capabilities. It allows you to use the out-of-the-box machine learning and AI capabilities, but it also allows you to bring your own AI/ML, by bringing in your own IPs and allowing the platform to accept them and run that on top of it.

    In addition, the SOAR component is a pay-per-use model. Compared to any other product, where customization is not available, you can fine-tune the SOAR and you'll be charged only when your playbooks are triggered. That is the beauty of the solution because the SOAR is the costliest component in the market today. Other vendors charge heavily for the SOAR, but with Sentinel it is upside-down: the SOAR is the lowest-hanging fruit. It's the least costly and it delivers more value to the customer.

    The SOAR engine also uniquely helps us to automate most of the incidents with automated enrichment and that cuts out the L1 analyst work.

    And combining M365 with Sentinel, if you want to call it integration, takes just a few clicks: "next, next finish." If it is all M365-native, it is a maximum of three or four steps and you'll be able to ingest all the logs into Sentinel.

    That is true even with AWS or GCP because most of the connectors are already available out-of-the-box. You just click, put in your subscription details, include your IAM, and you are finished. Within five to six steps, you can integrate AWS workloads and the logs can be ingested into Sentinel. When it comes to a third party specifically, such as log sources in a data center or on-premises, we need a log collector so that the logs can be forwarded to the Sentinel platform. And when it comes to servers or something where there is an agent for Windows or Linux, the agent can collect the logs and ship them to the Sentinel platform. I don't see any difficulties in integrating any of the log sources, even to the extent of collecting IoT log sources.

    Microsoft Defender for Cloud has multiple components such as Defender for Servers, Defender for PaaS, and Defender for databases. For customers in Azure, there are a lot of use cases specific to protecting workloads and PaaS and SaaS in Azure and beyond Azure, if a customer also has on-premises locations. There is EDR for Windows and Linux servers, and it even protects different kinds of containers. With Defender for Cloud, all these sources can be seamlessly integrated and you can then track the security incidents in Microsoft's XDR platform. That means you have one more workspace, under Azure, not Defender for Cloud, where you can see the security incidents. In addition, it can be integrated with Sentinel for EDR deep-dive analytics. It can also protect workloads in AWS. We have customers for whom we are protecting their AWS workloads. Even EKS, Elastic Kubernetes Service, on AWS can be integrated, as can the GKE (Google Kubernetes Engine). And with Defender for Cloud, security alert ingestion is free

    What needs improvement?

    Only one thing is missing: NDR is not available out of the box. The competitive cloud-native SIEM providers have the NDR component. Currently, Sentinel needs NDR to be powered from either Corelight or some other NDR provider. It needs a third-party OEM. Other than that, it supports the entire gamut of solutions.

    Also, we are helping customers build custom data-source integration. Microsoft needs to look at some strategic development on the partner front for out-of-the-box integration.

    For how long have I used the solution?

    We are an MSSP and we have offered Microsoft Sentinel as a service to our customers for close to one and half years. Before I joined this organization, I worked with another organization that provided Microsoft Sentinel as a service for close to one year.

    What do I think about the stability of the solution?

    The platform is pretty stable. I generally do not have any problems with it unless an issue arises while deploying a playbook. The platform is 98 percent stable. That other 2 percent only happens when you start working deep on customization. Out-of-the-box, everything has been tested and there aren't any problems. But when you try to create something on your own, that's where you may need Microsoft support.

    What do I think about the scalability of the solution?

    You can scale it as much as you want. There are no limitations on scaling it.

    It supports multi-region environments. Even if it is a large organization with multiple regions and multiple subscriptions, it can collect the data within the regions. With GDPR, logs should stay within the country. The solution can comply with the law of the land and still serve multiple locations.

    Sentinel Lighthouse is not only meant for MSSPs. A large organization with diverse geography can meet the local data-residency laws, and Lighthouse will still act as a platform to connect all the regions and provide a centralized dashboard and visibility as an organization. So it can work if the customer has only one region and if there are multiple regions. It is a unique platform.

    Also, every six months they develop a lot of playbooks as well as from the marketplace, the Microsoft Sentinel Content hub. MSSPs like us can use it to create content and put it into the marketplace so that other customers or service providers can use them. Similarly, when those parties develop things, they are available to us.

    Microsoft is almost too active. We receive something new to offer to our customers every month or two. We also operate Splunk and QRadar but we see a lot of activity from Microsoft compared to the other vendors. That means we have a lot of value-adds to offer to our customers. These updates do not go to the customer by default. As a service provider, that helps us. We are the enablers, and a lot of these updates are free of cost for Sentinel users.

    How are customer service and support?

    I would rate Microsoft technical support at five out of 10 because we have to go through a lot of steps before we get to the right technical stakeholder. They have to improve a lot.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    As an MSSP we also use Splunk, Qradar, and Micro Focus ArcSight. We added Microsoft as well because of customer demand. 

    Existing customers that are doing a tech refresh are going for cloud-native. Digital transformation has been the driving factor. A lot of our customers have embraced microservices and they're looking for a new-age, cloud-native SIEM to support cloud-native solutions. For most of our customers that are looking at migrating to Sentinel, the major factor is the cloud. They have moved their data center servers to AWS or GCP or Azure.

    How was the initial setup?

    The initial deployment is straightforward. There are only two or three methods, depending on whether it is on-premises log collection or M365 all-cloud, in which case it is API-based with out-of-the-box APIs. Within a few clicks, we can integrate it. It is simple and fast.

    If we're dealing with all-M365 components and Azure components, we can complete deployment within a day. If we're dealing with the customer-log collection, it depends on the customer. There are some prerequisites required, but if the prerequisites are ready, then it takes, again, a day or so.

    The number of people involved depends on the situation, but if there is not much more than out-of-the-box deployment, a maximum of two L1 engineers can complete all the activity.

    What was our ROI?

    From my perspective, the ROI is good because Microsoft keeps getting new things done without any additional cost. Every quarter there is at least a 10 to 15 percent increase with add-on components and content that are free. That is a type of enrichment that customers receive that they do not get from any other platform.

    What's my experience with pricing, setup cost, and licensing?

    Microsoft gives a discount of 50 percent but only for customers that are clocking 100 GB and above. They should also look at medium and SMB customers in that regard.

    There are a lot of advantages for customers with a Microsoft ecosystem. They need to know the tricks for optimizing the cost of Microsoft Sentinel. They need to work with the right service provider that can help them to go through the journey and optimize the cost.

    For Microsoft security products there is a preview mode of up to six months, during which time they are non-billable. The customer is free to take that subscription and test it. If they like it, they will be billed but they have six months where they can evaluate the product and see the value. That is the best option and no other vendor gives a free preview for six months.

    Other solutions will have two updates a year, maximum. And most of them are not updates to the features but are security or platform-stability updates. Microsoft is completely different. Because the platform is managed by them, they don't give platform updates. They give updates on the content that are free. They keep adding this data, which is helping customers to stay relevant and updated.

    Our customers see a lot of value from that process. Some 60 to 70 percent move from preview mode to production.

    Which other solutions did I evaluate?

    The challenge with competitive products, or any SIEM, is that they are use-case specific: You define some correlation and they will detect it. Some of the next-gen solutions today work with analytics but the analytics are limited to the logs that have been registered. Other platforms are also not able to pinpoint the inception point of the attack. Once the attack is being reviewed, they will use log sources of that particular attack and will drill down into that particular attack scenario, but they're not able to group the attack life cycle: the initiation of that attack, and the different stages of the attack. The visibility is limited when it comes to other SIEMs.

    But Sentinel has something called Fusion, which can give you multi-stage attack visibility. That is not something available from other SIEM vendors. Fusion is a very special kind of detection. It will only trigger when it sees the linkage between multiple attacks detected by multiple data sources. It will try to relate all the attacks and see if there is a link between them. It gives you a complete footprint of how that attack started, how it evolved, how it is going, and which phase it is in now. It will give a complete view of the attack, and that is a missing link compared with other SIEM vendors. This is a unique feature of Microsoft Sentinel.

    Sentinel's UEBA is around 90 percent effective, and the threat intel is a 10 out of 10, but it is an add-on. If a customer takes that add-on package, it will give complete threat intel and visibility into the deep and dark web. In addition, it helps a customer to track the external attack surface. It is a comprehensive threat intel platform. 

