Coming October 25: PeerSpot Awards will be announced! Learn more

Microsoft Sentinel OverviewUNIXBusinessApplication

Microsoft Sentinel is #3 ranked solution in top Security Information and Event Management (SIEM) tools. PeerSpot users give Microsoft Sentinel an average rating of 8.0 out of 10. Microsoft Sentinel is most commonly compared to AWS Security Hub: Microsoft Sentinel vs AWS Security Hub. Microsoft Sentinel is popular among the large enterprise segment, accounting for 63% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 19% of all views.
Microsoft Sentinel Buyer's Guide

Download the Microsoft Sentinel Buyer's Guide including reviews and more. Updated: September 2022

What is Microsoft Sentinel?

Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution that lets you see and stop threats before they cause harm. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs—while reducing IT costs. With Azure Sentinel, you can:

- Collect data at cloud scale—across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds

- Detect previously uncovered threats and minimize false positives using analytics and unparalleled threat intelligence from Microsoft

- Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft

- Respond to incidents rapidly with built-in orchestration and automation of common tasks

To learn more about our solution, ask questions, and share feedback, join our Microsoft Security, Compliance and Identity Community.

Microsoft Sentinel was previously known as Azure Sentinel.

Microsoft Sentinel Customers

Microsoft Sentinel is trusted by companies of all sizes including ABM, ASOS, Uniper, First West Credit Union, Avanade, and more.

Microsoft Sentinel Video

Microsoft Sentinel Pricing Advice

What users are saying about Microsoft Sentinel pricing:
  • "The are two native advantages for customers that use M365 Security and Sentinel. The first advantage is that the log or security-event ingestion into Sentinel is free. Cost-wise, they're saving a lot and that is a major advantage."
  • "Some of the licensing models can be a little bit difficult to understand and confusing at times, but overall it's a reasonable licensing model compared to some other SIEMs that charge you a lot per data."
  • "Sentinel's pricing is on the higher side, but you can get a discount if you can predict your usage. You have to pay ingestion and storage fees. There are also fees for Logic Apps and particular features. It seems heavily focused on microtransactions, but they may be slightly optional. By contrast, Splunk requires no additional fee for their equivalent of Logic. You have a little more flexibility, but Sentinel's costs add up."
  • "It varies on a case-by-case basis. It is about $2,000 per month. The cost is very low in comparison to other SIEMs if you are already a Microsoft customer. If you are using the complete Microsoft stack, the cost reduces by almost 42% to 50%. Its cost depends on the number of logs and the type of subscription you have. You need to have an Azure subscription, and there are charges for log ingestion, and there are charges for the connectors."
  • "The pricing isn't very high. It depends on the number of logs you have. If you're expecting to ingest 50 to 60G in a day, but you're only ingesting 20 to 25G per day at first and you have a good team to analyze the logs, then you can segregate the ingestion at under 15G."
  • Microsoft Sentinel Reviews

    Filter by:
    Filter Reviews
    Industry
    Loading...
    Filter Unavailable
    Company Size
    Loading...
    Filter Unavailable
    Job Level
    Loading...
    Filter Unavailable
    Rating
    Loading...
    Filter Unavailable
    Considered
    Loading...
    Filter Unavailable
    Order by:
    Loading...
    • Date
    • Highest Rating
    • Lowest Rating
    • Review Length
    Search:
    Showingreviews based on the current filters. Reset all filters
    KrishnanKartik - PeerSpot reviewer
    Cyber Security Consultant at Inspira Enterprise
    Consultant
    Every rule enriched at triggering stage, easing the job of SOC analyst
    Pros and Cons
    • "You can fine-tune the SOAR and you'll be charged only when your playbooks are triggered. That is the beauty of the solution because the SOAR is the costliest component in the market today... but with Sentinel it is upside-down: the SOAR is the lowest-hanging fruit. It's the least costly and it delivers more value to the customer."
    • "Only one thing is missing: NDR is not available out-of-the-box. The competitive cloud-native SIEM providers have the NDR component. Currently, Sentinel needs NDR to be powered from either Corelight or some other NDR provider."

    What is our primary use case?

    It's mostly used for cloud-based analytics for proactive incident response. As an enterprise product, it falls under next-gen SIEM.

    How has it helped my organization?

    An advantage of Sentinel is that Microsoft has acquired RiskIQ as a threat intel platform and they've amalgamated it into the platform. When any analytical (or correlation) rule triggers, the enrichment is bundled within the solution. We don't need to input anything, it is there by default. Every rule is enriched right at the triggering or detection stage, which eases the job of the SOC analyst. The platform has become so intelligent compared to other solutions. When an alert is triggered, the enrichment happens so that we know exactly at that moment the true or false posture. This is a mature feature compared to the rest of the providers.

    Most of our customers use M365 with E3 or E5 licenses, and some use Business Premium, which provides the entire bundle of M365 Security including EDR, DLP, Zero Trust, and email security. There are two native advantages for customers that use M365 Security and Sentinel. The first advantage is that the log or security-event ingestion into Sentinel is free. Cost-wise, they're saving a lot and that is a major advantage.

    The other advantage is that when you use M365 Security with Sentinel, you get multi-domain visibility. That means when attacks happen with different kill-chains, in different stages through the email channel or a web channel, there is intelligence-sharing and that is a missing piece when customers integrate non-Microsoft solutions with Sentinel. With Microsoft, it is all included and the intelligence is seamlessly shared. The moment an email security issue is detected, it is sent to the Sentinel platform as well as to the M365 Defender platform. The moment it is flagged, it can trigger.

    That way, if the email security missed something, the EDR will pick up a signal triggered by a payload or by a script being shared and will trigger back to the email security to put that particular email onto a blacklist. This cross-intelligence is happening without even a SIEM coming into play.

    And a type of SOAR functionality is found within M365 Defender. It can run a complete, automated investigation response at the email security level, meaning the XDR platform level. When M365 Security is combined with Sentinel it gives the customer more power to remediate attacks faster. Detection and response are more powerful when M365 Defender and Sentinel are combined, compared to a customer going with a third-party solution and Sentinel.

    Sentinel has an investigation pane to investigate threats and respond holistically from one place, where SOC analysts can drill down. It will gather all the artifacts so that the analysts can drill down without even leaving the page. They can see the start of the attack and the sequence of events from Sentinel. And on the investigation page, SOC analysts can create a note with their comments. They can also call for a response action from that particular page.

    Also, most of the next-gen cloud analytics vendors don't provide a common MSSP platform for the service provider to operate. That means we have to build our own analytics in front of those solutions. Sentinel has something called Lighthouse where we can query and hunt and pull all the metadata into an MSSP platform. That means multi-customer threat prioritization can be done because we have complete visibility of all our customers. We can see how an attack pattern is evolving in different verticals. Our analysts can see exactly what the top-10-priority events are from all of our customers. Even if we have a targeted vertical, such as BFSI, we can create a use case around that and apply it to a customer that has not been targeted. We can leverage multiple verticals and multiple customers and see if a new pattern is emerging around it. Those processes are very easy with Sentinel as an MSSP platform.

    Because we use 75 percent of the automation possible through the platform we are able to reduce MTTA. It is also helpful that we get all the security incidents including the threat, vulnerability, and security score in one place of control. We don't have to go to one place for XDR, another for email, another for EDR, and a fourth for CASB. Another time saver is the automated investigation response playbooks that are bundled with the solution. They are available for email, EDR, and CASB. As soon as a threat is detected, they will contain it and it will give you a status of partially or fully remediated. Most of our customers have gone for 100 percent automation and remediation. These features save at least 50 percent of the time it would otherwise take.

    In terms of cost savings, in addition to the savings on log-ingestion, Microsoft Sentinel uses hyperscaler features with low-tier, medium-tier, and hot storage. For customers that need long-term data storage, this is the ideal platform. If you go with Securonix or Palo Alto, you won't see cost savings. But here, they can choose how long they want to keep data in a hot tier or a low or medium tier. That also helps save a lot on costs.

    What is most valuable?

    It's a Big Data security analytics platform. Among the unique features is the fact that it has built-in UEBA and analytical capabilities. It allows you to use the out-of-the-box machine learning and AI capabilities, but it also allows you to bring your own AI/ML, by bringing in your own IPs and allowing the platform to accept them and run that on top of it.

    In addition, the SOAR component is a pay-per-use model. Compared to any other product, where customization is not available, you can fine-tune the SOAR and you'll be charged only when your playbooks are triggered. That is the beauty of the solution because the SOAR is the costliest component in the market today. Other vendors charge heavily for the SOAR, but with Sentinel it is upside-down: the SOAR is the lowest-hanging fruit. It's the least costly and it delivers more value to the customer.

    The SOAR engine also uniquely helps us to automate most of the incidents with automated enrichment and that cuts out the L1 analyst work.

    And combining M365 with Sentinel, if you want to call it integration, takes just a few clicks: "next, next finish." If it is all M365-native, it is a maximum of three or four steps and you'll be able to ingest all the logs into Sentinel.

    That is true even with AWS or GCP because most of the connectors are already available out-of-the-box. You just click, put in your subscription details, include your IAM, and you are finished. Within five to six steps, you can integrate AWS workloads and the logs can be ingested into Sentinel. When it comes to a third party specifically, such as log sources in a data center or on-premises, we need a log collector so that the logs can be forwarded to the Sentinel platform. And when it comes to servers or something where there is an agent for Windows or Linux, the agent can collect the logs and ship them to the Sentinel platform. I don't see any difficulties in integrating any of the log sources, even to the extent of collecting IoT log sources.

    Microsoft Defender for Cloud has multiple components such as Defender for Servers, Defender for PaaS, and Defender for databases. For customers in Azure, there are a lot of use cases specific to protecting workloads and PaaS and SaaS in Azure and beyond Azure, if a customer also has on-premises locations. There is EDR for Windows and Linux servers, and it even protects different kinds of containers. With Defender for Cloud, all these sources can be seamlessly integrated and you can then track the security incidents in Microsoft's XDR platform. That means you have one more workspace, under Azure, not Defender for Cloud, where you can see the security incidents. In addition, it can be integrated with Sentinel for EDR deep-dive analytics. It can also protect workloads in AWS. We have customers for whom we are protecting their AWS workloads. Even EKS, Elastic Kubernetes Service, on AWS can be integrated, as can the GKE (Google Kubernetes Engine). And with Defender for Cloud, security alert ingestion is free

    What needs improvement?

