Microsoft Sentinel Reviews

Our first use case is related to centralized log aggregation and security management. We have a number of servers at the user level and data center level, and I cannot use multiple tools to correlate all the information. My overall infrastructure is on Azure. We have a hybrid approach for the security environment by using Sentinel. So, hybrid security is one of the use cases, and unified security management is another use case.

It has helped us in three ways. One is IT, one is security, and one is compliance. Before Sentinel, our IT was mature, but our security and compliance were not mature enough in terms of certain controls, client requirements, and global-level regulatory compliance. By implementing the SIEM along with Security Center, we have improved security to a mature level, and we are able to meet the compliance reporting and client requirements for security within the organization.

It has an in-depth defense strategy. It is not limited to giving an alert; it also does correlation. There are three things involved when it comes to a SIEM solution: threats, alerts, and incidents. Sentinel gives you granular and concise information in the UI format about where the log has been generated. It doesn't only not give the timestamp, etc. This information is useful for the L1 and L2 SOC managers.

It has good built-in threat intelligence tools. You can configure a policy set and connectors, and you don't need to have any extra tools to investigate a particular platform. We can directly use the built-in threat intelligence tools and investigate a particular threat and get the answers from that.

We are using Microsoft stack. We use SharePoint. We use OneDrive for cloud storage. We use Teams for our internal productivity and communication, and we use Outlook for emails. For us, it provides 100% visibility because our infrastructure is on Microsoft stack. That's the reason why I'm very comfortable with Sentinel and its security. However, that might not be the case if we were not in Microsoft's ecosystem.

We are using Microsoft Defender. The integration with Microsoft Defender takes a few seconds. In the connector, you just need to click a button, and it will automatically connect. However, for data ingestion, it will take some time to configure the backend log, workspaces, etc.

It is useful for comprehensive reporting. We need to prepare RFPs for our clients. We need to do reporting on particular threats and their resolution. So, it is useful for our RFPs and our internal security enhancements.

It is helpful for security posture management. It has good threat intelligence, and it provides deep analysis. The security engine of Microsoft Sentinel takes the raw data of the logs and correlates and analyses them based on the security rules that we have created. It uses threat-intelligence algorithms to map what's happening within a particular log. For example, if somebody is trying to log into an MS Office account, it will try to see what logs are available for this particular user and whether there is any anomaly or unwanted access. It gives you all that information, which is very important from the compliance perspective. It is mandatory to have such information if you have ISO 27001, HIPAA, or other compliances.

It enables us to investigate threats and respond holistically from one place. It is not only about detecting threats. It is also all about investigating and responding to threats. I can specify how the alerts should be sent for immediate response. Microsoft Sentinel provides a lot of automation capabilities around reporting.

With the help of incidents that we are observing and doing the analysis of the threats, we are able to better tune our infrastructure. When we come across an incident or a loophole, we can quickly go ahead and review that particular loophole and take action, such as closing the ports. A common issue is management ports being open to the public.

It saves time and reduces the response time to incidents. We have all the information on the dashboard. We don't need to go ahead and download the reports.

There are a lot of dashboards available out of the box, and we can also create custom dashboards based on our requirements. There is also one dashboard where we can see the summary of all incidents and alerts. Everything can be correlated with the main dashboard.

We can use playbooks and data analytics. We have one system called pre-policy definitions where our internal team can work on the usability of a particular product. We get a risk-based ranking. Based on this risk-based ranking, we will create policies and incorporate data analytics to get the threats and alerts. We are almost 100% comfortable with Sentinel in terms of the rules and threat detections.

It improves our time to detect and respond. On detecting a threat, it alerts us within seconds.

The AI and ML of Azure Sentinel are valuable. We can use machine learning models at the tenant level and within Office 365 and Microsoft stack. We don't need to depend upon any other connectors. It automatically provisions the native Microsoft products.

Playbooks are also valuable. When I compare it with the playbooks in other SIEM solutions, such as Splunk, AlienVault, or QRadar, the playbooks that Sentinel is providing are better.

The SOAR architecture is also valuable. We use productivity apps, such as Outlook and Teams. If a security breach is happening, we automatically get security alerts on Teams and Outlook. Automation is one of its benefits.

We are working with a number of products around the cybersecurity and IoT divisions. We have Privileged Identity Management and a lot of firewalls to protect the organizations, such as Sophos, Fortinet, and Palo Alto. Based on my experience over three years, if you have your products in the Microsoft or Azure environment or a hybrid environment around Microsoft, all these solutions work well together natively, but with non-Microsoft products, there are definitely integration issues. Exporting the logs is very difficult, and the API calls are not being generated frequently from the Microsoft end. There are some issues with cross-platform integration, and you need to have the expertise to resolve the issues. They are working on improving the integration with other vendors, but as compared to other platforms, such as Prisma Cloud Security, the integration is not up to the mark.

The second improvement area is log ingestion. Sometimes, we are observing large ingestion delays. We expect logs within 5 minutes, but it takes about 10 to 15 minutes.

They can work on their documentation. For Sentinel, not many user or SOP information documents are available on the internet. They should provide more information related to how to deploy your Sentinel and various available options. Currently, the information is not so accurate. They say something at one place, and then there is something else at other places.

It has been about two years.

It is stable. They are enhancing it and upgrading it as well.

It is scalable. It is being used across all departments. We took it for about 80 devices, but, within 24 hours, we mapped it to 240 devices.

Technical support is very straightforward. They will not help you out with your specific use cases or requirements, but they will give you a basic understanding of how a particular feature works in Sentinel.

Positive

We didn't use any other solution in this company. We went for this because as per our compliance requirements, we needed to have this installation in place. About 80% of our environment is on Microsoft, and we could just spin up Azure Sentinel.

It is straightforward. Usually, you can deploy within seconds, but in order to replicate an agent on your Sentinel, it will take about 12 to 24 hours.

We engaged Microsoft experts to deploy the agents across the devices on the cloud. It didn't take much time on the cloud, but for on-prem, it takes some time.

It has saved a lot of time. Implementing a SIEM solution from a third-party vendor, such as AlienVault OSSIM, can take about 45 days to 60 days of time, but we can roll out Sentinel within 15 days if everything is on Microsoft.

For implementation, we have about three people. One is from the endpoint security team. One is from the compliance team, and one is from the security operations team.

It is a cloud solution. So, no maintenance is required.

We have reached our compliance goals, and we have been able to meet our client's requirements. We are getting a lot of revenue with this compliance.

It has saved us money. It would be about $2,500 to $3,000 per month.

It varies on a case-by-case basis. It is about $2,000 per month. The cost is very low in comparison to other SIEMs if you are already a Microsoft customer. If you are using the complete Microsoft stack, the cost reduces by almost 42% to 50%.

Its cost depends on the number of logs and the type of subscription you have. You need to have an Azure subscription, and there are charges for log ingestion, and there are charges for the connectors.

I would strongly recommend it, but it also depends on the infrastructure. I would advise understanding your infrastructure and use cases, such as whether your use case is for compliance or for meeting certain client requirements. Based on that, you can go ahead and sign up for Sentinel.

If you have the native Microsoft stack, you can easily ingest data from your ecosystem. There is no need to think about all the other things or vendors. However, in a non-Microsoft environment where, for example, you have endpoint security from Trend Micro, email security for Mimecast, and IPS and IDS from Sophos, FortiGate, or any other solution, or cloud workloads on AWS, Microsoft Sentinel is not recommended. You can go for other solutions, such as Splunk or QRadar. If about 80% of your infrastructure is on Microsoft, you can definitely go with Microsoft Sentinel. It will also be better commercially.

I would rate it a 10 out of 10 based on my use case.

We needed a SIEM solution that could integrate with our Microsoft 365 stack. Being a Microsoft product, that was the first SIEM we looked at, and we haven't looked back. We're still growing with the product over the last couple of years. It is phenomenal.

We're mainly focused on the cloud, but one of our selling points is that you can integrate with on-prem. We push to get the Azure Arc implementation done on top of Sentinel so that we can ingest data from your on-prem environment into Azure Monitor, which is then exposed to Sentinel. That's how we drive that integration, but we mainly have the cloud. We have 80% cloud and 20% on-prem.

The specific focus on entity behavior is where the gold is within Sentinel. The machine learning and AI capabilities that Microsoft already provides within their toolset are exposed through entity behavior analytics. That really is magic. It is something we don't live without. We have specific key metrics we measure against, and this information is very relevant information to our security approach. That's because not everything is an alert and not everything is a threat. In some cases, the anomalous sign or the anomalous behavior is more important than the actual alert coming up and saying that something has been infected. It could be those sign-ins a week before or a month before into a database that you don't always look into that end up being the actual threat. The entity behavior or the overall feature that Sentinel has is absolute gold for us.

In terms of the visibility into threats, because I set up the product, I'm very much aware of the fact that you see what you configure. That's probably a plus in terms of if you have an appetite only for product one, you ingest and you consume only product one. In our company, we have the full E5 solution, and we tend to have a lot of endpoints or metrics that we can pull into one space. So, each and every sub-component, such as Defender for Endpoint, Defender for Identity, and all the incidents end up within Sentinel. It is one spot from where we can manage everything. That works very well for us. We do have small customers with one or two Microsoft solutions, and even third-party solutions, and we can still integrate or expose those product-specific incidents within Sentinel. For me, that's a big plus.

It definitely helps us to prioritize threats across our enterprise. There is not just a clear classification of severity but also the ability to team certain alerts together. It can chain events and bring you a bigger picture to tell you this is something that you need to take care of or look at because it is tied or chained to multiple events or alerts. That ability is again a big plus.

We probably use all of the Microsoft products. We use Azure Active Directory, and we use Defender for pretty much everything, such as Defender for Identity, Defender for Endpoint, Defender for Cloud, and Defender for Cloud Apps. As a senior cloud infrastructure consultant, it is a part of my role to provide or customize and configure these products on behalf of our customers. We have integrated these products for multiple customers. One of my favorite benefits of Sentinel is its integration with the entire stack. I am yet to find a Microsoft product with which it does not integrate well. All of the Microsoft products are fairly simple to integrate with it. Anyone can set up their own environment. It is only third-party products where you tend to have a bit of technicality to configure, but even that is not a difficult process. It is fairly straightforward and easy to follow.

All these solutions work natively together to deliver coordinated detection and response across our environment. Microsoft Defender stack does that quite well. One of the reasons why Microsoft personally favors the Microsoft Defender stack is because of the integration with the rest of the products.

I'm a big fan of the layered approach, and it should be in every environment. Microsoft does a good job of providing you with that layered approach without too much of an oversight or a combination of a bunch of products. They work well individually, and they stack together quite well based on the individual requirements or the needs of each.