    The Sentinel SOAR is a 10 out of 10 and, if I could, I would rate it higher. Other SOAR platforms do not help reduce the price. A customer may not be able to use them after some time because they charge per SOC analyst. With Microsoft, there is no limitation on SOC analysts. It is purely billed based on consumption, which is a great advantage. Every customer can use it. It is free for up to 4,000 actions. Even if a customer goes to 50,000 actions per day, which is normally what a large-volume customer will do, he'll be charged $50, and no competitive SOAR vendor is in that league.

    What other advice do I have?

    Understand the product capabilities first and, before finalizing your product, see how we can optimize your solutions. Also, try to see a roadmap. Then plan your TCO. Other SIEMs do not give you the advantage of free log ingestion, but if you want to understand the TCO, you need to know what your organization is open to adopting. If you integrate Microsoft solutions in different places, like cloud or CASB, it is going to give you more free ingestion and your TCO is going to be reduced drastically.

    Organizations that have a Microsoft E5 license have an advantage because all the Microsoft components we have talked about are free. Unfortunately, we have also witnessed that most of our customers with an E5 license are not using the product features effectively. They need to see how they can leverage these services at the next level and then start integrating with Sentinel. That will give them a better return on investment and a proper TCO.

    The platform gives you the ability to do 100 percent automation, but it is up to the service provider or the customer to decide what the percentage should be. The percentage varies from organization to organization. In our organization, we are using 75 percent of the automation before it reaches a SOC analyst. At a certain point, we want to see our SOC Analyst intervene. We want to do that remaining 25 percent manually, where the analyst can call for further responses.

    Threat intelligence, in my opinion, is not generally going to work in a predictive mode. It is more a case of enrichment and indicators of compromise. It can only help in direction and correlation, but may not take you to a predictive mode, except if we talk about external attack surface management. The threat intel feed is going to give you an indicator of compromise and that will help you to be proactive but not predictive.

    Whereas the external attack surface management and deep and dark web monitoring will monitor all your public assets. If a hacker is doing something in your public-facing assets, it will give a proactive alert that suspicious activities are happening in those assets. That will help my SOC analysts to be predictive, even before an attack happens. If somebody is trying brute force, that's where the predictive comes into play. The deep and dark web monitoring will help to monitor my brand and my domain. If hackers discuss my critical assets or my domain within a dark web chat, this intel can pick that up. In that case, they can say something predictively and that they are planning for an attack on your assets.

    In terms of going with a best-of-breed strategy rather than a single vendor's security suite, customers need to be smart. Every smart solution keeps its intelligence within the solution. If the landscape includes email, web, EDR, et cetera, at a bare minimum there are eight different attack surfaces and everyone can have different controls. A SOC analyst will have to manage eight different consoles and have eight unique skill sets with deep knowledge of each product. So although individual solutions bring a lot of things to the table, the customer is not able to use those features 100 percent. We are failing when we go with individual products. An individual product may be more capable, but an organization will not be able to use the product effectively. The silos of intelligence, the number of different consoles, and the right skill sets to apply to each product are problems.

    In addition, attacks are evolving and the software is evolving along with them. A product vendor may release some new features but the customer won't have the right skill set internally to understand them and apply them.

    But with a single-vendor situation like Microsoft, the SOC analyst has nowhere else to go. It is one XDR platform. All the policies, all the investigation, and everything they need to apply is right in one place. There are also more Microsoft-Certified resources in the market, people who are certified in all the Microsoft products. All of a sudden, my skill set problem is solved and there is no need to look at multiple consoles, and the silos of intelligence are also solved. All three pain points are resolved.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    Senior Cloud and Network Security Architect at a cloud provider with 51-200 employees
    Real User
    Comes with different playbooks you can execute with one click or program to run automatically in response to an incident
    Pros and Cons
    • "I've worked on most of the top SIEM solutions, and Sentinel has an edge in most areas. For example, it has built-in SOAR capabilities, allowing you to run playbooks automatically. Other vendors typically offer SOAR as a separate licensed solution or module, but you get it free with Sentinel. In-depth incident integration is available out of the box."
    • "We have been working with multiple customers, and every time we onboard a customer, we are missing an essential feature that surprisingly doesn't exist in Sentinel. We searched the forums and knowledge bases but couldn't find a solution. When you onboard new customers, you need to enable the data connectors. That part is easy, but you must create rules from scratch for every associated connector. You click "next," "next," "next," and it requires five clicks for each analytical rule. Imagine we have a customer with 150 rules."

    What is our primary use case?

    Sentinel is Microsoft's SIEM solution, similar to QRadar, Splunk, etc. It is the primary tool used by our Security Operations Center.

    How has it helped my organization?

    Sentinel enhances our visibility by integrating with on-prem and cloud log sources. It provides visibility into any cloud environment, including GCP and AWS, not just Azure. With Sentinel, we get end-to-end coverage of all types of infrastructure. Last week, I was talking to a client who already had a SIEM solution, and they had just deployed Sentinel through us. I asked them why they wanted Sentinel when they already have an MSP. They told me their SIEM solution doesn't cover the cloud, so there's clearly a gap. Sentinel covers on-premise and all the cloud providers. It has a highly flexible ingestion method. There are seven or eight ways to ingest.

    A lack of total visibility is a significant pain point for security analysts working on a SIEM solution. Furthermore, even if they have visibility, they might not be able to take remedial action because the company lacks a license or a separate SOAR solution. In that case, you need to have integration for each playbook. Sentinel addresses all of these issues out of the box. 

    The SOAR component of Sentinel can automate some routine tasks. Sentinel comes with around 180 different playbooks you can execute with one click. If you face a type of incident, you can run a specific playbook or automate it to run each time the incident is triggered. These automation features make our lives easier. Analysts have to do the same tasks over and over again. It's a nightmare that makes you want to give up sometimes. You are dealing with the same incidents many times daily for many MSPs and customers. The playbook is incredibly beneficial.

    It also reduces the number of dashboards we need to check, and you can create a custom dashboard. There are also several preset dashboards from Microsoft that are solution-specific. For example, if I'm using Defender for Office, it has a separate dashboard for Office that I can customize. I can also see everything from one console if I want. It's highly flexible.

    Sentinel saves time because you don't need to look at multiple SIEM solutions, like IBM, Splunk, AlienVault, McAfee, etc. You need to spend time deploying those solutions, and there's a learning curve, whereas Sentinel is cloud-native. You click "next," "next," and "next," and the whole solution is deployed in the cloud in five minutes. Other parts, like integration, are native. It takes only a click to integrate all the services. Sentinel has its own agent, so it's easy to deploy the agent and start collecting logs. Overall, Sentinel requires less effort than other solutions.

    It also saves us money because deployment costs less. Many SIEM solutions charge for the log forwarders deployed in the client's system. Sentinel is free. You have a VM in the cloud or on the client infrastructure, and there is just a script to turn that server into a log forwarder. 

    Sentinel speeds up our response, but I don't have any hard numbers. It depends on how well you have configured it. You can go to an incident and then click on each playbook in sequence, or it can be automated to run a playbook when an incident is triggered. You don't need to go into the interface and do anything.

    Sentinel proactively responds by detecting IOCs in our environment and automatically triggering an incident. The threat intelligence feed is typically based on IOCs, like malicious IP, UR, hostname, file hash, etc. However, real proactive response requires you to buy threat intel from different providers. Those companies provide you with information before an attack occurs anywhere. For example, there could be dark web forums where attackers discuss an attack on organization XYZ, and the threat intel provider informs us about that. That's an entirely different thing, but Microsoft has built-in rules for any threat intelligence matches. 

    What is most valuable?

    I've worked on most of the top SIEM solutions, and Sentinel has an edge in most areas. For example, it has built-in SOAR capabilities, allowing you to run playbooks automatically. Other vendors typically offer SOAR as a separate licensed solution or module, but you get it free with Sentinel. In-depth incident integration is available out of the box. 

    Having all these solutions built into a single platform is an advantage. Once any malware is detected, it only takes a single click to run the playbook, and it will do the desired actions. It may be blocking an IP address or isolating a machine. 

