Microsoft Sentinel Reviews

Microsoft Sentinel is a monitoring tool. It is a SIEM solution and is used to gather logs. It allows us to analyze and understand the flow of information based on the events that happen and the systems we connect it to. 

I explain it to my customers as being almost like an octopus. It sits in the middle of a tank, and it has all these tentacles that connect to different systems. We bring that information in via those connections, and then we query them. We can centrally analyze, examine, and understand the data that comes in through the analytics or the capabilities that Azure links to Microsoft Sentinel, which is Azure Log Analytics Workspace. We then use queries to help us understand or make sense of the data. We can have dashboards and visualize them. 

We use it to set up monitoring for cloud infrastructure and we use it as part of a larger monitoring capability around setting up a SOC capability. We are then able to keep track of infrastructure and mitigate risks.

Microsoft Sentinel gives visibility to some degree to all of the customers that I work with. It has given us more visibility into the accurate state of the endpoints being monitored in near real-time. 

With the solution, we are now able to respond to incidents in a more timely fashion, which helps us. It helped us to understand what is happening and make informed decisions as a result. It has given us a more comprehensive and holistic view of the ecosystem that exists, and not just an individual piece of that ecosystem. It does not give a view of just one server. It also gives a view of the supporting infrastructure around it. It has given us a lot more visibility, and it has made us smarter in terms of being able to defend ourselves against bad threat actors and the harm they look to do. It made us better armed and more informed, and therefore we can offer a better defense that will hopefully ward off some of those bad actions.

Microsoft Sentinel helps to prioritize threats across the enterprise in several ways. This capability is linked to other technology elements that make up the overall security posture of the Microsoft offering. Microsoft Sentinel, in particular, allows us to look at the flow of information coming through the connectors from various systems. This helps us create alerts and analyze that data so that we can bubble up and see what is happening. We can tie that into the Microsoft Defender stack or the products in the Microsoft Defender ecosystem, and we can take action and monitor. 

Whether it is being alerted, manually choosing to do something, or automating through the broader security capabilities of the platform, we can take action. When we tie in the broader security capabilities that involve governance, risk management, and compliance (GRC), and we have all the tools at our disposal to do that, Microsoft Sentinel becomes a huge ingestion engine that brings in signals. The telemetry and data from all the monitored endpoints allow other capabilities to access that data so that we can monitor it. We are then not only well-informed, but we can also choose how to respond. We can respond through a combination of automation and manual actions. If something occurs, we can then kick off an incident response to deal with it. If needed, we can quarantine and mitigate it. We have a rich set of capabilities but also a very flexible set of opportunities to respond because we are given near real-time information. We can analyze that information in near real-time to make informed choices when it comes to threat intelligence, threat mitigation, and threat assessment.

I use all of the products that Microsoft has in the market in various architectures or configurations with different customers, and I have used them for many years. Various customers use the entire suite of offerings that Microsoft has in the security space in terms of governance, risk management, and compliance, such as Microsoft Sentinel and Microsoft Defender. There are also solutions like Privileged Identity Management (PIM), which is now a part of Microsoft Entra, which has been renamed. I have integrated these products and set up the architectures or designs for customers. The setup depends on the size of the customer and some smaller businesses do not use all of them. They license at lower levels and do not have the business case, the resources, or the need to use them all. Larger companies tend to utilize more of them. Because I work with different-sized companies, I set the solutions up and have used them in a variety of circumstances across the board for different companies. 

In the beginning, like any technology, it was a little harder to integrate when the products were new. As they matured and went through iterations, they became easier to work with. Utilizing a new product is more painful than using a product that has perhaps been out for a year or two, that has been vetted and maybe has gone through one major update or release. The integration has gotten better over time, and the product lines continue to mature and become more powerful as a result.

Microsoft security products work natively together to deliver coordinated detection and response across the environment. For this, you need to use the appropriate connectors to bring in the information from both Microsoft-centric and third-party systems that you want to incorporate and monitor. It is bounded by the vision of the architecture that allows you to connect those systems and the availability of those connectors. Assuming those systems are connected properly, brought online, and are reporting, it gives you the depth of visibility that you need to manage both Microsoft and non-Microsoft systems.

Microsoft security products provide a very thorough set of security. Microsoft is looking at billions, perhaps a trillion, individual data points a day at this point across the Microsoft ecosystem, which includes everything Microsoft does, all customers, and all interactions. They take all that information and analyze it with dedicated security teams, machine learning and artificial intelligence, business analytics, etc. They turn that information around and make it available for customers who are consuming the threat analysis and threat intelligence capabilities on the platform. Some of the solutions are available for free to everybody regardless of licensing. For others, you need enhanced licensing to take advantage of it fully. The threat intelligence feeds, the live analysis, and the security posture that Microsoft provides to its customers globally as part of the shared responsibility model have matured tremendously. They are the best. You get incredible value for the amount of work that goes into providing that. The customers I work with are very happy with the work that Microsoft does and continues to do in that space.

We use the bi-directional sync capabilities of Microsoft Defender for Cloud in some cases. It is a very useful feature for myself and my customers. It is very important because it allows us to use the Defender product, which is made up of maybe 20 individual offerings at this point. There are a lot of different sub-areas that you have that you can attach the Defender product to. This concept allows us to be able to have the endpoints monitored, whether they are the servers or the service that Defender would monitor and protect. It allows us to understand what is happening with them and to have near real-time updates about their status. We can see the impact of potential threats that are attaching and risks that may become apparent, and we can see the impact of remediation or the things that are being done to stop those things or perhaps forestall them, hopefully, to prevent them from harming. This capability is very important, and it is one of the secrets that allow that platform to not only be very flexible but also very impactful in terms of monitoring the bulk of the infrastructure and services that most customers would have running in a public cloud, whether it is Microsoft or any other public cloud, such as Amazon, Google, etc. We can monitor any infrastructure and understand it, especially customers' environments that are hybrid where they have on-premises as well as cloud or multi-cloud infrastructure with more than one cloud. To be able to monitor both on-premises and multi-cloud environments is a requirement today, and Microsoft provides those capabilities but not all other providers do. 

It enables us to ingest data from the entire ecosystem as long as we are using a connector to link to the infrastructure that we need to monitor and as long as there is a connector for monitoring that infrastructure. So, as long as the pipe exists, we connect the pipe, and we can monitor the infrastructure. For a majority of mainline infrastructure or a majority of third-party vendor systems today, there are connectors. For some smaller systems or proprietary or custom systems that some companies run, there might not be connectors, but for mainline systems that you would buy, acquire, or use from large-scale SaaS vendors, connectors have been there for a while. As long as we are running connectors to that infrastructure, we can monitor almost anything that we have.

Sentinel enables us to investigate threats and respond holistically from one place. We have a central dashboard that we can use to monitor and then from there, do the analysis and also create the remediation if necessary. This functionality is very important. The biggest mistake vendors make in tool design from a UI/UX or user interface/user experience perspective is that they do not make things centrally available and obvious for the administrator or the end user who is going to run or use that system. Generally, if something is overly complicated and not very intuitive, it is hard to get people to buy into using something. With Microsoft Sentinel, you can have everything in one place and visualize the impact of the threats, the risks, the incoming data, and the number of incidents, events, or alerts that are happening. All those things are visually represented in the opening part of the dashboard. You could drill down from there with a navigation area that is intuitive and easily understood. That makes it very easy for different users, such as administrators and managers, and other user profiles that have different reasons for being in the tool, and that is the hallmark of a good design.

When you look at it holistically and look at what it is linked to in terms of the broader security platform that Microsoft provides, it is very strong, and it continues to get better. When you ask anyone about their thoughts about a product and how it works for their customers, the mistake that people often make in describing something is that they say, "I think it is great, and it is great for us. It does everything we need." That is good, and it should be. I can say that for the majority of my customers without any ambiguity or concern about being accurate, but the thing you have to add is that there are always things that we do not know that we need to do until they occur. We might not have seen that threat before. Maybe there is a new advanced persistent threat or zero-day exploit that we have to contend with, which we have not been aware of until now. The hallmark of a really good tool is its ability to integrate that new information in a timely fashion and have the flexibility to mature the tool over time based on feedback and iterative use. The strength that Microsoft has brought to the platform over time is the ability to listen to its customers and make sure they are offering based on that feedback. It is good, and it continues to get better. Today, it is good, and tomorrow, it will be better because of that thought process in the way they engineer over time.

Microsoft Sentinel helps automate routine tasks and the finding of high standards. If you set it up the right way, it does that as one of the key things that it is designed to do. It has streamlined our ability to respond, so response time has gone down. It has enhanced our understanding because automation is managing some of the remediation and the menial, repetitive ongoing tasks of:

• Paying attention to information flows.