We use Microsoft Defender for Cloud. Our footprint in the cloud is limited. We only have two or three customers that fully make use of the product, but it is something that I do make use of and will. We do make use of its bi-directional sync capabilities. Especially within the organization, we have a very small team dedicated to assisting in our cloud-managed servers. If one person has to run around and duplicate these efforts in multiple portals, that wouldn't be an effective use of their time. So, the simple ability to just be in one portal or one place and apply the remediation or the management of an item is a big plus for us.

It allows us to ingest data from our ecosystem. I have found only one or two third-party antivirus products that still don't integrate fully with Sentinel, but for my use case within my own environment, as well as the environments we manage through our inSOC offering, there hasn't been any case or instance I know of where we could not find a solution to ingest necessary logs.

I work with security, and I also work with compliance. On the compliance side, the ability to have an audit trail and all your logs in one central location is important. The data is queryable. The KQL language is not a difficult language to get under. So, for me, having it all in one place and being able to query it and slice the data to what I need to provide or expose is a key feature of a SIEM solution.

It enables us to investigate threats and respond holistically from one place. It is very important, and bidirectional ties into this. We have a small team. So, the following capabilities are critical to our managed solution:

• The ability to hunt from one location or one stream.
• The ability to integrate with multiple sources and data tables for ingestion.
• The ability to expose information from those tables from one stream or portal.

We probably would end up having to hire twice as many people to accomplish what we can do simply by integrating Sentinel with the rest of our product stack.

It helps automate routine tasks and the finding of high-value alerts. Being able to automate routine tasks or routine alerts is a big save for us because our analysts are not bogged down trying to just close alerts in a portal. This freeing up of time alone is a big save for us.

It helps eliminate having to look at multiple dashboards and gives us one XDR dashboard. The workbooks already integrate well with Azure Lighthouse. So, right out the bat, we had that multitenant capability from one dashboard or one screen. It is just absolutely brilliant.

It saves time on a daily basis. For example, as a desktop engineer, if I have to go through 20,000 devices, it would take a long time to go one device at a time. To make sure everything is fine, if I have to log in, upload some logs, do some metrics, log off, and go to the next office, it would take us a good part of a year to be able to work on each of these devices. With Sentinel, once your logs are configured and analytics rules are in place, a simple hunting query could accomplish exactly the same in a month.

Previously, four hours of my day were spent on just dashboards here and there, logging into tenants one time to the next, running the same view in the same portals, and looking through, for example, the alerts for the day or the threats for the day. With Sentinel, all that is in one place. I can just log on with my company-provided credentials, do MFA once, and through a portal with multiple links, seamlessly go through entity after entity. My whole exercise of four hours per day is now probably down to half an hour just because everything is in one place.

It has decreased our time to detection and time to respond. In the past, we would have to get someone to physically log onto a portal once there is an alert, and if that alert was in multiple places or multiple customers, it would mean multiple portals and multiple logins. The ability to manage from one screen and run an effective service has alone saved us 60% of our day.

I work with the Microsoft 365 products stack quite a bit, and I'm a big fan of the granularity that the products have. For example, the Defender stack is very focused on endpoints, identities, and so forth. With Sentinel, we have the ability to integrate with each of these components and enhance the view that we would have through the Defender portal. It also gives us the ability to customize our queries and workbooks to provide the solution that we have in mind on behalf of our team to our customers.

The part that was very unexpected was Sentinel's ability to integrate with Azure Lighthouse, which, as a managed services solution provider, gives us the ability to also manage our customers' Sentinel environments or Sentinel workspaces. It is a big plus for us. With its integration with Lighthouse, we get the ability to monitor multiple workspaces from one portal. A lot of the Microsoft Sentinel workbooks already integrate with that capability, and we save countless amounts of money by simply being able to almost immediately realize multitenant capabilities. That alone is a big plus for us. Never mind everything else, such as the security benefits, visibility, and the ability to query the data. They all are great, but the ability to see multiple workspaces is a big money saver and a big time saver for our team.

We offer a managed service where we are geared toward a proactive approach rather than a reactive one. Sentinel obviously covers quite a lot of the proactive approach, but if you engage all of your Microsoft products, especially around the Microsoft endpoint stack, you also gain the ability to manage your vulnerability. For us, gaining the ability to realize a full managed service or managed solution in one product stack has been valuable.

Its threat intelligence helps us prepare for potential threats before they hit and take proactive steps. It highlights items that are not really an alert yet. They are items that are running around in the wild that Microsoft or other threat intelligence providers have picked up and would expose to you through Sentinel by running a query. This ability to integrate with those kinds of signals is a big plus. Security is not only about the alerts but also about what else is going on within your environment and what is going on unnoticed. Threat intelligence helps in highlighting that kind of information.

Improvement-wise, I would like to see more integration with third-party solutions or old-school antivirus products that have some kind of logging capability. I wouldn't mind having that exposed within Sentinel. We do have situations where certain companies have bought licensing or have made an investment in a product, and that product will be there for the next two or three years. To be able to view information from those legacy products would be great. We can then better leverage the Sentinel solution and its capabilities. It is being enhanced, and it has been growing day to day. It has gone a long way since it started, but I would like to see some more improvement on the integration with those third parties or old products that some companies still have an investment in.

In terms of additional features, one thing that I was hoping for is now being introduced through Microsoft Defender Threat Intelligence. I believe that is going to be integrated with Sentinel completely. That's what I've been waiting for.

I have been working with this solution for close to two years.

It is very much stable. We've had one or two issues in the last two years where we had a Microsoft-reported incident, and there were data flow issues, but overall, they are 99.9999% available. We've not had an unrecoverable event across the solution. We've had incidents where users ended up not paying the subscription and the subscription got disabled. It simply required just turning it back on and paying your bill, and you were back up and running. It is quite robust.

It definitely is scalable. It will adapt to your needs. It is really about how much you're willing to spend or what your investment is like. That's basically the only limitation. We've seen customers or deployed to customers with thousands of endpoints across the world, ingesting tons and tons of data. We're talking 200, 300 gigabytes per day, and the product is able to cope with that. It does a great job all the way up there at 200, 300 gigs per day to all the way down to the 10, 20 megs per day. It is really scalable. I am quite a fan of the product.

It is being used at multiple locations and multiple departments, and in our case, multiple companies as well. In terms of user entities, the number is probably close to 40,000 in total across our state. In terms of endpoints, we probably are looking at close to 30,000 endpoints.

I've dealt with Microsoft technical support in the recent past, and I'm overall quite happy with it. Being a big company with big solutions and lots of moving parts, overall, their approach to troubleshooting or fault finding is great. I'm going to give them an eight out of ten. There is always some room for improvement, but they're doing well.

Positive

We didn't really use a full SIEM solution at the time. We hovered between dashboards and certain portals. We didn't have a SIEM in place. The first solution we looked at was Sentinel, and we fell in love. It does everything we want and everything we need, and we haven't looked back. We're not even looking at any other solutions right now. For us, it is unnecessary. We're very happy with Sentinel and what Sentinel can do.

It is very straightforward. As a service provider, we'd love to be part of that integration or setup. That's where we make our bread and butter. It is simple enough for the average IT enthusiast to get going, but if you do want to get the best out of your product and if you want to start with some customization, reaching out to a service provider or to a specialist does make sense because they have learned a few things on your behalf. Other than that, it is easy enough to get going on your own. It is a very straightforward configuration, and it does make sense. It is easy to follow.

If you already have a subscription in place, you could be fully operational in less than one business day.

For its deployment, it is a one consultant kind of approach. What is important is that everyone from within the company that is part of the decision-making chain is present as part of it. That's because the main pushback is not the implementation of Sentinel, but the connection to it for the data. So, you would have your firewall guys push back and say, "I don't want to give my data to you." You have your Defender guys saying, "No, I don't want to give my data to you." That's more important in terms of the deployment. One person can easily manage the deployment in terms of the workload.

There is some maintenance. There are some daily, monthly, and weekly tasks that we set out for ourselves. It is normally in the form of query updates, workbook updates, or playbook updates. If some schema update has happened to the underlying data, that needs to be deployed within your environment. Microsoft does a great job of alerting you, if you are within the portal, as to what element needs updating. We have 16 customers in total, and we have one person dedicated to maintenance.

We could realize its benefits very early from the time of deployment. Probably within the first three months, we realized that this tool was a lot more than just a simple SIEM, SOAR solution.

It has absolutely saved us money. Of course, there is an upfront investment in Sentinel, which has to be kept in mind, but overall, after two years, the return on investment has been absolutely staggering. In security, you don't always have people available 24/7. You don't have people awake at two o'clock in the morning. By deploying Sentinel, we pretty much have a 24/7 AI that's looking at signals, metrics, and alerts coming in, making decisions on those, and applying automated actions. It is like a 24-hour help desk service from a solution that is completely customizable. We have programmatic access to the likes of playbooks to be able to further enhance that capability. The savings on that alone have been astronomical. If we did not have Sentinel, we would have had to double the amount of staff that we have now. There is about a 40% reduction in costs.

I'm not happy with the pricing on the integration with Defender for Endpoint. Defender for Endpoint is log-rich. There is a lot of information coming through, and it is needed information. The price point at which you ingest those logs has made a lot of my customers make the decision to leave that within the Defender stack. The big challenge for me right now is having to query data with the Microsoft Defender API and then querying a similar structure. That's a simple cost decision. If that cost can be brought down, I'm sure more of my clients would be interested in ingesting more of the Defender for Endpoint data, and that alone will obviously drive up ingestion. They are very willing to look at that, but right now, it is at such a price point that it is not cost-effective. Most of them are relying on us to recreate our solution, to integrate with two portals rather than having the data integrator Sentinel. If we can make a way there, it'll be a big one.

We have had some assessments where we were asked to do a comparison with the likes of Splunk and other similar tools. What I love about Sentinel is the granularity. You can configure what you need. Whether it just logs from a server or logs from any of the Microsoft solutions, you have the ability to limit data depending on your use or your need. You can couple that with the ability to archive data, as well as retain data, on a set schedule.

Its cost is comparable to the other products that we've had, but we get much more control. If you have a large appetite for security, you can ingest a lot of information right down to a server event type of log. That obviously would be costly, but for ingesting from the Microsoft stack itself, a lot of the key logs are free to use. So, you could get up and running for a very small amount per month or very small investment demand, and then grow your appetite over time, whereas with some of the other solutions, I believe you buy a commitment. So, you are in it for a certain price from the beginning. Whether you consume that, whether you have an appetite for that, or whether there are actual people in your company who can make use of that tool is separate from that commitment. That commitment is upfront, whereas Sentinel is much more granular. You have much more control, and you can grow into a fully-fledged product. You don't need to switch everything on from day one and then run and see what it will cost. You can grow based on your needs, appetite, and budget until you find that sweet spot between what you ingest and what you can afford.

Having worked with the product and knowing the capabilities of the product, it is worth investing in a product that Microsoft has spent a great deal on integrating with the rest of its product stack. Now, we can argue how far along the third-party vendors are in terms of integration with the rest of the security landscape, but if you're a Microsoft house, there is literally no better solution right now in terms of integration and highlighting the best out of your investment. Of course, every use case is different, but I'm happy to look at any challenge in terms of what a third-party solution can bring and what they reckon Sentinel can't.