    The SOAR, UEBA, automated detection and response, and threat intelligence capabilities are comprehensive. I have 10-plus years of experience working with different SIEM solutions. This is the best by far. Everything is integrated, and there is so much flexibility, whether you're trying to customize ingestion or run custom playbooks.

    Sentinel performs well when searching a large amount of data, like two months of logs. Sentinel uses underlying big data and KQL, which is highly efficient in query performance. I also like Sentinel's user behavior analytics. UEBA is another solution vendors typically sell as a separate product, but it's included with Sentinel for free. It has integration with other multiple cloud platforms, whereas most vendors lack this capability. 

    When comparing visibility, we need to also compare at the company level. Microsoft doesn't only provide a security solution. They have a cloud platform with many services and security products that feed threat intelligence into Sentinel. There are many backend things that Microsoft does in cybersecurity. That is an added advantage that comes with this solution.

    The native integration with the vast Microsoft ecosystem is a huge advantage. Another good aspect about Sentinel is that you can integrate all the Microsoft technologies with one click using the backend APIs. It's a seamless process because Sentinel is a Microsoft-native solution. It doesn't take much effort to do the integration.

    We also use Defender for Endpoint, Defender for Cloud, and Azure firewall. Most of our customers already use some Microsoft services, so when we integrate their environments, we integrate Defender for Endpoint and Defender for Office 365. We also have Azure Activity, Azure Identity Protection, and many other solutions from Microsoft.

    Microsoft products can be integrated with one click. You check a box, and it integrates with that service on the backend. You only need to set the permissions only. Integrating third-party solutions requires the same effort that would be necessary for any other SIEM solution. 

    All the solutions work together seamlessly to protect our environment. For example, Defender for Endpoint detects threats on the endpoints, and you see the same alerts within Sentinel. If Defender for Office detects a malicious email, it feeds that incident to Sentinel. The whole ecosystem is integrated there.

    Sentinel ingests data from our entire environment. There are seven or eight ways to ingest data. You can install agents through LogStack or do it through APA calls. There are many ways to ingest everything that's required. We have had cases of custom applications running critical services for clients who wanted to ensure they were being monitored. 

    The out-of-the-box integration wasn't there, but other methods of ingesting the solution exist. We used one of the custom methods with LogStack, and we could use onboard these applications. Managed services need to have that kind of flexibility for product onboarding.

    What needs improvement?

    We have been working with multiple customers, and every time we onboard a customer, we are missing an essential feature that surprisingly doesn't exist in Sentinel. We searched the forums and knowledge bases but couldn't find a solution. When you onboard new customers, you need to enable the data connectors. That part is easy, but you must create rules from scratch for every associated connector. You click "next," "next," "next," and it requires five clicks for each analytical rule. Imagine we have a customer with 150 rules.

    It can be a nightmare. It would be much easier if Microsoft provided a way to select all the rules you need, and you can click once to create them. I went to multiple forums to find a way to automate this. Unfortunately, the best I can do is a semi-automated method. Half of them can be automated, but you must do the rest manually. 

    For now, we are doing it manually, and our DevOps team is assigned to do this. Some APIs could be used. We leverage the Azure Insights PowerShell module to do the automation part. Currently, the team is working on it, but I know from the discussion that the solution would only be semi-automated. We can't fully automate this because it simply lacks that capability. Many people in the Microsoft community have already requested this solution. Hopefully, Microsoft will implement this feature.

    These solutions provide comprehensive protection, but there is always room for improvement. For example, virus removal has 98 different antivirus engines associated. Still, if you are searching for a malicious IP address or a hostname, some solutions will pick it up, and others won't. It's okay overall. I wouldn't say it isn't good enough. It does what we need, but sometimes another solution does it better. It depends on who detects it first.

    For how long have I used the solution?

    I've been using Sentinel for nearly a year.

    What do I think about the stability of the solution?

    Sentinel is a cloud-based solution, so everything is handled by Microsoft. We haven't experienced any outages. With any on-premise solution, you will see downtime when there are problems or changes in the infrastructure.

    What do I think about the scalability of the solution?

    Sentinel is highly scalable. It's on the cloud, so we can scale up to any level. There are two models: pay-go and commitment tier. The commitment tier is there to help reduce costs. If you're a large organization with high volumes of data coming in, Microsoft recommends the commitment tier, which will save you 40-60%. Scalability isn't a problem.

    How are customer service and support?

    I rate Microsoft support nine out of 10. Within all Microsoft services, there is a link you can use to contact support and raise a ticket based on severity. If it's something that will impact business, they are available 24/7. Once we get a call from them, they follow up around the clock until it's closed. It isn't bad.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I've worked on Splunk, QRadar, LogRhythm, AlienVault, McAfee, Juniper STRM, etc. I started using Sentinel when I joined this company. We are Microsoft Gold partners. However, my feedback is neutral as an analyst. Compared to other solutions I've used, Microsoft is easier in terms of integration and deployment.

    What was our ROI?

    We've seen an ROI. Having used multiple SIEM solutions, I would recommend Microsoft Sentinel for the ROI, integration, cloud visibility, customization, etc. 

    What's my experience with pricing, setup cost, and licensing?

    The price is reasonable because Sentinel includes features like user behavior analytics and SOAR that are typically sold separately. Overall, a standalone on-prem solution would require some high-end servers at a different cost. It is a cloud-based solution, so there are backend cloud computing costs, but they are negligible. 

    The most significant cost factor is log ingestion. The best approach with any SIEM solution is only to ingest the necessary security-specific logs. You consume the EPS licenses, memory, bandwidth, and CPU. It doesn't make sense to forward and dump everything into any SIEM solution. If you are doing the architecture correctly, you send the right amount of logs.

    On top of that, Sentinel provides you with a workbook that tells you which log costs how much. You can optimize that part so it's cost-effective. Its dashboard offers clear graphs and charts, showing which log sources ingest the most logs, contributing to the cost. We can easily cut 40-60% of the price if we do appropriate fine-tuning. As long as you're doing the fine-tuning regularly, it's a highly cost-efficient solution.

    What other advice do I have?

    I rate Sentinel 10 out of 10. At the same time, I understand no solution is perfect. I've had multiple issues with SIEM solutions I've used previously. Sentinel is missing one minor feature that could be added eventually. I have no complaints about the core functionality.

    A large enterprise client contacted us about replacing Splunk with Sentinel, and their team wanted a side-by-side comparison. They're pretty new to SOC, and I've been in the field for a long time, so I told them that it's hard to do an apples-to-apples comparison. In many instances, you won't see much difference between the two, and Sentinel might beat Splunk in certain cases.

    However, the essential component they would be missing in the comparison is the ecosystem. Sentinel can leverage a huge ecosystem on the backend that Splunk or any other solution simply can't. Splunk specializes in SIEM, but Microsoft covers the full cybersecurity spectrum. When comparing solutions, customers should look at the whole ecosystem and not only product features. 

    A best-in-breed strategy works for some categories of security products. For example, it was an organizational policy that we would not purchase all of our firewall-related products from one vendor. However, SIEM only does detection based on the type of logs ingested. An organization might have firewalls from Cisco, Fortinet, and Juniper. At the end of the day, these three firewall brands are feeding the logs into one security solution, which is Sentinel. It's a single pane of glass that correlates all threats across your enterprise. It doesn't make sense to have multiple SIEM solutions.

    The only cases where it makes sense are in large enterprises like oil and gas. For example, they may have an IT environment and an OT environment. In the IT environment, they have one solution and a different solution in the OT environment. They are silos being managed by different teams. They may have separate budgets and decision-making processes. That's why they have different solutions. Other than that, I really don't see any reason for having two different SIEM solutions in place.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    Nitin Arora - PeerSpot reviewer
    Security Delivery Senior Analyst at Accenture
    Real User
    Top 20
    Gives us one place to investigate and respond to threats, and automation eliminates manual work
    Pros and Cons
    • "Another area where it is helping us is in creating a single dashboard for our environment. We can collect all the logs into a log analytics workset and run queries on top of it. We get all the results in the dashboard. Even a layman can understand this stuff. The way Microsoft presents it is really incredible."
    • "They can work on the EDR side of things... Every time we need to onboard these kinds of machines into the EDR, we need to do it with the help of Intune, to sync up the devices, and do the configuration. I'm looking for something on the EDR side that will reduce this kind of work."

