Microsoft Sentinel Reviews

Microsoft Sentinel is a monitoring tool. It is a SIEM solution and is used to gather logs. It allows us to analyze and understand the flow of information based on the events that happen and the systems we connect it to. 

I explain it to my customers as being almost like an octopus. It sits in the middle of a tank, and it has all these tentacles that connect to different systems. We bring that information in via those connections, and then we query them. We can centrally analyze, examine, and understand the data that comes in through the analytics or the capabilities that Azure links to Microsoft Sentinel, which is Azure Log Analytics Workspace. We then use queries to help us understand or make sense of the data. We can have dashboards and visualize them. 

We use it to set up monitoring for cloud infrastructure and we use it as part of a larger monitoring capability around setting up a SOC capability. We are then able to keep track of infrastructure and mitigate risks.

Microsoft Sentinel gives visibility to some degree to all of the customers that I work with. It has given us more visibility into the accurate state of the endpoints being monitored in near real-time. 

With the solution, we are now able to respond to incidents in a more timely fashion, which helps us. It helped us to understand what is happening and make informed decisions as a result. It has given us a more comprehensive and holistic view of the ecosystem that exists, and not just an individual piece of that ecosystem. It does not give a view of just one server. It also gives a view of the supporting infrastructure around it. It has given us a lot more visibility, and it has made us smarter in terms of being able to defend ourselves against bad threat actors and the harm they look to do. It made us better armed and more informed, and therefore we can offer a better defense that will hopefully ward off some of those bad actions.

Microsoft Sentinel helps to prioritize threats across the enterprise in several ways. This capability is linked to other technology elements that make up the overall security posture of the Microsoft offering. Microsoft Sentinel, in particular, allows us to look at the flow of information coming through the connectors from various systems. This helps us create alerts and analyze that data so that we can bubble up and see what is happening. We can tie that into the Microsoft Defender stack or the products in the Microsoft Defender ecosystem, and we can take action and monitor. 

Whether it is being alerted, manually choosing to do something, or automating through the broader security capabilities of the platform, we can take action. When we tie in the broader security capabilities that involve governance, risk management, and compliance (GRC), and we have all the tools at our disposal to do that, Microsoft Sentinel becomes a huge ingestion engine that brings in signals. The telemetry and data from all the monitored endpoints allow other capabilities to access that data so that we can monitor it. We are then not only well-informed, but we can also choose how to respond. We can respond through a combination of automation and manual actions. If something occurs, we can then kick off an incident response to deal with it. If needed, we can quarantine and mitigate it. We have a rich set of capabilities but also a very flexible set of opportunities to respond because we are given near real-time information. We can analyze that information in near real-time to make informed choices when it comes to threat intelligence, threat mitigation, and threat assessment.

I use all of the products that Microsoft has in the market in various architectures or configurations with different customers, and I have used them for many years. Various customers use the entire suite of offerings that Microsoft has in the security space in terms of governance, risk management, and compliance, such as Microsoft Sentinel and Microsoft Defender. There are also solutions like Privileged Identity Management (PIM), which is now a part of Microsoft Entra, which has been renamed. I have integrated these products and set up the architectures or designs for customers. The setup depends on the size of the customer and some smaller businesses do not use all of them. They license at lower levels and do not have the business case, the resources, or the need to use them all. Larger companies tend to utilize more of them. Because I work with different-sized companies, I set the solutions up and have used them in a variety of circumstances across the board for different companies. 

In the beginning, like any technology, it was a little harder to integrate when the products were new. As they matured and went through iterations, they became easier to work with. Utilizing a new product is more painful than using a product that has perhaps been out for a year or two, that has been vetted and maybe has gone through one major update or release. The integration has gotten better over time, and the product lines continue to mature and become more powerful as a result.

Microsoft security products work natively together to deliver coordinated detection and response across the environment. For this, you need to use the appropriate connectors to bring in the information from both Microsoft-centric and third-party systems that you want to incorporate and monitor. It is bounded by the vision of the architecture that allows you to connect those systems and the availability of those connectors. Assuming those systems are connected properly, brought online, and are reporting, it gives you the depth of visibility that you need to manage both Microsoft and non-Microsoft systems.

Microsoft security products provide a very thorough set of security. Microsoft is looking at billions, perhaps a trillion, individual data points a day at this point across the Microsoft ecosystem, which includes everything Microsoft does, all customers, and all interactions. They take all that information and analyze it with dedicated security teams, machine learning and artificial intelligence, business analytics, etc. They turn that information around and make it available for customers who are consuming the threat analysis and threat intelligence capabilities on the platform. Some of the solutions are available for free to everybody regardless of licensing. For others, you need enhanced licensing to take advantage of it fully. The threat intelligence feeds, the live analysis, and the security posture that Microsoft provides to its customers globally as part of the shared responsibility model have matured tremendously. They are the best. You get incredible value for the amount of work that goes into providing that. The customers I work with are very happy with the work that Microsoft does and continues to do in that space.

We use the bi-directional sync capabilities of Microsoft Defender for Cloud in some cases. It is a very useful feature for myself and my customers. It is very important because it allows us to use the Defender product, which is made up of maybe 20 individual offerings at this point. There are a lot of different sub-areas that you have that you can attach the Defender product to. This concept allows us to be able to have the endpoints monitored, whether they are the servers or the service that Defender would monitor and protect. It allows us to understand what is happening with them and to have near real-time updates about their status. We can see the impact of potential threats that are attaching and risks that may become apparent, and we can see the impact of remediation or the things that are being done to stop those things or perhaps forestall them, hopefully, to prevent them from harming. This capability is very important, and it is one of the secrets that allow that platform to not only be very flexible but also very impactful in terms of monitoring the bulk of the infrastructure and services that most customers would have running in a public cloud, whether it is Microsoft or any other public cloud, such as Amazon, Google, etc. We can monitor any infrastructure and understand it, especially customers' environments that are hybrid where they have on-premises as well as cloud or multi-cloud infrastructure with more than one cloud. To be able to monitor both on-premises and multi-cloud environments is a requirement today, and Microsoft provides those capabilities but not all other providers do. 

It enables us to ingest data from the entire ecosystem as long as we are using a connector to link to the infrastructure that we need to monitor and as long as there is a connector for monitoring that infrastructure. So, as long as the pipe exists, we connect the pipe, and we can monitor the infrastructure. For a majority of mainline infrastructure or a majority of third-party vendor systems today, there are connectors. For some smaller systems or proprietary or custom systems that some companies run, there might not be connectors, but for mainline systems that you would buy, acquire, or use from large-scale SaaS vendors, connectors have been there for a while. As long as we are running connectors to that infrastructure, we can monitor almost anything that we have.

Sentinel enables us to investigate threats and respond holistically from one place. We have a central dashboard that we can use to monitor and then from there, do the analysis and also create the remediation if necessary. This functionality is very important. The biggest mistake vendors make in tool design from a UI/UX or user interface/user experience perspective is that they do not make things centrally available and obvious for the administrator or the end user who is going to run or use that system. Generally, if something is overly complicated and not very intuitive, it is hard to get people to buy into using something. With Microsoft Sentinel, you can have everything in one place and visualize the impact of the threats, the risks, the incoming data, and the number of incidents, events, or alerts that are happening. All those things are visually represented in the opening part of the dashboard. You could drill down from there with a navigation area that is intuitive and easily understood. That makes it very easy for different users, such as administrators and managers, and other user profiles that have different reasons for being in the tool, and that is the hallmark of a good design.

When you look at it holistically and look at what it is linked to in terms of the broader security platform that Microsoft provides, it is very strong, and it continues to get better. When you ask anyone about their thoughts about a product and how it works for their customers, the mistake that people often make in describing something is that they say, "I think it is great, and it is great for us. It does everything we need." That is good, and it should be. I can say that for the majority of my customers without any ambiguity or concern about being accurate, but the thing you have to add is that there are always things that we do not know that we need to do until they occur. We might not have seen that threat before. Maybe there is a new advanced persistent threat or zero-day exploit that we have to contend with, which we have not been aware of until now. The hallmark of a really good tool is its ability to integrate that new information in a timely fashion and have the flexibility to mature the tool over time based on feedback and iterative use. The strength that Microsoft has brought to the platform over time is the ability to listen to its customers and make sure they are offering based on that feedback. It is good, and it continues to get better. Today, it is good, and tomorrow, it will be better because of that thought process in the way they engineer over time.

Microsoft Sentinel helps automate routine tasks and the finding of high standards. If you set it up the right way, it does that as one of the key things that it is designed to do. It has streamlined our ability to respond, so response time has gone down. It has enhanced our understanding because automation is managing some of the remediation and the menial, repetitive ongoing tasks of:

• Paying attention to information flows.