• Picking out the most important elements.

• Prioritizing them and bubbling them up.

• Creating alerts around them and then telling people that these things are happening. 

Automation lets you do that without having to spend human or people cycles to do that. The automation never gets tired and it never gets bored. It never needs to take a break. It never gets distracted. Because of that, we find not only more things we need to react to, but we react to the things that we truly should be chasing. We are not distracted as much by things that seem to be important, but we find out that they are just ghosts. They are false flags. The ability to bring machine learning, artificial intelligence, business analytics, and data visualization as a part of automation has filtered out a lot of the background noise that distracts. It has allowed us to hone in and refine our activity cycles around the most important things that we have to pay attention to.

Microsoft Sentinel helps eliminate having to look at multiple dashboards and gives one XDR dashboard if you set it up the right way. I have seen it set up in ways where it does not do that because it is not optimized, but if you are using it the right way, if you understand the tool and how to integrate it properly, then it gives you that single dashboard where you can directly find the information or link through a smaller visual tile that will take you to that information that you need if you need to drill down in a deeper, more meaningful way.

Its threat intelligence helps to prepare for potential threats before they hit and take proactive steps. If you are integrating the threat intelligence feeds from Microsoft and looking at them, everything is relative. They are there if you are smart enough to consume them and understand what you are looking at. In other words, people who are paying attention to them and are using them properly are getting tremendous value out of them. Microsoft globally examines billions, if not a trillion, of individual telemetry data points every day and incorporates that into their threat analysis feeds, so no individual company, irrespective of how big they are and how much money they have, can bring that kind of at-scale analysis to that problem. As a result, you are getting a tremendous amount of data that is being vetted, analyzed, and distilled down to meaningful actionable intelligence. It is consumable because it is presented in a very summarized and succinct way. It is very valuable, but you have to be able to understand that and utilize that to draw value from it.

We have saved me time with Sentinel. The ability to have the power of Microsoft as a global scanning organization service provider at my disposal is helping me to better understand the environment I operate in through threat intelligence and threat analysis. In addition, the ability to automate at scale across the platform and to have the research and design that is being done to continuously upgrade and add features to those platforms has made me a much more capable and therefore, more successful security practitioner. It is hard to quantify the time saved. It would probably be a very extreme exercise to go back and do that, but it is fair to say that over a year, we have probably saved a thousand or more human hours. I look across a team for one of the customers that I work with, it is fair to say that we have saved at least a thousand human hours for a year by relying more on the automation toolsets. That is about ninety hours a month on average. We can break it down to 15 or 20 hours a week or something like that, but the reality is that it is about a thousand or more hours that we have saved in a year.

Time to detection has decreased, and the time to respond has gone. They both have decreased. That has been an outcome that we have seen and is measurable. It goes back to the investments you make in building out that architecture in terms of:

• How many systems are you monitoring or how many are you connecting?

• How much data do you have coming in? 

• What are you doing with that data and how are you using it? 

If you are building out a full SOC analysis capability or a full monitoring solution, and you are typing this into incident response and alerting and event continuous monitoring through automation, time to respond and time to solution is going to decrease as a result.

It can connect to an ever-growing number of platforms and systems within the Microsoft ecosystem, such as Azure Active Directory and Microsoft 365 or Office 365, as well as to external services and systems that can be brought in and managed. We can manage on-premises infrastructure. We can manage not just the things that are running in Azure in the public cloud, but through Azure Arc and the hybrid capabilities, we can monitor on-premises servers and endpoints. We can monitor VMware infrastructure, for instance, running as part of a hybrid environment. The continuing evolution of what we call the connectors, which is the marketplace that lets us connect these systems to Microsoft Sentinel, is probably one of the most important features.

The reliance on a very simple but very powerful query language called Kusto Query Language or KQL that Microsoft uses to allow us to log into the analytics workspace to assess and analyze the data is also valuable. That has made it very approachable and very scalable. Those are very big and important things for me as a consultant, as an architect, and as a person who is implementing these solutions for customers and who is explaining them, and ultimately working with them. This makes the product not only usable but also very flexible. Those are two very important elements.

Everyone has their favorites. There is always room for improvement, and everybody will say, "I wish you could do this for me or that for me." It is a personal thing based on how you use the tool. I do not necessarily have those thoughts, and they are probably not valuable because they are unique to the context of the user, but broadly, where it can continue to improve is by adding more connectors to more systems. 

The really interesting area where we are already seeing the impact is the use of more artificial intelligence. There could be the ability to bring AI into the analysis capabilities of the toolset in more ways so that we can utilize the power that computer analysis at scale has. That is because we are limited. As humans, we can only look at so much information, see so many patterns, and absorb so much in any given cycle of a workday, but artificial intelligence and automation engines do not take breaks. They do not stop. They do not need to. They can go deeper, and they can see more data and ingest more to find patterns that, as humans, we are not going to be able to see. The evolving technology in this area is all moving towards the use of artificial intelligence, embedding it in multiple areas in the platform so that we can be told that there are things that we need to pay attention to that are becoming a problem as opposed to things that are already a problem. Where the biggest improvements can happen is how we move that ability to identify emerging threats closer to the point of contact so that we can interject and essentially stop and disrupt the kill chain of an event series before it harms. Currently, the problem we often have is that things get bad, and until they get bad, we do not really know what is happening, and we do not know how to respond, so we spend a lot of time responding to incidents that have already started or have unfortunately unfolded fully in a reactive manner. The value proposition in terms of improvement down the road is getting better at predictive defense and proactive response before events take place to stop them before they start. That is the future that we are moving towards, and that is where the biggest improvement lies.

Sentinel, which is now called Microsoft Sentinel, used to be called Azure Sentinel. It was renamed about a year and a half or two years ago, but I have used Sentinel for about four years. It was probably released in 2019.

It is very stable. I have had little to no difficulty with it in the more than four years that I have used it or deployed it. I cannot think of a time in the last four years when it was unstable or unstable enough that I had to open a support ticket. I have had issues with it because people have misconfigured it or not set it up properly, but those issues were not related to the platform itself. Those were human interactions that were complicating it because it was not set up the right way. When it is set up correctly, it is a very solid platform with minimal to no downtime. There were no major service disruptions that I remember that caused problems.

It is very scalable. You do not think of scalability necessarily the same way you would if you were setting up a cluster to run virtual machines, for instance, because there, you have to add resources, and you are monitoring to make sure that there are enough resources versus the load in the system. Microsoft Sentinel is a managed solution. You are deploying it, but then Microsoft is scaling it and managing it on the backend for you, so you do not control some of the things that would impact scalability directly. Microsoft is hosting it. It is essentially a service you are consuming. In my history with the product, it has always met my expectations, and I have never had an issue where it could not perform because of a resource constraint, so its scalability is solid, and it is always available when necessary. It is not scalable in the same sense as you would control it by adding hosts to a cluster. It is a different kind of scalability, but it has been rock solid all the time I have been working with it.

In terms of the environment, I have multiple customers, so each one is different, but generically, it is safe to say that it is deployed to monitor infrastructure that is in multiple geographies, multiple data centers, or multiple places both on-premises and in the cloud. It could be hybrid as well as multi-cloud. The infrastructure is being monitored from a variety of different locations. Microsoft Sentinel itself is typically installed and instantiated in one instance. You set it up inside of an Azure subscription and you have one instance. If you need more than one, you might set up more than one depending on the geography and the needs of the organization, but typically, we have one central Microsoft Sentinel instance running, and then you will bring that information into it through the connectors. It is typically going to be a single instance. It will usually monitor geographically distributed architecture, and it will usually operate at scale, so there will be quite a bit of information coming into that at any given moment.

Like anything else, you can get support depending on how you are using the tool and the level at which you are using it. You get basic support from Microsoft. If you have a problem, they are very good at telling you if there are service issues. If you are paying additionally, you can get premium support to support you with the tool. There is an additional fee for platinum-level support or premium support. Their support is very good if you are paying for it and you are able to utilize it. If you are just able to open a basic ticket because you are having a problem, support is good, but you are going to be limited in the help you are going to get. To talk to a high-level engineer to deal with complicated issues, you are going to need to pay extra money for support. Overall, I would rate their support an eight out of ten.

