Mahmoud Hanafi - PeerSpot reviewer
IT Operation Manager at Orascom Construction Industries
Real User
Top 5
Comprehensive with good automation and prioritizing of threats
Pros and Cons
  • "The Log analytics are useful."
  • "I would like to see more AI used in processes."

What is our primary use case?

We have possible use cases for the solution. We have ten or 12 different use cases under this solution.

What is most valuable?

The Log analytics are useful. You can review many details. 

The portal and the full integration and collaboration between the cloud workloads and multi-tenants have been useful. We can use it with SharePoint and Exchange.

The solution helps us prioritize all of our threats. It's one of the most important and critical systems we have here. 

We have a lot of Microsoft solutions. For example, we also use Defender for endpoints and Microsoft Cloud. We mostly use Microsoft products, although we also use CrowdStrike.

It was easy to integrate Defender for Endpoint. Each of these solutions works natively together. It's very crucial that they work together. 

Microsoft is very comprehensive. It helps protect us and offers very clear information. It's easy to assess everything. It's a good user experience. 

We make use of Microsoft Defender for Cloud's bi-directional sync capabilities. We have different customers under our umbrella and multiple subsidiaries. Not all have access to the same license. We don't have the same security exposure everywhere. We can pick and choose who needs access.

Sentinel does enable us to ingest data from our entire ecosystem. This is crucial. That said, it can cost us a lot of money. We try to get feature visibility and enhance the collected logs to be able to identify only certain logs that would need to be uploaded. That said, it's very crucial we can ingest data from anywhere.  

We can investigate threats and respond holistically from one place, one dashboard. Having one dashboard is important as it saves the team from headaches. We can collect all the information we need in one view.

The comprehensiveness of Sentinel is good in that it helps us identify most of our gaps in security. In the last few years, we have been able to fill in most of the gaps.

Once we enabled the connectors and started getting incident reports to our dashboard we were able to realize the benefits of the solution. It took about one month to begin to get the value of this product.

Sentinel helps automate routine tasks and helps automate the findings via high-value alerts. We've been able to automate a lot of the cycle and leave the investigation to humans. Support is very crucial and we can take the right actions fast.

The product helps us prepare for potential threats before they hit and we can take proactive steps. We're very satisfied in terms of security operations.

Before implementing the solution, we didn't know we were wasting a lot of time. Once the solution was in place, we discovered a lot of gaps across the traditional way we were handling security. 

I can't say if we are saving money. However, we're investing in the right places. We're now utilizing services we actually need. From a business perspective, although it does have a cost, it's saving the business since it's protecting us from any security breach.

What needs improvement?

I'd like to see more integration with other technologies beyond the Microsoft OS. 

I would like to see more AI used in processes.

For how long have I used the solution?

I've been using the solution for three or four years. 

Buyer's Guide
Microsoft Sentinel
April 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: April 2024.
768,740 professionals have used our research since 2012.

What do I think about the stability of the solution?

The stability is not an issue. 

What do I think about the scalability of the solution?

We do have plans to increase usage. The solution has the ability to scale. 

How are customer service and support?

We have not opened a ticket for technical support yet. So far, we haven't had any issues. 

My understanding is that Microsoft does not have good support and has done a lot of outsourcing. In general, they used to be brilliant, as they were focused on customer satisfaction and engaged with experts; however, the quality is not as good.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We also use CrowdStrike as our EDR solution. However, before Sentinel, I did not use anything else in this category.

How was the initial setup?

I took part in the initial deployment. The process was very straightforward. It took about one week to onboard all that we needed. We did it in three phases. First, we did a demo and looked for items that needed to be addressed. We then onboarded the device and put the analytics and logs in place. 

We had a team of three on hand that handled the deployment. They also handle support and maintenance. 

What about the implementation team?

We initially had the assistance of Microsoft partners. However, we failed to get all of the information we needed. We found it more valuable to get assistance from the vendor directly. 

What's my experience with pricing, setup cost, and licensing?

I can't speak to the exact cost.

What other advice do I have?

We are a customer of Microsoft. 

During implementation, it's helpful to get the vendor engaged in the implementation. 

I'd rate the solution nine out of ten.

It's good to go with a single-vendor strategy. I've recommended this product to others.

The user experience should be the number one priority. Microsoft is working on this every day. It's very important to us that the user experience is maintained and there's no conflict between the products or connectors. Having one dashboard makes it easier for admins and businesses to be in touch, engage, and share. For example, my manager can see my reports even if he's not knowledgeable in the technology.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Cyber Security Operations Analyst at a financial services firm with 5,001-10,000 employees
Real User
Top 20
Provides good visibility, integrates with different log sources, and supports automation with Playbooks
Pros and Cons
  • "Microsoft Sentinel provides the capability to integrate different log sources. On top of having several data connectors in place, you can also do integration with a threat intelligence platform to enhance and enrich the data that's available. You can collect as many logs and build all the use cases."
  • "We do have in-built or out-of-the-box metrics that are shown on the dashboard, but it doesn't give the kind of metrics that we need from our environment whereby we need to check the mean time to detect and mean time to resolve an incident. I have to do it manually. I have to pull all the logs or all the alerts that are fed into Sentinel over a certain period. We do this on a monthly basis, so I go into Microsoft Sentinel and pull all the alerts or incidents we closed over a period of thirty days."

What is our primary use case?

We use it for security. It's at the forefront of managing the security within our organization. We use the platform as our main SIEM for enterprise security whereby we have several tools that feed into Microsoft Sentinel and then from there, we have the use cases. It's a major tool for security monitoring within the enterprise.

How has it helped my organization?

Microsoft Sentinel provides the capability to integrate different log sources. On top of having several data connectors in place, you can also do integration with a threat intelligence platform to enhance and enrich the data that's available. You can collect as many logs and build all the use cases. 

Microsoft Sentinel helps to prioritize threats across the enterprise. We do threat categorization based on a risk-based approach. We categorize incidents as critical, high, and medium. The platform gives us the capability of categorizing the threats based on our assets' criticality and the type of data on our systems. At the end of the day, it does help in managing the threats within the organization. There are different levels of threats depending on the data that we have.

We also use Microsoft Defender for Endpoint. We have integrated Microsoft Defender for Endpoint with Microsoft Sentinel. Most of the alerts that come on our Microsoft Defender for Endpoint are fed into Microsoft Sentinel. We manage those alerts through Microsoft Sentinel, but when we are doing our investigations, we always leverage Microsoft Defender for Endpoint because we are able to do the investigation from the original source. Integrating a Microsoft product with other Microsoft products is not as difficult as integrating Microsoft products with other vendor applications. With the inbuilt data connectors that already exist in Microsoft Sentinel, it's much easier to do the integrations with the Azure environment and other Microsoft products. If there's no data connector, it's somehow tricky. If we have a data connector in place, it's better. We also need to do some customization of the data that we ingest because we need to have the right size of the data that we feed into Microsoft Sentinel because of the cost aspect. At the end of the day, we managed to do an integration of on-prem AD with Microsoft Sentinel via a platform that acts as a bridge between them.

Microsoft Sentinel and Microsoft Defender for Endpoint work together natively. The alerts are fed into Microsoft Sentinel seamlessly, but when it comes to investigations, you need to leverage Microsoft Defender for Endpoint to isolate a device and to see some of the timelines or actions that were done with that machine. You can't do that with Microsoft Sentinel.

Microsoft Sentinel allows us to investigate threats from one place, but it doesn't let us respond from one place. For responding, we need to narrow down the source of the threat. If it has been flagged from a Cisco perimeter solution that we use, such as Cisco Meraki, we need to go back and check in that platform. If it's flagging an issue that's happening on an endpoint, we need to go back to Microsoft Defender for Endpoint and do further investigation to respond.

Microsoft Sentinel helps to automate routine tasks. We have playbooks and once we establish a baseline or a routine task that needs to be done, we can just automate it through the playbook.

