Microsoft Sentinel Reviews

The primary use case of Microsoft Sentinel is for user and entity behaviors, detecting unauthorized access to services, identifying malicious IP addresses, and preventing brute force attacks on services. These are generic security use cases.

The AI-driven analytics of Microsoft Sentinel have significantly improved our customers' incident detection and response. It reduces the workload and decreases the number of tickets and incidents to triage.

The query language of Microsoft Sentinel is easy to understand and use. It allows querying across numerous agents quickly and efficiently. Being cloud-based, it does not require much hardware to utilize.

While I have not used Microsoft Sentinel extensively to suggest specific improvements, there is always room for improvement. The pricing could be improved, as it is considered quite expensive, especially considering the costs for workspace, Sentinel, and storage.

I have been working with Microsoft Sentinel for a good three years.

The stability of Microsoft Sentinel is rated ten out of ten. It is considered highly stable.

Microsoft Sentinel is very scalable because it is a cloud service and does not rely on our own resources. It depends on the payment capacity, however, it is considered very scalable overall.

The customer service and support for Microsoft Sentinel are quite good. They provide numerous articles and training materials and are quick to respond, usually within an SLA of two to three hours.

Neutral

The initial setup of Microsoft Sentinel can be challenging, with a learning curve. Configuring a workspace and adding connectors can be complex, especially for those not familiar with Azure or Microsoft. I would rate the setup around five or six out of ten.

The pricing of Microsoft Sentinel is considered expensive, particularly due to the cloud-related costs for workspace, Sentinel, and storage.

I am still quite new to Microsoft Sentinel, so I can't provide specific advice or recommendations. It is a good product with capabilities that might not be found in other SIEM solutions.

I'd rate the solution eight out of ten.

We provide managed security services to customers in Myanmar using Microsoft Sentinel as a cloud media SIEM. Most of the use cases involve retention, and we use all the features of Microsoft Sentinel. We also use other Microsoft security products like Defender for Endpoint, and most of them are integrated with Sentinel. 

Microsoft Sentinel is a cloud-native SIEM solution, so it helped us reduce our infrastructure costs and deliver better services to our customers. We don't need to pay upfront costs because it is in the cloud. We used an open-source SIEM solution before implementing Microsoft Sentinel, but that wasn't satisfactory for our customers. Sentinel helped us provide more robust managed security services to our customers.

It consolidated multiple dashboards into one and helped us be more proactive. However, our team is still trying to mature to a level that we can adopt a more preventative approach to security. Sentinel significantly reduced our detection time. Without Microsoft Sentinel, our SOC analyst might take 30 minutes to an hour to detect an issue, but now it's practically in real-time. 

The biggest advantage of Sentinel is scalability. In addition, we don't need to worry about paying for infrastructure costs upfront. It gives us the flexibility to choose the kind of infrastructure based on each client's needs. Sentinel is also much simpler than other SIEM solutions. The UI is smoother and easier to use.

Native integration with Microsoft security products or other Microsoft software is also crucial. For example, we can integrate Sentinel with Office 365 with one click. Other integrations aren't as easy. Sometimes, we have to do it manually. 

The bi-directional sync is helpful. For example, we have one client using our managed security service, but they don't want to use Microsoft Sentinel. If those products are not syncing or if the solution is not bi-directional, some alerts may be missed. It's essential for both portals and the two folders to be in the same channel it's pushing. The UEBA features are also perfect. We don't see the same caliber of user behavior analytics in other SIEM. Microsoft's UEBA is great for our SOC analysts. 

Microsoft threat intelligence and UEBA still have some room for improvement. There are currently only two connectors available for Microsoft threat intelligence. the threat intelligence platform and the FTIA commander.
Sentinel should offer another option for a third-party threat intelligence platform. There are lots of open-source threat intelligence solutions available. 

Threat handling could be great for our team and for our SOC analyst, but some are unusable depending on our SOC analytics.

Sentinel can ingest data from most of our ecosystem, but some data cannot be called up. For example, if an SAP product is hosted, it will do a specific version, but it cannot be called back to Sentinel. It cannot be directly connected to Sentinel.

Our team has been using Microsoft Sentinel for about two and a half years.

