Microsoft Sentinel Reviews

We use Sentinel to monitor events and incidents that occur on our tenant. It covers all the servers and applications in the cloud, too. 

We can use Sentinel's playbook to block threats. It covers all of the environment, giving us great visibility.  

If Sentinel had a graphical user interface, it would be easier to use. I would also like it to be more customizable. 

We've been using Microsoft Sentinel for nearly 20 years. 

Sentinel isn't very easy to set up, especially when we're trying to connect to a server at the entry point. We run into some configuration issues when connecting. 

I rate Microsoft Sentinel eight out of 10. 

Azure Sentinel is a SIEM solution. It offers security information on an event management solution and also security orchestration automation response. It actually looks into events coming into your environment and events from a lot of sources, or whatever you might have in your network.

There are a lot of events and logs generated by all of these resources - sometimes in the thousands or millions. Azure Sentinel helps you investigate a lot of these logs faster. It uses artificial intelligence, called threat intelligence, to look into all the events that might be coming into your environment.

For example, on a daily basis, you might be receiving two million events coming from all the resources you have, including your users. If you're a very big enterprise and you have thousands of users, there are logs coming in from each of these users. You also have some resources, such as your web application, virtual machine, and a lot of your resources that span across both Azure AWS, GCP, and other solution providers like Sophos, Fortinet, Cisco, and your on-premise environment. You can get all these logs together with this.

The solution is still new, and there are a lot of new things coming out each and every day. Microsoft is trying to improve the solution constantly. In the last two weeks, there was a section of the Azure Sentinel code solutions that was integrated. It's something organizations could explore. Recently, they just included automation rules that you can use with Logic Apps to automate threat responses.

Azure Sentinel works with artificial intelligence. With AI by your side, you are able to investigate everything very fast. Within a blink of an eye, it's going to help you look into all these things. Before it can do that, however, you need to set up some form of analytics rules to help you look into all the events that might be coming into your environment.

There's also a security orchestration and automation response. Sentinel is able to identify and spot threats in our environment. We can also set up some automation rules to be able to automate when there is any form of an incident in our environment. For example, if there is a brute force attack on a user account, we can automate a response such that we can block the user account for a time while an investigation is done on that account. There are automation rules that can help to automate responses as well.

There are a lot of things you can explore as a user. You can even go and actively hunt for threats. You can be on the offensive rather than on the defensive.

It's quite different from a traditional SIEM solution whereby you need to have a couple of security analysts to be able to help you manage it. All of these traditional SIEM solutions don't have the capability to look into threats as fast. For instance, if a DDoS attack was placed on our web application hosted with a cloud solution provider and we hosted this web application on our virtual machine, if we have a DDoS attack (a denial-of-service attack), we can spot the threats very quickly. AI will also help to stop these attacks before they can do damage.

You can bring in your own machine learning algorithms to help you look into the threats community environment. If you are someone who's very fast at developing AI, you can have your own custom machine learning set up to help you look into any form of threat. It’s a very powerful tool.

Recently, I deployed Azure Sentinel for a client. I could tell immediately it was able to spot a lot of threats. Just within an hour, it was able to spot about five to ten threats. Also, at that very moment, Sentinel recorded around 500,000 events coming into the log analytics workspace. Typically, if you have something like 500,000 events coming into your environment and you have to involve the physical human efforts to be able to look into 500,000 events, it's going to be a lot of work - too much for one person.

The product has a lot of built-in features. There is a lot that it adds, and there is a lot it can do. It's the kind of solution that you can even bring in your own model.

We have a machine learning model that we train. Apart from it having some kind of already made solution, you can even create your own custom rules and custom machine learning.

Having to analyze threats every day, as a person, can be stressful. However, when you have something like Sentinel, which uses threat intelligence to be able to help you respond and remediate against threats at scale, it takes the pressure off.

It can span across your on-premise resources. If you have your own data center, you can deploy Azure Sentinel in the cloud, and you can have it monitor your data center. You can have it working as a solution to your data center.

As a user, you are able to integrate your on-premise with the data center to Azure Sentinel, in just a few clicks. It’s very simple to use. In just a few clicks, you'll be able to connect Azure Sentinel with your on-premise resources, web server, or SQL server - anything you can think of.

It can help you investigate threats coming into your laptop. You can connect Azure Sentinel to your personal computer.

It doesn't affect end users. They don't have access to Sentinel. They don't even see what is happening. They don't know what is happening.  

