Harsimran Sidhu - PeerSpot reviewer
Security Analyst at SecureOps
Real User
Has a fast log query feature and can detect what type of attack is occurring
Pros and Cons
  • "The log query feature has been the most valuable because it's very good. You can put your data on the cloud and run queues from Sentinel. It will do it all very fast. I love that I don't have to upload it to an Excel file and then manually look for a piece of information. Sentinel is much faster and is good for big databases."
  • "If I can use Sentinel offline at home and use it on a local network, it would be great. I'm not sure if I can use Sentinel offline versus the tools I have."

What is our primary use case?

We actually use it for queuing logs and checking log systems that we have downloading from other devices to see if there are any issues. For example, if we get an alert, then we triage it and query the logs and the devices that we're looking for.

How has it helped my organization?

Microsoft Sentinel has greatly increased our security. We can quickly complete our investigation by using Sentinel and get to the results and escalation points.

What is most valuable?

The log query feature has been the most valuable because it's very good. You can put your data on the cloud and run queues from Sentinel. It will do it all very fast. I love that I don't have to upload it to an Excel file and then manually look for a piece of information. Sentinel is much faster and is good for big databases.

Microsoft Sentinel is able to figure out what type of attack is occurring. It will tell you whether it is a DDoS attack, whether someone's trying to scam the site, or if someone is doing a group force attack. That is, Microsoft Sentinel will actually tell you what it is based on the type of activities it's seeing on the web server. It's a smart tool.

If I'm typing queries, it knows what I'm looking for.

What needs improvement?

If I can use Sentinel offline at home and use it on a local network, it would be great. I'm not sure if I can use Sentinel offline versus the tools I have.

Buyer's Guide
Microsoft Sentinel
May 2025
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
857,028 professionals have used our research since 2012.

For how long have I used the solution?

I just started using Microsoft Sentinel and have used it for two months.

What do I think about the stability of the solution?

As for availability, I haven't seen any downtime or any issues with the services yet. The stability looks like it's 99.9% and is great.

What do I think about the scalability of the solution?

I believe that Sentinel is good at scaling up their database or services. We are a large company with big data and have thousands of users.

Which solution did I use previously and why did I switch?

I have used Splunk, which has similar log type of queries. I feel that Sentinel is smarter. It is able to detect what type of attacks are occurring, unlike Splunk, which is just a query log tool.

There's Elastic ELK, which is similar to Splunk, but it isn't a smart tool like Sentinel is. 

Sentinel is at the top of the tools that I've used so far in terms of smart tools.

What's my experience with pricing, setup cost, and licensing?

Pricing is pay-as-you-go with Sentinel, which is good because it all depends on the number of users and the number of devices to which you connect.

What other advice do I have?

If you're using the cloud and Azure, I would really recommend Sentinel as it will keep making sure that the devices that you have in your environment are safe. Sentinel is very smart at detecting what type of attack is occurring and is actually able to detect and tell us the type of hash file. It is able to go on the internet, look at VirusTotal, and see if this is a virus, scam, or phishing. I like how it's able to detect it and how we can make it learn what type of spam or email issue query it is. So, it's a very adaptive type of tool.

I would rate Microsoft Sentinel at ten on a scale from one to ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1720041 - PeerSpot reviewer
Technical Lead at a manufacturing company with 10,001+ employees
Real User
Powerful, with great performance and a seamless user experience
Pros and Cons
  • "It's pretty powerful and its performance is pretty good."
  • "If their UI was a bit more streamlined and easy to find when I need it, then that would be a great improvement."

What is our primary use case?

We primarily use many Microsoft products, including Microsoft 365 with a focus on the security aspect. We have Defender for endpoints and Defender for servers. We also use Azure Sentinel with these.

How has it helped my organization?

This product has improved the way our organization functions. I won't be able to provide exact metrics as I don't directly work with metrics, however, from an improvement perspective, it is just a more streamlined deployment. 

We also use Intune as part of the MDM. If there are any agents that need to be deployed, then we can use that or we can just configure Windows from MDM directly. A lot of things can be just set up out-of-the-box and are ready to go and it sends logs right to Azure Sentinel. Therefore, while I don't have hard numbers, it's definitely made deployments easier and is much less time-intensive for our organization.