• Picking out the most important elements.

• Prioritizing them and bubbling them up.

• Creating alerts around them and then telling people that these things are happening. 

Automation lets you do that without having to spend human or people cycles to do that. The automation never gets tired and it never gets bored. It never needs to take a break. It never gets distracted. Because of that, we find not only more things we need to react to, but we react to the things that we truly should be chasing. We are not distracted as much by things that seem to be important, but we find out that they are just ghosts. They are false flags. The ability to bring machine learning, artificial intelligence, business analytics, and data visualization as a part of automation has filtered out a lot of the background noise that distracts. It has allowed us to hone in and refine our activity cycles around the most important things that we have to pay attention to.

Microsoft Sentinel helps eliminate having to look at multiple dashboards and gives one XDR dashboard if you set it up the right way. I have seen it set up in ways where it does not do that because it is not optimized, but if you are using it the right way, if you understand the tool and how to integrate it properly, then it gives you that single dashboard where you can directly find the information or link through a smaller visual tile that will take you to that information that you need if you need to drill down in a deeper, more meaningful way.

Its threat intelligence helps to prepare for potential threats before they hit and take proactive steps. If you are integrating the threat intelligence feeds from Microsoft and looking at them, everything is relative. They are there if you are smart enough to consume them and understand what you are looking at. In other words, people who are paying attention to them and are using them properly are getting tremendous value out of them. Microsoft globally examines billions, if not a trillion, of individual telemetry data points every day and incorporates that into their threat analysis feeds, so no individual company, irrespective of how big they are and how much money they have, can bring that kind of at-scale analysis to that problem. As a result, you are getting a tremendous amount of data that is being vetted, analyzed, and distilled down to meaningful actionable intelligence. It is consumable because it is presented in a very summarized and succinct way. It is very valuable, but you have to be able to understand that and utilize that to draw value from it.

We have saved me time with Sentinel. The ability to have the power of Microsoft as a global scanning organization service provider at my disposal is helping me to better understand the environment I operate in through threat intelligence and threat analysis. In addition, the ability to automate at scale across the platform and to have the research and design that is being done to continuously upgrade and add features to those platforms has made me a much more capable and therefore, more successful security practitioner. It is hard to quantify the time saved. It would probably be a very extreme exercise to go back and do that, but it is fair to say that over a year, we have probably saved a thousand or more human hours. I look across a team for one of the customers that I work with, it is fair to say that we have saved at least a thousand human hours for a year by relying more on the automation toolsets. That is about ninety hours a month on average. We can break it down to 15 or 20 hours a week or something like that, but the reality is that it is about a thousand or more hours that we have saved in a year.

Time to detection has decreased, and the time to respond has gone. They both have decreased. That has been an outcome that we have seen and is measurable. It goes back to the investments you make in building out that architecture in terms of:

• How many systems are you monitoring or how many are you connecting?

• How much data do you have coming in? 

• What are you doing with that data and how are you using it? 

If you are building out a full SOC analysis capability or a full monitoring solution, and you are typing this into incident response and alerting and event continuous monitoring through automation, time to respond and time to solution is going to decrease as a result.

It can connect to an ever-growing number of platforms and systems within the Microsoft ecosystem, such as Azure Active Directory and Microsoft 365 or Office 365, as well as to external services and systems that can be brought in and managed. We can manage on-premises infrastructure. We can manage not just the things that are running in Azure in the public cloud, but through Azure Arc and the hybrid capabilities, we can monitor on-premises servers and endpoints. We can monitor VMware infrastructure, for instance, running as part of a hybrid environment. The continuing evolution of what we call the connectors, which is the marketplace that lets us connect these systems to Microsoft Sentinel, is probably one of the most important features.

The reliance on a very simple but very powerful query language called Kusto Query Language or KQL that Microsoft uses to allow us to log into the analytics workspace to assess and analyze the data is also valuable. That has made it very approachable and very scalable. Those are very big and important things for me as a consultant, as an architect, and as a person who is implementing these solutions for customers and who is explaining them, and ultimately working with them. This makes the product not only usable but also very flexible. Those are two very important elements.

Everyone has their favorites. There is always room for improvement, and everybody will say, "I wish you could do this for me or that for me." It is a personal thing based on how you use the tool. I do not necessarily have those thoughts, and they are probably not valuable because they are unique to the context of the user, but broadly, where it can continue to improve is by adding more connectors to more systems. 

The really interesting area where we are already seeing the impact is the use of more artificial intelligence. There could be the ability to bring AI into the analysis capabilities of the toolset in more ways so that we can utilize the power that computer analysis at scale has. That is because we are limited. As humans, we can only look at so much information, see so many patterns, and absorb so much in any given cycle of a workday, but artificial intelligence and automation engines do not take breaks. They do not stop. They do not need to. They can go deeper, and they can see more data and ingest more to find patterns that, as humans, we are not going to be able to see. The evolving technology in this area is all moving towards the use of artificial intelligence, embedding it in multiple areas in the platform so that we can be told that there are things that we need to pay attention to that are becoming a problem as opposed to things that are already a problem. Where the biggest improvements can happen is how we move that ability to identify emerging threats closer to the point of contact so that we can interject and essentially stop and disrupt the kill chain of an event series before it harms. Currently, the problem we often have is that things get bad, and until they get bad, we do not really know what is happening, and we do not know how to respond, so we spend a lot of time responding to incidents that have already started or have unfortunately unfolded fully in a reactive manner. The value proposition in terms of improvement down the road is getting better at predictive defense and proactive response before events take place to stop them before they start. That is the future that we are moving towards, and that is where the biggest improvement lies.

Sentinel, which is now called Microsoft Sentinel, used to be called Azure Sentinel. It was renamed about a year and a half or two years ago, but I have used Sentinel for about four years. It was probably released in 2019.

It is very stable. I have had little to no difficulty with it in the more than four years that I have used it or deployed it. I cannot think of a time in the last four years when it was unstable or unstable enough that I had to open a support ticket. I have had issues with it because people have misconfigured it or not set it up properly, but those issues were not related to the platform itself. Those were human interactions that were complicating it because it was not set up the right way. When it is set up correctly, it is a very solid platform with minimal to no downtime. There were no major service disruptions that I remember that caused problems.

It is very scalable. You do not think of scalability necessarily the same way you would if you were setting up a cluster to run virtual machines, for instance, because there, you have to add resources, and you are monitoring to make sure that there are enough resources versus the load in the system. Microsoft Sentinel is a managed solution. You are deploying it, but then Microsoft is scaling it and managing it on the backend for you, so you do not control some of the things that would impact scalability directly. Microsoft is hosting it. It is essentially a service you are consuming. In my history with the product, it has always met my expectations, and I have never had an issue where it could not perform because of a resource constraint, so its scalability is solid, and it is always available when necessary. It is not scalable in the same sense as you would control it by adding hosts to a cluster. It is a different kind of scalability, but it has been rock solid all the time I have been working with it.

In terms of the environment, I have multiple customers, so each one is different, but generically, it is safe to say that it is deployed to monitor infrastructure that is in multiple geographies, multiple data centers, or multiple places both on-premises and in the cloud. It could be hybrid as well as multi-cloud. The infrastructure is being monitored from a variety of different locations. Microsoft Sentinel itself is typically installed and instantiated in one instance. You set it up inside of an Azure subscription and you have one instance. If you need more than one, you might set up more than one depending on the geography and the needs of the organization, but typically, we have one central Microsoft Sentinel instance running, and then you will bring that information into it through the connectors. It is typically going to be a single instance. It will usually monitor geographically distributed architecture, and it will usually operate at scale, so there will be quite a bit of information coming into that at any given moment.

Like anything else, you can get support depending on how you are using the tool and the level at which you are using it. You get basic support from Microsoft. If you have a problem, they are very good at telling you if there are service issues. If you are paying additionally, you can get premium support to support you with the tool. There is an additional fee for platinum-level support or premium support. Their support is very good if you are paying for it and you are able to utilize it. If you are just able to open a basic ticket because you are having a problem, support is good, but you are going to be limited in the help you are going to get. To talk to a high-level engineer to deal with complicated issues, you are going to need to pay extra money for support. Overall, I would rate their support an eight out of ten.

