Microsoft Sentinel Reviews

Sentinel is Microsoft's SIEM solution, similar to QRadar, Splunk, etc. It is the primary tool used by our Security Operations Center.

Sentinel enhances our visibility by integrating with on-prem and cloud log sources. It provides visibility into any cloud environment, including GCP and AWS, not just Azure. With Sentinel, we get end-to-end coverage of all types of infrastructure. Last week, I was talking to a client who already had a SIEM solution, and they had just deployed Sentinel through us. I asked them why they wanted Sentinel when they already have an MSP. They told me their SIEM solution doesn't cover the cloud, so there's clearly a gap. Sentinel covers on-premise and all the cloud providers. It has a highly flexible ingestion method. There are seven or eight ways to ingest.

A lack of total visibility is a significant pain point for security analysts working on a SIEM solution. Furthermore, even if they have visibility, they might not be able to take remedial action because the company lacks a license or a separate SOAR solution. In that case, you need to have integration for each playbook. Sentinel addresses all of these issues out of the box. 

The SOAR component of Sentinel can automate some routine tasks. Sentinel comes with around 180 different playbooks you can execute with one click. If you face a type of incident, you can run a specific playbook or automate it to run each time the incident is triggered. These automation features make our lives easier. Analysts have to do the same tasks over and over again. It's a nightmare that makes you want to give up sometimes. You are dealing with the same incidents many times daily for many MSPs and customers. The playbook is incredibly beneficial.

It also reduces the number of dashboards we need to check, and you can create a custom dashboard. There are also several preset dashboards from Microsoft that are solution-specific. For example, if I'm using Defender for Office, it has a separate dashboard for Office that I can customize. I can also see everything from one console if I want. It's highly flexible.

Sentinel saves time because you don't need to look at multiple SIEM solutions, like IBM, Splunk, AlienVault, McAfee, etc. You need to spend time deploying those solutions, and there's a learning curve, whereas Sentinel is cloud-native. You click "next," "next," and "next," and the whole solution is deployed in the cloud in five minutes. Other parts, like integration, are native. It takes only a click to integrate all the services. Sentinel has its own agent, so it's easy to deploy the agent and start collecting logs. Overall, Sentinel requires less effort than other solutions.

It also saves us money because deployment costs less. Many SIEM solutions charge for the log forwarders deployed in the client's system. Sentinel is free. You have a VM in the cloud or on the client infrastructure, and there is just a script to turn that server into a log forwarder. 

Sentinel speeds up our response, but I don't have any hard numbers. It depends on how well you have configured it. You can go to an incident and then click on each playbook in sequence, or it can be automated to run a playbook when an incident is triggered. You don't need to go into the interface and do anything.

Sentinel proactively responds by detecting IOCs in our environment and automatically triggering an incident. The threat intelligence feed is typically based on IOCs, like malicious IP, UR, hostname, file hash, etc. However, real proactive response requires you to buy threat intel from different providers. Those companies provide you with information before an attack occurs anywhere. For example, there could be dark web forums where attackers discuss an attack on organization XYZ, and the threat intel provider informs us about that. That's an entirely different thing, but Microsoft has built-in rules for any threat intelligence matches. 

I've worked on most of the top SIEM solutions, and Sentinel has an edge in most areas. For example, it has built-in SOAR capabilities, allowing you to run playbooks automatically. Other vendors typically offer SOAR as a separate licensed solution or module, but you get it free with Sentinel. In-depth incident integration is available out of the box. 

Having all these solutions built into a single platform is an advantage. Once any malware is detected, it only takes a single click to run the playbook, and it will do the desired actions. It may be blocking an IP address or isolating a machine. 

The SOAR, UEBA, automated detection and response, and threat intelligence capabilities are comprehensive. I have 10-plus years of experience working with different SIEM solutions. This is the best by far. Everything is integrated, and there is so much flexibility, whether you're trying to customize ingestion or run custom playbooks.

Sentinel performs well when searching a large amount of data, like two months of logs. Sentinel uses underlying big data and KQL, which is highly efficient in query performance. I also like Sentinel's user behavior analytics. UEBA is another solution vendors typically sell as a separate product, but it's included with Sentinel for free. It has integration with other multiple cloud platforms, whereas most vendors lack this capability. 

When comparing visibility, we need to also compare at the company level. Microsoft doesn't only provide a security solution. They have a cloud platform with many services and security products that feed threat intelligence into Sentinel. There are many backend things that Microsoft does in cybersecurity. That is an added advantage that comes with this solution.

The native integration with the vast Microsoft ecosystem is a huge advantage. Another good aspect about Sentinel is that you can integrate all the Microsoft technologies with one click using the backend APIs. It's a seamless process because Sentinel is a Microsoft-native solution. It doesn't take much effort to do the integration.

We also use Defender for Endpoint, Defender for Cloud, and Azure firewall. Most of our customers already use some Microsoft services, so when we integrate their environments, we integrate Defender for Endpoint and Defender for Office 365. We also have Azure Activity, Azure Identity Protection, and many other solutions from Microsoft.

