Microsoft Sentinel Reviews

Sentinel is used to cover cloud-native customers for security monitoring. It includes UEBA, threat intelligence, behavioral analytics, etcetera. We also use it to automate incidents into tickets.

The solution improved our organization in a few ways. The key one is the cloud layer of integrations. When we were on-premises with SAP monitoring we faced a few issues in the integration of cloud infrastructure logs. Once we moved into the Sentinel Cloud the integration was pretty easy. Monitoring the cloud infrastructure and their respective applications and their cloud cloud-native products became pretty easy in terms of integration with monitored areas.

Also, the cost of infrastructure is no longer an issue.

The detection layer has also been improved with analytics. Plus, it keeps on getting better in Sentinel. Since 2020, I've seen Sentinel has made a lot more changes in feature improvements and performance. They’re fine-tuning detection and analysis layers.

The analytics rules are excellent. It's pretty easy to create them. It’s all about SQL queries that we need to deploy at the back end.

The search of the logs is easy. Before, there were no archival logs. Now, in recent versions, it’s easy to bring back the logs from the archives. We can research and query the archive of logs very easily.

The visibility is great. It gives good alerts. The way an analyst can go and drill down into more details is simple, The ability to threat hunt has been useful.

Sentinel helps us prioritize threats across the enterprise. With it, we have a single pane for monitoring security logs. As an MSP, they just ingest all the logs into the system, and this actually leads to a hierarchy for our integrations. It’s easy to review the logs for auditing purposes.

We use more than one Microsoft security product. Other team members use Intune, Microsoft CASB, and Microsoft Defender as well. It’s easy to integrate everything. You just need to enable the connector in the back end. It takes one minute. These solutions work natively together to deliver coordinated detection responses across our environment. We just integrated the Microsoft Defender logs into Sentinel. It already has the prebuilt use cases in Sentinel, including threat-hunting playbooks, and automation playbooks. It's pretty easy and ready to use out of the box.

Sentinel enables us to ingest data from our entire ecosystem. That's really the high point for us. The coverage needs to be expanded. The threat landscape is getting wider and wider and so we need to monitor each and every ecosystem in our customer organization's endpoints, including the endpoints or applications for systems or on the servers or network level. It needs to be integrated on all levels, whether it’s on-premises or cloud. It is really important to have a single point of security monitoring, to have everything coordinated.

Sentinel enables us to investigate threats and respond holistically from one place. For that analyst team, the Sentinel page is like a single point of investigation layer for them. Whenever an incident is created, they can just come in and get deeper into a particular investigation incident. They are able to get more information, figure out the indicators, and make recommendations to customers or internal teams to help them take action.

Given its built-in UEBA and threat intelligence capabilities, the comprehensiveness of Sentinel's security protection is really nice. The UEBA can be integrated with only the AD logs. And, since they need to get integrated with the networks and the VPN layers as well, it’s useful to have comprehensive security. It can be integrated into other Microsoft security products as well.

Sentinel pricing is good. The customer doesn't want to worry about the enterprise infrastructure cost in the system. They worry about the enterprise cost and the management, and operation, CAPEX, et cetera. However, in general, the customer simply needs to worry only about the usage, for example, how much data is getting sent into the system. We can still refine the data ingestion layer as well and decide what needs to be monitored and whatnot. That way, we can pay only for what we are monitoring.

Our Microsoft security solution helps automate routine tasks and help automate the finding of high-value alerts. By leveraging Sentinel's automation playbook, we have automated the integrations and triage as well. This has simplified the initial investigation triage, to the point where we do not need to do any initial investigations. It will directly go on into layer two or it directly goes to the customer status.

Our Microsoft security solution helped eliminate having to look at multiple dashboards and gave us one XDR dashboard. The dashboard is pretty cool. We now have a single pane of glass. A lot of customization needs to be done, however, there are predefined dashboards and a content hub. We still leverage those dashboards to get the single view into multiple days, including the log volumes or types of security monitoring or in the operation monitoring system.

Sentinel saves us time. Even just the deployment, it only takes ten minutes for the could. When you have on-premises tasks that are manual, it can take hours or a day to deploy the entire setup. Integrating the log sources used also takes time. By enabling out-of-the-box tools, we can save a lot of time here and there. Also, once you leverage automation, by simply leveraging logic apps in a local kind of environment, you don’t need to know much coding. You just need knowledge of logic at the back end.

The solution has saved us money. While I’m not sure of the exact commercial price, it’s likely saved about 20% to 30%.

The solution decreased our time to detect and your time to respond. For time to detect, by leveraging analytic rules, we’ve been able to cut down on time. Everything is happening within minutes. We can begin remediation quickly instead of in hours.

The UEBA part needs improvement. They need to bring other log sources to UEBA. 

The reporting could be more structured. There are no reporting modules or anything. It's only the dashboard. Therefore, when a customer requests a report, you need to manually pull the dashboard and send it to the customer for the reporting. However, if there was a report or template there, it would be easier to schedule and send the weekly reports or monthly executive reports.

The log ingestion could be improved on the connector layer.

I've been using the solution since November of 2020. 

The solution is stable. We had some issues with an automation component. There might have been outages on the back end, however, it's mostly fine.

We have about 25 people using the solution in our organization, including analysts. 

You only need to pay for what you are ingesting and monitoring. It scales well. There are no issues with it. 

Support is okay. We don't have many issues on the platform layers. We might reach out to support for integration questions. Largely, the engineering team would handle support cases. 

Neutral

We do use other solutions. We added this solution as we needed to support cloud-native customers. 

We also use LogRhythm among other solutions.

Each solution has its own pros and cons. There isn't a direct contrast to each. Some have better reporting. However, Sentinel has very good analytical rules and automation. LogRhythm, however, requires more backend work. 

The deployment of the Microsoft bundle is pretty easy. It's fast and saves time. In ten minutes, we can deploy Sentinel to the customer and start monitoring data with the existing rules. You'll have dashboards in thirty minutes. One person can do the deployment. To manage the solution, one can manage the injections, and one can manage the detection layers.