    What is our primary use case?

    I'm using it as a SIEM solution. If I consider the leading clouds, especially Google and Amazon, so we don't have a dedicated SIEM solution available in either and we have to create a SIEM solution by using the native services of those clouds. But Microsoft Sentinel gives us an opportunity to use a direct SIEM solution. 

    I have clients from different regions and they already have environments on the cloud with various vendors, as well as on-prem. The problem they came to me with was that they wanted to secure their environments. They wanted to monitor all the vulnerability management, patches, and vulnerability scans in a single place. They have third-party data sources that they wanted to monitor things in a single dashboard. I suggested they use Microsoft Sentinel because it can integrate many third-party vendors into a single picture.

    Those are the kinds of scenarios in which I suggest that my clients use Microsoft Sentinel.

    How has it helped my organization?

    One thing that makes our work easier is that Sentinel enables you to investigate threats and respond from one place. We don't need to jump into different portals. We configure the rules there and we have the response plans as well as the recommendations from the Sentinel itself and, from there, we can take action. It saves time. That is a good and really important feature.

    Working with Sentinel, trust is something we have gained. My company is a consulting firm and we have multiple clients in different regions. We have Australian clients and have to deal with Australian policies, as well as in India where there are different kinds of government policies. With all these policies that our clients have to accommodate, when we deploy Sentinel, the trust we are gaining from them is good.

    We are also able to optimize costs, have stability, and an improved work culture by using Sentinel.

    Another benefit is the automation of routine functions, like the creation of incidents. Our SOC doesn't need to create incidents manually. We have playbooks to automate things. That saves time on a daily basis.

    A monotonous job was the need to send an email to an affected user to tell them to take an action because their third-party tool was something we didn't have access to. For example, we do not have visibility into the portal of Palo Alto, CyberArk, or Zscaler. My team's job in that situation was to send an email for every alert to tell someone to take action. Now, they don't need to waste their time. With automation, we can create a playbook for that. When an alert is generated, it automatically triggers the affected user to take action accordingly. In the time we have saved, my team has been able to learn and customize KQL queries and enhance their KQL skills.

    Another area where it is helping us is in creating a single dashboard for our environment. We can collect all the logs into a log analytics workset and run queries on top of it. We get all the results in the dashboard. Even a layman can understand this stuff. The way Microsoft presents it is really incredible. We can download that dashboard or a report from the dashboard and present it in a team meeting. That is really useful.

    Overall, per week, Sentinel saves us 40 to 45 hours, per person. We have a team of 20 people who log in to Sentinel and each of those people is saving something like 40 to 45 hours by using it. In that time we can work on different technologies. It has also definitely decreased our time to detection by 80 percent.

    What is most valuable?

    The most amazing aspect of Microsoft Sentinel is the daily upgrading of the product. They have third-party connectors that their people are enhancing on a daily basis. That is what I like about the product. Their people are not sitting idly and saying, "Okay, we have created the product, now just use it." It's nothing like that. They are continuously working on it to make it number one in the market.

    It also has a playbook feature so that we can do automation in Sentinel itself, based on the data sources and the logs that we are receiving. That means we don't need to do manual stuff again and again.

    Using Sentinel, we can collect all the logs of third-party vendors and use them to analyze what kinds of scenarios are going on in the environment. On top of that, we can create analytics rules to monitor the environment and take action accordingly if there is a suspicious or malicious event.

    Something else that is great is the visibility into threats. We have an AI feature enabled in Sentinel and that gives us great visibility into the data sources we have integrated. And for data sources that we don't have integrated, we have a Zero Trust feature and we get great visibility into the threat log. Visibility-wise, Sentinel is fantastic.

    The ingestion of data from our entire environment is very important to our security operations. We have clients in insurance and multiple firms that deal with taxation, and we need to do an audit yearly. To do that, we need the data from the whole environment to be ingested into the workspace.

    What needs improvement?

    They can work on the EDR side of things. It is already really superb, because of the kinds of features we get with the EDR solution. It's not a standard EDR and they have recently enhanced things. But the problem is with onboarding devices. I have different OS flavors, including a large number of Linux, Windows, macOS, and some on-prem machines as well.

    Every time we need to onboard these kinds of machines into the EDR, we need to do it with the help of Intune, to sync up the devices, and do the configuration. I'm looking for something on the EDR side that will reduce this kind of work. They can eliminate having to do manual configuration for the machines, and check the different types of configurations for each OS. In some cases, it does not support some OSs. If they could reduce this type of work, that would be really amazing.

    For how long have I used the solution?

    I have been using this product for the last three and a half years.

    What do I think about the stability of the solution?

    It is reliable. I would rate it a nine out of 10 for performance and reliability.

    What do I think about the scalability of the solution?

    The scalability is also a nine out of 10.

    We have the solution in different locations and regions. Most of my clients are in Singapore, Australia, and India and we have some European clients as well. On average, our clients have 2,200 employees.

    How are customer service and support?

    Most of the time, their technical support is very good and very supportive. But sometimes we feel that they don't want to help us. Recently, we had a major issue and we tried to involve a Microsoft engineer. I felt he was not aware of the things we were asking for. 

    I said, "That machine is hosted on Microsoft Azure and you and people are managing that stuff, so you need to know that machine inside and out." He said, "No, the configuration and integration parts, in the machine itself, is something I'm not aware of. You people did this, and you need to take care of it." I told him that the challenge we were facing was with the configuration and we do not get those kinds of logs. I suggested he engage some Linux OS expertise for this call, but he said, "No, we don't have a Linux OS expert."

    Sometimes we face this kind of challenge, but most of the time their people are very helpful.

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    It is a very simple process to integrate things. On a scale of one to 10, where 10 is "easy," I would rate it at nine. We have a team that takes part with me in the implementation and we divide the work.

    And we don't need to worry too much about maintenance. Microsoft takes care of that part.

    What about the implementation team?

    We do it all in-house.

    What's my experience with pricing, setup cost, and licensing?

    Microsoft can enhance the licensing side. I feel there is confusion sometimes. They should have a list of features when we opt for Microsoft Sentinel. They should have a single license in which we have the opportunity to use the EDR or CASB solution. Right now, for Sentinel, we have to pay for a license for something in the Azure portal. Then, if we want to work with CASB, we need to buy a different license. And if we want to go for EDR, we need to buy another license. They do provide a type of comparison with a combo of licenses, but I feel very confused sometimes about subscriptions and licensing.

    Also, sometimes it's quite tough to reach them when we need a license. We have to wait for some time. When we drop an email to contact them, it is at least 24 until they reply. They should be able to get back to us in one hour or even 30 minutes. They do have a premium feature where, within one or two hours, they are bound to respond to a query. But with licensing, sometimes this is a challenge. They don't respond on time.

    Which other solutions did I evaluate?

    If I compare Sentinel with standalone SIEM and SOAR solutions when it comes to cost, Sentinel is good. It is really cheap but that does not mean it compromises on features, ease of use, or flexibility, compared to what the other vendors are providing. When I look at other similar solutions, like Splunk, QRadar, and ArcSight, they are charging more than Microsoft, but ultimately they are not giving us the features that Microsoft is offering us.

    Sentinel is far better than these other solutions. I have worked with Splunk in the past and many of my colleagues are working in the QRadar as well. When I talk to them, and when I compare the features, these solutions are not at all near to Microsoft Sentinel.

    So while we do create a type of SIEM solution in other platforms in the cloud, using the native services, Microsoft gives us a direct solution at a very reasonable rate. They are charging less money, but they will never compromise the quality or the features. Microsoft is updating Sentinel on a regular basis. If I look at Sentinel three and a half years back, and the Sentinel of today, the difference is really unbelievable.

    As part of our consulting team, I have never suggested that someone go for a third-party solution. Some of my clients have a whole environment on AWS and GCP and they have said, "Can we create some kind of SIEM solution for my cloud by using something we have in Microsoft?" I give them a comparison between using the native services and Microsoft Sentinel. The main point I tell them is about the cost. They are convinced and say, "Okay, if we get those kinds of features at that cost, we are good to go with the Microsoft Sentinel." And they don't need to migrate their whole environment into Sentinel or Microsoft Azure. They can continue to use whatever they are using. We can onboard their logs into Sentinel and, on top of that, create use cases and dashboards, and they can monitor things.