    Only one thing is missing: NDR is not available out of the box. The competitive cloud-native SIEM providers have the NDR component. Currently, Sentinel needs NDR to be powered from either Corelight or some other NDR provider. It needs a third-party OEM. Other than that, it supports the entire gamut of solutions.

    Also, we are helping customers build custom data-source integration. Microsoft needs to look at some strategic development on the partner front for out-of-the-box integration.

    Buyer's Guide
    Microsoft Sentinel
    September 2022
    Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: September 2022.
    633,572 professionals have used our research since 2012.

    For how long have I used the solution?

    We are an MSSP and we have offered Microsoft Sentinel as a service to our customers for close to one and half years. Before I joined this organization, I worked with another organization that provided Microsoft Sentinel as a service for close to one year.

    What do I think about the stability of the solution?

    The platform is pretty stable. I generally do not have any problems with it unless an issue arises while deploying a playbook. The platform is 98 percent stable. That other 2 percent only happens when you start working deep on customization. Out-of-the-box, everything has been tested and there aren't any problems. But when you try to create something on your own, that's where you may need Microsoft support.

    What do I think about the scalability of the solution?

    You can scale it as much as you want. There are no limitations on scaling it.

    It supports multi-region environments. Even if it is a large organization with multiple regions and multiple subscriptions, it can collect the data within the regions. With GDPR, logs should stay within the country. The solution can comply with the law of the land and still serve multiple locations.

    Sentinel Lighthouse is not only meant for MSSPs. A large organization with diverse geography can meet the local data-residency laws, and Lighthouse will still act as a platform to connect all the regions and provide a centralized dashboard and visibility as an organization. So it can work if the customer has only one region and if there are multiple regions. It is a unique platform.

    Also, every six months they develop a lot of playbooks as well as from the marketplace, the Microsoft Sentinel Content hub. MSSPs like us can use it to create content and put it into the marketplace so that other customers or service providers can use them. Similarly, when those parties develop things, they are available to us.

    Microsoft is almost too active. We receive something new to offer to our customers every month or two. We also operate Splunk and QRadar but we see a lot of activity from Microsoft compared to the other vendors. That means we have a lot of value-adds to offer to our customers. These updates do not go to the customer by default. As a service provider, that helps us. We are the enablers, and a lot of these updates are free of cost for Sentinel users.

    How are customer service and support?

    I would rate Microsoft technical support at five out of 10 because we have to go through a lot of steps before we get to the right technical stakeholder. They have to improve a lot.

    How would you rate customer service and support?

    Neutral

    Which solution did I use previously and why did I switch?

    As an MSSP we also use Splunk, Qradar, and Micro Focus ArcSight. We added Microsoft as well because of customer demand. 

    Existing customers that are doing a tech refresh are going for cloud-native. Digital transformation has been the driving factor. A lot of our customers have embraced microservices and they're looking for a new-age, cloud-native SIEM to support cloud-native solutions. For most of our customers that are looking at migrating to Sentinel, the major factor is the cloud. They have moved their data center servers to AWS or GCP or Azure.

    How was the initial setup?

    The initial deployment is straightforward. There are only two or three methods, depending on whether it is on-premises log collection or M365 all-cloud, in which case it is API-based with out-of-the-box APIs. Within a few clicks, we can integrate it. It is simple and fast.

    If we're dealing with all-M365 components and Azure components, we can complete deployment within a day. If we're dealing with the customer-log collection, it depends on the customer. There are some prerequisites required, but if the prerequisites are ready, then it takes, again, a day or so.

    The number of people involved depends on the situation, but if there is not much more than out-of-the-box deployment, a maximum of two L1 engineers can complete all the activity.

    What was our ROI?

    From my perspective, the ROI is good because Microsoft keeps getting new things done without any additional cost. Every quarter there is at least a 10 to 15 percent increase with add-on components and content that are free. That is a type of enrichment that customers receive that they do not get from any other platform.

    What's my experience with pricing, setup cost, and licensing?

    Microsoft gives a discount of 50 percent but only for customers that are clocking 100 GB and above. They should also look at medium and SMB customers in that regard.

    There are a lot of advantages for customers with a Microsoft ecosystem. They need to know the tricks for optimizing the cost of Microsoft Sentinel. They need to work with the right service provider that can help them to go through the journey and optimize the cost.

    For Microsoft security products there is a preview mode of up to six months, during which time they are non-billable. The customer is free to take that subscription and test it. If they like it, they will be billed but they have six months where they can evaluate the product and see the value. That is the best option and no other vendor gives a free preview for six months.

    Other solutions will have two updates a year, maximum. And most of them are not updates to the features but are security or platform-stability updates. Microsoft is completely different. Because the platform is managed by them, they don't give platform updates. They give updates on the content that are free. They keep adding this data, which is helping customers to stay relevant and updated.

    Our customers see a lot of value from that process. Some 60 to 70 percent move from preview mode to production.

    Which other solutions did I evaluate?

    The challenge with competitive products, or any SIEM, is that they are use-case specific: You define some correlation and they will detect it. Some of the next-gen solutions today work with analytics but the analytics are limited to the logs that have been registered. Other platforms are also not able to pinpoint the inception point of the attack. Once the attack is being reviewed, they will use log sources of that particular attack and will drill down into that particular attack scenario, but they're not able to group the attack life cycle: the initiation of that attack, and the different stages of the attack. The visibility is limited when it comes to other SIEMs.

    But Sentinel has something called Fusion, which can give you multi-stage attack visibility. That is not something available from other SIEM vendors. Fusion is a very special kind of detection. It will only trigger when it sees the linkage between multiple attacks detected by multiple data sources. It will try to relate all the attacks and see if there is a link between them. It gives you a complete footprint of how that attack started, how it evolved, how it is going, and which phase it is in now. It will give a complete view of the attack, and that is a missing link compared with other SIEM vendors. This is a unique feature of Microsoft Sentinel.

    Sentinel's UEBA is around 90 percent effective, and the threat intel is a 10 out of 10, but it is an add-on. If a customer takes that add-on package, it will give complete threat intel and visibility into the deep and dark web. In addition, it helps a customer to track the external attack surface. It is a comprehensive threat intel platform. 

    The Sentinel SOAR is a 10 out of 10 and, if I could, I would rate it higher. Other SOAR platforms do not help reduce the price. A customer may not be able to use them after some time because they charge per SOC analyst. With Microsoft, there is no limitation on SOC analysts. It is purely billed based on consumption, which is a great advantage. Every customer can use it. It is free for up to 4,000 actions. Even if a customer goes to 50,000 actions per day, which is normally what a large-volume customer will do, he'll be charged $50, and no competitive SOAR vendor is in that league.

    What other advice do I have?

    Understand the product capabilities first and, before finalizing your product, see how we can optimize your solutions. Also, try to see a roadmap. Then plan your TCO. Other SIEMs do not give you the advantage of free log ingestion, but if you want to understand the TCO, you need to know what your organization is open to adopting. If you integrate Microsoft solutions in different places, like cloud or CASB, it is going to give you more free ingestion and your TCO is going to be reduced drastically.

    Organizations that have a Microsoft E5 license have an advantage because all the Microsoft components we have talked about are free. Unfortunately, we have also witnessed that most of our customers with an E5 license are not using the product features effectively. They need to see how they can leverage these services at the next level and then start integrating with Sentinel. That will give them a better return on investment and a proper TCO.

    The platform gives you the ability to do 100 percent automation, but it is up to the service provider or the customer to decide what the percentage should be. The percentage varies from organization to organization. In our organization, we are using 75 percent of the automation before it reaches a SOC analyst. At a certain point, we want to see our SOC Analyst intervene. We want to do that remaining 25 percent manually, where the analyst can call for further responses.

    Threat intelligence, in my opinion, is not generally going to work in a predictive mode. It is more a case of enrichment and indicators of compromise. It can only help in direction and correlation, but may not take you to a predictive mode, except if we talk about external attack surface management. The threat intel feed is going to give you an indicator of compromise and that will help you to be proactive but not predictive.

    Whereas the external attack surface management and deep and dark web monitoring will monitor all your public assets. If a hacker is doing something in your public-facing assets, it will give a proactive alert that suspicious activities are happening in those assets. That will help my SOC analysts to be predictive, even before an attack happens. If somebody is trying brute force, that's where the predictive comes into play. The deep and dark web monitoring will help to monitor my brand and my domain. If hackers discuss my critical assets or my domain within a dark web chat, this intel can pick that up. In that case, they can say something predictively and that they are planning for an attack on your assets.

    In terms of going with a best-of-breed strategy rather than a single vendor's security suite, customers need to be smart. Every smart solution keeps its intelligence within the solution. If the landscape includes email, web, EDR, et cetera, at a bare minimum there are eight different attack surfaces and everyone can have different controls. A SOC analyst will have to manage eight different consoles and have eight unique skill sets with deep knowledge of each product. So although individual solutions bring a lot of things to the table, the customer is not able to use those features 100 percent. We are failing when we go with individual products. An individual product may be more capable, but an organization will not be able to use the product effectively. The silos of intelligence, the number of different consoles, and the right skill sets to apply to each product are problems.

    In addition, attacks are evolving and the software is evolving along with them. A product vendor may release some new features but the customer won't have the right skill set internally to understand them and apply them.

    But with a single-vendor situation like Microsoft, the SOC analyst has nowhere else to go. It is one XDR platform. All the policies, all the investigation, and everything they need to apply is right in one place. There are also more Microsoft-Certified resources in the market, people who are certified in all the Microsoft products. All of a sudden, my skill set problem is solved and there is no need to look at multiple consoles, and the silos of intelligence are also solved. All three pain points are resolved.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    AidanMcLaughlin - PeerSpot reviewer
    SIEM Engineer at a tech services company with 501-1,000 employees
    Real User
    Top 20
    Enables us to monitor many different environments for cybersecurity incidents, and we use it as our main alerting tool to let us know when this activity happens
    Pros and Cons
    • "The automation rules and playbooks are the most useful that I've seen. A number of other places segregate the automation and playbook as separate tools, whereas Microsoft is a SIEM and SOAR tool in one."
    • "Documentation is the main thing that could be improved. In terms of product usage, the documentation is pretty good, but I'd like a lot more documentation on Kusto Query Language."

    What is our primary use case?