My advice to others evaluating the solution is that Sentinel isn't a silver bullet solution. It is not something you deploy and set up, and it is going to work 100% well and you're going to be happy. There is going to be some upfront investment. You're going to have to spend some time getting the product in place and getting it configured to your needs. To showcase in a PoC environment is quick and easy, but to realize real-world day-to-day benefits from this product, there is going to be some investment. Keep that in mind. If you're willing to spend that time upfront within the first couple of days or a couple of weeks of you deploying the solution, you'll immediately realize the benefit, but you have to have that mindset. It is not going to just be next, next, next, where it is deployed, and congratulations, you are now secure. That's never going to be the case, but after spending a bit of time on this product, there is nothing it can't do.

I want to give it a 10 out of 10 just because I'm very passionate about this product. I've seen it grow from a very basic SIEM solution to a fully-fledged SIEM, SOAR solution. Some of the capabilities that are built in right now make my day so much easier. Overall, it is a brilliant product, and I love what Microsoft is doing to it. It is a great product.

We use it for security. It's at the forefront of managing the security within our organization. We use the platform as our main SIEM for enterprise security whereby we have several tools that feed into Microsoft Sentinel and then from there, we have the use cases. It's a major tool for security monitoring within the enterprise.

Microsoft Sentinel provides the capability to integrate different log sources. On top of having several data connectors in place, you can also do integration with a threat intelligence platform to enhance and enrich the data that's available. You can collect as many logs and build all the use cases. 

Microsoft Sentinel helps to prioritize threats across the enterprise. We do threat categorization based on a risk-based approach. We categorize incidents as critical, high, and medium. The platform gives us the capability of categorizing the threats based on our assets' criticality and the type of data on our systems. At the end of the day, it does help in managing the threats within the organization. There are different levels of threats depending on the data that we have.

We also use Microsoft Defender for Endpoint. We have integrated Microsoft Defender for Endpoint with Microsoft Sentinel. Most of the alerts that come on our Microsoft Defender for Endpoint are fed into Microsoft Sentinel. We manage those alerts through Microsoft Sentinel, but when we are doing our investigations, we always leverage Microsoft Defender for Endpoint because we are able to do the investigation from the original source. Integrating a Microsoft product with other Microsoft products is not as difficult as compared to integrating Microsoft products with other vendor applications. With the inbuilt data connectors that already exist in Microsoft Sentinel, it's much easier to do the integrations with the Azure environment and other Microsoft products. If there's no data connector, it's somehow tricky. If we have a data connector in place, it's better. We also need to do some customization of the data that we ingest because we need to have the right size of the data that we feed into Microsoft Sentinel because of the cost aspect. At the end of the day, we managed to do an integration of on-prem AD with Microsoft Sentinel via a platform that acts as a bridge between them

Microsoft Sentinel and Microsoft Defender for Endpoint work together natively. The alerts are fed into Microsoft Sentinel seamlessly, but when it comes to investigations, you need to leverage Microsoft Defender for Endpoint to isolate a device and to see some of the timelines or actions that were done with that machine. You can't do that with Microsoft Sentinel.

Microsoft Sentinel allows us to investigate threats from one place, but it doesn't let us respond from one place. For responding, we need to narrow down the source of the threat. If it has been flagged from a Cisco perimeter solution that we use, such as Cisco Meraki, we need to go back and check in that platform. If it's flagging an issue that's happening on an endpoint, we need to go back to Microsoft Defender for Endpoint and do further investigation to respond.

Microsoft Sentinel helps to automate routine tasks. We have playbooks and once we establish a baseline or a routine task that needs to be done, we can just automate it through the playbook.

We have the Sentinel dashboard, but we still need other dashboards for other logs, such as from email. We can't see email logs from Sentinel. We still need a network security monitoring platform. It has helped us to secure 90% of our cloud environment.

With the integrations we have, its threat intelligence helps prepare us for potential threats before they hit and to take proactive steps. We get visibility into what's happening on the AD on a real-time basis. If there's any issue going on with the AD, we are able to fix that within the minimum time possible. It also helps with the visibility of different resources across the cloud environment. However, it can't do all that by itself. We also need other tools. 

It has saved us time. It has helped in handling most of the issues within the cloud environments or any misconfigurations done on the cloud environment. We are able to handle any issues within the shortest time possible. In terms of threat detection, I can give it a nine out of ten. If we didn't have Microsoft Sentinel, it would have taken us three to four days to discover a security incident that is happening or any security misconfiguration in the cloud environment. Within a week, it saves me about three days.

It has saved us money from a security risk perspective, but from a technology perspective, it hasn't saved much. The main value that it's giving to the organization is from a security perspective.

It has saved our time to detect, but that also depends on the original platform. If the original platform, such as Microsoft Defender, fails to detect incidents, then Microsoft Sentinel will definitely not flag anything. The feed that Microsoft Sentinel gets comes from other platforms. With better fine-tuning across the other platforms and with good integrations, it can really help.

Playbooks are valuable. When it comes to automation, it helps in terms of managing the logs. It brings the SOAR capability or the SOAR perspective to the platform with the high usage of Microsoft products within our environment. We are utilizing most of the Azure resources. Our AD runs on Azure. We have on-prem and Azure AD, so we have the integrations. At the end of the day, when we are managing the security, we have the capability of initiating some options from Microsoft Sentinel and directly to AD. We also have automation with Cisco Meraki. We have configured playbooks where if there is a suspicious IP, it blocks the IP.

Microsoft Sentinel needs to be improved on the metrics part. I've had an issue in the recent past while trying to do my metrics from it. It gives me an initial report, but sometimes an incident is created on Microsoft Sentinel, but you realize that when a lot of information is being fed from Microsoft Defender to Microsoft Sentinel, instead of feeding the existing alert, Microsoft Sentinel creates a new alert. So, metrics-wise, it can do better. It can also do better in terms of managing the endpoint notifications.

We do have in-built or out-of-the-box metrics that are shown on the dashboard, but it doesn't give the kind of metrics that we need from our environment whereby we need to check the meantime to detect and meantime to resolve an incident. I have to do it manually. I have to pull all the logs or all the alerts that are fed into Sentinel over a certain period. We do this on a monthly basis, so I go into Microsoft Sentinel and pull all the alerts or incidents we closed over a period of thirty days. I then calculate the meantime to detect and the mean time to resolve. I have to check when all the tickets were created, when they were handled by the analysts, and when they were closed. I do a manual metrics calculation after pulling all the data. I believe Microsoft can do better on the metrics side of Sentinel. They can provide monthly reports. If I want to submit the reports to my senior management, it will be much easier for me to pull the data as a report. Currently, you can't pull any reports from Sentinel. It would be helpful if they can build a reporting tool within it and allow me to have my own customization. I should be able to customize the reports based on my needs. For example, I should be able to generate a report only for incidents with high and medium severity.

It should also provide information on trends within the platform. There should be reports on specific alerts or security incidents.

They should build more analytics rules to assess key security threats. I have had to build a lot of custom analytics rules. There should be more of them out of the box.

There should be more information about how to utilize the notebooks. They can have a better approach to enlightening the end-users about the straightforward use of notebooks. The data point analysis rules and automation are straightforward compared to the way you utilize the notebooks. They can do better in terms of sharing how we can utilize the notebooks. 

We are able to ingest data across all our tenants and on-prem solutions, but we have been chasing Microsoft for the longest time possible for ingesting some data from Microsoft Dynamics 365. The kind of logs that we need or the kind of security monitoring that we need to do on Microsoft Dynamics 365 versus what's available through data connector tools is different. The best advice that they have managed to give us is to monitor the database logs, but we can't go into monitoring database logs because that's a different platform. There are several things that we want to address across Microsoft Dynamics 365, but the kind of logs that we get from the data connector are not of any significance. It would be better if they could give us customization for that one. That's the worst application from Microsoft to add because we can't monitor any business processes in that application, and there's no capability to do even customization. We are so frustrated with that.

It's quite comprehensive in threat intelligence capabilities, but it takes some time to establish a baseline. They can also improve the UEBA module so that it can help us address and have an overview of the risk. It's not yet that complete. It can establish a baseline for a user, but it doesn't inform how I can leverage the capability to address risks.

We can also have more integrations within Microsoft Sentinel with TI feeds out of the box. Currently, we don't have something out of the box for other TI feeds. Microsoft has its own TI feed, but we aren't utilizing that.

Microsoft Sentinel should provide more capability to end-users for customization of the logs they feed into Microsoft Sentinel.

It has been two years.

We haven't had any issues with it so far. It's very stable. 

It's scalable. There are data connectors for different technologies and products.

I've not contacted their support for Microsoft Sentinel.

I've used QRadar.

We are ingesting on-prem and cloud logs. The initial setup was a bit complex. It wasn't that straightforward because of the integrations.

We had help from a Microsoft partner for visibility and integrations. We had about five engineers involved in its implementation.

In terms of maintenance, it doesn't require any maintenance from our side.

Microsoft Sentinel is costly, but it provides value in terms of managing security or managing the threats within our organization.

The return on investment is in terms of better security, visibility, and management. If you don't know what's going on in the cloud environment or the on-prem environment, you might need to pay a huge price in terms of compliance or ransomware to restore your data. We have seen value in investing in Microsoft Sentinel because we are building a better security capability within our environment.

The current licensing is based on the logs that are being ingested on the platform. Most of the SIEM solutions utilize that pricing model, but Microsoft should give us a customization option for controlling the kind of logs that we feed into Microsoft Sentinel. That will be much better. Otherwise, the pricing is a bit higher.

We evaluated other solutions. The reason why we chose Microsoft Sentinel was because of the cloud visibility. We needed a lot of visibility across the cloud environment, and choosing another product that's not Microsoft native wouldn't have been easy in terms of integrations and shipping logs from Microsoft Sentinel to on-prem.

A good thing about Microsoft Sentinel as compared to the other platform is that most organizations run on Azure, and the integration of Microsoft Sentinel is much easier with other products, but when it comes to other SIEM solutions, integrating them with Microsoft sometimes becomes an issue.

You need to customize the kind of logs that you feed to Microsoft Sentinel. If you just plug-in data connectors and don't do any customization and feed everything to Microsoft Sentinel, it will be very expensive in terms of cost. You only need the traffic that assists you in addressing security issues within your environment. You only need the information that gives you visibility to address security issues.

Overall, I would rate Microsoft Sentinel an eight out of ten.

I'm using it as a SIEM solution. If I consider the leading clouds, especially Google and Amazon, so we don't have a dedicated SIEM solution available in either and we have to create a SIEM solution by using the native services of those clouds. But Microsoft Sentinel gives us an opportunity to use a direct SIEM solution. 