Positive

I have used several different solutions over time with different customers for different reasons. I work with a lot of different customers. I set up solutions for different customers. They have different technologies and different needs, and some of them have a bias towards certain products and against others, but I have used products like ConnectWise, which is a SIEM solution, and Splunk, which is probably one of the biggest ones out there that most people would name if you ask them. Splunk is probably at the top or near the top of everybody's list. Datadog would be another big one. I have used LogPoint and GrayLog. I have also used ManageEngine's Log360. SolarWinds is another popular one that I have come across pretty often. I have used many more than that, but those are probably the top five or six that I have used. They are the ones that customers tend to use a lot. Some of them are still using those products and have chosen not to move, but the ones that have chosen to move have done that because of two things. The cost plays a part. They have the ability to leverage a tool that is already built into the platform and that may be easier to work with and integrate in a more readily accessible fashion, and it would be as expensive and maybe less expensive over time. It might also seem to be a better architectural choice for them as they look at an upcoming renewal cycle, or they have heard or been told that they need a certain capability or feature and the vendor that they are currently using does not have that or it is not as easily accessible or readily available, but Microsoft Sentinel has that capability. It has connectors to those other platforms, but for whatever reason, their particular vendor does not have that connector, or they might promise to deliver it but it is not going to be ready for six months. It comes down to features and cost. These are the two main reasons or two main motivators to drive people to migrate.

In terms of the cost and ease of use of Microsoft Sentinel against standalone SIEM and SOAR solutions, it is difficult to do an apples-to-apples comparison. That is because, in theory, you can look at Microsoft Sentinel as a single standalone product with its own cost associated with it, but it is linked to, consumed by, and used in partnership with many other systems and tools that also have a licensing cost. Some of it is built-in and some of it is an add-on, depending on where you are and how you choose to license. In other words, Microsoft Defender is a per instance per month cost that is additional to using the Microsoft Sentinel product, and what you get with a standalone solution is essentially just the SIEM or the SOAR capability. You are not getting the capability to blend them across the platform, or if the vendor does both, you are buying them as an all-in-one solution and you are paying a monthly fee per user based on licensing. 

From my perspective, cost comparisons are not as accurate. When a customer asks whether Microsoft Sentinel is going to cost them less or more than using this other tool, it is a very simplistic way of looking at the tool, and it is a very operational-centric or OpEx discussion. When anyone asks about the monthly fee for the investment in this tool, you have to be more strategic. When you look at a tool, features, and capabilities, the capital expense is broader than just the operational expense. You have to understand the strategy associated with the tool decision and the impact and value of the tool. 

Microsoft Sentinel gives a good value for money or a return on investment in terms of what it costs you to run it. When comparing it to any of the other major competitors in the market, it is as cost-effective and perhaps even more cost-effective than some of them. It certainly is very competitive, but people do not necessarily understand the subtlety in that assessment in terms of how they are integrating the Microsoft Sentinel solution or the third-party solution into the broader context of their infrastructure and security posture. That is where they run into issues that become more prohibited from a cost perspective, both hard and soft. For example, the hard cost could be $15 a month per user to license or $15 a month per endpoint and $100 per gigabyte of storage or something like that. Those numbers are wildly inaccurate, but you do have hard costs, and then you have soft costs, which include what it costs you to train people who have to use that technology or to train people who have to manage it ongoing and integrate it. You might have to hire consultants to do that, for instance. Those are hard and soft costs. When you are using a Microsoft product and you are Microsoft-centric, you overcome some of those soft costs because you have people who already have skills on the platform. You are already integrating that technology. Microsoft is doing that for you. You do not have to do it yourself. As a result, some of what I refer to as hidden costs are not as high with a Microsoft solution as they would be with a third-party solution. If you are already Microsoft-centric and you are using a majority of Microsoft Azure and Microsoft 365-based infrastructure in some form, it is easier to implement that technology. It costs less when you go forward with Microsoft Sentinel than it does when you try to bring in a third-party external SIEM or SOAR and tie it into the Microsoft platforms and have it do the things that you are looking for it to do.

It is predominantly deployed for public cloud use, meaning customers hosting on a public cloud are using it. They are hosting in Azure, for instance, and they are running their cloud infrastructure in that cloud environment. You can link to on-premises resources in hybrid scenarios, and you can certainly make the case that it can be used for private cloud as well because you can extend it to the on-premises environment. It can be used to ingest information in a multi-cloud environment, meaning you can bring in infrastructure information from Amazon or Google, the other two major public cloud provider platforms, as well as VMware, which, in its own right, is a public cloud provider. So, it can be used or potentially be available to consume data from any of those areas.

I have been involved in the deployment of hundreds of instances of Microsoft Sentinel. Its initial deployment is straightforward. In terms of implementation strategy or how to approach it, it is important to spend a lot of time with whoever the customer is. I work with multiple customers. I ask them what sound like fairly simple and simplistic questions but are very important questions. What are they looking to accomplish by deploying a SIEM solution? What is the business requirement that we are addressing by deploying the solution? We need to define that and understand that because oftentimes, we find that the customer says, "Well, we think we need, for instance, X." We talk about it, but realize what they really need is perhaps X with other things or it is not X at all. It is really W. They just thought it was X because somebody told them that. They did not know any better, so asking W&H is important.

• Who is this for?

• Who are the stakeholders?

• Why are we doing this?

• What are we looking to accomplish?

• When are we looking to get it done?

• What is the timeline?

The where and the how are not as important because it is typically in the cloud, and we are going to have qualified people deploy this architecture and we are going to run it in Microsoft, Amazon, or whatever. If we ask those questions upfront, then we can come up with a deployment plan and architecture solution that approximates the customers' needs but also meets their expectations, so for me, a project's success or failure lies in planning. The majority of the work you do has to be done in the planning cycle before you do implementation. If you are really strong in planning, then implementation is relatively straightforward. There are not a lot of surprises. As long as you are technically competent, you can do your deployments, and they should be relatively straightforward and minimal risk to the organization in terms of the deployment. If you do not get your planning right, you are opening up a tremendous amount of risk and liability in the organization.

In terms of maintenance, you cannot set it and forget it. Like any other product, it does require maintenance. If you are smart about it and you set it up the right way the first time, it will take care of itself, and it will certainly operate well at scale, but you have to examine it on an ongoing basis. There is always an opportunity to refine and update connectors. You can add new connectors as you need to extend the reach of the tool. You may have to look at the volume of data that is coming in to refine the amount of data that you want to store, pay for, and analyze, and then you have to look at the queries you are running to be able to stay on top of the data to extrapolate meaning. So, there is maintenance that goes into using a tool like this. There is no checklist that you go through every day, but there are absolutely things that have to be done on a daily, weekly, and monthly basis to keep the tool running properly.

I am the one who handles the deployment. It is rare that I would not do it myself or work with a team that would be empowered to do it as part of that.

The deployment, depending on the size of the deployment, could be done by as little as one person. It does not necessarily need a huge number of people to be associated with it. The bigger need there is what you do once the initial deployment is done, meaning fine-tuning the operation of that. When you add all that in, you typically look at a team of anywhere from three to six individuals. There are incident management and response and SOC analysis people. There are also network people. There are different people who would play a part in ultimately standing up and optimizing a tool like this, but usually, four to six people play a part on average.

There is absolutely an ROI if it is architected properly and the customer has the right expectations going in.

Microsoft Sentinel has saved my customers money. There is an initial investment upfront, so you have to spend money to save money. There is an initial investment upfront of hard and soft hours, but if the systems are set up properly and optimized and you have people who understand them, one of the things that you are able to do is look at the redundancies in your security stack or in your provisioning. You can look at tools that you may be able to move away from at the end of a license period instead of renewing, for instance. You can do away with that redundancy and focus on simply using the Microsoft toolset, so you tend to find that there is definitely an economy of scale there in terms of recouping those returns on investment. There may be a one to three-year cycle to see those savings. It depends on where you are with redundant tool sets that you have identified to be eliminated and where you are with a contractual licensing obligation of time cycle or license period before you have to pay to renew based on current investment, so it may lag a little bit. You do not tend to see those results right away. They tend to lag anywhere from 12 to 36 months, but at the end of, for instance, a three-year cycle, you are not spending another $300,000 to re-license a new tool. You are saving that money. You can then work backward and say that on average, you are now saving x amount of dollars a month going forward because you are not making that investment anymore. You definitely do see investments that yield value, but they tend to lag.

It is priced fairly given the value that you get from the use of the product. The biggest mistake people make with Microsoft Sentinel is not understanding the pricing model and the amount of data that they are going to be running through the tool because you are paying based on the flow. You are paying based on the amount of data that is moving through the tool. People do not plan, and therefore, they get surprised by the cost associated with using the tool. They connect everything because they want to know everything, but connecting everything is very expensive. They might not need to know everything. That is what I talk about with customers. It would be nice to know everything, but it might not be affordable or cost-effective. Microsoft Sentinel provides good value for the money. It is competitive with any of the other offerings out there based on the cost, but the mistake customers make is that they do not understand the cost model for using a SIEM solution regardless of whose solution they are using. When they get visibility into that model, it becomes a lot easier for them to make informed decisions.