    We use Microsoft Sentinel to monitor many different environments for cybersecurity incidents, and we use it as our main alerting tool to let us know when this activity happens. It also interfaces with all of our other Defender products, such as Defender for Office 365, Defender for Endpoint, et cetera.

    Almost all of our solutions are based in Azure. We use Defender for Endpoint, Defender for Office 365, Defender for cloud, Sentinel, and Azure Active Directory Identity Protection.

    I use the latest version of Sentinel.

    Sentinel is mostly used within our security operations center and our security team. We have about 50 endpoint users.

    How has it helped my organization?

    The backbone of our organization is built on Microsoft Sentinel, its abilities, and the abilities of our Defender stack. Ideally, we'd have more data, but a lot of data and functionality are in one place. The Lighthouse feature is outside Sentinel, but it allows us to have multiple environments integrated into one and to access lots of different Sentinel environments through that. It's very easy to manage a security workload with Sentinel. 

    I would like to see better integration with CICD. It should be easier to use GitHub, Jenkins, or whatever our code management stack looks like. Whether or not you use Azure DevOps, being able to manage the code you have is fairly important.

    Since using Sentinel, we've experienced a faster response time and easier development features. There aren't as many hurdles to moving a configuration.

    I'm not sure how long it took to realize the benefits because it was deployed before my time here. It took me about three months to get familiar with what Sentinel has to offer and how we could leverage it, so it will be about three months before you start getting proper value from it.

    There are still elements of Sentinel that I haven't used to their fullest potential, like the Jupyter Notebooks and internet hunting queries.

    The solution is good at automating routine tasks and alleviating the burden for analysts.

    Automation has moderately affected our security operations, although there is scope for it to significantly affect SecOps. There is definitely the capability for Sentinel to do pretty much all of your first-line response, which would be a significant improvement. It's a moderate effect because we only use automation in a few areas.

    There are a few different dashboards for each of the Microsoft tools. We have a dashboard for Defender, one for Sentinel, and one for Active Directory Identity Protection. It consolidated alerts in some aspects, but a lot of information is still scattered.

    It's fairly good for being reactive and responding to threats and looking for indicators of compromise. Overall, it helped us prepare for potential threats before they hit.

    Sentinel saves us time. The automation feature especially saves us time because we can automate a lot of menial tasks. If other businesses could do that, it would eliminate a lot of their first-line response.

    Sentinel saves us about 20 hours per week, which is the equivalent of a part-time staff member.

    It saved us money. It's a very cost-efficient SIEM to use and still provides a good level of coverage despite that. 

    Sentinel saved us about 50% of the cost of Splunk. It decreased our time to detect and respond by about 10-15%.

    What is most valuable?

    The automation rules and playbooks are the most useful that I've seen. A number of other places segregate the automation and playbook as separate tools, whereas Microsoft is a SIEM and SOAR tool in one.

    It provides us with very high visibility. It allows us to see a lot holistically across our environment in Azure. It integrates very well with other products like Defender.

    It helps us prioritize threats across our enterprise. There are many things we can do to deal with prioritizing threats, such as having automation rules that automatically raise the priority of certain incidents. We're also able to make changes to the rule sets themselves and say, "I believe this to be a higher priority than is listed in the tool."

    Prioritization is probably the most important thing to us because as an organization, we have a number of threats coming in at any moment, and each of them has its own valid investigation path. We need to know which ones are business critical and which ones need to be investigated and either ruled out or remediated as soon as possible. Prioritizing what to work on first is the biggest thing for us.

    If you have the right licenses and access to all the products, it's fairly easy to integrate these products into Sentinel. Sometimes they don't pull as much information as possible, and I've noticed that there is a cross-functional issue where these tools will flag and alert themselves.

    We can have it configured to create an alert in Microsoft Sentinel, but sometimes it doesn't create a bridge between them. When we finish our investigation and close the ticket on Sentinel, it sometimes doesn't go back to the tool and update that. That's the only issue that I have found with the integration. Everything else is straightforward and works well.

    The solutions work natively together to deliver coordinated detection responses across our environment. It's probably one of the better-engineered suites. In other places, I've experienced an endpoint detection and response system that's completely different: proprietary coupled with a proprietary and different SIEM tool or maybe a different sort of tool. They are individual tools, and it can sometimes feel like they're engineered differently, but at the same time, they integrate better than anything else on the market as a suite of tools.

    These solutions provide pretty comprehensive threat protection. A lot of them are technology agnostic, so you can have endpoints on Linux and Mac OS. It's pretty comprehensive. There's always a little oversight in any security program where you have to balance the cost of monitoring everything with the risk of having some stuff unmonitored, but that's probably an issue outside of this tool.

    It enables us to ingest data from our entire ecosystem. It's difficult to ingest non-native data. It's not as easy as in Splunk because Splunk is probably the leading SIEM tool. If you have a native tool that's out of the Microsoft security stack, you can bring it into Sentinel and have an alert on it.

    This ingestion of data is vital for our security operations. It's the driver behind everything we do. We can do threat hunting, but if we don't have logs or data to run queries, then we're pretty much blind. I've worked in places where compliance and regulatory adherence are paramount and having logs, log retention, and evidence of these capabilities is extremely important. One of the more vital things that our organization needs to operate well, is good data.

    A lot of the alerts come in from other tools, so sometimes we have to actually use that tool to get the proper information. For example, if we get an alert through Defender for Office 365, to actually see an offending email or attachment or something like that, we have to go into the Defender console and dig that out, which is inconvenient. As an aggregator, it's not bad compared to the other solutions on the market. In an ideal scenario, having more information pulled through in the alerts would be an improvement.

    A lot of Sentinel's data is pretty comprehensive. The overarching theme with Sentinel is that it's trying to be a lot of things in one. For a UEBA tool, people will usually have separate tools in their SIEM to do this, or they'll have to build their own complete framework from scratch. Already having it in Sentinel is pretty good, but I think it's just a maturity thing. Over the next few years, as these features get more fleshed out, they will get better and more usable. At the moment, it's a bit difficult to justify dropping a Microsoft-trained UEBA algorithm in an environment where it doesn't have too much information. It's good for information purposes and alerting, but we can't do a lot of automation or remediation on it straight away.

    What needs improvement?

    Although the integrations are good, it can sometimes be information overload. A number of the technologies run proprietary Microsoft algorithms, like machine learning algorithms and detection algorithms, as well as having out-of-the-box SIEM content developed by Microsoft. As an engineer that focuses on threat detection, it can sometimes be hard to see where all of the detections are coming from. Although the integrations are good, it can sometimes be information overload.

    Documentation is the main thing that could be improved. In terms of product usage, the documentation is pretty good, but I'd like a lot more documentation on Kusto Query Language. They could replicate what Splunk has in terms of their query language documentation. Every operator and sub-operator has its own page. It really explains a lot about how to use the operators, what they're good for, and what they're not good for in terms of optimizing CPU usage.

    In Splunk, I would like to see some more advanced visualization. There are only some basic ones in Sentinel.

    For how long have I used the solution?

    I've been using Microsoft Sentinel for about one year, but more heavily over the past five months.

    What do I think about the stability of the solution?

    It's pretty stable. We don't have any performance or capacity issues with it.

    What do I think about the scalability of the solution?

    It's scalable when using solutions like Lighthouse.

    How are customer service and support?

    I haven't needed to use technical support yet, but the documentation in the community is very good.

    Which solution did I use previously and why did I switch?

    I previously used Splunk. The move to Sentinel was definitely cost-based. A lot of people are moving away from Splunk to a more cost-effective SIEM like Sentinel. We also chose Sentinel because of the ease of maintenance. Splunk's enterprise security has some good queries out of the box, but if I were a small organization, I would use Sentinel because it has more out-of-the-box features.

    How was the initial setup?

    The log collection facilities must be maintained. Maintaining the solution requires a team of fewer than five people. It mainly involves ensuring that the rules are up to date, the connectors and log collection mechanisms are working correctly, and that they're up to date. It also involves ensuring that the right rules are deployed and the automation rules are in place.

    What was our ROI?

    Our ROI is 50% over and above what we spend on it in terms of what we can get back from Microsoft Sentinel, everything we use it for, and the time we save.

    What's my experience with pricing, setup cost, and licensing?

    Some of the licensing models can be a little bit difficult to understand and confusing at times, but overall it's a reasonable licensing model compared to some other SIEMs that charge you a lot per data.

    There are additional fees for things like data usage and CPU cycles. When you're developing queries or working on queries, make sure that they're optimized so you don't use as much CPU when they run.

    Which other solutions did I evaluate?

    We spoke with Google about Chronicle Backstory. It looks pretty powerful, but it wasn't mature enough for what we were looking for at that time.

    The only other real standalone solution I've had a good experience with is Splunk and Splunk Phantom. In terms of cost, it's astronomically different. Microsoft Sentinel can sometimes be expensive depending on how many logs you're taking, but it will never be in the same realm as Splunk. Sentinel is easy to use, but Splunk is so expensive because it's very easy to use.

    Microsoft Sentinel is a better SOAR solution than Phantom. Phantom has good integrations, but it isn't really built for custom scripting. If you're going to be paying more, you would expect that to be better. Sentinel is better in that aspect. Sentinel's cost-effectiveness blows a lot of other solutions out of the water, especially if you're already in Azure and you can leverage some relationships to bring that cost down.

    What other advice do I have?

    I would rate this solution eight out of ten. It's heading in the right direction, but it's already pretty good and mature.

    If a security colleague said it's better to go with the best-of-breed strategy rather than a single vendor security suite, I would understand that completely. Some people see tying yourself into a single vendor as a vulnerability. It's not quite spread out, but I think you can manage a single vendor security solution if you have a good relationship with the vendor and you really leverage your connections within that business.

    It's good to diversify your products and make sure that you have a suite of products available from different companies and that you use the best that's available. In terms of this technology stack, it's pretty good for what it does.

    My advice is to really focus on what's possible and what you could do with the SIEM. There are a lot of features that don't get used and maximized for their purpose from day one. It takes a couple of months to properly deploy the solution to full maturity.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Microsoft Sentinel
    September 2022
    Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: September 2022.
    633,572 professionals have used our research since 2012.
    Cyber Security Engineer at a retailer with 10,001+ employees
    Real User
    It helps us automate routine tasks and findings of high-value alerts from a detection perspective
    Pros and Cons
    • "The native integration of the Microsoft security solution has been essential because it helps reduce some false positives, especially with some of the impossible travel rules that may be configured in Microsoft 365. For some organizations, that might be benign because they're using VPNs, etc."
    • "Sentinel could improve its ticketing and management. A few customers I have worked with liked to take the data created in Sentinel. You can make some basic efforts around that, but the customers wanted to push it to a third-party system so they could set up a proper ticketing management system, like ServiceNow, Jira, etc."

