Microsoft Sentinel Reviews

I'm using it as a SIEM solution. If I consider the leading clouds, especially Google and Amazon, so we don't have a dedicated SIEM solution available in either and we have to create a SIEM solution by using the native services of those clouds. But Microsoft Sentinel gives us an opportunity to use a direct SIEM solution. 

I have clients from different regions and they already have environments on the cloud with various vendors, as well as on-prem. The problem they came to me with was that they wanted to secure their environments. They wanted to monitor all the vulnerability management, patches, and vulnerability scans in a single place. They have third-party data sources that they wanted to monitor things in a single dashboard. I suggested they use Microsoft Sentinel because it can integrate many third-party vendors into a single picture.

Those are the kinds of scenarios in which I suggest that my clients use Microsoft Sentinel.

One thing that makes our work easier is that Sentinel enables you to investigate threats and respond from one place. We don't need to jump into different portals. We configure the rules there and we have the response plans as well as the recommendations from the Sentinel itself and, from there, we can take action. It saves time. That is a good and really important feature.

Working with Sentinel, trust is something we have gained. My company is a consulting firm and we have multiple clients in different regions. We have Australian clients and have to deal with Australian policies, as well as in India where there are different kinds of government policies. With all these policies that our clients have to accommodate, when we deploy Sentinel, the trust we are gaining from them is good.

We are also able to optimize costs, have stability, and an improved work culture by using Sentinel.

Another benefit is the automation of routine functions, like the creation of incidents. Our SOC doesn't need to create incidents manually. We have playbooks to automate things. That saves time on a daily basis.

A monotonous job was the need to send an email to an affected user to tell them to take an action because their third-party tool was something we didn't have access to. For example, we do not have visibility into the portal of Palo Alto, CyberArk, or Zscaler. My team's job in that situation was to send an email for every alert to tell someone to take action. Now, they don't need to waste their time. With automation, we can create a playbook for that. When an alert is generated, it automatically triggers the affected user to take action accordingly. In the time we have saved, my team has been able to learn and customize KQL queries and enhance their KQL skills.

Another area where it is helping us is in creating a single dashboard for our environment. We can collect all the logs into a log analytics workset and run queries on top of it. We get all the results in the dashboard. Even a layman can understand this stuff. The way Microsoft presents it is really incredible. We can download that dashboard or a report from the dashboard and present it in a team meeting. That is really useful.

Overall, per week, Sentinel saves us 40 to 45 hours, per person. We have a team of 20 people who log in to Sentinel and each of those people is saving something like 40 to 45 hours by using it. In that time we can work on different technologies. It has also definitely decreased our time to detection by 80 percent.

The most amazing aspect of Microsoft Sentinel is the daily upgrading of the product. They have third-party connectors that their people are enhancing on a daily basis. That is what I like about the product. Their people are not sitting idly and saying, "Okay, we have created the product, now just use it." It's nothing like that. They are continuously working on it to make it number one in the market.

It also has a playbook feature so that we can do automation in Sentinel itself, based on the data sources and the logs that we are receiving. That means we don't need to do manual stuff again and again.

Using Sentinel, we can collect all the logs of third-party vendors and use them to analyze what kinds of scenarios are going on in the environment. On top of that, we can create analytics rules to monitor the environment and take action accordingly if there is a suspicious or malicious event.

Something else that is great is the visibility into threats. We have an AI feature enabled in Sentinel and that gives us great visibility into the data sources we have integrated. And for data sources that we don't have integrated, we have a Zero Trust feature and we get great visibility into the threat log. Visibility-wise, Sentinel is fantastic.

The ingestion of data from our entire environment is very important to our security operations. We have clients in insurance and multiple firms that deal with taxation, and we need to do an audit yearly. To do that, we need the data from the whole environment to be ingested into the workspace.

They can work on the EDR side of things. It is already really superb, because of the kinds of features we get with the EDR solution. It's not a standard EDR and they have recently enhanced things. But the problem is with onboarding devices. I have different OS flavors, including a large number of Linux, Windows, macOS, and some on-prem machines as well.

Every time we need to onboard these kinds of machines into the EDR, we need to do it with the help of Intune, to sync up the devices, and do the configuration. I'm looking for something on the EDR side that will reduce this kind of work. They can eliminate having to do manual configuration for the machines, and check the different types of configurations for each OS. In some cases, it does not support some OSs. If they could reduce this type of work, that would be really amazing.

I have been using this product for the last three and a half years.

It is reliable. I would rate it a nine out of 10 for performance and reliability.

The scalability is also a nine out of 10.

We have the solution in different locations and regions. Most of my clients are in Singapore, Australia, and India and we have some European clients as well. On average, our clients have 2,200 employees.

Most of the time, their technical support is very good and very supportive. But sometimes we feel that they don't want to help us. Recently, we had a major issue and we tried to involve a Microsoft engineer. I felt he was not aware of the things we were asking for. 

I said, "That machine is hosted on Microsoft Azure and you and people are managing that stuff, so you need to know that machine inside and out." He said, "No, the configuration and integration parts, in the machine itself, is something I'm not aware of. You people did this, and you need to take care of it." I told him that the challenge we were facing was with the configuration and we do not get those kinds of logs. I suggested he engage some Linux OS expertise for this call, but he said, "No, we don't have a Linux OS expert."

Sometimes we face this kind of challenge, but most of the time their people are very helpful.

Neutral

It is a very simple process to integrate things. On a scale of one to 10, where 10 is "easy," I would rate it at nine. We have a team that takes part with me in the implementation and we divide the work.

And we don't need to worry too much about maintenance. Microsoft takes care of that part.

We do it all in-house.

Microsoft can enhance the licensing side. I feel there is confusion sometimes. They should have a list of features when we opt for Microsoft Sentinel. They should have a single license in which we have the opportunity to use the EDR or CASB solution. Right now, for Sentinel, we have to pay for a license for something in the Azure portal. Then, if we want to work with CASB, we need to buy a different license. And if we want to go for EDR, we need to buy another license. They do provide a type of comparison with a combo of licenses, but I feel very confused sometimes about subscriptions and licensing.

Also, sometimes it's quite tough to reach them when we need a license. We have to wait for some time. When we drop an email to contact them, it is at least 24 until they reply. They should be able to get back to us in one hour or even 30 minutes. They do have a premium feature where, within one or two hours, they are bound to respond to a query. But with licensing, sometimes this is a challenge. They don't respond on time.

If I compare Sentinel with standalone SIEM and SOAR solutions when it comes to cost, Sentinel is good. It is really cheap but that does not mean it compromises on features, ease of use, or flexibility, compared to what the other vendors are providing. When I look at other similar solutions, like Splunk, QRadar, and ArcSight, they are charging more than Microsoft, but ultimately they are not giving us the features that Microsoft is offering us.

Sentinel is far better than these other solutions. I have worked with Splunk in the past and many of my colleagues are working in the QRadar as well. When I talk to them, and when I compare the features, these solutions are not at all near to Microsoft Sentinel.

So while we do create a type of SIEM solution in other platforms in the cloud, using the native services, Microsoft gives us a direct solution at a very reasonable rate. They are charging less money, but they will never compromise the quality or the features. Microsoft is updating Sentinel on a regular basis. If I look at Sentinel three and a half years back, and the Sentinel of today, the difference is really unbelievable.

As part of our consulting team, I have never suggested that someone go for a third-party solution. Some of my clients have a whole environment on AWS and GCP and they have said, "Can we create some kind of SIEM solution for my cloud by using something we have in Microsoft?" I give them a comparison between using the native services and Microsoft Sentinel. The main point I tell them is about the cost. They are convinced and say, "Okay, if we get those kinds of features at that cost, we are good to go with the Microsoft Sentinel." And they don't need to migrate their whole environment into Sentinel or Microsoft Azure. They can continue to use whatever they are using. We can onboard their logs into Sentinel and, on top of that, create use cases and dashboards, and they can monitor things.

Microsoft is proactive in helping you be ready for potential threats, but I'm not involved in that part. It's something my counterpart takes care of. But I have heard from them that it is proactive.

We also use Microsoft's CASB solution, Microsoft Defender for Cloud, and Defender for Endpoint. There is some complexity when it comes to integration of Defender for Endpoint. This is the feedback I have submitted to Microsoft. When we do the integration of Defender for Endpoint, we have more than 12,000 machines, with different OSs. Onboarding all those machines into the environment is a challenge because of the large number of machines.

Although it's not creating any kind of mess, compared with Sentinel or the CASB product, Defender for Endpoint is something Microsoft can work on to create an option where we don't need to onboard all these machines into Intune and then into Defender for Endpoint. If that step can be omitted, Defender for Point will also be a good solution because it is also working on an AI basis.

These Microsoft products do work together to deliver coordinated detection and response. We simultaneously get the benefits of all these products.

We are also using Microsoft Defender for Cloud to see the security posture of our environment and it also has some great features. It helps us understand vulnerability issues and, on the top of that, we get recommendations for resolving those issues. The security posture is based on the policies it has, as well as third-party CIS benchmarks that people are using in the backend to provide the recommendations. It's good.

