Microsoft Sentinel Reviews

Our use case for Microsoft Sentinel is having a more holistic view by having all security events in one place.

We were likely the first partner in New Zealand. We've been able to manage the path forward early on and have helped small businesses adopt a really scalable solution.

It's one of the key areas we've focused on. We love the ability of having reliable threat intelligence.

Microsoft Sentinel's ability to integrate with other Microsoft products has been beneficial to our team's operations. We like the best of ecosystem versus the best of breed approach. We can have everyone have the same skillsets and not have individuals specialized. It's much more holistic. 

The threat detection has been useful. We like having everything managed by one solution. It simplifies everything. 

The automation feature helps with efficiency, specifically around security. 

It has good integration with other security features. It's a great product. The ease of use and ease of management are great. 

It's allowing us to have one Microsoft security pane of glass.

Microsoft Sentinel has improved cost efficiency, which is one of the key areas we're able to win business against the ability to have threat intelligence.

To improve Microsoft Sentinel specifically, giving us different functionality to handle tasks would be really amazing. I don't have any issues with what's currently available.

It would be nice to be able to leverage more AI to handle more data and recovery aspects in the future. 

I've used the solution for the last five years. 

Regarding the stability of Microsoft Sentinel, there haven't been any significant issues. There may have been one or two minor incidents over time, yet nothing substantial.

The scalability is very good. Our largest customer has 55,000 seats. Others have 100 to 200 seats. 

We've had a good experience with Microsoft support.

We decided early on we weren't going to partner with a lot of vendors. We liked what Microsoft was going to do with a best-of-ecosystem approach instead of best of breed. 

The initial setup is pretty easy. 

I have definitely seen a return on investment in the past five years. We attribute our growth to Sentinel. It became a product that everyone suddenly wanted. 

My experience with the pricing setup has been positive.

There were a couple of other products available, however, we were quite certain we were going to go with Microsoft Sentinel.

The reason why having a best-of-ecosystem is crucial for our customers is that it eliminates the need to set up multiple different products, so it was really attractive to have everything in one place.

I'd rate the solution ten out of ten. 

We use Sentinel for our SOC operations. We set up analytics rules and SOAR playbooks. Sentinel covers our entire security operation. It is deployed across multiple locations and covers around 4,000 users.

Sentinel gives us alerts, identifies vulnerabilities, and helps us remediate issues. Some of it is automated, but we also do manual remediation through the ticketing process. We have integrated Sentinel with ServiceNow, so the alerts are routed to the engineers.

Sentinel has reduced our mean time to resolution, one of our KPIs, by about 30 to 40 percent and enabled us to identify vulnerabilities faster. The co-pilot capability saves us a lot of time, too. We're also doing mapping with the MITRE framework, improving our MITRE coverage. We started to see results after the initial deployment and configuration. It took about two or three months. It's an ongoing process, but we realized the benefits within three months. 

The solution correlates signals from native and third-party sources into a single incident. Before implementing Sentinel, we used multiple tools to investigate and remedy vulnerabilities. Having that single pane of glass has significantly increased the efficiency.

Sentinel has improved our overall visibility. We get data about user behavior and correlate it. It also gives us alerts about network vulnerabilities. Having a single pane of glass and one consolidated security tool allows us to capture multiple layers, from the endpoints to the servers. One solution gives us visibility into all the layers. 

The SOAR playbooks are Sentinel's most valuable feature. It gives you a unified toolset for detecting, investigating, and responding to incidents. That's what clearly differentiates Sentinels from its competitors. It's cloud-native, offering end-to-end coverage with more than 120 connectors. All types of data logs can be poured into the system so analysis can happen. That end-to-end visibility gives it the advantage.

Sentinel's AI and automation capabilities make our SOC team's job easy. When logs come into Sentinel, the AI engine analyzes, contextualizes, and correlates them. The AI is correlating the data from multiple log sources and giving us alerts. We depend on that. We also perform automated remediation based on our SOAR playbooks. 

I would like Sentinel to have more out-of-the-box analytics rules. There are already more than 400 rules, but they could add more industry-specific ones. For example, you could have sets of out-of-the-box rules for banking, financial sector, insurance, automotive, etc., so it's easier for people to use it out of the box. Structuring the rules according to industry might help us. 

They could also add some more connectors. Sentinel has 120 connectors, including most of the essential data ones, but they could add some more legacy connectors.

I have used Microsoft Sentinel for three years.

Our SOC team relies on Sentinel from end to end, and it has been quite stable. It's always up, and we've never had any issues with the connectors.

Scalability isn't a problem because we have an Azure environment, and Sentinel is native.

I rate Microsoft support nine out of 10. They resolve our tickets within an acceptable time frame. That is pretty much okay for us.

Positive

Initially, we used Splunk, but I've mostly worked on Sentinel at this company. It was a company decision. Splunk works well in an on-premise or legacy environment, but our entire digital estate shifted to the cloud, so it makes more sense to move to Microsoft Sentinel because we moved to Azure.

Our deployment went smoothly. We spent about three or four months setting up the entire thing, and it all went according to plan without any undue complications. About three months of that was the configuration phase, and we had a transitional month before starting operations. 

The implementation steps included enabling Sentinel, setting up Log Analytics Workspace, and connecting the data connectors. After that, the logs started flowing in. Next, we created the analytic rules and remediation use cases. The deployment team included seven full-time staff. After deployment, Sentinel requires some ongoing maintenance when we add new analytics rules or log sources. We have one engineer responsible for that.

We see an ROI. Our efficiency increased once we created the initial set of analytics rules and SOAR automation, and we review our automation use cases every six months to find more ways to save money. It comes out to roughly a 10 percent return annually on a three-year contract.

I am not involved on the financial side, but from an enterprise-wide use perspective, I think the price is good enough. We have bundled pricing with Azure Monitor Log Analytics. We would be using Log Analytics Workspace even if we didn't have Sentinel, and we would need to pay a separate license for IBM QRadar or Splunk. It optimizes costs when we use both in our digital estate. 

We considered IBM QRadar. 

I rate Microsoft Sentinel eight out of 10. It's a plug-and-play solution, so you can start seeing benefits quickly using the out-of-the-box analytics rules and use cases. Of course, you need more time to create custom use cases and playbooks, but it's simple to get started. It might be challenging to migrate from a legacy system because you may have trouble connecting to the old data, but this is the best tool for a greenfield deployment. 

My role thus far has been to integrate security log sources into the platform. This includes developing or troubleshooting some of the data connectors for different sources, such as web application firewall interfaces.

Sentinel is a SOAR platform. It represents the next generation beyond traditional SIM and SIEM platforms. Its powerful SOAR functionality orchestrates and automates responses to security events, eliminating the need for manual intervention. Instead of relying on human analysts to monitor events and react, Microsoft Sentinel leverages pre-defined automation rules. These rules correlate relevant events, generating a holistic understanding of the situation. Based on this analysis, automated responses are triggered, expediting the resolution process and eliminating any delays associated with manual identification and decision-making.

Sentinel provides us with a unified set of tools for detecting, investigating, and responding to incidents. This centralized approach offers both advantages and challenges. On the one hand, it grants us the flexibility to tailor Sentinel's capabilities to various situations. However, this flexibility demands a deep understanding of the environments and activities we're dealing with to effectively utilize Sentinel's features. While this presents a challenge, it also highlights the potential benefits of this unified approach. The unified view is important to me because I get all the information together in a single pane of glass instead of having to switch between multiple applications. The ability to consolidate all of that information into a single application or dashboard and to centrally evaluate its intelligence is a significant advantage.

Sentinel's ability to secure our cloud environment is of the utmost importance.

Sentinel Cloud Protection offers a collection of customizable content that caters to our specific requirements, demonstrating the solution's flexibility. The versatility of this content allows us to address a wide range of needs. However, in most instances, we need to adapt the material to suit our unique circumstances. While Sentinel Cloud Protection provides a comprehensive set of resources, including pre-written responses, it often requires tailoring to fit specific situations. This customization process is not a drawback but rather an essential aspect of effectively utilizing the tool. It's crucial to understand the nuances of each situation to apply the content appropriately. While I wouldn't consider this a negative aspect, I've encountered individuals who believe they can purchase a solution, implement it without modification, and achieve optimal results. However, such unrealistic expectations often lead to disappointment.

The Sentinel Content Hub is essentially the central repository where we acquire the content to build upon. Therefore, it serves as the starting point for our efforts. Some of the hunt rules have been quite beneficial in terms of what they provide from the Content Hub, allowing for a plug-and-play approach. This means we can immediately benefit from what's available without having to do any additional work. We can then build upon this foundation and extend the capabilities beyond what's provided by the Content Hub. The Content Hub itself is a valuable asset that gives us a head start in achieving our objectives.

Content Hub helps us centralize out-of-the-box SIM content. This has made our workload more manageable.