I certainly evaluate products all the time. I am always looking to see what capabilities exist and which vendor can offer me the best mix of features and capabilities for the price, and then I make recommendations to my customers as a result of that. Microsoft Sentinel is a newer product in the market in terms of time. It has only been around for about four years, whereas some of the other products, such as Splunk, have been around a lot longer, so I tend to find people evaluating Microsoft Sentinel versus the other products they already possess when they are looking to move.

To those evaluating this solution, I would advise doing their due diligence. They have to understand the technology, the capabilities, and the limitations. They need to assess the business requirements that they are trying to address by deploying a SIEM solution, whether it is Microsoft or not. They need to understand what those key business requirements or key objectives are, and then evaluate the tools to make sure that those tools can achieve those objectives. They can then make an informed decision accordingly.

Microsoft Sentinel is one piece of the puzzle. Threat intelligence or threat analysis is a broader aspect of the security platform that Microsoft provides. It is certainly reliant on the data that Microsoft Sentinel provides, but there is a lot more to it than that. Overall, Microsoft has made tremendous investments in the last five to ten years. Especially in the last five years, in that space, they have developed a threat intelligence, threat analysis, and threat awareness capability that rivals any of the top platforms that are out there today. They continue to mature and grow that capability by maturing the products that support it. Microsoft Sentinel is one aspect of that. The Microsoft Defender stack or all different Defender products are a part of that. A few years ago, it would have been very hard to make the statement or make the case that Microsoft has a mature offering that is certainly at the very top along with other offerings that are often talked about as being at the top in that field. Today, Microsoft competes at the top tier of that field, and their solution is as mature as any of the ones in the market. The challenge with Microsoft solution is that it is very specific and uniquely honed for the Microsoft infrastructure. That is not a bad thing, but it is something that you need to be aware of. It is specifically designed to work with, work for, and wrap around Microsoft's public cloud offering Microsoft Azure and the supporting elements in Microsoft 365, etc. So, as long as you are Microsoft-centric in your stack, in your technology, in your architecture, it is a very valuable piece of the overall threat posture management that a company needs, but if your investment in technology is heavily weighted outside of Microsoft, it is of less value because you need to be Microsoft centric and Microsoft forward to be able to fully leverage that platform.

To a security colleague who says it is better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that it depends on the nature of the organization's technology architecture. If the organization is overwhelmingly single-technology-centric, meaning they use Microsoft almost exclusively, you can make the case either way. Using an external third party not tied to Microsoft is important because now you are splitting your investment, and you are not gambling only on one provider, which is the argument you always hear people make when they say, "Do not put all your eggs in one basket." The counter to that argument is who knows my environment better than the vendor that has made all the technology that I am integrating, and who would be better to monitor it than the vendor that makes all the technology? When I have customers that are single-technology-stack customers, they are almost exclusively or predominantly Microsoft, I counsel them to think strongly about using Microsoft products unless there is a compelling reason not to because Microsoft is going to make a much better solution than a third-party vendor that has to figure out how to connect to Microsoft to use that product properly. Organizations that have a mixed technology environment do not use only one vendor. To be fair, many small, medium, and large organizations are mixed technology environments, and it would be foolish to only rely on one vendor's security solution.

Overall, I would rate Microsoft Sentinel an eight out of ten.

We use Microsoft Sentinel for log aggregation, data connectors, and alerts.

In terms of visibility, Microsoft Sentinel captures a lot of useful data.

Microsoft Sentinel helps us prioritize threats across our enterprise. It shows us the most vulnerable assets, and because we have agents on every machine, we know exactly where to go to investigate. This is important for staying secure as a company. It allows us to cover our own bases by seeing what is happening in real-time and taking proactive steps to address threats, rather than reacting to them after they have already occurred. We can stay up-to-date with security measures and ensure that we follow through and execute our security plan.

We integrated Microsoft Sentinel with Defender for Cloud, Endpoint, and Defender Vulnerability Management. 

Microsoft is not the most vendor-friendly company in terms of integrations and connections, but we were able to get it working in the end, so we cannot really complain.

Microsoft's security tools work natively together to deliver coordinated detection responses across our environment.

The comprehensive threat protection that Microsoft Sentinel provides is good. They provide really good information. We are able to create documents, perform root cause analysis, and analyze anything we need to. Log integration is also key. We are able to find potentially malicious files, correlate events to alerts, and then take action on alerts. So, the comprehensiveness is pretty straightforward.

We use Cloud and Endpoint security. We have our Defender cloud, and then Defender agents on each endpoint. The bidirectional sync capability is important, and it is a work in progress. We are in the process of off-boarding our contract with CrowdStrike. We are moving all of our cybersecurity needs to Microsoft Defender, which is included in our existing Microsoft licenses. This makes financial sense, and CrowdStrike was not providing us with much value.

The system allows us to ingest data from our entire ecosystem, which is very important. This is our main source of correlation of logs to alerts. Therefore, we definitely need to get every single log source, and possibly a few more.

The system allows us to investigate and respond holistically from one place.

It is a very comprehensive tool to use. However, the supporting documentation is limited to initial troubleshooting. This is where I find the most difficulty in explaining how good the tool is. Other than that, the tool is pretty straightforward. There is enough documentation to get us started. However, beyond that, we will need to rely on online forums and other open-source resources to learn more about the tool.

When comparing Microsoft Sentinel to other SIEMs in terms of cost, we are saving money because it is included with our Microsoft 365 E5 licenses. This also helps us to reduce the number of different types of software that we need to use. We do like redundancy in terms of coverage, but the cost of multiple solutions adds up. We want to be able to use one central location for all of our security software. This is one of the reasons why we choose Microsoft Sentinel over third-party solutions. As we move into larger projects, we need to have a centralized place for all of our security policies and procedures.

Microsoft Sentinel helps us automate routine tasks and find high-value alerts. We also use Sentinel as a store for our alerts. This allows us to automate most of our responses if not all of them. We also tailored our alerts to specific events that occur in our environment.

Microsoft Sentinel helps eliminate the need to use multiple dashboards by providing a single XDR dashboard. We currently use Sentinel's workbooks, which provide a dashboard that we can use for metrics, reporting, and other purposes. This makes it easier to relay information upwards, as it is presented in a more visually appealing and easy-to-understand manner. For example, we can use pie charts, bar charts, and line charts to represent data in a way that is easy to understand. This makes it easier to convey information to upper management, such as where we are most vulnerable and what steps we need to take to improve our security.

Microsoft Sentinel helps us prepare for potential threats before they hit by taking proactive steps. We can also detect ongoing incidents. For example, if we receive a ticket or alert that is ongoing and will not go away, we can automate a response to it and add it to our playbook. This way, if a similar incident occurs in the future, we will know what to do to respond immediately.

In terms of automation, I believe we save about 20 to 22 hours per week by closing tickets. We receive about 50 to 100 tickets per day, and we automated about 80 percent of those. This means that we can now close tickets without having to manually review them. This saved us a significant amount of time, which we can now use on other tasks.

We are on the smaller side in terms of the number of logs that come in. So, I don't think it's necessary to compare at this level of data ingestion. However, I can definitely see that if we scale and grow in the future, it will save us a lot of money, especially in terms of manpower and hours that we have to dedicate to automation or non-automated tasks. For example, in the six months that we've had Sentinel up and running, we've saved 755 hours in automation alone.

We currently meet all of our service level agreements in terms of incident response. This definitely saved us time, and we also receive email alerts directly so that we know as soon as something happens.

Log aggregation and data connectors are the most valuable features. We have a plethora of data connectors, so being able to get all of our logs into a central location is very helpful.

For certain vendors, some of the data that Microsoft Sentinel captures is redacted due to privacy reasons. In the future, it would be helpful to have this data unredacted so that we can have a better understanding of it.

Microsoft Sentinel is not the most user-friendly tool. Other tools, such as Splunk SIEM or any other SIEM, are better and easier to use.

Our threat-hunting capabilities can definitely be improved. We do use workbooks to view incoming data, but threat hunting is where we can really find those underlying issues that may not be immediately visible. We will use these alerts as a starting point for our hunting. If we can correlate two different events and identify the same root cause, it will save us a lot of time and resources.

I have been using Microsoft Sentinel for six months.

I would definitely rate Microsoft's technical support low. First, it is very difficult to reach a real person. We are always directed to a bot, which can only diagnose some issues. If we do need to speak to a real person, the wait time is very long. It can take hours or even days to get a call or video conference. Second, the documentation is outdated. This is especially true since Microsoft recently rebranded Azure Sentinel as Microsoft Sentinel. The new documentation is not yet available, and the old documentation is no longer accurate.