I rate Microsoft support a seven out of ten. They take too long to respond, but sometimes they are great. 

Neutral

We previously had an open-source SIEM, but it lacked the detection and automation capabilities of Sentinel.

The initial deployment was straightforward but configuring integration for some of our projects was challenging because there are few connectors for solutions like Cisco. I rate Sentinel a five out of ten for ease of setup. 

We performed our integration in-house, but sometimes we get support from Microsoft.

Sometimes, it is hard for us to estimate the costs of Microsoft Sentinel.

I rate Microsoft Sentinel a nine out of ten. I recommend it, but it takes time to evaluate because Sentinel is unlike other cloud solutions. 

Microsoft Sentinel is basically a major log, on top of which you can build queries that can analyze the data you get. It's used to build up security operations centers. In addition, it is a SIEM and SOAR solution.

The first benefit is that you have one place to close incidents. That's definitely an advantage. 

Another benefit is KQL, Kusto Query Language, and the analytic rules with which you can spot suspicious behavior of all kinds. It's definitely a step up when it comes to security. You see the benefits almost instantly.

In addition, automation helps prioritize what needs to be looked at, and what can just be closed and forgotten.

And when you combine the threat intelligence with Defender for Endpoint's recommendations, it's a really strong way to protect things or be proactive when it comes to security, with the CVEs, et cetera.

Overall, our Microsoft solution saves time. Without it, you might have to navigate six or seven portals, but with it, you only have to look at one place, and that saves some time. Most of the time, it eliminates having to look at multiple dashboards and gives you one XDR dashboard. Ideally, that should make working with IT security easier. It also decreases the time it takes to detect and respond.

As a consultant, none of the customers I work for has been hacked or has been close to being hacked. That would be the best way to judge if it saves money because just putting Sentinel on top of all these security products doesn't save you money. It's possible it saves you money. 

I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals when it comes to incident response.

The solution helps prioritize threats across your enterprise and that is quite important. There is a concept called "alert fatigue," and Sentinel can also cause that because it detects so many false positives. But usually, the high and medium risks it identifies are things you need to take a look at. So prioritization is quite important.

We also use Defender for Cloud, Defender for Endpoint, and Defender for Cloud Apps. It's quite easy to integrate these Microsoft products because they can easily communicate with other Microsoft products. The tricky part is to integrate other vendors' products, like Cisco or Linux, with Microsoft Sentinel. The actual integration is easy, but they generate a lot of data. But with its entire Defender suite, Microsoft is trying to cover everything in Azure and that is a really strong point.

Sentinel enables you to ingest data from your entire ecosystem and that is vital, but sometimes it's a bit hard to figure out what data you actually need.

Also, the UEBA is a neat feature.

The built-in SOAR is not really good out-of-the-box. The SOAR relies on logic apps and you almost need to have some kind of developer background to be able to make these logic apps. Most security people cannot develop anything, but if you want to make full use of the SOAR part of Microsoft Sentinel, you need to be able to develop these logic apps. You can say, "Okay, that's simple," but it's not simple for someone who doesn't develop.

Also, the bi-directional sync in Microsoft Defender for Cloud should be enabled out-of-the-box. Otherwise, while you can close incidents in Sentinel, they will not be closed in all the other portals. That is really important.

In addition, the watch list could be improved. Microsoft could develop some analytic templates based on these watch lists, for example.

And if you don't have any KQL knowledge, Sentinel is actually quite hard to use or to get the most out of.

I have been working with Microsoft Sentinel for approximately one year.

It's a stable solution.

My clients are looking to increase their usage of Sentinel. Every time I look, there is a new data connector, so it seems like it's a product that is constantly in development.

I haven't used their technical support.

The initial deployment, for me, is not really complex. It takes one hour or less. But to be able to use Sentinel to its full capabilities, you must definitely know something.

In terms of an implementation strategy, you need to really think ahead about who should be able to do this, and who should be able to do that, and respond to that, et cetera. A proof of concept would include dealing with the architecture, gathering initial data sources and/or automation, and then learning how to navigate in Sentinel. One person can do it.