    What is our primary use case?

    We're a managed security service provider using Sentinel for its primary SIEM capability. Our company looks after multiple Sentinel instances for a variety of customers. However, we don't do anything through Lighthouse because every customer we monitor wants everything in their own tenant space. 

    The company ensures suitable detections are created and loaded into the Sentinel side, and we provide them with KQL to help them with some in-house use cases with a security focus. We also made some dashboards so they could visualize their data and what their issues would look like. We adopt different deployment models depending on the customer. It's usually a public cloud or hybrid in some instances.

    We work with a few Microsoft products, but it's mostly the Defender for Cloud Suite, including Defender for Endpoint and Defender for Cloud. It's undergone a rebrand from the Cloud Application Security side. We also use Azure Active Directory, Microsoft Cloud Security, and several other Azure and Office 365 applications.

    How has it helped my organization?

    Sentinel made it easier to put everything into one place instead of checking multiple tools, especially when working with Microsoft shops. They focus a lot of the efforts on the Sentinel side, so the data is being correctly pushed across and easily integrated with third-party capabilities. Palo Alto and Cisco feeds can work almost side by side with the native Microsoft feeds seamlessly.

    Sentinel helps us automate routine tasks and findings of high-value alerts from a detection perspective. Still, I haven't made much use of the SOAR capabilities with the Logic Apps side of things because of the cost associated with them, especially at volume from an enterprise environment. It was felt that using those features might push some of the usage costs up a bit. We thought it was more of a nice-to-have than something essential for the core services we wanted to leverage. We avoided using that again, but it was more of a cost issue than anything. 

    Instead of having to look at dashboards from multiple parties, we have one place to go to find all the information we want to know. This consolidation has simplified our security operations. 

    Usually, it isn't good to have all your eggs in one basket. However, with Azure replicating across the data center, it's better to have all your eggs in one basket to effectively leverage the raw data that would typically be going into multiple other tools. Having everything in one place allows a nice, clear, concise view if you want to see all your network data, which you can do easily with Sentinel.

    Some of the UEBA features helped us identify abnormal behaviors and challenge users to ensure it's undertaking particular activities. You can isolate accounts that may have been compromised a bit quicker.

    Sentinel reduced implementation time and sped up our response. I can't give a precise figure for how much time we've saved. Onboarding an Azure feed to a third-party SIEM system might take a couple of days or weeks to get the relevant accounts, etc., in place. Onboarding is a matter of minutes with Sentinel if it's a Microsoft feed. Having everything in one place makes our response a little quicker and easier. The KQL can be easily transferred to support the threat-hunting side because all the information is just there.

    Our threat visibility also improved. Sentinel changed a lot since I started using it. It's like a whole new product, especially with the tighter integrations on the Defender for Cloud. For customers heavily reliant on Microsoft and Azure, it's much cleaner and more accessible than logging in to multiple tools. 

    I think some of the two-way integrations started to come through for the Defender for Cloud suite as well, so whenever you closed off notifications and threats, et cetera, that were being flagged up in Sentinel, it replicated that information further back to the source products as well, which I thought was a very nifty feature.

    It helps us prioritize threats, especially with the way that the various signatures and alerts are deployed. You can flag priority values, and we leveraged Sentinel's capabilities to dynamically read values coming through from other threat vendors. We could assign similar alerts and incidents being created off the back of that. It was good at enabling that customizability.

    The ability to prioritize threats is crucial because every business wants to treat threats differently. One organization might want to prioritize specific threats or signatures more than another customer based on how they've structured and layered their defense. It's useful from that perspective.

    The native integration of the Microsoft Security solution has been essential because it helps reduce some false positives, especially with some of the impossible travel rules that may be configured in Microsoft 365. For some organizations, that might be benign because they use VPNs, etc.

    What is most valuable?

    Sentinel lets you ingest data from your entire ecosystem. When I started using it, there wasn't a third-party ingestion capability. We could get around that using Logstash. It was straightforward. The integration with the event hub side allowed us to bring in some stuff from other places and export some logs from Sentinel into Azure Data Explorer when we had legal requirements to retain logs longer. 

    I've used  UEBA and the threat intel, which are about what I expect from those sorts of products, especially the threat intel. I like how the UEBA natively links to some Active Directory servers. It's excellent. Integration with the broader Microsoft infrastructure is painless if your account has the correct permissions. It was just ticking a box. It's clear from the connector screen what you need to do to integrate it.

    The integration of all these solutions helped because they all feed into the same place. We can customize and monitor some of the alert data from these various products to create other derivative detections. It's like an alert for our alerts.  

    For example, we could look at a particular user IP or similar entity attribute and set an alert if they've met specific conditions. If there are more than a given number of alerts from different products, we treat that as a higher priority. It's beneficial for that.

    What needs improvement?

    Sentinel could improve its ticketing and management. A few customers I have worked with liked to take the data created in Sentinel. You can make some basic efforts around that, but the customers wanted to push it to a third-party system so they could set up a proper ticketing management system, like ServiceNow, Jira, etc.  

    It would be helpful for incident responders to be able to assign tickets and have permissions assigned to them. Once you have escalated tickets from Level 1 to Level 2, there may be areas where you want to control who has access to the raw Sentinel tool. 

    For how long have I used the solution?

    I started using Sentinel in July of last year.

    What do I think about the stability of the solution?

    Sentinel's stability is great. We only had one outage for a couple of hours, but that was a global Azure issue. 

    What do I think about the scalability of the solution?

    I think I've not had to worry too much about the scaling. It seems to be able to handle whatever has been thrown at it. I assume that's part of the SaaS piece that Sentinel falls under. Microsoft will worry about what's happening behind the scenes and spin up whatever resources are needed to make sure it can do what it needs to do.

    How are customer service and support?

    I rate Microsoft support a ten out of ten. We had a few issues with certain filters working with some connectors. There were problems with certain bits of data being truncated and potentially lost. I spoke to some people from the Israeli team. They responded quickly and tried to be as helpful as they could. 

    Support made a solid effort to understand the problem and resolve it. They maintained regular communications and provided reassurance that they were sorting out the problems.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    I used Elasticsearch, Kibana, and Splunk. We switched to Sentinel because of the ease of use and integration. Microsoft infrastructure forms the backbone of our environment. We use Azure for hosting, Active Directory for user accounts, and Office 365 for communications and data storage. 

    Sentinel made a lot of sense, especially given our difficulties getting our data onboarded into the Elasticsearch stack. We saw similar challenges with Splunk. Sentinel works natively with Microsoft, but we've still had some pain points with some of the data sources and feeds. I think that's just more about how the data has been structured, and I believe some of those issues have been rectified since they've been flagged with Microsoft support.

    At the same time, Sentinel is a little more costly than Splunk and the Elasticsearch stack. However, it's easier to manage Sentinel and get it up and running. That's where a cost-benefit analysis comes in. You're paying more because it's easier to integrate with your environment than some of the other providers, but I'd say it is a little on the costly side.

    How was the initial setup?

    I've spun up my instance of Sentinel for development purposes at home, and it was quick and easy to get through. The documentation was thorough. From the Azure portal, you click Sentinel to ensure all the prerequisites and dependencies are up and running. On the connector side, it's just a matter of onboarding the data. It's straightforward as long as you have the correct permissions in place.

    Deployment requires two or three people at most. You probably don't even need that many. Two of the three were just shadowing to get experience, so they could run with their deployments.

    It doesn't require much maintenance. Microsoft does a great job of building a SaaS solution. Any problems in the region where Sentinel is hosted are visible on the Azure portal. Once the initial configuration and data sources are deployed, it takes minimal upkeep.

    What about the implementation team?

    The deployment was done in-house.

    What was our ROI?

    It's hard to say whether Sentinel saved us money because you only know the cost of a breach after the fact. We'll probably spend more on Sentinel than other products, but hopefully, we'll see a return by identifying and remediating threats before they've become an actual cost for our clients. 

    Sentinel has made it a little easier to get the initial Level 1 analysts onboarded because they don't need to know how to use, say, Palo Alto's Panorama. They can focus their efforts on one query language that enables them to go across multiple different vendors, products, and tools. It's quicker for a Level 1 analyst to get up to speed and become useful if they don't need to learn five or six different ways to query various technologies.

    What's my experience with pricing, setup cost, and licensing?

    Sentinel's pricing is on the higher side, but you can get a discount if you can predict your usage. You have to pay ingestion and storage fees. There are also fees for Logic Apps and particular features. It seems heavily focused on microtransactions, but they may be slightly optional. By contrast, Splunk requires no additional fee for their equivalent of Logic. You have a little more flexibility, but Sentinel's costs add up. 

    What other advice do I have?

    I rate Sentinel an eight out of ten. My only issue is the cost. I would recommend Sentinel, but it depends on what you want to get from your investment. I've seen Sentinel deployed in everything from nonprofits to global enterprises. With multiple vendors, you're more at risk of causing analyst fatigue.

    Microsoft has done a great job of integrating everything into one place. The setup and configuration of Azure's general hosting environments reduce the risk. Most services are on the cloud, so Sentinel makes it much quicker and easier to get up and running. You don't need to worry about training and getting multiple certifications to have an effective SOC.

    I recommend sticking with Sentinel and putting in as many data sources as you can afford. Put it through its paces based on a defense-in-depth model. Take advantage of all the information Microsoft and others have made available in places like GitHub, where there is a vast repository of valuable detections that can be tweaked depending on your environment.

    It makes it a lot easier to get started. Many people approaching security with a blank canvas aren't sure where to go. There are a lot of valuable resources and information available.

    Disclosure: My company has a business relationship with this vendor other than being a customer: MSSP
    Flag as inappropriate
    PeerSpot user
    Associate Manager at a tech services company with 10,001+ employees
    Real User
    Easy to manage with good automation and machine learning capabilities
    Pros and Cons
    • "The machine learning and artificial intelligence on offer are great."
    • "Azure Sentinel will be directly competing with tools such as Splunk or Qradar. These are very established kinds of a product that have been around for the last seven, eight years or more."