We have the Sentinel dashboard, but we still need other dashboards for other logs, such as from email. We can't see email logs from Sentinel. We still need a network security monitoring platform. It has helped us to secure 90% of our cloud environment.

With the integrations we have, its threat intelligence helps prepare us for potential threats before they hit and to take proactive steps. We get visibility into what's happening on the AD on a real-time basis. If there's any issue going on with the AD, we are able to fix that within the minimum time possible. It also helps with the visibility of different resources across the cloud environment. However, it can't do all that by itself. We also need other tools. 

It has saved us time. It has helped in handling most of the issues within the cloud environments or any misconfigurations done on the cloud environment. We are able to handle any issues within the shortest time possible. In terms of threat detection, I can give it a nine out of ten. If we didn't have Microsoft Sentinel, it would have taken us three to four days to discover a security incident that is happening or any security misconfiguration in the cloud environment. Within a week, it saves me about three days.

It has saved us money from a security risk perspective, but from a technology perspective, it hasn't saved much. The main value that it's giving to the organization is from a security perspective.

It has saved our time to detect, but that also depends on the original platform. If the original platform, such as Microsoft Defender, fails to detect incidents, then Microsoft Sentinel will definitely not flag anything. The feed that Microsoft Sentinel gets comes from other platforms. With better fine-tuning across the other platforms and with good integrations, it can really help.

What is most valuable?

Playbooks are valuable. When it comes to automation, it helps in terms of managing the logs. It brings the SOAR capability or the SOAR perspective to the platform with the high usage of Microsoft products within our environment. We are utilizing most of the Azure resources. Our AD runs on Azure. We have on-prem and Azure AD, so we have the integrations. At the end of the day, when we are managing the security, we have the capability of initiating some options from Microsoft Sentinel and directly to AD. We also have automation with Cisco Meraki. We have configured playbooks where if there is a suspicious IP, it blocks the IP.

What needs improvement?

Microsoft Sentinel needs to be improved on the metrics part. I've had an issue in the recent past while trying to do my metrics from it. It gives me an initial report, but sometimes an incident is created on Microsoft Sentinel, but you realize that when a lot of information is being fed from Microsoft Defender to Microsoft Sentinel, instead of feeding the existing alert, Microsoft Sentinel creates a new alert. So, metrics-wise, it can do better. It can also do better in terms of managing the endpoint notifications.

We do have in-built or out-of-the-box metrics that are shown on the dashboard, but it doesn't give the kind of metrics that we need from our environment whereby we need to check the mean time to detect and mean time to resolve an incident. I have to do it manually. I have to pull all the logs or all the alerts that are fed into Sentinel over a certain period. We do this on a monthly basis, so I go into Microsoft Sentinel and pull all the alerts or incidents we closed over a period of thirty days. I then calculate the mean time to detect and the mean time to resolve. I have to check when all the tickets were created, when they were handled by the analysts, and when they were closed. I do a manual metrics calculation after pulling all the data. I believe Microsoft can do better on the metrics side of Sentinel. They can provide monthly reports. If I want to submit the reports to my senior management, it will be much easier for me to pull the data as a report. Currently, you can't pull any reports from Sentinel. It would be helpful if they can build a reporting tool within it and allow me to have my own customization. I should be able to customize the reports based on my needs. For example, I should be able to generate a report only for incidents with high and medium severity.

It should also provide information on trends within the platform. There should be reports on specific alerts or security incidents.

They should build more analytics rules to assess key security threats. I have had to build a lot of custom analytics rules. There should be more of them out of the box.

There should be more information about how to utilize the notebooks. They can have a better approach to enlightening the end-users about the straightforward use of notebooks. The data point analysis rules and automation are straightforward compared to the way you utilize the notebooks. They can do better in terms of sharing how we can utilize the notebooks. 

We are able to ingest data across all our tenants and on-prem solutions, but we have been chasing Microsoft for the longest time possible for ingesting some data from Microsoft Dynamics 365. The kind of logs that we need or the kind of security monitoring that we need to do on Microsoft Dynamics 365 versus what's available through data connector tools is different. The best advice that they have managed to give us is to monitor the database logs, but we can't go into monitoring database logs because that's a different platform. There are several things that we want to address across Microsoft Dynamics 365, but the kind of logs that we get from the data connector are not of any significance. It would be better if they could give us customization for that one. That's the worst application from Microsoft to add because we can't monitor any business processes in that application, and there's no capability to do even customization. We are so frustrated with that.

It's quite comprehensive in threat intelligence capabilities, but it takes some time to establish a baseline. They can also improve the UEBA module so that it can help us address and have an overview of the risk. It's not yet that complete. It can establish a baseline for a user, but it doesn't inform how I can leverage the capability to address risks.

We can also have more integrations within Microsoft Sentinel with TI feeds out of the box. Currently, we don't have something out of the box for other TI feeds. Microsoft has its own TI feed, but we aren't utilizing that.

Microsoft Sentinel should provide more capability to end-users for customization of the logs they feed into Microsoft Sentinel.

For how long have I used the solution?

It has been two years.

What do I think about the stability of the solution?

We haven't had any issues with it so far. It's very stable. 

What do I think about the scalability of the solution?

It's scalable. There are data connectors for different technologies and products.

How are customer service and support?

I've not contacted their support for Microsoft Sentinel.

Which solution did I use previously and why did I switch?

I've used QRadar.

How was the initial setup?

We are ingesting on-prem and cloud logs. The initial setup was a bit complex. It wasn't that straightforward because of the integrations.

What about the implementation team?

We had help from a Microsoft partner for visibility and integrations. We had about five engineers involved in its implementation.

In terms of maintenance, it doesn't require any maintenance from our side.

What was our ROI?

Microsoft Sentinel is costly, but it provides value in terms of managing security or managing the threats within our organization.

The return on investment is in terms of better security, visibility, and management. If you don't know what's going on in the cloud environment or the on-prem environment, you might need to pay a huge price in terms of compliance or ransomware to restore your data. We have seen value in investing in Microsoft Sentinel because we are building a better security capability within our environment.

What's my experience with pricing, setup cost, and licensing?

The current licensing is based on the logs that are being ingested on the platform. Most of the SIEM solutions utilize that pricing model, but Microsoft should give us a customization option for controlling the kind of logs that we feed into Microsoft Sentinel. That will be much better. Otherwise, the pricing is a bit higher.

Which other solutions did I evaluate?

We evaluated other solutions. The reason why we chose Microsoft Sentinel was because of the cloud visibility. We needed a lot of visibility across the cloud environment, and choosing another product that's not Microsoft native wouldn't have been easy in terms of integrations and shipping logs from Microsoft Sentinel to on-prem.

A good thing about Microsoft Sentinel as compared to the other platform is that most organizations run on Azure, and the integration of Microsoft Sentinel is much easier with other products, but when it comes to other SIEM solutions, integrating them with Microsoft sometimes becomes an issue.

What other advice do I have?

You need to customize the kind of logs that you feed to Microsoft Sentinel. If you just plug in data connectors and don't do any customization and feed everything to Microsoft Sentinel, it will be very expensive in terms of cost. You only need the traffic that assists you in addressing security issues within your environment. You only need the information that gives you visibility to address security issues.

Overall, I would rate Microsoft Sentinel an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Stian Høydal - PeerSpot reviewer
Cyber Security Consultant at a tech services company with 1,001-5,000 employees
Reseller
Can be quickly deployed, is scalable, and helps to investigate and respond holistically
Pros and Cons
  • "The scalability is great. You can put unlimited logs in, as long as you can pay for it. There are commitment tiers, up to six terabytes per day, which is nowhere close to what any one of our customers is running."
  • "Some of the data connectors are outdated, at least the ones that utilize Linux machines for log forwarding. I believe that Microsoft is already working on improving this."

What is our primary use case?

The company I work for delivers SOC-as-a-Service, so I set up Sentinel in the customer's Azure environment and then connect it to our central Sentinel through Azure Lighthouse.