We have created an automation rule, but not directly using Defender for Cloud's bi-directional feature. The automation we have created is logic using a bidirectional aspect for Sentinel incidents. When we get incidents in Sentinel, we can trigger those same incidents in ServiceNow as well. We have a SOC team that manages our incident response plan and ServiceNow. Once they take an action in ServiceNow, they don't need to go to Microsoft Sentinel again and take action on the incident. It will automatically reflect the action they have taken.

Between best-of-breed versus a single vendor for security, Microsoft is on top. They are continuously enhancing their product and other cloud platforms don't have a direct SIEM solution. We need to customize other solutions every time if we want to opt for another cloud vendor. This is the advantage of Microsoft Sentinel at this point in time.

I would recommend Microsoft Sentinel to anybody.

I and my colleagues feel that Microsoft Sentinel is the number-one product for anyone considering something similar. We have other tools as well, but none compare with Sentinel.

We utilize Microsoft Sentinel to monitor files for suspicious activities, such as unauthorized user login information, remote logins from outside the secure region, and primarily attachments.

Microsoft Sentinel offers good visibility into threats because we can integrate it with both Defender for Cloud and Defender for Endpoint. We conducted a test to determine the extent of visibility achievable through Sentinel integration, aiming to identify the primary sources of attacks.

We also use Microsoft Office 365, Defender for Cloud, and Defender for Endpoint.

When it concerns cybersecurity, particularly regarding zero-day attacks, Microsoft tends to promptly release TVEs. These updates enable us to patch systems that are susceptible to specific zero-day attacks.

Sentinel allows us to gather data from our entire ecosystem. We can install connectors or an agent on the user's system, or we can do it manually.

Sentinel enables us to investigate threats and respond promptly from a unified platform. Upon receiving alerts, we can navigate to the corresponding tab for analytics, where we can initiate an investigation to view comprehensive details about the threat's origin and its interactions.

It has assisted our organization in enhancing our preparedness and thwarting phishing emails and attacks. We encounter attacks on a daily basis from individuals attempting to execute scripts via websites. Every month, we can conduct simulations to train our personnel in recognizing and evading threats. Sentinel is particularly effective in mitigating risks posed by employees who click on dubious email attachments.

Sentinel assists in automating routine tasks and identifying high-value alerts. Although I haven't extensively used it, playbooks can be employed to create automated responses for alerts and to resolve them.

It assists in eliminating the need to utilize multiple dashboards. We configured one of our servers as a honeypot, enabling us to observe all access and related details from a unified dashboard.

The threat intelligence assists us in preparing for potential threats before they occur and taking any necessary proactive measures. When a potential threat is identified, we are also given recommendations on how to proceed.

Sentinel has helped decrease our time to detect and respond. The automation has reduced the time I spend on low-level threats, allowing me to focus on the priority threats.

Microsoft Sentinel comes preloaded with templates for teaching and analytics rules. we can also create our own.

We need to continually test and define analytics rules due to the possibility of triggering false positives if we simply use the preloaded templates and neglect them.

We attempted to integrate our Microsoft solutions, but we occasionally faced problems when connecting with other systems. While it functioned effectively with Linux and Unix systems, a Windows 11 update led to complications. Sentinel was unable to capture essential logs on certain computers. As a result, we were compelled to create two SIEMs using Splunk and QualysGuard. This was necessary because certain operating systems experienced issues, particularly after receiving updates.

Although Sentinel is a comprehensive security solution, it could be more user-friendly. When I started using it, it was a bit confusing. I think that certain features should be placed in separate tabs instead of being clustered together in one place.

The KQL query does not function effectively with Windows 11 machines, and in the majority of machine-based investigations, KQL queries are essential for organizing the data during investigations.

I have been using Microsoft Sentinel for two years.

I have not experienced any stability issues with Microsoft Sentinel.

Scaling is straightforward. For instance, if an organization opts to establish a new department and intends to add ten machines to that department, all that is required is to create a new load analysis workspace, incorporate the machines into that workspace, and subsequently link it to Sentinel.

Microsoft Sentinel requires an E5 license. When considering this from the perspective of a large enterprise organization, the cost might be justified. However, for smaller organizations, it is comparatively expensive when compared to other SIEM and SOAR solutions. Open-source SIEMs like OSSEC are also available. These can be integrated with other open-source tools to address similar issues as Microsoft Sentinel, often at minimal or no cost.

I would rate Microsoft Sentinel an eight out of ten.

Our Microsoft security solutions both cooperate and have limitations in working seamlessly together to provide coordinated detection and response across our environment. The individual who initially implemented these solutions did so in a manner that prevents us from accessing all the necessary information to effectively utilize Sentinel with a single administrative account, as intended.

Most of our servers are on-premises but we have two that are connected to Defender for Cloud. Those are mostly pickup servers.

Microsoft takes care of the maintenance for Sentinel.

Using a best-of-breed strategy is superior to relying on a single-vendor security suite. I have observed while working with Splunk and QualysGuard, that they are capable of detecting certain low-level threats more promptly than Sentinel. Occasionally, these threats manage to slip through when using Sentinel.

Microsoft Sentinel is a commendable solution, and its value justifies the cost. However, it should be noted that it comes with a significant price tag. Therefore, any organization considering implementing this solution should ensure they are financially prepared for it. I strongly advise obtaining certification and acquiring proficiency in using Sentinel. It is an excellent tool equipped with numerous features. Unfortunately, many users remain unaware of these features or lack the understanding of how to utilize them effectively. It's worth mentioning that Microsoft Defender and Intune serve to further enhance Sentinel's capabilities, elevating it into an even more powerful tool.

I work as a security team leader and consultant in the Netherlands. Additionally, I am the main architect for my organization. Our current focus is on building our own Security Operations Center for media entities, and we offer this service to our customers as well. Our solution ensures zero bypasses and integrates the XDR suite of our clients. Therefore, any customer looking for the same solution can benefit from our expertise.

Microsoft Sentinel has the potential to assist us in prioritizing threats across our entire enterprise. However, its effectiveness relies heavily on the quality of our analytics roles. If we have appropriate alerts in place, we can avoid unnecessary noise. If we can accurately prioritize incidents and assign the appropriate level, it will significantly aid us. Additionally, automation can help analysts make informed decisions by consolidating incidents and alerts.

I have completed many customer integrations. Currently, I am working with one of the largest healthcare retailers and a very large insurance company. They have a variety of other products, such as effective AI, Infoblocks, and Akamai as a last resort. Our goal is to consolidate all the alerts from these products into Sentinel, which sometimes requires processing or editing. We refer to this as social editing, which essentially means fixing issues. Ultimately, our objective is to have a comprehensive overview of everything in a single dashboard.

The effectiveness of the integrated solutions that work together natively varies. At times, a data connector may work well, while at other times, it may not. I have noticed that Sentinel has significant potential for the development of data connectors and passes. This observation is due to one of my customers requiring a considerable amount of additional processing for data connectors, which prompted us to make a request to Microsoft. Currently, we are pleased to see that Microsoft is integrating this functionality. On the other hand, we also have plans to work with a local collector that involves parsing logs and collecting log data using custom parsing services.

The effectiveness of integrated security products in providing comprehensive threat protection is improving. However, there is a risk of overlap in the functionalities of Microsoft's various products, leading to duplicate alerts or unwanted charges. Nonetheless, compliance is improving. Additionally, the endpoint portal is starting to function more like an application portal for multiple products. Using only the Defender portal instead of Sentinel would benefit many customers at present, though additional sources may provide added value. There are also many developments in this area worth exploring.

Microsoft Sentinel has the capability to collect data from our entire ecosystem, but it comes with a cost. As the head of IT, I would have the ability to obtain any sensitive data that I need. If there is a substantial amount of data, I can handle it. However, we need to establish a use case for the data before proceeding, as it could become too expensive for us to handle. Therefore, we will not be ingesting all the data available.

Microsoft Sentinel allows us to investigate and respond to threats holistically from a single platform. This capability is powerful because we can create our own queries, and the language used is user-friendly. However, we must ensure that the data in Sentinel is properly structured. This means ensuring that our timestamps are consistent and accurate and that the quality of our data is high. By doing so, querying becomes easy and effective.

If we have a background in Azure, then it's relatively easy to understand the SOAR capabilities since it's built on Azure foundations and logic apps. This makes it more powerful.

The cost of Microsoft Sentinel is reasonable when compared to other SIEM and SOAR solutions. While the cost of ingestion may be high, the platform offers numerous capabilities for automation, alerting, monitoring, and operations. Therefore, we are receiving good value for our investment, even though it may not be the cheapest option on the market. Microsoft Sentinel's ongoing development of new features justifies the price point. For example, I compared it to a customer who used Splunk last year, and Splunk was more expensive and had fewer features.

Sentinel assists in automating routine tasks and identifying high-value alerts. For instance, we can configure it to automatically detect risks on specific accounts and receive notifications through an automatic inbox. While we exercise caution in implementing automation, we can leverage it during hours when staffing is limited to ensure timely and appropriate actions.

Sentinel's threat intelligence helps us prepare for potential threats and take action before they can impact us. Obtaining threat intelligence feeds from Microsoft would also be beneficial. We may eventually need to acquire an Excel feed, either from Microsoft or another source, but we must ensure that these expenses provide tangible value. I believe that the machine learning used by Microsoft Infusionsoft provides valuable threat intelligence with reliable patterns.