    What is our primary use case?

    Sentinel is a solution called SIEM - security information event management. It's for monitoring an entire organization from a security point of view. Along with the monitoring, what happens in the SIEM is you have to raise incidents. If there are any kind of security issues or breaches or people are trying to get into the system, you have to raise an incident ticket. You collect the event information from the systems. You'll be able to see if it's, for example, a machine or account, or an active directory outage. You can process that information using machine learning AI, and then raise incidents. It's basically helping a security operations center team (SOC). With the help of Azure Sentinel, we can build a SOC.

    There are plenty of use cases. You have to cover your entire security environment. For example, a brute force attack against your Azure Portal. If someone is trying to guess your password, you will see the incident. When somebody puts four, five wrong passwords, and then a correct password, it could mean someone is trying to guess your password and you would see that. Basically, there are a lot of use cases, however, all of them revolve around monitoring security. Whenever something happens, we should get alerted or we can proactively assess our environment.

    With Sentinel, you can also do the hunting. It'll try to identify if your environment is compromised with any kind of attack. In most cases, it'll try to protect your organization before this attack can happen. If somebody is trying to snoop in your environment, we can track him. Or if somebody is trying to guess your password, we can protect the password. If somebody is injecting the malware, we can identify and protect the organization.

    How has it helped my organization?

    The solution has improved functionality as most of the organization will be in the cloud. If an organization is already on the Azure cloud, then they don't have to go for any other solution for the SIEM. They can easily integrate Sentinel. Most of us are on the Microsoft products, so it's very easy to deploy this with the Microsoft products as well as to the other products. 

    What is most valuable?

    In terms of Sentinel, it's a best-in-class solution. The SIEM solution is hosted in the cloud. When you compare it with the other tools, the on-premises tools may not be that great.

    The best piece about it is when it comes to the traditional SIEM solutions, it's very hard to manage them. First of all, licensing will be there. Then you need to manage underlying infrastructure as well. You also need a big setup. All these things aren't necessary with Sentinel due to the fact that it's on the cloud. You just get a cloud subscription and do a pay-as-you-go model.

    The machine learning and artificial intelligence on offer are great. These are the things that happen in the background that we do not see. Whenever you have an incident, it will provide you with all the options so that you can drill down. For example, I have identified one incident where somebody was trying to do a brute-force attack. When this incident was generated, I had a lot of data with which I could start to investigate things.

    It provides the best-in-class hunting capabilities. It's very easy to write the hunting logic. You have to write some searching queries. It's very easy to write those all queries and identify the test.

    It'll give you the capabilities of automation. Azure is not only about security or infrastructure. It has a lot of programming features, functions, logic apps, and automation. You can easily integrate. If you can do a little bit more programming, then you can integrate it with functions or automation, or anything else.

    There is a different tool for security postures. That's called Azure Security Center. From November, it's going to be called Azure Defender. This tool does not do posture management, however, it can integrate with Azure Security Center. There is also this XDR tool, Microsoft Defender. It can easily integrate it. Once you set up the integration between these tools, then you will have the advantage of both the tools. You will have a unified ticketing system where you can view the alerts from XDR and you can view the alerts from the posture management and from the SIEM.

    What needs improvement?

    Every month there are new features in Sentinel and the tools are stable. All the features and functionality that those tools provide are slowly coming to the Azure Sentinel as well. So it's improving a lot day by day. 

    Initially, we had the data connector that could bring the data from any of the platforms that we wanted to monitor. Now, Microsoft has improved the solutions and they're providing a lot of options. While you can (and now have) almost all the functionalities that are needed for SIEM capabilities, it's still adapting to new things as well. 

    Azure Sentinel will be directly competing with tools such as Splunk or Qradar. These are very established kinds of a product that have been around for the last seven, eight years or more. They have a lot of good things going for them and are slightly ahead of Microsoft, which is new to the game. However, Microsoft is adapting. Microsoft keeps working on its solutions and offers feature request platforms as well. We have given them a lot of feedback in terms of some customizations - and they keep adding to it. There are a lot of new things that are in the pipeline. In the next four to six months, we will see more new features which will further enhance the existing tools.

    For example, there were some custom fields that were missing. We wanted to do mapping of the custom fields and this capability wasn't there in the Sentinel. However, when we requested it they implemented it.

    For how long have I used the solution?

    I have been on Sentinel for the last two to two and a half years. Initially, I was just doing it for my own self-interest, however, for the last one and a half years, it's been more of a professional relationship and I've been working with it for customers.

    What do I think about the stability of the solution?

    The solution is quite stable. I have not seen any downtime so far. It is working for customers as well. It's good. It's on a cloud and therefore we need not worry about maintaining the databases or maintaining the platforms, or wherever the data is stored. It's all Microsoft's responsibility.

    What do I think about the scalability of the solution?

    The scalability is a unique selling proposition for Sentinel. Due to the fact that it's on the cloud, you can scale it up to any limit. Of course, you have to pay for whatever data you are storing. As compared to an on-premises tool the sometimes they may fail to scale, however, this is great. You don't have to bring up a lot of hardware with Sentinel. 

    This solution is being used quite extensively right now.

    Whether or not the usage will increase depends on the pricing that comes up the more you use it. We have to pay for whatever data, telemetry, that gets into the Sentinel. For example, let's say today I collected 1GB of data, tomorrow I'm going to collect 5GB of data. Microsoft can easily hold this, however, then they also provide you with some kind of plans. You can reserve the space. You can say "I will use 100GB of data per month." Microsoft will give you a discount and you have to pay for the reserved 100GB. It is a pay-as-you-go model.

    The solution is used by the development team, which sets it up, and then by the SOC team, which takes over and starts monitoring for security incidents.

    How are customer service and support?

    Technical support depends on what kind of agreement you have with Microsoft. If you are a premier customer, under the top 100, then they can provide you with some direct connection with the Microsoft program managers. You can have a conversation with them once every two weeks. If you are not in the premier tier, if you are just directly buying it from Azure, then technical support, again, depends. There are two types of technical service. One is the professional and the second one is the premier. Premier support is good. Obviously, you will be paying extra for it. Professional support is not that great. Often, I'd rather not involve them. They will simply mess up things. It's better to just post your questions on the forums and try to get some answers from the experts.

    I use all kinds of support. If you are working for a customer who has a very good rapport with Microsoft and they are their top Azure consumer, then they can do things for you. If you give them feedback and you are potentially a big customer for Sentinel, then they will try to adjust things according to your environment. However, if you are not, you are just using Sentinel, then it's okay. It all depends on how much money you are paying and how much business you are doing with Microsoft. 

    If a customer is planning to buy Sentinel, then they should initially negotiate with Microsoft for premier support. They can ask for 100 hours of premier support or the fast-track service. You can initially negotiate for a situation where, if some technical issues arise, then you will only work with premier support, and you can reserve your 100 or so hours for that. 

    Initially, it's better to agree in advance with Microsoft that you will be needing X number of technical support or the fast-track service or engagement with the Sentinel development team.

    Which solution did I use previously and why did I switch?

    I did not use a different solution. I'm from the Azure Log Analytics Monitoring part. I came from that side.

    We directly jumped into Sentinel. I've heard that people are doing migrations from Splunk. That's the number one tool that's available for SIEM. However, I directly started from Sentinel.

    How was the initial setup?

    The initial setup is very easy. You just need some basic knowledge of the monitoring platform called Azure Log Analytics. If you have the knowledge of Azure Log Analytics, then you can easily set up this.

    If you just want to set up over the Azure Portal, then it will hardly take 15 to 20 minutes to deploy. Of course, this is not the final setup. The final setup is when you will be connecting it with different sources. For example, if you have 100 machines, you will have 100 Linux machines, you will have routers and switches too. Everything you want to monitor needs to be there. You have to implement these all solutions one by one as per your requirement. If your requirement is you will want Linux machine monitoring, you want firewall monitor, then it can take time, however, it is pretty easy to accomplish.

    What's my experience with pricing, setup cost, and licensing?

    The pricing model is good. Microsoft does the reservations as well. Perfect planning is needed, as, once you reserve the space, you can save up to 30% or 40% of the cost. If you are not doing good planning, then it'll cost you a lot. However, from a costing point of view, it's fair and comparatively low. It's not a costly service.

    Which other solutions did I evaluate?

    I'm not the decision-maker. I was mostly from the Azure Log Analytics Monitoring background, however, when this was released, even the Microsoft CEO and CTO were touting its abilities. Initially, I looked at it for self-interest, and then we thought of implementing it for our labs, and then we found it fruitful. Then we started getting Sentinel projects. 

    What other advice do I have?

    I'm a consultant and service provider.

    It's hosted on a cloud. There is nothing like versioning or anything. It's just software as a service.

    I would rate the solution at around eight out of ten. When we do the migration, there are still few people who are used to it. Not many have hands-on experience. Sometimes we struggle in maintaining gaps.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Amazon Web Services (AWS)
    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    JimMiller - PeerSpot reviewer
    Director Cybersecurity at a pharma/biotech company with 201-500 employees
    Real User
    Good documentation, helps with our security posture and has a straightforward setup
    Pros and Cons
    • "We’ve got process improvement that's happened across multiple different fronts within the organization, within our IT organization based on this tool being in place."
    • "They're giving us the queries so we can plug them right into Sentinel. They need to have a streamlined process for updating them in the tool and knowing when things are updated and knowing when there are new detections available from Microsoft."

    What is our primary use case?

    It's a SIEM tool. Our process right now is to put as much data as we possibly can from all of our network devices into it. We use it as a centralized logging mechanism and the feature that is nice there is that it's agnostic against the types of devices you're using. I have firewalls that can log onto it. I have Linux boxes that can log onto it. I have Windows boxes that can log to it and I can collect a variety of logs from around the organization into it. I can analyze those logs, I can get detections against those logs and use them to take a look at the security footprint of the organization.

    All of the different security centers within Microsoft are alerting systems like Azure Defender ATP, the Security Centers, and Azure. All of those products, when they generate incidents and alerts, send feedback into this tool. With this product, you get a single dashboard for managing your security footprint, both from the 365 Azure environment, as well as your on-premise environment.

    How has it helped my organization?