The solution does not require any maintenance. You just have to make sure it's up to date.

We're using it in the automotive and energy industries. 

When we calculated the pricing, we thought it was 10% to 20% less, however, it depends on how much data is being collected. It's not overly expensive. It's fairly priced. 

Security vendors are chosen based on use cases. Those gaps are met by the respective solution. The benefit of a single vendor is that everything is on a single-layer stack. It helps you see everything in one single pane. 

I'd rate the solution eight out of ten. 

We are a Microsoft partner, an MSP. 

We utilize Microsoft Sentinel primarily to monitor our data storage software. Through the implementation of distinct connectors, we can accommodate multiple use cases for Sentinel. This solution also enables us to thwart failover attempts and prevent brute-force attacks. Moreover, we leverage the EDR tools to establish groups. For instance, if an unauthorized individual attempts to access a critical server from outside the designated group, we can promptly identify them by analyzing the event ID.

Using the Microsoft Sentinel Investigation tab, we can observe all activities related to access and unauthorized attempts taking place in our environment.

Sentinel assists us in prioritizing threats across our entire enterprise. When we receive high-priority alerts, we engage with the client to investigate whether they are conducting any testing first. If not, we identify the unknown activity and collaborate with them to resolve the issue as quickly as possible.

We also utilize Office 365. We have seamlessly integrated Office 365 with Sentinel, which is made easy through the provided connectors, especially when our API keys are associated with a cloud machine. All that is needed are the workspace ID, subscription ID, and API key.

The effectiveness of the protection offered by the integrated solutions is substantial. We are capable of preventing spam, tracking the complete trajectory of data transmitted by the end user, including its source, especially when originating from unauthorized URLs. Additionally, we can identify instances of unauthorized mail redirection. Furthermore, we can utilize SPF authentication to safeguard our domain against spoofing.

Microsoft Sentinel allows us to gather data from our entire ecosystem. We also have the capability to exclude non-suspicious or non-malicious data, such as daily reminders, from the daily logs in order to prevent system slowdown.

Sentinel allows us to investigate threats and respond promptly from a central location. We can gather all the necessary information for an investigation with a single click, which will provide us with a comprehensive overview of the actions taken by the suspicious user by reviewing the Event ID.

The built-in SOAR, UEBA, and threat intelligence capabilities of Sentinel are commendable. The UEBA can furnish a summary of all entities and discern unfamiliar ones that are not commonly associated with our system, subsequently tagging them for our review.

It aids in the automation of routine tasks and the identification of high-value alerts. For instance, if we need to compile a list of our administrative or high-profile users, we can establish rules based on high and medium security criteria, or any other specifications we might have. The entries will then correspond to the information aligned with our requirements. Furthermore, we have generated a watchlist of blacklisted users, which assists us in conveniently tracking activities originating from them. 

It provides the ability to create personalized dashboards that offer all the necessary information in a single location. It is important to mention that this feature comes with an extra cost, as is the case with all aspects of Sentinel.

Sentinel's threat intelligence helps prepare us for potential threats before they hit. By utilizing the event summary, we can proactively prepare for unauthorized entries and directly block IPs at the firewall level.

As a partner of Microsoft, they pay us for any POCs we create.

Sentinel has contributed to a reduction in our time for detecting and responding to incidents. As Sentinel operates in the cloud, it offers user-friendly accessibility, enabling us to swiftly access crucial information for responding to potential threats.

The automation rules that enable us to create playbooks for each individual are valuable.

The Identity Behavior tab furnishes us with the entire history linked to each IP or domain that has either accessed or attempted to access our system. By utilizing the data supplied by Sentinel, we can ascertain whether there are any attempts to breach our system. Numerous pre-defined queries are at our disposal, and we also have the option to craft custom queries as needed.

We are invoiced according to the amount of data generated within each log. For example, if I neglect to specify the time period in a search, Sentinel will retrieve all the logs, leading to charges for both pertinent and irrelevant data. This could potentially cause a substantial increase in costs. We incur lower charges for data under 100 GB, but anything surpassing that threshold becomes more expensive.

When setting up EDR for multiple endpoints, we need to create distinct rules for each one to monitor the devices effectively. 

I am currently using Microsoft Sentinel.

Microsoft Sentinel is stable. It is extremely rare that the solution is down.

Microsoft Sentinel is highly scalable. We can create any random custom playbooks. We can create any custom rules over there As per our requirements. We can enable and disable policies also as per our requirements. We can combine both policies accordingly.

The technical support is good.

Positive

Compared to IBM Security QRadar and Securonix, Microsoft Sentinel is more user-friendly. QRadar is quicker to respond but it has stability issues.

We are charged based on the amount of data used, which can become expensive.

I rate Microsoft Sentinel nine out of ten.

Maintenance is overseen by Microsoft. They announce periods of system downtime for maintenance. If we have anything critical that we require while the system is down, we can request it from Microsoft, and they promptly provide it to us.

Microsoft Sentinel offers us query update suggestions every three months. If we find a suggestion we like, we can simply click on it to automatically update our policy.

I believe it is better to choose a single-vendor security suite over a best-of-breed strategy.

When Exchange email is outside the domain, we have found sometimes that there are phishing emails. With the help of Microsoft Defender only, without Sentinel, we would not be able to track them. A couple of times data was compromised. With Sentinel, what we have done is integrate Microsoft Endpoint for Defender, M365 Defender, and our Exchange Online for all the email communications in and out.

With the investigation and threat-hunting services in Sentinel, we have been able to track and map our complete traffic: Where it started from, where it was intercepted, and where the files were downloaded and exchanged. We have been able to see how a phishing email was entering our domain. Accordingly, we understood that we needed to develop or modify some rules in Exchange and now, we do not have any phishing emails.

Sentinel enables us to investigate threats and respond holistically from one place to all of the attack techniques, such as MITRE ATT&CK, manual, DDoS, and brute force attacks. They are quickly identified by Sentinel. That is of high importance because we don't use any other product with Microsoft. Our SOC team continuously analyzes and monitors Sentinel, the activities and events that are happening. That team needs to be equipped with all of the real-time data we are getting from our ecosystem.