I've noticed that some customers are using on-premises environments such as Oxite for this particular task. However, since we're on a cloud platform, we don't have to handle and operate the systems as much because they are cloud services. This allows us to focus on the platform, the content, and making it work. The integration with Microsoft works well, and we can use similar queries in Sentinel as we do in Defender for Endpoint, which saves us time.

If we compare the current situation to that of five years ago, we can see that every company was spending less on this type of product because the threat wasn't as significant. However, over time, we have witnessed a significant increase in cyberattacks. As a result, every budget has been increased to address this issue. Therefore, in my opinion, Sentinel is not merely saving money; rather, we are utilizing our resources more efficiently.

I believe one of the main advantages is Microsoft Sentinel's seamless integration with other Microsoft products. This means that if we need to work with customers who already use the entire defense suite, we can easily collaborate with them. Additionally, the KQL language created is very robust and has a manageable learning curve for those who already have some experience. Furthermore, we can use KQL in other Microsoft platforms, making it a versatile tool. The AI aspect is also noteworthy, as it utilizes existing resources in Azure. For instance, if we have previous experience building Azure functions or using wireless technology, we can incorporate these skills into our playbook development in Sentinel.

Microsoft Sentinel provides visibility into threats, and the incident alert display has improved. However, I don't believe it is efficient or pleasant to work with, especially for specialists who work with it all day. We are considering putting our incident alerts into ServiceNow first, which would improve instant handling, logging, and monitoring, and streamline the investigation process. This is a potential area for improvement, but currently, the system is workable and easy to use. I understand that improvements are in progress, and I expect the system to get even better with time.

When we look at external SOAR and orchestration platforms, we have a better overview of all the rules, their behavior, and the correlation between them. From a technical perspective, it works well, but from a functional overview, there's room for improvement. For example, we need a clear understanding of what playbooks we have in our SOAR capabilities. Currently, we have a long list, and we need to know what each playbook does. If we want to add some playbooks in Azure, we need to consider the playbooks that we have in Azure that are not related to any schedule. This can make the environment a bit messy. While building them ourselves, we can have a clear understanding of the why, what, and how, but it can be complicated to know which playbook does what at a given moment or what role it best fits.

Currently, the watchlist feature is being utilized, and although there have been improvements, it is still not fully optimized. When examining the watchlist, it appears that it is not adequately supported in Sentinel's repository feature. As a result, we are constantly having to find workarounds, which is functional but require more effort. It is possible for Microsoft to improve efficiency, but they have not done so yet. 

I have been using Microsoft Sentinel for three years.

Last year, there were some issues with Azure Sentinel, which is a specific service within the Azure platform. These issues affected the performance of Sentinel and caused some concerns. While the situation has improved, there may be further challenges as the platform continues to grow. As a cloud service, there is a risk of outages, which can be difficult to address. Overall, there are currently no complaints about the stability of Azure Sentinel, but it is important to stay vigilant about potential issues that may arise.

Sentinel's scalability is impressive. Currently, we have not encountered any limitations. While there may be a limit on the number of rules with a large amount of data, we have not reached that point. The system performs well, aided by the basic and archive loss features. In the event that those features are insufficient, we still have additional options available. Overall, I believe that Sentinel is highly scalable.

We used to utilize ArcSight Interset, an outdated on-premises product that wasn't suitable for our move to the cloud or offering services to our customers. Since we mainly use Microsoft products, we switched to Sentinel enthusiastically. Sentinel is a perfect fit for our organization.

The initial setup was straightforward and adoption was fast. Currently, our approach within the organization is, to begin with a simple implementation and ensure it is functional before incorporating more complex integrations. We started with basic tasks such as editing data files and integrating on-premises data responses. Once we have established a solid foundation, we will build upon it to create a more advanced version.

If we take all areas into account, we would need a considerable number of people for deployment. I believe we would need around 15 to 20 individuals, including engineering consultants, ServiceNow personnel, and others.

I give Microsoft Sentinel an eight out of ten.

We use the entire range of security measures except for Defender for IP. This is similar to how we use Defender for servers. In Azure, these measures are used on the front-end point, server, and callbacks. As for our customer implementations, I am responsible for carrying them out. For our own laptops, we have a strategy where we use Carbon Black instead of Defender for Endpoint. However, we still use Defender AV, and for other cloud applications, we use Defender for Office 365. The reason we continue to use Carbon Black is due to its legacy status.

Sentinel is a cloud service platform that is particularly useful for those who require sizable, scalable, and high-performing solutions.

Sentinel always requires some maintenance, which includes examining the ingested data to determine if it is being used for a specific purpose. It is important to evaluate the amount of data being stored and ensure that we are paying the correct price. Additionally, any necessary updates should be made to patch up any queries. These actions will result in improved efficiency and effectiveness.

The choice of the best-of-breed solution depends on the company's specific needs, but given the shortage of skilled personnel in many organizations, managing multiple products can be challenging. If we opt for a best-of-breed solution, we may end up having to maintain expertise in several different areas. On the other hand, choosing a single vendor, such as Microsoft, can be advantageous in terms of discounts, support, and skill maintenance. Our experience suggests that when evaluating a solution, it's essential to know the requirements, risks, and desired outcomes beforehand, rather than trying to ingest all available data, which can be costly and inefficient.

My client has a huge environment in Azure. They have around 30,000 resources spread across the globe. They also have a huge presence on-premises itself. So, for on-prem, they have a SIEM solution already in place. But for the cloud, they didn't have anything. So, basically, no visibility into any kind of attacks or any kind of logging or monitoring in the cloud. We could not scale up our on-prem counterpart for it due to various reasons of cost and how much resources it would take. Microsoft Sentinel seemed like a pretty good solution since it's cloud-native, it's hosted by Azure itself. So we went ahead with the solution.

Microsoft Sentinel has given us great visibility into our cloud workloads and cloud environment as a whole. And not just that, but even, in fact, with the MCAS and email-security solutions also. We get a lot of visibility into what kind of emails we are getting and how many of them are malicious versus legitimate. From a visibility and compatibility perspective, it's really a nice product to have as a SIEM solution for your cloud environment. In fact, we have integrated this with our AWS, as well. At this point in time, it's just one account, but we plan on expanding more. So all the logs from our AWS environment flow to the solution. Microsoft Sentinel performs the analytics and gives us the alert for that.

The comprehensiveness and coverage of multiple different solutions, on-prem solutions, and cloud solutions, are the two aspects, Microsoft Sentinel really has an edge over other products.

Visibility into threats is above average. Since I also went through some slides of Microsoft and they receive a lot of telemetry because of their Windows platform, because of Azure. What I saw in those slides is that they benefit from this telemetry and create a rich threat-intelligence, kind of a backend service, which supports Sentinel and literally enriches the detection capabilities for Microsoft Sentinel.

Correlation is something that helps us instead of looking at every single alert. So, if we get a phishing email and five users click on it, instead of going through five individual detections, it correlates all of that and presents it in one single incident correlating all these five events. So, in terms of that correlation, it is pretty good. In terms of responding to these alerts, I know there is some automation. There were multiple calls with Microsoft when we were setting up this solution. They showed us how we can do this and they gave us a demo, which was really nice to see the automation. But from the response point of view, we haven't enabled any automation as of now because we are still in the nascent stages of setting this up. We have done multiple integrations, but, still, there's a lot of ground to cover. So, the response is something we would look at last. I think the response side also has a lot of automation and correlation, but we haven't worked on that as of now.

The time to detect and time to respond has been reduced considerably. Detect, because the analytics that is done by Microsoft Sentinel is near real-time, and response is based on us. So, when we see the alert, we respond to it, and we wait on the teams to receive an answer. Previously, the SOC guys were doing this. It was really slow and, sometimes, proceeded at a snail's pace. With Microsoft Sentinel, at least one part of it got addressed, which was running these queries with the SIEM and getting to analyze multiple events to go onto a specific security incident. That time has been saved by Sentinel. I would say 20 to 30% of the time to respond and detect has been saved.

In terms of Microsoft Sentinel, I think a large part of it has been automated by Azure itself. From a customer point of view, all you have to do is just run some queries and get the data. In terms of connections or the connectors for multiple data sources or multiple log sources, it's very easy to just set it up, be it Azure-native services or something customized, like some connection with the on-prem servers or things like that, or even connections with the other cloud platforms, such as AWS. The connectors are really one thing I appreciate. I think it sets Microsoft Sentinel apart from other solutions. Apart from that, the analytics that it performs and the built-in queries that it has, are valuable. A lot of automation on part of Microsoft Sentinel is really commendable.

Microsoft Sentinel definitely helps prioritize threats across our enterprise. I think Microsoft Defender for Cloud would also come in when we talk about this because Microsoft Defender for Cloud and Microsoft Sentinel work in conjunction with each other. We can set it up that way so any alerts that are found in Microsoft Defender for Cloud are forwarded to Microsoft Sentinel. Then, the prioritization is set based on the standard criticality, high, medium, low and informational. So, from our sense, what we can do is, we can simply target the high incidents.