I have clients from different regions and they already have environments on the cloud with various vendors, as well as on-prem. The problem they came to me with was that they wanted to secure their environments. They wanted to monitor all the vulnerability management, patches, and vulnerability scans in a single place. They have third-party data sources that they wanted to monitor things in a single dashboard. I suggested they use Microsoft Sentinel because it can integrate many third-party vendors into a single picture.

Those are the kinds of scenarios in which I suggest that my clients use Microsoft Sentinel.

One thing that makes our work easier is that Sentinel enables you to investigate threats and respond from one place. We don't need to jump into different portals. We configure the rules there and we have the response plans as well as the recommendations from the Sentinel itself and, from there, we can take action. It saves time. That is a good and really important feature.

Working with Sentinel, trust is something we have gained. My company is a consulting firm and we have multiple clients in different regions. We have Australian clients and have to deal with Australian policies, as well as in India where there are different kinds of government policies. With all these policies that our clients have to accommodate, when we deploy Sentinel, the trust we are gaining from them is good.

We are also able to optimize costs, have stability, and an improved work culture by using Sentinel.

Another benefit is the automation of routine functions, like the creation of incidents. Our SOC doesn't need to create incidents manually. We have playbooks to automate things. That saves time on a daily basis.

A monotonous job was the need to send an email to an affected user to tell them to take an action because their third-party tool was something we didn't have access to. For example, we do not have visibility into the portal of Palo Alto, CyberArk, or Zscaler. My team's job in that situation was to send an email for every alert to tell someone to take action. Now, they don't need to waste their time. With automation, we can create a playbook for that. When an alert is generated, it automatically triggers the affected user to take action accordingly. In the time we have saved, my team has been able to learn and customize KQL queries and enhance their KQL skills.

Another area where it is helping us is in creating a single dashboard for our environment. We can collect all the logs into a log analytics workset and run queries on top of it. We get all the results in the dashboard. Even a layman can understand this stuff. The way Microsoft presents it is really incredible. We can download that dashboard or a report from the dashboard and present it in a team meeting. That is really useful.

Overall, per week, Sentinel saves us 40 to 45 hours, per person. We have a team of 20 people who log in to Sentinel and each of those people is saving something like 40 to 45 hours by using it. In that time we can work on different technologies. It has also definitely decreased our time to detection by 80 percent.

The most amazing aspect of Microsoft Sentinel is the daily upgrading of the product. They have third-party connectors that their people are enhancing on a daily basis. That is what I like about the product. Their people are not sitting idly and saying, "Okay, we have created the product, now just use it." It's nothing like that. They are continuously working on it to make it number one in the market.

It also has a playbook feature so that we can do automation in Sentinel itself, based on the data sources and the logs that we are receiving. That means we don't need to do manual stuff again and again.

Using Sentinel, we can collect all the logs of third-party vendors and use them to analyze what kinds of scenarios are going on in the environment. On top of that, we can create analytics rules to monitor the environment and take action accordingly if there is a suspicious or malicious event.

Something else that is great is the visibility into threats. We have an AI feature enabled in Sentinel and that gives us great visibility into the data sources we have integrated. And for data sources that we don't have integrated, we have a Zero Trust feature and we get great visibility into the threat log. Visibility-wise, Sentinel is fantastic.

The ingestion of data from our entire environment is very important to our security operations. We have clients in insurance and multiple firms that deal with taxation, and we need to do an audit yearly. To do that, we need the data from the whole environment to be ingested into the workspace.

They can work on the EDR side of things. It is already really superb, because of the kinds of features we get with the EDR solution. It's not a standard EDR and they have recently enhanced things. But the problem is with onboarding devices. I have different OS flavors, including a large number of Linux, Windows, macOS, and some on-prem machines as well.

Every time we need to onboard these kinds of machines into the EDR, we need to do it with the help of Intune, to sync up the devices, and do the configuration. I'm looking for something on the EDR side that will reduce this kind of work. They can eliminate having to do manual configuration for the machines, and check the different types of configurations for each OS. In some cases, it does not support some OSs. If they could reduce this type of work, that would be really amazing.

I have been using this product for the last three and a half years.

It is reliable. I would rate it a nine out of 10 for performance and reliability.

The scalability is also a nine out of 10.

We have the solution in different locations and regions. Most of my clients are in Singapore, Australia, and India and we have some European clients as well. On average, our clients have 2,200 employees.

Most of the time, their technical support is very good and very supportive. But sometimes we feel that they don't want to help us. Recently, we had a major issue and we tried to involve a Microsoft engineer. I felt he was not aware of the things we were asking for. 

I said, "That machine is hosted on Microsoft Azure and you and people are managing that stuff, so you need to know that machine inside and out." He said, "No, the configuration and integration parts, in the machine itself, is something I'm not aware of. You people did this, and you need to take care of it." I told him that the challenge we were facing was with the configuration and we do not get those kinds of logs. I suggested he engage some Linux OS expertise for this call, but he said, "No, we don't have a Linux OS expert."

Sometimes we face this kind of challenge, but most of the time their people are very helpful.

Neutral

It is a very simple process to integrate things. On a scale of one to 10, where 10 is "easy," I would rate it at nine. We have a team that takes part with me in the implementation and we divide the work.

And we don't need to worry too much about maintenance. Microsoft takes care of that part.

We do it all in-house.

Microsoft can enhance the licensing side. I feel there is confusion sometimes. They should have a list of features when we opt for Microsoft Sentinel. They should have a single license in which we have the opportunity to use the EDR or CASB solution. Right now, for Sentinel, we have to pay for a license for something in the Azure portal. Then, if we want to work with CASB, we need to buy a different license. And if we want to go for EDR, we need to buy another license. They do provide a type of comparison with a combo of licenses, but I feel very confused sometimes about subscriptions and licensing.

Also, sometimes it's quite tough to reach them when we need a license. We have to wait for some time. When we drop an email to contact them, it is at least 24 until they reply. They should be able to get back to us in one hour or even 30 minutes. They do have a premium feature where, within one or two hours, they are bound to respond to a query. But with licensing, sometimes this is a challenge. They don't respond on time.

If I compare Sentinel with standalone SIEM and SOAR solutions when it comes to cost, Sentinel is good. It is really cheap but that does not mean it compromises on features, ease of use, or flexibility, compared to what the other vendors are providing. When I look at other similar solutions, like Splunk, QRadar, and ArcSight, they are charging more than Microsoft, but ultimately they are not giving us the features that Microsoft is offering us.

Sentinel is far better than these other solutions. I have worked with Splunk in the past and many of my colleagues are working in the QRadar as well. When I talk to them, and when I compare the features, these solutions are not at all near to Microsoft Sentinel.

So while we do create a type of SIEM solution in other platforms in the cloud, using the native services, Microsoft gives us a direct solution at a very reasonable rate. They are charging less money, but they will never compromise the quality or the features. Microsoft is updating Sentinel on a regular basis. If I look at Sentinel three and a half years back, and the Sentinel of today, the difference is really unbelievable.

As part of our consulting team, I have never suggested that someone go for a third-party solution. Some of my clients have a whole environment on AWS and GCP and they have said, "Can we create some kind of SIEM solution for my cloud by using something we have in Microsoft?" I give them a comparison between using the native services and Microsoft Sentinel. The main point I tell them is about the cost. They are convinced and say, "Okay, if we get those kinds of features at that cost, we are good to go with the Microsoft Sentinel." And they don't need to migrate their whole environment into Sentinel or Microsoft Azure. They can continue to use whatever they are using. We can onboard their logs into Sentinel and, on top of that, create use cases and dashboards, and they can monitor things.

Microsoft is proactive in helping you be ready for potential threats, but I'm not involved in that part. It's something my counterpart takes care of. But I have heard from them that it is proactive.

We also use Microsoft's CASB solution, Microsoft Defender for Cloud, and Defender for Endpoint. There is some complexity when it comes to integration of Defender for Endpoint. This is the feedback I have submitted to Microsoft. When we do the integration of Defender for Endpoint, we have more than 12,000 machines, with different OSs. Onboarding all those machines into the environment is a challenge because of the large number of machines.

Although it's not creating any kind of mess, compared with Sentinel or the CASB product, Defender for Endpoint is something Microsoft can work on to create an option where we don't need to onboard all these machines into Intune and then into Defender for Endpoint. If that step can be omitted, Defender for Point will also be a good solution because it is also working on an AI basis.

These Microsoft products do work together to deliver coordinated detection and response. We simultaneously get the benefits of all these products.

We are also using Microsoft Defender for Cloud to see the security posture of our environment and it also has some great features. It helps us understand vulnerability issues and, on the top of that, we get recommendations for resolving those issues. The security posture is based on the policies it has, as well as third-party CIS benchmarks that people are using in the backend to provide the recommendations. It's good.

We have created an automation rule, but not directly using Defender for Cloud's bi-directional feature. The automation we have created is logic using a bidirectional aspect for Sentinel incidents. When we get incidents in Sentinel, we can trigger those same incidents in ServiceNow as well. We have a SOC team that manages our incident response plan and ServiceNow. Once they take an action in ServiceNow, they don't need to go to Microsoft Sentinel again and take action on the incident. It will automatically reflect the action they have taken.

Between best-of-breed versus a single vendor for security, Microsoft is on top. They are continuously enhancing their product and other cloud platforms don't have a direct SIEM solution. We need to customize other solutions every time if we want to opt for another cloud vendor. This is the advantage of Microsoft Sentinel at this point in time.

I would recommend Microsoft Sentinel to anybody.

I and my colleagues feel that Microsoft Sentinel is the number-one product for anyone considering something similar. We have other tools as well, but none compare with Sentinel.

We utilize Microsoft Sentinel to monitor files for suspicious activities, such as unauthorized user login information, remote logins from outside the secure region, and primarily attachments.

Microsoft Sentinel offers good visibility into threats because we can integrate it with both Defender for Cloud and Defender for Endpoint. We conducted a test to determine the extent of visibility achievable through Sentinel integration, aiming to identify the primary sources of attacks.

We also use Microsoft Office 365, Defender for Cloud, and Defender for Endpoint.

When it concerns cybersecurity, particularly regarding zero-day attacks, Microsoft tends to promptly release TVEs. These updates enable us to patch systems that are susceptible to specific zero-day attacks.

Sentinel allows us to gather data from our entire ecosystem. We can install connectors or an agent on the user's system, or we can do it manually.

Sentinel enables us to investigate threats and respond promptly from a unified platform. Upon receiving alerts, we can navigate to the corresponding tab for analytics, where we can initiate an investigation to view comprehensive details about the threat's origin and its interactions.

It has assisted our organization in enhancing our preparedness and thwarting phishing emails and attacks. We encounter attacks on a daily basis from individuals attempting to execute scripts via websites. Every month, we can conduct simulations to train our personnel in recognizing and evading threats. Sentinel is particularly effective in mitigating risks posed by employees who click on dubious email attachments.