The ability to correlate and centralize all of that information together, rather than having to manage it across multiple platforms and potentially miss things between different platforms, makes it more likely that we will not miss anything. The workload and the missed threats that we need to respond to have been reduced because of that unified approach. The mean time to detect has been reduced, and the mean time to respond has been reduced.

Sentinel correlates signals from first- and third-party sources into a single, high-confidence incident. The third-party integrations provided through Microsoft offer all the tools we need to integrate those sources. In other cases, we have to build the integrations from the ground up. Currently, we are struggling to integrate some of the sources that don't have existing connectors. However, the platform is flexible enough to allow us to build these integrations. It is just a matter of finding the time to address this issue.

Our security team's overall efficiency has improved. The build phase is still ongoing. We have not yet fully transitioned to an operational model. We are still in the build implementation stage because we need to integrate some third-party sources into the existing platform and ensure that they are included in the scope of the analytics rules. However, this has significantly reduced the amount of time spent working between different platforms.

The automation capabilities are perhaps the platform's most significant advantage. The force multiplier capability is exceptional. Traditional SIM or SIEM-like platforms were effective in gathering and presenting security information to security personnel. However, security personnel were still responsible for evaluating the information and determining whether a response was necessary. One of the benefits of Sentinel's automation capabilities is the ability to automatically trigger an action or response activity, which is a significant advantage.

The automation capabilities have helped reduce our mean time to respond. Automated events can prevent a problem from escalating beyond a single incident to multiple occurrences before we have to respond to it. In this way, automation effectively catches problems right away.

Sentinel has helped to improve our visibility into user and network behavior. This is extremely important because it allows us to have a better understanding of how users and networks are behaving.

Sentinel has helped reduce our team's time.

Sentinel has streamlined our event investigation process by eliminating the need to manually track down specific event activities. The rules are now automatically identifying and processing these activities, significantly reducing the time required for investigation. Tasks that previously took half an hour can now be completed in under five minutes.

The analytic rule is the most valuable feature. It allows us to assess the various use cases we've developed and then automate those processes accordingly. I consider it a force multiplier. It empowers a small team to achieve a significant impact, whereas previously, I would have relied on multiple individuals. By utilizing it, we can accomplish more with fewer resources.

While I appreciate the UI itself and the vast amount of information available on the platform, I'm finding the overall user experience to be frustrating due to frequent disconnections and the requirement to repeatedly re-authenticate. Microsoft needs to address these usability issues to enhance the user experience.

I have been using Microsoft Sentinel for seven months.

The stability is exceptionally reliable. I tend to be quite vocal when things don't function as expected. The web interface requires using a browser for interaction, and I often find myself multitasking between Sentinel-related tasks and other activities, such as responding to emails. When I return to the Sentinel interface, I'm prompted to re-enter my credentials, which causes me to lose my previous work. If I'm using KQL to query data, I frequently have to restart my work from scratch. This can be frustrating, but I've learned to copy my work periodically to avoid losing it. I haven't encountered this issue with previous platforms, even those that use web interfaces.

Sentinel boasts exceptional scalability. While it's crucial to monitor data ingestion costs, Microsoft has effectively crafted a platform capable of expanding to accommodate far greater volumes than initially anticipated.

The technical support has room for improvement.

Neutral

The initial deployment was straightforward. Our strategy was to consolidate onto a common platform. We have a significant portion of our security information being handled through SysLog events. As a result, it was almost as straightforward as simply rerouting data from the old platform to the new one. This served as a preliminary test of the new platform to ensure it was functioning as intended and could effectively redirect and handle the increased volume.

The deployment likely involved six people, but not all at the same time. There were six people involved in the deployment overall, but we probably had four people working on it at any given time. From a headcount perspective, I believe four people is the appropriate number.

We employed a third-party company for the implementation because we sought expertise in Sentinel and the Azure platform, and we aimed to augment our existing staff.

We have achieved a positive return on our investment. In my previous jobs of comparable size, I would have needed approximately three people to manage the event activity and to handle and respond to it. Here, we can accomplish this with two people. As a result, we have saved at least one headcount with our current staffing levels. Additionally, as we expand the platform, we will not need to increase the headcount to manage the growth.

Microsoft Sentinel can be costly, particularly for data management. While Microsoft provides various free offerings to attract users, these benefits can quickly become overwhelmed by escalating data management expenses if proper precautions are not taken.

I don't think it's Microsoft engaging in underhanded tactics. I believe the issue lies with customers not paying close enough attention to what they're enabling. Initially, they're excited and eager to incorporate everything, but before they realize it, they've incurred unexpected costs.

Azure Monitor Log Analytics and Sentinel have different subscription plans and pricing tiers. This segmentation was implemented to accommodate the distinct business relationships within our organization. Sentinel costs are managed separately from Azure costs.

The decision to adopt Microsoft Sentinel was made before I joined the organization. I understand that they evaluated all the major solutions available, including Splunk and QRadar. However, due to the selection of a cloud-based solution, they opted for Microsoft Sentinel as it aligned with their overall strategy.

I would rate Microsoft Sentinel eight out of ten.

We've got a user base globally of about 5,000 people.

Microsoft Sentinel does require maintenance, which includes monitoring the incoming data and ensuring that everything is functioning as expected. While automation simplifies many tasks, it doesn't eliminate the need for oversight. We still need to verify that everything is working correctly. Part of the maintenance cycle involves ensuring that the automation agents are operational and performing their intended tasks and that events are being collected and evaluated properly.

Users need to have a clear understanding of their goals before selecting a solution. I have encountered too many people who believe that simply choosing a solution will resolve all of their problems. It is crucial to understand the desired outcome and the specific requirements of the use case to determine whether or not Sentinel is the appropriate fit.

My recent experience with Microsoft Sentinel involves my current work at another Government of Canada client where we are rolling out Microsoft Sentinel as their SIEM product of choice. In doing so, we are looking at connectors and data sources that we are going to be ingesting into Microsoft Sentinel. We are also examining the determination of whether it makes sense to look at a LAW or a Log Analytics Workspace on a per-subscription basis versus an aggregated approach where it is one subscription, but we are ingesting data from many different sources. It comes down to how much data has to be parsed by Microsoft Sentinel and what the volume is because you are paying essentially for Microsoft Sentinel to ingest the data. These are the analytical discussions taking place right now.

Some of the best features of Microsoft Sentinel are that it is cloud-based, which from a CapEx perspective saves clients money in procuring on-premises infrastructure. It proves to be a dynamic tool because we use it for not just IaaS related resources, but also for SaaS related resources. Additionally, we have some on-premises infrastructure that will be feeding Microsoft Sentinel log data as well. Looking at it as a SaaS tool makes it easier to leverage, procure, and configure without the need to be concerned about buying hundreds of thousands of dollars in gear from a CapEx perspective.

The automated response capability in Microsoft Sentinel enhances our security posture quite beneficially from a SOAR perspective. One of the things that we are looking to do is alleviate some of the day-to-day actions and functionalities from our SOC personnel. Anything that can be automated from an investigative or event-related perspective is helpful. Microsoft Sentinel is a great example of a SOAR tool, and that is the intent for the current client; they want to be able to automate as many of these functionalities as possible.

To improve Microsoft Sentinel currently, focusing on the quality of the telemetry is essential. The data sources are critical, so understanding where they are located, how much there is, and what kind of telemetry is coming in from these data sources is vital. We are looking to reduce the amount of non-critical data; it is important to ensure that the quality of the log data ingested by Microsoft Sentinel is high.

The government deals with international entities, so it is necessary to ensure from a threat hunting and workbook perspective that if suspicious event information is generated by Microsoft Sentinel, there is good quality telemetry and understanding of where this is coming from and what kind of alerts are being generated. It is about being able to use as many features of the tool as possible and making sure that with these connectors in place, the quality of the data sources is high.

We are currently implementing Microsoft Sentinel.

We have dealt with Microsoft support, and I would rate their support highly. We have good relations with the Microsoft resources in Ottawa, and the account manager we have dealt with is leading our efforts. We have to speak to what is referred to as one of the support ninjas, who is our point of contact. He has been very helpful, and where needed, we have been directed to other support resources, so overall it works well.

Positive

The initial setup of Microsoft Sentinel is a gradual iterative process for this case. There is the initial deployment of Microsoft Sentinel itself, setting up the Log Analytics Workspace, and then going through the configuration again, looking at what we want the tool to ingest.

We have a Power Platform tenant, so we are pulling in SaaS data from the Power Platform tenant. We do have an IaaS environment as well, so there will be some endpoints and other services that we will be pulling data in from that. Additionally, the majority of our applications are located on-premises, so we will be ingesting on-premises log data as well. This is done through an Event Hub, where you set up an Event Hub to ingest that on-premises data, which gets repackaged through an API call and sent to Microsoft Sentinel.