Positive

I have used several different solutions over time with different customers for different reasons. I work with a lot of different customers. I set up solutions for different customers. They have different technologies and different needs, and some of them have a bias towards certain products and against others, but I have used products like ConnectWise, which is a SIEM solution, and Splunk, which is probably one of the biggest ones out there that most people would name if you ask them. Splunk is probably at the top or near the top of everybody's list. Datadog would be another big one. I have used LogPoint and GrayLog. I have also used ManageEngine's Log360. SolarWinds is another popular one that I have come across pretty often. I have used many more than that, but those are probably the top five or six that I have used. They are the ones that customers tend to use a lot. Some of them are still using those products and have chosen not to move, but the ones that have chosen to move have done that because of two things. The cost plays a part. They have the ability to leverage a tool that is already built into the platform and that may be easier to work with and integrate in a more readily accessible fashion, and it would be as expensive and maybe less expensive over time. It might also seem to be a better architectural choice for them as they look at an upcoming renewal cycle, or they have heard or been told that they need a certain capability or feature and the vendor that they are currently using does not have that or it is not as easily accessible or readily available, but Microsoft Sentinel has that capability. It has connectors to those other platforms, but for whatever reason, their particular vendor does not have that connector, or they might promise to deliver it but it is not going to be ready for six months. It comes down to features and cost. These are the two main reasons or two main motivators to drive people to migrate.

In terms of the cost and ease of use of Microsoft Sentinel against standalone SIEM and SOAR solutions, it is difficult to do an apples-to-apples comparison. That is because, in theory, you can look at Microsoft Sentinel as a single standalone product with its own cost associated with it, but it is linked to, consumed by, and used in partnership with many other systems and tools that also have a licensing cost. Some of it is built-in and some of it is an add-on, depending on where you are and how you choose to license. In other words, Microsoft Defender is a per instance per month cost that is additional to using the Microsoft Sentinel product, and what you get with a standalone solution is essentially just the SIEM or the SOAR capability. You are not getting the capability to blend them across the platform, or if the vendor does both, you are buying them as an all-in-one solution and you are paying a monthly fee per user based on licensing. 

From my perspective, cost comparisons are not as accurate. When a customer asks whether Microsoft Sentinel is going to cost them less or more than using this other tool, it is a very simplistic way of looking at the tool, and it is a very operational-centric or OpEx discussion. When anyone asks about the monthly fee for the investment in this tool, you have to be more strategic. When you look at a tool, features, and capabilities, the capital expense is broader than just the operational expense. You have to understand the strategy associated with the tool decision and the impact and value of the tool. 

Microsoft Sentinel gives a good value for money or a return on investment in terms of what it costs you to run it. When comparing it to any of the other major competitors in the market, it is as cost-effective and perhaps even more cost-effective than some of them. It certainly is very competitive, but people do not necessarily understand the subtlety in that assessment in terms of how they are integrating the Microsoft Sentinel solution or the third-party solution into the broader context of their infrastructure and security posture. That is where they run into issues that become more prohibited from a cost perspective, both hard and soft. For example, the hard cost could be $15 a month per user to license or $15 a month per endpoint and $100 per gigabyte of storage or something like that. Those numbers are wildly inaccurate, but you do have hard costs, and then you have soft costs, which include what it costs you to train people who have to use that technology or to train people who have to manage it ongoing and integrate it. You might have to hire consultants to do that, for instance. Those are hard and soft costs. When you are using a Microsoft product and you are Microsoft-centric, you overcome some of those soft costs because you have people who already have skills on the platform. You are already integrating that technology. Microsoft is doing that for you. You do not have to do it yourself. As a result, some of what I refer to as hidden costs are not as high with a Microsoft solution as they would be with a third-party solution. If you are already Microsoft-centric and you are using a majority of Microsoft Azure and Microsoft 365-based infrastructure in some form, it is easier to implement that technology. It costs less when you go forward with Microsoft Sentinel than it does when you try to bring in a third-party external SIEM or SOAR and tie it into the Microsoft platforms and have it do the things that you are looking for it to do.

It is predominantly deployed for public cloud use, meaning customers hosting on a public cloud are using it. They are hosting in Azure, for instance, and they are running their cloud infrastructure in that cloud environment. You can link to on-premises resources in hybrid scenarios, and you can certainly make the case that it can be used for private cloud as well because you can extend it to the on-premises environment. It can be used to ingest information in a multi-cloud environment, meaning you can bring in infrastructure information from Amazon or Google, the other two major public cloud provider platforms, as well as VMware, which, in its own right, is a public cloud provider. So, it can be used or potentially be available to consume data from any of those areas.

I have been involved in the deployment of hundreds of instances of Microsoft Sentinel. Its initial deployment is straightforward. In terms of implementation strategy or how to approach it, it is important to spend a lot of time with whoever the customer is. I work with multiple customers. I ask them what sound like fairly simple and simplistic questions but are very important questions. What are they looking to accomplish by deploying a SIEM solution? What is the business requirement that we are addressing by deploying the solution? We need to define that and understand that because oftentimes, we find that the customer says, "Well, we think we need, for instance, X." We talk about it, but realize what they really need is perhaps X with other things or it is not X at all. It is really W. They just thought it was X because somebody told them that. They did not know any better, so asking W&H is important.

• Who is this for?

• Who are the stakeholders?

• Why are we doing this?

• What are we looking to accomplish?

• When are we looking to get it done?

• What is the timeline?

The where and the how are not as important because it is typically in the cloud, and we are going to have qualified people deploy this architecture and we are going to run it in Microsoft, Amazon, or whatever. If we ask those questions upfront, then we can come up with a deployment plan and architecture solution that approximates the customers' needs but also meets their expectations, so for me, a project's success or failure lies in planning. The majority of the work you do has to be done in the planning cycle before you do implementation. If you are really strong in planning, then implementation is relatively straightforward. There are not a lot of surprises. As long as you are technically competent, you can do your deployments, and they should be relatively straightforward and minimal risk to the organization in terms of the deployment. If you do not get your planning right, you are opening up a tremendous amount of risk and liability in the organization.

In terms of maintenance, you cannot set it and forget it. Like any other product, it does require maintenance. If you are smart about it and you set it up the right way the first time, it will take care of itself, and it will certainly operate well at scale, but you have to examine it on an ongoing basis. There is always an opportunity to refine and update connectors. You can add new connectors as you need to extend the reach of the tool. You may have to look at the volume of data that is coming in to refine the amount of data that you want to store, pay for, and analyze, and then you have to look at the queries you are running to be able to stay on top of the data to extrapolate meaning. So, there is maintenance that goes into using a tool like this. There is no checklist that you go through every day, but there are absolutely things that have to be done on a daily, weekly, and monthly basis to keep the tool running properly.

I am the one who handles the deployment. It is rare that I would not do it myself or work with a team that would be empowered to do it as part of that.

The deployment, depending on the size of the deployment, could be done by as little as one person. It does not necessarily need a huge number of people to be associated with it. The bigger need there is what you do once the initial deployment is done, meaning fine-tuning the operation of that. When you add all that in, you typically look at a team of anywhere from three to six individuals. There are incident management and response and SOC analysis people. There are also network people. There are different people who would play a part in ultimately standing up and optimizing a tool like this, but usually, four to six people play a part on average.

There is absolutely an ROI if it is architected properly and the customer has the right expectations going in.

Microsoft Sentinel has saved my customers money. There is an initial investment upfront, so you have to spend money to save money. There is an initial investment upfront of hard and soft hours, but if the systems are set up properly and optimized and you have people who understand them, one of the things that you are able to do is look at the redundancies in your security stack or in your provisioning. You can look at tools that you may be able to move away from at the end of a license period instead of renewing, for instance. You can do away with that redundancy and focus on simply using the Microsoft toolset, so you tend to find that there is definitely an economy of scale there in terms of recouping those returns on investment. There may be a one to three-year cycle to see those savings. It depends on where you are with redundant tool sets that you have identified to be eliminated and where you are with a contractual licensing obligation of time cycle or license period before you have to pay to renew based on current investment, so it may lag a little bit. You do not tend to see those results right away. They tend to lag anywhere from 12 to 36 months, but at the end of, for instance, a three-year cycle, you are not spending another $300,000 to re-license a new tool. You are saving that money. You can then work backward and say that on average, you are now saving x amount of dollars a month going forward because you are not making that investment anymore. You definitely do see investments that yield value, but they tend to lag.

It is priced fairly given the value that you get from the use of the product. The biggest mistake people make with Microsoft Sentinel is not understanding the pricing model and the amount of data that they are going to be running through the tool because you are paying based on the flow. You are paying based on the amount of data that is moving through the tool. People do not plan, and therefore, they get surprised by the cost associated with using the tool. They connect everything because they want to know everything, but connecting everything is very expensive. They might not need to know everything. That is what I talk about with customers. It would be nice to know everything, but it might not be affordable or cost-effective. Microsoft Sentinel provides good value for the money. It is competitive with any of the other offerings out there based on the cost, but the mistake customers make is that they do not understand the cost model for using a SIEM solution regardless of whose solution they are using. When they get visibility into that model, it becomes a lot easier for them to make informed decisions.