Microsoft products can be integrated with one click. You check a box, and it integrates with that service on the backend. You only need to set the permissions only. Integrating third-party solutions requires the same effort that would be necessary for any other SIEM solution. 

All the solutions work together seamlessly to protect our environment. For example, Defender for Endpoint detects threats on the endpoints, and you see the same alerts within Sentinel. If Defender for Office detects a malicious email, it feeds that incident to Sentinel. The whole ecosystem is integrated there.

Sentinel ingests data from our entire environment. There are seven or eight ways to ingest data. You can install agents through LogStack or do it through APA calls. There are many ways to ingest everything that's required. We have had cases of custom applications running critical services for clients who wanted to ensure they were being monitored. 

The out-of-the-box integration wasn't there, but other methods of ingesting the solution exist. We used one of the custom methods with LogStack, and we could use onboard these applications. Managed services need to have that kind of flexibility for product onboarding.

We have been working with multiple customers, and every time we onboard a customer, we are missing an essential feature that surprisingly doesn't exist in Sentinel. We searched the forums and knowledge bases but couldn't find a solution. When you onboard new customers, you need to enable the data connectors. That part is easy, but you must create rules from scratch for every associated connector. You click "next," "next," "next," and it requires five clicks for each analytical rule. Imagine we have a customer with 150 rules.

It can be a nightmare. It would be much easier if Microsoft provided a way to select all the rules you need, and you can click once to create them. I went to multiple forums to find a way to automate this. Unfortunately, the best I can do is a semi-automated method. Half of them can be automated, but you must do the rest manually. 

For now, we are doing it manually, and our DevOps team is assigned to do this. Some APIs could be used. We leverage the Azure Insights PowerShell module to do the automation part. Currently, the team is working on it, but I know from the discussion that the solution would only be semi-automated. We can't fully automate this because it simply lacks that capability. Many people in the Microsoft community have already requested this solution. Hopefully, Microsoft will implement this feature.

These solutions provide comprehensive protection, but there is always room for improvement. For example, virus removal has 98 different antivirus engines associated. Still, if you are searching for a malicious IP address or a hostname, some solutions will pick it up, and others won't. It's okay overall. I wouldn't say it isn't good enough. It does what we need, but sometimes another solution does it better. It depends on who detects it first.

I've been using Sentinel for nearly a year.

Sentinel is a cloud-based solution, so everything is handled by Microsoft. We haven't experienced any outages. With any on-premise solution, you will see downtime when there are problems or changes in the infrastructure.

Sentinel is highly scalable. It's on the cloud, so we can scale up to any level. There are two models: pay-go and commitment tier. The commitment tier is there to help reduce costs. If you're a large organization with high volumes of data coming in, Microsoft recommends the commitment tier, which will save you 40-60%. Scalability isn't a problem.

I rate Microsoft support nine out of 10. Within all Microsoft services, there is a link you can use to contact support and raise a ticket based on severity. If it's something that will impact business, they are available 24/7. Once we get a call from them, they follow up around the clock until it's closed. It isn't bad.

Positive

I've worked on Splunk, QRadar, LogRhythm, AlienVault, McAfee, Juniper STRM, etc. I started using Sentinel when I joined this company. We are Microsoft Gold partners. However, my feedback is neutral as an analyst. Compared to other solutions I've used, Microsoft is easier in terms of integration and deployment.

We've seen an ROI. Having used multiple SIEM solutions, I would recommend Microsoft Sentinel for the ROI, integration, cloud visibility, customization, etc. 

The price is reasonable because Sentinel includes features like user behavior analytics and SOAR that are typically sold separately. Overall, a standalone on-prem solution would require some high-end servers at a different cost. It is a cloud-based solution, so there are backend cloud computing costs, but they are negligible. 

The most significant cost factor is log ingestion. The best approach with any SIEM solution is only to ingest the necessary security-specific logs. You consume the EPS licenses, memory, bandwidth, and CPU. It doesn't make sense to forward and dump everything into any SIEM solution. If you are doing the architecture correctly, you send the right amount of logs.

On top of that, Sentinel provides you with a workbook that tells you which log costs how much. You can optimize that part so it's cost-effective. Its dashboard offers clear graphs and charts, showing which log sources ingest the most logs, contributing to the cost. We can easily cut 40-60% of the price if we do appropriate fine-tuning. As long as you're doing the fine-tuning regularly, it's a highly cost-efficient solution.

I rate Sentinel 10 out of 10. At the same time, I understand no solution is perfect. I've had multiple issues with SIEM solutions I've used previously. Sentinel is missing one minor feature that could be added eventually. I have no complaints about the core functionality.

A large enterprise client contacted us about replacing Splunk with Sentinel, and their team wanted a side-by-side comparison. They're pretty new to SOC, and I've been in the field for a long time, so I told them that it's hard to do an apples-to-apples comparison. In many instances, you won't see much difference between the two, and Sentinel might beat Splunk in certain cases.

However, the essential component they would be missing in the comparison is the ecosystem. Sentinel can leverage a huge ecosystem on the backend that Splunk or any other solution simply can't. Splunk specializes in SIEM, but Microsoft covers the full cybersecurity spectrum. When comparing solutions, customers should look at the whole ecosystem and not only product features. 