With those three environments actively generating log data, the full deployment of Microsoft Sentinel is realized over time. We have SOC personnel that are not highly knowledgeable about the tool, which is why it is taking more time to ensure that the configurations are correct and appropriate while tracking costs. At the end of the day, we want to use as many features of the tool as possible, and I estimate that over a year, maybe a year and a half timeframe, we will go from the initial setup to a fully blown deployment with all of the connectors in place and all of the threat hunting configuration done; it is a gradual process.

The AI is helping us improve threat detection from a generative perspective, although not yet from an agentic perspective. When looking to leverage LLMs for various tasks and for seeking information, it is great. However, given where we are in the deployment lifetime for the tool, we are not really leveraging AI as it is incorporated into the tool yet, such as looking for various analytics and data sources and suspicion around those data sources. That functionality will come, but it certainly is helpful when looking for information right now. I rate Microsoft Sentinel 8 out of 10.

In our Security Operations Center, we rely on Microsoft Sentinel for continuous security monitoring. We collect logs from various customer environments and define security use cases with correlation rules to analyze activities. These rules leverage predefined criteria to identify potential malicious behavior. Microsoft Sentinel serves as our central platform for security monitoring, investigation, and remediation of security threats detected through alerts.

The biggest challenge in security monitoring is managing the vast amount of logs generated daily from various devices like web servers and firewalls. Microsoft Sentinel tackles this by collecting all logs in a central location and allowing us to define rules. Using its query language, we can search across these logs for specific conditions, like malicious activity. If a suspicious event is identified, Sentinel generates an immediate security alert, enabling our team to investigate and take appropriate action to stop potential attacks.

Microsoft Sentinel helps us identify security threats through built-in machine learning. It analyzes network traffic patterns and can detect anomalies, like unusually high data transfers outside typical hours. These anomalies trigger alerts, allowing for early intervention.

Microsoft Sentinel shines in its ability to bridge hybrid and multi-cloud environments. It seamlessly integrates with on-premises infrastructure through Azure Arc, and even private clouds can be connected via Azure Gateway and a VPN to the Azure Log Analytics workspace. This unified approach ensures all our security data, regardless of origin, is ingested and analyzed for potential threats.

Microsoft recently launched Content Hub, a marketplace for pre-configured security solutions within Azure Sentinel. Unlike our previous experience setting up data connectors a few years ago, Content Hub offers a one-stop shop for integrating security tools. When we choose a data connector, we also get pre-built correlation rules, playbooks, and workbooks – all packaged together for faster and more effective security monitoring. The content hub streamlines onboarding pre-built SIEM content, especially during the initial SOC setup. When starting fresh with a new environment and unsure of specific use cases, we can search for relevant data sources in the hub. Once integrated, the content hub provides pre-configured rules alongside those connectors. Simply enabling these rules offers substantial coverage for our MITRE ATT&CK mapping, a framework that assesses our ability to detect various attack techniques. By leveraging these out-of-the-box tools, we gain significant initial security coverage with minimal effort.

The content hub helps us centralize all of the out-of-the-box content available from Sentinel.

Sentinel acts as a central hub, bringing together information from various sources both internal, first-party, and external, third-party into a single, unified view. This allows us to analyze logs stored in different tables, regardless of their naming conventions. By defining correlation routes, Sentinel can examine specific activities across these disparate sources. For example, we could create a route that checks firewall logs for suspicious activity and then correlates it with specific user actions in Windows device logs, providing a more comprehensive picture of potential security incidents.

Sentinel improves our visibility into user and network behavior through a feature called User Entity Behavior Analytics. This leverages Microsoft's machine learning to analyze user and device activity. If we're investigating multiple security incidents involving a user or device, UEBA provides a broader view. We can directly access the user's history of incidents and visualize their connections to other alerts and impacted devices in a graph format. This allows for efficient investigation of complex incidents impacting multiple users and devices.

Microsoft Sentinel streamlines security incident investigation. The incident page clearly displays involved entities and details of triggered alerts, including logs. This allows SOC analysts to quickly assess the situation and potentially predict the nature of the activity, even before diving into event logs. Sentinel's powerful query language further simplifies investigation by enabling easy data visualization, formatting, and custom functions, all within various timeframes. This significantly accelerates the overall investigation process.

Sentinel has streamlined our event investigation process. By allowing us to predefine keyword queries for specific alerts, it eliminates the need to manually craft queries each time. Similar to how SOCs use pre-defined playbooks for various incidents, Sentinel lets us define queries that return relevant data quickly. This cuts down on investigation time by allowing us to focus on the specific alert and the data it generates.

Microsoft Sentinel stands out among SIEM tools for its user-friendliness and powerful built-in query language. This language, included at no additional cost, allows for easy data collection, sorting, formatting, and visualization, making it accessible even to non-experts. Additionally, its seamless integration with other Azure products eliminates the need for custom parsing logic, saving time and resources.

Microsoft Sentinel's search efficiency can be improved, especially for queries spanning large datasets or long timeframes like 90 days compared to competitors like Splunk. While Sentinel might take several minutes to return results for such investigations, Splunk queries are significantly faster.

I have been using Microsoft Sentinel for two years.

Since the entire Azure Sentinel analytics workspace resides within the Azure environment, we've never experienced lag or downtime. This is because Microsoft handles all data storage, hosting, and infrastructure maintenance. As a result, we're relieved of those burdens and haven't encountered any Sentinel downtime.

Microsoft Sentinel's cloud-based deployment on Azure allows it to scale automatically. This likely involves built-in load-balancing mechanisms that distribute processing across different Azure resources when needed. This ensures Sentinel can handle increased workloads without manual intervention.

While I wasn't involved in deploying Microsoft Sentinel myself, I did help configure and set it up on our end. The initial setup process wasn't particularly simple, but it wasn't overly complex either.

While the user interface in Azure simplifies the deployment process of Microsoft Sentinel, some architectural knowledge is still necessary. The initial configuration might involve just a few selections, deciding on the deployment architecture, data replication workspace locations, etc. requires experience. This prior experience, however, should make integration with existing systems smoother. Three people on average are required for the initial deployment.

Our Microsoft Sentinel implementation approach depended on available time. For complex deployments, we handled it directly. In time-sensitive situations, we collaborated with teams managing the devices, providing them with implementation steps and troubleshooting support as needed.

While I wasn't involved with the specifics of Microsoft Sentinel's pricing, my understanding is it scales based on data ingestion. This means we only pay for the amount of data we bring in, which is fair. However, if a device generates excessive data like hundreds of GBs daily, investigating the cause becomes crucial to avoid unnecessary costs. In most cases though, the pay-as-you-go model shouldn't be an issue.

I would rate Microsoft Sentinel eight out of ten. I've tried Splunk, QRadar, and Azure Sentinel. While Splunk requires knowledge of SPL for deeper exploration and QRadar's query language isn't powerful, Azure Sentinel strikes a great balance. It offers a user-friendly interface for basic investigations without needing a query language but also allows for custom queries and visualizations for advanced users. This makes it the most versatile of the three.

Splunk requires users to learn SPL for full functionality, making it less accessible for basic investigations. Conversely, Microsoft Sentinel's intuitive UI allows even those without KQL knowledge to conduct basic security analysis through its built-in features and informative interface.

Because our service is hosted on Microsoft's cloud, they completely manage all maintenance tasks, freeing us from infrastructure management responsibilities.

Microsoft Sentinel is a monitoring tool. It is a SIEM solution and is used to gather logs. It allows us to analyze and understand the flow of information based on the events that happen and the systems we connect it to. 

I explain it to my customers as being almost like an octopus. It sits in the middle of a tank, and it has all these tentacles that connect to different systems. We bring that information in via those connections, and then we query them. We can centrally analyze, examine, and understand the data that comes in through the analytics or the capabilities that Azure links to Microsoft Sentinel, which is Azure Log Analytics Workspace. We then use queries to help us understand or make sense of the data. We can have dashboards and visualize them. 

We use it to set up monitoring for cloud infrastructure and we use it as part of a larger monitoring capability around setting up a SOC capability. We are then able to keep track of infrastructure and mitigate risks.

Microsoft Sentinel gives visibility to some degree to all of the customers that I work with. It has given us more visibility into the accurate state of the endpoints being monitored in near real-time. 

With the solution, we are now able to respond to incidents in a more timely fashion, which helps us. It helped us to understand what is happening and make informed decisions as a result. It has given us a more comprehensive and holistic view of the ecosystem that exists, and not just an individual piece of that ecosystem. It does not give a view of just one server. It also gives a view of the supporting infrastructure around it. It has given us a lot more visibility, and it has made us smarter in terms of being able to defend ourselves against bad threat actors and the harm they look to do. It made us better armed and more informed, and therefore we can offer a better defense that will hopefully ward off some of those bad actions.