I certainly evaluate products all the time. I am always looking to see what capabilities exist and which vendor can offer me the best mix of features and capabilities for the price, and then I make recommendations to my customers as a result of that. Microsoft Sentinel is a newer product in the market in terms of time. It has only been around for about four years, whereas some of the other products, such as Splunk, have been around a lot longer, so I tend to find people evaluating Microsoft Sentinel versus the other products they already possess when they are looking to move.

To those evaluating this solution, I would advise doing their due diligence. They have to understand the technology, the capabilities, and the limitations. They need to assess the business requirements that they are trying to address by deploying a SIEM solution, whether it is Microsoft or not. They need to understand what those key business requirements or key objectives are, and then evaluate the tools to make sure that those tools can achieve those objectives. They can then make an informed decision accordingly.

Microsoft Sentinel is one piece of the puzzle. Threat intelligence or threat analysis is a broader aspect of the security platform that Microsoft provides. It is certainly reliant on the data that Microsoft Sentinel provides, but there is a lot more to it than that. Overall, Microsoft has made tremendous investments in the last five to ten years. Especially in the last five years, in that space, they have developed a threat intelligence, threat analysis, and threat awareness capability that rivals any of the top platforms that are out there today. They continue to mature and grow that capability by maturing the products that support it. Microsoft Sentinel is one aspect of that. The Microsoft Defender stack or all different Defender products are a part of that. A few years ago, it would have been very hard to make the statement or make the case that Microsoft has a mature offering that is certainly at the very top along with other offerings that are often talked about as being at the top in that field. Today, Microsoft competes at the top tier of that field, and their solution is as mature as any of the ones in the market. The challenge with Microsoft solution is that it is very specific and uniquely honed for the Microsoft infrastructure. That is not a bad thing, but it is something that you need to be aware of. It is specifically designed to work with, work for, and wrap around Microsoft's public cloud offering Microsoft Azure and the supporting elements in Microsoft 365, etc. So, as long as you are Microsoft-centric in your stack, in your technology, in your architecture, it is a very valuable piece of the overall threat posture management that a company needs, but if your investment in technology is heavily weighted outside of Microsoft, it is of less value because you need to be Microsoft centric and Microsoft forward to be able to fully leverage that platform.

To a security colleague who says it is better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that it depends on the nature of the organization's technology architecture. If the organization is overwhelmingly single-technology-centric, meaning they use Microsoft almost exclusively, you can make the case either way. Using an external third party not tied to Microsoft is important because now you are splitting your investment, and you are not gambling only on one provider, which is the argument you always hear people make when they say, "Do not put all your eggs in one basket." The counter to that argument is who knows my environment better than the vendor that has made all the technology that I am integrating, and who would be better to monitor it than the vendor that makes all the technology? When I have customers that are single-technology-stack customers, they are almost exclusively or predominantly Microsoft, I counsel them to think strongly about using Microsoft products unless there is a compelling reason not to because Microsoft is going to make a much better solution than a third-party vendor that has to figure out how to connect to Microsoft to use that product properly. Organizations that have a mixed technology environment do not use only one vendor. To be fair, many small, medium, and large organizations are mixed technology environments, and it would be foolish to only rely on one vendor's security solution.

Overall, I would rate Microsoft Sentinel an eight out of ten.

We use Microsoft Sentinel for log aggregation, data connectors, and alerts.

In terms of visibility, Microsoft Sentinel captures a lot of useful data.

Microsoft Sentinel helps us prioritize threats across our enterprise. It shows us the most vulnerable assets, and because we have agents on every machine, we know exactly where to go to investigate. This is important for staying secure as a company. It allows us to cover our own bases by seeing what is happening in real-time and taking proactive steps to address threats, rather than reacting to them after they have already occurred. We can stay up-to-date with security measures and ensure that we follow through and execute our security plan.

We integrated Microsoft Sentinel with Defender for Cloud, Endpoint, and Defender Vulnerability Management. 

Microsoft is not the most vendor-friendly company in terms of integrations and connections, but we were able to get it working in the end, so we cannot really complain.

Microsoft's security tools work natively together to deliver coordinated detection responses across our environment.

The comprehensive threat protection that Microsoft Sentinel provides is good. They provide really good information. We are able to create documents, perform root cause analysis, and analyze anything we need to. Log integration is also key. We are able to find potentially malicious files, correlate events to alerts, and then take action on alerts. So, the comprehensiveness is pretty straightforward.

We use Cloud and Endpoint security. We have our Defender cloud, and then Defender agents on each endpoint. The bidirectional sync capability is important, and it is a work in progress. We are in the process of off-boarding our contract with CrowdStrike. We are moving all of our cybersecurity needs to Microsoft Defender, which is included in our existing Microsoft licenses. This makes financial sense, and CrowdStrike was not providing us with much value.

The system allows us to ingest data from our entire ecosystem, which is very important. This is our main source of correlation of logs to alerts. Therefore, we definitely need to get every single log source, and possibly a few more.

The system allows us to investigate and respond holistically from one place.

It is a very comprehensive tool to use. However, the supporting documentation is limited to initial troubleshooting. This is where I find the most difficulty in explaining how good the tool is. Other than that, the tool is pretty straightforward. There is enough documentation to get us started. However, beyond that, we will need to rely on online forums and other open-source resources to learn more about the tool.

When comparing Microsoft Sentinel to other SIEMs in terms of cost, we are saving money because it is included with our Microsoft 365 E5 licenses. This also helps us to reduce the number of different types of software that we need to use. We do like redundancy in terms of coverage, but the cost of multiple solutions adds up. We want to be able to use one central location for all of our security software. This is one of the reasons why we choose Microsoft Sentinel over third-party solutions. As we move into larger projects, we need to have a centralized place for all of our security policies and procedures.

Microsoft Sentinel helps us automate routine tasks and find high-value alerts. We also use Sentinel as a store for our alerts. This allows us to automate most of our responses if not all of them. We also tailored our alerts to specific events that occur in our environment.

Microsoft Sentinel helps eliminate the need to use multiple dashboards by providing a single XDR dashboard. We currently use Sentinel's workbooks, which provide a dashboard that we can use for metrics, reporting, and other purposes. This makes it easier to relay information upwards, as it is presented in a more visually appealing and easy-to-understand manner. For example, we can use pie charts, bar charts, and line charts to represent data in a way that is easy to understand. This makes it easier to convey information to upper management, such as where we are most vulnerable and what steps we need to take to improve our security.

Microsoft Sentinel helps us prepare for potential threats before they hit by taking proactive steps. We can also detect ongoing incidents. For example, if we receive a ticket or alert that is ongoing and will not go away, we can automate a response to it and add it to our playbook. This way, if a similar incident occurs in the future, we will know what to do to respond immediately.

In terms of automation, I believe we save about 20 to 22 hours per week by closing tickets. We receive about 50 to 100 tickets per day, and we automated about 80 percent of those. This means that we can now close tickets without having to manually review them. This saved us a significant amount of time, which we can now use on other tasks.

We are on the smaller side in terms of the number of logs that come in. So, I don't think it's necessary to compare at this level of data ingestion. However, I can definitely see that if we scale and grow in the future, it will save us a lot of money, especially in terms of manpower and hours that we have to dedicate to automation or non-automated tasks. For example, in the six months that we've had Sentinel up and running, we've saved 755 hours in automation alone.

We currently meet all of our service level agreements in terms of incident response. This definitely saved us time, and we also receive email alerts directly so that we know as soon as something happens.

Log aggregation and data connectors are the most valuable features. We have a plethora of data connectors, so being able to get all of our logs into a central location is very helpful.

For certain vendors, some of the data that Microsoft Sentinel captures is redacted due to privacy reasons. In the future, it would be helpful to have this data unredacted so that we can have a better understanding of it.

Microsoft Sentinel is not the most user-friendly tool. Other tools, such as Splunk SIEM or any other SIEM, are better and easier to use.

Our threat-hunting capabilities can definitely be improved. We do use workbooks to view incoming data, but threat hunting is where we can really find those underlying issues that may not be immediately visible. We will use these alerts as a starting point for our hunting. If we can correlate two different events and identify the same root cause, it will save us a lot of time and resources.

I have been using Microsoft Sentinel for six months.

I would definitely rate Microsoft's technical support low. First, it is very difficult to reach a real person. We are always directed to a bot, which can only diagnose some issues. If we do need to speak to a real person, the wait time is very long. It can take hours or even days to get a call or video conference. Second, the documentation is outdated. This is especially true since Microsoft recently rebranded Azure Sentinel as Microsoft Sentinel. The new documentation is not yet available, and the old documentation is no longer accurate.