Sentinel assists in automating routine tasks and identifying high-value alerts. Although I haven't extensively used it, playbooks can be employed to create automated responses for alerts and to resolve them.

It assists in eliminating the need to utilize multiple dashboards. We configured one of our servers as a honeypot, enabling us to observe all access and related details from a unified dashboard.

The threat intelligence assists us in preparing for potential threats before they occur and taking any necessary proactive measures. When a potential threat is identified, we are also given recommendations on how to proceed.

Sentinel has helped decrease our time to detect and respond. The automation has reduced the time I spend on low-level threats, allowing me to focus on the priority threats.

Microsoft Sentinel comes preloaded with templates for teaching and analytics rules. we can also create our own.

We need to continually test and define analytics rules due to the possibility of triggering false positives if we simply use the preloaded templates and neglect them.

We attempted to integrate our Microsoft solutions, but we occasionally faced problems when connecting with other systems. While it functioned effectively with Linux and Unix systems, a Windows 11 update led to complications. Sentinel was unable to capture essential logs on certain computers. As a result, we were compelled to create two SIEMs using Splunk and QualysGuard. This was necessary because certain operating systems experienced issues, particularly after receiving updates.

Although Sentinel is a comprehensive security solution, it could be more user-friendly. When I started using it, it was a bit confusing. I think that certain features should be placed in separate tabs instead of being clustered together in one place.

The KQL query does not function effectively with Windows 11 machines, and in the majority of machine-based investigations, KQL queries are essential for organizing the data during investigations.

I have been using Microsoft Sentinel for two years.

I have not experienced any stability issues with Microsoft Sentinel.

Scaling is straightforward. For instance, if an organization opts to establish a new department and intends to add ten machines to that department, all that is required is to create a new load analysis workspace, incorporate the machines into that workspace, and subsequently link it to Sentinel.

Microsoft Sentinel requires an E5 license. When considering this from the perspective of a large enterprise organization, the cost might be justified. However, for smaller organizations, it is comparatively expensive when compared to other SIEM and SOAR solutions. Open-source SIEMs like OSSEC are also available. These can be integrated with other open-source tools to address similar issues as Microsoft Sentinel, often at minimal or no cost.

I would rate Microsoft Sentinel an eight out of ten.

Our Microsoft security solutions both cooperate and have limitations in working seamlessly together to provide coordinated detection and response across our environment. The individual who initially implemented these solutions did so in a manner that prevents us from accessing all the necessary information to effectively utilize Sentinel with a single administrative account, as intended.

Most of our servers are on-premises but we have two that are connected to Defender for Cloud. Those are mostly pickup servers.

Microsoft takes care of the maintenance for Sentinel.

Using a best-of-breed strategy is superior to relying on a single-vendor security suite. I have observed while working with Splunk and QualysGuard, that they are capable of detecting certain low-level threats more promptly than Sentinel. Occasionally, these threats manage to slip through when using Sentinel.

Microsoft Sentinel is a commendable solution, and its value justifies the cost. However, it should be noted that it comes with a significant price tag. Therefore, any organization considering implementing this solution should ensure they are financially prepared for it. I strongly advise obtaining certification and acquiring proficiency in using Sentinel. It is an excellent tool equipped with numerous features. Unfortunately, many users remain unaware of these features or lack the understanding of how to utilize them effectively. It's worth mentioning that Microsoft Defender and Intune serve to further enhance Sentinel's capabilities, elevating it into an even more powerful tool.

I work as a security team leader and consultant in the Netherlands. Additionally, I am the main architect for my organization. Our current focus is on building our own Security Operations Center for media entities, and we offer this service to our customers as well. Our solution ensures zero bypasses and integrates the XDR suite of our clients. Therefore, any customer looking for the same solution can benefit from our expertise.

Microsoft Sentinel has the potential to assist us in prioritizing threats across our entire enterprise. However, its effectiveness relies heavily on the quality of our analytics roles. If we have appropriate alerts in place, we can avoid unnecessary noise. If we can accurately prioritize incidents and assign the appropriate level, it will significantly aid us. Additionally, automation can help analysts make informed decisions by consolidating incidents and alerts.

I have completed many customer integrations. Currently, I am working with one of the largest healthcare retailers and a very large insurance company. They have a variety of other products, such as effective AI, Infoblocks, and Akamai as a last resort. Our goal is to consolidate all the alerts from these products into Sentinel, which sometimes requires processing or editing. We refer to this as social editing, which essentially means fixing issues. Ultimately, our objective is to have a comprehensive overview of everything in a single dashboard.

The effectiveness of the integrated solutions that work together natively varies. At times, a data connector may work well, while at other times, it may not. I have noticed that Sentinel has significant potential for the development of data connectors and passes. This observation is due to one of my customers requiring a considerable amount of additional processing for data connectors, which prompted us to make a request to Microsoft. Currently, we are pleased to see that Microsoft is integrating this functionality. On the other hand, we also have plans to work with a local collector that involves parsing logs and collecting log data using custom parsing services.

The effectiveness of integrated security products in providing comprehensive threat protection is improving. However, there is a risk of overlap in the functionalities of Microsoft's various products, leading to duplicate alerts or unwanted charges. Nonetheless, compliance is improving. Additionally, the endpoint portal is starting to function more like an application portal for multiple products. Using only the Defender portal instead of Sentinel would benefit many customers at present, though additional sources may provide added value. There are also many developments in this area worth exploring.

Microsoft Sentinel has the capability to collect data from our entire ecosystem, but it comes with a cost. As the head of IT, I would have the ability to obtain any sensitive data that I need. If there is a substantial amount of data, I can handle it. However, we need to establish a use case for the data before proceeding, as it could become too expensive for us to handle. Therefore, we will not be ingesting all the data available.

Microsoft Sentinel allows us to investigate and respond to threats holistically from a single platform. This capability is powerful because we can create our own queries, and the language used is user-friendly. However, we must ensure that the data in Sentinel is properly structured. This means ensuring that our timestamps are consistent and accurate and that the quality of our data is high. By doing so, querying becomes easy and effective.

If we have a background in Azure, then it's relatively easy to understand the SOAR capabilities since it's built on Azure foundations and logic apps. This makes it more powerful.

The cost of Microsoft Sentinel is reasonable when compared to other SIEM and SOAR solutions. While the cost of ingestion may be high, the platform offers numerous capabilities for automation, alerting, monitoring, and operations. Therefore, we are receiving good value for our investment, even though it may not be the cheapest option on the market. Microsoft Sentinel's ongoing development of new features justifies the price point. For example, I compared it to a customer who used Splunk last year, and Splunk was more expensive and had fewer features.

Sentinel assists in automating routine tasks and identifying high-value alerts. For instance, we can configure it to automatically detect risks on specific accounts and receive notifications through an automatic inbox. While we exercise caution in implementing automation, we can leverage it during hours when staffing is limited to ensure timely and appropriate actions.

Sentinel's threat intelligence helps us prepare for potential threats and take action before they can impact us. Obtaining threat intelligence feeds from Microsoft would also be beneficial. We may eventually need to acquire an Excel feed, either from Microsoft or another source, but we must ensure that these expenses provide tangible value. I believe that the machine learning used by Microsoft Infusionsoft provides valuable threat intelligence with reliable patterns.

I've noticed that some customers are using on-premises environments such as Oxite for this particular task. However, since we're on a cloud platform, we don't have to handle and operate the systems as much because they are cloud services. This allows us to focus on the platform, the content, and making it work. The integration with Microsoft works well, and we can use similar queries in Sentinel as we do in Defender for Endpoint, which saves us time.

If we compare the current situation to that of five years ago, we can see that every company was spending less on this type of product because the threat wasn't as significant. However, over time, we have witnessed a significant increase in cyberattacks. As a result, every budget has been increased to address this issue. Therefore, in my opinion, Sentinel is not merely saving money; rather, we are utilizing our resources more efficiently.

I believe one of the main advantages is Microsoft Sentinel's seamless integration with other Microsoft products. This means that if we need to work with customers who already use the entire defense suite, we can easily collaborate with them. Additionally, the KQL language created is very robust and has a manageable learning curve for those who already have some experience. Furthermore, we can use KQL in other Microsoft platforms, making it a versatile tool. The AI aspect is also noteworthy, as it utilizes existing resources in Azure. For instance, if we have previous experience building Azure functions or using wireless technology, we can incorporate these skills into our playbook development in Sentinel.

Microsoft Sentinel provides visibility into threats, and the incident alert display has improved. However, I don't believe it is efficient or pleasant to work with, especially for specialists who work with it all day. We are considering putting our incident alerts into ServiceNow first, which would improve instant handling, logging, and monitoring, and streamline the investigation process. This is a potential area for improvement, but currently, the system is workable and easy to use. I understand that improvements are in progress, and I expect the system to get even better with time.

When we look at external SOAR and orchestration platforms, we have a better overview of all the rules, their behavior, and the correlation between them. From a technical perspective, it works well, but from a functional overview, there's room for improvement. For example, we need a clear understanding of what playbooks we have in our SOAR capabilities. Currently, we have a long list, and we need to know what each playbook does. If we want to add some playbooks in Azure, we need to consider the playbooks that we have in Azure that are not related to any schedule. This can make the environment a bit messy. While building them ourselves, we can have a clear understanding of the why, what, and how, but it can be complicated to know which playbook does what at a given moment or what role it best fits.

Currently, the watchlist feature is being utilized, and although there have been improvements, it is still not fully optimized. When examining the watchlist, it appears that it is not adequately supported in Sentinel's repository feature. As a result, we are constantly having to find workarounds, which is functional but require more effort. It is possible for Microsoft to improve efficiency, but they have not done so yet. 

I have been using Microsoft Sentinel for three years.

Last year, there were some issues with Azure Sentinel, which is a specific service within the Azure platform. These issues affected the performance of Sentinel and caused some concerns. While the situation has improved, there may be further challenges as the platform continues to grow. As a cloud service, there is a risk of outages, which can be difficult to address. Overall, there are currently no complaints about the stability of Azure Sentinel, but it is important to stay vigilant about potential issues that may arise.

Sentinel's scalability is impressive. Currently, we have not encountered any limitations. While there may be a limit on the number of rules with a large amount of data, we have not reached that point. The system performs well, aided by the basic and archive loss features. In the event that those features are insufficient, we still have additional options available. Overall, I believe that Sentinel is highly scalable.

We used to utilize ArcSight Interset, an outdated on-premises product that wasn't suitable for our move to the cloud or offering services to our customers. Since we mainly use Microsoft products, we switched to Sentinel enthusiastically. Sentinel is a perfect fit for our organization.

The initial setup was straightforward and adoption was fast. Currently, our approach within the organization is, to begin with a simple implementation and ensure it is functional before incorporating more complex integrations. We started with basic tasks such as editing data files and integrating on-premises data responses. Once we have established a solid foundation, we will build upon it to create a more advanced version.