We have also integrated our SIEM with multiple firewalls and proxies. The traffic in and out, coming from the firewalls and proxies, is intercepted by Sentinel. We are now getting granular visibility into our traffic. We can see the hits we are getting from various regions, such as the hits that recently came from Russia. We have multiple such attacks on our firewall front end and we have been able to develop more granular rules on our firewalls.

And for DLP we have the help of protection from Microsoft Information Protection labels that we have defined for our data. Whenever this labeled data is shared, the data is limited to the recipients who were specified in the email. Similarly, our OneDrive data has been secured with the MIP Labels. All of this tracking is happening on Sentinel, which is giving us a broader view of where our data is traveling within and outside our organization as well.

People tend to go with Microsoft because it provides you with 360-degree protection, protecting your files, network, infra, and cloud environment. Each of its products is linked and interacts with the others. Microsoft Defender for Cloud will interact with Microsoft Defender for Cloud Apps, for example. And both of them can interact with Sentinel. Sentinel is the central SIEM in Microsoft and has the ability to take all the instructions from all of these Microsoft products and it gives you a central dashboard view in Azure. That helps manage infrastructure and identify threats. It's a single pane of glass. That's why Microsoft is gaining compared to other products.

Eliminating our multiple dashboards was a little tough in the beginning, but the Microsoft support team's expertise helped us create our own dashboard. Previously, when we started integrating all the products, it was very hard for us to give a broader review to management. It was only something the technical guys could do because they know what all those events mean. But when it came to a dashboard and presenting the data to the stakeholders, it was very tough. With the help of Microsoft's expert engineers, we were able to create dashboards into Sentinel, as well as with the help of Azure dashboards and Microsoft Power BI, and we were able to present the data.

We got Sentinel to send the data to Microsoft Power BI and that helped us create some very useful and easy dashboards so that our stakeholders and senior-level management, who are non-technical guys, could understand much better how we are utilizing this product. They can see how much we are making use of it to investigate, hunt, and track the incidents and events, and the unnecessary accessing of applications in the environment. As a result, we started to put granular controls in place and restrict unnecessary websites.

The watchlist is one of the features that we have found to be very helpful. We had some manual data in our Excels that we used to upload to Sentinel. It gives us more insightful information out of that Excel information, including user identities, IP addresses, hostnames, and more. We relate that data with the existing data in Sentinel and we understand more.

Another important feature is the user behavior analytics, UEBA. We can see how our users are behaving and if there is malicious behavior such as an atypical travel alert or a user is somewhere where he is not regularly found. Or, for example, if a user does not generally log in at night but we suddenly find him active at night, the user behavior analytics feature is very useful. It contains information from Azure Identity as well as Office 365.

With the E5 license, we have Microsoft Defender for Cloud Apps, Microsoft Information Protection, Defender for Cloud, and Defender for Office 365. All of these products are integrated with Sentinel because it has those connectors. With both Microsoft and non-Microsoft products it can be integrated easily. We also have ASA on-premises firewalls and we have created a connector and have been sending those syslogs to Sentinel to analyze the traffic. That is the reason we are able to reverse-investigate and hunt threats going on in our network, end to end.

Sentinel enables us to ingest data from our entire ecosystem. In addition to integrating our Cisco ASA Firewall logs, we get our Palo Alto proxy logs and some on-premises data coming from our hardware devices. We also get our Azure Firewall logs, and the logs from the Microsoft 360 bunch of products, like MIP and Defender for Cloud, Defender for Cloud Apps, et cetera.

When I think about the kinds of attack techniques that you are not able to understand at eye level, the AI/ML logic being used by Sentinel helps an administrator understand them in layman's language. It tells you that something has been identified as a malicious event or activity being performed by a user. All of those details are mentioned in an understandable manner. That is very important and is one way Sentinel is playing a wider role in our environment.

We use Microsoft Defender for Cloud and from that we get our regulatory compliance, recommendations, CSPM recommendations, cost recommendations, cost-optimizing strategies, and techniques for things like purchasing reserve instances. It helps us reduce the number of unused VMs or turn off VMs if they're not in production, as well as DevOp VMs in the early hours. We also use it for applying multi-factor authentications for users and reducing the number of owner or administrator roles that are assigned to subscriptions.

And the bi-directional sync capabilities of Defender for Cloud with other Microsoft products is near real-time, taking a couple of seconds. Within a minute, the information is updated, always, for all of the products that are integrated. Some products have a latency of around 4 to 12 hours of latency to update.

The following would be a challenge for any product in the market, but we have some in-house apps in our environment. We were thinking of getting the activities of those apps into Sentinel so that it could apply user behavior analytics to them. But our apps were built with different parameters and the APIs for them are not present in Sentinel. We are working with Microsoft to build those custom APIs that we require. That is currently in progress. 

We are happy with the product, but when it comes to integrating more things, it is a never-ending task. Wherever we have a new application, we wish that Sentinel could also monitor and investigate it. But that's not possible for everything.

I have used Microsoft Sentinel for around two years now.

It is scalable, with the help of the log retention facility in Sentinel in the Log Analytics workspace. We can limit the data that is being retained in it and that limits the cost.

We have it deployed across multiple sites.

In the beginning, it was not so good, but when we switched from standard support to premium support, the support improved.

I have been using QRadar and Splunk, but they both only gave me a centralized SIEM solution, a SOAR, and a VAPT solution. But I wanted to reduce the efforts required when jumping into different portals at different points in time. The way things stood, I had to hire different engineers to maintain those different portals and products. With the help of Sentinel, I could integrate all of my applications with Sentinel, as the APIs were ready and the support for them from Microsoft was good. That's why we thought of moving to Sentinel.

It was pretty hard to convince the stakeholders to invest so much in protecting the ecosystem through investigating and hunting, which is mainly what Sentinel is for. The integration part comes later. But convincing the stakeholders about the cost we would be incurring was a big challenge.