Negative

Microsoft Sentinel is included in our E5 license.

I give Microsoft Sentinel a seven out of ten. It has good capabilities, including a large number of native connectors. It is a well-known brand, so it is likely that many third-party vendors will integrate with it in the future. This will give Sentinel a wider range of data sources to collect from. In terms of data connectors, I think Microsoft Sentinel is one of the better options available. However, some of its competitors, such as Splunk and SentinelOne, have better interfaces and support. They may also have some proprietary capabilities that Microsoft Sentinel does not offer.

I believe that duplicating security measures is a good thing. It is also important to have redundancy in tools. If we have multiple tools that cover the same thing, we will have more eyes and visibility, and we will be able to remediate issues as they arise. Therefore, using multiple vendors, platforms, and consoles is the way to go. If we use only one tool for everything, it will be like a Swiss Army knife. We will definitely run into problems. I believe that we should avoid single points of failure at all costs. We should have redundancy in tools, but not just in tools. It is also beneficial for our team to all know the same tool or a specific suite.

We use Microsoft Sentinel as our main SIEM suite alerts and automation rules. It feeds everything into Sentinel Logs and Realities for security purposes.

Microsoft Sentinel has helped by streamlining our security. We have a nine-member network team, with three members managing security for the city, and Sentinel allows us to operate an unofficial SOC. 

It makes investigations easy. We were spending a lot of time manually investigating and resolving false positives. Once Sentinel was fully integrated and we suppressed those false positives, our SOC environment greatly improved. 

The most valuable feature of Sentinel is the automation. Creating automation rules helps eliminate false positives, which is crucial due to the high amount of noise in security. Sentinel integrates with Microsoft Defender XDR as a single security hub. Sending our alerts from XDR into Sentinel has made it a decent transition to one solution.

We can easily build reports based on Sentinel alerts and logs. Around 80 percent of our logs go into Sentinel. The solution has improved our threat-hunting by enabling us to run KQL queries. If we learn something through threat intelligence, we can run a query to see if our environment is affected.

Sentinel MITRE ATT&CK recommendations strengthen our security posture. For a small security team like ours, the automation and integrated technologies increase our service efficiency.

There is room for improvement in terms of integrations. We have some tools, such as our off-site Meraki firewalls, that have not fully integrated with Sentinel. We lack integration for Syslogs into Sentinel.

Sentinel's stability is great. I don't see us changing Sentinel as our SIEM in the near future.

Sentinel's scalability is excellent. As our organization uses Microsoft Azure and Defender, everything grows together, and we can integrate various features seamlessly.

Customer service and support for Sentinel have been very responsive. Working with a Sentinel engineer helped us tune settings effectively.

Positive

The initial setup process involved working with a Microsoft Expert, which helped in achieving an effective setup.

The implementation team was a Microsoft Expert, providing substantial support in tuning Sentinel post-deployment.

The management has expressed that the return on investment has been favorable, especially due to the reduction in security investigations. However, specific metrics were not shared with me.

We already had the necessary licensing for Sentinel, so we didn't need to to spend extra money. 

We considered Splunk and ano Splunk and another unnamed product, but Splunk was a notable option.

I Sentinel nine out of 10. Our licensing strategy and the positive impact on investigations indicate a good return on investment.

Our use case for Microsoft Sentinel is having a more holistic view by having all security events in one place.

We were likely the first partner in New Zealand. We've been able to manage the path forward early on and have helped small businesses adopt a really scalable solution.

It's one of the key areas we've focused on. We love the ability of having reliable threat intelligence.

Microsoft Sentinel's ability to integrate with other Microsoft products has been beneficial to our team's operations. We like the best of ecosystem versus the best of breed approach. We can have everyone have the same skillsets and not have individuals specialized. It's much more holistic. 

The threat detection has been useful. We like having everything managed by one solution. It simplifies everything. 

The automation feature helps with efficiency, specifically around security. 

It has good integration with other security features. It's a great product. The ease of use and ease of management are great. 

It's allowing us to have one Microsoft security pane of glass.

Microsoft Sentinel has improved cost efficiency, which is one of the key areas we're able to win business against the ability to have threat intelligence.

To improve Microsoft Sentinel specifically, giving us different functionality to handle tasks would be really amazing. I don't have any issues with what's currently available.

It would be nice to be able to leverage more AI to handle more data and recovery aspects in the future. 

I've used the solution for the last five years. 

Regarding the stability of Microsoft Sentinel, there haven't been any significant issues. There may have been one or two minor incidents over time, yet nothing substantial.

The scalability is very good. Our largest customer has 55,000 seats. Others have 100 to 200 seats. 

We've had a good experience with Microsoft support.

We decided early on we weren't going to partner with a lot of vendors. We liked what Microsoft was going to do with a best-of-ecosystem approach instead of best of breed. 

The initial setup is pretty easy. 

I have definitely seen a return on investment in the past five years. We attribute our growth to Sentinel. It became a product that everyone suddenly wanted. 

My experience with the pricing setup has been positive.

There were a couple of other products available, however, we were quite certain we were going to go with Microsoft Sentinel.

The reason why having a best-of-ecosystem is crucial for our customers is that it eliminates the need to set up multiple different products, so it was really attractive to have everything in one place.

I'd rate the solution ten out of ten. 

We use Sentinel for our SOC operations. We set up analytics rules and SOAR playbooks. Sentinel covers our entire security operation. It is deployed across multiple locations and covers around 4,000 users.

Sentinel gives us alerts, identifies vulnerabilities, and helps us remediate issues. Some of it is automated, but we also do manual remediation through the ticketing process. We have integrated Sentinel with ServiceNow, so the alerts are routed to the engineers.

Sentinel has reduced our mean time to resolution, one of our KPIs, by about 30 to 40 percent and enabled us to identify vulnerabilities faster. The co-pilot capability saves us a lot of time, too. We're also doing mapping with the MITRE framework, improving our MITRE coverage. We started to see results after the initial deployment and configuration. It took about two or three months. It's an ongoing process, but we realized the benefits within three months. 

The solution correlates signals from native and third-party sources into a single incident. Before implementing Sentinel, we used multiple tools to investigate and remedy vulnerabilities. Having that single pane of glass has significantly increased the efficiency.

Sentinel has improved our overall visibility. We get data about user behavior and correlate it. It also gives us alerts about network vulnerabilities. Having a single pane of glass and one consolidated security tool allows us to capture multiple layers, from the endpoints to the servers. One solution gives us visibility into all the layers. 

The SOAR playbooks are Sentinel's most valuable feature. It gives you a unified toolset for detecting, investigating, and responding to incidents. That's what clearly differentiates Sentinels from its competitors. It's cloud-native, offering end-to-end coverage with more than 120 connectors. All types of data logs can be poured into the system so analysis can happen. That end-to-end visibility gives it the advantage.

Sentinel's AI and automation capabilities make our SOC team's job easy. When logs come into Sentinel, the AI engine analyzes, contextualizes, and correlates them. The AI is correlating the data from multiple log sources and giving us alerts. We depend on that. We also perform automated remediation based on our SOAR playbooks. 

I would like Sentinel to have more out-of-the-box analytics rules. There are already more than 400 rules, but they could add more industry-specific ones. For example, you could have sets of out-of-the-box rules for banking, financial sector, insurance, automotive, etc., so it's easier for people to use it out of the box. Structuring the rules according to industry might help us. 

They could also add some more connectors. Sentinel has 120 connectors, including most of the essential data ones, but they could add some more legacy connectors.

I have used Microsoft Sentinel for three years.

Our SOC team relies on Sentinel from end to end, and it has been quite stable. It's always up, and we've never had any issues with the connectors.

Scalability isn't a problem because we have an Azure environment, and Sentinel is native.

I rate Microsoft support nine out of 10. They resolve our tickets within an acceptable time frame. That is pretty much okay for us.

Positive

Initially, we used Splunk, but I've mostly worked on Sentinel at this company. It was a company decision. Splunk works well in an on-premise or legacy environment, but our entire digital estate shifted to the cloud, so it makes more sense to move to Microsoft Sentinel because we moved to Azure.

Our deployment went smoothly. We spent about three or four months setting up the entire thing, and it all went according to plan without any undue complications. About three months of that was the configuration phase, and we had a transitional month before starting operations. 

The implementation steps included enabling Sentinel, setting up Log Analytics Workspace, and connecting the data connectors. After that, the logs started flowing in. Next, we created the analytic rules and remediation use cases. The deployment team included seven full-time staff. After deployment, Sentinel requires some ongoing maintenance when we add new analytics rules or log sources. We have one engineer responsible for that.