Negative

Microsoft Sentinel is included in our E5 license.

I give Microsoft Sentinel a seven out of ten. It has good capabilities, including a large number of native connectors. It is a well-known brand, so it is likely that many third-party vendors will integrate with it in the future. This will give Sentinel a wider range of data sources to collect from. In terms of data connectors, I think Microsoft Sentinel is one of the better options available. However, some of its competitors, such as Splunk and SentinelOne, have better interfaces and support. They may also have some proprietary capabilities that Microsoft Sentinel does not offer.

I believe that duplicating security measures is a good thing. It is also important to have redundancy in tools. If we have multiple tools that cover the same thing, we will have more eyes and visibility, and we will be able to remediate issues as they arise. Therefore, using multiple vendors, platforms, and consoles is the way to go. If we use only one tool for everything, it will be like a Swiss Army knife. We will definitely run into problems. I believe that we should avoid single points of failure at all costs. We should have redundancy in tools, but not just in tools. It is also beneficial for our team to all know the same tool or a specific suite.

Sentinel is Microsoft's SIEM solution, similar to QRadar, Splunk, etc. It is the primary tool used by our Security Operations Center.

Sentinel enhances our visibility by integrating with on-prem and cloud log sources. It provides visibility into any cloud environment, including GCP and AWS, not just Azure. With Sentinel, we get end-to-end coverage of all types of infrastructure. Last week, I was talking to a client who already had a SIEM solution, and they had just deployed Sentinel through us. I asked them why they wanted Sentinel when they already have an MSP. They told me their SIEM solution doesn't cover the cloud, so there's clearly a gap. Sentinel covers on-premise and all the cloud providers. It has a highly flexible ingestion method. There are seven or eight ways to ingest.

A lack of total visibility is a significant pain point for security analysts working on a SIEM solution. Furthermore, even if they have visibility, they might not be able to take remedial action because the company lacks a license or a separate SOAR solution. In that case, you need to have integration for each playbook. Sentinel addresses all of these issues out of the box. 

The SOAR component of Sentinel can automate some routine tasks. Sentinel comes with around 180 different playbooks you can execute with one click. If you face a type of incident, you can run a specific playbook or automate it to run each time the incident is triggered. These automation features make our lives easier. Analysts have to do the same tasks over and over again. It's a nightmare that makes you want to give up sometimes. You are dealing with the same incidents many times daily for many MSPs and customers. The playbook is incredibly beneficial.

It also reduces the number of dashboards we need to check, and you can create a custom dashboard. There are also several preset dashboards from Microsoft that are solution-specific. For example, if I'm using Defender for Office, it has a separate dashboard for Office that I can customize. I can also see everything from one console if I want. It's highly flexible.

Sentinel saves time because you don't need to look at multiple SIEM solutions, like IBM, Splunk, AlienVault, McAfee, etc. You need to spend time deploying those solutions, and there's a learning curve, whereas Sentinel is cloud-native. You click "next," "next," and "next," and the whole solution is deployed in the cloud in five minutes. Other parts, like integration, are native. It takes only a click to integrate all the services. Sentinel has its own agent, so it's easy to deploy the agent and start collecting logs. Overall, Sentinel requires less effort than other solutions.

It also saves us money because deployment costs less. Many SIEM solutions charge for the log forwarders deployed in the client's system. Sentinel is free. You have a VM in the cloud or on the client infrastructure, and there is just a script to turn that server into a log forwarder. 

Sentinel speeds up our response, but I don't have any hard numbers. It depends on how well you have configured it. You can go to an incident and then click on each playbook in sequence, or it can be automated to run a playbook when an incident is triggered. You don't need to go into the interface and do anything.

Sentinel proactively responds by detecting IOCs in our environment and automatically triggering an incident. The threat intelligence feed is typically based on IOCs, like malicious IP, UR, hostname, file hash, etc. However, real proactive response requires you to buy threat intel from different providers. Those companies provide you with information before an attack occurs anywhere. For example, there could be dark web forums where attackers discuss an attack on organization XYZ, and the threat intel provider informs us about that. That's an entirely different thing, but Microsoft has built-in rules for any threat intelligence matches. 

I've worked on most of the top SIEM solutions, and Sentinel has an edge in most areas. For example, it has built-in SOAR capabilities, allowing you to run playbooks automatically. Other vendors typically offer SOAR as a separate licensed solution or module, but you get it free with Sentinel. In-depth incident integration is available out of the box. 

Having all these solutions built into a single platform is an advantage. Once any malware is detected, it only takes a single click to run the playbook, and it will do the desired actions. It may be blocking an IP address or isolating a machine. 

The SOAR, UEBA, automated detection and response, and threat intelligence capabilities are comprehensive. I have 10-plus years of experience working with different SIEM solutions. This is the best by far. Everything is integrated, and there is so much flexibility, whether you're trying to customize ingestion or run custom playbooks.

Sentinel performs well when searching a large amount of data, like two months of logs. Sentinel uses underlying big data and KQL, which is highly efficient in query performance. I also like Sentinel's user behavior analytics. UEBA is another solution vendors typically sell as a separate product, but it's included with Sentinel for free. It has integration with other multiple cloud platforms, whereas most vendors lack this capability. 

When comparing visibility, we need to also compare at the company level. Microsoft doesn't only provide a security solution. They have a cloud platform with many services and security products that feed threat intelligence into Sentinel. There are many backend things that Microsoft does in cybersecurity. That is an added advantage that comes with this solution.

The native integration with the vast Microsoft ecosystem is a huge advantage. Another good aspect about Sentinel is that you can integrate all the Microsoft technologies with one click using the backend APIs. It's a seamless process because Sentinel is a Microsoft-native solution. It doesn't take much effort to do the integration.

We also use Defender for Endpoint, Defender for Cloud, and Azure firewall. Most of our customers already use some Microsoft services, so when we integrate their environments, we integrate Defender for Endpoint and Defender for Office 365. We also have Azure Activity, Azure Identity Protection, and many other solutions from Microsoft.

Microsoft products can be integrated with one click. You check a box, and it integrates with that service on the backend. You only need to set the permissions only. Integrating third-party solutions requires the same effort that would be necessary for any other SIEM solution. 

All the solutions work together seamlessly to protect our environment. For example, Defender for Endpoint detects threats on the endpoints, and you see the same alerts within Sentinel. If Defender for Office detects a malicious email, it feeds that incident to Sentinel. The whole ecosystem is integrated there.

Sentinel ingests data from our entire environment. There are seven or eight ways to ingest data. You can install agents through LogStack or do it through APA calls. There are many ways to ingest everything that's required. We have had cases of custom applications running critical services for clients who wanted to ensure they were being monitored. 

The out-of-the-box integration wasn't there, but other methods of ingesting the solution exist. We used one of the custom methods with LogStack, and we could use onboard these applications. Managed services need to have that kind of flexibility for product onboarding.

We have been working with multiple customers, and every time we onboard a customer, we are missing an essential feature that surprisingly doesn't exist in Sentinel. We searched the forums and knowledge bases but couldn't find a solution. When you onboard new customers, you need to enable the data connectors. That part is easy, but you must create rules from scratch for every associated connector. You click "next," "next," "next," and it requires five clicks for each analytical rule. Imagine we have a customer with 150 rules.

It can be a nightmare. It would be much easier if Microsoft provided a way to select all the rules you need, and you can click once to create them. I went to multiple forums to find a way to automate this. Unfortunately, the best I can do is a semi-automated method. Half of them can be automated, but you must do the rest manually. 

For now, we are doing it manually, and our DevOps team is assigned to do this. Some APIs could be used. We leverage the Azure Insights PowerShell module to do the automation part. Currently, the team is working on it, but I know from the discussion that the solution would only be semi-automated. We can't fully automate this because it simply lacks that capability. Many people in the Microsoft community have already requested this solution. Hopefully, Microsoft will implement this feature.

These solutions provide comprehensive protection, but there is always room for improvement. For example, virus removal has 98 different antivirus engines associated. Still, if you are searching for a malicious IP address or a hostname, some solutions will pick it up, and others won't. It's okay overall. I wouldn't say it isn't good enough. It does what we need, but sometimes another solution does it better. It depends on who detects it first.

I've been using Sentinel for nearly a year.

Sentinel is a cloud-based solution, so everything is handled by Microsoft. We haven't experienced any outages. With any on-premise solution, you will see downtime when there are problems or changes in the infrastructure.

Sentinel is highly scalable. It's on the cloud, so we can scale up to any level. There are two models: pay-go and commitment tier. The commitment tier is there to help reduce costs. If you're a large organization with high volumes of data coming in, Microsoft recommends the commitment tier, which will save you 40-60%. Scalability isn't a problem.