    What other advice do I have?

    Microsoft is proactive in helping you be ready for potential threats, but I'm not involved in that part. It's something my counterpart takes care of. But I have heard from them that it is proactive.

    We also use Microsoft's CASB solution, Microsoft Defender for Cloud, and Defender for Endpoint. There is some complexity when it comes to integration of Defender for Endpoint. This is the feedback I have submitted to Microsoft. When we do the integration of Defender for Endpoint, we have more than 12,000 machines, with different OSs. Onboarding all those machines into the environment is a challenge because of the large number of machines.

    Although it's not creating any kind of mess, compared with Sentinel or the CASB product, Defender for Endpoint is something Microsoft can work on to create an option where we don't need to onboard all these machines into Intune and then into Defender for Endpoint. If that step can be omitted, Defender for Point will also be a good solution because it is also working on an AI basis.

    These Microsoft products do work together to deliver coordinated detection and response. We simultaneously get the benefits of all these products.

    We are also using Microsoft Defender for Cloud to see the security posture of our environment and it also has some great features. It helps us understand vulnerability issues and, on the top of that, we get recommendations for resolving those issues. The security posture is based on the policies it has, as well as third-party CIS benchmarks that people are using in the backend to provide the recommendations. It's good.

    We have created an automation rule, but not directly using Defender for Cloud's bi-directional feature. The automation we have created is logic using a bidirectional aspect for Sentinel incidents. When we get incidents in Sentinel, we can trigger those same incidents in ServiceNow as well. We have a SOC team that manages our incident response plan and ServiceNow. Once they take an action in ServiceNow, they don't need to go to Microsoft Sentinel again and take action on the incident. It will automatically reflect the action they have taken.

    Between best-of-breed versus a single vendor for security, Microsoft is on top. They are continuously enhancing their product and other cloud platforms don't have a direct SIEM solution. We need to customize other solutions every time if we want to opt for another cloud vendor. This is the advantage of Microsoft Sentinel at this point in time.

    I would recommend Microsoft Sentinel to anybody.

    I and my colleagues feel that Microsoft Sentinel is the number-one product for anyone considering something similar. We have other tools as well, but none compare with Sentinel.

    Disclosure: My company has a business relationship with this vendor other than being a customer: MSSP
    Flag as inappropriate
    PeerSpot user
    AidanMcLaughlin - PeerSpot reviewer
    SIEM Engineer at a tech services company with 501-1,000 employees
    Real User
    Top 20
    Enables us to monitor many different environments for cybersecurity incidents, and we use it as our main alerting tool to let us know when this activity happens
    Pros and Cons
    • "The automation rules and playbooks are the most useful that I've seen. A number of other places segregate the automation and playbook as separate tools, whereas Microsoft is a SIEM and SOAR tool in one."
    • "Documentation is the main thing that could be improved. In terms of product usage, the documentation is pretty good, but I'd like a lot more documentation on Kusto Query Language."

    What is our primary use case?

    We use Microsoft Sentinel to monitor many different environments for cybersecurity incidents, and we use it as our main alerting tool to let us know when this activity happens. It also interfaces with all of our other Defender products, such as Defender for Office 365, Defender for Endpoint, et cetera.

    Almost all of our solutions are based in Azure. We use Defender for Endpoint, Defender for Office 365, Defender for cloud, Sentinel, and Azure Active Directory Identity Protection.

    I use the latest version of Sentinel.

    Sentinel is mostly used within our security operations center and our security team. We have about 50 endpoint users.

    How has it helped my organization?

    The backbone of our organization is built on Microsoft Sentinel, its abilities, and the abilities of our Defender stack. Ideally, we'd have more data, but a lot of data and functionality are in one place. The Lighthouse feature is outside Sentinel, but it allows us to have multiple environments integrated into one and to access lots of different Sentinel environments through that. It's very easy to manage a security workload with Sentinel. 

    I would like to see better integration with CICD. It should be easier to use GitHub, Jenkins, or whatever our code management stack looks like. Whether or not you use Azure DevOps, being able to manage the code you have is fairly important.

    Since using Sentinel, we've experienced a faster response time and easier development features. There aren't as many hurdles to moving a configuration.

    I'm not sure how long it took to realize the benefits because it was deployed before my time here. It took me about three months to get familiar with what Sentinel has to offer and how we could leverage it, so it will be about three months before you start getting proper value from it.

    There are still elements of Sentinel that I haven't used to their fullest potential, like the Jupyter Notebooks and internet hunting queries.

    The solution is good at automating routine tasks and alleviating the burden for analysts.

    Automation has moderately affected our security operations, although there is scope for it to significantly affect SecOps. There is definitely the capability for Sentinel to do pretty much all of your first-line response, which would be a significant improvement. It's a moderate effect because we only use automation in a few areas.

    There are a few different dashboards for each of the Microsoft tools. We have a dashboard for Defender, one for Sentinel, and one for Active Directory Identity Protection. It consolidated alerts in some aspects, but a lot of information is still scattered.

    It's fairly good for being reactive and responding to threats and looking for indicators of compromise. Overall, it helped us prepare for potential threats before they hit.

    Sentinel saves us time. The automation feature especially saves us time because we can automate a lot of menial tasks. If other businesses could do that, it would eliminate a lot of their first-line response.

    Sentinel saves us about 20 hours per week, which is the equivalent of a part-time staff member.

    It saved us money. It's a very cost-efficient SIEM to use and still provides a good level of coverage despite that. 

    Sentinel saved us about 50% of the cost of Splunk. It decreased our time to detect and respond by about 10-15%.

    What is most valuable?

    The automation rules and playbooks are the most useful that I've seen. A number of other places segregate the automation and playbook as separate tools, whereas Microsoft is a SIEM and SOAR tool in one.

    It provides us with very high visibility. It allows us to see a lot holistically across our environment in Azure. It integrates very well with other products like Defender.

    It helps us prioritize threats across our enterprise. There are many things we can do to deal with prioritizing threats, such as having automation rules that automatically raise the priority of certain incidents. We're also able to make changes to the rule sets themselves and say, "I believe this to be a higher priority than is listed in the tool."

    Prioritization is probably the most important thing to us because as an organization, we have a number of threats coming in at any moment, and each of them has its own valid investigation path. We need to know which ones are business critical and which ones need to be investigated and either ruled out or remediated as soon as possible. Prioritizing what to work on first is the biggest thing for us.

    If you have the right licenses and access to all the products, it's fairly easy to integrate these products into Sentinel. Sometimes they don't pull as much information as possible, and I've noticed that there is a cross-functional issue where these tools will flag and alert themselves.

    We can have it configured to create an alert in Microsoft Sentinel, but sometimes it doesn't create a bridge between them. When we finish our investigation and close the ticket on Sentinel, it sometimes doesn't go back to the tool and update that. That's the only issue that I have found with the integration. Everything else is straightforward and works well.

    The solutions work natively together to deliver coordinated detection responses across our environment. It's probably one of the better-engineered suites. In other places, I've experienced an endpoint detection and response system that's completely different: proprietary coupled with a proprietary and different SIEM tool or maybe a different sort of tool. They are individual tools, and it can sometimes feel like they're engineered differently, but at the same time, they integrate better than anything else on the market as a suite of tools.

    These solutions provide pretty comprehensive threat protection. A lot of them are technology agnostic, so you can have endpoints on Linux and Mac OS. It's pretty comprehensive. There's always a little oversight in any security program where you have to balance the cost of monitoring everything with the risk of having some stuff unmonitored, but that's probably an issue outside of this tool.

    It enables us to ingest data from our entire ecosystem. It's difficult to ingest non-native data. It's not as easy as in Splunk because Splunk is probably the leading SIEM tool. If you have a native tool that's out of the Microsoft security stack, you can bring it into Sentinel and have an alert on it.

    This ingestion of data is vital for our security operations. It's the driver behind everything we do. We can do threat hunting, but if we don't have logs or data to run queries, then we're pretty much blind. I've worked in places where compliance and regulatory adherence are paramount and having logs, log retention, and evidence of these capabilities is extremely important. One of the more vital things that our organization needs to operate well, is good data.