How has it helped my organization?

Microsoft Sentinel has made it easier for us to sell SOC-as-a-Service to, more or less, any customer and not just the big ones.

What is most valuable?

A lot of our customers run Microsoft products, and integrating those with Sentinel is simple and easy. Sentinel can be quickly deployed as well.

As long as the customers are licensed correctly and have, for example, the E5 security package, then the insights into threats provided by Sentinel are pretty good.

Sentinel helps prioritize threats well. The option to dig deeper and go into the different portals is good as well.

Our customers are very happy with incidents being closed in Sentinel and across the tenant.

We are able to fetch data from almost any source with Sentinel. There are some customers who try to customize, but we try to keep it to the out-of-the-box preconfigured data connectors or to what we can find in the Microsoft content hub.

In terms of the importance of data ingestion to our customers' security operations, they only have access to what is in Sentinel. Therefore, it's pretty important for them to have all of their data stored in one location. If it's stored on-premises in Microsoft 365 Defender, then the SOC team won't be able to access that data. Giving a good analysis will then be harder.

It's very important to us to be able to investigate threats and respond holistically from one place. We don't create several accounts for each customer. We utilize one account and then get insight into the Sentinel environments of different customers. It's great that we can do all this in one place.

The comprehensiveness of Sentinel's security protection is pretty good. The effectiveness of the web part of this depends on how well the customer has configured their Azure AD and what information they have included for each user, such as the phone number and the part of the organization where the user works.

One of the big issues for our customers is the need to look at multiple dashboards. Sentinel has eliminated this and made it a lot easier by having everything in one place.

Sentinel has definitely saved us time. It has also decreased our time to detection and our time to respond. We try to have an analysis ready within 30 minutes of an incident coming in.

What needs improvement?

Some of the data connectors are outdated, at least the ones that utilize Linux machines for log forwarding. I believe that Microsoft is already working on improving this.

I would like Microsoft Sentinel to have out-of-the-box threat intelligence because right now, the only option is to add your own threat intelligence.

For how long have I used the solution?

I've been using Microsoft Sentinel for approximately one and a half years.

What do I think about the stability of the solution?

Sentinel has only been down once, as far as I know, as a result of Microsoft doing something with Azure Kubernetes, which affected log analytics and Sentinel. It was down for about 10 hours. Other than that, it's always been up.

What do I think about the scalability of the solution?

The scalability is great. You can put unlimited logs in, as long as you can pay for it. There are commitment tiers, up to six terabytes per day, which is nowhere close to what any one of our customers is running.

How are customer service and support?

I might be more fortunate than others, given the fact that I have easy access to Microsoft support. The only downside is that the support staff are not that technical, but there is a big community around Sentinel. I can ask the question on the forums instead, and I usually get an answer there. All in all, I'd rate technical support at eight out of ten.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial deployment is straightforward. We try to utilize a baseline of analytics rules in addition to connecting any security products already owned by the customer.

We usually deploy one Sentinel per Azure tenant. Maintenance-wise, Microsoft updates the analytics rules and the engine behind Sentinel, and it may require some tuning if it creates a lot of noise. Other than that, it's pretty straightforward. Thus, in comparison to other SIEM solutions that you need to upgrade and then turn off for the functionality to be updated, Sentinel saves us time.

What about the implementation team?

My colleague and I usually work with someone at the customer's location to deploy the solution.

What's my experience with pricing, setup cost, and licensing?

Compared to standalone SIEM and SOAR solutions, it is easy to start off with Sentinel. For example, with QRadar there are minimum licensing requirements, EPS costs compared to how many logs are being ingested, etc.

It can become costly with Sentinel if you try to run all of the raw logs for an entire organization. If you prioritize, however, you can have a cheaper SIEM solution compared to the ones that have a starting price of 50,000 US dollars.

The pricing is based on how much you ingest, so it's pretty straightforward. There are no tiers, and you pay for what you use, unlike with other types of SIEM solutions that are usually based on tiers.

It's a great way to get insight into exactly how much you're using. If you connect a log source that utilizes too much, you could turn it off or tune it down. You could also buy tiers in Sentinel and can save money with tier commitments.

What other advice do I have?

Overall, I'm satisfied with Sentinel and would give it a rating of eight out of ten.

As far as going with a best-of-breed strategy versus a single vendor's suite, Microsoft gives a pretty good solution, especially when you get the E5 security package. It gives you a good view of the security across the organization, so I don't mind going for a single vendor's suite and opting to go completely with Microsoft.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
Technical Specialist at a tech services company with 10,001+ employees
Real User
Has built-in SOAR, user and entity behavior analytics, and threat intelligence capabilities
Pros and Cons
  • "The automation feature is valuable."
  • "The playbook is a bit difficult and could be improved."

What is our primary use case?

We use Microsoft Sentinel for centralized log aggregation and security management. Our environment uses a variety of security products to strengthen its security. This has made it difficult for the SOC team to analyze logs from different consoles and products. To ease the team's workload and help them prioritize events and attacks, we decided to acquire a centralized console. We chose Sentinel because it provides a centralized console where we can ingest and analyze logs. The logs that Sentinel analyzes add value.

How has it helped my organization?

Sentinel's threat visibility is good. It has analytics and threat detection capabilities that we can add to our own playbooks. We can use the predefined log analytics to create our own custom rules. Using these custom rules with predefined logs further improves our environment's security posture.

Sentinel helps us prioritize threats across our enterprise. When we have a lot of alerts and incidents, it is better to understand if they are false positives, because the SOC team sometimes wastes time on false positives, which are not very relevant. We must prioritize positive alerts, which should be given the highest priority. In order to solve this problem.

The manufacturing environment I work in is not very critical, so a simple attack is unlikely to have a major impact on the business. However, data is important in any business, and a data breach can damage our reputation. Therefore, it is important to have a good security posture to avoid threats. Threats and attacks can happen even with the highest level of security. Therefore, we look for products that can give us visibility into our environment and help us to proactively solve problems. Microsoft proactively identifies threats and informs its peers and partners. This allows us to take action to assess the impact of these threats on our environment. By taking proactive measures, we can prevent threats from harming our environment.

We also use Microsoft Defender for Cloud and Microsoft Defender for Identity. We have integrated these solutions with Microsoft Sentinel, and their logs are ingested by Sentinel. We do not incur any costs for ingesting Office 365 logs because Microsoft provides a free login exchange for Microsoft Office 365 and, I believe, for Defender as well into our Sentinel for analysis.

Our Microsoft products work seamlessly together to provide coordinated detection and response in our environment. We use a lot of Microsoft products, and it is best to use them in the same environment. This makes integration and collaboration easier. We also have licensing agreements that give us discounts when we use multiple products together. For example, we use Microsoft 365, OneDrive, and security products. We are also migrating our workloads to Azure. We have already migrated many workloads to Azure, and we are in the process of migrating the remaining workloads. We are heavily dependent on Microsoft, so we believe it is best to use one cloud provider. This makes it easier to manage different services. Additionally, Microsoft provides us with a lot of help and benefits, which can save us money. Cost is one of the factors that businesses consider, and IT is a major investment for businesses. Even though our business is not in the IT industry, IT plays a vital role in driving the business forward. Therefore, our organization needs to ensure that its IT investments are having a positive impact.

The comprehensiveness of the threat protection provided by our Microsoft security products is good. They have a large number of predefined indicators of compromise and a comprehensive team that monitors threats around the world. We receive notifications and newsletters from Microsoft whenever a new threat emerges. When an organization does not have experts on its team, it is very difficult to identify zero-day vulnerabilities or attacks. This makes it difficult for them to identify and mitigate these threats. Microsoft, on the other hand, proactively identifies threats and informs its teams and partners so that they can mitigate or prevent them in their environments.