Microsoft Sentinel helps to prioritize threats across the enterprise in several ways. This capability is linked to other technology elements that make up the overall security posture of the Microsoft offering. Microsoft Sentinel, in particular, allows us to look at the flow of information coming through the connectors from various systems. This helps us create alerts and analyze that data so that we can bubble up and see what is happening. We can tie that into the Microsoft Defender stack or the products in the Microsoft Defender ecosystem, and we can take action and monitor. 

Whether it is being alerted, manually choosing to do something, or automating through the broader security capabilities of the platform, we can take action. When we tie in the broader security capabilities that involve governance, risk management, and compliance (GRC), and we have all the tools at our disposal to do that, Microsoft Sentinel becomes a huge ingestion engine that brings in signals. The telemetry and data from all the monitored endpoints allow other capabilities to access that data so that we can monitor it. We are then not only well-informed, but we can also choose how to respond. We can respond through a combination of automation and manual actions. If something occurs, we can then kick off an incident response to deal with it. If needed, we can quarantine and mitigate it. We have a rich set of capabilities but also a very flexible set of opportunities to respond because we are given near real-time information. We can analyze that information in near real-time to make informed choices when it comes to threat intelligence, threat mitigation, and threat assessment.

I use all of the products that Microsoft has in the market in various architectures or configurations with different customers, and I have used them for many years. Various customers use the entire suite of offerings that Microsoft has in the security space in terms of governance, risk management, and compliance, such as Microsoft Sentinel and Microsoft Defender. There are also solutions like Privileged Identity Management (PIM), which is now a part of Microsoft Entra, which has been renamed. I have integrated these products and set up the architectures or designs for customers. The setup depends on the size of the customer and some smaller businesses do not use all of them. They license at lower levels and do not have the business case, the resources, or the need to use them all. Larger companies tend to utilize more of them. Because I work with different-sized companies, I set the solutions up and have used them in a variety of circumstances across the board for different companies. 

In the beginning, like any technology, it was a little harder to integrate when the products were new. As they matured and went through iterations, they became easier to work with. Utilizing a new product is more painful than using a product that has perhaps been out for a year or two, that has been vetted and maybe has gone through one major update or release. The integration has gotten better over time, and the product lines continue to mature and become more powerful as a result.

Microsoft security products work natively together to deliver coordinated detection and response across the environment. For this, you need to use the appropriate connectors to bring in the information from both Microsoft-centric and third-party systems that you want to incorporate and monitor. It is bounded by the vision of the architecture that allows you to connect those systems and the availability of those connectors. Assuming those systems are connected properly, brought online, and are reporting, it gives you the depth of visibility that you need to manage both Microsoft and non-Microsoft systems.

Microsoft security products provide a very thorough set of security. Microsoft is looking at billions, perhaps a trillion, individual data points a day at this point across the Microsoft ecosystem, which includes everything Microsoft does, all customers, and all interactions. They take all that information and analyze it with dedicated security teams, machine learning and artificial intelligence, business analytics, etc. They turn that information around and make it available for customers who are consuming the threat analysis and threat intelligence capabilities on the platform. Some of the solutions are available for free to everybody regardless of licensing. For others, you need enhanced licensing to take advantage of it fully. The threat intelligence feeds, the live analysis, and the security posture that Microsoft provides to its customers globally as part of the shared responsibility model have matured tremendously. They are the best. You get incredible value for the amount of work that goes into providing that. The customers I work with are very happy with the work that Microsoft does and continues to do in that space.

We use the bi-directional sync capabilities of Microsoft Defender for Cloud in some cases. It is a very useful feature for myself and my customers. It is very important because it allows us to use the Defender product, which is made up of maybe 20 individual offerings at this point. There are a lot of different sub-areas that you have that you can attach the Defender product to. This concept allows us to be able to have the endpoints monitored, whether they are the servers or the service that Defender would monitor and protect. It allows us to understand what is happening with them and to have near real-time updates about their status. We can see the impact of potential threats that are attaching and risks that may become apparent, and we can see the impact of remediation or the things that are being done to stop those things or perhaps forestall them, hopefully, to prevent them from harming. This capability is very important, and it is one of the secrets that allow that platform to not only be very flexible but also very impactful in terms of monitoring the bulk of the infrastructure and services that most customers would have running in a public cloud, whether it is Microsoft or any other public cloud, such as Amazon, Google, etc. We can monitor any infrastructure and understand it, especially customers' environments that are hybrid where they have on-premises as well as cloud or multi-cloud infrastructure with more than one cloud. To be able to monitor both on-premises and multi-cloud environments is a requirement today, and Microsoft provides those capabilities but not all other providers do. 

It enables us to ingest data from the entire ecosystem as long as we are using a connector to link to the infrastructure that we need to monitor and as long as there is a connector for monitoring that infrastructure. So, as long as the pipe exists, we connect the pipe, and we can monitor the infrastructure. For a majority of mainline infrastructure or a majority of third-party vendor systems today, there are connectors. For some smaller systems or proprietary or custom systems that some companies run, there might not be connectors, but for mainline systems that you would buy, acquire, or use from large-scale SaaS vendors, connectors have been there for a while. As long as we are running connectors to that infrastructure, we can monitor almost anything that we have.

Sentinel enables us to investigate threats and respond holistically from one place. We have a central dashboard that we can use to monitor and then from there, do the analysis and also create the remediation if necessary. This functionality is very important. The biggest mistake vendors make in tool design from a UI/UX or user interface/user experience perspective is that they do not make things centrally available and obvious for the administrator or the end user who is going to run or use that system. Generally, if something is overly complicated and not very intuitive, it is hard to get people to buy into using something. With Microsoft Sentinel, you can have everything in one place and visualize the impact of the threats, the risks, the incoming data, and the number of incidents, events, or alerts that are happening. All those things are visually represented in the opening part of the dashboard. You could drill down from there with a navigation area that is intuitive and easily understood. That makes it very easy for different users, such as administrators and managers, and other user profiles that have different reasons for being in the tool, and that is the hallmark of a good design.

When you look at it holistically and look at what it is linked to in terms of the broader security platform that Microsoft provides, it is very strong, and it continues to get better. When you ask anyone about their thoughts about a product and how it works for their customers, the mistake that people often make in describing something is that they say, "I think it is great, and it is great for us. It does everything we need." That is good, and it should be. I can say that for the majority of my customers without any ambiguity or concern about being accurate, but the thing you have to add is that there are always things that we do not know that we need to do until they occur. We might not have seen that threat before. Maybe there is a new advanced persistent threat or zero-day exploit that we have to contend with, which we have not been aware of until now. The hallmark of a really good tool is its ability to integrate that new information in a timely fashion and have the flexibility to mature the tool over time based on feedback and iterative use. The strength that Microsoft has brought to the platform over time is the ability to listen to its customers and make sure they are offering based on that feedback. It is good, and it continues to get better. Today, it is good, and tomorrow, it will be better because of that thought process in the way they engineer over time.

Microsoft Sentinel helps automate routine tasks and the finding of high standards. If you set it up the right way, it does that as one of the key things that it is designed to do. It has streamlined our ability to respond, so response time has gone down. It has enhanced our understanding because automation is managing some of the remediation and the menial, repetitive ongoing tasks of:

• Paying attention to information flows.

• Picking out the most important elements.

• Prioritizing them and bubbling them up.

• Creating alerts around them and then telling people that these things are happening. 

Automation lets you do that without having to spend human or people cycles to do that. The automation never gets tired and it never gets bored. It never needs to take a break. It never gets distracted. Because of that, we find not only more things we need to react to, but we react to the things that we truly should be chasing. We are not distracted as much by things that seem to be important, but we find out that they are just ghosts. They are false flags. The ability to bring machine learning, artificial intelligence, business analytics, and data visualization as a part of automation has filtered out a lot of the background noise that distracts. It has allowed us to hone in and refine our activity cycles around the most important things that we have to pay attention to.

Microsoft Sentinel helps eliminate having to look at multiple dashboards and gives one XDR dashboard if you set it up the right way. I have seen it set up in ways where it does not do that because it is not optimized, but if you are using it the right way, if you understand the tool and how to integrate it properly, then it gives you that single dashboard where you can directly find the information or link through a smaller visual tile that will take you to that information that you need if you need to drill down in a deeper, more meaningful way.

Its threat intelligence helps to prepare for potential threats before they hit and take proactive steps. If you are integrating the threat intelligence feeds from Microsoft and looking at them, everything is relative. They are there if you are smart enough to consume them and understand what you are looking at. In other words, people who are paying attention to them and are using them properly are getting tremendous value out of them. Microsoft globally examines billions, if not a trillion, of individual telemetry data points every day and incorporates that into their threat analysis feeds, so no individual company, irrespective of how big they are and how much money they have, can bring that kind of at-scale analysis to that problem. As a result, you are getting a tremendous amount of data that is being vetted, analyzed, and distilled down to meaningful actionable intelligence. It is consumable because it is presented in a very summarized and succinct way. It is very valuable, but you have to be able to understand that and utilize that to draw value from it.