What is most valuable?

Coming from other SIEM solutions, Sentinel seems to be pretty good. 

It's pretty powerful and its performance is good.

The most powerful aspect is the whole integration with the Microsoft ecosystem. If you have the Microsoft 365 subscription, E5, then it integrates pretty seamlessly with everything you're trying to do. 

You obviously have connectors with other third-party, non-Microsoft stuff as well. They have pretty good integration with those. 

Azure Sentinel has a lot of built-in analytics rules, that help us get started in terms of triggering anomalous activity. In terms of performance, they're pretty fast. I've used QRadar and Splunk. Compared to Azure Sentinel those are pretty slow. Some searches in Sentinel are pretty instantaneous. For bigger searches, it's a very noticeable and impressive turnaround.

There are a lot of features that I don't touch just because I'm in the SOC. That said, I know customers have deployed different items that are quite useful. 

The end-user experience is good. It's just pretty seamless. When I was onboarded, it was just a simple download and then a sign-in to my account. It'll basically configure everything for you and download the necessary stuff that the company has defined - including Defender, et cetera. 

What needs improvement?

Microsoft needs to stop renaming their stuff. A lot of their products are very confusing due to the names they choose. The first time I heard of Defender I assumed it's just their antivirus, anti-malware, or a package that covers those things. However, there's Defender, Windows Defender, and then there's Defender for Endpoint, and there's also Defender for servers, et cetera. That really needs to be streamlined. As far as Defender's concerned, they want just a protective device. The differences are confusing.

Maybe it's a transitional choice, however, they've been doing a lot of migrations to a new portal in the security center or office privacy center. There's a bunch of portals where some things are repeated or duplicated. You have the same features in the portals, yet, in some cases, there are some things that you have to go to one portal and not the other, as it hasn't been migrated or the feature is just not there.

If their UI was a bit more streamlined and easy to find when I need it, then that would be a great improvement.

For how long have I used the solution?

I've been using the solution for one year.

What do I think about the stability of the solution?

The stability is pretty good. However, there is one flaw. We did have an issue where Microsoft had some issues with some components that caused issues with their cloud. It might have been an authentication issue or something like that, however, it basically took down everything. We weren't able to work. While integration is good if something comes from one vendor and if that vendor goes down, then everyone is pretty unhappy.

What do I think about the scalability of the solution?

While at my previous organization we had about 50 or 60 users, as a small company, we had customers that could have users in the thousands.

I didn't notice any scalability issues, and therefore I assume it's quite good. With respect to Azure Sentinel, I've never had an issue.

As far as I know, we're using pretty much everything that Microsoft has from a security perspective. I don't know how we can expand anymore.

How are customer service and support?

I've never had to call technical support or reach out to technical support, therefore, I can't speak to how they operate.

Which solution did I use previously and why did I switch?

I've previously used SentinelOne for endpoints and antimalware, et cetera, and Splunk for the SIEM.

How was the initial setup?

I was specifically working in SOC; I was more responsible for the day-to-day operations. Unfortunately, I cannot speak to the deployment so much. I would not have information on the implementation strategy, for example.

What about the implementation team?

We handled the deployment internally.

What's my experience with pricing, setup cost, and licensing?

I was in the SOC. I don't deal directly with that pricing. They do have multiple licensing levels. It's just about knowing what you need. One good thing about Microsoft is that they do have quite a few options depending on your needs. That said, sometimes it could be hard to pick because there are so many. 

As an organization, you need to understand the company's needs. For example, if you don't have a security team to look at your alerts or to set up all the stuff, then you probably don't need some of their most expensive services. You need to purchase the subscriptions accordingly if you're able to leverage them.

They have premium and enterprise subscription levels. I don't know what the standard would be. They have E3 and E5 level licensing. I don't know off the top of my head the differences, however, E5 likely has more security features. Companies need to be aware of all the differences.

Which other solutions did I evaluate?

I was not part of any evaluation process. I came to the company afterward. 

What other advice do I have?