I rate Microsoft support nine out of 10. Within all Microsoft services, there is a link you can use to contact support and raise a ticket based on severity. If it's something that will impact business, they are available 24/7. Once we get a call from them, they follow up around the clock until it's closed. It isn't bad.

Positive

I've worked on Splunk, QRadar, LogRhythm, AlienVault, McAfee, Juniper STRM, etc. I started using Sentinel when I joined this company. We are Microsoft Gold partners. However, my feedback is neutral as an analyst. Compared to other solutions I've used, Microsoft is easier in terms of integration and deployment.

We've seen an ROI. Having used multiple SIEM solutions, I would recommend Microsoft Sentinel for the ROI, integration, cloud visibility, customization, etc. 

The price is reasonable because Sentinel includes features like user behavior analytics and SOAR that are typically sold separately. Overall, a standalone on-prem solution would require some high-end servers at a different cost. It is a cloud-based solution, so there are backend cloud computing costs, but they are negligible. 

The most significant cost factor is log ingestion. The best approach with any SIEM solution is only to ingest the necessary security-specific logs. You consume the EPS licenses, memory, bandwidth, and CPU. It doesn't make sense to forward and dump everything into any SIEM solution. If you are doing the architecture correctly, you send the right amount of logs.

On top of that, Sentinel provides you with a workbook that tells you which log costs how much. You can optimize that part so it's cost-effective. Its dashboard offers clear graphs and charts, showing which log sources ingest the most logs, contributing to the cost. We can easily cut 40-60% of the price if we do appropriate fine-tuning. As long as you're doing the fine-tuning regularly, it's a highly cost-efficient solution.

I rate Sentinel 10 out of 10. At the same time, I understand no solution is perfect. I've had multiple issues with SIEM solutions I've used previously. Sentinel is missing one minor feature that could be added eventually. I have no complaints about the core functionality.

A large enterprise client contacted us about replacing Splunk with Sentinel, and their team wanted a side-by-side comparison. They're pretty new to SOC, and I've been in the field for a long time, so I told them that it's hard to do an apples-to-apples comparison. In many instances, you won't see much difference between the two, and Sentinel might beat Splunk in certain cases.

However, the essential component they would be missing in the comparison is the ecosystem. Sentinel can leverage a huge ecosystem on the backend that Splunk or any other solution simply can't. Splunk specializes in SIEM, but Microsoft covers the full cybersecurity spectrum. When comparing solutions, customers should look at the whole ecosystem and not only product features. 

A best-in-breed strategy works for some categories of security products. For example, it was an organizational policy that we would not purchase all of our firewall-related products from one vendor. However, SIEM only does detection based on the type of logs ingested. An organization might have firewalls from Cisco, Fortinet, and Juniper. At the end of the day, these three firewall brands are feeding the logs into one security solution, which is Sentinel. It's a single pane of glass that correlates all threats across your enterprise. It doesn't make sense to have multiple SIEM solutions.

The only cases where it makes sense are in large enterprises like oil and gas. For example, they may have an IT environment and an OT environment. In the IT environment, they have one solution and a different solution in the OT environment. They are silos being managed by different teams. They may have separate budgets and decision-making processes. That's why they have different solutions. Other than that, I really don't see any reason for having two different SIEM solutions in place.

Our organization is an SSP, a service provider for manual threat detection and hunting. We use Microsoft Sentinel for threat detection. We have a few clients using Microsoft Sentinel, and we provide SOAR services to them.

Having the ability to respond holistically from one place with Microsoft Sentinel is very useful. We don't need to log into different security consoles. It is less hectic and reduces our time to respond and resolve the issue.

The solution has helped improve our organization by detecting and hunting threats. The solution also correlates alerts from other solutions, such as Defender, Office 365, and other Endpoint solutions. Microsoft Sentinel has automated responses that help us reduce the number of analysts required for example, from ten to six because most of the tasks are done automatically.

The solution's automation of routine tasks helps us automate the finding of high-value alerts by reducing the manual work from 30 minutes down to three. 90 percent of the work is done by Sentinel which runs the playbook and provides us with all the data required to make a decision quickly.

The solution has helped eliminate the need to use multiple dashboards by incorporating SIEM plus SOAR into one convenient location. We don't need to log into each of the solutions individually. We can directly correlate the alerts and incidents from our Sentinel console. Sentinel reduces our time because we don't need to check multiple tabs for multiple solutions. All the information required to investigate and make a decision can be found in the solution's panel view.

We don't have any out-of-the-box threat intelligence from Microsoft, but with the integration of some open-source solutions and premium sources, Microsoft Sentinel helps us take proactive steps before threats enter our environment.

We have custom rules created to check IPs or domains for potential threats. Whenever an IP or domain is visible in our logs, the solution will automatically correlate with the threat intelligence feed and create an alert. If we skip the correlation portion and an alert has been created for a malicious IP or a malicious domain, the solution can check the reputation in different reputation sources such as a virus portal, or threat recorded future, and it will auto-populate the information for the analyst which helps us prepare for potential threats.

The solution has definitely saved us 90 percent of our time. Microsoft Sentinel reduces our time to detect, respond, and resolve incidents. Most of the incidents are detected automatically and we just need the data to make a decision. We don't have to go look for different clues or reputations over the internet or use other solutions.

Microsoft Sentinel has saved us from incurring costs related to a breach by protecting us.

The solution detects incidents and alerts us in real-time based on custom rules that we create or the out-of-the-box rules that are part of Sentinel. The information that auto-populates when we run the playbook reduces our response time in most cases because all the relevant data required for our investigation is provided on the incident details page.

Logic apps, playbooks, and dashboarding are all valuable features of this solution. 

Microsoft Sentinel prioritizes threats across our organization because the solution allows us to correlate using multiple solutions including Defender.

Integrating Microsoft solutions with each other is very easy. The integrated solutions work together to deliver coordinated detection and response in our environment.

The solution enables us to investigate threats and respond holistically from one place. We can write AQL queries and also create rules to detect the alerts. In the event that we don't have rules, we can proactively hunt through KQL queries.

The workbook based on KQL queries, which is the query language is very extensive compared to other solutions such as QRada and Splunk.

The solution requires no in-house maintenance because it is all handled by Microsoft. We only need to monitor the updates.

The playbook development environment is not as rich as it should be. There are multiple occasions when we face problems while creating the playbook. 

The cost is not straightforward and would benefit from a single charge model. 

The UI is not impressive, we need to train our analysts to conduct the investigation. Unlike IBM QRadar which has a different UI for searching, there is no UI where we can conduct searches with Sentinel. With Sentinel, all our searches require a KQL query, and if our analysts are not familiar with KQL queries, we have to train them. 

The data ingestion can use improvement. There are a few scenarios where we have experienced a delay in data ingestion.

I have been using the solution for one and a half years.

Sentinel is quite stable because it's a SaaS-based offering, so we don't have to worry about our stability. The solution is available 99.99999 percent of the time. The only time we have an issue is if there is a problem with the Azure portal. Microsoft handles the stability well.

We can scale the solution as much as we want, and with a few clicks, we can increase or decrease capacity.

We currently have four engineering teams that handle the deployments and use case development as well as a SOAR team that consists of ten technical people who all use the solution.

Microsoft Sentinel support is really good. They respond quickly to our requests and they try to resolve our issues as soon as possible. From my experience, Microsoft has the best support.

Positive

For SIEM, we previously used IBM QRadar and Splunk Enterprise Security. For SOAR, We have used IBM Resilient, Palo Alto XSOAR, and D3 SOAR, which is a new tool. D3 SOAR is a startup based in Canada and we used it for POC, but we have not used it in production. Sentinel is a SaaS-based solution. There is less administration required and with a few clicks, we can deploy Microsoft Sentinel, whereas, with other solutions, we have to build everything from scratch. There are other SaaS-based solutions but Sentinel is one of the most popular and because a lot of organizations are already using Microsoft and Azure products, Sentinel is the best compatible solution.

The initial setup for Sentinel is straightforward and the best I have worked with to date. We are able to deploy within half an hour and we only require one person to complete the implementation. 

The implementation was completed in-house.

From a cost perspective, there are some additional charges in addition to the licensing. Initially, the cost appears expensive, but over time, the solution justifies that cost. The cost is not straightforward, but instead really complex. We are charged for data ingestion as well as data leaving the environment. We are also charged for running playbooks and for logic apps. Compared with SIEM solutions, whose cost is simply based on EPS or data storage, Microsoft Sentinel's cost is complex. Over time we can predict what the cost of using the solution will be. Other standalone SOAR tools have fixed licensing and their cost is simple. We don't need to pay for each command we run or each integration we have or each automation we do. With Microsoft Sentinel, there is a cost associated with each of the connectors that we use in our playbook. Every time we run that playbook, there will be charges, but the charges are minimal unless we run the playbook repeatedly, then over time the cost shoots up.