We have saved me time with Sentinel. The ability to have the power of Microsoft as a global scanning organization service provider at my disposal is helping me to better understand the environment I operate in through threat intelligence and threat analysis. In addition, the ability to automate at scale across the platform and to have the research and design that is being done to continuously upgrade and add features to those platforms has made me a much more capable and therefore, more successful security practitioner. It is hard to quantify the time saved. It would probably be a very extreme exercise to go back and do that, but it is fair to say that over a year, we have probably saved a thousand or more human hours. I look across a team for one of the customers that I work with, it is fair to say that we have saved at least a thousand human hours for a year by relying more on the automation toolsets. That is about ninety hours a month on average. We can break it down to 15 or 20 hours a week or something like that, but the reality is that it is about a thousand or more hours that we have saved in a year.

Time to detection has decreased, and the time to respond has gone. They both have decreased. That has been an outcome that we have seen and is measurable. It goes back to the investments you make in building out that architecture in terms of:

• How many systems are you monitoring or how many are you connecting?

• How much data do you have coming in? 

• What are you doing with that data and how are you using it? 

If you are building out a full SOC analysis capability or a full monitoring solution, and you are typing this into incident response and alerting and event continuous monitoring through automation, time to respond and time to solution is going to decrease as a result.

It can connect to an ever-growing number of platforms and systems within the Microsoft ecosystem, such as Azure Active Directory and Microsoft 365 or Office 365, as well as to external services and systems that can be brought in and managed. We can manage on-premises infrastructure. We can manage not just the things that are running in Azure in the public cloud, but through Azure Arc and the hybrid capabilities, we can monitor on-premises servers and endpoints. We can monitor VMware infrastructure, for instance, running as part of a hybrid environment. The continuing evolution of what we call the connectors, which is the marketplace that lets us connect these systems to Microsoft Sentinel, is probably one of the most important features.

The reliance on a very simple but very powerful query language called Kusto Query Language or KQL that Microsoft uses to allow us to log into the analytics workspace to assess and analyze the data is also valuable. That has made it very approachable and very scalable. Those are very big and important things for me as a consultant, as an architect, and as a person who is implementing these solutions for customers and who is explaining them, and ultimately working with them. This makes the product not only usable but also very flexible. Those are two very important elements.

Everyone has their favorites. There is always room for improvement, and everybody will say, "I wish you could do this for me or that for me." It is a personal thing based on how you use the tool. I do not necessarily have those thoughts, and they are probably not valuable because they are unique to the context of the user, but broadly, where it can continue to improve is by adding more connectors to more systems. 

The really interesting area where we are already seeing the impact is the use of more artificial intelligence. There could be the ability to bring AI into the analysis capabilities of the toolset in more ways so that we can utilize the power that computer analysis at scale has. That is because we are limited. As humans, we can only look at so much information, see so many patterns, and absorb so much in any given cycle of a workday, but artificial intelligence and automation engines do not take breaks. They do not stop. They do not need to. They can go deeper, and they can see more data and ingest more to find patterns that, as humans, we are not going to be able to see. The evolving technology in this area is all moving towards the use of artificial intelligence, embedding it in multiple areas in the platform so that we can be told that there are things that we need to pay attention to that are becoming a problem as opposed to things that are already a problem. Where the biggest improvements can happen is how we move that ability to identify emerging threats closer to the point of contact so that we can interject and essentially stop and disrupt the kill chain of an event series before it harms. Currently, the problem we often have is that things get bad, and until they get bad, we do not really know what is happening, and we do not know how to respond, so we spend a lot of time responding to incidents that have already started or have unfortunately unfolded fully in a reactive manner. The value proposition in terms of improvement down the road is getting better at predictive defense and proactive response before events take place to stop them before they start. That is the future that we are moving towards, and that is where the biggest improvement lies.

Sentinel, which is now called Microsoft Sentinel, used to be called Azure Sentinel. It was renamed about a year and a half or two years ago, but I have used Sentinel for about four years. It was probably released in 2019.

It is very stable. I have had little to no difficulty with it in the more than four years that I have used it or deployed it. I cannot think of a time in the last four years when it was unstable or unstable enough that I had to open a support ticket. I have had issues with it because people have misconfigured it or not set it up properly, but those issues were not related to the platform itself. Those were human interactions that were complicating it because it was not set up the right way. When it is set up correctly, it is a very solid platform with minimal to no downtime. There were no major service disruptions that I remember that caused problems.

It is very scalable. You do not think of scalability necessarily the same way you would if you were setting up a cluster to run virtual machines, for instance, because there, you have to add resources, and you are monitoring to make sure that there are enough resources versus the load in the system. Microsoft Sentinel is a managed solution. You are deploying it, but then Microsoft is scaling it and managing it on the backend for you, so you do not control some of the things that would impact scalability directly. Microsoft is hosting it. It is essentially a service you are consuming. In my history with the product, it has always met my expectations, and I have never had an issue where it could not perform because of a resource constraint, so its scalability is solid, and it is always available when necessary. It is not scalable in the same sense as you would control it by adding hosts to a cluster. It is a different kind of scalability, but it has been rock solid all the time I have been working with it.

In terms of the environment, I have multiple customers, so each one is different, but generically, it is safe to say that it is deployed to monitor infrastructure that is in multiple geographies, multiple data centers, or multiple places both on-premises and in the cloud. It could be hybrid as well as multi-cloud. The infrastructure is being monitored from a variety of different locations. Microsoft Sentinel itself is typically installed and instantiated in one instance. You set it up inside of an Azure subscription and you have one instance. If you need more than one, you might set up more than one depending on the geography and the needs of the organization, but typically, we have one central Microsoft Sentinel instance running, and then you will bring that information into it through the connectors. It is typically going to be a single instance. It will usually monitor geographically distributed architecture, and it will usually operate at scale, so there will be quite a bit of information coming into that at any given moment.

Like anything else, you can get support depending on how you are using the tool and the level at which you are using it. You get basic support from Microsoft. If you have a problem, they are very good at telling you if there are service issues. If you are paying additionally, you can get premium support to support you with the tool. There is an additional fee for platinum-level support or premium support. Their support is very good if you are paying for it and you are able to utilize it. If you are just able to open a basic ticket because you are having a problem, support is good, but you are going to be limited in the help you are going to get. To talk to a high-level engineer to deal with complicated issues, you are going to need to pay extra money for support. Overall, I would rate their support an eight out of ten.

Positive

I have used several different solutions over time with different customers for different reasons. I work with a lot of different customers. I set up solutions for different customers. They have different technologies and different needs, and some of them have a bias towards certain products and against others, but I have used products like ConnectWise, which is a SIEM solution, and Splunk, which is probably one of the biggest ones out there that most people would name if you ask them. Splunk is probably at the top or near the top of everybody's list. Datadog would be another big one. I have used LogPoint and GrayLog. I have also used ManageEngine's Log360. SolarWinds is another popular one that I have come across pretty often. I have used many more than that, but those are probably the top five or six that I have used. They are the ones that customers tend to use a lot. Some of them are still using those products and have chosen not to move, but the ones that have chosen to move have done that because of two things. The cost plays a part. They have the ability to leverage a tool that is already built into the platform and that may be easier to work with and integrate in a more readily accessible fashion, and it would be as expensive and maybe less expensive over time. It might also seem to be a better architectural choice for them as they look at an upcoming renewal cycle, or they have heard or been told that they need a certain capability or feature and the vendor that they are currently using does not have that or it is not as easily accessible or readily available, but Microsoft Sentinel has that capability. It has connectors to those other platforms, but for whatever reason, their particular vendor does not have that connector, or they might promise to deliver it but it is not going to be ready for six months. It comes down to features and cost. These are the two main reasons or two main motivators to drive people to migrate.

In terms of the cost and ease of use of Microsoft Sentinel against standalone SIEM and SOAR solutions, it is difficult to do an apples-to-apples comparison. That is because, in theory, you can look at Microsoft Sentinel as a single standalone product with its own cost associated with it, but it is linked to, consumed by, and used in partnership with many other systems and tools that also have a licensing cost. Some of it is built-in and some of it is an add-on, depending on where you are and how you choose to license. In other words, Microsoft Defender is a per instance per month cost that is additional to using the Microsoft Sentinel product, and what you get with a standalone solution is essentially just the SIEM or the SOAR capability. You are not getting the capability to blend them across the platform, or if the vendor does both, you are buying them as an all-in-one solution and you are paying a monthly fee per user based on licensing. 