We see an ROI. Our efficiency increased once we created the initial set of analytics rules and SOAR automation, and we review our automation use cases every six months to find more ways to save money. It comes out to roughly a 10 percent return annually on a three-year contract.

I am not involved on the financial side, but from an enterprise-wide use perspective, I think the price is good enough. We have bundled pricing with Azure Monitor Log Analytics. We would be using Log Analytics Workspace even if we didn't have Sentinel, and we would need to pay a separate license for IBM QRadar or Splunk. It optimizes costs when we use both in our digital estate. 

We considered IBM QRadar. 

I rate Microsoft Sentinel eight out of 10. It's a plug-and-play solution, so you can start seeing benefits quickly using the out-of-the-box analytics rules and use cases. Of course, you need more time to create custom use cases and playbooks, but it's simple to get started. It might be challenging to migrate from a legacy system because you may have trouble connecting to the old data, but this is the best tool for a greenfield deployment. 

We use Microsoft Sentinel for centralized log aggregation and security management. Our environment uses a variety of security products to strengthen its security. This has made it difficult for the SOC team to analyze logs from different consoles and products. To ease the team's workload and help them prioritize events and attacks, we decided to acquire a centralized console. We chose Sentinel because it provides a centralized console where we can ingest and analyze logs. The logs that Sentinel analyzes add value.

Sentinel's threat visibility is good. It has analytics and threat detection capabilities that we can add to our own playbooks. We can use the predefined log analytics to create our own custom rules. Using these custom rules with predefined logs further improves our environment's security posture.

Sentinel helps us prioritize threats across our enterprise. When we have a lot of alerts and incidents, it is better to understand if they are false positives, because the SOC team sometimes wastes time on false positives, which are not very relevant. We must prioritize positive alerts, which should be given the highest priority. In order to solve this problem.

The manufacturing environment I work in is not very critical, so a simple attack is unlikely to have a major impact on the business. However, data is important in any business, and a data breach can damage our reputation. Therefore, it is important to have a good security posture to avoid threats. Threats and attacks can happen even with the highest level of security. Therefore, we look for products that can give us visibility into our environment and help us to proactively solve problems. Microsoft proactively identifies threats and informs its peers and partners. This allows us to take action to assess the impact of these threats on our environment. By taking proactive measures, we can prevent threats from harming our environment.

We also use Microsoft Defender for Cloud and Microsoft Defender for Identity. We have integrated these solutions with Microsoft Sentinel, and their logs are ingested by Sentinel. We do not incur any costs for ingesting Office 365 logs because Microsoft provides a free login exchange for Microsoft Office 365 and, I believe, for Defender as well into our Sentinel for analysis.

Our Microsoft products work seamlessly together to provide coordinated detection and response in our environment. We use a lot of Microsoft products, and it is best to use them in the same environment. This makes integration and collaboration easier. We also have licensing agreements that give us discounts when we use multiple products together. For example, we use Microsoft 365, OneDrive, and security products. We are also migrating our workloads to Azure. We have already migrated many workloads to Azure, and we are in the process of migrating the remaining workloads. We are heavily dependent on Microsoft, so we believe it is best to use one cloud provider. This makes it easier to manage different services. Additionally, Microsoft provides us with a lot of help and benefits, which can save us money. Cost is one of the factors that businesses consider, and IT is a major investment for businesses. Even though our business is not in the IT industry, IT plays a vital role in driving the business forward. Therefore, our organization needs to ensure that their IT investments are having a positive impact.

The comprehensiveness of the threat protection provided by our Microsoft security products is good. They have a large number of predefined indicators of compromise and a comprehensive team that monitors threats around the world. We receive notifications and newsletters from Microsoft whenever a new threat emerges. When an organization does not have experts on its team, it is very difficult to identify zero-day vulnerabilities or attacks. This makes it difficult for them to identify and mitigate these threats. Microsoft, on the other hand, proactively identifies threats and informs its teams and partners so that they can mitigate or prevent them in their environments.

Sentinel allows us to ingest data from our entire IT ecosystem, including network devices, servers, endpoints, and firewalls. This is important because if we are not monitoring all of our devices, we cannot know what threats they are facing or what attacks they have already been subjected to. Sentinel scans every device in the environment because it is difficult to see how many devices are compromised by a threat when we have an inventory of thousands of devices. This is why we need a centralized console where we can ingest all of our important logs and correlate them to identify threats. We need to know when our environment has been attacked by zero-day vulnerabilities. If we see that two devices have been affected, we still do not know how many additional devices the attack has compromised. This can only be known if we have all of our logs in our console. Sentinel provides us with a valuable capability: we can simply identify the source, user, or affected machines, and Sentinel will tell us how many machines have already been compromised and how far the threat has spread. This information allows us to isolate or quarantine the affected machines so that they cannot access more of our environment or steal more data.

We can react and respond holistically from one place with Sentinel.

The best part of Sentinel is its built-in SOAR, user and entity behavior analytics, and threat intelligence capabilities, which collaborate with the SIEM. Other products typically sell these capabilities as separate products. When we automate tasks, we reduce the team's manual effort. Whenever we detect an attack or need to provide analytics, we generate a lot of events and alerts. If we don't correlate these events and automatically resolve them, repetitive tasks will have to be performed by team members. This is not an efficient use of resources. Repetitive tasks can be automated by writing scripts and putting them into the system. Sentinel correlates events and creates incidents for us. These incidents can be resolved by scripts, such as by informing users that their IDs have been compromised and they need to reset their passwords or their IDs will be blocked. This saves SOC time so that they can focus on more important tasks, such as detecting and responding to threats that are already impacting the environment. Sentinel's features help organizations reduce manual and repetitive effort.

Sentinel has helped our organization by providing seamless collection and correlation of all logs. It is important to correlate logs into alerts and then to incidents, as this prevents the team that receives the alerts from becoming overloaded. Sentinel's analytics capabilities are also beneficial, as they allow me to easily perform searches and analyses of incidents. I do not have to spend much effort to determine the source of an incident, its impact, or how far it has spread through our environment. Additionally, Sentinel's automation features, such as its playbooks, templates, and integrations, help us to reduce manual effort.

Automating routine tasks that help find high-value alerts reduces the cost and workload of our SOC team. We have created several automation use cases by discussing them with multiple stakeholders and analyzing how frequently we receive the same type of incident alerts. When we receive the same type of incident alerts, we can correlate them and create scripts or automate solutions to resolve them. This helps to reduce the team's workload and headaches. We have already incorporated this automation into our SOC processes. If an incident is created, it is automatically resolved without any user or machine interaction. If we receive an alert that the resolution failed, some team members investigate the cause, such as a missing or disabled user ID or a technical system issue.

Automation has reduced our manual tasks, saving us around 30 percent of our time so that we can focus on more important tasks.

Previously, when I joined the organization, they were using Splunk on-premises and other security tools, such as Trend Micro and Darktrace devices, to collect logs. The security operations center team had to log into each console to see the logs, investigate them, and determine how to mitigate the alerts. This process was slow and inefficient, especially in the event of a critical attack. Sentinel provides a centralized console for log collection and analysis which helps the SOC team respond to alerts more quickly and reduce the impact of threats.

Microsoft Sentinel helped us eliminate the need for multiple dashboards by providing a single XDR dashboard. They have data connectors that can integrate with different security tools because they partner with other security companies to provide us with the functionality we need to integrate into our environment. Microsoft is at its best when we can integrate with our peers and security companies that are bringing new features to improve our security posture. We can then integrate these features with Sentinel, benefit from them, and ingest our logs into Sentinel as well. We no longer need to log in to multiple security tools; we can simply go to Sentinel, view the incidents and alerts that are being generated, and take action.

The automation feature is valuable. There are many events that happen, and we require manual effort from our SOC team to mitigate each one. When we started automating tasks, it helped us to reduce the time it takes to react to attacks. Attacks may not be able to penetrate our environment as easily because of this. Therefore, I believe that Sentinel's automation is the best.

The integration is not that difficult. The configuration is simple, but the data connector documentation is lacking in useful information. If Microsoft improves the documentation, we will be able to see how to complete the integration from start to finish. In the past, we have encountered problems during the integration process because the documentation was incomplete. For example, we recently deployed Microsoft Defender for Identity with the help of our Active Directory team. Initially, they told us that only a few ports were required, but later they said that more ports were needed. Our environment did not allow these additional ports, and we were not aware of this requirement. This delayed the project and caused frustration for our team members. The customer also expected the project to be completed sooner, but unexpected firewall rules and undocumented configuration requirements prevented us from doing so. We had to open a case with Microsoft for assistance, and we were eventually able to resolve the issue.

