reviewer2258052 - PeerSpot reviewer
Threat Detection Engineer at a healthcare company with 10,001+ employees
Real User
Fast with good visibility and automation capabilities
Pros and Cons
  • "The solution offers a lot of data on events. It helps us create specific detection strategies."
  • "Not all information shows up in Sentinel. Sometimes there are items provided in 365 and if you looked in Sentinel you would not see them and therefore think they do not exist. There can be discrepancies between Microsoft tools."

What is our primary use case?

We primarily use the solution for security purposes, to record events, and generate alerts, so that our security team can review the items and take proper action.

We work jointly with an MSSP, we have about 14 people working on a 24/7 schedule, around 25 people might use our Sentinel workspace regularly, and more than 40 people benefit directly from the output of this solution.

How has it helped my organization?

With Microsoft Sentinel we have detected threats in early stages of an attack through custom detection rules, helping us prevent escalation and further compromise.

Sentinel has provided visibility of administration events, which allows us to audit security processes and discover misconfigurations and errors.

Using Sentinel we have definitely saved time in our detection and response efforts.

What is most valuable?

Microsoft Sentinel as a SIEM uses KQL (Kusto Query Language) in its detection rules, which is an optimized query language with some really powerful functions. Generally SIEM vendors use different query languages. KQL queries can use complex logic and be executed in a few seconds, which would not be possible or may take up several minutes in other SIEMs, and now some vendors are trying to implement their own version of KQL.

Sentinel provides us with good visibility of threats. The different kinds of logs it ingests are good as long as the log sources are correct. It can integrate some out-of-the-box log sources in a short time, and log data fields are usually very complete. We don't have experience integrating custom log sources, but it should be possible.

Out-of-the-box log sources have the same data structure in all Sentinel workspaces, which allows queries and detection rules to be shared easily between Sentinel customers. We could rapidly adapt to a new threat with public detection rules created by Microsoft or other security professionals.

We work with Microsoft Sentinel and other Microsoft security solutions like Defender. We've integrated all of them together easily from their web portals. As long as you have the right privileges, integrating these solutions might be as simple as a click. Microsoft security solutions work natively together to deliver coordinated detection and response, which is important to us.

Sentinel allows us to ingest data from our entire ecosystem, whether it might be an on-prem or cloud service. It allows us to correlate different data tables, to create complex threat detections, and to investigate holistically across our infrastructure.

I like the automation portion of the product, it helps us automate routine tasks. We have created some automation playbooks in Microsoft Sentinel, however, in our environment these are not specific to security tasks.

What needs improvement?

Microsoft Sentinel has a lot of out-of-the-box detection rules. Many of these rules have not been tested; they may execute but they have errors or do not work as expected. Due to this I've made more than 80 requests for modifications in the Microsoft Sentinel public repository. If you want to ensure that Sentinel detection works, you need to review the logic of the detection rules one by one, and this shouldn't be the case.

Sentinel does not seem to have rules by default that check and notify of execution errors. I have had to create custom rules to detect when a log source or automation rule stops working as expected.

There can be discrepancies between Microsoft tools. Not all information appears in Sentinel. Sometimes there are items provided in Microsoft 365 Defender that you could search for in Sentinel and you would not find them and therefore assume they do not exist.

The solution is powerful but it can be expensive. Other solutions that are on-premises should be cheaper.

Buyer's Guide
Microsoft Sentinel
August 2025
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: August 2025.
865,384 professionals have used our research since 2012.

For how long have I used the solution?

I've been using the solution for more than three years.

What do I think about the stability of the solution?

The solution is largely stable but not completely. I have had issues with some log sources that stop being ingested or are delayed, and also with automation rules not responding to incidents. Sometimes automation rules stop working intermittently, and this issue might happen during a month or two, and then they go back to working as expected without being notified of any issue by Microsoft.

What do I think about the scalability of the solution?

The scalability is excellent, Sentinel has some limits regarding the amount of ingested data and enabled Sentinel resources, but these limits exist for extreme cases, which our workspace and organization are not even close to.

I'd rate it ten out of ten.

How are customer service and support?

I've opened many support tickets. When you open a support ticket, it will typically be resolved within the first interaction. And they've solved all of my support tickets quite quickly. Even if I have made a mistake when opening support tickets, it's always been a positive experience.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I've used a few different solutions, including ArcSight, LogRhythm, and QRadar.

I don't have much insight into ArcSight.

LogRhythm did not let me create complex detection rules.

With QRadar, when we are looking at queries, they can be slow. However, IBM is trying to create its own KQL implementation for QRadar in order to make them faster. 

But I don't have the same level of administration experience with these tools as with Sentinel.

How was the initial setup?

We had some cloud engineers who created our instance on Azure. They enabled the connectors for some out-of-the-box log sources, and created other kinds of necessary resources, especially to connect on-premises resources to Sentinel. We did not have issues that didn't depend directly on us.

At first we enabled all the detection rules we could, without deeply inspecting them, we assumed they would work. We would not take this approach again, detection rules should be reviewed and enabled one by one.

Maintenance is minimal. It's all on the cloud. If something does not work as expected, we open a support ticket. Since the tool is supported by Microsoft, you are paying them to also maintain it, basically.

What about the implementation team?

Our implementation was handled in-house.

What's my experience with pricing, setup cost, and licensing?

I would recommend checking regularly for deviations or unexpected surges of ingested events, which will affect the cost. I do not directly handle the pricing portion of the solution. There is a calculator in Azure that helps you estimate the cost.

What other advice do I have?

It's ideal to go with a best-in-breed strategy rather than a single vendor. You need to know what is available in the market. Companies should be free to use any security tool that they consider to fit their needs. 

For companies considering Sentinel, they need to ensure a threat detection engineer will be available to manage their detection rules, you shouldn't enable all of them blindly. You may get value from Microsoft Sentinel, however, you need to continuously invest time and ensure everything is set up and working as expected. 

I'd rate the solution nine out of ten. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Paul Schnackenburg - PeerSpot reviewer
Owner at Expert IT Solutions
Real User
Top 10
Automation enables me to provide security operations to my clients
Pros and Cons
  • "The standout feature of Sentinel is that, because it's cloud-based and because it's from Microsoft, it integrates really well with all the other Microsoft products. It's really simple to set up and get going."
  • "Given that I am in the small business space, I wish they would make it easier to operate Sentinel without being a Sentinel expert. Examples of things that could be easier are creating alerts and automations from scratch and designing workbooks."

What is our primary use case?

I'm an IT consultant, and I use Sentinel with two of my clients to monitor all their security signals and get alerts when things are happening that might be suspicious.

How has it helped my organization?

The fact that the solution helps automate routine tasks and the finding of high-value alerts has made it possible for me to provide security operations. If I didn't have automation, I wouldn't be able to do that. Nobody is going to pay me to sit and stare at a screen for eight hours a day. But with the automation built in to let me know about and fix things, it becomes viable. The automations have an email option, and all the alerts show up as emails in my inbox. I'm busy with other things, and I'm not looking at Sentinel all day. And the automation in those emails is available to deal with things automatically. Automation is incredibly important.

Sentinel gives me one XDR dashboard. In terms of security operations, it's improved them and makes it easy for me to do my job.

It saves my clients time, on the order of 30 percent.

It also saves costs for me and my clients. If we didn't have Sentinel in place, and they were to get compromised, it could cost them tens of thousands of dollars due to ransomware, a BEC scam, or another type of attack. Without Sentinel in place, that could be a very big cost.

And it decreases the time it takes to detect and respond by days, if not weeks.

What is most valuable?

My clients are small businesses, and mine is also a small business. Traditionally, even the concept of using a SIEM in most small businesses was unheard of. It was an on-premises product, and you needed to install servers, and most normal IT consultants wouldn't even look at it because it would be very complex for them. The standout feature of Sentinel is that, because it's cloud-based and because it's from Microsoft, it integrates really well with all the other Microsoft products. It's really simple to set up and get going. You don't have to set up a server or do a lot of configuring and setting up storage. It just lives in the cloud, you turn it on, and connecting most things to it is really easy.

It's fantastic when it comes to integration with other Microsoft products. It's so easy. I've been in IT for 30 years, and integrating products was, up until a few years ago, something we would never want to do. It was so hard, we wouldn't want to touch it. We would have to write custom code and configure things. It was just horrible. Now, it's literally a couple of sliders in the interface, and you're done.

And once these solutions are integrated, they work natively together to deliver coordinated detection and response across my clients' environments. I follow this space very closely, but I am not an expert in any other solution. Still, at least for my clients, with the threats they are facing and the alerts we get from the real world, Sentinel's detection and response are very comprehensive.

Sentinel enables you to ingest data from the entire ecosystem. I have integrated some non-Microsoft products with Sentinel, and, predictably, it's not as simple as one click because these are third-party products. But it is definitely quite easy. For cloud products and services, it's still very simple. It might be three or four clicks. But for on-premises products, it's a bit more work.

My clients also use Defender for Cloud, and its bi-directional sync capabilities are very important. It makes things much easier.

Sentinel provides a clear view into the threats that are coming in, and, compared to what I had before, it is night and day. I heard somebody say on a podcast, "The solution we had prior to Sentinel was like a dark room and you had a torch, and you could shine the torch in different directions and see some things. Having Sentinel, combined with Microsoft 365 Defender, the XDR solution, is like turning on the lights and seeing everything." I completely agree. That's exactly what it feels like.

Another incredibly important factor is the solution's ability to investigate threats and respond holistically from one place. Again, as a small business, I wouldn't have the time and energy to look in several different places. I need one place where it all shows up, and that's what Sentinel provides.

And with built-in SOAR, UEBA, and threat intelligence, the comprehensiveness of Sentinel's security protection is good.

What needs improvement?

Given that I am in the small business space, I wish they would make it easier to operate Sentinel without being a Sentinel expert. Examples of things that could be easier are creating alerts and automations from scratch and designing workbooks. All of those are available as templates and community-produced content, but doing all that from scratch and keeping it up-to-date, is not easy. Because I have lots of other things on my plate, it would really improve things for me if they would make it more accessible for small businesses and non-experts.

For how long have I used the solution?

I have been using Microsoft Sentinel since it was in public preview, so that's at least three and a half years.

What do I think about the stability of the solution?

It's a very stable solution—rock-solid.

What do I think about the scalability of the solution?

It's also very scalable.

How are customer service and support?

I have only ever contacted them about Sentinel once, but I have certainly dealt with Microsoft support in various ways. Their response time is pretty good. But they have a difficult time providing good support, at the level that would cause me to give them a higher score than six out of 10, because things change so fast. And it's so much wider than it used to be 10 years ago. There's so much to cover, and that's difficult for them.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We used ESET for one client, but it wasn't a SIEM, it was just endpoint protection. We replaced that with Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, and Sentinel. It's not an apples-to-apples comparison.

How was the initial setup?

The initial deployment is very straightforward. It took me four or five hours to set it up.

The product itself, obviously, does not require maintenance, but the alerts and rules require work.

What's my experience with pricing, setup cost, and licensing?

Sentinel is fairly priced and pretty cost-effective. Compared to on-premises solutions, Sentinel is very cost-effective.

It's certainly possible, if you're not careful about what you connect, to shoot yourself in the foot by ending up with large data sources being ingested that cost you a fair bit of money. You do need to think about what data sources you actually need, which ones will lead to the detection of actual attackers, and how much of that data you need. You also have to consider how you're going to store it, because Sentinel has different levels. You don't have to store it all in the expensive "this will give me alerts" tiers. But, as I said, my clients are small businesses. They certainly don't have a budget for anything expensive, and they're very happy with the costs.

What other advice do I have?

Do a proof of concept. It's really easy to set up and get started. You don't have to turn everything on to start. Do a small proof of concept, get familiar with it, and you'll see how easy it is.

Does it help prioritize threats across the enterprise? The short answer is, "Yes, it does." The slightly longer answer is that it is not a set-and-forget solution. And no SIEM is. You do need to configure Sentinel and fine-tune it. I have a calendar reminder every two weeks to go back in and make sure the right analytics rules are in place and change the ones that need changing, et cetera. It does prioritize threats, but it's not an automatic process that you never have to worry about again.

Sentinel's threat intelligence doesn't really help with proactive steps. The threat intelligence has indicators of compromise, such as IP addresses, URLs, and file hashes. They get detected, but that's not really proactive. Perhaps it's "proactive" in the sense that somebody else has figured out that those things are bad and let the system know. But Microsoft 365 Defender does the proactive part because it has threat intelligence in it. It will tell you, "A new threat that we have a report on seems to be targeting your type of client." That's proactive, but Sentinel isn't proactive. Meaning, if you read about a threat and then protect yourself before that threat reaches you, Sentinel doesn't really do that.

In the debate about best-of-breed versus a single-vendor security solution, if you pick best-of-breed individual security solutions and you have to integrate them, now you're an integrator. And that is hard. It's not easy to integrate different security products. And that's why, at least for my clients, Sentinel and Microsoft 365 Defender have been a huge shift. They're so easy to integrate. My clients could license separate products and then try to integrate them to get the same level of integration, but that would never work.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Cybersecurity Engineer at General Motors
User
Top 20
Improves our visibility, centralizes out-of-the-box content, and is user-friendly
Pros and Cons
  • "Microsoft Sentinel stands out among SIEM tools for its user-friendliness and powerful built-in query language."
  • "Microsoft Sentinel's search efficiency can be improved, especially for queries spanning large datasets or long timeframes like 90 days compared to competitors like Splunk."

What is our primary use case?

In our Security Operations Center, we rely on Microsoft Sentinel for continuous security monitoring. We collect logs from various customer environments and define security use cases with correlation rules to analyze activities. These rules leverage predefined criteria to identify potential malicious behavior. Microsoft Sentinel serves as our central platform for security monitoring, investigation, and remediation of security threats detected through alerts.

The biggest challenge in security monitoring is managing the vast amount of logs generated daily from various devices like web servers and firewalls. Microsoft Sentinel tackles this by collecting all logs in a central location and allowing us to define rules. Using its query language, we can search across these logs for specific conditions, like malicious activity. If a suspicious event is identified, Sentinel generates an immediate security alert, enabling our team to investigate and take appropriate action to stop potential attacks.

How has it helped my organization?

Microsoft Sentinel helps us identify security threats through built-in machine learning. It analyzes network traffic patterns and can detect anomalies, like unusually high data transfers outside typical hours. These anomalies trigger alerts, allowing for early intervention.

Microsoft Sentinel shines in its ability to bridge hybrid and multi-cloud environments. It seamlessly integrates with on-premises infrastructure through Azure Arc, and even private clouds can be connected via Azure Gateway and a VPN to the Azure Log Analytics workspace. This unified approach ensures all our security data, regardless of origin, is ingested and analyzed for potential threats.

Microsoft recently launched Content Hub, a marketplace for pre-configured security solutions within Azure Sentinel. Unlike our previous experience setting up data connectors a few years ago, Content Hub offers a one-stop shop for integrating security tools. When we choose a data connector, we also get pre-built correlation rules, playbooks, and workbooks – all packaged together for faster and more effective security monitoring. The content hub streamlines onboarding pre-built SIEM content, especially during the initial SOC setup. When starting fresh with a new environment and unsure of specific use cases, we can search for relevant data sources in the hub. Once integrated, the content hub provides pre-configured rules alongside those connectors. Simply enabling these rules offers substantial coverage for our MITRE ATT&CK mapping, a framework that assesses our ability to detect various attack techniques. By leveraging these out-of-the-box tools, we gain significant initial security coverage with minimal effort.

The content hub helps us centralize all of the out-of-the-box content available from Sentinel.

Sentinel acts as a central hub, bringing together information from various sources both internal, first-party, and external, third-party into a single, unified view. This allows us to analyze logs stored in different tables, regardless of their naming conventions. By defining correlation routes, Sentinel can examine specific activities across these disparate sources. For example, we could create a route that checks firewall logs for suspicious activity and then correlates it with specific user actions in Windows device logs, providing a more comprehensive picture of potential security incidents.

Sentinel improves our visibility into user and network behavior through a feature called User Entity Behavior Analytics. This leverages Microsoft's machine learning to analyze user and device activity. If we're investigating multiple security incidents involving a user or device, UEBA provides a broader view. We can directly access the user's history of incidents and visualize their connections to other alerts and impacted devices in a graph format. This allows for efficient investigation of complex incidents impacting multiple users and devices.

Microsoft Sentinel streamlines security incident investigation. The incident page clearly displays involved entities and details of triggered alerts, including logs. This allows SOC analysts to quickly assess the situation and potentially predict the nature of the activity, even before diving into event logs. Sentinel's powerful query language further simplifies investigation by enabling easy data visualization, formatting, and custom functions, all within various timeframes. This significantly accelerates the overall investigation process.

Sentinel has streamlined our event investigation process. By allowing us to predefine keyword queries for specific alerts, it eliminates the need to manually craft queries each time. Similar to how SOCs use pre-defined playbooks for various incidents, Sentinel lets us define queries that return relevant data quickly. This cuts down on investigation time by allowing us to focus on the specific alert and the data it generates.

What is most valuable?

Microsoft Sentinel stands out among SIEM tools for its user-friendliness and powerful built-in query language. This language, included at no additional cost, allows for easy data collection, sorting, formatting, and visualization, making it accessible even to non-experts. Additionally, its seamless integration with other Azure products eliminates the need for custom parsing logic, saving time and resources.

What needs improvement?

Microsoft Sentinel's search efficiency can be improved, especially for queries spanning large datasets or long timeframes like 90 days compared to competitors like Splunk. While Sentinel might take several minutes to return results for such investigations, Splunk queries are significantly faster.

For how long have I used the solution?

I have been using Microsoft Sentinel for two years.

What do I think about the stability of the solution?

Since the entire Azure Sentinel analytics workspace resides within the Azure environment, we've never experienced lag or downtime. This is because Microsoft handles all data storage, hosting, and infrastructure maintenance. As a result, we're relieved of those burdens and haven't encountered any Sentinel downtime.

What do I think about the scalability of the solution?

Microsoft Sentinel's cloud-based deployment on Azure allows it to scale automatically. This likely involves built-in load-balancing mechanisms that distribute processing across different Azure resources when needed. This ensures Sentinel can handle increased workloads without manual intervention.

How was the initial setup?

While I wasn't involved in deploying Microsoft Sentinel myself, I did help configure and set it up on our end. The initial setup process wasn't particularly simple, but it wasn't overly complex either.

While the user interface in Azure simplifies the deployment process of Microsoft Sentinel, some architectural knowledge is still necessary. The initial configuration might involve just a few selections, but deciding on the deployment architecture, data replication workspace locations, etc. requires experience. This prior experience, however, should make integration with existing systems smoother. Three people on average are required for the initial deployment.

What about the implementation team?

Our Microsoft Sentinel implementation approach depended on available time. For complex deployments, we handled it directly. In time-sensitive situations, we collaborated with teams managing the devices, providing them with implementation steps and troubleshooting support as needed.

What's my experience with pricing, setup cost, and licensing?

While I wasn't involved with the specifics of Microsoft Sentinel's pricing, my understanding is it scales based on data ingestion. This means we only pay for the amount of data we bring in, which is fair. However, if a device generates excessive data like hundreds of GBs daily, investigating the cause becomes crucial to avoid unnecessary costs. In most cases though, the pay-as-you-go model shouldn't be an issue.

What other advice do I have?

I would rate Microsoft Sentinel eight out of ten. I've tried Splunk, QRadar, and Azure Sentinel. While Splunk requires knowledge of SPL for deeper exploration and QRadar's query language isn't powerful, Azure Sentinel strikes a great balance. It offers a user-friendly interface for basic investigations without needing a query language but also allows for custom queries and visualizations for advanced users. This makes it the most versatile of the three.

Splunk requires users to learn SPL for full functionality, making it less accessible for basic investigations. Conversely, Microsoft Sentinel's intuitive UI allows even those without KQL knowledge to conduct basic security analysis through its built-in features and informative interface.

Because our service is hosted on Microsoft's cloud, they completely manage all maintenance tasks, freeing us from infrastructure management responsibilities.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Head of IT and security at HN India
Real User
Gives granular and concise information, helps with compliance, and integrates very well with Microsoft stack
Pros and Cons
  • "The AI and ML of Azure Sentinel are valuable. We can use machine learning models at the tenant level and within Office 365 and Microsoft stack. We don't need to depend upon any other connectors. It automatically provisions the native Microsoft products."
  • "Sometimes, we are observing large ingestion delays. We expect logs within 5 minutes, but it takes about 10 to 15 minutes."

What is our primary use case?

Our first use case is related to centralized log aggregation and security management. We have a number of servers at the user level and data center level, and I cannot use multiple tools to correlate all the information. My overall infrastructure is on Azure. We have a hybrid approach for the security environment by using Sentinel. So, hybrid security is one of the use cases, and unified security management is another use case.

How has it helped my organization?

It has helped us in three ways. One is IT, one is security, and one is compliance. Before Sentinel, our IT was mature, but our security and compliance were not mature enough in terms of certain controls, client requirements, and global-level regulatory compliance. By implementing the SIEM along with Security Center, we have improved security to a mature level, and we are able to meet the compliance reporting and client requirements for security within the organization.

It has an in-depth defense strategy. It is not limited to giving an alert; it also does correlation. There are three things involved when it comes to a SIEM solution: threats, alerts, and incidents. Sentinel gives you granular and concise information in the UI format about where the log has been generated. It doesn't only not give the timestamp, etc. This information is useful for the L1 and L2 SOC managers.

It has good built-in threat intelligence tools. You can configure a policy set and connectors, and you don't need to have any extra tools to investigate a particular platform. We can directly use the built-in threat intelligence tools and investigate a particular threat and get the answers from that.

We are using Microsoft stack. We use SharePoint. We use OneDrive for cloud storage. We use Teams for our internal productivity and communication, and we use Outlook for emails. For us, it provides 100% visibility because our infrastructure is on Microsoft stack. That's the reason why I'm very comfortable with Sentinel and its security. However, that might not be the case if we were not in Microsoft's ecosystem.

We are using Microsoft Defender. The integration with Microsoft Defender takes a few seconds. In the connector, you just need to click a button, and it will automatically connect. However, for data ingestion, it will take some time to configure the backend log, workspaces, etc.

It is useful for comprehensive reporting. We need to prepare RFPs for our clients. We need to do reporting on particular threats and their resolution. So, it is useful for our RFPs and our internal security enhancements.

It is helpful for security posture management. It has good threat intelligence, and it provides deep analysis. The security engine of Microsoft Sentinel takes the raw data of the logs and correlates and analyses them based on the security rules that we have created. It uses threat-intelligence algorithms to map what's happening within a particular log. For example, if somebody is trying to log into an MS Office account, it will try to see what logs are available for this particular user and whether there is any anomaly or unwanted access. It gives you all that information, which is very important from the compliance perspective. It is mandatory to have such information if you have ISO 27001, HIPAA, or other compliances.

It enables us to investigate threats and respond holistically from one place. It is not only about detecting threats. It is also all about investigating and responding to threats. I can specify how the alerts should be sent for immediate response. Microsoft Sentinel provides a lot of automation capabilities around reporting.

With the help of incidents that we are observing and doing the analysis of the threats, we are able to better tune our infrastructure. When we come across an incident or a loophole, we can quickly go ahead and review that particular loophole and take action, such as closing the ports. A common issue is management ports being open to the public.

It saves time and reduces the response time to incidents. We have all the information on the dashboard. We don't need to go ahead and download the reports.

There are a lot of dashboards available out of the box, and we can also create custom dashboards based on our requirements. There is also one dashboard where we can see the summary of all incidents and alerts. Everything can be correlated with the main dashboard.

We can use playbooks and data analytics. We have one system called pre-policy definitions where our internal team can work on the usability of a particular product. We get a risk-based ranking. Based on this risk-based ranking, we will create policies and incorporate data analytics to get the threats and alerts. We are almost 100% comfortable with Sentinel in terms of the rules and threat detections.

It improves our time to detect and respond. On detecting a threat, it alerts us within seconds.

What is most valuable?

The AI and ML of Azure Sentinel are valuable. We can use machine learning models at the tenant level and within Office 365 and Microsoft stack. We don't need to depend upon any other connectors. It automatically provisions the native Microsoft products.

Playbooks are also valuable. When I compare it with the playbooks in other SIEM solutions, such as Splunk, AlienVault, or QRadar, the playbooks that Sentinel is providing are better.

The SOAR architecture is also valuable. We use productivity apps, such as Outlook and Teams. If a security breach is happening, we automatically get security alerts on Teams and Outlook. Automation is one of its benefits.

What needs improvement?

We are working with a number of products around the cybersecurity and IoT divisions. We have Privileged Identity Management and a lot of firewalls to protect the organizations, such as Sophos, Fortinet, and Palo Alto. Based on my experience over three years, if you have your products in the Microsoft or Azure environment or a hybrid environment around Microsoft, all these solutions work well together natively, but with non-Microsoft products, there are definitely integration issues. Exporting the logs is very difficult, and the API calls are not being generated frequently from the Microsoft end. There are some issues with cross-platform integration, and you need to have the expertise to resolve the issues. They are working on improving the integration with other vendors, but as compared to other platforms, such as Prisma Cloud Security, the integration is not up to the mark.

The second improvement area is log ingestion. Sometimes, we are observing large ingestion delays. We expect logs within 5 minutes, but it takes about 10 to 15 minutes.

They can work on their documentation. For Sentinel, not many user or SOP information documents are available on the internet. They should provide more information related to how to deploy your Sentinel and various available options. Currently, the information is not so accurate. They say something at one place, and then there is something else at other places.

For how long have I used the solution?

It has been about two years.

What do I think about the stability of the solution?

It is stable. They are enhancing it and upgrading it as well.

What do I think about the scalability of the solution?

It is scalable. It is being used across all departments. We took it for about 80 devices, but, within 24 hours, we mapped it to 240 devices.

How are customer service and support?

Technical support is very straightforward. They will not help you out with your specific use cases or requirements, but they will give you a basic understanding of how a particular feature works in Sentinel.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We didn't use any other solution in this company. We went for this because as per our compliance requirements, we needed to have this installation in place. About 80% of our environment is on Microsoft, and we could just spin up Azure Sentinel.

How was the initial setup?

It is straightforward. Usually, you can deploy within seconds, but in order to replicate an agent on your Sentinel, it will take about 12 to 24 hours.

We engaged Microsoft experts to deploy the agents across the devices on the cloud. It didn't take much time on the cloud, but for on-prem, it takes some time.

It has saved a lot of time. Implementing a SIEM solution from a third-party vendor, such as AlienVault OSSIM, can take about 45 days to 60 days of time, but we can roll out Sentinel within 15 days if everything is on Microsoft.

What about the implementation team?

For implementation, we have about three people. One is from the endpoint security team. One is from the compliance team, and one is from the security operations team.

It is a cloud solution. So, no maintenance is required.

What was our ROI?

We have reached our compliance goals, and we have been able to meet our client's requirements. We are getting a lot of revenue with this compliance.

It has saved us money. It would be about $2,500 to $3,000 per month.

What's my experience with pricing, setup cost, and licensing?

It varies on a case-by-case basis. It is about $2,000 per month. The cost is very low in comparison to other SIEMs if you are already a Microsoft customer. If you are using the complete Microsoft stack, the cost reduces by almost 42% to 50%.

Its cost depends on the number of logs and the type of subscription you have. You need to have an Azure subscription, and there are charges for log ingestion, and there are charges for the connectors.

What other advice do I have?

I would strongly recommend it, but it also depends on the infrastructure. I would advise understanding your infrastructure and use cases, such as whether your use case is for compliance or for meeting certain client requirements. Based on that, you can go ahead and sign up for Sentinel.

If you have the native Microsoft stack, you can easily ingest data from your ecosystem. There is no need to think about all the other things or vendors. However, in a non-Microsoft environment where, for example, you have endpoint security from Trend Micro, email security for Mimecast, and IPS and IDS from Sophos, FortiGate, or any other solution, or cloud workloads on AWS, Microsoft Sentinel is not recommended. You can go for other solutions, such as Splunk or QRadar. If about 80% of your infrastructure is on Microsoft, you can definitely go with Microsoft Sentinel. It will also be better commercially.

I would rate it a 10 out of 10 based on my use case.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
reviewer1954005 - PeerSpot reviewer
Senior Cloud Infrastructure Consultant at a tech services company with 201-500 employees
Consultant
Allows us to configure what we need and monitor multiple workspaces from one portal, and saves countless amounts of money
Pros and Cons
  • "The part that was very unexpected was Sentinel's ability to integrate with Azure Lighthouse, which, as a managed services solution provider, gives us the ability to also manage our customers' Sentinel environments or Sentinel workspaces. It is a big plus for us. With its integration with Lighthouse, we get the ability to monitor multiple workspaces from one portal. A lot of the Microsoft Sentinel workbooks already integrate with that capability, and we save countless amounts of money by simply being able to almost immediately realize multitenant capabilities. That alone is a big plus for us."
  • "Improvement-wise, I would like to see more integration with third-party solutions or old-school antivirus products that have some kind of logging capability. I wouldn't mind having that exposed within Sentinel. We do have situations where certain companies have bought licensing or have made an investment in a product, and that product will be there for the next two or three years. To be able to view information from those legacy products would be great. We can then better leverage the Sentinel solution and its capabilities."

What is our primary use case?

We needed a SIEM solution that could integrate with our Microsoft 365 stack. Being a Microsoft product, that was the first SIEM we looked at, and we haven't looked back. We're still growing with the product over the last couple of years. It is phenomenal.

We're mainly focused on the cloud, but one of our selling points is that you can integrate with on-prem. We push to get the Azure Arc implementation done on top of Sentinel so that we can ingest data from your on-prem environment into Azure Monitor, which is then exposed to Sentinel. That's how we drive that integration, but we mainly have the cloud. We have 80% cloud and 20% on-prem.

How has it helped my organization?

The specific focus on entity behavior is where the gold is within Sentinel. The machine learning and AI capabilities that Microsoft already provides within their toolset are exposed through entity behavior analytics. That really is magic. It is something we don't live without. We have specific key metrics we measure against, and this information is very relevant information to our security approach. That's because not everything is an alert and not everything is a threat. In some cases, the anomalous sign or the anomalous behavior is more important than the actual alert coming up and saying that something has been infected. It could be those sign-ins a week before or a month before into a database that you don't always look into that end up being the actual threat. The entity behavior or the overall feature that Sentinel has is absolute gold for us.

In terms of the visibility into threats, because I set up the product, I'm very much aware of the fact that you see what you configure. That's probably a plus in terms of if you have an appetite only for product one, you ingest and you consume only product one. In our company, we have the full E5 solution, and we tend to have a lot of endpoints or metrics that we can pull into one space. So, each and every sub-component, such as Defender for Endpoint, Defender for Identity, and all the incidents end up within Sentinel. It is one spot from where we can manage everything. That works very well for us. We do have small customers with one or two Microsoft solutions, and even third-party solutions, and we can still integrate or expose those product-specific incidents within Sentinel. For me, that's a big plus.

It definitely helps us to prioritize threats across our enterprise. There is not just a clear classification of severity but also the ability to team certain alerts together. It can chain events and bring you a bigger picture to tell you this is something that you need to take care of or look at because it is tied or chained to multiple events or alerts. That ability is again a big plus.

We probably use all of the Microsoft products. We use Azure Active Directory, and we use Defender for pretty much everything, such as Defender for Identity, Defender for Endpoint, Defender for Cloud, and Defender for Cloud Apps. As a senior cloud infrastructure consultant, it is a part of my role to provide or customize and configure these products on behalf of our customers. We have integrated these products for multiple customers. One of my favorite benefits of Sentinel is its integration with the entire stack. I am yet to find a Microsoft product with which it does not integrate well. All of the Microsoft products are fairly simple to integrate with it. Anyone can set up their own environment. It is only third-party products where you tend to have a bit of technicality to configure, but even that is not a difficult process. It is fairly straightforward and easy to follow.

All these solutions work natively together to deliver coordinated detection and response across our environment. Microsoft Defender stack does that quite well. One of the reasons why Microsoft personally favors the Microsoft Defender stack is because of the integration with the rest of the products.

I'm a big fan of the layered approach, and it should be in every environment. Microsoft does a good job of providing you with that layered approach without too much of an oversight or a combination of a bunch of products. They work well individually, and they stack together quite well based on the individual requirements or the needs of each.

We use Microsoft Defender for Cloud. Our footprint in the cloud is limited. We only have two or three customers that fully make use of the product, but it is something that I do make use of and will. We do make use of its bi-directional sync capabilities. Especially within the organization, we have a very small team dedicated to assisting in our cloud-managed servers. If one person has to run around and duplicate these efforts in multiple portals, that wouldn't be an effective use of their time. So, the simple ability to just be in one portal or one place and apply the remediation or the management of an item is a big plus for us.

It allows us to ingest data from our ecosystem. I have found only one or two third-party antivirus products that still don't integrate fully with Sentinel, but for my use case within my own environment, as well as the environments we manage through our inSOC offering, there hasn't been any case or instance I know of where we could not find a solution to ingest necessary logs.

I work with security, and I also work with compliance. On the compliance side, the ability to have an audit trail and all your logs in one central location is important. The data is queryable. The KQL language is not a difficult language to get under. So, for me, having it all in one place and being able to query it and slice the data to what I need to provide or expose is a key feature of a SIEM solution.

It enables us to investigate threats and respond holistically from one place. It is very important, and bidirectional ties into this. We have a small team. So, the following capabilities are critical to our managed solution:

  • The ability to hunt from one location or one stream.
  • The ability to integrate with multiple sources and data tables for ingestion.
  • The ability to expose information from those tables from one stream or portal.

We probably would end up having to hire twice as many people to accomplish what we can do simply by integrating Sentinel with the rest of our product stack.

It helps automate routine tasks and the finding of high-value alerts. Being able to automate routine tasks or routine alerts is a big save for us because our analysts are not bogged down trying to just close alerts in a portal. This freeing up of time alone is a big save for us.

It helps eliminate having to look at multiple dashboards and gives us one XDR dashboard. The workbooks already integrate well with Azure Lighthouse. So, right off the bat, we had that multitenant capability from one dashboard or one screen. It is just absolutely brilliant.

It saves time on a daily basis. For example, as a desktop engineer, if I have to go through 20,000 devices, it would take a long time to go one device at a time. To make sure everything is fine, if I have to log in, upload some logs, do some metrics, log off, and go to the next office, it would take us a good part of a year to be able to work on each of these devices. With Sentinel, once your logs are configured and analytics rules are in place, a simple hunting query could accomplish exactly the same in a month.

Previously, four hours of my day were spent on just dashboards here and there, logging into tenants one time to the next, running the same view in the same portals, and looking through, for example, the alerts for the day or the threats for the day. With Sentinel, all that is in one place. I can just log on with my company-provided credentials, do MFA once, and through a portal with multiple links, seamlessly go through entity after entity. My whole exercise of four hours per day is now probably down to half an hour just because everything is in one place.

It has decreased our time to detection and time to respond. In the past, we would have to get someone to physically log onto a portal once there is an alert, and if that alert was in multiple places or multiple customers, it would mean multiple portals and multiple logins. The ability to manage from one screen and run an effective service has alone saved us 60% of our day.

What is most valuable?

I work with the Microsoft 365 products stack quite a bit, and I'm a big fan of the granularity that the products have. For example, the Defender stack is very focused on endpoints, identities, and so forth. With Sentinel, we have the ability to integrate with each of these components and enhance the view that we would have through the Defender portal. It also gives us the ability to customize our queries and workbooks to provide the solution that we have in mind on behalf of our team to our customers.

The part that was very unexpected was Sentinel's ability to integrate with Azure Lighthouse, which, as a managed services solution provider, gives us the ability to also manage our customers' Sentinel environments or Sentinel workspaces. It is a big plus for us. With its integration with Lighthouse, we get the ability to monitor multiple workspaces from one portal. A lot of the Microsoft Sentinel workbooks already integrate with that capability, and we save countless amounts of money by simply being able to almost immediately realize multitenant capabilities. That alone is a big plus for us. Never mind everything else, such as the security benefits, visibility, and the ability to query the data. They all are great, but the ability to see multiple workspaces is a big money saver and a big time saver for our team.

We offer a managed service where we are geared toward a proactive approach rather than a reactive one. Sentinel obviously covers quite a lot of the proactive approach, but if you engage all of your Microsoft products, especially around the Microsoft endpoint stack, you also gain the ability to manage your vulnerability. For us, gaining the ability to realize a full managed service or managed solution in one product stack has been valuable.

Its threat intelligence helps us prepare for potential threats before they hit and take proactive steps. It highlights items that are not really an alert yet. They are items that are running around in the wild that Microsoft or other threat intelligence providers have picked up and would expose to you through Sentinel by running a query. This ability to integrate with those kinds of signals is a big plus. Security is not only about the alerts but also about what else is going on within your environment and what is going on unnoticed. Threat intelligence helps in highlighting that kind of information.

What needs improvement?

Improvement-wise, I would like to see more integration with third-party solutions or old-school antivirus products that have some kind of logging capability. I wouldn't mind having that exposed within Sentinel. We do have situations where certain companies have bought licensing or have made an investment in a product, and that product will be there for the next two or three years. To be able to view information from those legacy products would be great. We can then better leverage the Sentinel solution and its capabilities. It is being enhanced, and it has been growing day to day. It has gone a long way since it started, but I would like to see some more improvement on the integration with those third parties or old products that some companies still have an investment in.

In terms of additional features, one thing that I was hoping for is now being introduced through Microsoft Defender Threat Intelligence. I believe that is going to be integrated with Sentinel completely. That's what I've been waiting for.

For how long have I used the solution?

I have been working with this solution for close to two years.

What do I think about the stability of the solution?

It is very much stable. We've had one or two issues in the last two years where we had a Microsoft-reported incident, and there were data flow issues, but overall, they are 99.9999% available. We've not had an unrecoverable event across the solution. We've had incidents where users ended up not paying the subscription and the subscription got disabled. It simply required just turning it back on and paying your bill, and you were back up and running. It is quite robust.

What do I think about the scalability of the solution?

It definitely is scalable. It will adapt to your needs. It is really about how much you're willing to spend or what your investment is like. That's basically the only limitation. We've seen customers or deployed to customers with thousands of endpoints across the world, ingesting tons and tons of data. We're talking 200, 300 gigabytes per day, and the product is able to cope with that. It does a great job all the way up there at 200, 300 gigs per day to all the way down to the 10, 20 megs per day. It is really scalable. I am quite a fan of the product.

It is being used at multiple locations and multiple departments, and in our case, multiple companies as well. In terms of user entities, the number is probably close to 40,000 in total across our state. In terms of endpoints, we probably are looking at close to 30,000 endpoints.

How are customer service and support?

I've dealt with Microsoft technical support in the recent past, and I'm overall quite happy with it. Being a big company with big solutions and lots of moving parts, overall, their approach to troubleshooting or fault finding is great. I'm going to give them an eight out of ten. There is always some room for improvement, but they're doing well.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We didn't really use a full SIEM solution at the time. We hovered between dashboards and certain portals. We didn't have a SIEM in place. The first solution we looked at was Sentinel, and we fell in love. It does everything we want and everything we need, and we haven't looked back. We're not even looking at any other solutions right now. For us, it is unnecessary. We're very happy with Sentinel and what Sentinel can do.

How was the initial setup?

It is very straightforward. As a service provider, we'd love to be part of that integration or setup. That's where we make our bread and butter. It is simple enough for the average IT enthusiast to get going, but if you do want to get the best out of your product and if you want to start with some customization, reaching out to a service provider or to a specialist does make sense because they have learned a few things on your behalf. Other than that, it is easy enough to get going on your own. It is a very straightforward configuration, and it does make sense. It is easy to follow.

If you already have a subscription in place, you could be fully operational in less than one business day.

What about the implementation team?

For its deployment, it is a one consultant kind of approach. What is important is that everyone from within the company that is part of the decision-making chain is present as part of it. That's because the main pushback is not the implementation of Sentinel, but the connection to it for the data. So, you would have your firewall guys push back and say, "I don't want to give my data to you." You have your Defender guys saying, "No, I don't want to give my data to you." That's more important in terms of the deployment. One person can easily manage the deployment in terms of the workload.

There is some maintenance. There are some daily, monthly, and weekly tasks that we set out for ourselves. It is normally in the form of query updates, workbook updates, or playbook updates. If some schema update has happened to the underlying data, that needs to be deployed within your environment. Microsoft does a great job of alerting you, if you are within the portal, as to what element needs updating. We have 16 customers in total, and we have one person dedicated to maintenance.

What was our ROI?

We could realize its benefits very early from the time of deployment. Probably within the first three months, we realized that this tool was a lot more than just a simple SIEM, SOAR solution.

It has absolutely saved us money. Of course, there is an upfront investment in Sentinel, which has to be kept in mind, but overall, after two years, the return on investment has been absolutely staggering. In security, you don't always have people available 24/7. You don't have people awake at two o'clock in the morning. By deploying Sentinel, we pretty much have a 24/7 AI that's looking at signals, metrics, and alerts coming in, making decisions on those, and applying automated actions. It is like a 24-hour help desk service from a solution that is completely customizable. We have programmatic access to the likes of playbooks to be able to further enhance that capability. The savings on that alone have been astronomical. If we did not have Sentinel, we would have had to double the amount of staff that we have now. There is about a 40% reduction in costs.

What's my experience with pricing, setup cost, and licensing?

I'm not happy with the pricing on the integration with Defender for Endpoint. Defender for Endpoint is log-rich. There is a lot of information coming through, and it is needed information. The price point at which you ingest those logs has made a lot of my customers make the decision to leave that within the Defender stack. The big challenge for me right now is having to query data with the Microsoft Defender API and then querying a similar structure. That's a simple cost decision. If that cost can be brought down, I'm sure more of my clients would be interested in ingesting more of the Defender for Endpoint data, and that alone will obviously drive up ingestion. They are very willing to look at that, but right now, it is at such a price point that it is not cost-effective. Most of them are relying on us to recreate our solution, to integrate with two portals rather than having the data integrated into Sentinel. If we can make a way there, it'll be a big one.

Which other solutions did I evaluate?

We have had some assessments where we were asked to do a comparison with the likes of Splunk and other similar tools. What I love about Sentinel is the granularity. You can configure what you need. Whether it is just logs from a server or logs from any of the Microsoft solutions, you have the ability to limit data depending on your use or your need. You can couple that with the ability to archive data, as well as retain data, on a set schedule.

Its cost is comparable to the other products that we've had, but we get much more control. If you have a large appetite for security, you can ingest a lot of information right down to a server event type of log. That obviously would be costly, but for ingesting from the Microsoft stack itself, a lot of the key logs are free to use. So, you could get up and running for a very small amount per month or very small investment demand, and then grow your appetite over time, whereas with some of the other solutions, I believe you buy a commitment. So, you are in it for a certain price from the beginning. Whether you consume that, whether you have an appetite for that, or whether there are actual people in your company who can make use of that tool is separate from that commitment. That commitment is upfront, whereas Sentinel is much more granular. You have much more control, and you can grow into a fully-fledged product. You don't need to switch everything on from day one and then run and see what it will cost. You can grow based on your needs, appetite, and budget until you find that sweet spot between what you ingest and what you can afford.

What other advice do I have?

Having worked with the product and knowing the capabilities of the product, it is worth investing in a product that Microsoft has spent a great deal on integrating with the rest of its product stack. Now, we can argue how far along the third-party vendors are in terms of integration with the rest of the security landscape, but if you're a Microsoft house, there is literally no better solution right now in terms of integration and highlighting the best out of your investment. Of course, every use case is different, but I'm happy to look at any challenge in terms of what a third-party solution can bring and what they reckon Sentinel can't.

My advice to others evaluating the solution is that Sentinel isn't a silver bullet solution. It is not something you deploy and set up, and it is going to work 100% well and you're going to be happy. There is going to be some upfront investment. You're going to have to spend some time getting the product in place and getting it configured to your needs. To showcase in a PoC environment is quick and easy, but to realize real-world day-to-day benefits from this product, there is going to be some investment. Keep that in mind. If you're willing to spend that time upfront within the first couple of days or a couple of weeks of you deploying the solution, you'll immediately realize the benefit, but you have to have that mindset. It is not going to just be next, next, next, where it is deployed, and congratulations, you are now secure. That's never going to be the case, but after spending a bit of time on this product, there is nothing it can't do.

I want to give it a 10 out of 10 just because I'm very passionate about this product. I've seen it grow from a very basic SIEM solution to a fully-fledged SIEM, SOAR solution. Some of the capabilities that are built in right now make my day so much easier. Overall, it is a brilliant product, and I love what Microsoft is doing to it. It is a great product.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
EXECUTIVE CONSULTANT at Freelance
Real User
Gives a comprehensive and holistic view of the ecosystem and improves visibility and the ability to respond
Pros and Cons
  • "It is able to connect to an ever-growing number of platforms and systems within the Microsoft ecosystem, such as Azure Active Directory and Microsoft 365 or Office 365, as well as to external services and systems that can be brought in and managed. We can manage on-premises infrastructure. We can manage not just the things that are running in Azure in the public cloud, but through Azure Arc and the hybrid capabilities, we can monitor on-premises servers and endpoints. We can monitor VMware infrastructure, for instance, running as part of a hybrid environment."
  • "Everyone has their favorites. There is always room for improvement, and everybody will say, "I wish you could do this for me or that for me." It is a personal thing based on how you use the tool. I do not necessarily have those thoughts, and they are probably not really valuable because they are unique to the context of the user, but broadly, where it can continue to improve is by adding more connectors to more systems."

What is our primary use case?

Microsoft Sentinel is a monitoring tool. It is a SIEM solution and is used to gather logs. It allows us to analyze and understand the flow of information based on the events that happen and the systems we connect it to. 

I explain it to my customers as being almost like an octopus. It sits in the middle of a tank, and it has all these tentacles that connect to different systems. We bring that information in via those connections, and then we query them. We can centrally analyze, examine, and understand the data that comes in through the analytics or the capabilities that Azure links to Microsoft Sentinel, which is Azure Log Analytics Workspace. We then use queries to help us understand or make sense of the data. We can have dashboards and visualize them. 

We use it to set up monitoring for cloud infrastructure and we use it as part of a larger monitoring capability around setting up a SOC capability. We are then able to keep track of infrastructure and mitigate risks.

How has it helped my organization?

Microsoft Sentinel gives visibility to some degree to all of the customers that I work with. It has given us more visibility into the accurate state of the endpoints being monitored in near real-time. 

With the solution, we are now able to respond to incidents in a more timely fashion, which helps us. It helped us to understand what is happening and make informed decisions as a result. It has given us a more comprehensive and holistic view of the ecosystem that exists, and not just an individual piece of that ecosystem. It does not give a view of just one server. It also gives a view of the supporting infrastructure around it. It has given us a lot more visibility, and it has made us smarter in terms of being able to defend ourselves against bad threat actors and the harm they look to do. It made us better armed and more informed, and therefore we can offer a better defense that will hopefully ward off some of those bad actions.

Microsoft Sentinel helps to prioritize threats across the enterprise in several ways. This capability is linked to other technology elements that make up the overall security posture of the Microsoft offering. Microsoft Sentinel, in particular, allows us to look at the flow of information coming through the connectors from various systems. This helps us create alerts and analyze that data so that we can bubble up and see what is happening. We can tie that into the Microsoft Defender stack or the products in the Microsoft Defender ecosystem, and we can take action and monitor. 

Whether it is being alerted, manually choosing to do something, or automating through the broader security capabilities of the platform, we can take action. When we tie in the broader security capabilities that involve governance, risk management, and compliance (GRC), and we have all the tools at our disposal to do that, Microsoft Sentinel becomes a huge ingestion engine that brings in signals. The telemetry and data from all the monitored endpoints allow other capabilities to access that data so that we can monitor it. We are then not only well-informed, but we can also choose how to respond. We can respond through a combination of automation and manual actions. If something occurs, we can then kick off an incident response to deal with it. If needed, we can quarantine and mitigate it. We have a rich set of capabilities but also a very flexible set of opportunities to respond because we are given near real-time information. We can analyze that information in near real-time to make informed choices when it comes to threat intelligence, threat mitigation, and threat assessment.

I use all of the products that Microsoft has in the market in various architectures or configurations with different customers, and I have used them for many years. Various customers use the entire suite of offerings that Microsoft has in the security space in terms of governance, risk management, and compliance, such as Microsoft Sentinel and Microsoft Defender. There are also solutions like Privileged Identity Management (PIM), which is now a part of Microsoft Entra, which has been renamed. I have integrated these products and set up the architectures or designs for customers. The setup depends on the size of the customer and some smaller businesses do not use all of them. They license at lower levels and do not have the business case, the resources, or the need to use them all. Larger companies tend to utilize more of them. Because I work with different-sized companies, I set the solutions up and have used them in a variety of circumstances across the board for different companies. 

In the beginning, like any technology, it was a little harder to integrate when the products were new. As they matured and went through iterations, they became easier to work with. Utilizing a new product is more painful than using a product that has perhaps been out for a year or two, that has been vetted and maybe has gone through one major update or release. The integration has gotten better over time, and the product lines continue to mature and become more powerful as a result.

Microsoft security products work natively together to deliver coordinated detection and response across the environment. For this, you need to use the appropriate connectors to bring in the information from both Microsoft-centric and third-party systems that you want to incorporate and monitor. It is bounded by the vision of the architecture that allows you to connect those systems and the availability of those connectors. Assuming those systems are connected properly, brought online, and are reporting, it gives you the depth of visibility that you need to manage both Microsoft and non-Microsoft systems.

Microsoft security products provide a very thorough set of security. Microsoft is looking at billions, perhaps a trillion, individual data points a day at this point across the Microsoft ecosystem, which includes everything Microsoft does, all customers, and all interactions. They take all that information and analyze it with dedicated security teams, machine learning and artificial intelligence, business analytics, etc. They turn that information around and make it available for customers who are consuming the threat analysis and threat intelligence capabilities on the platform. Some of the solutions are available for free to everybody regardless of licensing. For others, you need enhanced licensing to take advantage of it fully. The threat intelligence feeds, the live analysis, and the security posture that Microsoft provides to its customers globally as part of the shared responsibility model have matured tremendously. They are the best. You get incredible value for the amount of work that goes into providing that. The customers I work with are very happy with the work that Microsoft does and continues to do in that space.

We use the bi-directional sync capabilities of Microsoft Defender for Cloud in some cases. It is a very useful feature for myself and my customers. It is very important because it allows us to use the Defender product, which is made up of maybe 20 individual offerings at this point. There are a lot of different sub-areas that you have that you can attach the Defender product to. This concept allows us to be able to have the endpoints monitored, whether they are the servers or the service that Defender would monitor and protect. It allows us to understand what is happening with them and to have near real-time updates about their status. We can see the impact of potential threats that are attaching and risks that may become apparent, and we can see the impact of remediation or the things that are being done to stop those things or perhaps forestall them, hopefully, to prevent them from harming. This capability is very important, and it is one of the secrets that allow that platform to not only be very flexible but also very impactful in terms of monitoring the bulk of the infrastructure and services that most customers would have running in a public cloud, whether it is Microsoft or any other public cloud, such as Amazon, Google, etc. We can monitor any infrastructure and understand it, especially customers' environments that are hybrid where they have on-premises as well as cloud or multi-cloud infrastructure with more than one cloud. To be able to monitor both on-premises and multi-cloud environments is a requirement today, and Microsoft provides those capabilities but not all other providers do. 

It enables us to ingest data from the entire ecosystem as long as we are using a connector to link to the infrastructure that we need to monitor and as long as there is a connector for monitoring that infrastructure. So, as long as the pipe exists, we connect the pipe, and we can monitor the infrastructure. For a majority of mainline infrastructure or a majority of third-party vendor systems today, there are connectors. For some smaller systems or proprietary or custom systems that some companies run, there might not be connectors, but for mainline systems that you would buy, acquire, or use from large-scale SaaS vendors, connectors have been there for a while. As long as we are running connectors to that infrastructure, we can monitor almost anything that we have.

Sentinel enables us to investigate threats and respond holistically from one place. We have a central dashboard that we can use to monitor and then from there, do the analysis and also create the remediation if necessary. This functionality is very important. The biggest mistake vendors make in tool design from a UI/UX or user interface/user experience perspective is that they do not make things centrally available and obvious for the administrator or the end user who is going to run or use that system. Generally, if something is overly complicated and not very intuitive, it is hard to get people to buy into using something. With Microsoft Sentinel, you can have everything in one place and visualize the impact of the threats, the risks, the incoming data, and the number of incidents, events, or alerts that are happening. All those things are visually represented in the opening part of the dashboard. You could drill down from there with a navigation area that is intuitive and easily understood. That makes it very easy for different users, such as administrators and managers, and other user profiles that have different reasons for being in the tool, and that is the hallmark of a good design.

When you look at it holistically and look at what it is linked to in terms of the broader security platform that Microsoft provides, it is very strong, and it continues to get better. When you ask anyone about their thoughts about a product and how it works for their customers, the mistake that people often make in describing something is that they say, "I think it is great, and it is great for us. It does everything we need." That is good, and it should be. I can say that for the majority of my customers without any ambiguity or concern about being accurate, but the thing you have to add is that there are always things that we do not know that we need to do until they occur. We might not have seen that threat before. Maybe there is a new advanced persistent threat or zero-day exploit that we have to contend with, which we have not been aware of until now. The hallmark of a really good tool is its ability to integrate that new information in a timely fashion and have the flexibility to mature the tool over time based on feedback and iterative use. The strength that Microsoft has brought to the platform over time is the ability to listen to its customers and make sure they are offering based on that feedback. It is good, and it continues to get better. Today, it is good, and tomorrow, it will be better because of that thought process in the way they engineer over time.

Microsoft Sentinel helps automate routine tasks and the finding of high standards. If you set it up the right way, it does that as one of the key things that it is designed to do. It has streamlined our ability to respond, so response time has gone down. It has enhanced our understanding because automation is managing some of the remediation and the menial, repetitive ongoing tasks of:

  • Paying attention to information flows.

  • Picking out the most important elements.

  • Prioritizing them and bubbling them up.

  • Creating alerts around them and then telling people that these things are happening. 

Automation lets you do that without having to spend human or people cycles to do that. The automation never gets tired and it never gets bored. It never needs to take a break. It never gets distracted. Because of that, we find not only more things we need to react to, but we react to the things that we truly should be chasing. We are not distracted as much by things that seem to be important, but we find out that they are just ghosts. They are false flags. The ability to bring machine learning, artificial intelligence, business analytics, and data visualization as a part of automation has filtered out a lot of the background noise that distracts. It has allowed us to hone in and refine our activity cycles around the most important things that we have to pay attention to.

Microsoft Sentinel helps eliminate having to look at multiple dashboards and gives one XDR dashboard if you set it up the right way. I have seen it set up in ways where it does not do that because it is not optimized, but if you are using it the right way, if you understand the tool and how to integrate it properly, then it gives you that single dashboard where you can directly find the information or link through a smaller visual tile that will take you to that information that you need if you need to drill down in a deeper, more meaningful way.

Its threat intelligence helps to prepare for potential threats before they hit and take proactive steps. If you are integrating the threat intelligence feeds from Microsoft and looking at them, everything is relative. They are there if you are smart enough to consume them and understand what you are looking at. In other words, people who are paying attention to them and are using them properly are getting tremendous value out of them. Microsoft globally examines billions, if not a trillion, of individual telemetry data points every day and incorporates that into their threat analysis feeds, so no individual company, irrespective of how big they are and how much money they have, can bring that kind of at-scale analysis to that problem. As a result, you are getting a tremendous amount of data that is being vetted, analyzed, and distilled down to meaningful actionable intelligence. It is consumable because it is presented in a very summarized and succinct way. It is very valuable, but you have to be able to understand that and utilize that to draw value from it.

I have saved time with Sentinel. The ability to have the power of Microsoft as a global scanning organization service provider at my disposal is helping me to better understand the environment I operate in through threat intelligence and threat analysis. In addition, the ability to automate at scale across the platform and to have the research and design that is being done to continuously upgrade and add features to those platforms has made me a much more capable and therefore, more successful security practitioner. It is hard to quantify the time saved. It would probably be a very extreme exercise to go back and do that, but it is fair to say that over a year, we have probably saved a thousand or more human hours. If I look across a team for one of the customers that I work with, it is fair to say that we have saved at least a thousand human hours for a year by relying more on the automation toolsets. That is about ninety hours a month on average. We can break it down to 15 or 20 hours a week or something like that, but the reality is that it is about a thousand or more hours that we have saved in a year.

Time to detection has decreased, and the time to respond has gone down. They both have decreased. That has been an outcome that we have seen and is measurable. It goes back to the investments you make in building out that architecture in terms of:

  • How many systems are you monitoring or how many are you connecting?

  • How much data do you have coming in? 

  • What are you doing with that data and how are you using it? 

If you are building out a full SOC analysis capability or a full monitoring solution, and you are tying this into incident response and alerting and event continuous monitoring through automation, time to respond and time to solution is going to decrease as a result.

What is most valuable?

It can connect to an ever-growing number of platforms and systems within the Microsoft ecosystem, such as Azure Active Directory and Microsoft 365 or Office 365, as well as to external services and systems that can be brought in and managed. We can manage on-premises infrastructure. We can manage not just the things that are running in Azure in the public cloud, but through Azure Arc and the hybrid capabilities, we can monitor on-premises servers and endpoints. We can monitor VMware infrastructure, for instance, running as part of a hybrid environment. The continuing evolution of what we call the connectors, which is the marketplace that lets us connect these systems to Microsoft Sentinel, is probably one of the most important features.

The reliance on a very simple but very powerful query language called Kusto Query Language or KQL that Microsoft uses to allow us to log into the analytics workspace to assess and analyze the data is also valuable. That has made it very approachable and very scalable. Those are very big and important things for me as a consultant, as an architect, and as a person who is implementing these solutions for customers and who is explaining them, and ultimately working with them. This makes the product not only usable but also very flexible. Those are two very important elements.

What needs improvement?

Everyone has their favorites. There is always room for improvement, and everybody will say, "I wish you could do this for me or that for me." It is a personal thing based on how you use the tool. I do not necessarily have those thoughts, and they are probably not valuable because they are unique to the context of the user, but broadly, where it can continue to improve is by adding more connectors to more systems. 

The really interesting area where we are already seeing the impact is the use of more artificial intelligence. There could be the ability to bring AI into the analysis capabilities of the toolset in more ways so that we can utilize the power that computer analysis at scale has. That is because we are limited. As humans, we can only look at so much information, see so many patterns, and absorb so much in any given cycle of a workday, but artificial intelligence and automation engines do not take breaks. They do not stop. They do not need to. They can go deeper, and they can see more data and ingest more to find patterns that, as humans, we are not going to be able to see. The evolving technology in this area is all moving towards the use of artificial intelligence, embedding it in multiple areas in the platform so that we can be told that there are things that we need to pay attention to that are becoming a problem as opposed to things that are already a problem. Where the biggest improvements can happen is how we move that ability to identify emerging threats closer to the point of contact so that we can interject and essentially stop and disrupt the kill chain of an event series before it harms. Currently, the problem we often have is that things get bad, and until they get bad, we do not really know what is happening, and we do not know how to respond, so we spend a lot of time responding to incidents that have already started or have unfortunately unfolded fully in a reactive manner. The value proposition in terms of improvement down the road is getting better at predictive defense and proactive response before events take place to stop them before they start. That is the future that we are moving towards, and that is where the biggest improvement lies.

For how long have I used the solution?

Sentinel, which is now called Microsoft Sentinel, used to be called Azure Sentinel. It was renamed about a year and a half or two years ago, but I have used Sentinel for about four years. It was probably released in 2019.

What do I think about the stability of the solution?

It is very stable. I have had little to no difficulty with it in the more than four years that I have used it or deployed it. I cannot think of a time in the last four years when it was unstable or unstable enough that I had to open a support ticket. I have had issues with it because people have misconfigured it or not set it up properly, but those issues were not related to the platform itself. Those were human interactions that were complicating it because it was not set up the right way. When it is set up correctly, it is a very solid platform with minimal to no downtime. There were no major service disruptions that I remember that caused problems.

What do I think about the scalability of the solution?

It is very scalable. You do not think of scalability necessarily the same way you would if you were setting up a cluster to run virtual machines, for instance, because there, you have to add resources, and you are monitoring to make sure that there are enough resources versus the load in the system. Microsoft Sentinel is a managed solution. You are deploying it, but then Microsoft is scaling it and managing it on the backend for you, so you do not control some of the things that would impact scalability directly. Microsoft is hosting it. It is essentially a service you are consuming. In my history with the product, it has always met my expectations, and I have never had an issue where it could not perform because of a resource constraint, so its scalability is solid, and it is always available when necessary. It is not scalable in the same sense as you would control it by adding hosts to a cluster. It is a different kind of scalability, but it has been rock solid all the time I have been working with it.

In terms of the environment, I have multiple customers, so each one is different, but generically, it is safe to say that it is deployed to monitor infrastructure that is in multiple geographies, multiple data centers, or multiple places both on-premises and in the cloud. It could be hybrid as well as multi-cloud. The infrastructure is being monitored from a variety of different locations. Microsoft Sentinel itself is typically installed and instantiated in one instance. You set it up inside of an Azure subscription and you have one instance. If you need more than one, you might set up more than one depending on the geography and the needs of the organization, but typically, we have one central Microsoft Sentinel instance running, and then you will bring that information into it through the connectors. It is typically going to be a single instance. It will usually monitor geographically distributed architecture, and it will usually operate at scale, so there will be quite a bit of information coming into that at any given moment.

How are customer service and support?

Like anything else, you can get support depending on how you are using the tool and the level at which you are using it. You get basic support from Microsoft. If you have a problem, they are very good at telling you if there are service issues. If you are paying additionally, you can get premium support to support you with the tool. There is an additional fee for platinum-level support or premium support. Their support is very good if you are paying for it and you are able to utilize it. If you are just able to open a basic ticket because you are having a problem, support is good, but you are going to be limited in the help you are going to get. To talk to a high-level engineer to deal with complicated issues, you are going to need to pay extra money for support. Overall, I would rate their support an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have used several different solutions over time with different customers for different reasons. I work with a lot of different customers. I set up solutions for different customers. They have different technologies and different needs, and some of them have a bias towards certain products and against others, but I have used products like ConnectWise, which is a SIEM solution, and Splunk, which is probably one of the biggest ones out there that most people would name if you ask them. Splunk is probably at the top or near the top of everybody's list. Datadog would be another big one. I have used LogPoint and GrayLog. I have also used ManageEngine's Log360. SolarWinds is another popular one that I have come across pretty often. I have used many more than that, but those are probably the top five or six that I have used. They are the ones that customers tend to use a lot. Some of them are still using those products and have chosen not to move, but the ones that have chosen to move have done that because of two things. The cost plays a part. They have the ability to leverage a tool that is already built into the platform and that may be easier to work with and integrate in a more readily accessible fashion, and it would be as expensive and maybe less expensive over time. It might also seem to be a better architectural choice for them as they look at an upcoming renewal cycle, or they have heard or been told that they need a certain capability or feature and the vendor that they are currently using does not have that or it is not as easily accessible or readily available, but Microsoft Sentinel has that capability. It has connectors to those other platforms, but for whatever reason, their particular vendor does not have that connector, or they might promise to deliver it but it is not going to be ready for six months. It comes down to features and cost. These are the two main reasons or two main motivators to drive people to migrate.

In terms of the cost and ease of use of Microsoft Sentinel against standalone SIEM and SOAR solutions, it is difficult to do an apples-to-apples comparison. That is because, in theory, you can look at Microsoft Sentinel as a single standalone product with its own cost associated with it, but it is linked to, consumed by, and used in partnership with many other systems and tools that also have a licensing cost. Some of it is built-in and some of it is an add-on, depending on where you are and how you choose to license. In other words, Microsoft Defender is a per instance per month cost that is additional to using the Microsoft Sentinel product, and what you get with a standalone solution is essentially just the SIEM or the SOAR capability. You are not getting the capability to blend them across the platform, or if the vendor does both, you are buying them as an all-in-one solution and you are paying a monthly fee per user based on licensing. 

From my perspective, cost comparisons are not as accurate. When a customer asks whether Microsoft Sentinel is going to cost them less or more than using this other tool, it is a very simplistic way of looking at the tool, and it is a very operational-centric or OpEx discussion. When anyone asks about the monthly fee for the investment in this tool, you have to be more strategic. When you look at a tool, features, and capabilities, the capital expense is broader than just the operational expense. You have to understand the strategy associated with the tool decision and the impact and value of the tool. 

Microsoft Sentinel gives a good value for money or a return on investment in terms of what it costs you to run it. When comparing it to any of the other major competitors in the market, it is as cost-effective and perhaps even more cost-effective than some of them. It certainly is very competitive, but people do not necessarily understand the subtlety in that assessment in terms of how they are integrating the Microsoft Sentinel solution or the third-party solution into the broader context of their infrastructure and security posture. That is where they run into issues that become more prohibitive from a cost perspective, both hard and soft. For example, the hard cost could be $15 a month per user to license or $15 a month per endpoint and $100 per gigabyte of storage or something like that. Those numbers are wildly inaccurate, but you do have hard costs, and then you have soft costs, which include what it costs you to train people who have to use that technology or to train people who have to manage it ongoing and integrate it. You might have to hire consultants to do that, for instance. Those are hard and soft costs. When you are using a Microsoft product and you are Microsoft-centric, you overcome some of those soft costs because you have people who already have skills on the platform. You are already integrating that technology. Microsoft is doing that for you. You do not have to do it yourself. As a result, some of what I refer to as hidden costs are not as high with a Microsoft solution as they would be with a third-party solution. If you are already Microsoft-centric and you are using a majority of Microsoft Azure and Microsoft 365-based infrastructure in some form, it is easier to implement that technology. It costs less when you go forward with Microsoft Sentinel than it does when you try to bring in a third-party external SIEM or SOAR and tie it into the Microsoft platforms and have it do the things that you are looking for it to do.

How was the initial setup?

It is predominantly deployed for public cloud use, meaning customers hosting on a public cloud are using it. They are hosting in Azure, for instance, and they are running their cloud infrastructure in that cloud environment. You can link to on-premises resources in hybrid scenarios, and you can certainly make the case that it can be used for private cloud as well because you can extend it to the on-premises environment. It can be used to ingest information in a multi-cloud environment, meaning you can bring in infrastructure information from Amazon or Google, the other two major public cloud provider platforms, as well as VMware, which, in its own right, is a public cloud provider. So, it can be used or potentially be available to consume data from any of those areas.

I have been involved in the deployment of hundreds of instances of Microsoft Sentinel. Its initial deployment is straightforward. In terms of implementation strategy or how to approach it, it is important to spend a lot of time with whoever the customer is. I work with multiple customers. I ask them what sound like fairly simple and simplistic questions but are very important questions. What are they looking to accomplish by deploying a SIEM solution? What is the business requirement that we are addressing by deploying the solution? We need to define that and understand that because oftentimes, we find that the customer says, "Well, we think we need, for instance, X." We talk about it, but realize what they really need is perhaps X with other things or it is not X at all. It is really W. They just thought it was X because somebody told them that. They did not know any better, so asking W&H is important.

  • Who is this for?

  • Who are the stakeholders?

  • Why are we doing this?

  • What are we looking to accomplish?

  • When are we looking to get it done?

  • What is the timeline?

The where and the how are not as important because it is typically in the cloud, and we are going to have qualified people deploy this architecture and we are going to run it in Microsoft, Amazon, or whatever. If we ask those questions upfront, then we can come up with a deployment plan and architecture solution that approximates the customers' needs but also meets their expectations, so for me, a project's success or failure lies in planning. The majority of the work you do has to be done in the planning cycle before you do implementation. If you are really strong in planning, then implementation is relatively straightforward. There are not a lot of surprises. As long as you are technically competent, you can do your deployments, and they should be relatively straightforward and minimal risk to the organization in terms of the deployment. If you do not get your planning right, you are opening up a tremendous amount of risk and liability in the organization.

In terms of maintenance, you cannot set it and forget it. Like any other product, it does require maintenance. If you are smart about it and you set it up the right way the first time, it will take care of itself, and it will certainly operate well at scale, but you have to examine it on an ongoing basis. There is always an opportunity to refine and update connectors. You can add new connectors as you need to extend the reach of the tool. You may have to look at the volume of data that is coming in to refine the amount of data that you want to store, pay for, and analyze, and then you have to look at the queries you are running to be able to stay on top of the data to extrapolate meaning. So, there is maintenance that goes into using a tool like this. There is no checklist that you go through every day, but there are absolutely things that have to be done on a daily, weekly, and monthly basis to keep the tool running properly.

What about the implementation team?

I am the one who handles the deployment. It is rare that I would not do it myself or work with a team that would be empowered to do it as part of that.

The deployment, depending on the size of the deployment, could be done by as little as one person. It does not necessarily need a huge number of people to be associated with it. The bigger need there is what you do once the initial deployment is done, meaning fine-tuning the operation of that. When you add all that in, you typically look at a team of anywhere from three to six individuals. There are incident management and response and SOC analysis people. There are also network people. There are different people who would play a part in ultimately standing up and optimizing a tool like this, but usually, four to six people play a part on average.

What was our ROI?

There is absolutely an ROI if it is architected properly and the customer has the right expectations going in.

Microsoft Sentinel has saved my customers money. There is an initial investment upfront, so you have to spend money to save money. There is an initial investment upfront of hard and soft hours, but if the systems are set up properly and optimized and you have people who understand them, one of the things that you are able to do is look at the redundancies in your security stack or in your provisioning. You can look at tools that you may be able to move away from at the end of a license period instead of renewing, for instance. You can do away with that redundancy and focus on simply using the Microsoft toolset, so you tend to find that there is definitely an economy of scale there in terms of recouping those returns on investment. There may be a one to three-year cycle to see those savings. It depends on where you are with redundant tool sets that you have identified to be eliminated and where you are with a contractual licensing obligation of time cycle or license period before you have to pay to renew based on current investment, so it may lag a little bit. You do not tend to see those results right away. They tend to lag anywhere from 12 to 36 months, but at the end of, for instance, a three-year cycle, you are not spending another $300,000 to re-license a new tool. You are saving that money. You can then work backward and say that on average, you are now saving x amount of dollars a month going forward because you are not making that investment anymore. You definitely do see investments that yield value, but they tend to lag.

What's my experience with pricing, setup cost, and licensing?

It is priced fairly given the value that you get from the use of the product. The biggest mistake people make with Microsoft Sentinel is not understanding the pricing model and the amount of data that they are going to be running through the tool because you are paying based on the flow. You are paying based on the amount of data that is moving through the tool. People do not plan, and therefore, they get surprised by the cost associated with using the tool. They connect everything because they want to know everything, but connecting everything is very expensive. They might not need to know everything. That is what I talk about with customers. It would be nice to know everything, but it might not be affordable or cost-effective. Microsoft Sentinel provides good value for the money. It is competitive with any of the other offerings out there based on the cost, but the mistake customers make is that they do not understand the cost model for using a SIEM solution regardless of whose solution they are using. When they get visibility into that model, it becomes a lot easier for them to make informed decisions.

Which other solutions did I evaluate?

I certainly evaluate products all the time. I am always looking to see what capabilities exist and which vendor can offer me the best mix of features and capabilities for the price, and then I make recommendations to my customers as a result of that. Microsoft Sentinel is a newer product in the market in terms of time. It has only been around for about four years, whereas some of the other products, such as Splunk, have been around a lot longer, so I tend to find people evaluating Microsoft Sentinel versus the other products they already possess when they are looking to move.

What other advice do I have?

To those evaluating this solution, I would advise doing their due diligence. They have to understand the technology, the capabilities, and the limitations. They need to assess the business requirements that they are trying to address by deploying a SIEM solution, whether it is Microsoft or not. They need to understand what those key business requirements or key objectives are, and then evaluate the tools to make sure that those tools can achieve those objectives. They can then make an informed decision accordingly.

Microsoft Sentinel is one piece of the puzzle. Threat intelligence or threat analysis is a broader aspect of the security platform that Microsoft provides. It is certainly reliant on the data that Microsoft Sentinel provides, but there is a lot more to it than that. Overall, Microsoft has made tremendous investments in the last five to ten years. Especially in the last five years, in that space, they have developed a threat intelligence, threat analysis, and threat awareness capability that rivals any of the top platforms that are out there today. They continue to mature and grow that capability by maturing the products that support it. Microsoft Sentinel is one aspect of that. The Microsoft Defender stack or all different Defender products are a part of that. A few years ago, it would have been very hard to make the statement or make the case that Microsoft has a mature offering that is certainly at the very top along with other offerings that are often talked about as being at the top in that field. Today, Microsoft competes at the top tier of that field, and their solution is as mature as any of the ones in the market. The challenge with the Microsoft solution is that it is very specific and uniquely honed for the Microsoft infrastructure. That is not a bad thing, but it is something that you need to be aware of. It is specifically designed to work with, work for, and wrap around Microsoft's public cloud offering Microsoft Azure and the supporting elements in Microsoft 365, etc. So, as long as you are Microsoft-centric in your stack, in your technology, in your architecture, it is a very valuable piece of the overall threat posture management that a company needs, but if your investment in technology is heavily weighted outside of Microsoft, it is of less value because you need to be Microsoft-centric and Microsoft forward to be able to fully leverage that platform.

To a security colleague who says it is better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that it depends on the nature of the organization's technology architecture. If the organization is overwhelmingly single-technology-centric, meaning they use Microsoft almost exclusively, you can make the case either way. Using an external third party not tied to Microsoft is important because now you are splitting your investment, and you are not gambling only on one provider, which is the argument you always hear people make when they say, "Do not put all your eggs in one basket." The counter to that argument is who knows my environment better than the vendor that has made all the technology that I am integrating, and who would be better to monitor it than the vendor that makes all the technology? When I have customers that are single-technology-stack customers, they are almost exclusively or predominantly Microsoft, I counsel them to think strongly about using Microsoft products unless there is a compelling reason not to because Microsoft is going to make a much better solution than a third-party vendor that has to figure out how to connect to Microsoft to use that product properly. Organizations that have a mixed technology environment do not use only one vendor. To be fair, many small, medium, and large organizations are mixed technology environments, and it would be foolish to only rely on one vendor's security solution.

Overall, I would rate Microsoft Sentinel an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Jalan Cruz - PeerSpot reviewer
Cyber Security Analyst at CoinFlip
Real User
Offers good log aggregation and data connectors, but is not user-friendly
Pros and Cons
  • "Log aggregation and data connectors are the most valuable features."
  • "For certain vendors, some of the data that Microsoft Sentinel captures is redacted due to privacy reasons."

What is our primary use case?

We use Microsoft Sentinel for log aggregation, data connectors, and alerts.

How has it helped my organization?

In terms of visibility, Microsoft Sentinel captures a lot of useful data.

Microsoft Sentinel helps us prioritize threats across our enterprise. It shows us the most vulnerable assets, and because we have agents on every machine, we know exactly where to go to investigate. This is important for staying secure as a company. It allows us to cover our own bases by seeing what is happening in real-time and taking proactive steps to address threats, rather than reacting to them after they have already occurred. We can stay up-to-date with security measures and ensure that we follow through and execute our security plan.

We integrated Microsoft Sentinel with Defender for Cloud, Endpoint, and Defender Vulnerability Management. 

Microsoft is not the most vendor-friendly company in terms of integrations and connections, but we were able to get it working in the end, so we cannot really complain.

Microsoft's security tools work natively together to deliver coordinated detection responses across our environment.

The comprehensive threat protection that Microsoft Sentinel provides is good. They provide really good information. We are able to create documents, perform root cause analysis, and analyze anything we need to. Log integration is also key. We are able to find potentially malicious files, correlate events to alerts, and then take action on alerts. So, the comprehensiveness is pretty straightforward.

We use Cloud and Endpoint security. We have our Defender cloud, and then Defender agents on each endpoint. The bidirectional sync capability is important, and it is a work in progress. We are in the process of off-boarding our contract with CrowdStrike. We are moving all of our cybersecurity needs to Microsoft Defender, which is included in our existing Microsoft licenses. This makes financial sense, and CrowdStrike was not providing us with much value.

The system allows us to ingest data from our entire ecosystem, which is very important. This is our main source of correlation of logs to alerts. Therefore, we definitely need to get every single log source, and possibly a few more.

The system allows us to investigate and respond holistically from one place.

It is a very comprehensive tool to use. However, the supporting documentation is limited to initial troubleshooting. This is where I find the most difficulty in explaining how good the tool is. Other than that, the tool is pretty straightforward. There is enough documentation to get us started. However, beyond that, we will need to rely on online forums and other open-source resources to learn more about the tool.

When comparing Microsoft Sentinel to other SIEMs in terms of cost, we are saving money because it is included with our Microsoft 365 E5 licenses. This also helps us to reduce the number of different types of software that we need to use. We do like redundancy in terms of coverage, but the cost of multiple solutions adds up. We want to be able to use one central location for all of our security software. This is one of the reasons why we choose Microsoft Sentinel over third-party solutions. As we move into larger projects, we need to have a centralized place for all of our security policies and procedures.

Microsoft Sentinel helps us automate routine tasks and find high-value alerts. We also use Sentinel as a store for our alerts. This allows us to automate most of our responses if not all of them. We also tailored our alerts to specific events that occur in our environment.

Microsoft Sentinel helps eliminate the need to use multiple dashboards by providing a single XDR dashboard. We currently use Sentinel's workbooks, which provide a dashboard that we can use for metrics, reporting, and other purposes. This makes it easier to relay information upwards, as it is presented in a more visually appealing and easy-to-understand manner. For example, we can use pie charts, bar charts, and line charts to represent data in a way that is easy to understand. This makes it easier to convey information to upper management, such as where we are most vulnerable and what steps we need to take to improve our security.

Microsoft Sentinel helps us prepare for potential threats before they hit by taking proactive steps. We can also detect ongoing incidents. For example, if we receive a ticket or alert that is ongoing and will not go away, we can automate a response to it and add it to our playbook. This way, if a similar incident occurs in the future, we will know what to do to respond immediately.

In terms of automation, I believe we save about 20 to 22 hours per week by closing tickets. We receive about 50 to 100 tickets per day, and we automated about 80 percent of those. This means that we can now close tickets without having to manually review them. This saved us a significant amount of time, which we can now use on other tasks.

We are on the smaller side in terms of the number of logs that come in. So, I don't think it's necessary to compare at this level of data ingestion. However, I can definitely see that if we scale and grow in the future, it will save us a lot of money, especially in terms of manpower and hours that we have to dedicate to automation or non-automated tasks. For example, in the six months that we've had Sentinel up and running, we've saved 755 hours in automation alone.

We currently meet all of our service level agreements in terms of incident response. This definitely saved us time, and we also receive email alerts directly so that we know as soon as something happens.

What is most valuable?

Log aggregation and data connectors are the most valuable features. We have a plethora of data connectors, so being able to get all of our logs into a central location is very helpful.

What needs improvement?

For certain vendors, some of the data that Microsoft Sentinel captures is redacted due to privacy reasons. In the future, it would be helpful to have this data unredacted so that we can have a better understanding of it.

Microsoft Sentinel is not the most user-friendly tool. Other tools, such as Splunk SIEM or any other SIEM, are better and easier to use.

Our threat-hunting capabilities can definitely be improved. We do use workbooks to view incoming data, but threat hunting is where we can really find those underlying issues that may not be immediately visible. We will use these alerts as a starting point for our hunting. If we can correlate two different events and identify the same root cause, it will save us a lot of time and resources.

For how long have I used the solution?

I have been using Microsoft Sentinel for six months.

How are customer service and support?

I would definitely rate Microsoft's technical support low. First, it is very difficult to reach a real person. We are always directed to a bot, which can only diagnose some issues. If we do need to speak to a real person, the wait time is very long. It can take hours or even days to get a call or video conference. Second, the documentation is outdated. This is especially true since Microsoft recently rebranded Azure Sentinel as Microsoft Sentinel. The new documentation is not yet available, and the old documentation is no longer accurate.

How would you rate customer service and support?

Negative

Which solution did I use previously and why did I switch?


What's my experience with pricing, setup cost, and licensing?

Microsoft Sentinel is included in our E5 license.

What other advice do I have?

I give Microsoft Sentinel a seven out of ten. It has good capabilities, including a large number of native connectors. It is a well-known brand, so it is likely that many third-party vendors will integrate with it in the future. This will give Sentinel a wider range of data sources to collect from. In terms of data connectors, I think Microsoft Sentinel is one of the better options available. However, some of its competitors, such as Splunk and SentinelOne, have better interfaces and support. They may also have some proprietary capabilities that Microsoft Sentinel does not offer.

I believe that duplicating security measures is a good thing. It is also important to have redundancy in tools. If we have multiple tools that cover the same thing, we will have more eyes and visibility, and we will be able to remediate issues as they arise. Therefore, using multiple vendors, platforms, and consoles is the way to go. If we use only one tool for everything, it will be like a Swiss Army knife. We will definitely run into problems. I believe that we should avoid single points of failure at all costs. We should have redundancy in tools, but not just in tools. It is also beneficial for our team to all know the same tool or a specific suite.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Senior Cyber Security Operations Analyst at a financial services firm with 5,001-10,000 employees
Real User
Provides good visibility, integrates with different log sources, and supports automation with Playbooks
Pros and Cons
  • "Microsoft Sentinel provides the capability to integrate different log sources. On top of having several data connectors in place, you can also do integration with a threat intelligence platform to enhance and enrich the data that's available. You can collect as many logs and build all the use cases."
  • "We do have in-built or out-of-the-box metrics that are shown on the dashboard, but it doesn't give the kind of metrics that we need from our environment whereby we need to check the mean time to detect and mean time to resolve an incident. I have to do it manually. I have to pull all the logs or all the alerts that are fed into Sentinel over a certain period. We do this on a monthly basis, so I go into Microsoft Sentinel and pull all the alerts or incidents we closed over a period of thirty days."

What is our primary use case?

We use it for security. It's at the forefront of managing the security within our organization. We use the platform as our main SIEM for enterprise security whereby we have several tools that feed into Microsoft Sentinel and then from there, we have the use cases. It's a major tool for security monitoring within the enterprise.

How has it helped my organization?

Microsoft Sentinel provides the capability to integrate different log sources. On top of having several data connectors in place, you can also do integration with a threat intelligence platform to enhance and enrich the data that's available. You can collect as many logs and build all the use cases. 

Microsoft Sentinel helps to prioritize threats across the enterprise. We do threat categorization based on a risk-based approach. We categorize incidents as critical, high, and medium. The platform gives us the capability of categorizing the threats based on our assets' criticality and the type of data on our systems. At the end of the day, it does help in managing the threats within the organization. There are different levels of threats depending on the data that we have.

We also use Microsoft Defender for Endpoint. We have integrated Microsoft Defender for Endpoint with Microsoft Sentinel. Most of the alerts that come on our Microsoft Defender for Endpoint are fed into Microsoft Sentinel. We manage those alerts through Microsoft Sentinel, but when we are doing our investigations, we always leverage Microsoft Defender for Endpoint because we are able to do the investigation from the original source. Integrating a Microsoft product with other Microsoft products is not as difficult compared to integrating Microsoft products with other vendor applications. With the inbuilt data connectors that already exist in Microsoft Sentinel, it's much easier to do the integrations with the Azure environment and other Microsoft products. If there's no data connector, it's somehow tricky. If we have a data connector in place, it's better. We also need to do some customization of the data that we ingest because we need to have the right size of the data that we feed into Microsoft Sentinel because of the cost aspect. At the end of the day, we managed to do an integration of on-prem AD with Microsoft Sentinel via a platform that acts as a bridge between them.

Microsoft Sentinel and Microsoft Defender for Endpoint work together natively. The alerts are fed into Microsoft Sentinel seamlessly, but when it comes to investigations, you need to leverage Microsoft Defender for Endpoint to isolate a device and to see some of the timelines or actions that were done with that machine. You can't do that with Microsoft Sentinel.

Microsoft Sentinel allows us to investigate threats from one place, but it doesn't let us respond from one place. For responding, we need to narrow down the source of the threat. If it has been flagged from a Cisco perimeter solution that we use, such as Cisco Meraki, we need to go back and check in that platform. If it's flagging an issue that's happening on an endpoint, we need to go back to Microsoft Defender for Endpoint and do further investigation to respond.

Microsoft Sentinel helps to automate routine tasks. We have playbooks and once we establish a baseline or a routine task that needs to be done, we can just automate it through the playbook.

We have the Sentinel dashboard, but we still need other dashboards for other logs, such as from email. We can't see email logs from Sentinel. We still need a network security monitoring platform. It has helped us to secure 90% of our cloud environment.

With the integrations we have, its threat intelligence helps prepare us for potential threats before they hit and to take proactive steps. We get visibility into what's happening on the AD on a real-time basis. If there's any issue going on with the AD, we are able to fix that within the minimum time possible. It also helps with the visibility of different resources across the cloud environment. However, it can't do all that by itself. We also need other tools. 

It has saved us time. It has helped in handling most of the issues within the cloud environments or any misconfigurations done on the cloud environment. We are able to handle any issues within the shortest time possible. In terms of threat detection, I can give it a nine out of ten. If we didn't have Microsoft Sentinel, it would have taken us three to four days to discover a security incident that is happening or any security misconfiguration in the cloud environment. Within a week, it saves me about three days.

It has saved us money from a security risk perspective, but from a technology perspective, it hasn't saved much. The main value that it's giving to the organization is from a security perspective.

It has saved our time to detect, but that also depends on the original platform. If the original platform, such as Microsoft Defender, fails to detect incidents, then Microsoft Sentinel will definitely not flag anything. The feed that Microsoft Sentinel gets comes from other platforms. With better fine-tuning across the other platforms and with good integrations, it can really help.

What is most valuable?

Playbooks are valuable. When it comes to automation, it helps in terms of managing the logs. It brings the SOAR capability or the SOAR perspective to the platform with the high usage of Microsoft products within our environment. We are utilizing most of the Azure resources. Our AD runs on Azure. We have on-prem and Azure AD, so we have the integrations. At the end of the day, when we are managing the security, we have the capability of initiating some options from Microsoft Sentinel and directly to AD. We also have automation with Cisco Meraki. We have configured playbooks where if there is a suspicious IP, it blocks the IP.

What needs improvement?

Microsoft Sentinel needs to be improved on the metrics part. I've had an issue in the recent past while trying to do my metrics from it. It gives me an initial report, but sometimes an incident is created on Microsoft Sentinel, but you realize that when a lot of information is being fed from Microsoft Defender to Microsoft Sentinel, instead of feeding the existing alert, Microsoft Sentinel creates a new alert. So, metrics-wise, it can do better. It can also do better in terms of managing the endpoint notifications.

We do have in-built or out-of-the-box metrics that are shown on the dashboard, but it doesn't give the kind of metrics that we need from our environment whereby we need to check the mean time to detect and mean time to resolve an incident. I have to do it manually. I have to pull all the logs or all the alerts that are fed into Sentinel over a certain period. We do this on a monthly basis, so I go into Microsoft Sentinel and pull all the alerts or incidents we closed over a period of thirty days. I then calculate the mean time to detect and the mean time to resolve. I have to check when all the tickets were created, when they were handled by the analysts, and when they were closed. I do a manual metrics calculation after pulling all the data. I believe Microsoft can do better on the metrics side of Sentinel. They can provide monthly reports. If I want to submit the reports to my senior management, it will be much easier for me to pull the data as a report. Currently, you can't pull any reports from Sentinel. It would be helpful if they can build a reporting tool within it and allow me to have my own customization. I should be able to customize the reports based on my needs. For example, I should be able to generate a report only for incidents with high and medium severity.

It should also provide information on trends within the platform. There should be reports on specific alerts or security incidents.

They should build more analytics rules to assess key security threats. I have had to build a lot of custom analytics rules. There should be more of them out of the box.

There should be more information about how to utilize the notebooks. They can have a better approach to enlightening the end-users about the straightforward use of notebooks. The data point analysis rules and automation are straightforward compared to the way you utilize the notebooks. They can do better in terms of sharing how we can utilize the notebooks. 

We are able to ingest data across all our tenants and on-prem solutions, but we have been chasing Microsoft for the longest time possible for ingesting some data from Microsoft Dynamics 365. The kind of logs that we need or the kind of security monitoring that we need to do on Microsoft Dynamics 365 versus what's available through data connector tools is different. The best advice that they have managed to give us is to monitor the database logs, but we can't go into monitoring database logs because that's a different platform. There are several things that we want to address across Microsoft Dynamics 365, but the kind of logs that we get from the data connector are not of any significance. It would be better if they could give us customization for that one. That's the worst application from Microsoft to add because we can't monitor any business processes in that application, and there's no capability to do even customization. We are so frustrated with that.

It's quite comprehensive in threat intelligence capabilities, but it takes some time to establish a baseline. They can also improve the UEBA module so that it can help us address and have an overview of the risk. It's not yet that complete. It can establish a baseline for a user, but it doesn't inform how I can leverage the capability to address risks.

We can also have more integrations within Microsoft Sentinel with TI feeds out of the box. Currently, we don't have something out of the box for other TI feeds. Microsoft has its own TI feed, but we aren't utilizing that.

Microsoft Sentinel should provide more capability to end-users for customization of the logs they feed into Microsoft Sentinel.

For how long have I used the solution?

It has been two years.

What do I think about the stability of the solution?

We haven't had any issues with it so far. It's very stable. 

What do I think about the scalability of the solution?

It's scalable. There are data connectors for different technologies and products.

How are customer service and support?

I've not contacted their support for Microsoft Sentinel.

Which solution did I use previously and why did I switch?

I've used QRadar.

How was the initial setup?

We are ingesting on-prem and cloud logs. The initial setup was a bit complex. It wasn't that straightforward because of the integrations.

What about the implementation team?

We had help from a Microsoft partner for visibility and integrations. We had about five engineers involved in its implementation.

In terms of maintenance, it doesn't require any maintenance from our side.

What was our ROI?

Microsoft Sentinel is costly, but it provides value in terms of managing security or managing the threats within our organization.

The return on investment is in terms of better security, visibility, and management. If you don't know what's going on in the cloud environment or the on-prem environment, you might need to pay a huge price in terms of compliance or ransomware to restore your data. We have seen value in investing in Microsoft Sentinel because we are building a better security capability within our environment.

What's my experience with pricing, setup cost, and licensing?

The current licensing is based on the logs that are being ingested on the platform. Most of the SIEM solutions utilize that pricing model, but Microsoft should give us a customization option for controlling the kind of logs that we feed into Microsoft Sentinel. That will be much better. Otherwise, the pricing is a bit higher.

Which other solutions did I evaluate?

We evaluated other solutions. The reason why we chose Microsoft Sentinel was because of the cloud visibility. We needed a lot of visibility across the cloud environment, and choosing another product that's not Microsoft native wouldn't have been easy in terms of integrations and shipping logs from Microsoft Sentinel to on-prem.

A good thing about Microsoft Sentinel as compared to the other platform is that most organizations run on Azure, and the integration of Microsoft Sentinel is much easier with other products, but when it comes to other SIEM solutions, integrating them with Microsoft sometimes becomes an issue.

What other advice do I have?

You need to customize the kind of logs that you feed to Microsoft Sentinel. If you just plug in data connectors and don't do any customization and feed everything to Microsoft Sentinel, it will be very expensive in terms of cost. You only need the traffic that assists you in addressing security issues within your environment. You only need the information that gives you visibility to address security issues.

Overall, I would rate Microsoft Sentinel an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
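The monthly calculation the review above describes doing by hand, sketched as an added example that is not part of the review or of Microsoft's tooling. It assumes an incident export whose column names follow Sentinel's `SecurityIncident` table; the sample rows are constructed, and the metric definitions (detect = first activity to incident creation, acknowledge = creation to first modification, resolve = creation to close) are assumptions an organization would set for itself.

```python
import csv
import io
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample export. Column names are modelled on the SecurityIncident
# table, which records one row per incident update, so incident 101 appears twice.
SAMPLE_EXPORT = """
IncidentNumber,Severity,Status,FirstActivityTime,CreatedTime,FirstModifiedTime,ClosedTime,LastModifiedTime
101,High,New,2024-05-02T08:00:00,2024-05-02T08:30:00,,,2024-05-02T08:30:00
101,High,Closed,2024-05-02T08:00:00,2024-05-02T08:30:00,2024-05-02T09:00:00,2024-05-02T12:30:00,2024-05-02T12:30:00
102,Medium,Closed,2024-05-10T10:00:00,2024-05-10T11:30:00,2024-05-10T13:30:00,2024-05-11T11:30:00,2024-05-11T11:30:00
103,Low,Closed,2024-05-12T09:00:00,2024-05-12T09:10:00,2024-05-12T09:20:00,2024-05-12T10:00:00,2024-05-12T10:00:00
104,High,Active,2024-05-20T14:00:00,2024-05-20T14:05:00,2024-05-20T14:30:00,,2024-05-20T14:30:00
105,Medium,Closed,2024-04-14T07:00:00,2024-04-14T07:15:00,2024-04-14T08:00:00,2024-04-15T07:15:00,2024-04-15T07:15:00
"""


def _ts(value):
    """Parse an ISO timestamp; empty cells (field not set yet) become None."""
    return datetime.fromisoformat(value) if value else None


def _hours(delta):
    return delta.total_seconds() / 3600


def latest_state(rows):
    """Keep only the most recent record per incident, so an incident that was
    updated several times is counted once, in its final state."""
    latest = {}
    for row in rows:
        key = row["IncidentNumber"]
        seen = latest.get(key)
        if seen is None or _ts(row["LastModifiedTime"]) > _ts(seen["LastModifiedTime"]):
            latest[key] = row
    return list(latest.values())


def monthly_metrics(csv_text, period_end, days=30, severities=("High", "Medium")):
    """Mean time to detect / acknowledge / resolve, in hours, for incidents
    closed in the `days` before `period_end` with one of the given severities."""
    period_start = period_end - timedelta(days=days)
    rows = latest_state(csv.DictReader(io.StringIO(csv_text.strip())))

    detect, acknowledge, resolve = [], [], []
    for row in rows:
        closed = _ts(row["ClosedTime"])
        if row["Status"] != "Closed" or closed is None:
            continue  # still open: not part of this month's closed set
        if not (period_start <= closed < period_end):
            continue  # closed outside the reporting window
        if row["Severity"] not in severities:
            continue  # severity filter, e.g. high and medium only

        created = _ts(row["CreatedTime"])
        first_activity = _ts(row["FirstActivityTime"])
        first_modified = _ts(row["FirstModifiedTime"])

        resolve.append(_hours(closed - created))
        if first_activity is not None:
            detect.append(_hours(created - first_activity))
        if first_modified is not None:
            acknowledge.append(_hours(first_modified - created))

    def avg(values):
        return mean(values) if values else None

    return {
        "incidents": len(resolve),
        "mttd_hours": avg(detect),
        "mtta_hours": avg(acknowledge),
        "mttr_hours": avg(resolve),
    }


if __name__ == "__main__":
    report = monthly_metrics(SAMPLE_EXPORT, period_end=datetime(2024, 6, 1))
    for name, value in report.items():
        print(f"{name}: {value}")
```

Deduplicating on the latest record matters for the count: an incident that was updated after creation otherwise appears once per update and skews both the total and the averages.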
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.
Updated: August 2025