    A lot of the alerts come in from other tools, so sometimes we have to actually use that tool to get the proper information. For example, if we get an alert through Defender for Office 365, to actually see an offending email or attachment or something like that, we have to go into the Defender console and dig that out, which is inconvenient. As an aggregator, it's not bad compared to the other solutions on the market. In an ideal scenario, having more information pulled through in the alerts would be an improvement.

    A lot of Sentinel's data is pretty comprehensive. The overarching theme with Sentinel is that it's trying to be a lot of things in one. For a UEBA tool, people will usually have separate tools in their SIEM to do this, or they'll have to build their own complete framework from scratch. Already having it in Sentinel is pretty good, but I think it's just a maturity thing. Over the next few years, as these features get more fleshed out, they will get better and more usable. At the moment, it's a bit difficult to justify dropping a Microsoft-trained UEBA algorithm in an environment where it doesn't have too much information. It's good for information purposes and alerting, but we can't do a lot of automation or remediation on it straight away.

    What needs improvement?

    Although the integrations are good, it can sometimes be information overload. A number of the technologies run proprietary Microsoft algorithms, like machine learning algorithms and detection algorithms, as well as having out-of-the-box SIEM content developed by Microsoft. As an engineer that focuses on threat detection, it can sometimes be hard to see where all of the detections are coming from. Although the integrations are good, it can sometimes be information overload.

    Documentation is the main thing that could be improved. In terms of product usage, the documentation is pretty good, but I'd like a lot more documentation on Kusto Query Language. They could replicate what Splunk has in terms of their query language documentation. Every operator and sub-operator has its own page. It really explains a lot about how to use the operators, what they're good for, and what they're not good for in terms of optimizing CPU usage.

    In Splunk, I would like to see some more advanced visualization. There are only some basic ones in Sentinel.

    For how long have I used the solution?

    I've been using Microsoft Sentinel for about one year, but more heavily over the past five months.

    What do I think about the stability of the solution?

    It's pretty stable. We don't have any performance or capacity issues with it.

    What do I think about the scalability of the solution?

    It's scalable when using solutions like Lighthouse.

    How are customer service and support?

    I haven't needed to use technical support yet, but the documentation in the community is very good.

    Which solution did I use previously and why did I switch?

    I previously used Splunk. The move to Sentinel was definitely cost-based. A lot of people are moving away from Splunk to a more cost-effective SIEM like Sentinel. We also chose Sentinel because of the ease of maintenance. Splunk's enterprise security has some good queries out of the box, but if I were a small organization, I would use Sentinel because it has more out-of-the-box features.

    How was the initial setup?

    The log collection facilities must be maintained. Maintaining the solution requires a team of fewer than five people. It mainly involves ensuring that the rules are up to date, the connectors and log collection mechanisms are working correctly, and that they're up to date. It also involves ensuring that the right rules are deployed and the automation rules are in place.

    What was our ROI?

    Our ROI is 50% over and above what we spend on it in terms of what we can get back from Microsoft Sentinel, everything we use it for, and the time we save.

    What's my experience with pricing, setup cost, and licensing?

    Some of the licensing models can be a little bit difficult to understand and confusing at times, but overall it's a reasonable licensing model compared to some other SIEMs that charge you a lot per data.

    There are additional fees for things like data usage and CPU cycles. When you're developing queries or working on queries, make sure that they're optimized so you don't use as much CPU when they run.

    Which other solutions did I evaluate?

    We spoke with Google about Chronicle Backstory. It looks pretty powerful, but it wasn't mature enough for what we were looking for at that time.

    The only other real standalone solution I've had a good experience with is Splunk and Splunk Phantom. In terms of cost, it's astronomically different. Microsoft Sentinel can sometimes be expensive depending on how many logs you're taking, but it will never be in the same realm as Splunk. Sentinel is easy to use, but Splunk is so expensive because it's very easy to use.

    Microsoft Sentinel is a better SOAR solution than Phantom. Phantom has good integrations, but it isn't really built for custom scripting. If you're going to be paying more, you would expect that to be better. Sentinel is better in that aspect. Sentinel's cost-effectiveness blows a lot of other solutions out of the water, especially if you're already in Azure and you can leverage some relationships to bring that cost down.

    What other advice do I have?

    I would rate this solution eight out of ten. It's heading in the right direction, but it's already pretty good and mature.

    If a security colleague said it's better to go with the best-of-breed strategy rather than a single vendor security suite, I would understand that completely. Some people see tying yourself into a single vendor as a vulnerability. It's not quite spread out, but I think you can manage a single vendor security solution if you have a good relationship with the vendor and you really leverage your connections within that business.

    It's good to diversify your products and make sure that you have a suite of products available from different companies and that you use the best that's available. In terms of this technology stack, it's pretty good for what it does.

    My advice is to really focus on what's possible and what you could do with the SIEM. There are a lot of features that don't get used and maximized for their purpose from day one. It takes a couple of months to properly deploy the solution to full maturity.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Cyber Security Engineer at a retailer with 10,001+ employees
    Real User
    It helps us automate routine tasks and findings of high-value alerts from a detection perspective
    Pros and Cons
    • "The native integration of the Microsoft security solution has been essential because it helps reduce some false positives, especially with some of the impossible travel rules that may be configured in Microsoft 365. For some organizations, that might be benign because they're using VPNs, etc."
    • "Sentinel could improve its ticketing and management. A few customers I have worked with liked to take the data created in Sentinel. You can make some basic efforts around that, but the customers wanted to push it to a third-party system so they could set up a proper ticketing management system, like ServiceNow, Jira, etc."

    What is our primary use case?

    We're a managed security service provider using Sentinel for its primary SIEM capability. Our company looks after multiple Sentinel instances for a variety of customers. However, we don't do anything through Lighthouse because every customer we monitor wants everything in their own tenant space. 

    The company ensures suitable detections are created and loaded into the Sentinel side, and we provide them with KQL to help them with some in-house use cases with a security focus. We also made some dashboards so they could visualize their data and what their issues would look like. We adopt different deployment models depending on the customer. It's usually a public cloud or hybrid in some instances.

    We work with a few Microsoft products, but it's mostly the Defender for Cloud Suite, including Defender for Endpoint and Defender for Cloud. It's undergone a rebrand from the Cloud Application Security side. We also use Azure Active Directory, Microsoft Cloud Security, and several other Azure and Office 365 applications.

    How has it helped my organization?

    Sentinel made it easier to put everything into one place instead of checking multiple tools, especially when working with Microsoft shops. They focus a lot of the efforts on the Sentinel side, so the data is being correctly pushed across and easily integrated with third-party capabilities. Palo Alto and Cisco feeds can work almost side by side with the native Microsoft feeds seamlessly.

    Sentinel helps us automate routine tasks and findings of high-value alerts from a detection perspective. Still, I haven't made much use of the SOAR capabilities with the Logic Apps side of things because of the cost associated with them, especially at volume from an enterprise environment. It was felt that using those features might push some of the usage costs up a bit. We thought it was more of a nice-to-have than something essential for the core services we wanted to leverage. We avoided using that again, but it was more of a cost issue than anything. 

    Instead of having to look at dashboards from multiple parties, we have one place to go to find all the information we want to know. This consolidation has simplified our security operations. 

    Usually, it isn't good to have all your eggs in one basket. However, with Azure replicating across the data center, it's better to have all your eggs in one basket to effectively leverage the raw data that would typically be going into multiple other tools. Having everything in one place allows a nice, clear, concise view if you want to see all your network data, which you can do easily with Sentinel.

    Some of the UEBA features helped us identify abnormal behaviors and challenge users to ensure it's undertaking particular activities. You can isolate accounts that may have been compromised a bit quicker.

    Sentinel reduced implementation time and sped up our response. I can't give a precise figure for how much time we've saved. Onboarding an Azure feed to a third-party SIEM system might take a couple of days or weeks to get the relevant accounts, etc., in place. Onboarding is a matter of minutes with Sentinel if it's a Microsoft feed. Having everything in one place makes our response a little quicker and easier. The KQL can be easily transferred to support the threat-hunting side because all the information is just there.