The playbook is a bit difficult and could be improved. For those who do not have a deep understanding of playbooks or programming languages, it would be better to have extensive documentation and information available online. When I started working with Sentinel, there were times when we had to refer to the documentation to get information about the configuration or implementation steps. If we encountered errors in the implementation, we had to rely on the internet to figure out how to fix them. The information available online is not that comprehensive and does not cover specific maintenance tasks. If the documentation were improved a bit, and the playbook and automation were made easier to use, it would be a great benefit for technical users.

The AI and Machine Learning can be improved.

I have been using Microsoft Sentinel for over one year.

I have not seen any downtime with Sentinel. Sentinel is stable.

Sentinel is highly scalable. We can easily integrate more devices without any effort. Microsoft has a large data center, and they are always ready to add our devices.

Microsoft technical support has declined in quality over the years. I have only been using Sentinel for a year, but I have experience with Microsoft technical support through Azure and other Microsoft products. In the past, we were able to resolve tickets quickly with minimal back-and-forth. However, recently, the quality of support has degraded. We had a few critical cases that directly impacted production, but Microsoft did not assign their senior engineers to these cases. This wasted a lot of our time, as we had to explain the problems to multiple support representatives.

Neutral

We previously used Splunk SOAR in conjunction with Trend Micro and Darktrace to ingest logs, but we switched to Sentinel because it is more seamless.

The initial setup was successful. The configuration is not difficult. There were some challenging areas. However, we had access to free tools and a Microsoft contact who was always available to help us if we encountered any knowledge gaps. When setting up Sentinel for the first time in our environment, we always have an expert with us to assist with the setup, as not everyone has extensive knowledge of implementing the product. The expert is there to help us with the implementation if we get stuck on a step.

We decided which devices and types of alerts or information we wanted to ingest. At that time, we were not using automation. Our environment was in poor condition, and we were not utilizing the automated features of Sentinel. We only required the basic features of Sentinel, which were to ingest logs from the devices we were interested in, correlate them, analyze them, and integrate them with our service tools and alerting. For alerting, we used ServiceNow as our ticketing system. We would receive a ticket from ServiceNow for the SOC team, and then the SOC team would investigate and mitigate the issue. However, as time went on, the number of events increased, and the time it took to investigate them also increased. If we did not automate our environment, we would have to keep increasing the size of our SOC team or the number of SOC members to handle the workload. We could not meet the priority requirements. That is when we proposed using some of the automation features to help with low-priority alerts.

The deployment required three to four people. I joined the team for the implementation phase. So, by the time I joined, a lot of decisions had already been made, and a low-level plan had been decided upon. This was a low-level design and plan that we had to follow.

We had help from our Microsoft representative for the implementation. This contact was provided to us by Microsoft from the initial trial period all the way through the implementation.

Currently, given our use case, the cost of Sentinel is justified, but it is expensive. It is not so cheap that any organization can afford it. However, if an organization has a requirement for good security posture and can invest in security tools, they should have at least a decent budget to afford Sentinel. Sentinel does offer good features, such as SIEM, SOAR, and automation. However, we need to monitor our budget because ingestion can increase at any time and exceed our budget. We can set alerts to notify us if our budget is increasing significantly on a monthly or yearly basis. We can then control our budget by adjusting what we ingest. We can ingest any amount of data because there is a lot of data flowing in. However, some data is not necessary to ingest because it is not valuable to our analytics. Therefore, being careful about what data we ingest through Sentinel will help us stay within our budget.

We evaluated IBM QRadar and Splunk. Splunk has been in the market for a long time and is trusted by many organizations. While it was once a leader in its field, it does not seem to be keeping up with new features and automation. However, I am not aware of their current state of development.

We saw good features in both Splunk and QRadar, but QRadar had more features that were relevant to us. However, we are moving more towards the cloud. Previously, we had on-premises infrastructure, but we migrated to Azure when a new management team came in.

When we evaluated Microsoft Sentinel, we found that it had good functionality and met our requirements. We also liked that it is a cloud-based solution, so we do not have to worry about underlying hardware, features, operating systems, or management. We simply need to configure the application, which is relatively straightforward. We also do not need to make any upfront capital expenditures.

However, we need to consider the cost of ingesting logs into our environment. Microsoft charges for the amount of data ingested per day, so we need to keep our costs within budget.

QRadar is more complex and difficult to configure than Sentinel. Sentinel is easy to expand. If we add new devices to our environment, we can simply connect them directly to Sentinel. We do not need to worry about additional hardware or configuration.

Overall, Sentinel is a good choice for us because it is cloud-based, easy to configure, and scalable.

I would rate Microsoft Sentinel an eight out of ten.

Whether to use separate SIEM and SOAR solutions or Microsoft Sentinel depends on each organization's specific needs. All SIEM and SOAR tools are expensive because they provide essential security features. Organizations with the resources to pay for these features may choose to purchase Sentinel or another SIEM or SOAR solution. However, small and medium-sized businesses may not be able to afford these tools. Instead, they may choose to use a third-party service provider that already has a license for an SIEM solution such as QRadar or Sentinel.

Sentinel ingests data from over 1,500 endpoints, including technical devices, Windows devices, and Linux devices in our environment.

There is no maintenance required on our end. Microsoft is doing everything for us. We only have to have our configurations in place.

Before using Sentinel, organizations should clearly understand their use cases and requirements. They can take a trial of Sentinel and collaborate with Microsoft to create use cases that demonstrate the value of the investment. Because there are thousands of SIEM and SOAR tools on the market, organizations should evaluate multiple solutions to see what benefits they offer. They can then create use cases for each solution in their environment and take trials to implement them. Organizations should compare the solutions based on visibility, budget, and additional features. Anyone who is considering using a SIEM or SOAR solution should evaluate multiple solutions. Budgeting is very important.

Our team uses Microsoft Sentinel to monitor all security incidents. Security analysts working the intake process configure rules that trigger alerts based on specific criteria and route them to the appropriate team based on the event ID. This unified view within Sentinel allows me to investigate each incident, tracing its origin, path, and endpoint. By analyzing the information gathered, I can then determine whether the alert is a true positive or a false positive.

The visibility into threats that Microsoft Sentinel provides is excellent.

Microsoft Sentinel prioritizes threats across our organization, with levels P1, P2, and P3. This helps me determine how to investigate since some alerts, especially P1s, might seem critical at first glance. However, further investigation may reveal non-critical situations, like a P1 triggered by an authorized user's access from an unfamiliar IP or location. Analyzing logs can help identify these scenarios and ensure appropriate responses.

Microsoft Sentinel and Defender seamlessly integrate to provide a unified system for detecting and responding to security threats across our entire environment. This is crucial for meeting compliance standards and informing client communication. By investigating all security events and summarizing key findings in reports, we can not only highlight critical incidents but also demonstrate the steps we're taking to reduce the overall number of high, medium, and low-severity threats for our clients.

I would rate the comprehensiveness of the threat-protection that Microsoft Sentinel provides an eight out of ten.

Once data is ingested, the process begins with reviewing the ticket information. This can then lead us to Sentinel, where we can view logs. The depth of our investigation determines the next step: a login to Defender, which provides the full range of investigation tools to pinpoint the root cause of the incident.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place.

I would rate the comprehensiveness of Microsoft Sentinel eight out of ten.

Microsoft Sentinel helps automate routine tasks and the finding of high-value alerts.

Microsoft Sentinel simplifies security management by offering a single, unified XDR dashboard, eliminating the need to switch between and monitor multiple disconnected security tools.

The threat intelligence gives us a proactive advantage by anticipating potential threats, allowing us to prioritize and swiftly address critical incidents before they cause harm.

Microsoft Sentinel has helped save us time.

The detection is in real-time with Microsoft Sentinel. 

While Microsoft Sentinel provides a log of security events, its true power lies in its integration with Microsoft Defender. Defender extends Sentinel's capabilities by allowing for in-depth investigation. Imagine investigating a phishing email: through Defender within Sentinel, we can view the email itself, block the malicious email address and its domain, and even take down its IP address – all within a unified platform.

I would like Microsoft Sentinel to enhance its SOAR capabilities. 

I have been using Microsoft Sentinel for two years.

I would rate the stability of Microsoft Sentinel ten out of ten.

I would rate the scalability of Microsoft Sentinel ten out of ten.

I evaluated a few other SIEM solutions but I prefer Microsoft Sentinel because it is straightforward and I can also use Defender to investigate.

I would rate Microsoft Sentinel nine out of ten.