Sentinel allows us to ingest data from our entire IT ecosystem, including network devices, servers, endpoints, and firewalls. This is important because if we are not monitoring all of our devices, we cannot know what threats they are facing or what attacks they have already been subjected to. Sentinel scans every device in the environment because it is difficult to see how many devices are compromised by a threat when we have an inventory of thousands of devices. This is why we need a centralized console where we can ingest all of our important logs and correlate them to identify threats. We need to know when our environment has been attacked by zero-day vulnerabilities. If we see that two devices have been affected, we still do not know how many additional devices the attack has compromised. This can only be known if we have all of our logs in our console. Sentinel provides us with a valuable capability: we can simply identify the source, user, or affected machines, and Sentinel will tell us how many machines have already been compromised and how far the threat has spread. This information allows us to isolate or quarantine the affected machines so that they cannot access more of our environment or steal more data.

We can react and respond holistically from one place with Sentinel.

The best part of Sentinel is its built-in SOAR, user and entity behavior analytics, and threat intelligence capabilities, which collaborate with the SIEM. Other products typically sell these capabilities as separate products. When we automate tasks, we reduce the team's manual effort. Whenever we detect an attack or need to provide analytics, we generate a lot of events and alerts. If we don't correlate these events and automatically resolve them, repetitive tasks will have to be performed by team members. This is not an efficient use of resources. Repetitive tasks can be automated by writing scripts and putting them into the system. Sentinel correlates events and creates incidents for us. These incidents can be resolved by scripts, such as by informing users that their IDs have been compromised and they need to reset their passwords or their IDs will be blocked. This saves SOC time so that they can focus on more important tasks, such as detecting and responding to threats that are already impacting the environment. Sentinel's features help organizations reduce manual and repetitive effort.

Sentinel has helped our organization by providing seamless collection and correlation of all logs. It is important to correlate logs into alerts and then to incidents, as this prevents the team that receives the alerts from becoming overloaded. Sentinel's analytics capabilities are also beneficial, as they allow me to easily perform searches and analyses of incidents. I do not have to spend much effort to determine the source of an incident, its impact, or how far it has spread through our environment. Additionally, Sentinel's automation features, such as its playbooks, templates, and integrations, help us to reduce manual effort.

Automating routine tasks that help find high-value alerts reduces the cost and workload of our SOC team. We have created several automation use cases by discussing them with multiple stakeholders and analyzing how frequently we receive the same type of incident alerts. When we receive the same type of incident alerts, we can correlate them and create scripts or automate solutions to resolve them. This helps to reduce the team's workload and headaches. We have already incorporated this automation into our SOC processes. If an incident is created, it is automatically resolved without any user or machine interaction. If we receive an alert that the resolution failed, some team members investigate the cause, such as a missing or disabled user ID or a technical system issue.

Automation has reduced our manual tasks, saving us around 30 percent of our time so that we can focus on more important tasks.

Previously, when I joined the organization, they were using Splunk on-premises and other security tools, such as Trend Micro and Darktrace devices, to collect logs. The security operations center team had to log into each console to see the logs, investigate them, and determine how to mitigate the alerts. This process was slow and inefficient, especially in the event of a critical attack. Sentinel provides a centralized console for log collection and analysis which helps the SOC team respond to alerts more quickly and reduce the impact of threats.

Microsoft Sentinel helped us eliminate the need for multiple dashboards by providing a single XDR dashboard. They have data connectors that can integrate with different security tools because they partner with other security companies to provide us with the functionality we need to integrate into our environment. Microsoft is at its best when we can integrate with our peers and security companies that are bringing new features to improve our security posture. We can then integrate these features with Sentinel, benefit from them, and ingest our logs into Sentinel as well. We no longer need to log in to multiple security tools; we can simply go to Sentinel, view the incidents and alerts that are being generated, and take action.

What is most valuable?

The automation feature is valuable. There are many events that happen, and we require manual effort from our SOC team to mitigate each one. When we started automating tasks, it helped us to reduce the time it takes to react to attacks. Attacks may not be able to penetrate our environment as easily because of this. Therefore, I believe that Sentinel's automation is the best.

What needs improvement?

The integration is not that difficult. The configuration is simple, but the data connector documentation is lacking in useful information. If Microsoft improves the documentation, we will be able to see how to complete the integration from start to finish. In the past, we have encountered problems during the integration process because the documentation was incomplete. For example, we recently deployed Microsoft Defender for Identity with the help of our Active Directory team. Initially, they told us that only a few ports were required, but later they said that more ports were needed. Our environment did not allow these additional ports, and we were not aware of this requirement. This delayed the project and caused frustration for our team members. The customer also expected the project to be completed sooner, but unexpected firewall rules and undocumented configuration requirements prevented us from doing so. We had to open a case with Microsoft for assistance, and we were eventually able to resolve the issue.

The playbook is a bit difficult and could be improved. For those who do not have a deep understanding of playbooks or programming languages, it would be better to have extensive documentation and information available online. When I started working with Sentinel, there were times when we had to refer to the documentation to get information about the configuration or implementation steps. If we encountered errors in the implementation, we had to rely on the internet to figure out how to fix them. The information available online is not that comprehensive and does not cover specific maintenance tasks. If the documentation were improved a bit, and the playbook and automation were made easier to use, it would be a great benefit for technical users.

The AI and Machine Learning can be improved.

For how long have I used the solution?

I have been using Microsoft Sentinel for over one year.

What do I think about the stability of the solution?

I have not seen any downtime with Sentinel. Sentinel is stable.

What do I think about the scalability of the solution?

Sentinel is highly scalable. We can easily integrate more devices without any effort. Microsoft has a large data center, and they are always ready to add our devices.

How are customer service and support?

Microsoft technical support has declined in quality over the years. I have only been using Sentinel for a year, but I have experience with Microsoft technical support through Azure and other Microsoft products. In the past, we were able to resolve tickets quickly with minimal back-and-forth. However, recently, the quality of support has degraded. We had a few critical cases that directly impacted production, but Microsoft did not assign their senior engineers to these cases. This wasted a lot of our time, as we had to explain the problems to multiple support representatives.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We previously used Splunk SOAR in conjunction with Trend Micro and Darktrace to ingest logs, but we switched to Sentinel because it is more seamless.

How was the initial setup?

The initial setup was successful. The configuration is not difficult. There were some challenging areas. However, we had access to free tools and a Microsoft contact who was always available to help us if we encountered any knowledge gaps. When setting up Sentinel for the first time in our environment, we always have an expert with us to assist with the setup, as not everyone has extensive knowledge of implementing the product. The expert is there to help us with the implementation if we get stuck on a step.

We decided which devices and types of alerts or information we wanted to ingest. At that time, we were not using automation. Our environment was in poor condition, and we were not utilizing the automated features of Sentinel. We only required the basic features of Sentinel, which were to ingest logs from the devices we were interested in, correlate them, analyze them, and integrate them with our service tools and alerting. For alerting, we used ServiceNow as our ticketing system. We would receive a ticket from ServiceNow for the SOC team, and then the SOC team would investigate and mitigate the issue. However, as time went on, the number of events increased, and the time it took to investigate them also increased. If we did not automate our environment, we would have to keep increasing the size of our SOC team or the number of SOC members to handle the workload. We could not meet the priority requirements. That is when we proposed using some of the automation features to help with low-priority alerts.

The deployment required three to four people. I joined the team for the implementation phase. So, by the time I joined, a lot of decisions had already been made, and a low-level plan had been decided upon. This was a low-level design and plan that we had to follow.

What about the implementation team?

We had help from our Microsoft representative for the implementation. This contact was provided to us by Microsoft from the initial trial period all the way through the implementation.

What's my experience with pricing, setup cost, and licensing?