From my perspective, cost comparisons are not as accurate. When a customer asks whether Microsoft Sentinel is going to cost them less or more than using this other tool, it is a very simplistic way of looking at the tool, and it is a very operational-centric or OpEx discussion. When anyone asks about the monthly fee for the investment in this tool, you have to be more strategic. When you look at a tool, features, and capabilities, the capital expense is broader than just the operational expense. You have to understand the strategy associated with the tool decision and the impact and value of the tool. 

Microsoft Sentinel gives a good value for money or a return on investment in terms of what it costs you to run it. When comparing it to any of the other major competitors in the market, it is as cost-effective and perhaps even more cost-effective than some of them. It certainly is very competitive, but people do not necessarily understand the subtlety in that assessment in terms of how they are integrating the Microsoft Sentinel solution or the third-party solution into the broader context of their infrastructure and security posture. That is where they run into issues that become more prohibited from a cost perspective, both hard and soft. For example, the hard cost could be $15 a month per user to license or $15 a month per endpoint and $100 per gigabyte of storage or something like that. Those numbers are wildly inaccurate, but you do have hard costs, and then you have soft costs, which include what it costs you to train people who have to use that technology or to train people who have to manage it ongoing and integrate it. You might have to hire consultants to do that, for instance. Those are hard and soft costs. When you are using a Microsoft product and you are Microsoft-centric, you overcome some of those soft costs because you have people who already have skills on the platform. You are already integrating that technology. Microsoft is doing that for you. You do not have to do it yourself. As a result, some of what I refer to as hidden costs are not as high with a Microsoft solution as they would be with a third-party solution. If you are already Microsoft-centric and you are using a majority of Microsoft Azure and Microsoft 365-based infrastructure in some form, it is easier to implement that technology. It costs less when you go forward with Microsoft Sentinel than it does when you try to bring in a third-party external SIEM or SOAR and tie it into the Microsoft platforms and have it do the things that you are looking for it to do.

It is predominantly deployed for public cloud use, meaning customers hosting on a public cloud are using it. They are hosting in Azure, for instance, and they are running their cloud infrastructure in that cloud environment. You can link to on-premises resources in hybrid scenarios, and you can certainly make the case that it can be used for private cloud as well because you can extend it to the on-premises environment. It can be used to ingest information in a multi-cloud environment, meaning you can bring in infrastructure information from Amazon or Google, the other two major public cloud provider platforms, as well as VMware, which, in its own right, is a public cloud provider. So, it can be used or potentially be available to consume data from any of those areas.

I have been involved in the deployment of hundreds of instances of Microsoft Sentinel. Its initial deployment is straightforward. In terms of implementation strategy or how to approach it, it is important to spend a lot of time with whoever the customer is. I work with multiple customers. I ask them what sound like fairly simple and simplistic questions but are very important questions. What are they looking to accomplish by deploying a SIEM solution? What is the business requirement that we are addressing by deploying the solution? We need to define that and understand that because oftentimes, we find that the customer says, "Well, we think we need, for instance, X." We talk about it, but realize what they really need is perhaps X with other things or it is not X at all. It is really W. They just thought it was X because somebody told them that. They did not know any better, so asking W&H is important.

• Who is this for?

• Who are the stakeholders?

• Why are we doing this?

• What are we looking to accomplish?

• When are we looking to get it done?

• What is the timeline?

The where and the how are not as important because it is typically in the cloud, and we are going to have qualified people deploy this architecture and we are going to run it in Microsoft, Amazon, or whatever. If we ask those questions upfront, then we can come up with a deployment plan and architecture solution that approximates the customers' needs but also meets their expectations, so for me, a project's success or failure lies in planning. The majority of the work you do has to be done in the planning cycle before you do implementation. If you are really strong in planning, then implementation is relatively straightforward. There are not a lot of surprises. As long as you are technically competent, you can do your deployments, and they should be relatively straightforward and minimal risk to the organization in terms of the deployment. If you do not get your planning right, you are opening up a tremendous amount of risk and liability in the organization.

In terms of maintenance, you cannot set it and forget it. Like any other product, it does require maintenance. If you are smart about it and you set it up the right way the first time, it will take care of itself, and it will certainly operate well at scale, but you have to examine it on an ongoing basis. There is always an opportunity to refine and update connectors. You can add new connectors as you need to extend the reach of the tool. You may have to look at the volume of data that is coming in to refine the amount of data that you want to store, pay for, and analyze, and then you have to look at the queries you are running to be able to stay on top of the data to extrapolate meaning. So, there is maintenance that goes into using a tool like this. There is no checklist that you go through every day, but there are absolutely things that have to be done on a daily, weekly, and monthly basis to keep the tool running properly.

I am the one who handles the deployment. It is rare that I would not do it myself or work with a team that would be empowered to do it as part of that.

The deployment, depending on the size of the deployment, could be done by as little as one person. It does not necessarily need a huge number of people to be associated with it. The bigger need there is what you do once the initial deployment is done, meaning fine-tuning the operation of that. When you add all that in, you typically look at a team of anywhere from three to six individuals. There are incident management and response and SOC analysis people. There are also network people. There are different people who would play a part in ultimately standing up and optimizing a tool like this, but usually, four to six people play a part on average.

There is absolutely an ROI if it is architected properly and the customer has the right expectations going in.

Microsoft Sentinel has saved my customers money. There is an initial investment upfront, so you have to spend money to save money. There is an initial investment upfront of hard and soft hours, but if the systems are set up properly and optimized and you have people who understand them, one of the things that you are able to do is look at the redundancies in your security stack or in your provisioning. You can look at tools that you may be able to move away from at the end of a license period instead of renewing, for instance. You can do away with that redundancy and focus on simply using the Microsoft toolset, so you tend to find that there is definitely an economy of scale there in terms of recouping those returns on investment. There may be a one to three-year cycle to see those savings. It depends on where you are with redundant tool sets that you have identified to be eliminated and where you are with a contractual licensing obligation of time cycle or license period before you have to pay to renew based on current investment, so it may lag a little bit. You do not tend to see those results right away. They tend to lag anywhere from 12 to 36 months, but at the end of, for instance, a three-year cycle, you are not spending another $300,000 to re-license a new tool. You are saving that money. You can then work backward and say that on average, you are now saving x amount of dollars a month going forward because you are not making that investment anymore. You definitely do see investments that yield value, but they tend to lag.

It is priced fairly given the value that you get from the use of the product. The biggest mistake people make with Microsoft Sentinel is not understanding the pricing model and the amount of data that they are going to be running through the tool because you are paying based on the flow. You are paying based on the amount of data that is moving through the tool. People do not plan, and therefore, they get surprised by the cost associated with using the tool. They connect everything because they want to know everything, but connecting everything is very expensive. They might not need to know everything. That is what I talk about with customers. It would be nice to know everything, but it might not be affordable or cost-effective. Microsoft Sentinel provides good value for the money. It is competitive with any of the other offerings out there based on the cost, but the mistake customers make is that they do not understand the cost model for using a SIEM solution regardless of whose solution they are using. When they get visibility into that model, it becomes a lot easier for them to make informed decisions.

I certainly evaluate products all the time. I am always looking to see what capabilities exist and which vendor can offer me the best mix of features and capabilities for the price, and then I make recommendations to my customers as a result of that. Microsoft Sentinel is a newer product in the market in terms of time. It has only been around for about four years, whereas some of the other products, such as Splunk, have been around a lot longer, so I tend to find people evaluating Microsoft Sentinel versus the other products they already possess when they are looking to move.

To those evaluating this solution, I would advise doing their due diligence. They have to understand the technology, the capabilities, and the limitations. They need to assess the business requirements that they are trying to address by deploying a SIEM solution, whether it is Microsoft or not. They need to understand what those key business requirements or key objectives are, and then evaluate the tools to make sure that those tools can achieve those objectives. They can then make an informed decision accordingly.

Microsoft Sentinel is one piece of the puzzle. Threat intelligence or threat analysis is a broader aspect of the security platform that Microsoft provides. It is certainly reliant on the data that Microsoft Sentinel provides, but there is a lot more to it than that. Overall, Microsoft has made tremendous investments in the last five to ten years. Especially in the last five years, in that space, they have developed a threat intelligence, threat analysis, and threat awareness capability that rivals any of the top platforms that are out there today. They continue to mature and grow that capability by maturing the products that support it. Microsoft Sentinel is one aspect of that. The Microsoft Defender stack or all different Defender products are a part of that. A few years ago, it would have been very hard to make the statement or make the case that Microsoft has a mature offering that is certainly at the very top along with other offerings that are often talked about as being at the top in that field. Today, Microsoft competes at the top tier of that field, and their solution is as mature as any of the ones in the market. The challenge with Microsoft solution is that it is very specific and uniquely honed for the Microsoft infrastructure. That is not a bad thing, but it is something that you need to be aware of. It is specifically designed to work with, work for, and wrap around Microsoft's public cloud offering Microsoft Azure and the supporting elements in Microsoft 365, etc. So, as long as you are Microsoft-centric in your stack, in your technology, in your architecture, it is a very valuable piece of the overall threat posture management that a company needs, but if your investment in technology is heavily weighted outside of Microsoft, it is of less value because you need to be Microsoft centric and Microsoft forward to be able to fully leverage that platform.