I'm not sure which version of the solution we're on. We have another team that does the deployment and they would take care of the versioning, et cetera, however, we usually run the latest.

Microsoft makes Windows. They know their stuff. Having everything streamlined can be time-saving. It's good to have an integrated system rather than using something else. You don't need to jump through a lot of hoops or install additional software in order to get everything up and running.

I'd rate the solution at an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Matthew Hoerig - PeerSpot reviewer
Lead Consultant at Trustsec Inc.
Real User
KQL queries provide rich detail to help correlate security events across the Azure environment
Pros and Cons
  • "If you know how to do KQL (Kusto Query Language) queries, which are how you query the log data inside Sentinel, the information is pretty rich. You can get down to a good level of detail regarding event information or notifications."
  • "There is some relatively advanced knowledge that you have to have to properly leverage Sentinel's full capabilities. I'm thinking about things like the creation of workbooks, how you do threat-hunting, and the kinds of notifications you're getting... It takes time for people to ramp up on that and develop a familiarity or expertise with it."

What is our primary use case?

It is a tool for compliance for us. Every department and agency in the government is trying to get to the cloud as fast as they can. Because of that, there's a lot of SA&A work—service authorization and accreditation. In that, you're assessing the environment against a set of controls. We use Sentinel to provide us with a core piece of evidence that ensures these environments are compliant.

What is most valuable?

If you know how to do KQL (Kusto Query Language) queries, which are how you query the log data inside Sentinel, the information is pretty rich. You can get down to a good level of detail regarding event information or notifications. It's all about how detailed and accurate your queries need to be and what log sources you are actually ingesting log information from. Sentinel is that central piece that allows you to correlate security events across your Azure environment. It's a pretty critical piece of the puzzle.

You can create both custom connectors as well as use the canned connectors that Sentinel ships with. When you start the service, those connectors will look at on-prem log sources and ingest them. So Sentinel works both in the cloud and on-prem.

What needs improvement?

There is some relatively advanced knowledge that you have to have to properly leverage Sentinel's full capabilities. I'm thinking about things like the creation of workbooks, how you do threat-hunting, and the kinds of notifications you're getting. There are a lot of pieces in motion with Sentinel to use it effectively. It takes time for people to ramp up on that and develop a familiarity or expertise with it.

Does it need to be simplified? There is that old saying: "The simpler the front end, the more complex the back end." A novice would probably not be able to effectively use Sentinel unless they were able to ramp up pretty quickly on a lot of its functionality. You need to understand the interfaces and all the components that are part and parcel of the service.

For how long have I used the solution?

I've been involved with Sentinel since early 2018. Sentinel was only acquired by Microsoft four or five years ago.

I own a professional services company and I do a lot of government consulting and engineering work for clients. I've had good exposure to Microsoft technology, whether through their support services, or through Azure, or through a myriad of on-prem solutions as well. My partnership efforts have really been around AWS because, outside of government, AWS has a far larger footprint than Microsoft, as far as the cloud is concerned.

What do I think about the stability of the solution?

The stability of Sentinel is fine, as long as those who are configuring the service and using it have a good grasp of its operational nature. It takes time to develop that knowledge, but it's a pretty stable service.

How are customer service and support?

Microsoft has a service called FastTrack, which basically pairs my clients up with a local Microsoft partner. That FastTrack partner is the intermediary between the client and Microsoft. If there's a problem or a support issue, that partner will typically be the client-facing entity.

Larger departments will purchase Premium Support and that provides them with a more face-to-face support experience with Microsoft personnel, specifically. Many of my clients are larger departments and, generally speaking, there is pretty good support in place for them from Microsoft.

Most clients are looking at getting E5 licensing, which opens up a whole bunch of security features and support services. But E5 licensing is pretty darn expensive. So bigger departments with bigger pockets have a very good support experience with Microsoft. The smaller departments, which may need to take advantage of services like FastTrack, assuming that the Microsoft partner has good resources available, may not have a problem at all. But I have heard some feedback that FastTrack is not a great program. Support is only as good as the weakest link in the chain.

What's my experience with pricing, setup cost, and licensing?

