Product Manager, Cyber Security at Mactel
Makes data integration very easy for our SOC
Pros and Cons
- "The features that stand out are the detection engine and its integration with multiple data sources."
- "One key area that can be improved is by building a strong integration with our XDR platform."
What is our primary use case?
We use it for our security operations center. We have private and multi-cloud environments.
How has it helped my organization?
It enables data integration within our hybrid, multi-cloud environment, and it makes this data integration very easy for our security operations center.
Sentinel has helped improve our visibility into user and network behavior. It helps in identifying risky users, creating a watch list for specific users and their activities, which is very important.
It has also been saving us time. It's a complete cloud-based solution, so there is no time wasted on setting up servers, infrastructure, et cetera.
It also reduces the work involved in event investigation because it puts together detection logic through detection rules. That helps in automating incident identification.
What is most valuable?
The features that stand out are the detection engine and the integration with multiple data sources.
And while it does not give the tools to detect and investigate, it provides the ability to integrate multiple tools together on the platform. This is very important for us. Sentinel provides very good integration with Microsoft Power Apps and Power Automate. That is a very handy feature.
It provides a good user interface for an operations analyst and makes it easy for an ops analyst to do incident analysis and investigations.
What needs improvement?
One key area that can be improved is by building a strong integration with our XDR platform.
Buyer's Guide
Microsoft Sentinel
July 2025

Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: July 2025.
862,514 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Microsoft Sentinel for over a year. I'm a product manager, and I do not do hands-on deployment, but I do product definition, platform selection, and product feature definition.
What do I think about the stability of the solution?
It is a stable product.
How are customer service and support?
The technical support team is good. They have account managers aligned with our customers. It is a good, scalable model.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We started with Sentinel only. We have had some experience with Splunk, but Sentinel is more mature, flexible, and scalable.
How was the initial setup?
The install or setup time is very small. Without Sentinel, it would usually take 15 to 30 days to set up a SIEM solution in an environment. With Sentinel, it is very easy. A completely production-grade environment can be set up within a week.
Setting up Sentinel is straightforward. Because it is a cloud-based solution, there is no infrastructure deployment involved. Much of the implementation can be done in automated ways. We leverage that automation for implementation. It doesn't require much staff. It is very automated.
It requires maintenance, and that is part of what we cover by providing our customers with managed services.
What about the implementation team?
Our team does the deployment.
What was our ROI?
We have seen ROI.
What's my experience with pricing, setup cost, and licensing?
The licensing cost is available on the Microsoft Azure calculator. It depends on the size of the deployment, the size of the data ingestion. It is consumption-based pricing. It is an affordable solution.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner.

Security Engineer at a tech services company with 5,001-10,000 employees
The solution prioritizes threats, integrates easily with other Microsoft products, and can be deployed within half an hour
Pros and Cons
- "We are able to deploy within half an hour and we only require one person to complete the implementation."
- "The playbook development environment is not as rich as it should be. There are multiple occasions when we face problems while creating the playbook."
What is our primary use case?
Our organization is an SSP, a service provider for manual threat detection and hunting. We use Microsoft Sentinel for threat detection. We have a few clients using Microsoft Sentinel, and we provide SOAR services to them.
How has it helped my organization?
Having the ability to respond holistically from one place with Microsoft Sentinel is very useful. We don't need to log into different security consoles. It is less hectic and reduces our time to respond and resolve the issue.
The solution has helped improve our organization by detecting and hunting threats. The solution also correlates alerts from other solutions, such as Defender, Office 365, and other endpoint solutions. Microsoft Sentinel has automated responses that help us reduce the number of analysts required, for example, from ten to six, because most of the tasks are done automatically.
The solution's automation of routine tasks helps us automate the finding of high-value alerts by reducing the manual work from 30 minutes down to three. Ninety percent of the work is done by Sentinel, which runs the playbook and provides us with all the data required to make a decision quickly.
The solution has helped eliminate the need to use multiple dashboards by incorporating SIEM plus SOAR into one convenient location. We don't need to log into each of the solutions individually. We can directly correlate the alerts and incidents from our Sentinel console. Sentinel reduces our time because we don't need to check multiple tabs for multiple solutions. All the information required to investigate and make a decision can be found in the solution's panel view.
We don't have any out-of-the-box threat intelligence from Microsoft, but with the integration of some open-source solutions and premium sources, Microsoft Sentinel helps us take proactive steps before threats enter our environment.
We have custom rules created to check IPs or domains for potential threats. Whenever an IP or domain is visible in our logs, the solution will automatically correlate with the threat intelligence feed and create an alert. If we skip the correlation portion and an alert has been created for a malicious IP or a malicious domain, the solution can check the reputation in different reputation sources such as VirusTotal or Recorded Future, and it will auto-populate the information for the analyst, which helps us prepare for potential threats.
The solution has definitely saved us 90 percent of our time. Microsoft Sentinel reduces our time to detect, respond, and resolve incidents. Most of the incidents are detected automatically and we just need the data to make a decision. We don't have to go look for different clues or reputations over the internet or use other solutions.
Microsoft Sentinel has saved us from incurring costs related to a breach by protecting us.
The solution detects incidents and alerts us in real-time based on custom rules that we create or the out-of-the-box rules that are part of Sentinel. The information that auto-populates when we run the playbook reduces our response time in most cases because all the relevant data required for our investigation is provided on the incident details page.
What is most valuable?
Logic apps, playbooks, and dashboarding are all valuable features of this solution.
Microsoft Sentinel prioritizes threats across our organization because the solution allows us to correlate using multiple solutions including Defender.
Integrating Microsoft solutions with each other is very easy. The integrated solutions work together to deliver coordinated detection and response in our environment.
The solution enables us to investigate threats and respond holistically from one place. We can write AQL queries and also create rules to detect the alerts. In the event that we don't have rules, we can proactively hunt through KQL queries.
The workbook based on KQL, which is the query language, is very extensive compared to other solutions such as QRadar and Splunk.
The solution requires no in-house maintenance because it is all handled by Microsoft. We only need to monitor the updates.
What needs improvement?
The playbook development environment is not as rich as it should be. There are multiple occasions when we face problems while creating the playbook.
The cost is not straightforward and would benefit from a single charge model.
The UI is not impressive; we need to train our analysts to conduct the investigation. Unlike IBM QRadar, which has a different UI for searching, there is no UI where we can conduct searches with Sentinel. With Sentinel, all our searches require a KQL query, and if our analysts are not familiar with KQL queries, we have to train them.
The data ingestion can use improvement. There are a few scenarios where we have experienced a delay in data ingestion.
For how long have I used the solution?
I have been using the solution for one and a half years.
What do I think about the stability of the solution?
Sentinel is quite stable because it's a SaaS-based offering, so we don't have to worry about our stability. The solution is available 99.99999 percent of the time. The only time we have an issue is if there is a problem with the Azure portal. Microsoft handles the stability well.
What do I think about the scalability of the solution?
We can scale the solution as much as we want, and with a few clicks, we can increase or decrease capacity.
We currently have four engineering teams that handle the deployments and use case development as well as a SOAR team that consists of ten technical people who all use the solution.
How are customer service and support?
Microsoft Sentinel support is really good. They respond quickly to our requests and they try to resolve our issues as soon as possible. From my experience, Microsoft has the best support.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
For SIEM, we previously used IBM QRadar and Splunk Enterprise Security. For SOAR, we have used IBM Resilient, Palo Alto XSOAR, and D3 SOAR, which is a new tool. D3 SOAR is a startup based in Canada and we used it for a POC, but we have not used it in production. Sentinel is a SaaS-based solution. There is less administration required and with a few clicks, we can deploy Microsoft Sentinel, whereas, with other solutions, we have to build everything from scratch. There are other SaaS-based solutions, but Sentinel is one of the most popular, and because a lot of organizations are already using Microsoft and Azure products, Sentinel is the best compatible solution.
How was the initial setup?
The initial setup for Sentinel is straightforward and the best I have worked with to date. We are able to deploy within half an hour and we only require one person to complete the implementation.
What about the implementation team?
The implementation was completed in-house.
What's my experience with pricing, setup cost, and licensing?
From a cost perspective, there are some additional charges in addition to the licensing. Initially, the cost appears expensive, but over time, the solution justifies that cost. The cost is not straightforward, but instead really complex. We are charged for data ingestion as well as data leaving the environment. We are also charged for running playbooks and for logic apps. Compared with SIEM solutions, whose cost is simply based on EPS or data storage, Microsoft Sentinel's cost is complex. Over time we can predict what the cost of using the solution will be. Other standalone SOAR tools have fixed licensing and their cost is simple. We don't need to pay for each command we run or each integration we have or each automation we do. With Microsoft Sentinel, there is a cost associated with each of the connectors that we use in our playbook. Every time we run that playbook, there will be charges, but the charges are minimal unless we run the playbook repeatedly, then over time the cost shoots up.
Which other solutions did I evaluate?
We occasionally test POC and we are still evaluating other solutions.
What other advice do I have?
I give the solution nine out of ten.
My impression of the visibility into threats that Microsoft Sentinel provides is that the solution is not perfect, but since it is part of Microsoft Workspace, Microsoft already provides so many services to clients, and Microsoft Sentinel is one of them. If we are already using Azure and other services from Microsoft, then Sentinel is easy to implement and use compared to other similar solutions. If I were not using Microsoft solutions, then I could use other solutions, such as IBM QRadar or Splunk, and when it comes to SOAR, Palo Alto XSOAR is a much better solution.
We use multiple solutions from Microsoft within our organization including Defender and Endpoint. We have integrated Endpoint with Defender and Microsoft Security Center to receive alerts.
Microsoft Sentinel has out-of-the-box support for up to 90 percent of solutions where we can find a connector to ingest the data directly, but for the remaining 10 percent, we need to write custom tables.
The ability to ingest data is the backbone of our security. If we don't ingest the data, we won't be able to perform anything at all in SIEM. SIEM is based on data ingestion. Once the data is ingested, then on top of that data, we can monitor and detect or hunt, whatever we want. We can create a reporting dashboard, but the data needs to be there.
Microsoft Sentinel's UEBA is quite capable. For SIEM, Splunk and IBM QRadar are slightly better than Sentinel, but Sentinel is catching up fast. The solution has only been in the market for two or three years and has already captured a large share with increasing popularity. For SOAR, Palo Alto XSOAR is much better than Microsoft Sentinel because Sentinel is a SIEM plus SOAR solution whereas Palo Alto XSOAR is a SOAR-focused solution only. What Microsoft Sentinel provides is one solution for SIEM plus SOAR, where we can detect and also respond in one place.
Currently, we have one environment based in a US data center, but we have the ability for multiple solutions in multiple regions within Azure, and we can integrate them using a master and slave configuration that will allow us to run all the queries from the master console.
Using a best-of-breed strategy rather than a single vendor suite is fine if we have a SIEM solution, a SOAR solution, or an endpoint detection solution, until a time when they are no longer compatible with each other and we cannot integrate them. If we cannot integrate the solutions, it becomes difficult for our teams to log into and monitor multiple solutions separately.
I definitely recommend Microsoft Sentinel, but I suggest basing the decision on proof of concept by gathering the requirements, security solutions, and additional log source devices an organization has before using the solution. There are multiple solutions available that may be more suitable in some cases.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
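The review above describes custom rules that match IPs and domains seen in logs against a threat intelligence feed and raise an alert, and hunting through KQL queries. The following analytics query is an added example, written for this page and not taken from the reviewer or from Microsoft's own rule templates, of how that correlation is expressed in KQL. It assumes the workspace's standard ThreatIntelligenceIndicator, CommonSecurityLog (firewall/CEF) and DnsEvents tables are populated; the look-back windows and the minimum confidence score are assumed tuning values, not Sentinel defaults. It goes slightly beyond the review by handling both IP and domain indicators in one query.

```kql
// Added example: correlate observed destination IPs and DNS query names with
// active threat-intelligence indicators. Not the reviewer's or Microsoft's code.
let lookback = 1h;            // assumed: how far back to scan event logs per run
let ioc_window = 14d;         // assumed: how far back to load indicators
let min_confidence = 50;      // assumed tuning threshold; adjust per feed quality
// Active, unexpired indicators; keep only the newest version of each indicator
let active_indicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_window)
    | where Active == true and ExpirationDateTime > now()
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where ConfidenceScore >= min_confidence
    | project IndicatorId, NetworkIP, DomainName, ConfidenceScore, ThreatType,
              Description, TiSource = SourceSystem;
// IP indicators against firewall traffic (CEF logs in CommonSecurityLog)
let ip_hits =
    CommonSecurityLog
    | where TimeGenerated >= ago(lookback) and isnotempty(DestinationIP)
    | join kind=inner (active_indicators | where isnotempty(NetworkIP))
        on $left.DestinationIP == $right.NetworkIP
    | project TimeGenerated, IndicatorType = "ip", Matched = DestinationIP,
              Observer = SourceIP, IndicatorId, ConfidenceScore, ThreatType,
              Description, TiSource;
// Domain indicators against DNS query logs; normalise case and trailing dot first
let domain_hits =
    DnsEvents
    | where TimeGenerated >= ago(lookback) and isnotempty(Name)
    | extend QueryName = tolower(trim_end(@"\.", Name))
    | join kind=inner (active_indicators
                       | where isnotempty(DomainName)
                       | extend IocDomain = tolower(DomainName))
        on $left.QueryName == $right.IocDomain
    | project TimeGenerated, IndicatorType = "domain", Matched = QueryName,
              Observer = ClientIP, IndicatorId, ConfidenceScore, ThreatType,
              Description, TiSource;
// One row per matched indicator, with the hosts that touched it, highest confidence first
union ip_hits, domain_hits
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            Hits = count(), Observers = make_set(Observer, 50)
            by IndicatorType, Matched, IndicatorId, ConfidenceScore, ThreatType,
               Description, TiSource
| order by ConfidenceScore desc, Hits desc
```

Used as the query of a scheduled analytics rule, each result row becomes an alert whose entities (the matched indicator and the observing hosts) are already populated for the analyst; the `arg_max` step matters because the indicator table is append-only and an indicator can be re-published with a changed `Active` or expiry value.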
Associate Consultant, SIEM Engineer at a tech services company with 501-1,000 employees
Gives us better security and allows us to capture all the data in a single console, which we can analyze from the cloud
Pros and Cons
- "The best feature is that onboarding to the SIEM solution is quite easy. If you are using cloud-based solutions, it's just a few clicks to migrate it."
- "If we want to use more features, we have to pay more. There are multiple solutions on the cloud itself, but the pricing model package isn't consistent, which is confusing to clients."
What is our primary use case?
We have multiple use cases based on the data sources we have onboarded, like Sophos UTM or Firewall.
We also use Microsoft Defender for cloud and Microsoft Office.
We have integrated MD with Sentinel to receive alerts. If there are any suspicious activities in any of our resources, MD will create an alert. Once an alert comes through MDC, it is converted to Sentinel.
It was easy to integrate the solutions. It took about two or three clicks. The solutions work natively together, specifically to give us coordinated detection and response across our environment.
There is a correlation with the ML-based algorithm. We have an ML model algorithm in Sentinel. It has the capability to catch the pattern of attacks and shows that to us in the Sentinel app.
How has it helped my organization?
We mostly have cloud-based solutions, so Sentinel gives us better security. There's a feature that allows us to capture all the data in a single console, which we can analyze from the cloud itself.
We don't have to use third-party services to check these activities. If we see that one of our accounts is compromised or anything has happened, we can remove that person from other groups.
There's a feature that allows us to see what is in a secure state and what is in a critical state.
Sentinel helps automate routine tasks and find high-value alerts. We can have a custom playbook and create automation rules through that. If there is a false positive address, we can do the automation from there. If we want an email notification based on high-activated rules, we can provide the automation rules that will notify us on Outlook or through Teams.
It minimizes our analyst's workload. Once a high activity comes up, we'll get a notification on Teams. As analysts, they will validate and send us the email or notification within 10 to 15 minutes with more valid data. If there's a playbook with the top 10 critical rules, we can create multiple playbooks and attach them with the data that we want to protect.
Once that incident is triggered, we'll get notifications with the full details of that incident. If high severity comes up, that email is sent to the client, and we do more analysis on that rather than wasting time on the first analysis. We can directly get into the deeper version of the automation.
If an incident comes up, we have to validate the load and find out the correlation of the users. We can focus on the advanced test rather than wasting time on the previous one. This saves five to ten minutes.
On a monthly basis, the analyst team saves at least three to four hours with automation. We have multiple rules based on our more critical test. From that perspective, analysts don't want to work more on low priorities because we'll be automatically notified of low and high priorities. We focus more on critical users where the threat is high. By focusing on what is a high priority, our analysts save five to six hours per week.
We have multiple dashboard views that allow us to see logs coming from different solutions and users who were involved in the previous incident.
What is most valuable?
The best feature is that onboarding to the SIEM solution is quite easy. If you use cloud-based solutions, it's just a few clicks to migrate it.
The console is user-friendly. We have almost 120 different types of data, so the solution helps us to onboard different types of third-party services to the SIEM solution. We have UEBA features, and the SOAR capability in the Sentinel server is also a good feature.
Sentinel's visibility into threats is very good. We have an investigation graph that allows us to see the correlation between the incident and the users. We can see if there are multiple incidents with the same IP address and if there are multiple breaches. We can correlate with the rules and check if any inside threat activities are going on with the malicious site or the malicious URL link that we have onboarded. The threat view provides good visibility.
We can prioritize threats based on our investigation assets. It's very fast. We're able to see the rest of the threat activities and how impactful they are. Based on the ML algorithm, we can get all the stages of the attack as well.
Sentinel enables us to ingest data from our entire ecosystem.
The importance of this ingestion of data to our security operations depends on the data and the type of solutions we have to onboard. We onboard our critical servers and assets to the same solution so we'll have good visibility.
We're able to investigate threats and respond holistically from one place.
We can validate the logs from where the logs have been received. By doing the log analysis, we'll be able to find them. It's a straightforward function and isn't very hard.
There's an incident pane in Sentinel. We have a query package, and we can have a deep dive alert through that, or we can have a deep look into the log. From the console itself, we have a great view of our threats and the current phase we're in.
We have multiple source features. There are between 20 to 30 in addition to data. Microsoft provides custom features through which we can connect with third-party solutions and correlate the incident. For example, if we have multiple incidents, we can use the SOAR capabilities and correlate them with multiple third-party threats. It's an easier way of understanding whether or not we have a malicious bug.
We can see how much time our analysts have taken to raise the ticket and how much time they have taken to resolve the issue assets. We can create a dashboard for that. They're able to notify us within five or ten minutes for high priorities. For the medium priorities, it is 10 to 12 minutes. Our detection time for low priorities is within three hours, but our team still performs under 15 to 18 minutes.
What needs improvement?
If we want to use more features, we have to pay more. There are multiple solutions on the cloud itself, but the pricing model package isn't consistent, which is confusing to clients.
For how long have I used the solution?
We have been using this solution for almost two years.
What do I think about the stability of the solution?
The stability is very good.
What do I think about the scalability of the solution?
I would rate the scalability an eight out of ten.
How are customer service and support?
I would rate technical support a six out of ten. Technical support doesn't understand the features well enough. They will give us links to reference, so we go through those links as a team or Google the solution. We reach out to them if we can't find the solution, but they provide us with the same links and URLs that we've already referred to. It's a hassle because it wastes a week and a half of our time. Their solutions and response time aren't very good.
How would you rate customer service and support?
Neutral
How was the initial setup?
The setup is based on our data sources. We have a segregated timeframe of two payments. It depends on the client or who is doing the operation. Onboarding on the cloud is pretty easy. It takes just a few clicks from migrating the data sources to getting the logs.
For an on-premises or third-party software servicer, it will take more time and troubleshooting to do the setup. It won't be hard if you have a good team for the onboarding process. It can be complicated initially, but the rest of the timeframe will involve fine-tuning the logs and creating the custom rules based on your requirement.
It doesn't require a lot of maintenance. It's pretty simple. We just had to play with it for a couple of months.
What was our ROI?
We haven't seen any financial ROI.
What's my experience with pricing, setup cost, and licensing?
Sentinel is the best solution that we use. It's a pay-as-you-go model. We can fine-tune the features we want and choose if we want to remove logs. We can also segregate logs, which helps us minimize costs. Sentinel provides free Office 365 and Azure-based logs without pricing assets. When it comes to the third-party solution or our server logs, we just have to do the fine-tuning of the logs.
The pricing isn't very high. It depends on the number of logs you have. If you're expecting to ingest 50 to 60 GB in a day, but you're only ingesting 20 to 25 GB per day at first and you have a good team to analyze the logs, then you can segregate the ingestion at under 15 GB.
What other advice do I have?
I would rate this solution a nine out of ten.
It's very user-friendly. The only issue is that Microsoft's technical support isn't very good. If you have a good team who can onboard the resources to the solution, then you'll be happy with the solution itself.
For us, it's better to go for multiple solutions rather than a single suite because we cannot strictly trust one client. If you only have one cloud-based solution, it's better to use Sentinel to secure it. It's helpful to have a good team that can do the monitoring and onboarding smoothly. You can go with one solution if you have a trusted partner. If you don't, then I would use multiple solutions.
You should purchase the features that Microsoft provides. It's a configured network, so they will correlate with the end resources, RMD, and receiver identity. The fusion-based algorithm rule will detect advanced multistage attacks to stop the attack.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Cyber Security Engineer at a tech services company with 51-200 employees
Provides valuable alerts and saves investigation time, but can use more connectors
Pros and Cons
- "The most valuable feature is the alert notifications, which are categorized by severity levels: informational, low, medium, and high."
- "Microsoft Sentinel should provide an alternative query language to KQL for users who lack KQL expertise."
What is our primary use case?
Microsoft Sentinel serves as a centralized hub for collecting and analyzing logs from various Microsoft tools and other sources. It eliminates the need to develop custom toolsets for detecting malicious activities across different Microsoft tools. Instead, Microsoft Sentinel provides standardized rules and playbooks to streamline the process of identifying and responding to potential threats.
For instance, consider a scenario where an employee clicks on a phishing link in an email, leading to the installation of malware on their system. While the endpoint detection and response tool on the endpoint might not detect malicious activity, Microsoft Sentinel, acting as a central log collector, receives the EDR logs and triggers an event based on pre-defined rules.
Upon detecting the suspicious activity, Microsoft Sentinel automatically executes a playbook, which may involve actions such as killing the malicious process or isolating the affected endpoint. This automated response helps expedite threat containment and reduces the burden on security analysts.
How has it helped my organization?
It is crucial that Sentinel empowers us to safeguard our hybrid, cloud, and multi-cloud environments. We employ a hybrid cloud setup, and securing our environment using Sentinel is significantly simpler than manual methods. We can gather events in the Central Point and develop playbooks and scripts to automate responses. This streamlines the process and enhances our overall security posture. Additionally, if an alert is triggered, we receive an incident notification via email, prompting us to take action and resolve the issue.
Sentinel provides a library of customizable content to address our company's needs.
Microsoft Sentinel has helped our organization with alerts. We'll receive alerts from Sentinel indicating that we're at risk. It's important to address these alerts promptly. We first need to review the information in the email, and then work on the issue in the office. After that, we'll contact the team members on the relevant shift. There's nothing particularly difficult about this process. It's based on our access privileges, which are determined by our role in the company. If we have a high-level role, we'll have access to all the necessary tools and resources. We'll even be able to receive alerts at home if there's a security issue. The company that provides this technology grants work-from-home access based on security considerations. If someone has a critical role, they'll also be equipped with the tools they need to work remotely and connect with their team members. So, the company that provided the technology can resolve the issue first, and then we can address it. Once we've taken care of the issue, everything will be much easier.
By leveraging Sentinel's AI in conjunction with our playbooks for automation, we can enhance the effectiveness of our security team, subject to the specific rules and policies we implement.
The logs provided by Sentinel have helped improve our visibility into our user's network behavior.
Sentinel has helped us save 60 percent of our time by prioritizing the severity of the alerts we receive. When we receive an alert with a high-risk level, we immediately address it to mitigate the potential security threat. Additionally, we have configured our anti-ransomware software to further protect our systems from cyberattacks. In the event of a ransomware attack, our Halcyon system will generate an encryption key that can be used to unlock our system. This key is securely stored by Halcyon.
Sentinel has helped reduce our investigation times by enabling us to review an alert, generate a ticket, and resolve the issue simultaneously upon receiving the alert.
What is most valuable?
The most valuable feature is the alert notifications, which are categorized by severity levels: informational, low, medium, and high. This allows us to prioritize and address alerts based on their urgency. For instance, we would immediately address high-severity alerts. This feature, along with the ability to create playbooks, significantly enhances our workflow.
What needs improvement?
I would like Microsoft to add more connectors for Sentinel.
Microsoft Sentinel should provide an alternative query language to KQL for users who lack KQL expertise.
For how long have I used the solution?
I have been using Microsoft Sentinel for one and a half years.
What do I think about the stability of the solution?
Microsoft Sentinel is a stable solution.
What do I think about the scalability of the solution?
Microsoft Sentinel is scalable.
How are customer service and support?
We have to write playbooks to resolve our issues.
How would you rate customer service and support?
Neutral
How was the initial setup?
The configuration of Microsoft Sentinel involved a complex process that required thorough familiarity with the available connectors and the policies to be implemented.
What was our ROI?
We have seen a 30 percent return on investment.
What's my experience with pricing, setup cost, and licensing?
Sentinel is costly.
What other advice do I have?
I would rate Microsoft Sentinel seven out of ten.
We have five people in our organization who utilize Sentinel.
No maintenance is required from our end.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
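The review above treats Sentinel as a central hub that collects alerts from many Microsoft and third-party tools and relies on the severity categories (informational, low, medium, high) to decide what to address first. The following query is an added example, written for this page and not the reviewer's or Microsoft's own code, of a triage view that applies that prioritisation: open incidents ordered by severity and age, each with the alerts and source products behind it. It assumes the workspace's standard SecurityIncident and SecurityAlert tables are populated; the seven-day window is an assumed value.

```kql
// Added example: severity-first triage list of open Sentinel incidents.
// Not the reviewer's or Microsoft's code; assumes the standard
// SecurityIncident and SecurityAlert tables.
let window = 7d;   // assumed look-back for incidents and alerts
// Ranking for Sentinel's severity levels (the names are Sentinel's own)
let severity_rank = dynamic({"High": 4, "Medium": 3, "Low": 2, "Informational": 1});
// Latest known state of each alert in the window
let alerts =
    SecurityAlert
    | where TimeGenerated >= ago(window)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project SystemAlertId, AlertName, ProviderName, AlertSeverity;
SecurityIncident
| where TimeGenerated >= ago(window)
// SecurityIncident records every state change; keep only the newest row per incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status in ("New", "Active")
| extend AssignedTo = tostring(Owner.assignedTo)
// One row per (incident, alert) so the alert details can be joined in
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=leftouter alerts on $left.AlertId == $right.SystemAlertId
| summarize
    AlertCount = dcount(AlertId),
    AlertNames = make_set(AlertName, 20),
    Providers = make_set(ProviderName, 10)
    by IncidentNumber, Title, Severity, Status, CreatedTime, AssignedTo
| extend SeverityRank = toint(severity_rank[Severity]),
         AgeHours = datetime_diff("hour", now(), CreatedTime)
// Highest severity first; within a severity, the oldest unresolved incident first
| order by SeverityRank desc, CreatedTime asc
| project IncidentNumber, Severity, Status, AgeHours, AssignedTo, Title,
          AlertCount, AlertNames, Providers
```

Pinned to a workbook or run at shift handover, the `Providers` column shows at a glance which products (EDR, identity, mail) contributed to an incident, and `AgeHours` exposes high-severity incidents that have sat unassigned, which is the gap a severity-only notification scheme can hide.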
IT Operation Manager at Orascom Construction Industries
Comprehensive with good automation and prioritizing of threats
Pros and Cons
- "The Log Analytics are useful."
- "I would like to see more AI used in processes."
What is our primary use case?
We have possible use cases for the solution. We have 10 or 12 different use cases under this solution.
What is most valuable?
The Log Analytics are useful. You can review many details.
The portal and the full integration and collaboration between the cloud workloads and multi-tenants have been useful. We can use it with SharePoint and Exchange.
The solution helps us prioritize all of our threats. It's one of the most important and critical systems we have here.
We have a lot of Microsoft solutions. For example, we also use Defender for Endpoint and Microsoft Cloud. We mostly use Microsoft products, although we also use CrowdStrike.
It was easy to integrate Defender for Endpoint. Each of these solutions works natively together. It's very crucial that they work together.
Microsoft is very comprehensive. It helps protect us and offers very clear information. It's easy to assess everything. It's a good user experience.
We make use of Microsoft Defender for Cloud's bi-directional sync capabilities. We have different customers under our umbrella and multiple subsidiaries. Not all have access to the same license. We don't have the same security exposure everywhere. We can pick and choose who needs access.
Sentinel does enable us to ingest data from our entire ecosystem. This is crucial. That said, it can cost us a lot of money. We try to get feature visibility and enhance the collected logs to be able to identify only certain logs that would need to be uploaded. That said, it's very crucial we can ingest data from anywhere.
We can investigate threats and respond holistically from one place, one dashboard. Having one dashboard is important as it saves the team from headaches. We can collect all the information we need in one view.
The comprehensiveness of Sentinel is good in that it helps us identify most of our gaps in security. In the last few years, we have been able to fill in most of the gaps.
Once we enabled the connectors and started getting incident reports to our dashboard, we were able to realize the benefits of the solution. It took about one month to begin to get the value of this product.
Sentinel helps automate routine tasks and helps automate the findings via high-value alerts. We've been able to automate a lot of the cycle and leave the investigation to humans. Support is very crucial and we can take the right actions fast.
The product helps us prepare for potential threats before they hit and we can take proactive steps. We're very satisfied in terms of security operations.
Before implementing the solution, we didn't know we were wasting a lot of time. Once the solution was in place, we discovered a lot of gaps across the traditional way we were handling security.
I can't say if we are saving money. However, we're investing in the right places. We're now utilizing services we actually need. From a business perspective, although it does have a cost, it's saving the business since it's protecting us from any security breach.
What needs improvement?
I'd like to see more integration with other technologies beyond the Microsoft OS.
I would like to see more AI used in processes.
For how long have I used the solution?
I've been using the solution for three or four years.
What do I think about the stability of the solution?
The stability is not an issue.
What do I think about the scalability of the solution?
We do have plans to increase usage. The solution has the ability to scale.
How are customer service and support?
We have not opened a ticket for technical support yet. So far, we haven't had any issues.
My understanding is Microsoft does not have good support and has done a lot of outsourcing. In general, they used to be brilliant, as they were focused on customer satisfaction and engaged with experts; however, the quality is not as good.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We also use CrowdStrike as our EDR solution. However, before Sentinel, I did not use anything else in this category.
How was the initial setup?
I took part in the initial deployment. The process was very straightforward. It took about one week to onboard all that we needed. We did it in three phases. First, we did a demo and looked for items that needed to be addressed. We then onboarded the device and put the analytics and logs in place.
We had a team of three on hand that handled the deployment. They also handle support and maintenance.
What about the implementation team?
We initially had the assistance of Microsoft partners. However, we failed to get all of the information we needed. We found it more valuable to get assistance from the vendor directly.
What's my experience with pricing, setup cost, and licensing?
I can't speak to the exact cost.
What other advice do I have?
We are a customer of Microsoft.
During implementation, it's helpful to get the vendor engaged in the implementation.
I'd rate the solution nine out of ten.
It's good to go with a single-vendor strategy. I've recommended this product to others.
The user experience should be the number one priority. Microsoft is working on this every day. It's very important to us that the user experience is maintained and there's no conflict between the products or connectors. Having one dashboard makes it easier for admins and businesses to be in touch, engage, and share. For example, my manager can see my reports even if he's not knowledgeable in the technology.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cyber security engineer at a tech services company with 10,001+ employees
Automation features save time by 75% when working on specific incidents and reduce the workload for false positives
Pros and Cons
- "I like the KQL query. It simplifies getting data from the table and seeing the logs. All you need to know are the table names. It's quite easy to build use cases by using KQL."
- "The performance could be improved. If I create 15 to 20 lines for a single-use case in KQL, sometimes it takes more time to execute. If I create use cases within a certain timeline, the result will show in .01 seconds. A complex query takes more time to get results."
What is our primary use case?
We use Sentinel to manage data based on data connectors and log sources. We have to build the use cases. I create policies and periodically fine-tune them. There are a lot of cloud applications for that, like Microsoft Active Directory, Office 365, and Microsoft Identity Protection.
For instance, when a privileged account's password is changed frequently, it should trigger an alert and will create an incident. Another use case is the ability to summarize all DB activity.
We also use Defender for Endpoint, and I have experience with Defender for Cloud and Microsoft Identity Protection.
The cloud-native solution covers an entire IT organization. It could be located in China, Russia, Pakistan, or India. It doesn't matter.
This solution is mostly deployed on the cloud. The solution is used across our entire organization. There are more than 1,000 end users.
How has it helped my organization?
The solution increases security. It also reduces complexity because we can monitor everything from a single solution. We can manage a firewall, servers, connected DOS, etc. Even if it's a third-party application, we can manage it.
The solution helps automate routine tasks and find high-value alerts. For example, we can create analytical rules and build the use cases so that any suspicious incoming traffic is blocked.
The solution has eliminated the need to look at multiple dashboards. Everything is accessible from a single dashboard.
Our team is currently being trained on how to use threat intelligence to help prepare and take proactive steps for potential threats before they hit. If there are any zero-day vulnerabilities, Microsoft will update the platform, so that all of the organizations that use Sentinel will have coverage.
What is most valuable?
I like the KQL. It simplifies getting data from the table and seeing the logs. All you need to know are the table names. It's quite easy to build use cases by using KQL.
Sentinel provides visibility into threats. It provides anonymous IP and URL detection in our environment. We can easily get the logs.
It helps prioritize threats in the organization. We can build analytic rules. Microsoft Sentinel provides a lot of alternative use cases, but we have to prepare them.
Sentinel enables us to ingest data from our entire ecosystem because it's a cloud-native SIEM. We can integrate everything into Sentinel. In any organization, log management is an important aspect. For auditing and compliance, an organization has to validate the logs.
Sentinel enables us to investigate threats and respond holistically from one place. There's an incident option that allows us to view information about a specific instance, an anomaly, and activities that have happened in the last 24 hours. It will show the specific incident, the host, the time, and what the user is accessing. It shows everything in a single pane, which is very useful.
There's a lot of technical documentation for automation. It's easy to understand. You can build it according to your needs. You can automate playbooks. You can integrate a number of digital platforms into your environment.
What needs improvement?
The performance could be improved. If I create 15 to 20 lines for a single-use case in KQL, sometimes it takes more time to execute. If I create use cases within a certain timeline, the result will show in .01 seconds. A complex query takes more time to get results.
For how long have I used the solution?
I have used this solution for two years.
What do I think about the stability of the solution?
The solution is very stable. We haven't experienced any outages so far. There is a failover function. If a region has an outage, there is backup support, which is advertised in the software on SIEM.
What do I think about the scalability of the solution?
The solution is scalable.
How are customer service and support?
I would rate technical support as nine out of ten.
Which solution did I use previously and why did I switch?
We previously used Splunk. We switched because of the cost.
How was the initial setup?
I wasn't involved in deployment. Maintenance isn't needed often.
What was our ROI?
Sentinel saves us time. KQL is fast. The response of the query output is quick compared to other products. We can create a lot of automation in that particular environment, which reduces the workload for a lot of false positives.
Logic Apps allow us to create mini-automations. SOAR plays a huge role in Microsoft Sentinel. It automates soft operations workloads.
The solution saves us time by 75%. By using automation instead of working on a specific incident for 30 minutes, it takes a maximum of five minutes.
This solution saves us money. Microsoft offers discounts if you purchase GB per day.
Sentinel decreases the time it takes to detect and the time it takes to respond by 70%.
What's my experience with pricing, setup cost, and licensing?
In a protected cloud, Microsoft is quite manageable. It allows you to pay as you go. If you're replacing cloud resources, you'll eventually have thousands of virtual machines, but you'll be able to pay for only 500 virtual machines.
The pay-as-you-go model is beneficial to customers.
Which other solutions did I evaluate?
My organization tried an open-source platform, but it didn't give a proper output, so we compiled some other solutions. We prefer Microsoft products, so we went with Sentinel.
What other advice do I have?
I would rate this solution as nine out of ten.
To a security colleague who says it's better to go with a best-of-breed strategy rather than a single-vendor security suite, I would say that if you have a single-bundle security solution, you can cover all of your security needs in an IT organization. It's beneficial for support, makes data visibility clearer, and improves security. I would recommend a single-bundle security solution as a better way to go for deployment.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
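One way to express the privileged-account password-change use case this reviewer describes as a Sentinel analytics rule query. This is an added example, not the reviewer's own rule. It assumes a Sentinel watchlist named PrivilegedAccounts (hypothetical) with a UserPrincipalName column and an enabled Entra ID AuditLogs connector; the OperationName values are typical of Entra audit logs and should be confirmed against your tenant before the rule is scheduled.

```kql
// Added example: flag privileged accounts whose password was changed or reset
// three or more times within the lookback window.
// Assumptions: a Sentinel watchlist "PrivilegedAccounts" (hypothetical) with a
// "UserPrincipalName" column, and the Entra ID AuditLogs table being ingested.
let lookback = 1d;
let threshold = 3;
let privileged = _GetWatchlist('PrivilegedAccounts')
    | project UserPrincipalName = tolower(tostring(UserPrincipalName));
AuditLogs
| where TimeGenerated > ago(lookback)
// Operation names as they appear in Entra ID audit logs; confirm in your tenant.
| where OperationName in ("Change user password", "Reset user password", "Reset password (by admin)")
| where Result == "success"
// The account whose password changed is the first target resource.
| extend TargetUser = tolower(tostring(TargetResources[0].userPrincipalName))
// Who performed the change: an interactive user or an application.
| extend Actor = coalesce(
      tostring(InitiatedBy.user.userPrincipalName),
      tostring(InitiatedBy.app.displayName))
// Keep only events that touch an account on the privileged watchlist.
| join kind=inner privileged on $left.TargetUser == $right.UserPrincipalName
| summarize ChangeCount = count(),
            FirstChange = min(TimeGenerated),
            LastChange = max(TimeGenerated),
            Actors = make_set(Actor, 10),
            Operations = make_set(OperationName, 10)
  by TargetUser
| where ChangeCount >= threshold
| project TargetUser, ChangeCount, FirstChange, LastChange, Actors, Operations
```

When saving this as a scheduled rule, map TargetUser to the Account entity so the resulting incident carries the affected account, and align the rule's lookup period with the lookback value so a burst of changes is not split across two runs.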
SIEM Engineer at a tech services company with 501-1,000 employees
Enables us to monitor many different environments for cybersecurity incidents, and we use it as our main alerting tool to let us know when this activity happens
Pros and Cons
- "The automation rules and playbooks are the most useful that I've seen. A number of other places segregate the automation and playbook as separate tools, whereas Microsoft is a SIEM and SOAR tool in one."
- "Documentation is the main thing that could be improved. In terms of product usage, the documentation is pretty good, but I'd like a lot more documentation on Kusto Query Language."
What is our primary use case?
We use Microsoft Sentinel to monitor many different environments for cybersecurity incidents, and we use it as our main alerting tool to let us know when this activity happens. It also interfaces with all of our other Defender products, such as Defender for Office 365, Defender for Endpoint, et cetera.
Almost all of our solutions are based in Azure. We use Defender for Endpoint, Defender for Office 365, Defender for Cloud, Sentinel, and Azure Active Directory Identity Protection.
I use the latest version of Sentinel.
Sentinel is mostly used within our security operations center and our security team. We have about 50 endpoint users.
How has it helped my organization?
The backbone of our organization is built on Microsoft Sentinel, its abilities, and the abilities of our Defender stack. Ideally, we'd have more data, but a lot of data and functionality are in one place. The Lighthouse feature is outside Sentinel, but it allows us to have multiple environments integrated into one and to access lots of different Sentinel environments through that. It's very easy to manage a security workload with Sentinel.
I would like to see better integration with CI/CD. It should be easier to use GitHub, Jenkins, or whatever our code management stack looks like. Whether or not you use Azure DevOps, being able to manage the code you have is fairly important.
Since using Sentinel, we've experienced a faster response time and easier development features. There aren't as many hurdles to moving a configuration.
I'm not sure how long it took to realize the benefits because it was deployed before my time here. It took me about three months to get familiar with what Sentinel has to offer and how we could leverage it, so it will be about three months before you start getting proper value from it.
There are still elements of Sentinel that I haven't used to their fullest potential, like the Jupyter Notebooks and internet hunting queries.
The solution is good at automating routine tasks and alleviating the burden for analysts.
Automation has moderately affected our security operations, although there is scope for it to significantly affect SecOps. There is definitely the capability for Sentinel to do pretty much all of your first-line response, which would be a significant improvement. It's a moderate effect because we only use automation in a few areas.
There are a few different dashboards for each of the Microsoft tools. We have a dashboard for Defender, one for Sentinel, and one for Active Directory Identity Protection. It consolidated alerts in some aspects, but a lot of information is still scattered.
It's fairly good for being reactive and responding to threats and looking for indicators of compromise. Overall, it helped us prepare for potential threats before they hit.
Sentinel saves us time. The automation feature especially saves us time because we can automate a lot of menial tasks. If other businesses could do that, it would eliminate a lot of their first-line response.
Sentinel saves us about 20 hours per week, which is the equivalent of a part-time staff member.
It saved us money. It's a very cost-efficient SIEM to use and still provides a good level of coverage despite that.
Sentinel saved us about 50% of the cost of Splunk. It decreased our time to detect and respond by about 10-15%.
What is most valuable?
The automation rules and playbooks are the most useful that I've seen. A number of other places segregate the automation and playbook as separate tools, whereas Microsoft is a SIEM and SOAR tool in one.
It provides us with very high visibility. It allows us to see a lot holistically across our environment in Azure. It integrates very well with other products like Defender.
It helps us prioritize threats across our enterprise. There are many things we can do to deal with prioritizing threats, such as having automation rules that automatically raise the priority of certain incidents. We're also able to make changes to the rule sets themselves and say, "I believe this to be a higher priority than is listed in the tool."
Prioritization is probably the most important thing to us because as an organization, we have a number of threats coming in at any moment, and each of them has its own valid investigation path. We need to know which ones are business critical and which ones need to be investigated and either ruled out or remediated as soon as possible. Prioritizing what to work on first is the biggest thing for us.
If you have the right licenses and access to all the products, it's fairly easy to integrate these products into Sentinel. Sometimes they don't pull as much information as possible, and I've noticed that there is a cross-functional issue where these tools will flag and alert themselves.
We can have it configured to create an alert in Microsoft Sentinel, but sometimes it doesn't create a bridge between them. When we finish our investigation and close the ticket on Sentinel, it sometimes doesn't go back to the tool and update that. That's the only issue that I have found with the integration. Everything else is straightforward and works well.
The solutions work natively together to deliver coordinated detection responses across our environment. It's probably one of the better-engineered suites. In other places, I've experienced an endpoint detection and response system that's completely different: proprietary coupled with a proprietary and different SIEM tool or maybe a different sort of tool. They are individual tools, and it can sometimes feel like they're engineered differently, but at the same time, they integrate better than anything else on the market as a suite of tools.
These solutions provide pretty comprehensive threat protection. A lot of them are technology agnostic, so you can have endpoints on Linux and Mac OS. It's pretty comprehensive. There's always a little oversight in any security program where you have to balance the cost of monitoring everything with the risk of having some stuff unmonitored, but that's probably an issue outside of this tool.
It enables us to ingest data from our entire ecosystem. It's difficult to ingest non-native data. It's not as easy as in Splunk because Splunk is probably the leading SIEM tool. If you have a native tool that's out of the Microsoft security stack, you can bring it into Sentinel and have an alert on it.
This ingestion of data is vital for our security operations. It's the driver behind everything we do. We can do threat hunting, but if we don't have logs or data to run queries, then we're pretty much blind. I've worked in places where compliance and regulatory adherence are paramount, and having logs, log retention, and evidence of these capabilities is extremely important. One of the more vital things that our organization needs to operate well is good data.
A lot of the alerts come in from other tools, so sometimes we have to actually use that tool to get the proper information. For example, if we get an alert through Defender for Office 365, to actually see an offending email or attachment or something like that, we have to go into the Defender console and dig that out, which is inconvenient. As an aggregator, it's not bad compared to the other solutions on the market. In an ideal scenario, having more information pulled through in the alerts would be an improvement.
A lot of Sentinel's data is pretty comprehensive. The overarching theme with Sentinel is that it's trying to be a lot of things in one. For a UEBA tool, people will usually have separate tools in their SIEM to do this, or they'll have to build their own complete framework from scratch. Already having it in Sentinel is pretty good, but I think it's just a maturity thing. Over the next few years, as these features get more fleshed out, they will get better and more usable. At the moment, it's a bit difficult to justify dropping a Microsoft-trained UEBA algorithm in an environment where it doesn't have too much information. It's good for information purposes and alerting, but we can't do a lot of automation or remediation on it straight away.
What needs improvement?
Although the integrations are good, it can sometimes be information overload. A number of the technologies run proprietary Microsoft algorithms, like machine learning algorithms and detection algorithms, as well as having out-of-the-box SIEM content developed by Microsoft. As an engineer that focuses on threat detection, it can sometimes be hard to see where all of the detections are coming from.
Documentation is the main thing that could be improved. In terms of product usage, the documentation is pretty good, but I'd like a lot more documentation on Kusto Query Language. They could replicate what Splunk has in terms of their query language documentation. Every operator and sub-operator has its own page. It really explains a lot about how to use the operators, what they're good for, and what they're not good for in terms of optimizing CPU usage.
In Splunk, I would like to see some more advanced visualization. There are only some basic ones in Sentinel.
For how long have I used the solution?
I've been using Microsoft Sentinel for about one year, but more heavily over the past five months.
What do I think about the stability of the solution?
It's pretty stable. We don't have any performance or capacity issues with it.
What do I think about the scalability of the solution?
It's scalable when using solutions like Lighthouse.
How are customer service and support?
I haven't needed to use technical support yet, but the documentation in the community is very good.
Which solution did I use previously and why did I switch?
I previously used Splunk. The move to Sentinel was definitely cost-based. A lot of people are moving away from Splunk to a more cost-effective SIEM like Sentinel. We also chose Sentinel because of the ease of maintenance. Splunk's enterprise security has some good queries out of the box, but if I were a small organization, I would use Sentinel because it has more out-of-the-box features.
How was the initial setup?
The log collection facilities must be maintained. Maintaining the solution requires a team of fewer than five people. It mainly involves ensuring that the rules are up to date, the connectors and log collection mechanisms are working correctly, and that they're up to date. It also involves ensuring that the right rules are deployed and the automation rules are in place.
What was our ROI?
Our ROI is 50% over and above what we spend on it in terms of what we can get back from Microsoft Sentinel, everything we use it for, and the time we save.
What's my experience with pricing, setup cost, and licensing?
Some of the licensing models can be a little bit difficult to understand and confusing at times, but overall it's a reasonable licensing model compared to some other SIEMs that charge you a lot per data.
There are additional fees for things like data usage and CPU cycles. When you're developing queries or working on queries, make sure that they're optimized so you don't use as much CPU when they run.
Which other solutions did I evaluate?
We spoke with Google about Chronicle Backstory. It looks pretty powerful, but it wasn't mature enough for what we were looking for at that time.
The only other real standalone solution I've had a good experience with is Splunk and Splunk Phantom. In terms of cost, it's astronomically different. Microsoft Sentinel can sometimes be expensive depending on how many logs you're taking, but it will never be in the same realm as Splunk. Sentinel is easy to use, but Splunk is so expensive because it's very easy to use.
Microsoft Sentinel is a better SOAR solution than Phantom. Phantom has good integrations, but it isn't really built for custom scripting. If you're going to be paying more, you would expect that to be better. Sentinel is better in that aspect. Sentinel's cost-effectiveness blows a lot of other solutions out of the water, especially if you're already in Azure and you can leverage some relationships to bring that cost down.
What other advice do I have?
I would rate this solution eight out of ten. It's heading in the right direction, but it's already pretty good and mature.
If a security colleague said it's better to go with the best-of-breed strategy rather than a single-vendor security suite, I would understand that completely. Some people see tying yourself into a single vendor as a vulnerability. It's not quite spread out, but I think you can manage a single-vendor security solution if you have a good relationship with the vendor and you really leverage your connections within that business.
It's good to diversify your products and make sure that you have a suite of products available from different companies and that you use the best that's available. In terms of this technology stack, it's pretty good for what it does.
My advice is to really focus on what's possible and what you could do with the SIEM. There are a lot of features that don't get used and maximized for their purpose from day one. It takes a couple of months to properly deploy the solution to full maturity.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Cost Engineer at a tech vendor with 10,001+ employees
Signal correlation and dashboards are fantastic but can have more automation
Pros and Cons
- "The signal correlation and dashboards features of Microsoft Sentinel are fantastic because it correlates the signal logs with other products. The customizable dashboards are also valuable."
- "Microsoft Sentinel can be improved in terms of automation or connecting with security products so that it is easier to use for general IT admins."
What is our primary use case?
We are developing our security signals for Microsoft Sentinel, so we are making a connector for Microsoft Sentinel. We try to use several features.
When using mobile devices, if there is an attacker or malware, the signal goes to the Microsoft Sentinel console from there. Our IT admin looks at those incidents.
This is important for our organization because we use our mobile devices for work. Mobile devices are not safe enough.
What is most valuable?
I focus on mobile devices while using Microsoft Sentinel. Mainly we want to expand our Identity performers.
The signal correlation and dashboards features of Microsoft Sentinel are fantastic because it correlates the signal logs with other products. The customizable dashboards are also valuable.
Microsoft Sentinel's ability to correlate data from multiple sources and its detection capabilities are essential.
What needs improvement?
Microsoft Sentinel can be improved in terms of automation or connecting with security products so that it is easier to use for general IT admins.
For how long have I used the solution?
I started using Microsoft Sentinel last June, so it has been about a year.
Which solution did I use previously and why did I switch?
I was not using any other solutions for this specific task before Microsoft Sentinel. We ultimately chose Microsoft Sentinel because we have partnerships.
What was our ROI?
We have not yet seen a return on investment with Microsoft Sentinel. We expect to see a return on investment this year.
What other advice do I have?
We try to use the security incidents feature in Microsoft Sentinel, but I have not seen the actual incident yet. I could not find good use cases. My experience with the collaboration capabilities of Microsoft Sentinel is limited, as I am still getting used to it.
I would rate Microsoft Sentinel a seven out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: May 1, 2025