If we take all areas into account, we would need a considerable number of people for deployment. I believe we would need around 15 to 20 individuals, including engineering consultants, ServiceNow personnel, and others.

I give Microsoft Sentinel an eight out of ten.

We use the entire range of security measures except for Defender for IP. This is similar to how we use Defender for servers. In Azure, these measures are used on the front-end point, server, and callbacks. As for our customer implementations, I am responsible for carrying them out. For our own laptops, we have a strategy where we use Carbon Black instead of Defender for Endpoint. However, we still use Defender AV, and for other cloud applications, we use Defender for Office 365. The reason we continue to use Carbon Black is due to its legacy status.

Sentinel is a cloud service platform that is particularly useful for those who require sizable, scalable, and high-performing solutions.

Sentinel always requires some maintenance, which includes examining the ingested data to determine if it is being used for a specific purpose. It is important to evaluate the amount of data being stored and ensure that we are paying the correct price. Additionally, any necessary updates should be made to patch up any queries. These actions will result in improved efficiency and effectiveness.

The choice of the best-of-breed solution depends on the company's specific needs, but given the shortage of skilled personnel in many organizations, managing multiple products can be challenging. If we opt for a best-of-breed solution, we may end up having to maintain expertise in several different areas. On the other hand, choosing a single vendor, such as Microsoft, can be advantageous in terms of discounts, support, and skill maintenance. Our experience suggests that when evaluating a solution, it's essential to know the requirements, risks, and desired outcomes beforehand, rather than trying to ingest all available data, which can be costly and inefficient.

My client has a huge environment in Azure. They have around 30,000 resources spread across the globe. They also have a huge presence on-premises itself. So, for on-prem, they have a SIEM solution already in place. But for the cloud, they didn't have anything. So, basically, no visibility into any kind of attacks or any kind of logging or monitoring in the cloud. We could not scale up our on-prem counterpart for it due to various reasons of cost and how much resources it would take. Microsoft Sentinel seemed like a pretty good solution since it's cloud-native, it's hosted by Azure itself. So we went ahead with the solution.

Microsoft Sentinel has given us great visibility into our cloud workloads and cloud environment as a whole. And not just that, but even, in fact, with the MCAS and email-security solutions also. We get a lot of visibility into what kind of emails we are getting and how many of them are malicious versus legitimate. From a visibility and compatibility perspective, it's really a nice product to have as a SIEM solution for your cloud environment. In fact, we have integrated this with our AWS, as well. At this point in time, it's just one account, but we plan on expanding more. So all the logs from our AWS environment flow to the solution. Microsoft Sentinel performs the analytics and gives us the alert for that.

The comprehensiveness and coverage of multiple different solutions, on-prem solutions, and cloud solutions, are the two aspects, Microsoft Sentinel really has an edge over other products.

Visibility into threats is above average. Since I also went through some slides of Microsoft and they receive a lot of telemetry because of their Windows platform, because of Azure. What I saw in those slides is that they benefit from this telemetry and create a rich threat-intelligence, kind of a backend service, which supports Sentinel and literally enriches the detection capabilities for Microsoft Sentinel.

Correlation is something that helps us instead of looking at every single alert. So, if we get a phishing email and five users click on it, instead of going through five individual detections, it correlates all of that and presents it in one single incident correlating all these five events. So, in terms of that correlation, it is pretty good. In terms of responding to these alerts, I know there is some automation. There were multiple calls with Microsoft when we were setting up this solution. They showed us how we can do this and they gave us a demo, which was really nice to see the automation. But from the response point of view, we haven't enabled any automation as of now because we are still in the nascent stages of setting this up. We have done multiple integrations, but, still, there's a lot of ground to cover. So, the response is something we would look at last. I think the response side also has a lot of automation and correlation, but we haven't worked on that as of now.

The time to detect and time to respond has been reduced considerably. Detect, because the analytics that is done by Microsoft Sentinel is near real-time, and response is based on us. So, when we see the alert, we respond to it, and we wait on the teams to receive an answer. Previously, the SOC guys were doing this. It was really slow and, sometimes, proceeded at a snail's pace. With Microsoft Sentinel, at least one part of it got addressed, which was running these queries with the SIEM and getting to analyze multiple events to go onto a specific security incident. That time has been saved by Sentinel. I would say 20 to 30% of the time to respond and detect has been saved.

In terms of Microsoft Sentinel, I think a large part of it has been automated by Azure itself. From a customer point of view, all you have to do is just run some queries and get the data. In terms of connections or the connectors for multiple data sources or multiple log sources, it's very easy to just set it up, be it Azure-native services or something customized, like some connection with the on-prem servers or things like that, or even connections with the other cloud platforms, such as AWS. The connectors are really one thing I appreciate. I think it sets Microsoft Sentinel apart from other solutions. Apart from that, the analytics that it performs and the built-in queries that it has, are valuable. A lot of automation on part of Microsoft Sentinel is really commendable.

Microsoft Sentinel definitely helps prioritize threats across our enterprise. I think Microsoft Defender for Cloud would also come in when we talk about this because Microsoft Defender for Cloud and Microsoft Sentinel work in conjunction with each other. We can set it up that way so any alerts that are found in Microsoft Defender for Cloud are forwarded to Microsoft Sentinel. Then, the prioritization is set based on the standard criticality, high, medium, low and informational. So, from our sense, what we can do is, we can simply target the high incidents.

Another thing is that it very efficiently correlates all the events. So if multiple emails have been sent from a single email ID, which is supposed to be a phishing email, Sentinel identifies it, flags all the emails, and it can very beautifully track all of it from their console such as who clicked it, when did they click it, which ID was it, who received it. So, in terms of all that, correlation also helps us prioritize those events.

Prioritization is important. If we have a bunch of alerts and we started investigating some alerts that are not of that much value, some alerts would get ignored if the prioritization was not set correctly. So if it's a phishing attempt and, in another area, we find that there's a brute-force attack going on, we would first want to address the phishing attempt since, in my opinion, in my experience, the probability of getting a link clicked is high rather than a password getting compromised by a brute-force attack. So, in those terms, prioritization really helps us.

Microsoft Sentinel definitely enables us to ingest data from the entire ecosystem. Microsoft Sentinel has around 122 or 123 connectors. Although we haven't set up the solution for our whole ecosystem, be it on-prem, Azure Cloud, AWS cloud, or any other cloud for that matter, looking at the connectors, I feel like there's a whole lot of support, and possibly, we can cover our whole ecosystem, with some exceptions for some solutions. Exceptions are always there. From a coverage point of view, I think it's pretty good. We can cover at least 80 to 90% of our ecosystem. Obviously, it comes at a cost. So at that point in time, it could get very costly. That is one downside.

From the SOC point of view, everything depends on how good the data you are ingesting is and the amount of data you are ingesting. So, the more data we have, the better insights we would have into what activities are going on in our cloud environment, and in our on-prem environment. So it's very critical to have the right data ingested into things like Microsoft Sentinel. Otherwise, you could have a great solution but an ineffective solution in place if you don't have data ingestion configured in the right manner.

Investigations are something really remarkable. We can drill down right to the raw logs by running different queries and getting those on the console itself.

The number one area of improvement for Sentinel would be the cost. 
At this point in time, I feel like, simply because we are a huge organization spread across the globe, we can afford it, but small and medium businesses cannot afford it. Maybe it's not meant for them? I don't know; that's a debatable topic. But even for organizations like ours, a problem that we face and for some of my other friends that I have talked to, it's a great solution, but we cannot deploy it everywhere because, frankly, we overrun our budget.

One thing that would really help or benefit would be the alerts that get thrown up. I've seen multiple alerts. For example, external file activity or external user activity. I open those alerts and there is absolutely no information in them. If there's external user activity, then who is that user, what is something that they are doing, how did Microsoft Sentinel detect this, or what were the analytics based on this outcome that it was a malicious activity or there was something anomalous or something like that? There is some particular type of alerts where a bit more data enrichment would help us.

The alerts get thrown out, and this is something we generally see with any kind of SIEM or any kind of other detection-based solution. For example, in an EDR solution or a vulnerability solution, the typical problem is alert fatigue. We get so many alerts that we start to see a large amount of them, and then we don't know where to start. Although here, we have the prioritization already shared by Microsoft Sentinel, so we have a starting point, but then it never ends. Perhaps tweaking and reducing the number of alerts that get thrown out, and enriching those alerts with more data would help. A lot of these alerts are just very normal things. They are not security incidents in their truest form, but it does take up our time just viewing those alerts. And sometimes, it also lacks a lot of information, like who did what, at exactly what time, and why did Microsoft Sentinel think that it was a malicious incident. That is one question I see a lot of times myself and don't get an answer for, like, "Okay, I get this a lot, but why do you think it's a security event?" So, enriching those alerts with more data might be a good area of improvement for Microsoft Sentinel.

The number of dashboards is something we complained a lot to Microsoft about, "You have great solutions, but you have a different console or a different dashboard for everything. So, as a person who is responding to these alerts, it really becomes overwhelming juggling between multiple different screens, dashboards, tabs, and windows." They have acknowledged this and they have mentioned to us that a lot of other customers made the same complaint and they're working on integrating these dashboards. So, for example, if you are using Microsoft Defender for Cloud, in one click you can reach a Microsoft Sentinel page wherein it would show you the raw logs. It sometimes gets overwhelming viewing the same alert on multiple different dashboards. In one sense, if I had to give an example, you might see an alert on Microsoft Sentinel, but it won't have much data to it. To drill down to the very specific raw data, you would have to go to some other console. You would have to go to the source of that event or detection, be it Microsoft Defender for Cloud, MDI, or MCAS. So in those terms, we have to sometimes juggle through all these dashboards and tabs of multiple solutions.

I have been using the solution for eight months.

I think the solution is pretty stable. I didn't see any aberrations or anomalous behavior of Microsoft Sentinel. And that's the benefit of having a managed service. Downtime is quite less. Especially from providers like Microsoft. With Microsoft Sentinel, we didn't feel like there were any hiccups in the operations or any sort of problems we faced with the solution, as of now.

This is something good about having a managed product, you don't have to worry about scaling. And this is exactly the problem we felt with our existing on-prem solution LogRhythm: the scaling was not possible because of the cost included. With Microsoft Sentinel, you have to pay extra, but you don't have to worry about setting up more servers, configuring them, patching them, doing all the maintenance, and doing additional administrative work. The solution is pretty scalable.

Based on our interactions at the time of setup, after that, we didn't really require that much assistance from Microsoft. So, at the time of setup, they really helped us with insights and with decisions that we had to take based on our organization type and how we work. We have teams distributed globally across multiple time zones, and similarly, we have data and operations distributed all over the world. So this becomes a challenge when dealing with anything related to IT. So, Microsoft did really help us with setting it up. From a technical-assistance point of view, at the initial stages, it was a good experience.