My job as a consultant is to work with many different departments and agencies, whether it's on their architecture or assessing their environments, as they all move to the cloud. I've seen many different environments and a lot of them have some common overlaps in terms of security services. Sentinel can be expensive. When you ingest data from sources that are outside of the cloud, you're paying a fair amount for that data ingestion. When you're ingesting data sources from within the cloud, depending on what your retention periods are, it's not that expensive. For certain customers, depending on the requirements, it can be a pricey service.

What other advice do I have?

Personally, I like the tool. From a SOC perspective, the visibility into government operations in particular is key, and I'm seeing a lot of advanced usage of it for some of my clients.

The federal government, here in Canada, has primarily centralized on Azure as opposed to AWS. That's because most of these departments also have SaaS environments that are M365-centric. As a result, because they are already Microsoft on the SaaS side, a lot of departments maintain that Microsoft synergy, even if, in my opinion, AWS is a better platform.

As a cloud SIEM, I would rate Sentinel at an eight out of 10. The only reason I'm not ranking it higher is that, as I said, there is some complexity with it. You have to tweak the service to get the outputs you want, by doing things like creating workbooks or rules for Sentinel, doing the threat-hunting, setting up the connectors, the log analytics, and workspaces. There's a lot of "heavy lifting" done to get Sentinel into a state where you can effectively use it. But as far as the actual outputs are concerned, if you know what you're doing with the queries, Sentinel is a great tool.

Microsoft offers training around Sentinel. In our region, among the support guys that deal with the government departments and agencies, there are some Sentinel subject matter experts available. And when more advanced knowledge is needed, Microsoft can provide what are called "support ninjas." They have more advanced knowledge and can be flown in from wherever. There are a lot of opportunities to learn how to properly use Sentinel's tools. Once you get that familiarity, Sentinel is a valuable tool for your cloud security posture.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Cloud and DevOps Architect at a financial services firm with 11-50 employees
Real User
Improves our security posture by using automated threat detection, but the learning curve needs to be faster
Pros and Cons
  • "Having your logs put all in one place with machine learning working on those logs is a good feature. I don't need to start thinking, "Where are my logs?" My logs are in a centralized repository, like Log Analytics, which is why you can't use Sentinel without Log Analytics. Having all those logs in one place is an advantage."
  • "The learning curve could be improved. I am still learning it. We were able to implement the basic features to get them up and running, but there are still so many things that I don't know about all its features. They have a lot of features that we have not been able to use or apply. If they could work on reducing the solution's learning curve, that would be good. While there is a training course held by Microsoft to learn more about this solution, there is a cost associated with it."

What is our primary use case?

On Azure, we have workloads on virtual machines, Kubernetes clusters, and SQL Servers. The way Sentinel works is that logs from our Kubernetes services, virtual machines, and database servers go into what is called Log Analytics on Azure. Log Analytics connects to Azure Sentinel, then all the logs move from the resources to Log Analytics down to Sentinel. Sentinel is configured to do some form of threat detection on these logs. For example, there is a firewall log connected to Log Analytics. Sentinel looks at those firewall logs for repeated IPs that are trying to either do an attack on our system or get access into our system. There is some form of machine learning and AI implemented in it to be able to tell us which particular IP address is trying to do this. 

How has it helped my organization?

It is mainly used for securing our platform. As the infrastructure person who works on it, I have some automated ways of seeing threats. We have seen a few possible issues that might come up. So, our customers are safe on some level when we are using Sentinel.

What is most valuable?

It improves our security posture by using automated threat detection.

Having your logs put all in one place with machine learning working on those logs is a good feature. I don't need to start thinking, "Where are my logs?" My logs are in a centralized repository, like Log Analytics, which is why you can't use Sentinel without Log Analytics. Having all those logs in one place is an advantage. 

We have not really had any major threats. We have had alarms about four times. In the end, they were false positive alarms. Over time, the machine learning feature understands that something is a false positive, then you don't see them anymore. So, it reduces the number of false positives.

What needs improvement?

The learning curve could be improved. I am still learning it. We were able to implement the basic features to get them up and running, but there are still so many things that I don't know about all its features. They have a lot of features that we have not been able to use or apply. If they could work on reducing the solution's learning curve, that would be good. While there is a training course held by Microsoft to learn more about this solution, there is a cost associated with it. 