Another thing is that it very efficiently correlates all the events. So if multiple emails have been sent from a single email ID, which is supposed to be a phishing email, Sentinel identifies it, flags all the emails, and it can very beautifully track all of it from their console such as who clicked it, when did they click it, which ID was it, who received it. So, in terms of all that, correlation also helps us prioritize those events.

Prioritization is important. If we have a bunch of alerts and we started investigating some alerts that are not of that much value, some alerts would get ignored if the prioritization was not set correctly. So if it's a phishing attempt and, in another area, we find that there's a brute-force attack going on, we would first want to address the phishing attempt since, in my opinion, in my experience, the probability of getting a link clicked is high rather than a password getting compromised by a brute-force attack. So, in those terms, prioritization really helps us.

Microsoft Sentinel definitely enables us to ingest data from the entire ecosystem. Microsoft Sentinel has around 122 or 123 connectors. Although we haven't set up the solution for our whole ecosystem, be it on-prem, Azure Cloud, AWS cloud, or any other cloud for that matter, looking at the connectors, I feel like there's a whole lot of support, and possibly, we can cover our whole ecosystem, with some exceptions for some solutions. Exceptions are always there. From a coverage point of view, I think it's pretty good. We can cover at least 80 to 90% of our ecosystem. Obviously, it comes at a cost. So at that point in time, it could get very costly. That is one downside.

From the SOC point of view, everything depends on how good the data you are ingesting is and the amount of data you are ingesting. So, the more data we have, the better insights we would have into what activities are going on in our cloud environment, and in our on-prem environment. So it's very critical to have the right data ingested into things like Microsoft Sentinel. Otherwise, you could have a great solution but an ineffective solution in place if you don't have data ingestion configured in the right manner.

Investigations are something really remarkable. We can drill down right to the raw logs by running different queries and getting those on the console itself.

The number one area of improvement for Sentinel would be the cost. 
At this point in time, I feel like, simply because we are a huge organization spread across the globe, we can afford it, but small and medium businesses cannot afford it. Maybe it's not meant for them? I don't know; that's a debatable topic. But even for organizations like ours, a problem that we face and for some of my other friends that I have talked to, it's a great solution, but we cannot deploy it everywhere because, frankly, we overrun our budget.

One thing that would really help or benefit would be the alerts that get thrown up. I've seen multiple alerts. For example, external file activity or external user activity. I open those alerts and there is absolutely no information in them. If there's external user activity, then who is that user, what is something that they are doing, how did Microsoft Sentinel detect this, or what were the analytics based on this outcome that it was a malicious activity or there was something anomalous or something like that? There is some particular type of alerts where a bit more data enrichment would help us.

The alerts get thrown out, and this is something we generally see with any kind of SIEM or any kind of other detection-based solution. For example, in an EDR solution or a vulnerability solution, the typical problem is alert fatigue. We get so many alerts that we start to see a large amount of them, and then we don't know where to start. Although here, we have the prioritization already shared by Microsoft Sentinel, so we have a starting point, but then it never ends. Perhaps tweaking and reducing the number of alerts that get thrown out, and enriching those alerts with more data would help. A lot of these alerts are just very normal things. They are not security incidents in their truest form, but it does take up our time just viewing those alerts. And sometimes, it also lacks a lot of information, like who did what, at exactly what time, and why did Microsoft Sentinel think that it was a malicious incident. That is one question I see a lot of times myself and don't get an answer for, like, "Okay, I get this a lot, but why do you think it's a security event?" So, enriching those alerts with more data might be a good area of improvement for Microsoft Sentinel.

The number of dashboards is something we complained a lot to Microsoft about, "You have great solutions, but you have a different console or a different dashboard for everything. So, as a person who is responding to these alerts, it really becomes overwhelming juggling between multiple different screens, dashboards, tabs, and windows." They have acknowledged this and they have mentioned to us that a lot of other customers made the same complaint and they're working on integrating these dashboards. So, for example, if you are using Microsoft Defender for Cloud, in one click you can reach a Microsoft Sentinel page wherein it would show you the raw logs. It sometimes gets overwhelming viewing the same alert on multiple different dashboards. In one sense, if I had to give an example, you might see an alert on Microsoft Sentinel, but it won't have much data to it. To drill down to the very specific raw data, you would have to go to some other console. You would have to go to the source of that event or detection, be it Microsoft Defender for Cloud, MDI, or MCAS. So in those terms, we have to sometimes juggle through all these dashboards and tabs of multiple solutions.

I have been using the solution for eight months.

I think the solution is pretty stable. I didn't see any aberrations or anomalous behavior of Microsoft Sentinel. And that's the benefit of having a managed service. Downtime is quite less. Especially from providers like Microsoft. With Microsoft Sentinel, we didn't feel like there were any hiccups in the operations or any sort of problems we faced with the solution, as of now.

This is something good about having a managed product, you don't have to worry about scaling. And this is exactly the problem we felt with our existing on-prem solution LogRhythm: the scaling was not possible because of the cost included. With Microsoft Sentinel, you have to pay extra, but you don't have to worry about setting up more servers, configuring them, patching them, doing all the maintenance, and doing additional administrative work. The solution is pretty scalable.

Based on our interactions at the time of setup, after that, we didn't really require that much assistance from Microsoft. So, at the time of setup, they really helped us with insights and with decisions that we had to take based on our organization type and how we work. We have teams distributed globally across multiple time zones, and similarly, we have data and operations distributed all over the world. So this becomes a challenge when dealing with anything related to IT. So, Microsoft did really help us with setting it up. From a technical-assistance point of view, at the initial stages, it was a good experience.

Neutral

Our on-prem solution is LogRhythm and the reason we decided to add Microsoft Sentinel was scaling up of LogRhythm would have been a huge cost to us. Because right now, on-prem LogRhythm is running on multiple VMs, so their cost structure is very different. If you run the same setup on Azure, it's just an exorbitant amount of money. So that was one factor that we chose not to scale up LogRhythm to our cloud environment and looked for some other solution. The other reason we went for Microsoft Sentinel was that it is cloud-native. Since it's a managed service from Microsoft and from Azure themselves, not just time but also a lot of responsibility on our end gets transferred to the cloud provider of just setting up and maintaining that infrastructure, updating and patching all those systems, and doing that maintenance work. That overhead gets taken off our heads. That's why we were looking for a cloud-native solution. And hence, in our comparison, in our multiple rounds of discussion with internal stakeholders within the cybersecurity team, Microsoft Sentinel seemed like a perfect fit, so we went ahead with the solution.

The initial setup is pretty straightforward. We didn't face many problems or complexity. We had everything running in a couple of weeks. The deployment was just me and one other person from the security team. She had a lot more experience with Microsoft 365 and the MCAS side of things. And I was more from an Azure infrastructure point of view, Defender for Cloud and the like.

We started the deployment from scratch and we brought on Microsoft for assistance. We already have a huge presence in Azure, so we already had a Microsoft contact. We reached out to them. We mentioned that we want Microsoft Sentinel on board. We got in touch with their own cloud security and Microsoft Sentinel experts. They advised us, but I can say all the setup and all the operational side of things we did because if Microsoft did it then that would be handled by the consulting arm of Microsoft and that would be a full-fledged project, which would have its own cost. So Microsoft had to play a role as an advisor. We used to get about four IT calls to set it up. Whatever Microsoft recommended us to do, we went ahead with that.

First of all, we enabled everything that was free of cost. When you onboard Microsoft Sentinel, you pay some fee for the solution itself, and with that, you get some free connectors. So Azure AD sign-in and audit logs are one thing, Azure activity logs, and Microsoft Defender for Cloud are another. All these integrations don't cost anything extra over and above. So we started off with integrating all of that, and later on, slowly and steadily, we scaled up our integrations. There's still a lot of ground to cover. We aren't there yet with what we envisioned initially.

At this time I don't have an answer about a return on investment but it is something we have been contemplating inside our own team and we have been thinking of since we talked about how good a solution Microsoft Sentinel is. We cannot enable it across the organization, so we are thinking about creating a story of how much value, not in just terms of money but how much value in terms of security has the solution brought for us, and communicating this idea to other stakeholders in other teams and probably to the leadership, and maybe getting a little more budget for this project.

Microsoft Sentinel is definitely costly. If we factor in the cost of other services, MCAS, MDI, and Microsoft Defender for Cloud, it gets seriously costly, to the extent that we cannot enable it across the organization. It simply overshoots the budget by a huge margin. When talking about the Microsoft Sentinel piece itself, let's say we have set up custom integrations and it does not cost us that much, it is definitely costly. If we talk about log retention, then it is even more costly. Comparing it to the other solutions, in fact, when we started off with the SIEM solutions for the cloud, we did do a comparison between which one would be the best: the classic Splunk, like we used in our on-prem, or maybe Microsoft Defender for Cloud. So, for our use case, Splunk was also a bit costly but less than Microsoft Sentinel. We went ahead with Microsoft Sentinel being a cloud-native platform on our side, the effort would be a lot less. Splunk would require to be set up from scratch. From a cost perspective, Microsoft Sentinel is quite costly.

We compared Splunk with Microsoft Sentinel.