Neutral

Our on-prem solution is LogRhythm and the reason we decided to add Microsoft Sentinel was scaling up of LogRhythm would have been a huge cost to us. Because right now, on-prem LogRhythm is running on multiple VMs, so their cost structure is very different. If you run the same setup on Azure, it's just an exorbitant amount of money. So that was one factor that we chose not to scale up LogRhythm to our cloud environment and looked for some other solution. The other reason we went for Microsoft Sentinel was that it is cloud-native. Since it's a managed service from Microsoft and from Azure themselves, not just time but also a lot of responsibility on our end gets transferred to the cloud provider of just setting up and maintaining that infrastructure, updating and patching all those systems, and doing that maintenance work. That overhead gets taken off our heads. That's why we were looking for a cloud-native solution. And hence, in our comparison, in our multiple rounds of discussion with internal stakeholders within the cybersecurity team, Microsoft Sentinel seemed like a perfect fit, so we went ahead with the solution.

The initial setup is pretty straightforward. We didn't face many problems or complexity. We had everything running in a couple of weeks. The deployment was just me and one other person from the security team. She had a lot more experience with Microsoft 365 and the MCAS side of things. And I was more from an Azure infrastructure point of view, Defender for Cloud and the like.

We started the deployment from scratch and we brought on Microsoft for assistance. We already have a huge presence in Azure, so we already had a Microsoft contact. We reached out to them. We mentioned that we want Microsoft Sentinel on board. We got in touch with their own cloud security and Microsoft Sentinel experts. They advised us, but I can say all the setup and all the operational side of things we did because if Microsoft did it then that would be handled by the consulting arm of Microsoft and that would be a full-fledged project, which would have its own cost. So Microsoft had to play a role as an advisor. We used to get about four IT calls to set it up. Whatever Microsoft recommended us to do, we went ahead with that.

First of all, we enabled everything that was free of cost. When you onboard Microsoft Sentinel, you pay some fee for the solution itself, and with that, you get some free connectors. So Azure AD sign-in and audit logs are one thing, Azure activity logs, and Microsoft Defender for Cloud are another. All these integrations don't cost anything extra over and above. So we started off with integrating all of that, and later on, slowly and steadily, we scaled up our integrations. There's still a lot of ground to cover. We aren't there yet with what we envisioned initially.

At this time I don't have an answer about a return on investment but it is something we have been contemplating inside our own team and we have been thinking of since we talked about how good a solution Microsoft Sentinel is. We cannot enable it across the organization, so we are thinking about creating a story of how much value, not in just terms of money but how much value in terms of security has the solution brought for us, and communicating this idea to other stakeholders in other teams and probably to the leadership, and maybe getting a little more budget for this project.

Microsoft Sentinel is definitely costly. If we factor in the cost of other services, MCAS, MDI, and Microsoft Defender for Cloud, it gets seriously costly, to the extent that we cannot enable it across the organization. It simply overshoots the budget by a huge margin. When talking about the Microsoft Sentinel piece itself, let's say we have set up custom integrations and it does not cost us that much, it is definitely costly. If we talk about log retention, then it is even more costly. Comparing it to the other solutions, in fact, when we started off with the SIEM solutions for the cloud, we did do a comparison between which one would be the best: the classic Splunk, like we used in our on-prem, or maybe Microsoft Defender for Cloud. So, for our use case, Splunk was also a bit costly but less than Microsoft Sentinel. We went ahead with Microsoft Sentinel being a cloud-native platform on our side, the effort would be a lot less. Splunk would require to be set up from scratch. From a cost perspective, Microsoft Sentinel is quite costly.

We compared Splunk with Microsoft Sentinel.

I give the solution an eight out of ten.

We have used and tested additional Microsoft solutions. At one point in time, we used Microsoft Defender for Identity, MDI solution, but it was for three to four months only. We discontinued it because it was more of an experiment and the guys from Microsoft gave us the license for that product for a limited time for testing. We were short on budgets, hence we could not leverage or we could not go ahead and purchase it. Another product was MCAS, Microsoft Cloud App Security. Primarily, we use Microsoft Sentinel. Microsoft Defender for Cloud is also used, but it has not been enabled on a lot of resources because it has a cost implication. So cost is a huge factor that we have to think about every time we do anything in security related to all these four products. 

Wherever it is possible, wherever we have identified some critical resources and we had the budget, we enabled Microsoft Defender for Cloud and then integrated it with Microsoft Sentinel. Integration is super easy for anything which is an Azure service. It's mostly about doing a couple of clicks or maybe running a couple of commands. For Azure-native services, it's very easy, be it integrating the Azure AD logs or Microsoft Defender for Cloud or things like that. If I remember correctly, I integrated Microsoft Defender simply by flipping a toggle on the console. So it was easy to integrate Microsoft Defender for Cloud.

The coordination among all these tools is really marvelous. Although my role is not exactly that of an incident responder or from a SOC point of view, if I was a SOC person or an incident responder, it really takes the load off of my work to look around and to correlate that, and open four, five tabs and just juggling through them and trying to make a story. Microsoft Defender for Cloud, Microsoft Sentinel, and MCAS, all of them do it for us. So you just have a single pane of glass. Although these are four different products and you sometimes do have to juggle around, but not to that extent. Many times, it happens that your job gets done with just a single pane of glass.

I think the coverage is comprehensive from a protection point of view for all these four, or five products from Microsoft.

The bi-directional sync capabilities of Microsoft Defender is an option that we get at the time of integrating the solution. This is exactly what I mean by using the toggle button to integrate Microsoft Defender for Cloud with Microsoft Sentinel.

I would say the sync capabilities are both critical and a nice add-on to have. Even if it's not critical and there was no sync between Microsoft Defender for Cloud and Microsoft Sentinel, we would still be doing our job of looking at two multiple portals. But since Microsoft does it for us, then it's really good to have. It takes the load off our shoulders and we could do other tasks and possibly look at more alerts instead of juggling through these portals between Microsoft Defender for Cloud, Microsoft Sentinel, MCAS, and MDI.

Investigations are something really remarkable. We can drill down right to the raw logs by running different queries and getting those on the console itself.
In terms of response, I do not have that much experience in automating the responses or letting Azure handle it, because we feel like the automation here might go wrong and we might have to face another incident caused by some sort of misconfiguration. So, at this point in time, we respond manually to the alerts. We don't use many of the response capabilities of Microsoft Sentinel. I did have a look at what I think, these are called playbooks, which are based on LogicHub. They do seem very promising, but we haven't used those functionalities as of now.

If I had to rank the three capabilities in terms of comprehensiveness, at the top would be SOAR. I would put threat intelligence and UEBA second. I haven't used both of these capabilities that much. We haven't enabled UEBA in our environment. Threat intelligence is the default one. Again, this is something we haven't enabled on a custom basis or something add-on; it's the default one that Microsoft provides.

In regards to proactiveness, I don't feel like there is anything proactive about the solution. It's mostly reactive. The nature of the whole SIEM is reactive: you analyze the logs, you get some alerts, and then you react to those alerts. I think in terms of prediction, I don't see it like that. But in terms of using threat intelligence, I definitely think that it really adds value when, for example, there's something legitimate in the email, there's something malicious. But when it comes to the unknown, when you cannot determine if it's good or bad, it adds value there, its threat intelligence, by simply stating that. Just a couple of days back, we had an alert that said that "URL was clicked," and it wasn't able to determine the nature of the URL: Was it malicious? Was it bad? So it gave us a low or an informational alert. Threat intelligence helps us in those situations.

The solution has saved us time in two aspects. A tremendous amount of time is saved in terms of integration. Nowadays every organization across any sector you talk about has a lot of IT solutions and security solutions in place. You talk about network devices, VPNs, security devices, these collaboration services, et cetera, all of these generate a lot of data integrating and investing all of that data into SIEM is really critical for the SIEM to function properly. That is something that Microsoft Sentinel does quite well. And I see that they are always working on not just creating those integrations but also making them very easy to configure, from a customer point of view. So, those integrations are one thing that I really like about Microsoft Sentinel. The second is the correlation of these alerts across multiple of these integrations. So, integrations and correlations are two aspects that I really like about the solution. I would say the solution saved me around 50% of the time. Simply, it's less of running the queries on a standard SIEM solution and more of clicking on the dashboards. So the typing time gets taken off and the loading time of getting the results back, and doing this over and over again with a typical SIEM solution, that has been absorbed, by the solution. Microsoft Sentinel does it for us. Our time has been saved in that sense.

I would say that, since the solution saved us time, and time is money, in that sense, the solution has saved us money. On the other, hand the solution's cost is such that it might have balanced out. So, I can say it saved us money in one sense, but I don't think it's because of the solution, it's because of how the processes are set up in our firm. When we find some detections primarily from Microsoft Defender for Cloud, we share it with the team and we get to know that "XYZ resource is not in use anymore," and it probably gets deleted. So, in that sense, resource getting deleted, obviously, would stop incurring the money and the extra cost that we would have been paying. In that sense, our money is saved, but I wouldn't really put Microsoft Sentinel there because if there was any other solution that would also do the same, the resource would eventually get deleted.

Microsoft Sentinel runs on top of Log Analytics. And right now, we have it just hosted in the European region, but logs get ingested from all over the world, and the logs are of all types. Such as Microsoft Defender for Cloud, Azure AD sign-in logs, audit logs, Azure activity logs, and MCAS. We stopped using MDIs. We also have AWS. From AWS, there is a couple of log types. I think it's the CloudTrail, and events around S3 buckets and Kubernetes, although we don't use Kubernetes. That is all that is configured as of now with Microsoft Sentinel.

Four people in our organization use the solution. We have a dedicated SOC team, two guys are from the SOC team: one is me, and one is another person who has experience with Microsoft 365, and two people from the cybersecurity team.

I don't think there is any maintenance required. But there is overhead administration. So far, what I have experienced, it's just about integration. If you have to get started with the integration, then that's the overhead administrative effort on your head. Otherwise, it's not much of a problem. Everything is pretty smooth and automated with regard to maintenance.

There's one guy in our organization who for some reason, doesn't really like Microsoft and its products. He thinks that it's a way for them to catch us in a net and then upsell all their services to us. But I have a different, opposing view. I think, yes, they do have their own strategy of upselling and cross-selling all their products and solutions, but I think they are pretty good when working with them with those solutions, be it Azure as a whole cloud service, or just one part of it like Microsoft Sentinel. It takes off a lot of overhead, also, in terms of when you want some support, since it's a one-vendor-based solution, they would be much more helpful to support you and give you the right resolution in comparison to having three different products from three different vendors. What happens is, more often than not, they all start blaming each other, and then there's a blame game going on, and we, as a customer, have to suffer with whatever problem we are dealing with. So, I would go with having one vendor's solution, provided the vendor is not the kind of vendor that just sees you as a cash cow.