For how long have I used the solution?

We have been using it in our organization for six months.

What do I think about the stability of the solution?

It is quite stable. It is one of the most mature SIEM solutions that I know.

Currently, I am the person maintaining the solution since we are a startup. However, it probably needs a team of four people to work on it. It needs an infrastructure person to configure it, a security analyst to tell us what they want configured, and a business person to tell us what kind of security targets are needed.

What do I think about the scalability of the solution?

Scalability is good. We are increasing usage for different use cases. For compliance reasons, we will probably expand usage in the future.

Also, there are a lot of features that we have still not tested.

How are customer service and support?

I have not had to use the technical support yet.

Which solution did I use previously and why did I switch?

We were starting from scratch with Azure Sentinel.

We started using it because we were trying to get PCI certified. The updated PCI requirements requested that we have a security information and event management tool. If it wasn't for PCI compliance, then we probably would not have used Sentinel.

How was the initial setup?

The initial setup was complex, not straightforward. Connecting it is easy once you have an Azure resource on the cloud. We also have on-prem resources, but we have not been able to connect those. Trying to create your on-prem resource with Azure Sentinel is not straightforward. I have not seen many implementation videos that I can watch on YouTube to learn how to do it. 

It is not just Azure. Other SIEM solutions are a bit complex when trying to connect them.

Deployment took no more than 10 minutes. Configuring it in our workloads was the major issue, not the deployment. The configuration timeframe depends on the number of resources that you are connected to and your prior knowledge of Sentinel before starting your configuration. 

What about the implementation team?

I did the deployment.

What's my experience with pricing, setup cost, and licensing?

From a cost perspective, there are certain Azure resources that we don't need to additionally pay for when using Sentinel.

When we looked at other SIEM tools, they were quite expensive. Sentinel is also expensive for a startup, but we were able to configure it so there are some logs that Azure frees up, like your firewall, Office 365, or Kubernetes logs. From a cost perspective, this works well financially for us.

Sentinel is a bit expensive. If you can figure a way of configuring it to meet your needs, then you can find a way around the cost.

Which other solutions did I evaluate?

We looked at so many tools, like Elasticsearch and IBM. We went with Sentinel because the majority of our workloads were on Azure already, so the integration was easier rather than going with something external and integrating it.

What other advice do I have?

If you are purely on Azure, Sentinel is the way to go. Also, it easily works with on-premise workloads from what I have been able to determine. When I look at connectors, it integrates with other cloud providers. I see it integrates with GCP. 

I would rate Sentinel as seven out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1681203 - PeerSpot reviewer
Sr. Microsoft Solutions Specialist at a tech vendor with 1,001-5,000 employees
Real User
A great service that provides an additional layer of protection and security for all on-prem and on-cloud data points
Pros and Cons
  • "One of the most valuable features is that it creates a kind of a single pane of glass for organizations that already use Microsoft software. So, when they have things like Microsoft 365, it is very easy for them to kind of plug in or enroll those endpoints into the Azure Sentinel service."
  • "I can't think of anything other than just getting the name out there. I think a lot of customers don't fully understand the full capabilities of Azure Sentinel yet. It is kind of like when they're first starting to use Azure, it might not be something they first think about. So, they should just kind of get to the point where it is more widely used."

What is our primary use case?

Our clients use it for just an overall health check and security check for their deployments, whether it's on-prem or in Azure. Azure Sentinel basically collects the data from any kind of endpoint or server that is enrolled in the service, irrespective of whether they are on-prem or in the cloud. It can be laptop servers, virtual machines. It is a cloud solution, but it does extend to on-prem deployment.

I have been using the most up-to-date version. 

What is most valuable?

One of the most valuable features is that it creates a kind of a single pane of glass for organizations that already use Microsoft software. So, when they have things like Microsoft 365, it is very easy for them to kind of plug in or enroll those endpoints into the Azure Sentinel service.

What needs improvement?

I can't think of anything other than just getting the name out there. I think a lot of customers don't fully understand the full capabilities of Azure Sentinel yet. It is kind of like when they're first starting to use Azure, it might not be something they first think about. So, they should just kind of get to the point where it is more widely used.