My clients are enterprise-level companies and the solution requires maintenance. It includes updating analytics, importing, and creating new analytics. It depends on the company. If you have 100 employees, one employee might be enough to maintain things, but if you have 10,000 employees and 10,000 devices, you might need more employees.

No license is required to make use of Sentinel, but you need to buy products to get the data. In general, the price of those products is comparable to similar products.

My advice is to start out with a little bit of data and build on top of that. Don't enable too many data connectors in the beginning. Get familiar with the product, and remember to work with Sentinel every day. That's the only way the product gets better.

It comes with some out-of-the-box analytics, but to get the full and best usage out of it, you have to really keep developing it with hunting queries, analytics, et cetera. The visibility provided by the built-in analytics rules, what they detect, is rather good, but Microsoft Sentinel requires ongoing work. It helps automate routine tasks as well, but that's not something that comes "for free." It also requires ongoing work.

Threat intelligence is something that you must be more than just a novice in Sentinel to make use of.

Overall, I find Sentinel to be a really strong solution. Sentinel is where you can see the overall security status of your company. I really enjoy working with Microsoft Defender and the entire suite, combined with Microsoft Sentinel.

We use it to protect our Office 365 environment. We can also deploy it for the entire infrastructure, including on-premises, firewalls, and also users' devices.

I'm a partner with many customers using Sentinel. Some are small companies but I also have many banks that have implemented the solution.

It has helped to improve security posture because it's based on machine learning. You can protect the whole environment. While other solutions are based on rules, and you have to put rules in place to protect things, Sentinel is smarter because of the machine learning.

For example, one of my customers is a bank that was attacked by ransomware. They were using Symantec and it could not detect the attack. When we put in Sentinel, within 15 minutes it detected the malware and stopped the attack.

The most valuable features are its threat handling and detection. It's a powerful tool because it's based on machine learning and on the behavior of malware.

I have been using Microsoft Sentinel for one and a half years.

It's a stable solution.

It's a cloud solution so Microsoft handles the scaling. We haven't had a problem with performance because Microsoft is in charge. It's done automatically.

It's definitely the best technical support. When you open a new ticket you get a response within a maximum of one hour. You can open a case with Microsoft 24/7.

Positive

I used QRadar. I switched because QRadar is not smart and there was too much manual work.

It's easy to implement and not very hard to put it into production.

The deployment time depends on the customer's needs. It can be deployed in one hour. But if they have many end users and many servers, it can take one week. After that, you have to wait for the machine learning to learn the environment and start the detection.

The implementation strategy also depends on the environment. If it is an Office 365 environment, we can start by protecting email, the shares, and the docs. After that, we can move to the end-user machines. But it depends on the project.

Deployment and maintenance requires a maximum of three people. One would be an admin, one would be a security leader to maintain the solution, and the third would be a project manager. It also depends on the project, but in general, there will be two or three people involved.

It is certainly the most expensive solution. The cost is very high. We need to do an assessment using the one-month trial so that we can study the cost side. Before implementing it, we must do a careful calculation.

Something that could be improved is the documentation of the cost because there is none. All the other features are documented, but the pricing is not very clear.

The Office 365 connectors to Sentinel are free, as is the support.

Sentinel is generally the last option we go with because of the cost. Customers have their solutions but they contact us and say, "Okay, we have our solution but it's not smart. Can we move to Sentinel?"

I recommend implementing Sentinel because it's certainly the most powerful SIEM tool. It detects all malware based on the behavior of many things, including the files and anomalies. It detects things automatically.

We use it to monitor the cloud for any security issues. We are using it as a SIEM for our cloud workspace.

The most valuable feature is the UEBA. It's very easy for a security operations analyst. It has a one-touch analysis where you can search for a particular entity, and you can get a complete overview of that entity or user.

There is also something called workbooks in Sentinel that help us to monitor the complete cloud data and it gives knowledge about, and visibility into, our security posture.

It integrates seamlessly with Microsoft products, especially Office 365 and our Azure workspace, whether it's the Application Gateway or Azure DDoS or Azure Firewall. It has native integration that works very well.

You can also monitor Zero Trust security from Microsoft Sentinel.