Currently, given our use case, the cost of Sentinel is justified, but it is expensive. It is not so cheap that any organization can afford it. However, if an organization has a requirement for good security posture and can invest in security tools, they should have at least a decent budget to afford Sentinel. Sentinel does offer good features, such as SIEM, SOAR, and automation. However, we need to monitor our budget because ingestion can increase at any time and exceed our budget. We can set alerts to notify us if our budget is increasing significantly on a monthly or yearly basis. We can then control our budget by adjusting what we ingest. We can ingest any amount of data because there is a lot of data flowing in. However, some data is not necessary to ingest because it is not valuable to our analytics. Therefore, being careful about what data we ingest through Sentinel will help us stay within our budget.

Which other solutions did I evaluate?

We evaluated IBM QRadar and Splunk. Splunk has been in the market for a long time and is trusted by many organizations. While it was once a leader in its field, it does not seem to be keeping up with new features and automation. However, I am not aware of their current state of development.

We saw good features in both Splunk and QRadar, but QRadar had more features that were relevant to us. However, we are moving more towards the cloud. Previously, we had on-premises infrastructure, but we migrated to Azure when a new management team came in.

When we evaluated Microsoft Sentinel, we found that it had good functionality and met our requirements. We also liked that it is a cloud-based solution, so we do not have to worry about underlying hardware, features, operating systems, or management. We simply need to configure the application, which is relatively straightforward. We also do not need to make any upfront capital expenditures.

However, we need to consider the cost of ingesting logs into our environment. Microsoft charges for the amount of data ingested per day, so we need to keep our costs within budget.

QRadar is more complex and difficult to configure than Sentinel. Sentinel is easy to expand. If we add new devices to our environment, we can simply connect them directly to Sentinel. We do not need to worry about additional hardware or configuration.

Overall, Sentinel is a good choice for us because it is cloud-based, easy to configure, and scalable.

What other advice do I have?

I would rate Microsoft Sentinel an eight out of ten.

Whether to use separate SIEM and SOAR solutions or Microsoft Sentinel depends on each organization's specific needs. All SIEM and SOAR tools are expensive because they provide essential security features. Organizations with the resources to pay for these features may choose to purchase Sentinel or another SIEM or SOAR solution. However, small and medium-sized businesses may not be able to afford these tools. Instead, they may choose to use a third-party service provider that already has a license for an SIEM solution such as QRadar or Sentinel.

Sentinel ingests data from over 1,500 endpoints, including technical devices, Windows devices, and Linux devices in our environment.

There is no maintenance required on our end. Microsoft is doing everything for us. We only have to have our configurations in place.

Before using Sentinel, organizations should clearly understand their use cases and requirements. They can take a trial of Sentinel and collaborate with Microsoft to create use cases that demonstrate the value of the investment. Because there are thousands of SIEM and SOAR tools on the market, organizations should evaluate multiple solutions to see what benefits they offer. They can then create use cases for each solution in their environment and take trials to implement them. Organizations should compare the solutions based on visibility, budget, and additional features. Anyone who is considering using a SIEM or SOAR solution should evaluate multiple solutions. Budgeting is very important.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Viraj Shinde - PeerSpot reviewer
SOC Analyst at Aujas Networks Pvt Ltd
Real User
We can easily automate rules that enable us to create playbooks, provides good visibility into our environment, and seamless integration capability
Pros and Cons
  • "The Identity Behavior tab furnishes us with the entire history linked to each IP or domain that has either accessed or attempted to access our system."
  • "We are invoiced according to the amount of data generated within each log."

What is our primary use case?

We utilize Microsoft Sentinel primarily to monitor our data storage software. Through the implementation of distinct connectors, we can accommodate multiple use cases for Sentinel. This solution also enables us to thwart failover attempts and prevent brute-force attacks. Moreover, we leverage the EDR tools to establish groups. For instance, if an unauthorized individual attempts to access a critical server from outside the designated group, we can promptly identify them by analyzing the event ID.

How has it helped my organization?

Using the Microsoft Sentinel Investigation tab, we can observe all activities related to access and unauthorized attempts taking place in our environment.

Sentinel assists us in prioritizing threats across our entire enterprise. When we receive high-priority alerts, we engage with the client to investigate whether they are conducting any testing first. If not, we identify the unknown activity and collaborate with them to resolve the issue as quickly as possible.

We also utilize Office 365. We have seamlessly integrated Office 365 with Sentinel, which is made easy through the provided connectors, especially when our API keys are associated with a cloud machine. All that is needed are the workspace ID, subscription ID, and API key.

The effectiveness of the protection offered by the integrated solutions is substantial. We are capable of preventing spam, tracking the complete trajectory of data transmitted by the end user, including its source, especially when originating from unauthorized URLs. Additionally, we can identify instances of unauthorized mail redirection. Furthermore, we can utilize SPF authentication to safeguard our domain against spoofing.

Microsoft Sentinel allows us to gather data from our entire ecosystem. We also have the capability to exclude non-suspicious or non-malicious data, such as daily reminders, from the daily logs in order to prevent system slowdown.

Sentinel allows us to investigate threats and respond promptly from a central location. We can gather all the necessary information for an investigation with a single click, which will provide us with a comprehensive overview of the actions taken by the suspicious user by reviewing the Event ID.

The built-in SOAR, UEBA, and threat intelligence capabilities of Sentinel are commendable. The UEBA can furnish a summary of all entities and discern unfamiliar ones that are not commonly associated with our system, subsequently tagging them for our review.

It aids in the automation of routine tasks and the identification of high-value alerts. For instance, if we need to compile a list of our administrative or high-profile users, we can establish rules based on high and medium security criteria, or any other specifications we might have. The entries will then correspond to the information aligned with our requirements. Furthermore, we have generated a watchlist of blacklisted users, which assists us in conveniently tracking activities originating from them. 

It provides the ability to create personalized dashboards that offer all the necessary information in a single location. It is important to mention that this feature comes with an extra cost, as is the case with all aspects of Sentinel.

Sentinel's threat intelligence helps prepare us for potential threats before they hit. By utilizing the event summary, we can proactively prepare for unauthorized entries and directly block IPs at the firewall level.

As a partner of Microsoft, they pay us for any POCs we create.

Sentinel has contributed to a reduction in our time for detecting and responding to incidents. As Sentinel operates in the cloud, it offers user-friendly accessibility, enabling us to swiftly access crucial information for responding to potential threats.

What is most valuable?

The automation rules that enable us to create playbooks for each individual are valuable.

The Identity Behavior tab furnishes us with the entire history linked to each IP or domain that has either accessed or attempted to access our system. By utilizing the data supplied by Sentinel, we can ascertain whether there are any attempts to breach our system. Numerous pre-defined queries are at our disposal, and we also have the option to craft custom queries as needed.

What needs improvement?

We are invoiced according to the amount of data generated within each log. For example, if I neglect to specify the time period in a search, Sentinel will retrieve all the logs, leading to charges for both pertinent and irrelevant data. This could potentially cause a substantial increase in costs. We incur lower charges for data under 100 GB, but anything surpassing that threshold becomes more expensive.

When setting up EDR for multiple endpoints, we need to create distinct rules for each one to monitor the devices effectively. 

For how long have I used the solution?

I am currently using Microsoft Sentinel.

What do I think about the stability of the solution?

Microsoft Sentinel is stable. It is extremely rare that the solution is down.

What do I think about the scalability of the solution?

Microsoft Sentinel is highly scalable. We can create any random custom playbooks. We can create any custom rules over there as per our requirements. We can enable and disable policies also as per our requirements. We can combine both policies accordingly.

How are customer service and support?

The technical support is good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Compared to IBM Security QRadar and Securonix, Microsoft Sentinel is more user-friendly. QRadar is quicker to respond but it has stability issues.

What's my experience with pricing, setup cost, and licensing?

We are charged based on the amount of data used, which can become expensive.

What other advice do I have?

I rate Microsoft Sentinel nine out of ten.

Maintenance is overseen by Microsoft. They announce periods of system downtime for maintenance. If we have anything critical that we require while the system is down, we can request it from Microsoft, and they promptly provide it to us.