Slowly but surely, we started integrating many of our products into Sentinel and it started showing us things on the dashboard. And with the help of the Logic Apps, we were able to do multiple other things, like automatically creating tickets out of the incidents that are detected by Sentinel, and assigning them to the SOC team. It reduced the SOC team's workload because they used to manually investigate activities and events. Sentinel killed those manual tasks and started giving "ready-made" incidents to work on and mitigate. It has helped my SOC team because that team was facing a lot of issues with workload.

Then we also got visibility into different products, like Microsoft Defender, and Defender for Cloud Apps, whereas we used to have to jump into different portals to see and analyze the logs. Now, we don't have to go to any other product. All the integration is happening with Sentinel, and with the help of the AI/ML in Sentinel, investigating and threat-hunting have become easier.

It took around six months for us to realize these benefits because we were slowly integrating things, one by one, into it. We were a little late in identifying the awesome capabilities it has.

Most of our products are integrated but a few of our products are facing challenges getting connected. We are dealing with it with Microsoft and they are creating a few connectors for us.

We had to pay extra compared to what we would pay for other products in the market. But you have to lose something to gain something. Sentinel reduced the efforts we are putting into monitoring different products on different portals, and reduced the different kinds of expertise we needed for that process. Now, there are two to three people handling Sentinel.

The pricing was a big concern and it was very hard to explain to our stakeholders why they should bear the licensing cost and the Log Analytics cost. And the maintenance and use costs were on the higher side compared to other products. But the features and capabilities were going to ease things for my operations and SOC teams. Finally, the stakeholders had clarity.

Microsoft is costlier. Some organizations may not be able to afford the cost of Sentinel orchestration and the Log Analytics workspace. The transaction hosting cost is also a little bit on the high side, compared to AWS and GCP. But because it gives a 360-degree combination of security products that are linked with each other, Microsoft is getting more market share compared to Splunk, vScaler, or CrowdStrike.

But if I want to protect my files, to see where my files have been sent, or if the file I'm receiving is free of malware, or even if one of my users has tried to open it, Windows Defender would track it first. The ATP (Advanced Threat Protection) scans my emails and the attachments first. It determines if the attachment is safe and, if it is not safe, it will block it. I don't have to create any granular or manual settings. That connectivity across different products has a brighter future. That's the reason, even though we have a small budget, that we are shifting to Microsoft.

There are competitive applications in the market, like vScaler, Splunk, QRadar, and CrowdStrike. These are also good in terms of their features and capabilities. But these products only work as a SIEM or VAPT solution. They won't scan everything that we need to protect.

But if you are only considering SOAR, I prefer CrowdStrike because of cost and the features it provides. The AI/ML is also more developed compared to Sentinel.

But why Sentinel? Because it not only covers Microsoft products, but it also has API connectors to connect with any non-Microsoft products. It has inbound APIs for connectivity to QRadar, vScaler, or Splunk, so we can bring their data into Sentinel to be analyzed. Splunk is doing its job anyway, but Sentinel can filter the information and use it to investigate things. 

Those have great visibility and great potential over Sentinel. But for products that are out of the ecosystem, those competitive solutions might face issues in connecting or integrating with them.

We have created a logic app that creates tickets in our service desk. Whenever a ticket is raised, it is automatically assigned to one of the members of our SOC team. They investigate, or reverse-investigate, and track the incident.

Every solution requires continuous maintenance. We cannot rely on AI/ML for everything. Whenever there is a custom requirement or we want to do something differently, we do sit with the team to create the required analytic rules, et cetera. It doesn't involve more than three to four people.

In terms of the comprehensiveness of Sentinel when it comes to security, it plays a wide role in analysis, including geographical analysis, of our multiple sites. It is our centralized eye where we can have a complete analysis and view of our ecosystem.

Go with a single vendor security suite if you have the choice between that and a best-of-breed strategy. It is better to have a single vendor for security in such a complex environment of multiple vendors, a vendor who would understand all the requirements and give you a central contact. And the SLA for response should be on the low side in that situation, as Microsoft, with its premium support, gives an SLA of an immediate callback, within two to three minutes of creating a ticket.

My customers mainly want to correlate logs so that they have a single point for their log information. In addition to correlating logs, they want to automate tasks.

Microsoft Sentinel is just a "watch tower" to get all the logs and manage threats. After that, you have the Microsoft Defender products that help to reduce threats. For example, Microsoft Defender for Endpoint is an anti-virus and EDR that helps to eliminate threats on devices such as laptops and smartphones. Microsoft Defender for Office 365 enables protection for Teams, Mail, or SharePoint, and Microsoft Defender for Identity helps to reduce risk on Active Directory or Azure AD. So Microsoft Defender products are the tools for reducing threats, and Microsoft Sentinel is the tool for analyzing incidents and threats.

Each time I deploy Sentinel, it helps the client get information about the overall security of their IT system. It brings together all the logs in a single place, so it's easy to track attacks and get information about breaches.

It also eliminates having to look at multiple dashboards. If you centralize the logs, you don't need to go to the firewall to get alerts or to the antivirus console or to a network device. You get everything in a single place, which means you have incidents in a single place, and then you can have a dashboard. You can check the built-in dashboard, or you can create one on your own, and these dashboards can be refreshed automatically or you can refresh them whenever you want.

The solution is well integrated with the Microsoft environment, so if a customer has a lot of Microsoft services, such as M365 or Azure, the solution fits well in their environment. Because I deploy solutions in general, I also use Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Office 365. It's really straightforward to integrate these products. You have just to check a box and all the logs from these products go to Sentinel. And if the customer has a Microsoft 365 E5 license, the Defender logs are free.

It also helps to prioritize threats across an enterprise. When you receive an alert of an incident, you can categorize it as a low, medium, or high priority. That's really important because sometimes low-priority incidents are just false positives. We need to categorize incidents to get to the high-risk incidents.

Sentinel also enables you to ingest data from your entire ecosystem and not just from the Microsoft ecosystem. It can receive data from third-party vendors' products such as firewalls, network devices, and antivirus solutions. It's not only a Microsoft solution, it's for everything. There are native connectors to get information from third-party vendors, but if you don't have a connector for something, you can get information from protocols such as syslog.