    Our threat visibility also improved. Sentinel changed a lot since I started using it. It's like a whole new product, especially with the tighter integrations on the Defender for Cloud. For customers heavily reliant on Microsoft and Azure, it's much cleaner and more accessible than logging in to multiple tools. 

    I think some of the two-way integrations started to come through for the Defender for Cloud suite as well, so whenever you closed off notifications and threats, et cetera, that were being flagged up in Sentinel, it replicated that information further back to the source products as well, which I thought was a very nifty feature.

    It helps us prioritize threats, especially with the way that the various signatures and alerts are deployed. You can flag priority values, and we leveraged Sentinel's capabilities to dynamically read values coming through from other threat vendors. We could assign similar alerts and incidents being created off the back of that. It was good at enabling that customizability.

    The ability to prioritize threats is crucial because every business wants to treat threats differently. One organization might want to prioritize specific threats or signatures more than another customer based on how they've structured and layered their defense. It's useful from that perspective.

    The native integration of the Microsoft Security solution has been essential because it helps reduce some false positives, especially with some of the impossible travel rules that may be configured in Microsoft 365. For some organizations, that might be benign because they use VPNs, etc.

    What is most valuable?

    Sentinel lets you ingest data from your entire ecosystem. When I started using it, there wasn't a third-party ingestion capability. We could get around that using Logstash. It was straightforward. The integration with the event hub side allowed us to bring in some stuff from other places and export some logs from Sentinel into Azure Data Explorer when we had legal requirements to retain logs longer. 

    I've used  UEBA and the threat intel, which are about what I expect from those sorts of products, especially the threat intel. I like how the UEBA natively links to some Active Directory servers. It's excellent. Integration with the broader Microsoft infrastructure is painless if your account has the correct permissions. It was just ticking a box. It's clear from the connector screen what you need to do to integrate it.

    The integration of all these solutions helped because they all feed into the same place. We can customize and monitor some of the alert data from these various products to create other derivative detections. It's like an alert for our alerts.  

    For example, we could look at a particular user IP or similar entity attribute and set an alert if they've met specific conditions. If there are more than a given number of alerts from different products, we treat that as a higher priority. It's beneficial for that.

    What needs improvement?

    Sentinel could improve its ticketing and management. A few customers I have worked with liked to take the data created in Sentinel. You can make some basic efforts around that, but the customers wanted to push it to a third-party system so they could set up a proper ticketing management system, like ServiceNow, Jira, etc.  

    It would be helpful for incident responders to be able to assign tickets and have permissions assigned to them. Once you have escalated tickets from Level 1 to Level 2, there may be areas where you want to control who has access to the raw Sentinel tool. 

    For how long have I used the solution?

    I started using Sentinel in July of last year.

    What do I think about the stability of the solution?

    Sentinel's stability is great. We only had one outage for a couple of hours, but that was a global Azure issue. 

    What do I think about the scalability of the solution?

    I think I've not had to worry too much about the scaling. It seems to be able to handle whatever has been thrown at it. I assume that's part of the SaaS piece that Sentinel falls under. Microsoft will worry about what's happening behind the scenes and spin up whatever resources are needed to make sure it can do what it needs to do.

    How are customer service and support?

    I rate Microsoft support a ten out of ten. We had a few issues with certain filters working with some connectors. There were problems with certain bits of data being truncated and potentially lost. I spoke to some people from the Israeli team. They responded quickly and tried to be as helpful as they could. 

    Support made a solid effort to understand the problem and resolve it. They maintained regular communications and provided reassurance that they were sorting out the problems.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I used Elasticsearch, Kibana, and Splunk. We switched to Sentinel because of the ease of use and integration. Microsoft infrastructure forms the backbone of our environment. We use Azure for hosting, Active Directory for user accounts, and Office 365 for communications and data storage. 

    Sentinel made a lot of sense, especially given our difficulties getting our data onboarded into the Elasticsearch stack. We saw similar challenges with Splunk. Sentinel works natively with Microsoft, but we've still had some pain points with some of the data sources and feeds. I think that's just more about how the data has been structured, and I believe some of those issues have been rectified since they've been flagged with Microsoft support.

    At the same time, Sentinel is a little more costly than Splunk and the Elasticsearch stack. However, it's easier to manage Sentinel and get it up and running. That's where a cost-benefit analysis comes in. You're paying more because it's easier to integrate with your environment than some of the other providers, but I'd say it is a little on the costly side.

    How was the initial setup?

    I've spun up my instance of Sentinel for development purposes at home, and it was quick and easy to get through. The documentation was thorough. From the Azure portal, you click Sentinel to ensure all the prerequisites and dependencies are up and running. On the connector side, it's just a matter of onboarding the data. It's straightforward as long as you have the correct permissions in place.

    Deployment requires two or three people at most. You probably don't even need that many. Two of the three were just shadowing to get experience, so they could run with their deployments.

    It doesn't require much maintenance. Microsoft does a great job of building a SaaS solution. Any problems in the region where Sentinel is hosted are visible on the Azure portal. Once the initial configuration and data sources are deployed, it takes minimal upkeep.

    What about the implementation team?

    The deployment was done in-house.

    What was our ROI?

    It's hard to say whether Sentinel saved us money because you only know the cost of a breach after the fact. We'll probably spend more on Sentinel than other products, but hopefully, we'll see a return by identifying and remediating threats before they've become an actual cost for our clients. 

    Sentinel has made it a little easier to get the initial Level 1 analysts onboarded because they don't need to know how to use, say, Palo Alto's Panorama. They can focus their efforts on one query language that enables them to go across multiple different vendors, products, and tools. It's quicker for a Level 1 analyst to get up to speed and become useful if they don't need to learn five or six different ways to query various technologies.

    What's my experience with pricing, setup cost, and licensing?

    Sentinel's pricing is on the higher side, but you can get a discount if you can predict your usage. You have to pay ingestion and storage fees. There are also fees for Logic Apps and particular features. It seems heavily focused on microtransactions, but they may be slightly optional. By contrast, Splunk requires no additional fee for their equivalent of Logic. You have a little more flexibility, but Sentinel's costs add up. 

    What other advice do I have?

    I rate Sentinel an eight out of ten. My only issue is the cost. I would recommend Sentinel, but it depends on what you want to get from your investment. I've seen Sentinel deployed in everything from nonprofits to global enterprises. With multiple vendors, you're more at risk of causing analyst fatigue.

    Microsoft has done a great job of integrating everything into one place. The setup and configuration of Azure's general hosting environments reduce the risk. Most services are on the cloud, so Sentinel makes it much quicker and easier to get up and running. You don't need to worry about training and getting multiple certifications to have an effective SOC.

    I recommend sticking with Sentinel and putting in as many data sources as you can afford. Put it through its paces based on a defense-in-depth model. Take advantage of all the information Microsoft and others have made available in places like GitHub, where there is a vast repository of valuable detections that can be tweaked depending on your environment.

    It makes it a lot easier to get started. Many people approaching security with a blank canvas aren't sure where to go. There are a lot of valuable resources and information available.

    Disclosure: My company has a business relationship with this vendor other than being a customer: MSSP
    Flag as inappropriate
    PeerSpot user
    Associate Manager at a tech services company with 10,001+ employees
    Real User
    Easy to manage with good automation and machine learning capabilities
    Pros and Cons
    • "The machine learning and artificial intelligence on offer are great."
    • "Azure Sentinel will be directly competing with tools such as Splunk or Qradar. These are very established kinds of a product that have been around for the last seven, eight years or more."

    What is our primary use case?

    Sentinel is a solution called SIEM - security information event management. It's for monitoring an entire organization from a security point of view. Along with the monitoring, what happens in the SIEM is you have to raise incidents. If there are any kind of security issues or breaches or people are trying to get into the system, you have to raise an incident ticket. You collect the event information from the systems. You'll be able to see if it's, for example, a machine or account, or an active directory outage. You can process that information using machine learning AI, and then raise incidents. It's basically helping a security operations center team (SOC). With the help of Azure Sentinel, we can build a SOC.

    There are plenty of use cases. You have to cover your entire security environment. For example, a brute force attack against your Azure Portal. If someone is trying to guess your password, you will see the incident. When somebody puts four, five wrong passwords, and then a correct password, it could mean someone is trying to guess your password and you would see that. Basically, there are a lot of use cases, however, all of them revolve around monitoring security. Whenever something happens, we should get alerted or we can proactively assess our environment.