Microsoft Sentinel offers us query update suggestions every three months. If we find a suggestion we like, we can simply click on it to automatically update our policy.

I believe it is better to choose a single-vendor security suite over a best-of-breed strategy.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Ankit-Joshi - PeerSpot reviewer
Senior Cyber Security Consultant at a financial services firm with 10,001+ employees
Real User
Top 20
Helps us monitor our SOC, provides the capability to integrate unsupported log sources, and saves about 40 minutes per incident
Pros and Cons
  • "Sentinel is a Microsoft product, so they provide very robust use cases and analytic groups, which are very beneficial for the security team. I also like the ability to integrate data sources into the software for on-premise and cloud-based solutions."
  • "There is room for improvement in entity behavior and the integration site."

What is our primary use case?

I'm currently using this solution for monitoring our SOC. I also implement Sentinel for clients.

We use Defender for Cloud, Defender for Endpoint, Defender for Office 365, and Defender for Identity. They were easy to integrate. It's necessary to understand the background of the data source to integrate the devices into Sentinel. If it is cloud-based, we can utilize the GeoLogic app or Azure function to integrate the log sources or use the slot method.

These solutions work natively together to deliver coordinated detection and response across our enterprise. We have different EDR solutions in our environment, and we have integrated them with Sentinel. We directly monitor all of the other security devices from Sentinel.

I haven't seen many issues with integrating different products. We can set a robust error detection mechanism. If there are some issues while integrating the logs, we can do automated alerting and easily troubleshoot any issues.

There are no issues with integrating multiple-location firewalls. We have Sentinel deployed in the US and other geolocations.

There are between 15 and 20 people using this solution in my team.

The solution is deployed on the cloud.

How has it helped my organization?

We mainly use this solution for monitoring purposes. We previously used on-premises data sources, but we wanted to integrate lots of log sources that weren't directly supported by other solutions. Sentinel provides the capability to integrate unsupported log sources. We have integrated lots of unsupported security devices with Sentinel as well.

Sentinel helps automate routine tasks and helps automate the finding of high-value alerts. Microsoft provides some very useful out-of-box automation playbooks that we can utilize in our day-to-day operations. This increases the efficiency of security analysts and our response time. We are using those solutions in our environment to do automation, increase productivity, and enhance the efficiency of our security analysts. Sentinel reduces our overall investigation time compared to other solutions.

Sentinel has helped eliminate the need to look at multiple dashboards. We can use the workbook for that. Correlating everything into a single workbook isn't available right now, but it's achievable in the future.

The solution's threat intelligence helps prepare us for potential threats before they hit and helps us take proactive steps. We have integrated one open-source solution for IOC monitoring, and Microsoft even provides the IOC data. To be proactive, we also rely on other solutions like Defender for Endpoint for detecting those threats before they actually happen.

We added IOCs into Sentinel from a monitoring perspective. If we can detect ransomware, we can prioritize that and work on mitigation.

Microsoft Sentinel saves us time. It has provided us with a very rich automation solution. We can see most of the details directly on the Sentinel site. We don't need to log in and check for different things, so it saves a lot of time for associates. It saves us about 30 to 40 minutes on average per incident.

The solution decreases our time to detect and respond. We can increase detection using dashboards. The automation and playbooks help us respond to threats if the user is compromised. We can directly reset the user's password or disable the user from the Sentinel portal by using the playbooks. We're saving about 15 to 20 minutes on our response times.

What is most valuable?

Sentinel is a Microsoft product, so they provide very robust use cases and analytic groups, which are very beneficial for the security team. I also like the ability to integrate data sources into the software for on-premise and cloud-based solutions. We can very easily integrate the devices with Sentinel. There are multiple ways that we can utilize the product. I also like how the solution processes data.

The solution helps prioritize threats across our enterprise. We can set the severity for the low and medium-priority severity incidents. Sentinel has machine learning and fusion rules, which help us effectively prioritize. Prioritization is very important for us in this security landscape because attacks are getting stronger.

Sentinel provides a lot of out-of-box analytic rules with Sentinel. It's very good at detecting threats compared to the different SIEM solutions in the market now.

Sentinel enables us to easily ingest data from our entire ecosystem. Attacks can happen from any of the devices. Even the IoT is vulnerable now. We can integrate different solutions for it. For instance, there is Microsoft Defender for IoT, which we can integrate into Sentinel. That provides a single pane of glass for security. In any SOC, we need to have multiple solutions. Sentinel is a great solution for managing and monitoring those products.

Sentinel enables us to investigate threats and respond holistically from one place. We can integrate other solutions like ServiceNow with Sentinel, and we can set the bidirectional sync.

Sentinel's security protection is comprehensive. In the area of UEBA, I use the entity behavior settings of Sentinel. It provides some enhancement in security monitoring, but it still needs some improvement regarding user and entity behavior.

What needs improvement?

There is room for improvement in entity behavior and the integration site. It's a new solution, so it can include different security products in the data connector section. I've also experienced some performance issues with the runbook. It takes a lot of time to load.

In the automation section, there are some limitations.

For how long have I used the solution?

I have used this solution for two and a half years.

What do I think about the stability of the solution?

It is pretty stable. I haven't had any issues in the two and a half years that I've worked with Sentinel.

What do I think about the scalability of the solution?

The price goes up whenever we integrate more log sources, but there aren't any issues with scalability. We can increase it very easily.

How are customer service and support?

Technical support is good. They're very quick to respond when we raise a case.

I would rate technical support a nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Splunk is also the leader in this market. I prefer Sentinel because it's a Microsoft product that provides a lot of free and built-in use cases.

We switched to Sentinel because it's a cloud-native solution. On-premises solutions involve managing IT databases and doing some upgrade activities, but we don't need to manage any of that in Sentinel. We can focus directly on security monitoring and detection and response.

How was the initial setup?

The setup was straightforward. I worked on multiple projects before the deployment of Sentinel.

The amount of time it takes to deploy the solution depends on the client's network area, the firewall, and log sources. We have deployed the solution for user bases of 4,000 to 5,000. Deployment was completed within one month by integrating all the required processes.

We had a team of three people for deployment. I took care of the integration of the log sources, and the other two people took care of the customization.

Sentinel doesn't require much maintenance.

Which other solutions did I evaluate?

We evaluated Splunk and a few other solutions.

What other advice do I have?

I would rate this solution as nine out of ten. 

My advice is that colleagues who have worked on different solutions, whether on-premises or cloud, should use the Ninja training. Microsoft provides this training directly. It is publicly available and provides a better understanding of how to utilize the solution more effectively.

I think it's ideal to go with different vendors across our environment rather than a single vendor for security purposes.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Lead Azure Sentinel Architect at a financial services firm with 10,001+ employees
Real User
Quick to deploy, good performance, and automatically scales with our requirements
Pros and Cons
  • "The most valuable feature is the performance because unlike legacy SIEMs that were on-premises, it does not require as much maintenance."
  • "If Azure Sentinel had the ability to ingest Azure services from different tenants into another tenant that was hosting Azure Sentinel, and not lose any metadata, that would be a huge benefit to a lot of companies."

What is our primary use case?

Azure Sentinel is a next-generation SIEM, which is purely cloud-based. There is no on-premises deployment. We primarily use it to leverage the machine learning and AI capabilities that are embedded in the solution.

How has it helped my organization?

This solution has helped to improve our security posture in several ways. It includes machine learning and AI capabilities, but it's also got the functionality to ingest threat intelligence into the platform. Doing so can further enrich the events and the data that's in the backend, stored in the Sentinel database. Not only does that improve your detection capability, but also when it comes to threat hunting, you can leverage that threat intelligence and it gives you a much wider scope to be able to threat hunt against.

The fact that this is a next-generation SIEM is important because everybody's going through a digital transformation at the moment, and there is actually only one true next-generation SIEM. That is Azure Sentinel. There are no competing products at the moment.