It's really important that Sentinel allows you to investigate threats and respond holistically from one place. It's important to know where an attacker went. For example, an attacker could go through a firewall and then to a specific application, and you need to know where the attacker started first.

When you enable this feature, Sentinel automatically gets information about the users and devices, and you can then search for specific entities. For example, if you know that a specific user is at risk, you can enter the username and get all the information about the user: on which device he's connected, to which servers he's connected, and what he did on these devices, among other things. This ability is important to a breach.

With Sentinel, you have some built-in rules to automate tasks. You can also create your own automation based on Logic Apps in Azure. You can do what you want with scripting with PowerShell or Python. The first time you have a given incident, you do some troubleshooting and when you write up this incident you can create a knowledge base. Once this knowledge base is done, you can try to automate the troubleshooting. If you do it via automation, you can close this incident because the incident will be managed automatically with Sentinel. And that helps you to save time.

Sentinel should be improved with more connectors. At the moment, it only covers a few vendors. If I remember correctly, only 100 products are supported natively in Sentinel, although you can connect them with syslog. But Microsoft should increase the number of native connectors to get logs into Sentinel. Each time we have a connector, it eases the configuration of Sentinel, and we don't need custom deployments to get the information from a specific vendor. 

The second thing they should do is create more built-in rules for the dashboard, automation, and hunting. The first time you use Sentinel, it's not easy to use the product because, beyond the dashboards, you need to know the Kusto Query Language (KQL) to create the right requests.

I have been using Microsoft Sentinel for two years. I implemented the solution for a customer a couple of months ago.

There is no problem with the stability of Sentinel. It's really stable. I have never experienced an issue with accessing the product.

It's a SaaS solution, so you don't need to scale it. It scales by itself. 

If you need a multi-tenant implementation, for example, if you have a SOC and you have several customers, you can get your own Sentinel, and you can ask the customers to deploy Sentinel in their environments. You can then gather logs from several Sentinels in a single point.

I haven't contacted Microsoft for support of Sentinel, but each time I contacted them for other products, it was a bad experience. The technical support of Microsoft is a negative point because, most of the time, they don't have the answer.

I used QRadar and a Symantec solution, but that was 10 years ago.

The first deployment was not complex. The first step, when you want to connect a solution to Sentinel, is pretty straightforward. When you want to use the built-in dashboard, it's also straightforward. But once you want to do some customization, like a custom dashboard, custom automation, or custom hunting rule, it can be complex because you have to know several languages, how Log Analytics works, and how Logic Apps works for automation.

Most of the time, I deploy a single Sentinel in a single location because it is a worldwide SaaS solution. And most of the time I deploy Sentinel to be used on-premises and in Azure, and I deploy Azure Sentinel for a SOC team. I have never deployed a multi-tenant Azure Sentinel setup, although it's possible to do.

In the beginning, when a customer uses Sentinel, they cannot use it on their own. They require some assistance. That is why, after deployment, a consultant is usually onsite two days per month to add some connectors and custom rules, and to end some incidents.

Sentinel is a pay-as-you-go solution. To use it, you need a Log Analytics workspace. This is where the logs are stored and the cost of Log Analytics is based on gigabytes. You can get a discount of 10 percent if you get to 100 terabytes of data. On top of that, there is the cost of Sentinel, which is about €2 per gigabyte.

If a customer has an M365 E5 license, the logs that come from Microsoft Defender are free.

The solution is really easy to deploy compared to other solutions such as Splunk.

Taking proactive steps to prevent breaches is a default. It's not like competitors on the market. Sentinel doesn't give you advice about how to set some settings on your device to protect them from a specific breach. But you can use Microsoft Defender for Endpoint for devices and it helps you to know if a device is breachable from a specific attack and how to be protected against it.

The cost and ease of use of Sentinel compared with other standalone SIEM and SOAR solutions depends on whether the customer has the whole stack, meaning an M365 E5 license. If so, they get a really good discount because all the logs from Microsoft Defender are free. But if they don't have an M365 E5 license, those logs are not free and the solution can be expensive.

We haven't evaluated other options recently because our customer wanted Sentinel. But one of the differences I see between Sentinel and competitors' solutions is in the normalization of logs. With Sentinel, normalization is done automatically, whereas with other solutions, you need time to do the normalization manually. By "normalization" I mean lining up the fields. For example, in some logs, the time is in the first field, while in other logs, the description is in the first field. You need to sort the fields, but this task is done automatically by Sentinel.

Before using Sentinel, I recommend reading the documentation and watching the YouTube Ninja Training channel. They go through all options for Sentinel. 

In addition, I recommend knowing KQL—it's a requirement—and how to automate tasks in Azure. Other than these points, Sentinel is easy to enter because if you have a native connector, it's just "next, next, next." But when you want to do customization, it can sometimes be hard to do what you want.

When you look at going with a best-of-breed strategy versus a single vendor's security stack, it depends on the strategy of the customer. Sometimes, the customer prefers to get all its security products from a single vendor because they get discounts when they do that. Other customers prefer to have several vendors for security reasons. From my point of view, there is no correct answer. If I were responsible for the security of a company, I think I would prefer to use an all-Microsoft security stack because it's easier to interconnect the solutions and you get more information as a result.

I'm currently using this solution for monitoring our SOC. I also implement Sentinel for clients.

We use Defender for Cloud, Defender for Endpoint, Defender for Office 365, and Defender for Identity. They were easy to integrate. It's necessary to understand the background of the data source to integrate the devices into Sentinel. If it is cloud-based, we can utilize the GeoLogic app or Azure function to integrate the log sources or use the slot method.

These solutions work natively together to deliver coordinated detection and response across our enterprise. We have different EDR solutions in our environment, and we have integrated them with Sentinel. We directly monitor all of the other security devices from Sentinel.

I haven't seen many issues with integrating different products. We can set a robust error detection mechanism. If there are some issues while integrating the logs, we can do automated alerting and easily troubleshoot any issues.

There are no issues with integrating multiple-location firewalls. We have Sentinel deployed in the US and other geolocations.

There are between 15 to 20 people using this solution in my team.