    With Sentinel, you can also do the hunting. It'll try to identify if your environment is compromised with any kind of attack. In most cases, it'll try to protect your organization before this attack can happen. If somebody is trying to snoop in your environment, we can track him. Or if somebody is trying to guess your password, we can protect the password. If somebody is injecting the malware, we can identify and protect the organization.

    How has it helped my organization?

    The solution has improved functionality as most of the organization will be in the cloud. If an organization is already on the Azure cloud, then they don't have to go for any other solution for the SIEM. They can easily integrate Sentinel. Most of us are on the Microsoft products, so it's very easy to deploy this with the Microsoft products as well as to the other products. 

    What is most valuable?

    In terms of Sentinel, it's a best-in-class solution. The SIEM solution is hosted in the cloud. When you compare it with the other tools, the on-premises tools may not be that great.

    The best piece about it is when it comes to the traditional SIEM solutions, it's very hard to manage them. First of all, licensing will be there. Then you need to manage underlying infrastructure as well. You also need a big setup. All these things aren't necessary with Sentinel due to the fact that it's on the cloud. You just get a cloud subscription and do a pay-as-you-go model.

    The machine learning and artificial intelligence on offer are great. These are the things that happen in the background that we do not see. Whenever you have an incident, it will provide you with all the options so that you can drill down. For example, I have identified one incident where somebody was trying to do a brute-force attack. When this incident was generated, I had a lot of data with which I could start to investigate things.

    It provides the best-in-class hunting capabilities. It's very easy to write the hunting logic. You have to write some searching queries. It's very easy to write those all queries and identify the test.

    It'll give you the capabilities of automation. Azure is not only about security or infrastructure. It has a lot of programming features, functions, logic apps, and automation. You can easily integrate. If you can do a little bit more programming, then you can integrate it with functions or automation, or anything else.

    There is a different tool for security postures. That's called Azure Security Center. From November, it's going to be called Azure Defender. This tool does not do posture management, however, it can integrate with Azure Security Center. There is also this XDR tool, Microsoft Defender. It can easily integrate it. Once you set up the integration between these tools, then you will have the advantage of both the tools. You will have a unified ticketing system where you can view the alerts from XDR and you can view the alerts from the posture management and from the SIEM.

    What needs improvement?

    Every month there are new features in Sentinel and the tools are stable. All the features and functionality that those tools provide are slowly coming to the Azure Sentinel as well. So it's improving a lot day by day. 

    Initially, we had the data connector that could bring the data from any of the platforms that we wanted to monitor. Now, Microsoft has improved the solutions and they're providing a lot of options. While you can (and now have) almost all the functionalities that are needed for SIEM capabilities, it's still adapting to new things as well. 

    Azure Sentinel will be directly competing with tools such as Splunk or Qradar. These are very established kinds of a product that have been around for the last seven, eight years or more. They have a lot of good things going for them and are slightly ahead of Microsoft, which is new to the game. However, Microsoft is adapting. Microsoft keeps working on its solutions and offers feature request platforms as well. We have given them a lot of feedback in terms of some customizations - and they keep adding to it. There are a lot of new things that are in the pipeline. In the next four to six months, we will see more new features which will further enhance the existing tools.

    For example, there were some custom fields that were missing. We wanted to do mapping of the custom fields and this capability wasn't there in the Sentinel. However, when we requested it they implemented it.

    For how long have I used the solution?

    I have been on Sentinel for the last two to two and a half years. Initially, I was just doing it for my own self-interest, however, for the last one and a half years, it's been more of a professional relationship and I've been working with it for customers.

    What do I think about the stability of the solution?

    The solution is quite stable. I have not seen any downtime so far. It is working for customers as well. It's good. It's on a cloud and therefore we need not worry about maintaining the databases or maintaining the platforms, or wherever the data is stored. It's all Microsoft's responsibility.

    What do I think about the scalability of the solution?

    The scalability is a unique selling proposition for Sentinel. Due to the fact that it's on the cloud, you can scale it up to any limit. Of course, you have to pay for whatever data you are storing. As compared to an on-premises tool the sometimes they may fail to scale, however, this is great. You don't have to bring up a lot of hardware with Sentinel. 

    This solution is being used quite extensively right now.

    Whether or not the usage will increase depends on the pricing that comes up the more you use it. We have to pay for whatever data, telemetry, that gets into the Sentinel. For example, let's say today I collected 1GB of data, tomorrow I'm going to collect 5GB of data. Microsoft can easily hold this, however, then they also provide you with some kind of plans. You can reserve the space. You can say "I will use 100GB of data per month." Microsoft will give you a discount and you have to pay for the reserved 100GB. It is a pay-as-you-go model.

    The solution is used by the development team, which sets it up, and then by the SOC team, which takes over and starts monitoring for security incidents.

    How are customer service and support?

    Technical support depends on what kind of agreement you have with Microsoft. If you are a premier customer, under the top 100, then they can provide you with some direct connection with the Microsoft program managers. You can have a conversation with them once every two weeks. If you are not in the premier tier, if you are just directly buying it from Azure, then technical support, again, depends. There are two types of technical service. One is the professional and the second one is the premier. Premier support is good. Obviously, you will be paying extra for it. Professional support is not that great. Often, I'd rather not involve them. They will simply mess up things. It's better to just post your questions on the forums and try to get some answers from the experts.

    I use all kinds of support. If you are working for a customer who has a very good rapport with Microsoft and they are their top Azure consumer, then they can do things for you. If you give them feedback and you are potentially a big customer for Sentinel, then they will try to adjust things according to your environment. However, if you are not, you are just using Sentinel, then it's okay. It all depends on how much money you are paying and how much business you are doing with Microsoft. 

    If a customer is planning to buy Sentinel, then they should initially negotiate with Microsoft for premier support. They can ask for 100 hours of premier support or the fast-track service. You can initially negotiate for a situation where, if some technical issues arise, then you will only work with premier support, and you can reserve your 100 or so hours for that. 

    Initially, it's better to agree in advance with Microsoft that you will be needing X number of technical support or the fast-track service or engagement with the Sentinel development team.

    Which solution did I use previously and why did I switch?

    I did not use a different solution. I'm from the Azure Log Analytics Monitoring part. I came from that side.

    We directly jumped into Sentinel. I've heard that people are doing migrations from Splunk. That's the number one tool that's available for SIEM. However, I directly started from Sentinel.

    How was the initial setup?

    The initial setup is very easy. You just need some basic knowledge of the monitoring platform called Azure Log Analytics. If you have the knowledge of Azure Log Analytics, then you can easily set up this.

    If you just want to set up over the Azure Portal, then it will hardly take 15 to 20 minutes to deploy. Of course, this is not the final setup. The final setup is when you will be connecting it with different sources. For example, if you have 100 machines, you will have 100 Linux machines, you will have routers and switches too. Everything you want to monitor needs to be there. You have to implement these all solutions one by one as per your requirement. If your requirement is you will want Linux machine monitoring, you want firewall monitor, then it can take time, however, it is pretty easy to accomplish.

    What's my experience with pricing, setup cost, and licensing?

    The pricing model is good. Microsoft does the reservations as well. Perfect planning is needed, as, once you reserve the space, you can save up to 30% or 40% of the cost. If you are not doing good planning, then it'll cost you a lot. However, from a costing point of view, it's fair and comparatively low. It's not a costly service.

    Which other solutions did I evaluate?

    I'm not the decision-maker. I was mostly from the Azure Log Analytics Monitoring background, however, when this was released, even the Microsoft CEO and CTO were touting its abilities. Initially, I looked at it for self-interest, and then we thought of implementing it for our labs, and then we found it fruitful. Then we started getting Sentinel projects. 

    What other advice do I have?

    I'm a consultant and service provider.

    It's hosted on a cloud. There is nothing like versioning or anything. It's just software as a service.

    I would rate the solution at around eight out of ten. When we do the migration, there are still few people who are used to it. Not many have hands-on experience. Sometimes we struggle in maintaining gaps.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Buyer's Guide
    Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.
    Updated: January 2023
    Buyer's Guide
    Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.