I give the solution an eight out of ten.

We have used and tested additional Microsoft solutions. At one point in time, we used Microsoft Defender for Identity, MDI solution, but it was for three to four months only. We discontinued it because it was more of an experiment and the guys from Microsoft gave us the license for that product for a limited time for testing. We were short on budgets, hence we could not leverage or we could not go ahead and purchase it. Another product was MCAS, Microsoft Cloud App Security. Primarily, we use Microsoft Sentinel. Microsoft Defender for Cloud is also used, but it has not been enabled on a lot of resources because it has a cost implication. So cost is a huge factor that we have to think about every time we do anything in security related to all these four products. 

Wherever it is possible, wherever we have identified some critical resources and we had the budget, we enabled Microsoft Defender for Cloud and then integrated it with Microsoft Sentinel. Integration is super easy for anything which is an Azure service. It's mostly about doing a couple of clicks or maybe running a couple of commands. For Azure-native services, it's very easy, be it integrating the Azure AD logs or Microsoft Defender for Cloud or things like that. If I remember correctly, I integrated Microsoft Defender simply by flipping a toggle on the console. So it was easy to integrate Microsoft Defender for Cloud.

The coordination among all these tools is really marvelous. Although my role is not exactly that of an incident responder or from a SOC point of view, if I was a SOC person or an incident responder, it really takes the load off of my work to look around and to correlate that, and open four, five tabs and just juggling through them and trying to make a story. Microsoft Defender for Cloud, Microsoft Sentinel, and MCAS, all of them do it for us. So you just have a single pane of glass. Although these are four different products and you sometimes do have to juggle around, but not to that extent. Many times, it happens that your job gets done with just a single pane of glass.

I think the coverage is comprehensive from a protection point of view for all these four, or five products from Microsoft.

The bi-directional sync capabilities of Microsoft Defender is an option that we get at the time of integrating the solution. This is exactly what I mean by using the toggle button to integrate Microsoft Defender for Cloud with Microsoft Sentinel.

I would say the sync capabilities are both critical and a nice add-on to have. Even if it's not critical and there was no sync between Microsoft Defender for Cloud and Microsoft Sentinel, we would still be doing our job of looking at two multiple portals. But since Microsoft does it for us, then it's really good to have. It takes the load off our shoulders and we could do other tasks and possibly look at more alerts instead of juggling through these portals between Microsoft Defender for Cloud, Microsoft Sentinel, MCAS, and MDI.

Investigations are something really remarkable. We can drill down right to the raw logs by running different queries and getting those on the console itself.
In terms of response, I do not have that much experience in automating the responses or letting Azure handle it, because we feel like the automation here might go wrong and we might have to face another incident caused by some sort of misconfiguration. So, at this point in time, we respond manually to the alerts. We don't use many of the response capabilities of Microsoft Sentinel. I did have a look at what I think, these are called playbooks, which are based on LogicHub. They do seem very promising, but we haven't used those functionalities as of now.

If I had to rank the three capabilities in terms of comprehensiveness, at the top would be SOAR. I would put threat intelligence and UEBA second. I haven't used both of these capabilities that much. We haven't enabled UEBA in our environment. Threat intelligence is the default one. Again, this is something we haven't enabled on a custom basis or something add-on; it's the default one that Microsoft provides.

In regards to proactiveness, I don't feel like there is anything proactive about the solution. It's mostly reactive. The nature of the whole SIEM is reactive: you analyze the logs, you get some alerts, and then you react to those alerts. I think in terms of prediction, I don't see it like that. But in terms of using threat intelligence, I definitely think that it really adds value when, for example, there's something legitimate in the email, there's something malicious. But when it comes to the unknown, when you cannot determine if it's good or bad, it adds value there, its threat intelligence, by simply stating that. Just a couple of days back, we had an alert that said that "URL was clicked," and it wasn't able to determine the nature of the URL: Was it malicious? Was it bad? So it gave us a low or an informational alert. Threat intelligence helps us in those situations.

The solution has saved us time in two aspects. A tremendous amount of time is saved in terms of integration. Nowadays every organization across any sector you talk about has a lot of IT solutions and security solutions in place. You talk about network devices, VPNs, security devices, these collaboration services, et cetera, all of these generate a lot of data integrating and investing all of that data into SIEM is really critical for the SIEM to function properly. That is something that Microsoft Sentinel does quite well. And I see that they are always working on not just creating those integrations but also making them very easy to configure, from a customer point of view. So, those integrations are one thing that I really like about Microsoft Sentinel. The second is the correlation of these alerts across multiple of these integrations. So, integrations and correlations are two aspects that I really like about the solution. I would say the solution saved me around 50% of the time. Simply, it's less of running the queries on a standard SIEM solution and more of clicking on the dashboards. So the typing time gets taken off and the loading time of getting the results back, and doing this over and over again with a typical SIEM solution, that has been absorbed, by the solution. Microsoft Sentinel does it for us. Our time has been saved in that sense.

I would say that, since the solution saved us time, and time is money, in that sense, the solution has saved us money. On the other, hand the solution's cost is such that it might have balanced out. So, I can say it saved us money in one sense, but I don't think it's because of the solution, it's because of how the processes are set up in our firm. When we find some detections primarily from Microsoft Defender for Cloud, we share it with the team and we get to know that "XYZ resource is not in use anymore," and it probably gets deleted. So, in that sense, resource getting deleted, obviously, would stop incurring the money and the extra cost that we would have been paying. In that sense, our money is saved, but I wouldn't really put Microsoft Sentinel there because if there was any other solution that would also do the same, the resource would eventually get deleted.

Microsoft Sentinel runs on top of Log Analytics. And right now, we have it just hosted in the European region, but logs get ingested from all over the world, and the logs are of all types. Such as Microsoft Defender for Cloud, Azure AD sign-in logs, audit logs, Azure activity logs, and MCAS. We stopped using MDIs. We also have AWS. From AWS, there is a couple of log types. I think it's the CloudTrail, and events around S3 buckets and Kubernetes, although we don't use Kubernetes. That is all that is configured as of now with Microsoft Sentinel.

Four people in our organization use the solution. We have a dedicated SOC team, two guys are from the SOC team: one is me, and one is another person who has experience with Microsoft 365, and two people from the cybersecurity team.

I don't think there is any maintenance required. But there is overhead administration. So far, what I have experienced, it's just about integration. If you have to get started with the integration, then that's the overhead administrative effort on your head. Otherwise, it's not much of a problem. Everything is pretty smooth and automated with regard to maintenance.

There's one guy in our organization who for some reason, doesn't really like Microsoft and its products. He thinks that it's a way for them to catch us in a net and then upsell all their services to us. But I have a different, opposing view. I think, yes, they do have their own strategy of upselling and cross-selling all their products and solutions, but I think they are pretty good when working with them with those solutions, be it Azure as a whole cloud service, or just one part of it like Microsoft Sentinel. It takes off a lot of overhead, also, in terms of when you want some support, since it's a one-vendor-based solution, they would be much more helpful to support you and give you the right resolution in comparison to having three different products from three different vendors. What happens is, more often than not, they all start blaming each other, and then there's a blame game going on, and we, as a customer, have to suffer with whatever problem we are dealing with. So, I would go with having one vendor's solution, provided the vendor is not the kind of vendor that just sees you as a cash cow.

The only advice I would give to someone is that when you are evaluating the solution, if possible, you onboard people from Microsoft so they can help you and guide you. It's their product, they know how to best use it. So you would be in a better position right from the get-go, and it would also save a lot of time and effort in case you did something wrong or you chose a bad design decision, which might end up wasting a lot of time in the future. So, one piece of advice I would say is, simply to onboard Microsoft and it won't cost you extra. I don't think it would cost you extra. If you are already using any good Azure service or Azure itself, then that could be possible with the help of the account manager and the relationship that you have already with Microsoft. 

I work for a security operation center. We use Microsoft Sentinel to monitor the tenants of our customers and provide automated investigations and feedback and alerting.

If something happens or if we get an alert, we also use it to investigate further. We do a deep analysis of the logs that we ingest from our customers. We also have many automation rules built into Microsoft Sentinel to reduce the noise and not-true positive alerts.

There is the ease of setup and ease of use. When we get new customers, we do not need to go onsite, build a system inside their on-premise network, and spend a lot of time setting up the systems. We can easily deploy a new Sentinel solution for a customer with automated templates, which benefits a lot in onboarding new customers. Because we have integrated it with many other security solutions from Microsoft, we can also perform many actions for which we otherwise would have needed VPN access or would have had to go to the customer site. So, the main benefit is that we can easily do anything from anywhere without having to spend much time setting up and onboarding.

We have combined it with other tools such as Microsoft 365 Defender Suite. With all tools combined and the customization that we have developed, we get pretty good insights into possible threats. It all depends on the logs you ingest. If you ingest the right logs, you can get very meaningful insights.

It helps us to prioritize threats across the enterprise. It does that in a very good way. It prioritizes the threats based on multiple factors. If multiple similar incidents happen or suspicious related activities happen at the same time, the incident gets a high priority because that's likely to be a real threat, but it also ingests the priorities that come from the other tools. You also have the ability to adapt priorities because each customer is different. Each business is different. We give our customers a standby for tickets that come in with priority two or higher. Microsoft Sentinel also gives us the chance to lower priority on some cases or upper the priority on some cases depending on the business use case of the customer.