    From a security perspective, it has clearly improved our alerting in our incident management processes. We've also been able to improve other processes for network monitoring and for trouble remediation within the environment. Our infrastructure team and some of our application team are now plugging into the data that's in that tool as they can use it to find issues within their applications rather quickly - a lot more easily than the other tools that they've got, which has been a huge boom. 

    We also see that some of our help desk processes have now been informed by it. We have queries that run against the data set that's behind that same tool and they are built specifically for the help desk. For example, if a user's account has been locked out due to the fact that we have all of the data from all the different systems plugged into that tool, we can give the help desk a complete picture of authentication failures against that device so that they can quickly identify where the problem is and resolve the issue for the user.

    What is most valuable?

    This system has a list of data connectors and you choose what connects to it. By default, it has access to any of the core Azure data that you have access to, however, those are due to the fact that it lives in that environment. It would naturally have access to that data. Then, you choose which data sources you want to connect to it. Many of them are very easy to set up. They're within the 365 of the Azure portion and a point and click away with a lot of the third-party services. You click a button and do authentication and things connect right up. With some of the Linux, there are setups of Syslogs.

    Microsoft has pretty good documentation. It doesn't take long. It's not hard to set up.

    The biggest feature we've got out of it is visibility into our environment and what's going on across our estate. Being able to see, for example, anomalous RDP logins, to be able to see deviations from our standard traffic flows on the firewalls, things like that, give us insight into when we may have potential issues or a breach type situation.

    The second thing you get is when you’re managing security within the Microsoft environment with Azure 365 you're on-premise you're bouncing between three or four or five, six different tools to do that. This centralizes the management of all of those. You get one pane of glass in all of those tools that give you a very easy way to see what's going on.

    It also allows you to correlate between those tools. I can see if I have, for example, a low-priority incident in one tool. If I have another low-priority incident on the other tool made against the same user, that may force me to say, “Hey, maybe those things combined generate a higher level incident that I maybe need to put up for investigation.” That's the advantage of the tool.

    The solution does not have specific features that have helped improve our security posture. Rather, the whole idea of making security a little bit easier while also being able to correlate data between multiple disparate systems has, as a whole, improved our security posture overall.

    We’ve got process improvement that's happened across multiple different fronts within the organization and within our IT organization based on this tool being in place.

    We were tracking in the neighborhood of 20 to 30 incidents a month coming out of one or two source systems within the environment. What Sentinel has given us the ability to do is move up. We're now evaluating somewhere in the neighborhood of 10 to 12 a day.

    They're much more robust as a product. What we've been able to do is tune the alerts so that the things that are common, that are false positives that we see all the time, we've been able to filter those out and give ourselves this complete picture as things change and work but we're filtering out the standard data sets. There are things we’re going to look at and walk away from as we know they're false positives.

    In terms of receiving false positives, it does take some work to tune the environment, to get it to get rid of all those false positives. It's not ridiculous work, however. I didn't find it to be the hardest problem. It took us a couple of months, doing an hour or so a day to clean them up. Going through that process offered a tremendous amount of learning about the environment. In looking at those false positives, you start to learn things about how people use the environment - things that we didn't realize before. That's extremely valuable for a security team to understand how your assets are used and what your users are doing.

    The end users are barely involved in the process. They see our security team more proactively reaching out to them when they may have a problem. For example, I may have a user who has got an excessive amount of login failures against their ID and it's coming from, say, a mobile phone. We'll see that in the SIEM and what we'll do is reach out to the user proactively. Maybe they've been seeing lockout events, or, most likely, they have been seeing lockout events but they haven't quite figured out what's going on and we'll be able to proactively go to them and say, “Hey, we're seeing this, here's the device it's coming from and here's the action you should take and see if we can fix the problem.” It's given us the ability to reach out to the user. In some cases, it's an incident where we want to reach out, get more information from the user to understand whether it was them or not. In other cases, we're reaching out to them proactively and helping solve problems for them that they may or may not even be aware they're having.

    What needs improvement?

    Microsoft has a number of detections that they bundle with the product and there's a number of detections that are out against GitHub that are available. We have more and more of those going out every day. Microsoft periodically is releasing more updates. I love the fact that they're giving it to us. They're giving us the queries so we can plug them right into Sentinel. 

    We have to do very little editing of the plugins, however, I would love to see the ability to have those queries immediately, as Microsoft updates them. They need to have a streamlined process for updating them in the tool and knowing when things are updated and knowing when there are new detections available from Microsoft.

    For how long have I used the solution?

    I've used the solution for two years.

    What do I think about the stability of the solution?

    The solution has been extremely stable. We haven't had any downtime that I can recall.

    What do I think about the scalability of the solution?

    The scalability is great. It's all backed by the log analytics infrastructure. All of the data that we stuff in it is stuck with the log analytics retention times and data storage capabilities which scale wonderfully.

    We are using it pretty heavily. At this point, we're plumbing pieces of data from all of our systems into it. We're actively in it every day.

    We're constantly adding new data sets too.

    How are customer service and support?

    I haven't used technical support yet.

    In general, the Microsoft technical support unit is okay. There are times when you get help and it's wonderful and there are times when things are not as good. It's not what I would consider the best support I've ever received. That said, they're trying. They could work on their response times.

    Which solution did I use previously and why did I switch?

    We did not previously use a different solution. We did a little bit of data consolidation, however, nothing at this level.

    We adopted Sentinel as we were looking to mature our security footprint. We started looking at tools that could help us do that, and Sentinel was very easy to dig into, primarily due to the fact that you could bite little pieces off at a time. I didn't have to consume a massive cost. I could throw a little bit of data and consume at a pretty minor cost and prove its value before I started increasing my cost.

    How was the initial setup?

    The initial setup is very easy.

    It's a point-and-click Azure environment. You just click the button and say "yep, I want this."

    The solution does not need a lot of maintenance. Once you have the log analytics infrastructure configured, as in your retention times, et cetera, there's your maintenance of the systems that becomes the analytics that you're using. There's a little bit of work that needs to be done there. That was the part that needed some streamlining, however, that's about it. It's managing your rules and your playbooks, et cetera, that needs to be handled.

    What was our ROI?

    It's hard to measure ROI on these types of processes. I can't give hard numbers on what the return is. What I can say is that the organization is much better off having this tool in place than not having it in place. The fact is we are improving processes around the organization and the visibility. We recently had some huge vulnerabilities in Exchange that were being breached, and knowing that we have tools like this in place that have detections to help us establish whether we were having an issue or not was useful. The product helps to make us aware of issues and we're not guessing and not spending too much time digging.

    Which other solutions did I evaluate?

    We did evaluate other options. Most had a larger acquisition cost associated with them. That was obviously a big factor. The other thing that helped the decision was that we live in a Microsoft-centric environment and most of the Microsoft tools were prebuilt and correctly connected very easily.

    What other advice do I have?

    The product is part of the Azure platform - now the Microsoft platform. It's all fully managed by Microsoft at that level. We're using it as a SAFe solution.

    I'd advise potential users to take a good look at your analytical rules and feed it with data. The more data you give it, the more valuable it becomes.

    I'd rate the solution at an eight out of ten.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    PeerSpot user
    Head of IT and security at a tech services company with 51-200 employees
    Real User
    Gives granular and concise information, helps with compliance, and integrates very well with Microsoft stack
    Pros and Cons
    • "The AI and ML of Azure Sentinel are valuable. We can use machine learning models at the tenant level and within Office 365 and Microsoft stack. We don't need to depend upon any other connectors. It automatically provisions the native Microsoft products."
    • "Sometimes, we are observing large ingestion delays. We expect logs within 5 minutes, but it takes about 10 to 15 minutes."

    What is our primary use case?

    Our first use case is related to centralized log aggregation and security management. We have a number of servers at the user level and data center level, and I cannot use multiple tools to correlate all the information. My overall infrastructure is on Azure. We have a hybrid approach for the security environment by using Sentinel. So, hybrid security is one of the use cases, and unified security management is another use case.

    How has it helped my organization?

    It has helped us in three ways. One is IT, one is security, and one is compliance. Before Sentinel, our IT was mature, but our security and compliance were not mature enough in terms of certain controls, client requirements, and global-level regulatory compliance. By implementing the SIEM along with Security Center, we have improved security to a mature level, and we are able to meet the compliance reporting and client requirements for security within the organization.

    It has an in-depth defense strategy. It is not limited to giving an alert; it also does correlation. There are three things involved when it comes to a SIEM solution: threats, alerts, and incidents. Sentinel gives you granular and concise information in the UI format about where the log has been generated. It doesn't only not give the timestamp, etc. This information is useful for the L1 and L2 SOC managers.

    It has good built-in threat intelligence tools. You can configure a policy set and connectors, and you don't need to have any extra tools to investigate a particular platform. We can directly use the built-in threat intelligence tools and investigate a particular threat and get the answers from that.

    We are using Microsoft stack. We use SharePoint. We use OneDrive for cloud storage. We use Teams for our internal productivity and communication, and we use Outlook for emails. For us, it provides 100% visibility because our infrastructure is on Microsoft stack. That's the reason why I'm very comfortable with Sentinel and its security. However, that might not be the case if we were not in Microsoft's ecosystem.

    We are using Microsoft Defender. The integration with Microsoft Defender takes a few seconds. In the connector, you just need to click a button, and it will automatically connect. However, for data ingestion, it will take some time to configure the backend log, workspaces, etc.

    It is useful for comprehensive reporting. We need to prepare RFPs for our clients. We need to do reporting on particular threats and their resolution. So, it is useful for our RFPs and our internal security enhancements.

    It is helpful for security posture management. It has good threat intelligence, and it provides deep analysis. The security engine of Microsoft Sentinel takes the raw data of the logs and correlates and analyses them based on the security rules that we have created. It uses threat-intelligence algorithms to map what's happening within a particular log. For example, if somebody is trying to log into an MS Office account, it will try to see what logs are available for this particular user and whether there is any anomaly or unwanted access. It gives you all that information, which is very important from the compliance perspective. It is mandatory to have such information if you have ISO 27001, HIPAA, or other compliances.

    It enables us to investigate threats and respond holistically from one place. It is not only about detecting threats. It is also all about investigating and responding to threats. I can specify how the alerts should be sent for immediate response. Microsoft Sentinel provides a lot of automation capabilities around reporting.