The main benefit is that as companies migrate their systems and services into the Cloud, especially if they're migrating into Azure, they've got a native SIEM available to them immediately. With the market being predominately Microsoft, where perhaps 90% of the market uses Microsoft products, there are a lot of Microsoft houses out there and migration to Azure is common.

Legacy SIEMs used to take time in planning and looking at the specifications that were required from the hardware. It could be the case that to get an on-premises SIEM in place could take a month, whereas, with Azure Sentinel, you can have that available within two minutes. 

This product improves our end-user experience because of the enhanced ability to detect problems. What you've got is Microsoft Defender installed on all of the Windows devices, for instance, and the telemetry from Defender is sent to the Azure Defender portal. All of that analysis in Defender, including the alerts and incidents, can be forwarded into Sentinel. This improves the detection methods for the security monitoring team to be able to detect where a user has got malicious software or files or whatever it may be on their laptop, for instance.

What is most valuable?

It gives you that single pane of glass view for all of your security incidents, whether they're coming from Azure, AWS, or even GCP. You can actually expand the toolset from Azure Sentinel out to other Azure services as well.

The most valuable feature is the performance because unlike legacy SIEMs that were on-premises, it does not require as much maintenance. With an on-premises SIEM, you needed to maintain the hardware and you needed to upgrade the hardware, whereas, with Azure Sentinel, it's auto-scaling. This means that there is no need to worry about any performance impact. You can send very large volumes of data to Azure Sentinel and still have the performance that you need.

What needs improvement?

When you ingest data into Azure Sentinel, not all of the events are received. The way it works is that they're written to a native Sentinel table, but some events haven't got a native table available to them. In this case, what happens is that anything Sentinel doesn't recognize, it puts it into a custom table. This is something that you need to create. What would be good is the extension of the Azure Sentinel schema to cover a lot more technologies, so that you don't have to have custom tables.

If Azure Sentinel had the ability to ingest Azure services from different tenants into another tenant that was hosting Azure Sentinel, and not lose any metadata, that would be a huge benefit to a lot of companies.

For how long have I used the solution?

I have been using Azure Sentinel for between 18 months and two years.

What do I think about the stability of the solution?

I work in the UK South region and it very rarely has not been available. I'd say its availability is probably 99.9%.

What do I think about the scalability of the solution?

This is an extremely scalable product and you don't have to worry about that because as a SaaS, it auto-scales.

We have between 20 and 30 people who use it. I lead the delivery team, who are the engineers, and we've got some KQL programmers for developing the use cases. Then, we hand that over to the security monitoring team, who actually use the tool and monitor it. They deal with the alerts and incidents, as well as doing threat hunting and related tasks.

We use this solution extensively and our usage will only increase.

How are customer service and support?

I would rate the Microsoft technical support a nine out of ten.

Support is very good but there is always room for improvement.

Which solution did I use previously and why did I switch?

I have personally used ArcSight, Splunk, and LogRhythm.

Comparing Azure Sentinel with these other solutions, the first thing to consider is scalability. That is something that you don't have to worry about anymore. It's excellent.

ArcSight was very good, although it had its problems the way all SIEMs do.

Azure Sentinel is very good but as it matures, I think it will probably be one of the best SIEMs that we've had available to us. There are too many pros and cons to adequately compare all of these products.

How was the initial setup?

The actual standard Azure Sentinel setup is very easy. It is just a case where you create a log analytics workspace and then you enable Azure Sentinel to sit over the top. It's very easy except the challenge is actually getting the events into Azure Sentinel. That's the tricky part.

If you are talking about the actual platform itself, the initial setup is really simple. Onboarding is where the challenge is. Then, once you've onboarded, the other challenge is that you need to develop your use cases using KQL as the query language. You need to have expertise in KQL, which is a very new language.

The actual platform will take approximately 10 minutes to deploy. The onboarding, however, is something that we're still doing now. It's use case development and it's an ongoing process that never ends. You are always onboarding.

It's a little bit like setting up a configuration management platform and you're only using one push-up configuration.

What was our ROI?

We are getting to the point where we see a return on our investment. We're not 100% yet but getting there.

What's my experience with pricing, setup cost, and licensing?

Azure Sentinel is very costly, or at least it appears to be very costly. The costs vary based on your ingestion and your retention charges. Although it's very costly to ingest and store data, what you've got to remember is that you don't have on-premises maintenance, you don't have hardware replacement, you don't have the software licensing that goes with that, you don't have the configuration management, and you don't have the licensing management. All of these costs that you incur with an on-premises deployment are taken away.

This is not to mention running data centers and the associated costs, including powering them and cooling them. All of those expenses are removed. So, when you consider those costs and you compare them to Azure Sentinel, you can see that it's comparative, or if not, Azure Sentinel offers better value for money.

All things considered, it really depends on how much you ingest into the solution and how much you retain.

Which other solutions did I evaluate?

There are no competitors. Azure Sentinel is the only next-generation SIEM.

What other advice do I have?

This is a product that I highly recommend, for all of the positives that I've mentioned. The transition from an on-premises to a cloud-based SIEM is something that I've actually done, and it's not overly complicated. It doesn't have to be a complex migration, which is something that a lot of companies may be reluctant about.

Overall, this is a good product but there are parts of Sentinel that need improvement. There are some things that need to be more adaptable and more versatile.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
AidanMcLaughlin - PeerSpot reviewer
SIEM Engineer at a tech services company with 501-1,000 employees
Real User
Top 20
Enables us to monitor many different environments for cybersecurity incidents, and we use it as our main alerting tool to let us know when this activity happens
Pros and Cons
  • "The automation rules and playbooks are the most useful that I've seen. A number of other places segregate the automation and playbook as separate tools, whereas Microsoft is a SIEM and SOAR tool in one."
  • "Documentation is the main thing that could be improved. In terms of product usage, the documentation is pretty good, but I'd like a lot more documentation on Kusto Query Language."

What is our primary use case?

We use Microsoft Sentinel to monitor many different environments for cybersecurity incidents, and we use it as our main alerting tool to let us know when this activity happens. It also interfaces with all of our other Defender products, such as Defender for Office 365, Defender for Endpoint, et cetera.

Almost all of our solutions are based in Azure. We use Defender for Endpoint, Defender for Office 365, Defender for Cloud, Sentinel, and Azure Active Directory Identity Protection.

I use the latest version of Sentinel.

Sentinel is mostly used within our security operations center and our security team. We have about 50 endpoint users.

How has it helped my organization?

The backbone of our organization is built on Microsoft Sentinel, its abilities, and the abilities of our Defender stack. Ideally, we'd have more data, but a lot of data and functionality are in one place. The Lighthouse feature is outside Sentinel, but it allows us to have multiple environments integrated into one and to access lots of different Sentinel environments through that. It's very easy to manage a security workload with Sentinel. 

I would like to see better integration with CI/CD. It should be easier to use GitHub, Jenkins, or whatever our code management stack looks like. Whether or not you use Azure DevOps, being able to manage the code you have is fairly important.

Since using Sentinel, we've experienced a faster response time and easier development features. There aren't as many hurdles to moving a configuration.

I'm not sure how long it took to realize the benefits because it was deployed before my time here. It took me about three months to get familiar with what Sentinel has to offer and how we could leverage it, so it will be about three months before you start getting proper value from it.

There are still elements of Sentinel that I haven't used to their fullest potential, like the Jupyter Notebooks and internet hunting queries.

The solution is good at automating routine tasks and alleviating the burden for analysts.

Automation has moderately affected our security operations, although there is scope for it to significantly affect SecOps. There is definitely the capability for Sentinel to do pretty much all of your first-line response, which would be a significant improvement. It's a moderate effect because we only use automation in a few areas.

There are a few different dashboards for each of the Microsoft tools. We have a dashboard for Defender, one for Sentinel, and one for Active Directory Identity Protection. It consolidated alerts in some aspects, but a lot of information is still scattered.