While Microsoft Sentinel offers SIEM capabilities for security information and event management, it doesn't fully replace the need for a separate SOAR solution, which specializes in security orchestration, automation, and response.

In addition to Microsoft Sentinel, I've also used IBM Security QRadar, which I believe is a superior solution because it functions as both a SIEM and SOAR, offering a more comprehensive approach to handling complex security processes.

I advise taking the course before using Microsoft Sentinel to have a better understanding of the solution.

I recommend trying Microsoft Sentinel.

My role thus far has been to integrate security log sources into the platform. This includes developing or troubleshooting some of the data connectors for different sources, such as web application firewall interfaces.

Sentinel is a SOAR platform. It represents the next generation beyond traditional SIM and SIEM platforms. Its powerful SOAR functionality orchestrates and automates responses to security events, eliminating the need for manual intervention. Instead of relying on human analysts to monitor events and react, Microsoft Sentinel leverages pre-defined automation rules. These rules correlate relevant events, generating a holistic understanding of the situation. Based on this analysis, automated responses are triggered, expediting the resolution process and eliminating any delays associated with manual identification and decision-making.

Sentinel provides us with a unified set of tools for detecting, investigating, and responding to incidents. This centralized approach offers both advantages and challenges. On the one hand, it grants us the flexibility to tailor Sentinel's capabilities to various situations. However, this flexibility demands a deep understanding of the environments and activities we're dealing with to effectively utilize Sentinel's features. While this presents a challenge, it also highlights the potential benefits of this unified approach. The unified view is important to me because I get all the information together in a single pane of glass instead of having to switch between multiple applications. The ability to consolidate all of that information into a single application or dashboard and to centrally evaluate its intelligence is a significant advantage.

Sentinel's ability to secure our cloud environment is of the utmost importance.

Sentinel Cloud Protection offers a collection of customizable content that caters to our specific requirements, demonstrating the solution's flexibility. The versatility of this content allows us to address a wide range of needs. However, in most instances, we need to adapt the material to suit our unique circumstances. While Sentinel Cloud Protection provides a comprehensive set of resources, including pre-written responses, it often requires tailoring to fit specific situations. This customization process is not a drawback but rather an essential aspect of effectively utilizing the tool. It's crucial to understand the nuances of each situation to apply the content appropriately. While I wouldn't consider this a negative aspect, I've encountered individuals who believe they can purchase a solution, implement it without modification, and achieve optimal results. However, such unrealistic expectations often lead to disappointment.

The Sentinel Content Hub is essentially the central repository where we acquire the content to build upon. Therefore, it serves as the starting point for our efforts. Some of the hunt rules have been quite beneficial in terms of what they provide from the Content Hub, allowing for a plug-and-play approach. This means we can immediately benefit from what's available without having to do any additional work. We can then build upon this foundation and extend the capabilities beyond what's provided by the Content Hub. The Content Hub itself is a valuable asset that gives us a head start in achieving our objectives.

Content Hub helps us centralize out-of-the-box SIM content. This has made our workload more manageable.

The ability to correlate and centralize all of that information together, rather than having to manage it across multiple platforms and potentially miss things between different platforms, makes it more likely that we will not miss anything. The workload and the missed threats that we need to respond to have been reduced because of that unified approach. The mean time to detect has been reduced, and the mean time to respond has been reduced.

Sentinel correlates signals from first- and third-party sources into a single, high-confidence incident. The third-party integrations provided through Microsoft offer all the tools we need to integrate those sources. In other cases, we have to build the integrations from the ground up. Currently, we are struggling to integrate some of the sources that don't have existing connectors. However, the platform is flexible enough to allow us to build these integrations. It is just a matter of finding the time to address this issue.

Our security team's overall efficiency has improved. The build phase is still ongoing. We have not yet fully transitioned to an operational model. We are still in the build implementation stage because we need to integrate some third-party sources into the existing platform and ensure that they are included in the scope of the analytics rules. However, this has significantly reduced the amount of time spent working between different platforms.

The automation capabilities are perhaps the platform's most significant advantage. The force multiplier capability is exceptional. Traditional SIM or SIEM-like platforms were effective in gathering and presenting security information to security personnel. However, security personnel were still responsible for evaluating the information and determining whether a response was necessary. One of the benefits of Sentinel's automation capabilities is the ability to automatically trigger an action or response activity, which is a significant advantage.

The automation capabilities have helped reduce our mean time to respond. Automated events can prevent a problem from escalating beyond a single incident to multiple occurrences before we have to respond to it. In this way, automation effectively catches problems right away.

Sentinel has helped to improve our visibility into user and network behavior. This is extremely important because it allows us to have a better understanding of how users and networks are behaving.

Sentinel has helped reduce our team's time.

Sentinel has streamlined our event investigation process by eliminating the need to manually track down specific event activities. The rules are now automatically identifying and processing these activities, significantly reducing the time required for investigation. Tasks that previously took half an hour can now be completed in under five minutes.

The analytic rule is the most valuable feature. It allows us to assess the various use cases we've developed and then automate those processes accordingly. I consider it a force multiplier. It empowers a small team to achieve a significant impact, whereas previously, I would have relied on multiple individuals. By utilizing it, we can accomplish more with fewer resources.

While I appreciate the UI itself and the vast amount of information available on the platform, I'm finding the overall user experience to be frustrating due to frequent disconnections and the requirement to repeatedly re-authenticate. Microsoft needs to address these usability issues to enhance the user experience.

I have been using Microsoft Sentinel for seven months.

The stability is exceptionally reliable. I tend to be quite vocal when things don't function as expected. The web interface requires using a browser for interaction, and I often find myself multitasking between Sentinel-related tasks and other activities, such as responding to emails. When I return to the Sentinel interface, I'm prompted to re-enter my credentials, which causes me to lose my previous work. If I'm using KQL to query data, I frequently have to restart my work from scratch. This can be frustrating, but I've learned to copy my work periodically to avoid losing it. I haven't encountered this issue with previous platforms, even those that use web interfaces.

Sentinel boasts exceptional scalability. While it's crucial to monitor data ingestion costs, Microsoft has effectively crafted a platform capable of expanding to accommodate far greater volumes than initially anticipated.

The technical support has room for improvement.

Neutral

The initial deployment was straightforward. Our strategy was to consolidate onto a common platform. We have a significant portion of our security information being handled through SysLog events. As a result, it was almost as straightforward as simply rerouting data from the old platform to the new one. This served as a preliminary test of the new platform to ensure it was functioning as intended and could effectively redirect and handle the increased volume.

The deployment likely involved six people, but not all at the same time. There were six people involved in the deployment overall, but we probably had four people working on it at any given time. From a headcount perspective, I believe four people is the appropriate number.

We employed a third-party company for the implementation because we sought expertise in Sentinel and the Azure platform, and we aimed to augment our existing staff.

We have achieved a positive return on our investment. In my previous jobs of comparable size, I would have needed approximately three people to manage the event activity and to handle and respond to it. Here, we can accomplish this with two people. As a result, we have saved at least one headcount with our current staffing levels. Additionally, as we expand the platform, we will not need to increase the headcount to manage the growth.

Microsoft Sentinel can be costly, particularly for data management. While Microsoft provides various free offerings to attract users, these benefits can quickly become overwhelmed by escalating data management expenses if proper precautions are not taken.

I don't think it's Microsoft engaging in underhanded tactics. I believe the issue lies with customers not paying close enough attention to what they're enabling. Initially, they're excited and eager to incorporate everything, but before they realize it, they've incurred unexpected costs.

Azure Monitor Log Analytics and Sentinel have different subscription plans and pricing tiers. This segmentation was implemented to accommodate the distinct business relationships within our organization. Sentinel costs are managed separately from Azure costs.

The decision to adopt Microsoft Sentinel was made before I joined the organization. I understand that they evaluated all the major solutions available, including Splunk and QRadar. However, due to the selection of a cloud-based solution, they opted for Microsoft Sentinel as it aligned with their overall strategy.

I would rate Microsoft Sentinel eight out of ten.

We've got a user base globally of about 5,000 people.

Microsoft Sentinel does require maintenance, which includes monitoring the incoming data and ensuring that everything is functioning as expected. While automation simplifies many tasks, it doesn't eliminate the need for oversight. We still need to verify that everything is working correctly. Part of the maintenance cycle involves ensuring that the automation agents are operational and performing their intended tasks and that events are being collected and evaluated properly.

Users need to have a clear understanding of their goals before selecting a solution. I have encountered too many people who believe that simply choosing a solution will resolve all of their problems. It is crucial to understand the desired outcome and the specific requirements of the use case to determine whether or not Sentinel is the appropriate fit.