We are a Microsoft security company, so we try to use as many Microsoft security tools as possible. We have Microsoft Defender for Cloud and Microsoft Defender for Office 365 as well. They are integrated into Defender 365 currently. We use the compliance portal. We use Microsoft Purview. We use Microsoft Sentinel. We use Microsoft Defender for Key Vault. We try to use as many security solutions as possible.

We have integrated these products with each other, and we have succeeded in it as well. Each product is at least integrated with Microsoft Sentinel by either using the way provided by Microsoft or a custom way to ingest data. We have integrated Defender 365 and other tools as well. We try to ingest alerts only from one place, if possible. We have integrated everything into one portal, and we ingest the data only from that portal. The integration for Microsoft solutions mostly works natively, but some of our customers have third-party solutions that we can integrate as well.

It's very important that Microsoft solutions work natively. When they work natively, you can have more built-in functionality for them. They are much more maintainable, and it does not take as much time to set up versus when you have to make a custom integration to something.

Microsoft Sentinel enables us to ingest data from the entire ecosystem. We can make custom integrations. If you have Linux machines or on-premises networks, you can set up a log forwarder inside the network and ingest the data that way into Microsoft Sentinel. There are many possibilities to ingest data from all locations, which is necessary for an XDR/SIEM solution. This ingestion of data is one of the most important things for our security operations because if we cannot ingest any data, we are partially blind on that side.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place. You do have to learn the KQL language, but it's similar to many other languages that are created by Microsoft or adopted by Microsoft. It's not that hard to learn. If you know it well, you can easily perform analysis on a whole bunch of data, whereas without Microsoft Sentinel, you would have to perform the analysis at many different places. Microsoft Sentinel gives you the possibility to do it just in one place.

We do not use all the functionalities of Microsoft Sentinel. For example, hunting queries are something that we do not use often, but their threat intelligence is updated quite regularly. We have tried it in Purview, which is a separate threat intelligence license that you can buy from Microsoft, but Microsoft also provides basic rules that alert on multiple threat indicators they detected earlier. They are very useful at the beginning sometimes. You have to remove those rules yourself as soon as they get outdated. The alerting that we get out of the threat intelligence provided by Microsoft itself has been valuable many times for our use cases.

Microsoft Sentinel helps automate routine tasks and the finding of high-value alerts. If we see many recurring alerts that are always suspicious but not really malicious, we can build our own automation rules that auto-close these alerts or automatically lower the priority on those alerts so that we are not getting too many notifications from alerts that are not worth investigating. It's really easy to do that. You can do it in many ways. To do the automation, there is a user-friendly interface. There are just drag-and-drop steps. It helps a lot, and it's easy to implement as well.

It has helped to eliminate having to look at multiple dashboards and have one dashboard for the analysis part, but for the response actions, it hasn't eliminated that because we have to log on to the Microsoft Defender security portals to perform most of those actions. For the analysis part, the alerting part, and the automated investigation part, this is the solution.

Its threat intelligence helps prepare us for potential threats before they hit and take proactive steps. For example, as soon as the Log4j vulnerability was known to the public, we immediately got alerts. We were able to take immediate action and remediate the vulnerability. We immediately knew how to prioritize our customers because we knew which customers already had active exploitation. Most of the time, such attempts were blocked, and if they got through, then the machine was luckily not really vulnerable, but it has been very helpful at that point to immediately assess the criticality for our customers. The attempts were not successful for many reasons. It also blocked them immediately.

It has saved us time. Especially because of the automated investigation part, it saved us a lot of time. We also have automated reporting, which also saves a lot of time each month. We provide our customers with a monthly report. If we had to do it manually and gather data from many different places, it would take a lot of time. Even if we had to fill it in manually in Microsoft Sentinel, it would take a lot of time, but because Microsoft Sentinel already ingests all of the data we use in our reports, we were able to write an integration with Microsoft Sentinel, which takes care of 75% of our reporting, and then we only have to do our analysis part. The data is already filled in, which saves a lot of time each month. The time savings went from one day per customer to one hour or two hours. For nearly fifteen customers, it was fifteen days, and now, it's 30 hours, which is more or less four days. It saves a lot of time each month that can now be spent on improving our service or performing deeper investigations on newly known threats and proactively act on them.

It hasn't reduced our time to detect because we have been using Microsoft Sentinel from the beginning. So, we always had the same response time because we only used Microsoft Sentinel for our alerting. It integrates well with Atlassian tools and ServiceNow tools, which gives us the ability to be alerted very fast on something, and then we can act immediately.

It's easy to use. It's a very good product. It can easily ingest data from anywhere. It has an easily understandable language to perform actions. You can use the entire Azure cloud to perform automated actions and automate investigations. The possibilities are more or less limitless because you can integrate Microsoft Sentinel with many resources inside the Azure cloud. If you integrate the security tooling with it, you can also make use of the data that Microsoft gathers from all Windows operating systems about malware, for instance, or about possible attacks. They ingest that data from so many sources, and you can make use of it. It helps a lot in discovering new vulnerabilities. We can almost immediately investigate them because Microsoft is always on top of things.

Threat intelligence could be better because we have had some cases where we got alerted online for many things all of a sudden. It was because some updates happened in the background, and we didn't agree with the use cases or how they were built. That part of threat intelligence could be a little better.

We have also had incidents where other tooling got an update but Microsoft Sentinel didn't update.

Microsoft Sentinel is a simple and straightforward solution. It could have a better API to be able to automate many things more extensively and get more extensive data and more expensive deployment possibilities. It can gain some points on the automation part and the integration part. The API is very limited, and I would like to see it extended a bit more.

We have recently turned on the bi-directional sync capabilities of Microsoft Defender for Cloud. It works pretty well, but sometimes, it just syncs only the incidents and not the alerts behind them or the other way around. That was the only thing. That was a recent complaint we had. Other than that, it works well.

I've been using Microsoft Sentinel for nearly two years.

It's very stable. We have many different Microsoft Sentinel instances running. Apart from some cleanup and maintenance, they all are running without any issues.

It's very scalable. As long as you send the right logs, it can ingest them perfectly, but, of course, the more logs you ingest, the higher the price, so you have to be very careful and very concerned about the logs you are ingesting in Microsoft Sentinel. You have to make sure that the logs that you ingest provide value for your security and are not useless.

I have not contacted them regarding Microsoft Sentinel, but I have contacted them for other solutions. Sometimes, we can't figure something out ourselves or we have questions about the new features that are made public. If we have a question or need assistance in any way in providing support to our customers, we can count on support to help us. I have not had a bad experience with them. We are also a Microsoft partner, so we get quick replies and have direct contacts within Microsoft sometimes for some cases. If we need support, they always help us very well.

Overall, I would rate them a seven out of ten because sometimes, they take a long time or you get redirected many times to another colleague before the issue is resolved, but in the end, they always help us out, and everything is fixed.

Neutral

In my previous job, we worked with local or on-premise systems, but the security monitoring was not that strong at that time. This is my second job, and in this job, I've only worked with Microsoft Sentinel.

I worked on one of the deployment scripts we use for our customers, but I was not involved in its initial deployment. I deployed it once for a customer by using the Azure resource manager template that I built. It was rather complex because the documentation was not up to date or correct at that time. When working with Microsoft Sentinel, sometimes the documentation is not as up-to-date or complete as it should be in my opinion.

The number of people involved in its deployment depends on the size of the customer, but usually, one or two people from the team do the deployment. One person works on the deployment of Microsoft Sentinel, and the other one usually works on the deployment of other components, such as analytics, automation, etc.

It does require maintenance. In order to stay up to date and keep evolving on the threat landscape, you have to keep looking for new analytic rules, new investigation techniques, and new automations. You have to constantly improve your Sentinel in order to stay on point and detect and have complete detection scenarios. Sometimes, the rules that are provided by Microsoft or the settings or conditions that are provided by Microsoft get deprecated or get a new update. You have to follow that up as well in order to stay up to date with the things Microsoft changes or recommends.

If you want to use Microsoft Sentinel, you should start thinking about the logs that you want to ingest. You should identify the ones that are important and also think of the use cases and what you want to detect from those logs. If you make the right choices on these two things, the setup and the integration with other tools will be very easy because you know from where you want to ingest logs and you know how to create analytics rules, automation rules, and things like that to detect the things that are critical or important to the security of your business.

To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that with a single vendor, we can integrate everything like a single product. We use Azure Active Directory, so we can easily secure authentication across multiple products and manage access permissions. On top of that, we have a single pane of glass where we can investigate and perform analysis in a very easy and user-friendly way, which saves a lot of time. We don't have to click through many different portals and know where to look each time. We don't have to learn the configuration, the setup, and the actions we can perform in each system because everything has the same interface. We only have to learn the things that Microsoft provides and not different products. The single pane of glass saves time and makes it much easier to investigate and respond and secure the environment.

Overall, I would rate Microsoft Sentinel an eight out of ten. I'm very happy with it, but no product is perfect. It can improve on some points, but overall, it's very good.