It's fairly good for being reactive and responding to threats and looking for indicators of compromise. Overall, it helped us prepare for potential threats before they hit.

Sentinel saves us time. The automation feature especially saves us time because we can automate a lot of menial tasks. If other businesses could do that, it would eliminate a lot of their first-line response.

Sentinel saves us about 20 hours per week, which is the equivalent of a part-time staff member.

It saved us money. It's a very cost-efficient SIEM to use and still provides a good level of coverage despite that. 

Sentinel saved us about 50% of the cost of Splunk. It decreased our time to detect and respond by about 10-15%.

What is most valuable?

The automation rules and playbooks are the most useful that I've seen. A number of other places segregate the automation and playbook as separate tools, whereas Microsoft is a SIEM and SOAR tool in one.

It provides us with very high visibility. It allows us to see a lot holistically across our environment in Azure. It integrates very well with other products like Defender.

It helps us prioritize threats across our enterprise. There are many things we can do to deal with prioritizing threats, such as having automation rules that automatically raise the priority of certain incidents. We're also able to make changes to the rule sets themselves and say, "I believe this to be a higher priority than is listed in the tool."

Prioritization is probably the most important thing to us because as an organization, we have a number of threats coming in at any moment, and each of them has its own valid investigation path. We need to know which ones are business critical and which ones need to be investigated and either ruled out or remediated as soon as possible. Prioritizing what to work on first is the biggest thing for us.

If you have the right licenses and access to all the products, it's fairly easy to integrate these products into Sentinel. Sometimes they don't pull as much information as possible, and I've noticed that there is a cross-functional issue where these tools will flag and alert themselves.

We can have it configured to create an alert in Microsoft Sentinel, but sometimes it doesn't create a bridge between them. When we finish our investigation and close the ticket on Sentinel, it sometimes doesn't go back to the tool and update that. That's the only issue that I have found with the integration. Everything else is straightforward and works well.

The solutions work natively together to deliver coordinated detection responses across our environment. It's probably one of the better-engineered suites. In other places, I've experienced an endpoint detection and response system that's completely different: proprietary coupled with a proprietary and different SIEM tool or maybe a different sort of tool. They are individual tools, and it can sometimes feel like they're engineered differently, but at the same time, they integrate better than anything else on the market as a suite of tools.

These solutions provide pretty comprehensive threat protection. A lot of them are technology agnostic, so you can have endpoints on Linux and macOS. It's pretty comprehensive. There's always a little oversight in any security program where you have to balance the cost of monitoring everything with the risk of having some stuff unmonitored, but that's probably an issue outside of this tool.

It enables us to ingest data from our entire ecosystem. It's difficult to ingest non-native data. It's not as easy as in Splunk because Splunk is probably the leading SIEM tool. If you have a native tool that's out of the Microsoft security stack, you can bring it into Sentinel and have an alert on it.

This ingestion of data is vital for our security operations. It's the driver behind everything we do. We can do threat hunting, but if we don't have logs or data to run queries, then we're pretty much blind. I've worked in places where compliance and regulatory adherence are paramount and having logs, log retention, and evidence of these capabilities is extremely important. One of the more vital things that our organization needs to operate well is good data.

A lot of the alerts come in from other tools, so sometimes we have to actually use that tool to get the proper information. For example, if we get an alert through Defender for Office 365, to actually see an offending email or attachment or something like that, we have to go into the Defender console and dig that out, which is inconvenient. As an aggregator, it's not bad compared to the other solutions on the market. In an ideal scenario, having more information pulled through in the alerts would be an improvement.

A lot of Sentinel's data is pretty comprehensive. The overarching theme with Sentinel is that it's trying to be a lot of things in one. For a UEBA tool, people will usually have separate tools in their SIEM to do this, or they'll have to build their own complete framework from scratch. Already having it in Sentinel is pretty good, but I think it's just a maturity thing. Over the next few years, as these features get more fleshed out, they will get better and more usable. At the moment, it's a bit difficult to justify dropping a Microsoft-trained UEBA algorithm in an environment where it doesn't have too much information. It's good for information purposes and alerting, but we can't do a lot of automation or remediation on it straight away.

What needs improvement?

Although the integrations are good, it can sometimes be information overload. A number of the technologies run proprietary Microsoft algorithms, like machine learning algorithms and detection algorithms, as well as having out-of-the-box SIEM content developed by Microsoft. As an engineer that focuses on threat detection, it can sometimes be hard to see where all of the detections are coming from.

Documentation is the main thing that could be improved. In terms of product usage, the documentation is pretty good, but I'd like a lot more documentation on Kusto Query Language. They could replicate what Splunk has in terms of their query language documentation. Every operator and sub-operator has its own page. It really explains a lot about how to use the operators, what they're good for, and what they're not good for in terms of optimizing CPU usage.

In Splunk, I would like to see some more advanced visualization. There are only some basic ones in Sentinel.

For how long have I used the solution?

I've been using Microsoft Sentinel for about one year, but more heavily over the past five months.

What do I think about the stability of the solution?

It's pretty stable. We don't have any performance or capacity issues with it.

What do I think about the scalability of the solution?

It's scalable when using solutions like Lighthouse.

How are customer service and support?

I haven't needed to use technical support yet, but the documentation in the community is very good.

Which solution did I use previously and why did I switch?

I previously used Splunk. The move to Sentinel was definitely cost-based. A lot of people are moving away from Splunk to a more cost-effective SIEM like Sentinel. We also chose Sentinel because of the ease of maintenance. Splunk's enterprise security has some good queries out of the box, but if I were a small organization, I would use Sentinel because it has more out-of-the-box features.

How was the initial setup?

The log collection facilities must be maintained. Maintaining the solution requires a team of fewer than five people. It mainly involves ensuring that the rules are up to date, the connectors and log collection mechanisms are working correctly, and that they're up to date. It also involves ensuring that the right rules are deployed and the automation rules are in place.

What was our ROI?

Our ROI is 50% over and above what we spend on it in terms of what we can get back from Microsoft Sentinel, everything we use it for, and the time we save.

What's my experience with pricing, setup cost, and licensing?

Some of the licensing models can be a little bit difficult to understand and confusing at times, but overall it's a reasonable licensing model compared to some other SIEMs that charge you a lot per data.

There are additional fees for things like data usage and CPU cycles. When you're developing queries or working on queries, make sure that they're optimized so you don't use as much CPU when they run.

Which other solutions did I evaluate?

We spoke with Google about Chronicle Backstory. It looks pretty powerful, but it wasn't mature enough for what we were looking for at that time.

The only other real standalone solution I've had a good experience with is Splunk and Splunk Phantom. In terms of cost, it's astronomically different. Microsoft Sentinel can sometimes be expensive depending on how many logs you're taking, but it will never be in the same realm as Splunk. Sentinel is easy to use, but Splunk is so expensive because it's very easy to use.

Microsoft Sentinel is a better SOAR solution than Phantom. Phantom has good integrations, but it isn't really built for custom scripting. If you're going to be paying more, you would expect that to be better. Sentinel is better in that aspect. Sentinel's cost-effectiveness blows a lot of other solutions out of the water, especially if you're already in Azure and you can leverage some relationships to bring that cost down.

What other advice do I have?

I would rate this solution eight out of ten. It's heading in the right direction, but it's already pretty good and mature.

If a security colleague said it's better to go with the best-of-breed strategy rather than a single vendor security suite, I would understand that completely. Some people see tying yourself into a single vendor as a vulnerability. It's not quite spread out, but I think you can manage a single vendor security solution if you have a good relationship with the vendor and you really leverage your connections within that business.

It's good to diversify your products and make sure that you have a suite of products available from different companies and that you use the best that's available. In terms of this technology stack, it's pretty good for what it does.

My advice is to really focus on what's possible and what you could do with the SIEM. There are a lot of features that don't get used and maximized for their purpose from day one. It takes a couple of months to properly deploy the solution to full maturity.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2024