We occasionally test POC and we are still evaluating other solutions.

I give the solution nine out of ten.

My impression of the visibility into threats that Microsoft Sentinel provides is that the solution is not perfect, but since it is part of Microsoft Workspace, Microsoft already provides so many services to clients, and Microsoft Sentinel is one of them. If we are already using Azure and other services from Microsoft, then Sentinel is easy to implement and use compared to other similar solutions. If I was not using Microsoft Solutions, then I can use other solutions, such as IBM QRadar or Splunk, and when it comes to XSOAR, Palo Alto XSOAR is a much better solution.

We use multiple solutions from Microsoft within our organization including Defender and Endpoint. We have integrated Endpoint with Defender and Microsoft Security Center to receive alerts.

Microsoft Sentinel has out-of-the-box support for up to 90 percent of solutions where we can find a connector to ingest the data directly, but for the remaining 10 percent, we need to write custom tables.

The ability to ingest data is the backbone of our security. If we don't ingest the data, we won't be able to perform anything at all in SIEM. SIEM is based on data ingestion. Once the data is ingested, then on top of that data, we can monitor and detect or hunt, whatever we want. We can create a reporting dashboard, but the data needs to be there.

Microsoft Sentinel's UEBA is quite capable. For SIEM, Splunk and IBM QRadar are slightly better than Sentinel, but Sentinel is catching up fast. The solution has only been in the market for two or three years and has already captured a large share with increasing popularity. For SOAR, Palo Alto XSOAR is much better than Microsoft Sentinel because Sentinel is a SIEM plus SOAR solution whereas Palo Alto XSOAR is a SOAR-focused solution only. What Microsoft Sentinel provides is one solution for SIEM plus SOAR, where we can detect and also respond in one place.

Currently, we have one environment based in a US data center, but we have the ability for multiple solutions in multiple regions within Azure, and we can integrate them using a master and slave configuration that will allow us to run all the queries from the master console.

Using a best-of-breed strategy rather than a single vendor suite is fine if we have a SIEM solution, a SOAR solution, or an Endpoint detection solution until a time when they are no longer compatible with each other and we can not integrate them. If we can not integrate the solutions it becomes difficult for our teams to log into and monitor multiple solutions separately.

I definitely recommend Microsoft Sentinel, but I suggest basing the decision on proof of concept by gathering the requirements, security solutions, and additional log source devices an organization has before using the solution. There are multiple solutions available that may be more suitable in some cases.

Our two primary uses for the solution are incident management and threat hunting. We use Sentinel and other Microsoft security products for security investigations, threat, team, and incident management purposes. The tool is deployed across multiple departments and locations, with around 8,000 total end users.

We use multiple Microsoft security products, the full Defender suite including Defender for Cloud, Cloud Apps, and Identity, all integrated with Sentinel. 

Integrating multiple solutions is straightforward; as they are all Microsoft products, it's easy for Sentinel to ingest the logs and data connectors. The process is very simple, and we can configure log sources or data connectors in Sentinel in a couple of clicks.  

As a next-generation AI-powered SIEM and SOAR tool, Sentinel provides an all-encompassing cyber defense at the cloud scale. The solution's machine learning capabilities make threat hunting and identification rapid across the entire cloud environment.

The solution provides excellent visibility into threats; it's integrated with Microsoft's threat intelligence platform, which forwards information to Sentinel. We have robust threat detection 24/7.   

Sentinel helps us prioritize threats across our enterprise, an essential function that lets us focus on investigating and resolving high-priority incidents first. When the most significant threats are dealt with, we can move on to the medium and low-priority issues.  

The multiple Microsoft solutions work natively together to deliver coordinated detection and response across our environment; they work very well together, and we trust these products to investigate matters further. 

The Microsoft solutions provide comprehensive threat protection across our entire organization.  

Sentinel enables us to ingest data from our entire ecosystem, which is crucial to our security operation. We require the data not just from Microsoft products but also from different firewalls and other security products, including firewall proxies, web proxies, logs, etc. We can quickly integrate multiple data sources in just a few steps. 

The solution's threat intelligence helps prepare us for potential threats before they hit and take proactive steps. Sentinel's intelligent and fast threat detection allows us to respond rapidly to critical and high-priority incidents by leveraging built-in automation and orchestration tools. 

Using Sentinel gives us time savings of 30-40%.  

The solution also decreased our time to detect and respond by 30-40%. 

Sentinel is a SIEM and SOAR tool, so its automation is the best feature; we can reduce human interaction, freeing up our human resources.

The built-in AI and machine learning are excellent; they reduce the number of false positives by around 90%.

The centralized threat collection is a valuable feature. 

The solution is cloud-native, so it's faster and easier to deploy as there is no hardware or software to implement.

The product is flexible enough to deploy in the cloud and on-prem, which is an advantage over other SIEM tools.

Sentinel allows us to investigate threats and respond holistically from one place, which is crucial because time management is essential during a security investigation. Having all the relevant data in one place enables security analysts to investigate and resolve quickly.   

The solution's built-in SOAR, UEBA, and threat intelligence capabilities provide comprehensive protection. The SOAR capability is excellent and better than other products on the market, reducing our dependence on security analysts, and IT takes less investigation time. We can leverage the UEBA to focus on risky users and entities first during an investigation, which is an integral part of the process. 

Compared to standalone SIEM and SOAR products, Sentinel reduces infrastructure costs by around 50% due to the cloud and reduced maintenance relative to legacy solutions. Sentinel is also approximately 70% faster to deploy than legacy solutions with the same rules. 

The solution helped to automate routine tasks and the finding of high-value alerts. This reduced our dependency on security analysts and their workloads because the solution reduced false positive alerts by about 90%. This freed up our analysts and is the most significant benefit of automation.  

The product helped eliminate having to look at multiple dashboards and gave us one XDR dashboard, which provides us with greater visibility and a reduced time to investigate and resolve.  

The data connectors for third-party tools could be improved, as some aren't available in Sentinel. They need to be available in the data connector panel. 

The solution could have more favorable pricing; the cost is relatively high compared to other SIEM tools, which can be prohibitive for smaller organizations. 

We've been using the solution for over a year. 

Sentinel is stable. 

The solution is scalable. 

The technical support is good and responsive, but in some cases, it took a long time to resolve our issue.

Positive

We previously used IBM QRadar as a SIEM tool and switched because Sentinel is cloud-native and has more comprehensive capabilities, including SOAR capabilities. Sentinel fits our clients' requirements better, as many of them utilize the MS Defender security suite, which gives them a specific grant for free data ingestion. The solution also provides greater visibility.

I wasn't involved in the solution's initial setup, and in terms of maintenance, it's very lightweight; updates are Microsoft's responsibility, so we don't need to do anything.

Sentinel is expensive relative to other products of the class, so it often isn't affordable for small-scale businesses. However, considering the solution has more extensive capabilities than others, the price is not so high. Pricing is based on GBs of ingested daily data, either by a pay-as-you-go or subscription model.

The product saved us money, but actual savings depend on the project size, as the pricing is per GB of ingested data. Our savings are approximately 40-50%. 

We evaluated various solutions, including LogRhythm SIEM, Splunk, and Sumo Logic Security. We chose Sentinel because it's more advanced, cost-efficient has greater capabilities and fulfills our requirements better than the other products.

I rate Sentinel nine out of ten. 

To a security colleague who says it's better to go with a best-of-breed strategy over a single vendor's security suite, it's better to go with multiple vendors. This provides better visibility and avoids a single point of failure.

My advice to others considering the product is it depends on the project requirements. For larger organizations, I recommend Sentinel, as it's very advanced. However, for smaller-scale industries, Splunk and IBM QRadar are good options. For primarily cloud-based organizations with the majority of users in the cloud, then Sentinel is again an excellent choice.

Microsoft Sentinel serves as a centralized hub for collecting and analyzing logs from various Microsoft tools and other sources. It eliminates the need to develop custom toolsets for detecting malicious activities across different Microsoft tools. Instead, Microsoft Sentinel provides standardized rules and playbooks to streamline the process of identifying and responding to potential threats.

For instance, consider a scenario where an employee clicks on a phishing link in an email, leading to the installation of malware on their system. While the endpoint detection and response tool on the endpoint might not detect malicious activity, Microsoft Sentinel, acting as a central log collector, receives the EDR logs and triggers an event based on pre-defined rules.