A lot of organizations have lost a lot of money due to a loss of virtual information. With this kind of strong security system and some strong security protocols, they are well protected.

New things are already being incorporated just to improve on the already existing solution.

There is a GitHub community for this solution. There are a lot of contributors worldwide and a lot of people building playbooks and building machine learning models. Someone can just build a machine learning model and say, "Okay, just mention in the model, 'Do this,' and it does this." There is room for improvement. However, things are improving in Sentinel with the help of this community.

I've seen playbooks where people have pushed to the GitHub repository, and I've been able to make use of one or two of these solutions on GitHub. That said, it may not be possible to eradicate all of the cyber threats.

There are webinars going on almost every week. Last week I attended a couple of webinars on Azure security. When you are doing things, you also need to be thinking about the security aspect. You have to be thinking about the security aspect of a cloud. You need to enforce a zero-trust model. You can't assume something cannot harm you, as everybody is a threat to your security.

The only issue is that sometimes you can have a false positive alert. For example, sometimes it detects something is happening, however, you're actually the one doing that thing. If someone is trying to sign into their environment and provide an incorrect password, they will try it a few times. The system will look at that event and think it's an attacker and it might be an indication of a threat. However, it's just a user that got the password wrong. I consider that a false positive alert. 

I have been using this solution for about a year now.

The stability seems to be fine for now. It's not an issue. 

I have not really used technical support. That said, on the first day when I was starting with Sentinel, I used technical support for some free advice.

In the past, I've worked as a Microsoft technical support engineer. I was very good at what I did then. The support person that I spoke with when I needed free advice on that first day was helpful. When I raised a support request to ask a few questions, the support engineer was able to do justice to all those questions and shared some things to put me in the right direction. I appreciated their helpfulness as I used to be that helpful as well.

There are a lot of solutions Microsoft has that have to do with security. However, they are not what I would describe Sentinel to be. Nothing I have used in the past has been similar to Sentinel.

For every project, you need to have your functional requirements. Once you have that in place, the initial setup depends on the number of things you want to bring into Azure Sentinel. It's a powerful tool.

You can set it to AWS, GCP, DigitalOcean, Sophos, Fortinet, Cisco - even your PC. You can set it up for everything and there is no lagging. It just takes just a few clicks to connect these things. For instance, if you need to get the logs of a user, you just go to the data connector. Once you are in the data connector, you click on Connect. Once you click on Connect, a lot from that environment just comes into Sentinel. Once it's coming into Sentinel, you can create various analytics rules.

I don't know of similar solutions or if any really exist.

The company I work with now is a Microsoft partner.

It's a very, very powerful tool that I recommend to my customers. I work as a consultant. I advise customers. I do not sell it directly.

It's something that organizations should use. I would advise people to use it. It doesn't look into only your Azure environment. It spans other cloud solution providers.

I'd rate the solution at a ten out of ten.

We are running an MDR service for our customers and use Azure Sentinel as the SIEM product to allow us to have an overview of all our customers, but also to easily push configurations to different customers.

We use Azure Sentinel as an alert aggregator to import all of the incidents/alerts from the different (Microsoft) security products in order to have a single pane of glass. On top of that, we create our own custom Analytics Rule that can be used to add our own added value. This enables us to create our own IP to protect customers. 

It's really convenient for us to aggregate the logs/alerts from all our customers into a single pane of glass. By using the automation capabilities, it's relatively easy to sync all incidents to our ITSM tool which we can use to follow up on incidents. As it's based on the Microsoft stack, it's convenient for our engineers to learn the product. As Azure Sentinel is also a big focus for Microsoft, we have the ability to work with them on certain products. This creates visibility within the community and for new customers.

There are three valuable aspects of the solution: MSSP support, integration with Microsoft, and Automation. By using Azure Lighthouse, an MSSP can easily integrate their applications into their own baseline of policies/configurations.

Because Sentinel is built as an MS-first product, it integrates natively with other Microsoft products, which is really convenient as we are standardized on it. Without much work, you can connect any Microsoft product to it. 

Last, but not least, Sentinel uses Azure Logic Apps for automation, which is really powerful. This allows us to easily automate responses to incidents.