    With the help of incidents that we are observing and doing the analysis of the threats, we are able to better tune our infrastructure. When we come across an incident or a loophole, we can quickly go ahead and review that particular loophole and take action, such as closing the ports. A common issue is management ports being open to the public.

    It saves time and reduces the response time to incidents. We have all the information on the dashboard. We don't need to go ahead and download the reports.

    There are a lot of dashboards available out of the box, and we can also create custom dashboards based on our requirements. There is also one dashboard where we can see the summary of all incidents and alerts. Everything can be correlated with the main dashboard.

    We can use playbooks and data analytics. We have one system called pre-policy definitions where our internal team can work on the usability of a particular product. We get a risk-based ranking. Based on this risk-based ranking, we will create policies and incorporate data analytics to get the threats and alerts. We are almost 100% comfortable with Sentinel in terms of the rules and threat detections.

    It improves our time to detect and respond. On detecting a threat, it alerts us within seconds.

    What is most valuable?

    The AI and ML of Azure Sentinel are valuable. We can use machine learning models at the tenant level and within Office 365 and Microsoft stack. We don't need to depend upon any other connectors. It automatically provisions the native Microsoft products.

    Playbooks are also valuable. When I compare it with the playbooks in other SIEM solutions, such as Splunk, AlienVault, or QRadar, the playbooks that Sentinel is providing are better.

    The SOAR architecture is also valuable. We use productivity apps, such as Outlook and Teams. If a security breach is happening, we automatically get security alerts on Teams and Outlook. Automation is one of its benefits.

    What needs improvement?

    We are working with a number of products around the cybersecurity and IoT divisions. We have Privileged Identity Management and a lot of firewalls to protect the organizations, such as Sophos, Fortinet, and Palo Alto. Based on my experience over three years, if you have your products in the Microsoft or Azure environment or a hybrid environment around Microsoft, all these solutions work well together natively, but with non-Microsoft products, there are definitely integration issues. Exporting the logs is very difficult, and the API calls are not being generated frequently from the Microsoft end. There are some issues with cross-platform integration, and you need to have the expertise to resolve the issues. They are working on improving the integration with other vendors, but as compared to other platforms, such as Prisma Cloud Security, the integration is not up to the mark.

    The second improvement area is log ingestion. Sometimes, we are observing large ingestion delays. We expect logs within 5 minutes, but it takes about 10 to 15 minutes.

    They can work on their documentation. For Sentinel, not many user or SOP information documents are available on the internet. They should provide more information related to how to deploy your Sentinel and various available options. Currently, the information is not so accurate. They say something at one place, and then there is something else at other places.

    For how long have I used the solution?

    It has been about two years.

    What do I think about the stability of the solution?

    It is stable. They are enhancing it and upgrading it as well.

    What do I think about the scalability of the solution?

    It is scalable. It is being used across all departments. We took it for about 80 devices, but, within 24 hours, we mapped it to 240 devices.

    How are customer service and support?

    Technical support is very straightforward. They will not help you out with your specific use cases or requirements, but they will give you a basic understanding of how a particular feature works in Sentinel.

    How would you rate customer service and support?

    Positive

    Which solution did I use previously and why did I switch?

    We didn't use any other solution in this company. We went for this because as per our compliance requirements, we needed to have this installation in place. About 80% of our environment is on Microsoft, and we could just spin up Azure Sentinel.

    How was the initial setup?

    It is straightforward. Usually, you can deploy within seconds, but in order to replicate an agent on your Sentinel, it will take about 12 to 24 hours.

    We engaged Microsoft experts to deploy the agents across the devices on the cloud. It didn't take much time on the cloud, but for on-prem, it takes some time.

    It has saved a lot of time. Implementing a SIEM solution from a third-party vendor, such as AlienVault OSSIM, can take about 45 days to 60 days of time, but we can roll out Sentinel within 15 days if everything is on Microsoft.

    What about the implementation team?

    For implementation, we have about three people. One is from the endpoint security team. One is from the compliance team, and one is from the security operations team.

    It is a cloud solution. So, no maintenance is required.

    What was our ROI?

    We have reached our compliance goals, and we have been able to meet our client's requirements. We are getting a lot of revenue with this compliance.

    It has saved us money. It would be about $2,500 to $3,000 per month.

    What's my experience with pricing, setup cost, and licensing?

    It varies on a case-by-case basis. It is about $2,000 per month. The cost is very low in comparison to other SIEMs if you are already a Microsoft customer. If you are using the complete Microsoft stack, the cost reduces by almost 42% to 50%.

    Its cost depends on the number of logs and the type of subscription you have. You need to have an Azure subscription, and there are charges for log ingestion, and there are charges for the connectors.

    What other advice do I have?

    I would strongly recommend it, but it also depends on the infrastructure. I would advise understanding your infrastructure and use cases, such as whether your use case is for compliance or for meeting certain client requirements. Based on that, you can go ahead and sign up for Sentinel.

    If you have the native Microsoft stack, you can easily ingest data from your ecosystem. There is no need to think about all the other things or vendors. However, in a non-Microsoft environment where, for example, you have endpoint security from Trend Micro, email security for Mimecast, and IPS and IDS from Sophos, FortiGate, or any other solution, or cloud workloads on AWS, Microsoft Sentinel is not recommended. You can go for other solutions, such as Splunk or QRadar. If about 80% of your infrastructure is on Microsoft, you can definitely go with Microsoft Sentinel. It will also be better commercially.

    I would rate it a 10 out of 10 based on my use case.

    Which deployment model are you using for this solution?

    Public Cloud

    If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

    Microsoft Azure
    Disclosure: I am a real user, and this review is based on my own experience and opinions.
    Flag as inappropriate
    PeerSpot user
    Oluwaseun Oluwatomisin - PeerSpot reviewer
    Cloud Infrastructure and Security Consultant
    Consultant
    Top 20
    Good security orchestration and automation response with very useful AI functionality
    Pros and Cons
    • "There are a lot of things you can explore as a user. You can even go and actively hunt for threats. You can go on the offensive rather than on the defensive."
    • "The only thing is sometimes you can have a false positive."

    What is our primary use case?

    Azure Sentinel is a SIEM solution. It offers security information on an event management solution and also security orchestration automation response. It actually looks into events coming into your environment and events from a lot of sources, or whatever you might have in your network.

    There are a lot of events and logs generated by all of these resources - sometimes in the thousands or millions. Azure Sentinel helps you investigate a lot of these logs faster. It uses artificial intelligence, called threat intelligence, to look into all the events that might be coming into your environment.

    For example, on a daily basis, you might be receiving two million events coming from all the resources you have, including your users. If you're a very big enterprise and you have thousands of users, there are logs coming in from each of these users. You also have some resources, such as your web application, virtual machine, and a lot of your resources that span across both Azure AWS, GCP, and other solution providers like Sophos, Fortinet, Cisco, and your on-premise environment. You can get all these logs together with this.

    What is most valuable?

    The solution is still new, and there are a lot of new things coming out each and every day. Microsoft is trying to improve the solution constantly. In the last two weeks, there was a section of the Azure Sentinel code solutions that was integrated. It's something organizations could explore. Recently, they just included automation rules that you can use with Logic Apps to automate threat responses.

    Azure Sentinel works with artificial intelligence. With AI by your side, you are able to investigate everything very fast. Within a blink of an eye, it's going to help you look into all these things. Before it can do that, however, you need to set up some form of analytics rules to help you look into all the events that might be coming into your environment.

    There's also a security orchestration and automation response. Sentinel is able to identify and spot threats in our environment. We can also set up some automation rules to be able to automate when there is any form of an incident in our environment. For example, if there is a brute force attack on a user account, we can automate a response such that we can block the user account for a time while an investigation is done on that account. There are automation rules that can help to automate responses as well.

    There are a lot of things you can explore as a user. You can even go and actively hunt for threats. You can be on the offensive rather than on the defensive.

    It's quite different from a traditional SIEM solution whereby you need to have a couple of security analysts to be able to help you manage it. All of these traditional SIEM solutions don't have the capability to look into threats as fast. For instance, if a DDoS attack was placed on our web application hosted with a cloud solution provider and we hosted this web application on our virtual machine, if we have a DDoS attack (a denial-of-service attack), we can spot the threats very quickly. AI will also help to stop these attacks before they can do damage.

    You can bring in your own machine learning algorithms to help you look into the threats community environment. If you are someone who's very fast at developing AI, you can have your own custom machine learning set up to help you look into any form of threat. It’s a very powerful tool.

    Recently, I deployed Azure Sentinel for a client. I could tell immediately it was able to spot a lot of threats. Just within an hour, it was able to spot about five to ten threats. Also, at that very moment, Sentinel recorded around 500,000 events coming into the log analytics workspace. Typically, if you have something like 500,000 events coming into your environment and you have to involve the physical human efforts to be able to look into 500,000 events, it's going to be a lot of work - too much for one person.

    The product has a lot of built-in features. There is a lot that it adds, and there is a lot it can do. It's the kind of solution that you can even bring in your own model.

    We have a machine learning model that we train. Apart from it having some kind of already made solution, you can even create your own custom rules and custom machine learning.

    Having to analyze threats every day, as a person, can be stressful. However, when you have something like Sentinel, which uses threat intelligence to be able to help you respond and remediate against threats at scale, it takes the pressure off.

    It can span across your on-premise resources. If you have your own data center, you can deploy Azure Sentinel in the cloud, and you can have it monitor your data center. You can have it working as a solution to your data center.

    As a user, you are able to integrate your on-premise with the data center to Azure Sentinel, in just a few clicks. It’s very simple to use. In just a few clicks, you'll be able to connect Azure Sentinel with your on-premise resources, web server, or SQL server - anything you can think of.

    It can help you investigate threats coming into your laptop. You can connect Azure Sentinel to your personal computer.

    It doesn't affect end users. They don't have access to Sentinel. They don't even see what is happening. They don't know what is happening.  

    A lot of organizations have lost a lot of money due to a loss of virtual information. With this kind of strong security system and some strong security protocols, they are well protected.

    What needs improvement?

    New things are already being incorporated just to improve on the already existing solution.

    There is a GitHub community for this solution. There are a lot of contributors worldwide and a lot of people building playbooks and building machine learning models. Someone can just build a machine learning model and say, "Okay, just mention in the model, 'Do this,' and it does this." There is room for improvement. However, things are improving in Sentinel with the help of this community.