To a security colleague who says it is better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that it depends on the nature of the organization's technology architecture. If the organization is overwhelmingly single-technology-centric, meaning they use Microsoft almost exclusively, you can make the case either way. Using an external third party not tied to Microsoft is important because now you are splitting your investment, and you are not gambling only on one provider, which is the argument you always hear people make when they say, "Do not put all your eggs in one basket." The counter to that argument is who knows my environment better than the vendor that has made all the technology that I am integrating, and who would be better to monitor it than the vendor that makes all the technology? When I have customers that are single-technology-stack customers, they are almost exclusively or predominantly Microsoft, I counsel them to think strongly about using Microsoft products unless there is a compelling reason not to because Microsoft is going to make a much better solution than a third-party vendor that has to figure out how to connect to Microsoft to use that product properly. Organizations that have a mixed technology environment do not use only one vendor. To be fair, many small, medium, and large organizations are mixed technology environments, and it would be foolish to only rely on one vendor's security solution.

Overall, I would rate Microsoft Sentinel an eight out of ten.

We use Microsoft Sentinel for log aggregation, data connectors, and alerts.

In terms of visibility, Microsoft Sentinel captures a lot of useful data.

Microsoft Sentinel helps us prioritize threats across our enterprise. It shows us the most vulnerable assets, and because we have agents on every machine, we know exactly where to go to investigate. This is important for staying secure as a company. It allows us to cover our own bases by seeing what is happening in real-time and taking proactive steps to address threats, rather than reacting to them after they have already occurred. We can stay up-to-date with security measures and ensure that we follow through and execute our security plan.

We integrated Microsoft Sentinel with Defender for Cloud, Endpoint, and Defender Vulnerability Management. 

Microsoft is not the most vendor-friendly company in terms of integrations and connections, but we were able to get it working in the end, so we cannot really complain.

Microsoft's security tools work natively together to deliver coordinated detection responses across our environment.

The comprehensive threat protection that Microsoft Sentinel provides is good. They provide really good information. We are able to create documents, perform root cause analysis, and analyze anything we need to. Log integration is also key. We are able to find potentially malicious files, correlate events to alerts, and then take action on alerts. So, the comprehensiveness is pretty straightforward.

We use Cloud and Endpoint security. We have our Defender cloud, and then Defender agents on each endpoint. The bidirectional sync capability is important, and it is a work in progress. We are in the process of off-boarding our contract with CrowdStrike. We are moving all of our cybersecurity needs to Microsoft Defender, which is included in our existing Microsoft licenses. This makes financial sense, and CrowdStrike was not providing us with much value.

The system allows us to ingest data from our entire ecosystem, which is very important. This is our main source of correlation of logs to alerts. Therefore, we definitely need to get every single log source, and possibly a few more.

The system allows us to investigate and respond holistically from one place.

It is a very comprehensive tool to use. However, the supporting documentation is limited to initial troubleshooting. This is where I find the most difficulty in explaining how good the tool is. Other than that, the tool is pretty straightforward. There is enough documentation to get us started. However, beyond that, we will need to rely on online forums and other open-source resources to learn more about the tool.

When comparing Microsoft Sentinel to other SIEMs in terms of cost, we are saving money because it is included with our Microsoft 365 E5 licenses. This also helps us to reduce the number of different types of software that we need to use. We do like redundancy in terms of coverage, but the cost of multiple solutions adds up. We want to be able to use one central location for all of our security software. This is one of the reasons why we choose Microsoft Sentinel over third-party solutions. As we move into larger projects, we need to have a centralized place for all of our security policies and procedures.

Microsoft Sentinel helps us automate routine tasks and find high-value alerts. We also use Sentinel as a store for our alerts. This allows us to automate most of our responses if not all of them. We also tailored our alerts to specific events that occur in our environment.

Microsoft Sentinel helps eliminate the need to use multiple dashboards by providing a single XDR dashboard. We currently use Sentinel's workbooks, which provide a dashboard that we can use for metrics, reporting, and other purposes. This makes it easier to relay information upwards, as it is presented in a more visually appealing and easy-to-understand manner. For example, we can use pie charts, bar charts, and line charts to represent data in a way that is easy to understand. This makes it easier to convey information to upper management, such as where we are most vulnerable and what steps we need to take to improve our security.

Microsoft Sentinel helps us prepare for potential threats before they hit by taking proactive steps. We can also detect ongoing incidents. For example, if we receive a ticket or alert that is ongoing and will not go away, we can automate a response to it and add it to our playbook. This way, if a similar incident occurs in the future, we will know what to do to respond immediately.

In terms of automation, I believe we save about 20 to 22 hours per week by closing tickets. We receive about 50 to 100 tickets per day, and we automated about 80 percent of those. This means that we can now close tickets without having to manually review them. This saved us a significant amount of time, which we can now use on other tasks.

We are on the smaller side in terms of the number of logs that come in. So, I don't think it's necessary to compare at this level of data ingestion. However, I can definitely see that if we scale and grow in the future, it will save us a lot of money, especially in terms of manpower and hours that we have to dedicate to automation or non-automated tasks. For example, in the six months that we've had Sentinel up and running, we've saved 755 hours in automation alone.

We currently meet all of our service level agreements in terms of incident response. This definitely saved us time, and we also receive email alerts directly so that we know as soon as something happens.

Log aggregation and data connectors are the most valuable features. We have a plethora of data connectors, so being able to get all of our logs into a central location is very helpful.

For certain vendors, some of the data that Microsoft Sentinel captures is redacted due to privacy reasons. In the future, it would be helpful to have this data unredacted so that we can have a better understanding of it.

Microsoft Sentinel is not the most user-friendly tool. Other tools, such as Splunk SIEM or any other SIEM, are better and easier to use.

Our threat-hunting capabilities can definitely be improved. We do use workbooks to view incoming data, but threat hunting is where we can really find those underlying issues that may not be immediately visible. We will use these alerts as a starting point for our hunting. If we can correlate two different events and identify the same root cause, it will save us a lot of time and resources.

I have been using Microsoft Sentinel for six months.

I would definitely rate Microsoft's technical support low. First, it is very difficult to reach a real person. We are always directed to a bot, which can only diagnose some issues. If we do need to speak to a real person, the wait time is very long. It can take hours or even days to get a call or video conference. Second, the documentation is outdated. This is especially true since Microsoft recently rebranded Azure Sentinel as Microsoft Sentinel. The new documentation is not yet available, and the old documentation is no longer accurate.

Negative

Microsoft Sentinel is included in our E5 license.

I give Microsoft Sentinel a seven out of ten. It has good capabilities, including a large number of native connectors. It is a well-known brand, so it is likely that many third-party vendors will integrate with it in the future. This will give Sentinel a wider range of data sources to collect from. In terms of data connectors, I think Microsoft Sentinel is one of the better options available. However, some of its competitors, such as Splunk and SentinelOne, have better interfaces and support. They may also have some proprietary capabilities that Microsoft Sentinel does not offer.

I believe that duplicating security measures is a good thing. It is also important to have redundancy in tools. If we have multiple tools that cover the same thing, we will have more eyes and visibility, and we will be able to remediate issues as they arise. Therefore, using multiple vendors, platforms, and consoles is the way to go. If we use only one tool for everything, it will be like a Swiss Army knife. We will definitely run into problems. I believe that we should avoid single points of failure at all costs. We should have redundancy in tools, but not just in tools. It is also beneficial for our team to all know the same tool or a specific suite.

I'm using it as a SIEM solution. If I consider the leading clouds, especially Google and Amazon, so we don't have a dedicated SIEM solution available in either and we have to create a SIEM solution by using the native services of those clouds. But Microsoft Sentinel gives us an opportunity to use a direct SIEM solution. 

I have clients from different regions and they already have environments on the cloud with various vendors, as well as on-prem. The problem they came to me with was that they wanted to secure their environments. They wanted to monitor all the vulnerability management, patches, and vulnerability scans in a single place. They have third-party data sources that they wanted to monitor things in a single dashboard. I suggested they use Microsoft Sentinel because it can integrate many third-party vendors into a single picture.

Those are the kinds of scenarios in which I suggest that my clients use Microsoft Sentinel.

One thing that makes our work easier is that Sentinel enables you to investigate threats and respond from one place. We don't need to jump into different portals. We configure the rules there and we have the response plans as well as the recommendations from the Sentinel itself and, from there, we can take action. It saves time. That is a good and really important feature.