For how long have I used the solution?

I have been using Azure Sentinel since it came out, so it has been at least a couple of years.

What do I think about the stability of the solution?

It is very stable. It has been around for a while, and it is a Microsoft product. So, it is pretty secure and pretty stable.

What do I think about the scalability of the solution?

Like all Azure services, it is definitely very scalable. You can very easily and very quickly enroll devices and other data points into Azure. 

How are customer service and support?

Microsoft tech support is pretty good when it comes to Azure. It is really easy to open a ticket because you can do that right through the Azure portal. In addition, my company and other companies that kind of resell Azure services, oftentimes have our own help desk included with the consumption of Azure services. So, we have a 24/7 help desk that works on top of that. There are many managed services partners, like my company, that provide additional services in tech support on top of what Microsoft already has.

How was the initial setup?

It is very straightforward.

What's my experience with pricing, setup cost, and licensing?

It is kind of like a sliding scale. There are different tiers of pricing that go from $100 per day up to $3,500 per day. So, it just kind of depends on how much data is being stored. There can be additional costs to the standard license other than the additional data. It just kind of depends on what other services you're spinning up in Azure, or if you're using something like Azure Log Analytics.

What other advice do I have?

For any customers who are either looking at Azure or already have Azure or Microsoft 365, this is a great service to look at because it does provide an additional layer of protection and security for all of their data points, whether they are on-prem or in the cloud.

I would rate Azure Sentinel a nine out of 10.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
reviewer1655235 - PeerSpot reviewer
Director - Technology Risk & Cyber at a financial services firm with 10,001+ employees
Real User
Efficient and helpful for identifying the security issues and responding quickly, but lacks simple documentation and specific training
Pros and Cons
  • "It is quite efficient. It helps our clients in identifying their security issues and responding quickly. Our clients want to automate incident response and all those things."
  • "Its documentation is not so simple. It is easy for somebody who is Microsoft certified or more closely attached to Microsoft solutions. It is not easy for those who are working on open-source platforms. There isn't a central point where everything is documented, and there is no specific training or certification."

What is our primary use case?

We internally do not use this solution. We provide advisory for Azure Sentinel because we are Microsoft's partner.

Our clients use it for Security Operations Centers. Some of the clients wish to build a Security Operation Center. They want to perform threat analysis and see that the environment is secure and monitor it. That's why we deploy SIEM solutions.

In terms of deployment, what we see here in Asia, specifically in Malaysia, are hybrid and public cloud deployments.

How has it helped my organization?

It helps our clients in enhancing their security. 

What is most valuable?

It is quite efficient. It helps our clients in identifying their security issues and responding quickly. Our clients want to automate incident response and all those things.

What needs improvement?

Its documentation is not so simple. It is easy for somebody who is Microsoft certified or more closely attached to Microsoft solutions. It is not easy for those who are working on open-source platforms. There isn't a central point where everything is documented, and there is no specific training or certification.

For how long have I used the solution?

It has been almost three years.

What do I think about the stability of the solution?

It is stable. Those who have adopted it are okay with it.

What do I think about the scalability of the solution?

It is a cloud solution, so it is scalable.

How are customer service and support?

Most of us know how Microsoft operates. They are quite good at that.

How was the initial setup?

Its setup is of moderate complexity for me, but I have heard it is complex for others because of the query language and other things.

There is documentation, but I don't think Microsoft is providing a central point where everything is documented. In fact, there is no specific training or certification. There is Microsoft Secure training, but it is not so dedicated. All these things make it moderate.

What's my experience with pricing, setup cost, and licensing?

I have had mixed feedback. At one point, I heard a client say that it sometimes seems more expensive. Most of the clients are on Office 365 or M365, and they are forced to take Azure SIEM because of the integration.

What other advice do I have?

We see that a lot of clients are trying to explore more apart from Azure. Some of the clients are interested in Splunk. Some of the clients are interested in seeing what's available from AWS. This year is quite different in Malaysia because the government has opened up the adoption of public cloud in all sectors, especially in the financial sector. So, we are seeing new requirements coming up. 