Azure Sentinel is constantly growing. Throughout the two years we have been using it, we have seen it expand tremendously. A lot of the limitations we had originally seen have already been mitigated. A couple of potential improvements could be: allow for a streamlined CI/CD procedure. Now it's a combination of using API/Powershell and ARM which is not ideal. Also, it should allow us to ingest on-prem logs by using a SaaS platform to ingest CEF/Syslog logs that also allow for prefiltering. This would allow us to minimize the cost of the solution.

I've been using the solution for 1.5 years.

We didn't use another SIEM product before Azure Sentinel. 

The cost can be a little confusing at first, but the Azure calculator is a great place to start. I would advise to start with integrating Microsoft products first, as this is the most convenient way forward and allows you to learn the product as you go.

In general, Azure Sentinel can be set up really quickly.

We use this solution for analyzing Microsoft cloud-based log services and for security data. The services include Microsoft 365, Azure Security Center logs and Microsoft cache logs. We are gold security partners with Azure. 

The UI-based analytics are excellent, it's something I haven't seen with any other SIEM products. Microsoft has excellent tools for cleaning data, sorting out irrelevant log data and even fixing log data.

There's not much that needs improvement but the on-prem log sources still require a lot of development. It's clear that there are limitations there. I also think that the implementation and on-prem data sources could be done in a better way. We've used some functions with Python and whole scripting on FortiSIEM, which is something that Microsoft could easily provide, but so far hasn't.

The product has been very reliable. I don't know that there have been any service outbreaks. We haven't had any problems. 

We have 700 users and from our perspective, it has unlimited processing power, but this is quite common for cloud services. I think the scalability has to be some kind of ABM and feeding all of the log stats, which could possibly have limits, but Azure has huge computing power behind it.

The support is good, the only issue is getting past the level one people who ask if you've tried rebooting. If you have Microsoft's Unified Support, the most expensive support, then you'll be very happy. It's not the best support in the industry, but it's pretty good and they also support Sentinel. 

The initial setup was extremely straightforward. It was the easiest I have seen because it's an SaaS service. I think anybody can do it by just clicking and clicking and saying yes. Straight out of the box and that's the strength of the SaaS service because there's no installation, you just use it. 

We compared Azure to Splunk and to our current mainstream implementation, FortiSIEM. If you have a lot of security data, then you feel that Azure is quite expensive but it's nowhere near as costly as Splunk which is four or five times more expensive. FortiSIEM wasn't good enough and Splunk was way to expensive. 

I would definitely recommend this solution. If you have cloud-based workloads and different cloud or cloud lookalike services that require security data, or if you are looking for SOAR functionalities, then it's a no brainer. It's the best in that market. On the other hand, if you are mainly working and operating with on-prem stuff then there's no advantage over FortiSIEM or other solutions. 

I rate this solution a nine out of 10. 

Security incident and event management. Threat detection and automated response.

It is a software as a service from Microsoft.

Reduced mean time to detect and resolve

Quickly able to cover a majority of mitre att&ck techniques

Free to ingest Azure logs with E5 license

Free ingestion for Azure logs (with E5 licence)

It is easy to implement (turn on) - does need a skilled analyst to develop queries and playbooks.

It has basic out-of-the-box integrations with multiple log sources.

Add more out-of-the-box connectors with other SaaS platforms/applications.

12 months

No stability issues encountered.

It is scalable as a SaaS offering, but there is a consumption cost to consider.

Cybersecurity team uses this on a daily basis.

We work together very well with local MS Team.

The initial setup was simple. All that was needed was to put agents onto our infrastructure.

Integration more complex for non-MS SaaS and OS, but do-able using middleware.

It was done in-house.

It is an evergreen service.

What is the cost of lack of visibility?  Average cost of breach = $$$

It is a consumption-based license model. bands at 100, 200, 400 GB per day etc. Azure Sentinel Pricing | Microsoft Azure

Good monthly operational cost model for the detection and response outcomes delivered, M365 logs don't count toward the limits which is a good benefit.

Others were considered however being an E5 M365 and Azure user this was by far the preferred solution.

It is fairly new but making a charge up the market anayses.  Should be considered if you have E5 licence due to native and 'free' ingestion of M365 logs.

We haven't used all of its capability yet because we haven't had the time yet to implement it all, and it appears that the MS roadmap for Sentinel is being actively invested in.

The primary use case is the same use case as Splunk.

Requirements differ. We're still doing fine-tuning. However, lots of users are added to its security group to note activities.

So far, the solution has been perfect. 

The pricing of the product is excellent.

So far, we have found the stability to be very good.