Working with Sentinel, trust is something we have gained. My company is a consulting firm and we have multiple clients in different regions. We have Australian clients and have to deal with Australian policies, as well as in India where there are different kinds of government policies. With all these policies that our clients have to accommodate, when we deploy Sentinel, the trust we are gaining from them is good.

We are also able to optimize costs, have stability, and an improved work culture by using Sentinel.

Another benefit is the automation of routine functions, like the creation of incidents. Our SOC doesn't need to create incidents manually. We have playbooks to automate things. That saves time on a daily basis.

A monotonous job was the need to send an email to an affected user to tell them to take an action because their third-party tool was something we didn't have access to. For example, we do not have visibility into the portal of Palo Alto, CyberArk, or Zscaler. My team's job in that situation was to send an email for every alert to tell someone to take action. Now, they don't need to waste their time. With automation, we can create a playbook for that. When an alert is generated, it automatically triggers the affected user to take action accordingly. In the time we have saved, my team has been able to learn and customize KQL queries and enhance their KQL skills.

Another area where it is helping us is in creating a single dashboard for our environment. We can collect all the logs into a log analytics workset and run queries on top of it. We get all the results in the dashboard. Even a layman can understand this stuff. The way Microsoft presents it is really incredible. We can download that dashboard or a report from the dashboard and present it in a team meeting. That is really useful.

Overall, per week, Sentinel saves us 40 to 45 hours, per person. We have a team of 20 people who log in to Sentinel and each of those people is saving something like 40 to 45 hours by using it. In that time we can work on different technologies. It has also definitely decreased our time to detection by 80 percent.

The most amazing aspect of Microsoft Sentinel is the daily upgrading of the product. They have third-party connectors that their people are enhancing on a daily basis. That is what I like about the product. Their people are not sitting idly and saying, "Okay, we have created the product, now just use it." It's nothing like that. They are continuously working on it to make it number one in the market.

It also has a playbook feature so that we can do automation in Sentinel itself, based on the data sources and the logs that we are receiving. That means we don't need to do manual stuff again and again.

Using Sentinel, we can collect all the logs of third-party vendors and use them to analyze what kinds of scenarios are going on in the environment. On top of that, we can create analytics rules to monitor the environment and take action accordingly if there is a suspicious or malicious event.

Something else that is great is the visibility into threats. We have an AI feature enabled in Sentinel and that gives us great visibility into the data sources we have integrated. And for data sources that we don't have integrated, we have a Zero Trust feature and we get great visibility into the threat log. Visibility-wise, Sentinel is fantastic.

The ingestion of data from our entire environment is very important to our security operations. We have clients in insurance and multiple firms that deal with taxation, and we need to do an audit yearly. To do that, we need the data from the whole environment to be ingested into the workspace.

They can work on the EDR side of things. It is already really superb, because of the kinds of features we get with the EDR solution. It's not a standard EDR and they have recently enhanced things. But the problem is with onboarding devices. I have different OS flavors, including a large number of Linux, Windows, macOS, and some on-prem machines as well.

Every time we need to onboard these kinds of machines into the EDR, we need to do it with the help of Intune, to sync up the devices, and do the configuration. I'm looking for something on the EDR side that will reduce this kind of work. They can eliminate having to do manual configuration for the machines, and check the different types of configurations for each OS. In some cases, it does not support some OSs. If they could reduce this type of work, that would be really amazing.

I have been using this product for the last three and a half years.

It is reliable. I would rate it a nine out of 10 for performance and reliability.

The scalability is also a nine out of 10.

We have the solution in different locations and regions. Most of my clients are in Singapore, Australia, and India and we have some European clients as well. On average, our clients have 2,200 employees.

Most of the time, their technical support is very good and very supportive. But sometimes we feel that they don't want to help us. Recently, we had a major issue and we tried to involve a Microsoft engineer. I felt he was not aware of the things we were asking for. 

I said, "That machine is hosted on Microsoft Azure and you and people are managing that stuff, so you need to know that machine inside and out." He said, "No, the configuration and integration parts, in the machine itself, is something I'm not aware of. You people did this, and you need to take care of it." I told him that the challenge we were facing was with the configuration and we do not get those kinds of logs. I suggested he engage some Linux OS expertise for this call, but he said, "No, we don't have a Linux OS expert."

Sometimes we face this kind of challenge, but most of the time their people are very helpful.

Neutral

It is a very simple process to integrate things. On a scale of one to 10, where 10 is "easy," I would rate it at nine. We have a team that takes part with me in the implementation and we divide the work.

And we don't need to worry too much about maintenance. Microsoft takes care of that part.

We do it all in-house.

Microsoft can enhance the licensing side. I feel there is confusion sometimes. They should have a list of features when we opt for Microsoft Sentinel. They should have a single license in which we have the opportunity to use the EDR or CASB solution. Right now, for Sentinel, we have to pay for a license for something in the Azure portal. Then, if we want to work with CASB, we need to buy a different license. And if we want to go for EDR, we need to buy another license. They do provide a type of comparison with a combo of licenses, but I feel very confused sometimes about subscriptions and licensing.

Also, sometimes it's quite tough to reach them when we need a license. We have to wait for some time. When we drop an email to contact them, it is at least 24 until they reply. They should be able to get back to us in one hour or even 30 minutes. They do have a premium feature where, within one or two hours, they are bound to respond to a query. But with licensing, sometimes this is a challenge. They don't respond on time.

If I compare Sentinel with standalone SIEM and SOAR solutions when it comes to cost, Sentinel is good. It is really cheap but that does not mean it compromises on features, ease of use, or flexibility, compared to what the other vendors are providing. When I look at other similar solutions, like Splunk, QRadar, and ArcSight, they are charging more than Microsoft, but ultimately they are not giving us the features that Microsoft is offering us.

Sentinel is far better than these other solutions. I have worked with Splunk in the past and many of my colleagues are working in the QRadar as well. When I talk to them, and when I compare the features, these solutions are not at all near to Microsoft Sentinel.

So while we do create a type of SIEM solution in other platforms in the cloud, using the native services, Microsoft gives us a direct solution at a very reasonable rate. They are charging less money, but they will never compromise the quality or the features. Microsoft is updating Sentinel on a regular basis. If I look at Sentinel three and a half years back, and the Sentinel of today, the difference is really unbelievable.

As part of our consulting team, I have never suggested that someone go for a third-party solution. Some of my clients have a whole environment on AWS and GCP and they have said, "Can we create some kind of SIEM solution for my cloud by using something we have in Microsoft?" I give them a comparison between using the native services and Microsoft Sentinel. The main point I tell them is about the cost. They are convinced and say, "Okay, if we get those kinds of features at that cost, we are good to go with the Microsoft Sentinel." And they don't need to migrate their whole environment into Sentinel or Microsoft Azure. They can continue to use whatever they are using. We can onboard their logs into Sentinel and, on top of that, create use cases and dashboards, and they can monitor things.

Microsoft is proactive in helping you be ready for potential threats, but I'm not involved in that part. It's something my counterpart takes care of. But I have heard from them that it is proactive.

We also use Microsoft's CASB solution, Microsoft Defender for Cloud, and Defender for Endpoint. There is some complexity when it comes to integration of Defender for Endpoint. This is the feedback I have submitted to Microsoft. When we do the integration of Defender for Endpoint, we have more than 12,000 machines, with different OSs. Onboarding all those machines into the environment is a challenge because of the large number of machines.

Although it's not creating any kind of mess, compared with Sentinel or the CASB product, Defender for Endpoint is something Microsoft can work on to create an option where we don't need to onboard all these machines into Intune and then into Defender for Endpoint. If that step can be omitted, Defender for Point will also be a good solution because it is also working on an AI basis.

These Microsoft products do work together to deliver coordinated detection and response. We simultaneously get the benefits of all these products.

We are also using Microsoft Defender for Cloud to see the security posture of our environment and it also has some great features. It helps us understand vulnerability issues and, on the top of that, we get recommendations for resolving those issues. The security posture is based on the policies it has, as well as third-party CIS benchmarks that people are using in the backend to provide the recommendations. It's good.

We have created an automation rule, but not directly using Defender for Cloud's bi-directional feature. The automation we have created is logic using a bidirectional aspect for Sentinel incidents. When we get incidents in Sentinel, we can trigger those same incidents in ServiceNow as well. We have a SOC team that manages our incident response plan and ServiceNow. Once they take an action in ServiceNow, they don't need to go to Microsoft Sentinel again and take action on the incident. It will automatically reflect the action they have taken.

Between best-of-breed versus a single vendor for security, Microsoft is on top. They are continuously enhancing their product and other cloud platforms don't have a direct SIEM solution. We need to customize other solutions every time if we want to opt for another cloud vendor. This is the advantage of Microsoft Sentinel at this point in time.

I would recommend Microsoft Sentinel to anybody.

I and my colleagues feel that Microsoft Sentinel is the number-one product for anyone considering something similar. We have other tools as well, but none compare with Sentinel.