I would rate Azure Sentinel a seven out of 10.

Disclosure: My company has a business relationship with this vendor other than being a customer: partner
PeerSpot user
System Engineer at TIGER LOGIC
Real User
Shows users who are exposed to phishing attacks so you make some mitigation on that particular account
Pros and Cons
  • "The most valuable feature is the onboarding of the workloads. You can see all that has been onboarded in your account on the dashboards."
  • "It has been a challenge with Azure Sentinel to onboard the Syslog server from FortiGate. Azure Sentinel can work better on that shift between the Syslog server and a firewall."

What is our primary use case?

For users that have been observing some malicious actions with their product and getting malicious mail, Azure Sentinel allows them to create a rule, which will show who exactly among their users is exposed to phishing attacks so that they can make some mitigation on that particular account.

There are about five people using this solution in my organization.

How has it helped my organization?

It helps to implement connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, and Microsoft 365 sources, including Office 365, Azure AD, Microsoft Defender for Identity (formerly Azure ATP), Microsoft Defender for Cloud Apps, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions.

What is most valuable?

The most valuable feature is the onboarding of the workloads. You can see all that has been onboarded in your account on the dashboards.

What needs improvement?

It has been a challenge with Azure Sentinel to onboard the Syslog server from FortiGate. Azure Sentinel can work better on that shift between the Syslog server and a firewall.

For how long have I used the solution?

I have been using this solution for three years.

What do I think about the stability of the solution?

It's quite stable compared to other automation SIEM and SOAR solutions.

What do I think about the scalability of the solution?

It's very scalable.

How are customer service and support?

Technical support is good. Microsoft has engineers that are readily available to help you with a challenge.

How was the initial setup?

Initial setup was user friendly. I would rate it a 4 out of 5. 

It's deployed by you onboarding your deliverables on the workload. For example, if you're using Office 365 or another third-party solution, you're going to upload those onto the server and have it protected with your Azure Sentinel.

It will draw logs from your activities, and then bring them up as a workbook, where you can see into the actions on those programs you have onboarded on the Azure Sentinel.

What about the implementation team?

We use a third party for implementation.

What was our ROI?

For ROI, I would rate it 4 out of 5.

What's my experience with pricing, setup cost, and licensing?

It's costly to maintain and renew.

It depends on how you want to pay for the solution. You can pay it on an annual basis or pay as you go, but I feel it's better to just keep it running as a product on your Azure subscription. If you have a $500 subscription, it will take part of your subscription.

What other advice do I have?

I would rate this solution 7 out of 10.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
reviewer1768875 - PeerSpot reviewer
Cyber Security Engineer at a performing arts with 1,001-5,000 employees
Real User
A straightforward solution that is helpful for an overview of the security fabric, but its implementation could be simpler
Pros and Cons
  • "We didn't have anything similar. So, it really provides value from the incidents and automation point of view. The overview of the security fabric is most valuable."
  • "Its implementation could be simpler. It is not really simple or straightforward. It is in the middle. Sometimes, connectors are a little bit complex."

What is our primary use case?

It is for tracking the logs. I'm working on automation. So, the use case basically includes logs, incidents, automation, UEBA, and endpoint integration with Office 365 Defender.

What is most valuable?

We didn't have anything similar. So, it really provides value from the incidents and automation point of view. The overview of the security fabric is most valuable.

What needs improvement?

Its implementation could be simpler. It is not really simple or straightforward. It is in the middle. Sometimes, connectors are a little bit complex. 

For how long have I used the solution?

I just started using it. I have just set it up.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

It is scalable.

How are customer service and support?

I haven't dealt with Microsoft's tech support. I haven't reached out to them.

How was the initial setup?

It was of medium complexity. It wasn't too bad, but it can be complex because of the connectors.

What's my experience with pricing, setup cost, and licensing?

I don't know yet because they gave us a 30-day test window for free. 

What other advice do I have?

Because it is mainly artificial intelligence and machine learning, you would need some time to learn it. It is a good solution, and it is straightforward.

I would rate it a six out of 10. I haven't really dealt with other ones.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2025