There are a number of points they can improve. For example, if I see an alert and I want to drill down and get more details about the alert, it's not just one click. In other SIEM tools, you just have to click the IP address of the entity and they give you the complete picture. In Sentinel, you have to write queries or use saved queries to get details. For a security analyst, when there is an incident, it takes a lot of time to write queries, investigate, and then execute.

For example, if you want to search a particular entity or an IP address, or search the complete log instead of just the security alerts, it takes time to write a query for that. The MTTR is a little high, as is the mean time to investigate, compared to other SIEM tools.

I would also like to have more resources on KQL queries.

And using the data connectors is not straightforward when you want to create a use case that is not out-of-the-box. Creating a custom use case is a challenging process. You need to understand KQL queries and the support for regex is limited.

I've been using Microsoft Sentinel for between six months and a year.

The availability is good. But when you compare the stability with Splunk or ELK or QRadar, it still needs to be more reliable and stable, not from an installation or administration perspective, but when it comes to security operations.

We collect data from between 3,000 and 4,000 users, and our cloud workspace is somewhere around 100 or 200 servers.

The scalability is good because it has Azure in the back end.

We are still deciding whether to migrate completely to Sentinel or not. We are using two SIEM solutions in parallel. The other solution is LogRhythm. From an analyst perspective, Sentinel has to evolve more. Once it does, we can think of migrating to it fully.

The installation was straightforward and easy. With Azure Resource Manager, it was easy to deploy, and it was a straightforward integration, in terms of configuration, to connect the Log Analytics workspace with Sentinel and the solutions that Sentinel has.

Deploying the solution hardly took four hours, and the initial configuration took a single person one day, meaning eight hours.

We used to have an on-prem solution and we moved our workload to the cloud. Our users did not face any challenges or difficulties as a result.

We are still in the process of getting our ROI. We are waiting for the solution to improve and mature.

Sentinel is pretty competitive. The pricing is at the level of other SIEM solutions.

I have experience with Splunk and QRadar and they are the best. They are equivalent, one with the other. Both the solutions are mature enough, having been in the market for quite some time. They know what they're doing and are easy to use from an analyst's perspective. Both are scalable solutions as well.

The drawback of these two solutions is that it takes a little bit of time to do integrations, especially for Azure workloads, as they're not in-built in Azure.

Always record your KQL queries and stick to the basics.

We use Microsoft Sentinel for providing managed services and for security use cases, which include detecting anomalies or security events and collecting security events from various data sources.

What is most useful, is that it has a good connection to the Microsoft ecosystem, and I think that's the key part. If you are running the Microsoft ecosystem, you are running Azure and Microsoft 365 and have all of the security providers in that environment, for example, the E5 license, then Sentinel can easily collect those events and handle them within the same Azure environment. That, I believe, is the key point here.

Multi-tenancy, in my opinion, needs to be improved. I believe it can do better as a managed service provider.

It's a fairly mature product now.

Pricing could also improve, it's a bit expensive.

I have been working with Microsoft Sentinel for approximately two years.

There are private tenants, but it is deployed in a public Cloud.

Microsoft Sentinel is a stable solution.

Microsoft Sentinel is scalable. As it is in the cloud, you simply pay more. It's expensive, but it's very easy to scale.

We haven't used Microsoft's technical support. We rely on the online knowledge base. Essentially, the entire internet is based on the information they have. As a result, we have never contacted technical support. It hasn't been required. I suppose it's fine. We didn't use technical support in that sense. I would say that it's good.

I am familiar with SIEM. 

We run several CM systems as well as a security operation center.

I have worked with Microsoft, IBM, and McAfee. McAfee has an older CM, and we use Elastic as well.

Within the same cloud environment, it is very simple to set up and begin collecting data.

Microsoft Sentinel is expensive.

If you have the funds, I would recommend it. I think the pricing is important; it's quite expensive, but if you have that, I think I would recommend it. The advice is to think carefully about what data you send to the platform because it is costly. The price is data-driven, so make sure you know how much data you will send and that you only send what is required. That, I believe, is the key point.

We are Microsoft partners.

I would rate Microsoft Sentinel a seven out of ten.

We primarily use the solution for the surrounding management. 

The correlation is very useful.

We like that it is an integrated platform. 