    I've seen playbooks where people have pushed to the GitHub repository, and I've been able to make use of one or two of these solutions on GitHub. That said, it may not be possible to eradicate all of the cyber threats.

    There are webinars going on almost every week. Last week I attended a couple of webinars on Azure security. When you are doing things, you also need to be thinking about the security aspect. You have to be thinking about the security aspect of a cloud. You need to enforce a zero-trust model. You can't assume something cannot harm you, as everybody is a threat to your security.

    The only issue is that sometimes you can have a false positive alert. For example, sometimes it detects something is happening, however, you're actually the one doing that thing. If someone is trying to sign into their environment and provide an incorrect password, they will try it a few times. The system will look at that event and think it's an attacker and it might be an indication of a threat. However, it's just a user that got the password wrong. I consider that a false positive alert. 

    For how long have I used the solution?

    I have been using this solution for about a year now.

    What do I think about the stability of the solution?

    The stability seems to be fine for now. It's not an issue. 

    How are customer service and support?

    I have not really used technical support. That said, on the first day when I was starting with Sentinel, I used technical support for some free advice.

    In the past, I've worked as a Microsoft technical support engineer. I was very good at what I did then. The support person that I spoke with when I needed free advice on that first day was helpful. When I raised a support request to ask a few questions, the support engineer was able to do justice to all those questions and shared some things to put me in the right direction. I appreciated their helpfulness as I used to be that helpful as well.

    Which solution did I use previously and why did I switch?

    There are a lot of solutions Microsoft has that have to do with security. However, they are not what I would describe Sentinel to be. Nothing I have used in the past has been similar to Sentinel.

    How was the initial setup?

    For every project, you need to have your functional requirements. Once you have that in place, the initial setup depends on the number of things you want to bring into Azure Sentinel. It's a powerful tool.

    You can set it to AWS, GCP, DigitalOcean, Sophos, Fortinet, Cisco - even your PC. You can set it up for everything and there is no lagging. It just takes just a few clicks to connect these things. For instance, if you need to get the logs of a user, you just go to the data connector. Once you are in the data connector, you click on Connect. Once you click on Connect, a lot from that environment just comes into Sentinel. Once it's coming into Sentinel, you can create various analytics rules.

    Which other solutions did I evaluate?

    I don't know of similar solutions or if any really exist.

    What other advice do I have?

    The company I work with now is a Microsoft partner.

    It's a very, very powerful tool that I recommend to my customers. I work as a consultant. I advise customers. I do not sell it directly.

    It's something that organizations should use. I would advise people to use it. It doesn't look into only your Azure environment. It spans other cloud solution providers.

    I'd rate the solution at a ten out of ten.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    PeerSpot user
    Arun-Raj - PeerSpot reviewer
    Associate Consultant, SIEM Engineer at a tech services company with 501-1,000 employees
    Consultant
    Gives us better security and allows us to capture all the data in a single console, which we can analyze from the cloud
    Pros and Cons
    • "The best feature is that onboarding to the SIM solution is quite easy. If you are using cloud-based solutions, it's just a few clicks to migrate it."
    • "If we want to use more features, we have to pay more. There are multiple solutions on the cloud itself, but the pricing model package isn't consistent, which is confusing to clients."

    What is our primary use case?

    We have multiple use cases based on the data sources we have onboarded, like Sophos UTM or Firewall.

    We also use Microsoft Defender for cloud and Microsoft Office.

    We have integrated MD with Sentinel to receive alerts. If there are any suspicious activities in any of our resources, MD will create an alert. Once an alert comes through MDC, it is converted to Sentinel.

    It was easy to integrate the solutions. It took about two or three clicks. The solutions work natively together, specifically to give us coordinated detection and response across our environment.

    There is a correlation with the mail-based algorithm. We have an AML model algorithm in Sentinel. It has the capability to catch the pattern of attacks and shows that to us in the Sentinel app.

    How has it helped my organization?

    We mostly have cloud-based solutions, so Sentinel gives us better security. There's a feature that allows us to capture all the data in a single console, which we can analyze from the cloud itself.

    We don't have to use third-party services to check these activities. If we see that one of our accounts is compromised or anything has happened, we can remove that person from other groups.

    There's a feature that allows us to see what is in a secure state and what is in a critical state.

    Sentinel helps automate routine tasks and find high-value alerts. We can have a custom playbook and create automation rules through that. If there is a false positive address, we can do the automation from there. If we want an email notification based on high-activated rules, we can provide the automation rules that will notify us on Outlook or through Teams.

    It minimizes our analyst's workload. Once a high activity comes up, we'll get a notification on Teams. As analysts, they will validate and send us the email or notification within 10 to 15 minutes with more valid data. If there's a playbook with the top 10 critical rules, we can create multiple playbooks and attach them with the data that we want to protect.

    Once that incentive is triggered, we'll get notifications with the full details of that incentive. If high severity comes up, that email is sent to the client, and we do more analysis on that rather than wasting time on the first analysis. We can directly get into the deeper version of the automation.

    If an incident comes up, we have to validate the load and find out the correlation of the users. We can focus on the advanced test rather than wasting time on the previous one. This saves five to ten minutes.

    On a monthly basis, the analyst team saves at least three to four hours with automation. We have multiple rules based on our more critical test. From that perspective, analysts don't want to work more on low priorities because we'll be automatically notified of low and high priorities. We focus more on critical users where the threat is high. By focusing on what is a high priority, our analysts save five to six hours per week.

    We have multiple dashboard views that allow us to see logs coming from different solutions and users who were involved in the previous incident.

    What is most valuable?

    The best feature is that onboarding to the SIM solution is quite easy. If you use cloud-based solutions, it's just a few clicks to migrate it.

    The console is user-friendly. We have almost 120 different types of data, so the solution helps us to onboard different types of third-party services to the SIM solution. We have UB features, and the SOAR capability in the Sentinel server is also a good feature.

    Sentinel's visibility into threats is very good. We have an investigation graph that allows us to see the correlation between the incident and the users. We can see if there are multiple incidents with the same IP address and if there are multiple breaches. We can correlate with the rules and check if any inside threat activities are going on with the malicious site or the malicious URL link that we have onboarded. The threat view provides good visibility.

    We can prioritize threats based on our investigation assets. It's very fast. We're able to see the rest of the threat activities and how impactful they are. Based on the AML algorithm, we can get all the stages of the attack as well.

    Sentinel enables us to ingest data from our entire ecosystem.

    The importance of this ingestion of data to our security operations depends on the data and the type of solutions we have to onboard. We onboard our critical servers and assets to the same solution so we'll have good visibility.

    We're able to investigate threats and respond holistically from one place.

    We can validate the logs from where the logs have been received. By doing the log analysis, we'll be able to find them. It's a straightforward function and isn't very hard.

    There's an incident pane in Sentinel. We have a query package, and we can have a deep dive alert through that, or we can have a deep look into the log. From the console itself, we have a great view of our threats and the current phase we're in.

    We have multiple source features. There are between 20 to 30 in addition to data. Microsoft provides custom features through which we can connect with third-party solutions and correlate the incident. For example, if we have multiple incidents, we can use the SOAR capabilities and correlate them with multiple third-party threats. It's an easier way of understanding whether or not we have a malicious bug.

    We can see how much time our analysts have taken to raise the ticket and how much time they have taken to resolve the issue assets. We can create a dashboard for that. They're able to notify us within five or ten minutes for high priorities. For the medium priorities, it is 10 to 12 minutes. Our detection time for low priorities is within three hours, but our team still performs under 15 to 18 minutes.

    What needs improvement?

    If we want to use more features, we have to pay more. There are multiple solutions on the cloud itself, but the pricing model package isn't consistent, which is confusing to clients.

    For how long have I used the solution?

    We have been using this solution for almost two years.

    What do I think about the stability of the solution?

    The stability is very good.

    What do I think about the scalability of the solution?

    I would rate the scalability an eight out of ten.

    How are customer service and support?

    I would rate technical support a six out of ten. Technical support doesn't understand the features well enough. They will give us links to reference, so we go through those links as a team or Google the solution. We reach out to them if we can't find the solution, but they provide us with the same links and URLs that we've already referred to. It's a hassle because it wastes a week and a half of our time. Their solutions and response time aren't very good.

    How would you rate customer service and support?

    Neutral

    How was the initial setup?

    The setup is based on our data sources. We have a segregated timeframe of two payments. It depends on the client or who is doing the operation. Onboarding on the cloud is pretty easy. It takes just a few clicks from migrating the data sources to getting the logs.

    For an on-premises or third-party software servicer, it will take more time and troubleshooting to do the setup. It won't be hard if you have a good team for the onboarding process. It can be complicated initially, but the rest of the timeframe will involve fine-tuning the logs and creating the custom rules based on your requirement.

    It doesn't require a lot of maintenance. It's pretty simple. We just had to play with it for a couple of months.

    What was our ROI?

    We haven't seen any financial ROI.

    What's my experience with pricing, setup cost, and licensing?

    Sentinel is the best solution that we use. It's a pay-as-you-go model. We can fine-tune the features we want and choose if we want to remove logs. We can also segregate logs, which helps us minimize costs. Sentinel provides free Office 365 and Azure-based logs without pricing assets. When it comes to the third-party solution or our server logs, we just have to do the fine-tuning of the logs.

    The pricing isn't very high. It depends on the number of logs you have. If you're expecting to ingest 50 to 60G in a day, but you're only ingesting 20 to 25G per day at first and you have a good team to analyze the logs, then you can segregate the ingestion at under 15G.

    What other advice do I have?

    I would rate this solution a nine out of ten.

    It's very user-friendly. The only issue is that Microsoft's technical support isn't very good. If you have a good team who can onboard the resources to the solution, then you'll be happy with the solution itself.

    For us, it's better to go for multiple solutions rather than a single suite because we cannot strictly trust one client. If you only have one cloud-based solution, it's better to use Sentinel to secure it. It's helpful to have a good team that can do the monitoring and onboarding smoothly. You can go with one solution if you have a trusted partner. If you don't, then I would use multiple solutions.

    You should purchase the features that Microsoft provides. It's a configured network, so they will correlate with the end resources, RMD, and receiver identity. The fusion-based algorithm rule will detect advanced multistage attacks to stop the attack.

    Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
    Flag as inappropriate
    PeerSpot user
    Buyer's Guide
    Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.
    Updated: September 2022
    Buyer's Guide
    Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.