Sentinel is Microsoft's SIEM solution, similar to QRadar, Splunk, etc. It is the primary tool used by our Security Operations Center.

Sentinel enhances our visibility by integrating with on-prem and cloud log sources. It provides visibility into any cloud environment, including GCP and AWS, not just Azure. With Sentinel, we get end-to-end coverage of all types of infrastructure. Last week, I was talking to a client who already had a SIEM solution, and they had just deployed Sentinel through us. I asked them why they wanted Sentinel when they already have an MSP. They told me their SIEM solution doesn't cover the cloud, so there's clearly a gap. Sentinel covers on-premise and all the cloud providers. It has a highly flexible ingestion method. There are seven or eight ways to ingest.

A lack of total visibility is a significant pain point for security analysts working on a SIEM solution. Furthermore, even if they have visibility, they might not be able to take remedial action because the company lacks a license or a separate SOAR solution. In that case, you need to have integration for each playbook. Sentinel addresses all of these issues out of the box. 

The SOAR component of Sentinel can automate some routine tasks. Sentinel comes with around 180 different playbooks you can execute with one click. If you face a type of incident, you can run a specific playbook or automate it to run each time the incident is triggered. These automation features make our lives easier. Analysts have to do the same tasks over and over again. It's a nightmare that makes you want to give up sometimes. You are dealing with the same incidents many times daily for many MSPs and customers. The playbook is incredibly beneficial.

It also reduces the number of dashboards we need to check, and you can create a custom dashboard. There are also several preset dashboards from Microsoft that are solution-specific. For example, if I'm using Defender for Office, it has a separate dashboard for Office that I can customize. I can also see everything from one console if I want. It's highly flexible.

Sentinel saves time because you don't need to look at multiple SIEM solutions, like IBM, Splunk, AlienVault, McAfee, etc. You need to spend time deploying those solutions, and there's a learning curve, whereas Sentinel is cloud-native. You click "next," "next," and "next," and the whole solution is deployed in the cloud in five minutes. Other parts, like integration, are native. It takes only a click to integrate all the services. Sentinel has its own agent, so it's easy to deploy the agent and start collecting logs. Overall, Sentinel requires less effort than other solutions.

It also saves us money because deployment costs less. Many SIEM solutions charge for the log forwarders deployed in the client's system. Sentinel is free. You have a VM in the cloud or on the client infrastructure, and there is just a script to turn that server into a log forwarder. 

Sentinel speeds up our response, but I don't have any hard numbers. It depends on how well you have configured it. You can go to an incident and then click on each playbook in sequence, or it can be automated to run a playbook when an incident is triggered. You don't need to go into the interface and do anything.

Sentinel proactively responds by detecting IOCs in our environment and automatically triggering an incident. The threat intelligence feed is typically based on IOCs, like malicious IP, UR, hostname, file hash, etc. However, real proactive response requires you to buy threat intel from different providers. Those companies provide you with information before an attack occurs anywhere. For example, there could be dark web forums where attackers discuss an attack on organization XYZ, and the threat intel provider informs us about that. That's an entirely different thing, but Microsoft has built-in rules for any threat intelligence matches. 

I've worked on most of the top SIEM solutions, and Sentinel has an edge in most areas. For example, it has built-in SOAR capabilities, allowing you to run playbooks automatically. Other vendors typically offer SOAR as a separate licensed solution or module, but you get it free with Sentinel. In-depth incident integration is available out of the box. 

Having all these solutions built into a single platform is an advantage. Once any malware is detected, it only takes a single click to run the playbook, and it will do the desired actions. It may be blocking an IP address or isolating a machine. 

The SOAR, UEBA, automated detection and response, and threat intelligence capabilities are comprehensive. I have 10-plus years of experience working with different SIEM solutions. This is the best by far. Everything is integrated, and there is so much flexibility, whether you're trying to customize ingestion or run custom playbooks.

Sentinel performs well when searching a large amount of data, like two months of logs. Sentinel uses underlying big data and KQL, which is highly efficient in query performance. I also like Sentinel's user behavior analytics. UEBA is another solution vendors typically sell as a separate product, but it's included with Sentinel for free. It has integration with other multiple cloud platforms, whereas most vendors lack this capability. 

When comparing visibility, we need to also compare at the company level. Microsoft doesn't only provide a security solution. They have a cloud platform with many services and security products that feed threat intelligence into Sentinel. There are many backend things that Microsoft does in cybersecurity. That is an added advantage that comes with this solution.

The native integration with the vast Microsoft ecosystem is a huge advantage. Another good aspect about Sentinel is that you can integrate all the Microsoft technologies with one click using the backend APIs. It's a seamless process because Sentinel is a Microsoft-native solution. It doesn't take much effort to do the integration.

We also use Defender for Endpoint, Defender for Cloud, and Azure firewall. Most of our customers already use some Microsoft services, so when we integrate their environments, we integrate Defender for Endpoint and Defender for Office 365. We also have Azure Activity, Azure Identity Protection, and many other solutions from Microsoft.

Microsoft products can be integrated with one click. You check a box, and it integrates with that service on the backend. You only need to set the permissions only. Integrating third-party solutions requires the same effort that would be necessary for any other SIEM solution. 

All the solutions work together seamlessly to protect our environment. For example, Defender for Endpoint detects threats on the endpoints, and you see the same alerts within Sentinel. If Defender for Office detects a malicious email, it feeds that incident to Sentinel. The whole ecosystem is integrated there.

Sentinel ingests data from our entire environment. There are seven or eight ways to ingest data. You can install agents through LogStack or do it through APA calls. There are many ways to ingest everything that's required. We have had cases of custom applications running critical services for clients who wanted to ensure they were being monitored. 

The out-of-the-box integration wasn't there, but other methods of ingesting the solution exist. We used one of the custom methods with LogStack, and we could use onboard these applications. Managed services need to have that kind of flexibility for product onboarding.

We have been working with multiple customers, and every time we onboard a customer, we are missing an essential feature that surprisingly doesn't exist in Sentinel. We searched the forums and knowledge bases but couldn't find a solution. When you onboard new customers, you need to enable the data connectors. That part is easy, but you must create rules from scratch for every associated connector. You click "next," "next," "next," and it requires five clicks for each analytical rule. Imagine we have a customer with 150 rules.

It can be a nightmare. It would be much easier if Microsoft provided a way to select all the rules you need, and you can click once to create them. I went to multiple forums to find a way to automate this. Unfortunately, the best I can do is a semi-automated method. Half of them can be automated, but you must do the rest manually. 

For now, we are doing it manually, and our DevOps team is assigned to do this. Some APIs could be used. We leverage the Azure Insights PowerShell module to do the automation part. Currently, the team is working on it, but I know from the discussion that the solution would only be semi-automated. We can't fully automate this because it simply lacks that capability. Many people in the Microsoft community have already requested this solution. Hopefully, Microsoft will implement this feature.

These solutions provide comprehensive protection, but there is always room for improvement. For example, virus removal has 98 different antivirus engines associated. Still, if you are searching for a malicious IP address or a hostname, some solutions will pick it up, and others won't. It's okay overall. I wouldn't say it isn't good enough. It does what we need, but sometimes another solution does it better. It depends on who detects it first.

I've been using Sentinel for nearly a year.

Sentinel is a cloud-based solution, so everything is handled by Microsoft. We haven't experienced any outages. With any on-premise solution, you will see downtime when there are problems or changes in the infrastructure.

Sentinel is highly scalable. It's on the cloud, so we can scale up to any level. There are two models: pay-go and commitment tier. The commitment tier is there to help reduce costs. If you're a large organization with high volumes of data coming in, Microsoft recommends the commitment tier, which will save you 40-60%. Scalability isn't a problem.

I rate Microsoft support nine out of 10. Within all Microsoft services, there is a link you can use to contact support and raise a ticket based on severity. If it's something that will impact business, they are available 24/7. Once we get a call from them, they follow up around the clock until it's closed. It isn't bad.

Positive

I've worked on Splunk, QRadar, LogRhythm, AlienVault, McAfee, Juniper STRM, etc. I started using Sentinel when I joined this company. We are Microsoft Gold partners. However, my feedback is neutral as an analyst. Compared to other solutions I've used, Microsoft is easier in terms of integration and deployment.

We've seen an ROI. Having used multiple SIEM solutions, I would recommend Microsoft Sentinel for the ROI, integration, cloud visibility, customization, etc. 

The price is reasonable because Sentinel includes features like user behavior analytics and SOAR that are typically sold separately. Overall, a standalone on-prem solution would require some high-end servers at a different cost. It is a cloud-based solution, so there are backend cloud computing costs, but they are negligible. 

The most significant cost factor is log ingestion. The best approach with any SIEM solution is only to ingest the necessary security-specific logs. You consume the EPS licenses, memory, bandwidth, and CPU. It doesn't make sense to forward and dump everything into any SIEM solution. If you are doing the architecture correctly, you send the right amount of logs.