The solution is deployed on the cloud.

We mainly use this solution for monitoring purposes. We previously used on-premises data sources, but we wanted to integrate lots of log sources that weren't directly supported by other solutions. Sentinel provides the capability to integrate unsupported log sources. We have integrated lots of unsupported security devices with Sentinel as well.

Sentinel helps automate routine tasks and helps automate the finding of high-value alerts. Microsoft provides some very useful out-of-box automation playbooks that we can utilize in our day-to-day operations. This increases the efficiency of security analysts and our response time. We are using those solutions in our environment to do automation, increase productivity, and enhance the efficiency of our security analysts. Sentinel reduces our overall investigation time compared to other solutions.

Sentinel has helped eliminate the need to look at multiple dashboards. We can use the workbook for that. Correlating everything into a single workbook isn't available right now, but it's achievable in the future.

The solution's threat intelligence helps prepare us for potential threats before they hit and helps us take proactive steps. We have integrated one open-source solution for IOC monitoring, and Microsoft even provides the IOC data. To be proactive, we also rely on other solutions like Defender for Endpoint for detecting those threats before they actually happen.

We added IOCs into Sentinel from a monitoring perspective. If we can detect ransomware, we can prioritize that and work on mitigation.

Microsoft Sentinel saves us time. It has provided us with a very rich automation solution. We can see most of the details directly on the Sentinel site. We don't need to log in and check for different things, so it saves a lot of time for associates. It saves us about 30 to 40 minutes on average per incident.

The solution decreases our time to detect and respond. We can increase detection using dashboards. The automation and playbooks help us respond to threats if the user is compromised. We can directly reset the user's password or disable the user from the Sentinel portal by using the playbooks. We're saving about 15 to 20 minutes on our response times.

Sentinel is a Microsoft product, so they provide very robust use cases and analytic groups, which are very beneficial for the security team. I also like the ability to integrate data sources into the software for on-premise and cloud-based solutions. We can very easily integrate the devices with Sentinel. There are multiple ways that we can utilize the product. I also like how the solution processes data.

The solution helps prioritize threats across our enterprise. We can set the severity for the low and medium-priority severity incidents. Sentinel has machine learning and fusion rules, which help us effectively prioritize. Prioritization is very important for us in this security landscape because attacks are getting stronger.

Sentinel provides a lot of out-of-box analytic rules with Sentinel. It's very good at detecting threats compared to the different SIEM solutions in the market now.

Sentinel enables us to easily ingest data from our entire ecosystem. Attacks can happen from any of the devices. Even the IoT is vulnerable now. We can integrate different solutions for it. For instance, there is Microsoft Defender for IoT, which we can integrate into Sentinel. That provides a single pane of glass for security. In any SOC, we need to have multiple solutions. Sentinel is a great solution for managing and monitoring those products.

Sentinel enables us to investigate threats and respond holistically from one place. We can integrate other solutions like ServiceNow with Sentinel, and we can set the bidirectional sync.

Sentinel's security protection is comprehensive. In the area of UEBA, I use the entity behavior settings of Sentinel. It provides some enhancement in security monitoring, but it still needs some improvement regarding user and entity behavior.

There is room for improvement in entity behavior and the integration site. It's a new solution, so it can include different security products in the data connector section. I've also experienced some performance issues with the runbook. It takes a lot of time to load.

In the automation section, there are some limitations.

I have used this solution for two and a half years.

It is pretty stable. I haven't had any issues in the two and a half years that I've worked with Sentinel.

The price goes up whenever we integrate more log sources, but there aren't any issues with scalability. We can increase it very easily.

Technical support is good. They're very quick to respond when we raise a case.

I would rate technical support a nine out of ten.

Positive

Splunk is also the leader in this market. I prefer Sentinel because it's a Microsoft product that provides a lot of free and built-in use cases.

We switched to Sentinel because it's a cloud-native solution. On-premises solutions involve managing IT databases and doing some upgrade activities, but we don't need to manage any of that in Sentinel. We can focus directly on security monitoring and detection and response.

The setup was straightforward. I worked on multiple projects before the deployment of Sentinel.

The amount of time it takes to deploy the solution depends on the client's network area, the firewall, and log sources. We have deployed the solution for user bases of 4,000 to 5,000. Deployment was completed within one month by integrating all the required processes.

We had a team of three people for deployment. I took care of the integration of the log sources, and the other two people took care of the customization.

Sentinel doesn't require much maintenance.

We evaluated Splunk and a few other solutions.

I would rate this solution as nine out of ten. 

My advice is that colleagues who have worked on different solutions, whether on-premises or cloud, should use the Ninja training. Microsoft provides this training directly. It is publicly available and provides a better understanding of how to utilize the solution more effectively.

I think it's ideal to go with different vendors across our environment rather than a single vendor for security purposes.

Sentinel ingests all the logs from various security products across on-premise and virtual servers. It has a lot of flexibility regarding different third parties that are not Microsoft, which I liked. We had some very, probably not as well-known systems from which it would ingest information. So it was nice to see that it was very flexible.

We have a hybrid setup with Sentinel deployed on the Azure cloud. We've got about 20 server endpoints, 400 desktop or laptop endpoints, and 1,520 network endpoints. The company has around 400 employees and a 10-person IT team operating out of one location in Alabama. 

Sentinel provides a single pane of glass for reviewing logs from disparate sources. Everything is on one XDR dashboard. We have a smaller IT team, so it's cumbersome to go to various places to get information and manage it. Having a clearinghouse of information makes it quicker to get to the critical items and resolve any problem.

Sentinel saved us time because we can find the information we need directly. It's hard to quantify that because we still need to look through lots of information. Without Sentinel, it would take about one to three hours each week to compile information from different sources.

It helps us proactively prevent threats. Sentinel is integrated with Defender and CloudApp. It gives us suggestions about best practices in security and recommends actions if it sees something within the network that seems out of line. The investigation part is thorough. We can figure out exactly what's wrong and what we need to check. Afterward, we have to go to a secondary product.