The solution, as a SIEM tool, has very good integration capabilities, at least, according to our needs.

We have just recently migrated to this product. We haven't used it long enough to note all of the features. Therefore, it would be impossible to note what is lacking just yet.

The interface could be more user-friendly. It''s a small improvement that they could make if they wanted to.

We've recently migrated to this solution. We've only been using it for a month.

The stability of the product is very good. It doesn't have bugs. It's not glitchy. It doesn't crash or freeze. It's been reliable so far.

As a Microsoft product, customers get scalability and elasticity. We have policies in place, and, based on them, we can upgrade if we need to. A company shouldn't have issues scaling should they have the need to expand. 

Only the security team uses this product. It's not accessible for every user. We have a team of about 20.

We have just invested in the solution, and therefore we have plans to use it for the foreseeable future.

We do have access to support, and if we need them, we can call on them. However, the solution is so new, we have yet to need their services. Therefore, I can't speak to their level of responsiveness or knowledgeability just yet.

The installation is very straightforward and easy. It's not complex. It's a cloud deployment, and therefore, it is very quick. You just connect the APIs to the data center.

The product is extremely cost-effective and affordable for customers.

I'm more on the technical side. Therefore, I don't have any insights into the actual cost or the structure of the license.

We looked at Splunk as well and compared to that solution, this one is less expensive.

We're using the latest version of the solution.

Choosing this solution was a management decision. Due to cost-effectiveness, they opted for Azure Sentinel.

Whether this product would work for another organization or not depends on the company's requirements.

As it is still very early in terms of our experience with the solution, I would rate the product at a six out of ten.

We primarily use the solution for security operations. 

It has a lot of great features. 

The integrations on offer are very good. They have a lot of frequent updates on the integrations as well. 

We also use other Microsoft products with it, such as Active Directory and Defender for Endpoint and Identity. Everything is well integrated together. The integration itself is seamless.

Its connectors are helpful.

We get good logs from the solution.

Threat visibility is good so far. We are able to prioritize threats based on many factors.

The comprehensiveness of the solution is good. 

The alert response could be better. We'd also like a better ticketing system, which is older.

I've been using the solution for two years.

I'd rate the solution nine out of ten.

We use it on a public cloud. We have integrated Azure Lighthouse with Azure Sentinel Security. By integrating all of these, Azure Security Center and Azure Defender, we are providing an MSSP platform to our customers.

With other solutions, you see some restrictions for collecting the log from custom connectors. With Azure Sentinel, we do have some restrictions or sometimes we need to struggle with the connection, but there is no need to struggle with the log connection. There is 100% integration to your enterprise environment. This makes it easy to monitor and keep a track record for vulnerabilities and track whatever things are lurking in your network. They also have their custom alert tools, alerting the analytics team, where we can receive custom alerts based on our custom requirements. This has helped our organization a lot. Then with Azure Lighthouse, we can manage multiple customers with one platform, so on a single interface, we manage a number of customers that are using the Lighthouse service from the Azure.

In Azure Sentinel, we have found, they do have a store in their capability. AI and intelligence features. We found that to be very helpful for us because some other things we do need to integrate again or find another vendor for the store With Azure it is a built-in thing, so there is no need to go and search for another vendor or integrate your solution for the store with a third-party.

They could use some kind of workbook. There is some limitation doing the editing and creating the workbook. That would improve it. Sometimes you will find some network issue, and network error with the Azure Sentinel portal. That's the biggest drawback I found with the Sentinel. It would be great if would provide PIP platforms. They do have PI platforms but they don't have PIP.

My organization partners with Microsoft, so we are working on an MSSP with Azure.

The technical support for Azure Sentinel is quite good. You have one level up from the basic support so you will definitely get to Microsoft support directly and actually have a conversation with Microsoft technical guys for the support team and they will resolve your issues very quickly.

The setup for Azure Sentinel is very straightforward. You only need a subscription and for that subscription, you just need the admin roles. So if you are an admin and if you do have the Microsoft certification, you can make a Microsoft Azure account then it's very easy to setup and it's very easy to onboard the Sentinel.

Azure Sentinel s actually quite handy, and very adaptive to the market trends. Anyone who is looking for the same store, creating their complete security solution for their enterprise, for the effective security solution, and for data integration, they must go with the Azure Sentinel as they are going to get everything in one place. I would rate Azure Sentinel at an eight on a scale of ten.