Upon detecting the suspicious activity, Microsoft Sentinel automatically executes a playbook, which may involve actions such as killing the malicious process or isolating the affected endpoint. This automated response helps expedite threat containment and reduces the burden on security analysts.

It is crucial that Sentinel empowers us to safeguard our hybrid, cloud, and multi-cloud environments. We employ a hybrid cloud setup, and securing our environment using Sentinel is significantly simpler than manual methods. We can gather events in the Central Point and develop playbooks and scripts to automate responses. This streamlines the process and enhances our overall security posture. Additionally, if an alert is triggered, we receive an incident notification via email, prompting us to take action and resolve the issue.

Sentinel provides a library of customizable content to address our company's needs.

Microsoft Sentinel has helped our organization with alerts. We'll receive alerts from Sentinel indicating that we're at risk. It's important to address these alerts promptly. We first need to review the information in the email, and then work on the issue in the office. After that, we'll contact the team members on the relevant shift. There's nothing particularly difficult about this process. It's based on our access privileges, which are determined by our role in the company. If we have a high-level role, we'll have access to all the necessary tools and resources. We'll even be able to receive alerts at home if there's a security issue. The company that provides this technology grants work-from-home access based on security considerations. If someone has a critical role, they'll also be equipped with the tools they need to work remotely and connect with their team members. So, the company that provided the technology can resolve the issue first, and then we can address it. Once we've taken care of the issue, everything will be much easier.

By leveraging Sentinel's AI in conjunction with our playbooks for automation, we can enhance the effectiveness of our security team, subject to the specific rules and policies we implement.

The logs provided by Sentinel have helped improve our visibility into our user's network behavior.

Sentinel has helped us save 60 percent of our time by prioritizing the severity of the alerts we receive. When we receive an alert with a high-risk level, we immediately address it to mitigate the potential security threat. Additionally, we have configured our anti-ransomware software, to further protect our systems from cyberattacks. In the event of a ransomware attack, our Halcyon system will generate an encryption key that can be used to unlock our system. This key is securely stored by Halcyon.

Sentinel has helped reduce our investigation times by enabling us to review an alert, generate a ticket, and resolve the issue simultaneously upon receiving the alert.

The most valuable feature is the alert notifications, which are categorized by severity levels: informational, low, medium, and high. This allows us to prioritize and address alerts based on their urgency. For instance, we would immediately address high-severity alerts. This feature, along with the ability to create playbooks, significantly enhances our workflow.

I would like Microsoft to add more connectors for Sentinel.

Microsoft Sentinel should provide an alternative query language to KQL for users who lack KQL expertise. 

I have been using Microsoft Sentinel for one and a half years.

Microsoft Sentinel is a stable solution. 

Microsoft Sentinel is scalable.

We have to write playbooks to resolve our issues.

Neutral

The configuration of Microsoft Sentinel involved a complex process that required thorough familiarity with the available connectors and the policies to be implemented.

We have seen a 30 percent return on investment.

Sentinel is costly.

I would rate Microsoft Sentinel seven out of ten.

We have five people in our organization who utilize Sentinel.

No maintenance is required from our end.

We use Sentinel for our SOC operations. We set up analytics rules and SOAR playbooks. Sentinel covers our entire security operation. It is deployed across multiple locations and covers around 4,000 users.

Sentinel gives us alerts, identifies vulnerabilities, and helps us remediate issues. Some of it is automated, but we also do manual remediation through the ticketing process. We have integrated Sentinel with ServiceNow, so the alerts are routed to the engineers.

Sentinel has reduced our mean time to resolution, one of our KPIs, by about 30 to 40 percent and enabled us to identify vulnerabilities faster. The co-pilot capability saves us a lot of time, too. We're also doing mapping with the MITRE framework, improving our MITRE coverage. We started to see results after the initial deployment and configuration. It took about two or three months. It's an ongoing process, but we realized the benefits within three months. 

The solution correlates signals from native and third-party sources into a single incident. Before implementing Sentinel, we used multiple tools to investigate and remedy vulnerabilities. Having that single pane of glass has significantly increased the efficiency.

Sentinel has improved our overall visibility. We get data about user behavior and correlate it. It also gives us alerts about network vulnerabilities. Having a single pane of glass and one consolidated security tool allows us to capture multiple layers, from the endpoints to the servers. One solution gives us visibility into all the layers. 

The SOAR playbooks are Sentinel's most valuable feature. It gives you a unified toolset for detecting, investigating, and responding to incidents. That's what clearly differentiates Sentinels from its competitors. It's cloud-native, offering end-to-end coverage with more than 120 connectors. All types of data logs can be poured into the system so analysis can happen. That end-to-end visibility gives it the advantage.

Sentinel's AI and automation capabilities make our SOC team's job easy. When logs come into Sentinel, the AI engine analyzes, contextualizes, and correlates them. The AI is correlating the data from multiple log sources and giving us alerts. We depend on that. We also perform automated remediation based on our SOAR playbooks. 

I would like Sentinel to have more out-of-the-box analytics rules. There are already more than 400 rules, but they could add more industry-specific ones. For example, you could have sets of out-of-the-box rules for banking, financial sector, insurance, automotive, etc., so it's easier for people to use it out of the box. Structuring the rules according to industry might help us. 

They could also add some more connectors. Sentinel has 120 connectors, including most of the essential data ones, but they could add some more legacy connectors.

I have used Microsoft Sentinel for three years.

Our SOC team relies on Sentinel from end to end, and it has been quite stable. It's always up, and we've never had any issues with the connectors.

Scalability isn't a problem because we have an Azure environment, and Sentinel is native.

I rate Microsoft support nine out of 10. They resolve our tickets within an acceptable time frame. That is pretty much okay for us.

Positive

Initially, we used Splunk, but I've mostly worked on Sentinel at this company. It was a company decision. Splunk works well in an on-premise or legacy environment, but our entire digital estate shifted to the cloud, so it makes more sense to move to Microsoft Sentinel because we moved to Azure.

Our deployment went smoothly. We spent about three or four months setting up the entire thing, and it all went according to plan without any undue complications. About three months of that was the configuration phase, and we had a transitional month before starting operations. 

The implementation steps included enabling Sentinel, setting up Log Analytics Workspace, and connecting the data connectors. After that, the logs started flowing in. Next, we created the analytic rules and remediation use cases. The deployment team included seven full-time staff. After deployment, Sentinel requires some ongoing maintenance when we add new analytics rules or log sources. We have one engineer responsible for that.

We see an ROI. Our efficiency increased once we created the initial set of analytics rules and SOAR automation, and we review our automation use cases every six months to find more ways to save money. It comes out to roughly a 10 percent return annually on a three-year contract.

I am not involved on the financial side, but from an enterprise-wide use perspective, I think the price is good enough. We have bundled pricing with Azure Monitor Log Analytics. We would be using Log Analytics Workspace even if we didn't have Sentinel, and we would need to pay a separate license for IBM QRadar or Splunk. It optimizes costs when we use both in our digital estate. 

We considered IBM QRadar. 

I rate Microsoft Sentinel eight out of 10. It's a plug-and-play solution, so you can start seeing benefits quickly using the out-of-the-box analytics rules and use cases. Of course, you need more time to create custom use cases and playbooks, but it's simple to get started. It might be challenging to migrate from a legacy system because you may have trouble connecting to the old data, but this is the best tool for a greenfield deployment. 

We are developing our security signals for Microsoft Sentinel, so we are making a connector for Microsoft Sentinel. We try to use several features.

When using mobile devices, if there is an attacker or malware, the signal goes to the Microsoft Sentinel console from there. Our IT admin looks at those incidents.

The importance of that for our organization is because we are using our mobile devices for work. Mobile devices are not safe enough.

I focus on mobile devices while using Microsoft Sentinel. Mainly we want to expand our Identity performers. 

The signal correlation and dashboards features of Microsoft Sentinel are fantastic because it correlates the signal logs with other products. The customizable dashboards are also valuable.

Microsoft Sentinel's ability to correlate data from multiple sources and its detection capabilities are essential.

Microsoft Sentinel can be improved in terms of automation or connecting with security products so that it is easier to use for general IT admins.

I started using Microsoft Sentinel last June, so it has been about a year.

I was not using any other solutions for this specific task before Microsoft Sentinel. We ultimately chose Microsoft Sentinel because we have partnerships.

We have not yet seen a return on investment with Microsoft Sentinel. We expect to see a return on investment this year. 

We try to use the security incidents feature in Microsoft Sentinel, but I have not seen the actual incident yet. I could not find good use cases. My experience with the collaboration capabilities of Microsoft Sentinel is limited, as I am still getting used to it.

I would rate Microsoft Sentinel a seven out of ten.