Sentinel's most important feature is the ability to centralize all the logs in one place. There's no need to search multiple systems for information. The automation capabilities are excellent and can be extended. We haven't tried to extend the automation features, but what is built in is great. 

The solution also has native integration with Microsoft Teams. It creates a Teams chat when there's an issue, so one of our analysts can look at it immediately. It can automatically flag something instead of sending an alert to an email that someone may not read until three weeks later.

Sentinel provides decent visibility, but it's sometimes a little cumbersome to get to the information I want because there is so much information. I would also like to see more seamless integration between Sentinel and third-party security products. 

When alerts appear in the Sentinel console, I can research them and see what to do, but I need to leave Sentinel and go to a second product to execute whatever I need to do. I would like to be able to fix everything within the Sentinel console.  

We used Sentinel for about six months.

We haven't had any issues with Sentinel so far. The uptime has been 100 percent. 

Sentinel is capable of handling all that we ingest. I think we've hit 80 to 100 Gigabytes so far, and it continues to scale upward. I'm pleased with it. It's a rolling scale, so it scales up as needed based on the number of logs you ingest. As long as you're willing to pay to house the data, they'll continue to scale upward with you.

We haven't had to contact Microsoft support for Sentinel yet. That worries me. Sometimes Microsoft support can be a little difficult to reach.

Sentinel was our first foray into the SIEM world. That's one reason we went back and reviewed it again this summer. We wanted to be sure we picked a good product. They mostly gave demos, so we probably didn't get the full run of these secondary products, but it at least gave us a feel for what else was out there.

Setting up Sentinel was pretty straightforward. We set everything up through Azure, and they had excellent documentation as far as integrating modules. They had scripts we could run within other environments to ingest the logs. Getting information into the system was fairly smooth. 

We had to spin up a new virtual machine for Linux because it required a Linux virtual machine within our on-premises environment to send log files. That was the biggest step I had to do. Spinning up another virtual machine is no big deal. 

We didn't pay for any implementation help. Our IT team spent a day talking through the plan. We let the server person spin up our VM and our network person got all the network stuff in place. We came back together and made sure the logs were delivered. Overall, it was a roughly two-week process of setting up and reviewing everything to ensure everything is working correctly. After deployment, there's no maintenance. It's in Azure, so Microsoft handles all the updates and server roles. It's seamless from a maintenance standpoint.

Sentinel was deployed by a four-person in-house IT team consisting of a network admin, systems admin, and a junior engineer who floated between all of us, helping out where they could. I supervised the deployment as the director. 

The jury is still out on whether we see a return, but I am pleased with the investment. Sentinel provides us with some new insights. It helps us improve our security posture with proactive measures, like informing us of best practices. 

These features helped us evaluate things within our network and cloud environments that we needed to tweak. That was a pretty helpful bonus. 

Sentinel's price is comparable to pretty much everything out there. None of it is cheap, but we didn't think we could save money by going a different route. Sentinel was part of our Azure expenditures, so it was easier to add the expense instead of having a completely separate vendor.

The licensing is straightforward because it's within Azure. There are lots of features in Azure that they gave us as a package. It's nice to do this without having to carve out special budgetary items. The flexibility was helpful. 

We looked at a couple of different solutions, including Splunk and Arctic Wolf. We primarily chose Sentinel because we had already carved out a budget within Azure for Sentinel. We could keep it within Azure and roll that into our Azure expenses versus carving out a new budget item for these other products. That was the biggest motivation.

Sentinel kept pace with the other major players in the field. We considered whether there was a better product to ingest all data. We didn't find anything new or different. 

I rate Microsoft Sentinel eight out of ten. If you plan to implement Sentinel, I recommend spending time thinking about all the sources of data you want to ingest. It's flexible in terms of how much you can ingest, but you may not want to pay that much. It might be better to only connect your critical systems to it.

If you're hesitant to adopt Sentinel, you should do a demo. The single pane of glass is nice to have. You'd really have to talk me out of that.

Our team uses Microsoft Sentinel to monitor all security incidents. Security analysts working the intake process configure rules that trigger alerts based on specific criteria and route them to the appropriate team based on the event ID. This unified view within Sentinel allows me to investigate each incident, tracing its origin, path, and endpoint. By analyzing the information gathered, I can then determine whether the alert is a true positive or a false positive.

The visibility into threats that Microsoft Sentinel provides is excellent.

Microsoft Sentinel prioritizes threats across our organization, with levels P1, P2, and P3. This helps me determine how to investigate since some alerts, especially P1s, might seem critical at first glance. However, further investigation may reveal non-critical situations, like a P1 triggered by an authorized user's access from an unfamiliar IP or location. Analyzing logs can help identify these scenarios and ensure appropriate responses.

Microsoft Sentinel and Defender seamlessly integrate to provide a unified system for detecting and responding to security threats across our entire environment. This is crucial for meeting compliance standards and informing client communication. By investigating all security events and summarizing key findings in reports, we can not only highlight critical incidents but also demonstrate the steps we're taking to reduce the overall number of high, medium, and low-severity threats for our clients.

I would rate the comprehensiveness of the threat-protection that Microsoft Sentinel provides an eight out of ten.

Once data is ingested, the process begins with reviewing the ticket information. This can then lead us to Sentinel, where we can view logs. The depth of our investigation determines the next step: a login to Defender, which provides the full range of investigation tools to pinpoint the root cause of the incident.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place.

I would rate the comprehensiveness of Microsoft Sentinel eight out of ten.

Microsoft Sentinel helps automate routine tasks and the finding of high-value alerts.

Microsoft Sentinel simplifies security management by offering a single, unified XDR dashboard, eliminating the need to switch between and monitor multiple disconnected security tools.

The threat intelligence gives us a proactive advantage by anticipating potential threats, allowing us to prioritize and swiftly address critical incidents before they cause harm.

Microsoft Sentinel has helped save us time.

The detection is in real-time with Microsoft Sentinel. 

While Microsoft Sentinel provides a log of security events, its true power lies in its integration with Microsoft Defender. Defender extends Sentinel's capabilities by allowing for in-depth investigation. Imagine investigating a phishing email: through Defender within Sentinel, we can view the email itself, block the malicious email address and its domain, and even take down its IP address – all within a unified platform.