The only advice I would give to someone is that when you are evaluating the solution, if possible, you onboard people from Microsoft so they can help you and guide you. It's their product, they know how to best use it. So you would be in a better position right from the get-go, and it would also save a lot of time and effort in case you did something wrong or you chose a bad design decision, which might end up wasting a lot of time in the future. So, one piece of advice I would say is, simply to onboard Microsoft and it won't cost you extra. I don't think it would cost you extra. If you are already using any good Azure service or Azure itself, then that could be possible with the help of the account manager and the relationship that you have already with Microsoft. 

I work for a security operation center. We use Microsoft Sentinel to monitor the tenants of our customers and provide automated investigations and feedback and alerting.

If something happens or if we get an alert, we also use it to investigate further. We do a deep analysis of the logs that we ingest from our customers. We also have many automation rules built into Microsoft Sentinel to reduce the noise and not-true positive alerts.

There is the ease of setup and ease of use. When we get new customers, we do not need to go onsite, build a system inside their on-premise network, and spend a lot of time setting up the systems. We can easily deploy a new Sentinel solution for a customer with automated templates, which benefits a lot in onboarding new customers. Because we have integrated it with many other security solutions from Microsoft, we can also perform many actions for which we otherwise would have needed VPN access or would have had to go to the customer site. So, the main benefit is that we can easily do anything from anywhere without having to spend much time setting up and onboarding.

We have combined it with other tools such as Microsoft 365 Defender Suite. With all tools combined and the customization that we have developed, we get pretty good insights into possible threats. It all depends on the logs you ingest. If you ingest the right logs, you can get very meaningful insights.

It helps us to prioritize threats across the enterprise. It does that in a very good way. It prioritizes the threats based on multiple factors. If multiple similar incidents happen or suspicious related activities happen at the same time, the incident gets a high priority because that's likely to be a real threat, but it also ingests the priorities that come from the other tools. You also have the ability to adapt priorities because each customer is different. Each business is different. We give our customers a standby for tickets that come in with priority two or higher. Microsoft Sentinel also gives us the chance to lower priority on some cases or upper the priority on some cases depending on the business use case of the customer.

We are a Microsoft security company, so we try to use as many Microsoft security tools as possible. We have Microsoft Defender for Cloud and Microsoft Defender for Office 365 as well. They are integrated into Defender 365 currently. We use the compliance portal. We use Microsoft Purview. We use Microsoft Sentinel. We use Microsoft Defender for Key Vault. We try to use as many security solutions as possible.

We have integrated these products with each other, and we have succeeded in it as well. Each product is at least integrated with Microsoft Sentinel by either using the way provided by Microsoft or a custom way to ingest data. We have integrated Defender 365 and other tools as well. We try to ingest alerts only from one place, if possible. We have integrated everything into one portal, and we ingest the data only from that portal. The integration for Microsoft solutions mostly works natively, but some of our customers have third-party solutions that we can integrate as well.

It's very important that Microsoft solutions work natively. When they work natively, you can have more built-in functionality for them. They are much more maintainable, and it does not take as much time to set up versus when you have to make a custom integration to something.

Microsoft Sentinel enables us to ingest data from the entire ecosystem. We can make custom integrations. If you have Linux machines or on-premises networks, you can set up a log forwarder inside the network and ingest the data that way into Microsoft Sentinel. There are many possibilities to ingest data from all locations, which is necessary for an XDR/SIEM solution. This ingestion of data is one of the most important things for our security operations because if we cannot ingest any data, we are partially blind on that side.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place. You do have to learn the KQL language, but it's similar to many other languages that are created by Microsoft or adopted by Microsoft. It's not that hard to learn. If you know it well, you can easily perform analysis on a whole bunch of data, whereas without Microsoft Sentinel, you would have to perform the analysis at many different places. Microsoft Sentinel gives you the possibility to do it just in one place.

We do not use all the functionalities of Microsoft Sentinel. For example, hunting queries are something that we do not use often, but their threat intelligence is updated quite regularly. We have tried it in Purview, which is a separate threat intelligence license that you can buy from Microsoft, but Microsoft also provides basic rules that alert on multiple threat indicators they detected earlier. They are very useful at the beginning sometimes. You have to remove those rules yourself as soon as they get outdated. The alerting that we get out of the threat intelligence provided by Microsoft itself has been valuable many times for our use cases.

Microsoft Sentinel helps automate routine tasks and the finding of high-value alerts. If we see many recurring alerts that are always suspicious but not really malicious, we can build our own automation rules that auto-close these alerts or automatically lower the priority on those alerts so that we are not getting too many notifications from alerts that are not worth investigating. It's really easy to do that. You can do it in many ways. To do the automation, there is a user-friendly interface. There are just drag-and-drop steps. It helps a lot, and it's easy to implement as well.

It has helped to eliminate having to look at multiple dashboards and have one dashboard for the analysis part, but for the response actions, it hasn't eliminated that because we have to log on to the Microsoft Defender security portals to perform most of those actions. For the analysis part, the alerting part, and the automated investigation part, this is the solution.

Its threat intelligence helps prepare us for potential threats before they hit and take proactive steps. For example, as soon as the Log4j vulnerability was known to the public, we immediately got alerts. We were able to take immediate action and remediate the vulnerability. We immediately knew how to prioritize our customers because we knew which customers already had active exploitation. Most of the time, such attempts were blocked, and if they got through, then the machine was luckily not really vulnerable, but it has been very helpful at that point to immediately assess the criticality for our customers. The attempts were not successful for many reasons. It also blocked them immediately.

It has saved us time. Especially because of the automated investigation part, it saved us a lot of time. We also have automated reporting, which also saves a lot of time each month. We provide our customers with a monthly report. If we had to do it manually and gather data from many different places, it would take a lot of time. Even if we had to fill it in manually in Microsoft Sentinel, it would take a lot of time, but because Microsoft Sentinel already ingests all of the data we use in our reports, we were able to write an integration with Microsoft Sentinel, which takes care of 75% of our reporting, and then we only have to do our analysis part. The data is already filled in, which saves a lot of time each month. The time savings went from one day per customer to one hour or two hours. For nearly fifteen customers, it was fifteen days, and now, it's 30 hours, which is more or less four days. It saves a lot of time each month that can now be spent on improving our service or performing deeper investigations on newly known threats and proactively act on them.

It hasn't reduced our time to detect because we have been using Microsoft Sentinel from the beginning. So, we always had the same response time because we only used Microsoft Sentinel for our alerting. It integrates well with Atlassian tools and ServiceNow tools, which gives us the ability to be alerted very fast on something, and then we can act immediately.

It's easy to use. It's a very good product. It can easily ingest data from anywhere. It has an easily understandable language to perform actions. You can use the entire Azure cloud to perform automated actions and automate investigations. The possibilities are more or less limitless because you can integrate Microsoft Sentinel with many resources inside the Azure cloud. If you integrate the security tooling with it, you can also make use of the data that Microsoft gathers from all Windows operating systems about malware, for instance, or about possible attacks. They ingest that data from so many sources, and you can make use of it. It helps a lot in discovering new vulnerabilities. We can almost immediately investigate them because Microsoft is always on top of things.

Threat intelligence could be better because we have had some cases where we got alerted online for many things all of a sudden. It was because some updates happened in the background, and we didn't agree with the use cases or how they were built. That part of threat intelligence could be a little better.

We have also had incidents where other tooling got an update but Microsoft Sentinel didn't update.

Microsoft Sentinel is a simple and straightforward solution. It could have a better API to be able to automate many things more extensively and get more extensive data and more expensive deployment possibilities. It can gain some points on the automation part and the integration part. The API is very limited, and I would like to see it extended a bit more.

We have recently turned on the bi-directional sync capabilities of Microsoft Defender for Cloud. It works pretty well, but sometimes, it just syncs only the incidents and not the alerts behind them or the other way around. That was the only thing. That was a recent complaint we had. Other than that, it works well.

I've been using Microsoft Sentinel for nearly two years.

It's very stable. We have many different Microsoft Sentinel instances running. Apart from some cleanup and maintenance, they all are running without any issues.

It's very scalable. As long as you send the right logs, it can ingest them perfectly, but, of course, the more logs you ingest, the higher the price, so you have to be very careful and very concerned about the logs you are ingesting in Microsoft Sentinel. You have to make sure that the logs that you ingest provide value for your security and are not useless.

I have not contacted them regarding Microsoft Sentinel, but I have contacted them for other solutions. Sometimes, we can't figure something out ourselves or we have questions about the new features that are made public. If we have a question or need assistance in any way in providing support to our customers, we can count on support to help us. I have not had a bad experience with them. We are also a Microsoft partner, so we get quick replies and have direct contacts within Microsoft sometimes for some cases. If we need support, they always help us very well.

Overall, I would rate them a seven out of ten because sometimes, they take a long time or you get redirected many times to another colleague before the issue is resolved, but in the end, they always help us out, and everything is fixed.

Neutral

In my previous job, we worked with local or on-premise systems, but the security monitoring was not that strong at that time. This is my second job, and in this job, I've only worked with Microsoft Sentinel.

I worked on one of the deployment scripts we use for our customers, but I was not involved in its initial deployment. I deployed it once for a customer by using the Azure resource manager template that I built. It was rather complex because the documentation was not up to date or correct at that time. When working with Microsoft Sentinel, sometimes the documentation is not as up-to-date or complete as it should be in my opinion.

The number of people involved in its deployment depends on the size of the customer, but usually, one or two people from the team do the deployment. One person works on the deployment of Microsoft Sentinel, and the other one usually works on the deployment of other components, such as analytics, automation, etc.

It does require maintenance. In order to stay up to date and keep evolving on the threat landscape, you have to keep looking for new analytic rules, new investigation techniques, and new automations. You have to constantly improve your Sentinel in order to stay on point and detect and have complete detection scenarios. Sometimes, the rules that are provided by Microsoft or the settings or conditions that are provided by Microsoft get deprecated or get a new update. You have to follow that up as well in order to stay up to date with the things Microsoft changes or recommends.

If you want to use Microsoft Sentinel, you should start thinking about the logs that you want to ingest. You should identify the ones that are important and also think of the use cases and what you want to detect from those logs. If you make the right choices on these two things, the setup and the integration with other tools will be very easy because you know from where you want to ingest logs and you know how to create analytics rules, automation rules, and things like that to detect the things that are critical or important to the security of your business.

To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that with a single vendor, we can integrate everything like a single product. We use Azure Active Directory, so we can easily secure authentication across multiple products and manage access permissions. On top of that, we have a single pane of glass where we can investigate and perform analysis in a very easy and user-friendly way, which saves a lot of time. We don't have to click through many different portals and know where to look each time. We don't have to learn the configuration, the setup, and the actions we can perform in each system because everything has the same interface. We only have to learn the things that Microsoft provides and not different products. The single pane of glass saves time and makes it much easier to investigate and respond and secure the environment.

Overall, I would rate Microsoft Sentinel an eight out of ten. I'm very happy with it, but no product is perfect. It can improve on some points, but overall, it's very good.