It's very much an agile product.

Everything works very well across the product.

The initial setup is very simple and straightforward. 

It is a scalable solution. 

The performance has been good.

We'd like to see more connectors.

The solution needs to offer a bit more advancement, enhancement, and scalability with other products as well, including the market competitors.

The solution is stable. The performance is good. There are no bugs or glitches. 

The server is scalable.

We haven't really used support all that much. That said, we haven't really had issues with them.

Positive

I've worked with other solutions, including, for example, Splunk. For me, each solution has a limitation when it comes to some use cases. It all depends upon the business strategies. 

The initial implementation is very easy. It's straightforward. It's not complex or difficult at all. A company shouldn't have any problems executing a setup.

The deployment process itself is very quick. It only takes maybe 30 to 40 minutes. 

We don't really need any maintenance on the solution. We're usually required to do maintenance when the agent determines it.

We did not require any third parties when it came to setting it up. We didn't use any integrators or consultants. The implementation was handled by in-house personnel. 

There is a community version. Whether or not the pricing is expensive depends on what a company needs and if it covers its requirements. I've been satisfied with the pricing so far. I don't find it overly expensive. 

You do pay a subscription fee for the service if you aren't using the community version. 

We're always happy to evaluate any other products on the market.

We are a gold customer.

I would recommend the product if it made sense for an individual company's use case. 

For the people who are on the cloud, I would suggest they go for Sentinel regardless of any other SIEM. It will do a good integration with other solutions, and with other cloud providers while providing a holistic view as well.

I'd rate the solution an eight out of ten.

We are using mixed solutions. We are currently working with IBM solutions and Azure system services. We are using two SIEM solutions: Azure Sentinel and QRadar. Azure Sentinel is covering our cloud-based solutions, and QRadar is covering our on-premise solutions.

The best functionality that you can get from Azure Sentinel is the SOAR capability. So, you can estimate any type of activity, such as when an alert was triggered or an incident was found.

It integrates with Azure AD, Power BI, and other Microsoft solutions. It is very good in our view.

It would be good to have some connectors for third-party SIEM solutions. Many customers are struggling with the integration of Azure Sentinel with their on-premise SIEM. Microsoft is changing the log structure many times a year, which can corrupt a custom integration. It would be good to have some connectors developed by Microsoft or supply vendors, but they are not providing such functionality or tools.

It can be expensive for customers. Currently, we are not using Sentinel to collect logs from on-premise devices. The main reason for that is the budget because you need to pay for the internet traffic. You also need to calculate how much you can upload to the Azure site. 

I have been using this solution for one year.

It is stable, but it is also related to your country. I'm working in Kazakhstan, and sometimes, we have some problems with the internet connection at the government level. Sometimes, for some reason, which could also be political, they disable the internet connection, and we lose the connection to the Azure environment. It might be good for our country to have a private link to the Azure cloud environment to avoid such cases.

We have a lot of Microsoft partners who are helping us. Therefore, support is not a problem for us.

We have QRadar for our on-premise solutions. QRadar has a lot of connectors out of the box. It has a lot of predefined and pre-deployed connectors that you can use. 

QRadar also has a lot of good correlation rules. From a customer's point of view, it is one of the best solutions because you don't need to create correlation rules from scratch. You just review them and customize them as you want.

QRadar supports using SQL queries. Sentinel uses KQL, but you need to learn it from scratch.

QRadar doesn't have a SOAR system by default. You need to purchase it additionally, which is the main problem with QRadar.

It was easy.

We had some introduction to the system from a Microsoft Partner, but most of the analytics and playbooks were created by us.

For us, it is not expensive at this time, but if we start to collect all logs from our on-premise SIEM solutions, it will cost more than QRadar. If we calculate its cost over the next five or ten years, it will cost more than what we paid for QRadar.

Microsoft is proposing an identity management solution for Azure Active Directory systems and the Azure Cloud system, but we need an on-premise solution that can help us achieve the same with, for example, IBM. I know that Microsoft has a cloud-based solution, and previously, Microsoft provided an on-premise solution, but it is deprecated or no longer supported. It will be good to have such a service on-premises.

I would rate it an eight out of ten.