I would like Microsoft Sentinel to enhance its SOAR capabilities. 

I have been using Microsoft Sentinel for two years.

I would rate the stability of Microsoft Sentinel ten out of ten.

I would rate the scalability of Microsoft Sentinel ten out of ten.

I evaluated a few other SIEM solutions but I prefer Microsoft Sentinel because it is straightforward and I can also use Defender to investigate.

I would rate Microsoft Sentinel nine out of ten.

While Microsoft Sentinel offers SIEM capabilities for security information and event management, it doesn't fully replace the need for a separate SOAR solution, which specializes in security orchestration, automation, and response.

In addition to Microsoft Sentinel, I've also used IBM Security QRadar, which I believe is a superior solution because it functions as both a SIEM and SOAR, offering a more comprehensive approach to handling complex security processes.

I advise taking the course before using Microsoft Sentinel to have a better understanding of the solution.

I recommend trying Microsoft Sentinel.

We primarily use the solution for security purposes, to record events, and generate alerts, so that our security team can review the items and take proper action.

We work jointly with an MSSP, we have about 14 people working on a 24/7 schedule, around 25 people might use our Sentinel workspace regularly, and more than 40 people benefit directly from the output of this solution.

With Microsoft Sentinel we have detected threats in early stages of an attack through custom detection rules, helping us prevent escalation and further compromise.

Sentinel has provided visibility of administration events, which allows us to audit security processes and discover misconfigurations and errors.

Using Sentinel we have definitely saved time in our detection and response efforts.

Microsoft Sentinel as a SIEM uses KQL (Kusto Query Language) in their detection rules, which is an optimized query language with some really powerful functions. Generally SIEM vendors use different query languages. KQL queries can use complex logic and be executed in a few seconds, which would not be possible or may take up several minutes in other SIEMs, and now some vendors are trying to implement their own version of KQL.

Sentinel provides us with good visibility of threats. The different kinds of logs it ingests are good as long as the log sources are correct. It can integrate some out-of-the-box log sources in a short time, and log data fields are usually very complete. We don't have experience integrating custom log sources, but it should be possible.

Out-of-the-box log sources have the same data structure in all Sentinel workspaces, which allows queries and detection rules to be shared easily between Sentinel customers. We could rapidly adapt to a new threat with public detection rules created by Microsoft or other security professionals.

We work with Microsoft Sentinel and other Microsoft security solutions like Defender. We've integrated all of them together easily from their web portals. As long as you have the right privileges, integrating these solutions might be as simple as a click. Microsoft security solutions work natively together to deliver coordinated detection and response, which is important to us.

Sentinel allows us to ingest data from our entire ecosystem, wether it might be an on-prem or cloud service. It allows us to correlate different data tables, to create complex threat detections, and to investigate holistically across our infrastructure.

I like the automation portion of the product, it helps us automate routine tasks. We have created some automation playbooks in Microsoft Sentinel, however, in our environment these are not specific to security tasks.

Microsoft Sentinel has a lot of out-of-the-box detection rules. Many of these rules have not been tested, they may execute but they have errors or do not work as expected. Due to this I've made more than 80 requests for modifications in Microsoft Sentinel public repository. If you want to ensure that Sentinel detection works, you need to review the logic of the detection rules one by one, and this shouldn't be the case.

Sentinel does not seem to have rules by default that check and notify of execution errors. I have had to create custom rules to detect when a log source or automation rule stops working as expected.

There can be discrepancies between Microsoft tools. Not all information appears in Sentinel. Sometimes there are items provided in Microsoft 365 Defender that you could search for in Sentinel and you would not find them and therefore assume they do not exist.

The solution is powerful but it can be expensive. Other solutions that are on-premises should be cheaper.

I've been using the solution for more than three years.

The solution is largely stable but not completely. I have had issues with some log sources that stop being ingested or are delayed, and also with automation rules not responding to incidents. Sometimes automation rules stop working intermittently, and this issue might happen during a month or two, and then they go back to working as expected without being notified of any issue by Microsoft.

The scalability is excellent, Sentinel has some limits regarding the amount of ingested data and enabled Sentinel resources, but these limits exist for extreme cases, which our workspace and organization are not even close to.

I'd rate it ten out of ten.

I've opened many support tickets. When you open a support ticket, it will typically be resolved within the first interaction. And they've solved all of my support tickets quite quickly. Even if I have made a mistake when opening support tickets, it's always been a positive experience.

Positive

I've used a few different solutions, including ArcSight, LogRhythm, and QRadar. 

I don't have much insight into ArcSight.

LogRhythm did not let me create complex detection rules.

With QRadar, when we are looking at queries, they can be slow. However, IBM is trying to create its own KQL implementation for QRadar in order to make them faster. 

But I don't have the same level of administration experience with these tools than with Sentinel.

We had some cloud engineers who created our instance on Azure. They enabled the connectors for some out-of-the-box log sources, and created other kinds of neccesary resources, specially to connect on-premises resources to Sentinel. We did not have issues that didn't depend directly on us.

At first we enabled all the detection rules we could, without deeply inspecting them, we assumed they would work. We would not take this approach again, detection rules should be reviewed and enabled one by one.

Maintenance is minimal. It's all on the cloud. If something does not work as expected, we open a support ticket. Since the tool is supported by Microsoft, you are paying them to also maintain it, basically.

Our implementation was handled in-house.

I would recommend to check regularly for deviations or unexpected surges of ingested events, which will affect the cost. I do not directly handle the pricing portion of the solution. There is a calculator in Azure that helps you estimate the cost. 

It's ideal to go with a best-in-breed strategy rather than a single vendor. You need to know what is available in the market. Companies should be free to use any security tool that they consider to fit their needs. 

For companies considering Sentinel, they need to ensure a threat detection engineer will be available to manage their detection rules, you shouldn't enable all of them blindly. You may get value from Microsoft Sentinel, however, you need to continuously invest time and ensure everything is set up and working as expected. 

I'd rate the solution nine out of ten.