On top of that, Sentinel provides you with a workbook that tells you which log costs how much. You can optimize that part so it's cost-effective. Its dashboard offers clear graphs and charts, showing which log sources ingest the most logs, contributing to the cost. We can easily cut 40-60% of the price if we do appropriate fine-tuning. As long as you're doing the fine-tuning regularly, it's a highly cost-efficient solution.

I rate Sentinel 10 out of 10. At the same time, I understand no solution is perfect. I've had multiple issues with SIEM solutions I've used previously. Sentinel is missing one minor feature that could be added eventually. I have no complaints about the core functionality.

A large enterprise client contacted us about replacing Splunk with Sentinel, and their team wanted a side-by-side comparison. They're pretty new to SOC, and I've been in the field for a long time, so I told them that it's hard to do an apples-to-apples comparison. In many instances, you won't see much difference between the two, and Sentinel might beat Splunk in certain cases.

However, the essential component they would be missing in the comparison is the ecosystem. Sentinel can leverage a huge ecosystem on the backend that Splunk or any other solution simply can't. Splunk specializes in SIEM, but Microsoft covers the full cybersecurity spectrum. When comparing solutions, customers should look at the whole ecosystem and not only product features. 

A best-in-breed strategy works for some categories of security products. For example, it was an organizational policy that we would not purchase all of our firewall-related products from one vendor. However, SIEM only does detection based on the type of logs ingested. An organization might have firewalls from Cisco, Fortinet, and Juniper. At the end of the day, these three firewall brands are feeding the logs into one security solution, which is Sentinel. It's a single pane of glass that correlates all threats across your enterprise. It doesn't make sense to have multiple SIEM solutions.

The only cases where it makes sense are in large enterprises like oil and gas. For example, they may have an IT environment and an OT environment. In the IT environment, they have one solution and a different solution in the OT environment. They are silos being managed by different teams. They may have separate budgets and decision-making processes. That's why they have different solutions. Other than that, I really don't see any reason for having two different SIEM solutions in place.

Our two primary uses for the solution are incident management and threat hunting. We use Sentinel and other Microsoft security products for security investigations, threat, team, and incident management purposes. The tool is deployed across multiple departments and locations, with around 8,000 total end users.

We use multiple Microsoft security products, the full Defender suite including Defender for Cloud, Cloud Apps, and Identity, all integrated with Sentinel. 

Integrating multiple solutions is straightforward; as they are all Microsoft products, it's easy for Sentinel to ingest the logs and data connectors. The process is very simple, and we can configure log sources or data connectors in Sentinel in a couple of clicks.  

As a next-generation AI-powered SIEM and SOAR tool, Sentinel provides an all-encompassing cyber defense at the cloud scale. The solution's machine learning capabilities make threat hunting and identification rapid across the entire cloud environment.

The solution provides excellent visibility into threats; it's integrated with Microsoft's threat intelligence platform, which forwards information to Sentinel. We have robust threat detection 24/7.   

Sentinel helps us prioritize threats across our enterprise, an essential function that lets us focus on investigating and resolving high-priority incidents first. When the most significant threats are dealt with, we can move on to the medium and low-priority issues.  

The multiple Microsoft solutions work natively together to deliver coordinated detection and response across our environment; they work very well together, and we trust these products to investigate matters further. 

The Microsoft solutions provide comprehensive threat protection across our entire organization.  

Sentinel enables us to ingest data from our entire ecosystem, which is crucial to our security operation. We require the data not just from Microsoft products but also from different firewalls and other security products, including firewall proxies, web proxies, logs, etc. We can quickly integrate multiple data sources in just a few steps. 

The solution's threat intelligence helps prepare us for potential threats before they hit and take proactive steps. Sentinel's intelligent and fast threat detection allows us to respond rapidly to critical and high-priority incidents by leveraging built-in automation and orchestration tools. 

Using Sentinel gives us time savings of 30-40%.  

The solution also decreased our time to detect and respond by 30-40%. 

Sentinel is a SIEM and SOAR tool, so its automation is the best feature; we can reduce human interaction, freeing up our human resources.

The built-in AI and machine learning are excellent; they reduce the number of false positives by around 90%.

The centralized threat collection is a valuable feature. 

The solution is cloud-native, so it's faster and easier to deploy as there is no hardware or software to implement.

The product is flexible enough to deploy in the cloud and on-prem, which is an advantage over other SIEM tools.

Sentinel allows us to investigate threats and respond holistically from one place, which is crucial because time management is essential during a security investigation. Having all the relevant data in one place enables security analysts to investigate and resolve quickly.   

The solution's built-in SOAR, UEBA, and threat intelligence capabilities provide comprehensive protection. The SOAR capability is excellent and better than other products on the market, reducing our dependence on security analysts, and IT takes less investigation time. We can leverage the UEBA to focus on risky users and entities first during an investigation, which is an integral part of the process. 

Compared to standalone SIEM and SOAR products, Sentinel reduces infrastructure costs by around 50% due to the cloud and reduced maintenance relative to legacy solutions. Sentinel is also approximately 70% faster to deploy than legacy solutions with the same rules. 

The solution helped to automate routine tasks and the finding of high-value alerts. This reduced our dependency on security analysts and their workloads because the solution reduced false positive alerts by about 90%. This freed up our analysts and is the most significant benefit of automation.  

The product helped eliminate having to look at multiple dashboards and gave us one XDR dashboard, which provides us with greater visibility and a reduced time to investigate and resolve.  

The data connectors for third-party tools could be improved, as some aren't available in Sentinel. They need to be available in the data connector panel. 

The solution could have more favorable pricing; the cost is relatively high compared to other SIEM tools, which can be prohibitive for smaller organizations. 

We've been using the solution for over a year. 

Sentinel is stable. 

The solution is scalable. 

The technical support is good and responsive, but in some cases, it took a long time to resolve our issue.

Positive

We previously used IBM QRadar as a SIEM tool and switched because Sentinel is cloud-native and has more comprehensive capabilities, including SOAR capabilities. Sentinel fits our clients' requirements better, as many of them utilize the MS Defender security suite, which gives them a specific grant for free data ingestion. The solution also provides greater visibility.

I wasn't involved in the solution's initial setup, and in terms of maintenance, it's very lightweight; updates are Microsoft's responsibility, so we don't need to do anything.

Sentinel is expensive relative to other products of the class, so it often isn't affordable for small-scale businesses. However, considering the solution has more extensive capabilities than others, the price is not so high. Pricing is based on GBs of ingested daily data, either by a pay-as-you-go or subscription model.

The product saved us money, but actual savings depend on the project size, as the pricing is per GB of ingested data. Our savings are approximately 40-50%. 

We evaluated various solutions, including LogRhythm SIEM, Splunk, and Sumo Logic Security. We chose Sentinel because it's more advanced, cost-efficient has greater capabilities and fulfills our requirements better than the other products.

I rate Sentinel nine out of ten. 

To a security colleague who says it's better to go with a best-of-breed strategy over a single vendor's security suite, it's better to go with multiple vendors. This provides better visibility and avoids a single point of failure.

My advice to others considering the product is it depends on the project requirements. For larger organizations, I recommend Sentinel, as it's very advanced. However, for smaller-scale industries, Splunk and IBM QRadar are good options. For primarily cloud-based organizations with the majority of users in the cloud, then Sentinel is again an excellent choice.

We use it for our security operations center. We have private and multi-cloud environments.

It enables data integration within our hybrid, multi-cloud environment, and it makes this data integration very easy for our security operations center.

Sentinel has helped improve our visibility into user and network behavior. It helps in identifying risky users, creating a watch list for specific users and their activities, which is very important.

It has also been saving us time. It's a complete cloud-based solution, so there is no time wasted on setting up servers, infrastructure, et cetera.

It also reduces the work involved in event investigation because it puts together detection logic through detection rules. That helps in automating incident identification.

The features that stand out are the 

• detection engine
• integration with multiple data sources.

And while it does not give the tools to detect and investigate, it provides
the ability to integrate multiple tools together on the platform. This is very important for us. Sentinel provides very good integration with Microsoft Power Apps and Power Automate. That is a very handy feature.

It provides a good user interface for an operations analyst and makes it easy for an ops analyst to do incident analysis and investigations.

One key area that can be improved is by building a strong integration with our XDR platform.

I have been using Microsoft Sentinel for over a year. I'm a product manager, and I do not do hands-on deployment, but I do product definition, platform selection, and product feature definition.

It is a stable product.

The technical support team is good. They have account managers aligned with our customers. It is a good, scalable model.

Neutral

We started with Sentinel only. We have had some experience with Splunk, but Sentinel is more mature, flexible, and scalable.

The install or setup time is very small. Without Sentinel, it would usually take 15 to 30 days to set up a SIEM solution in an environment. With Sentinel, it is very easy. A completely production-grade environment can be set up within a week.

Setting up Sentinel is straightforward. Because it is a cloud-based solution, there is no infrastructure deployment involved. Much of the implementation can be done in automated ways. We leverage that automation for implementation. It doesn't require much staff. It is very automated.

It requires maintenance, and that is part of what we cover by providing our customers with managed services.

Our team does the deployment.

We have seen ROI.

The licensing cost is available on the Microsoft Azure calculator. It depends on the size of the deployment, the size of the data ingestion. It is consumption-based pricing. It is an affordable solution.