A best-in-breed strategy works for some categories of security products. For example, it was an organizational policy that we would not purchase all of our firewall-related products from one vendor. However, SIEM only does detection based on the type of logs ingested. An organization might have firewalls from Cisco, Fortinet, and Juniper. At the end of the day, these three firewall brands are feeding the logs into one security solution, which is Sentinel. It's a single pane of glass that correlates all threats across your enterprise. It doesn't make sense to have multiple SIEM solutions.

The only cases where it makes sense are in large enterprises like oil and gas. For example, they may have an IT environment and an OT environment. In the IT environment, they have one solution and a different solution in the OT environment. They are silos being managed by different teams. They may have separate budgets and decision-making processes. That's why they have different solutions. Other than that, I really don't see any reason for having two different SIEM solutions in place.

Our two primary uses for the solution are incident management and threat hunting. We use Sentinel and other Microsoft security products for security investigations, threat, team, and incident management purposes. The tool is deployed across multiple departments and locations, with around 8,000 total end users.

We use multiple Microsoft security products, the full Defender suite including Defender for Cloud, Cloud Apps, and Identity, all integrated with Sentinel. 

Integrating multiple solutions is straightforward; as they are all Microsoft products, it's easy for Sentinel to ingest the logs and data connectors. The process is very simple, and we can configure log sources or data connectors in Sentinel in a couple of clicks.  

As a next-generation AI-powered SIEM and SOAR tool, Sentinel provides an all-encompassing cyber defense at the cloud scale. The solution's machine learning capabilities make threat hunting and identification rapid across the entire cloud environment.

The solution provides excellent visibility into threats; it's integrated with Microsoft's threat intelligence platform, which forwards information to Sentinel. We have robust threat detection 24/7.   

Sentinel helps us prioritize threats across our enterprise, an essential function that lets us focus on investigating and resolving high-priority incidents first. When the most significant threats are dealt with, we can move on to the medium and low-priority issues.  

The multiple Microsoft solutions work natively together to deliver coordinated detection and response across our environment; they work very well together, and we trust these products to investigate matters further. 

The Microsoft solutions provide comprehensive threat protection across our entire organization.  

Sentinel enables us to ingest data from our entire ecosystem, which is crucial to our security operation. We require the data not just from Microsoft products but also from different firewalls and other security products, including firewall proxies, web proxies, logs, etc. We can quickly integrate multiple data sources in just a few steps. 

The solution's threat intelligence helps prepare us for potential threats before they hit and take proactive steps. Sentinel's intelligent and fast threat detection allows us to respond rapidly to critical and high-priority incidents by leveraging built-in automation and orchestration tools. 

Using Sentinel gives us time savings of 30-40%.  

The solution also decreased our time to detect and respond by 30-40%. 

Sentinel is a SIEM and SOAR tool, so its automation is the best feature; we can reduce human interaction, freeing up our human resources.

The built-in AI and machine learning are excellent; they reduce the number of false positives by around 90%.

The centralized threat collection is a valuable feature. 

The solution is cloud-native, so it's faster and easier to deploy as there is no hardware or software to implement.

The product is flexible enough to deploy in the cloud and on-prem, which is an advantage over other SIEM tools.

Sentinel allows us to investigate threats and respond holistically from one place, which is crucial because time management is essential during a security investigation. Having all the relevant data in one place enables security analysts to investigate and resolve quickly.   

The solution's built-in SOAR, UEBA, and threat intelligence capabilities provide comprehensive protection. The SOAR capability is excellent and better than other products on the market, reducing our dependence on security analysts, and IT takes less investigation time. We can leverage the UEBA to focus on risky users and entities first during an investigation, which is an integral part of the process. 

Compared to standalone SIEM and SOAR products, Sentinel reduces infrastructure costs by around 50% due to the cloud and reduced maintenance relative to legacy solutions. Sentinel is also approximately 70% faster to deploy than legacy solutions with the same rules. 

The solution helped to automate routine tasks and the finding of high-value alerts. This reduced our dependency on security analysts and their workloads because the solution reduced false positive alerts by about 90%. This freed up our analysts and is the most significant benefit of automation.  

The product helped eliminate having to look at multiple dashboards and gave us one XDR dashboard, which provides us with greater visibility and a reduced time to investigate and resolve.  

The data connectors for third-party tools could be improved, as some aren't available in Sentinel. They need to be available in the data connector panel. 

The solution could have more favorable pricing; the cost is relatively high compared to other SIEM tools, which can be prohibitive for smaller organizations. 

We've been using the solution for over a year. 

Sentinel is stable. 

The solution is scalable. 

The technical support is good and responsive, but in some cases, it took a long time to resolve our issue.

Positive

We previously used IBM QRadar as a SIEM tool and switched because Sentinel is cloud-native and has more comprehensive capabilities, including SOAR capabilities. Sentinel fits our clients' requirements better, as many of them utilize the MS Defender security suite, which gives them a specific grant for free data ingestion. The solution also provides greater visibility.

I wasn't involved in the solution's initial setup, and in terms of maintenance, it's very lightweight; updates are Microsoft's responsibility, so we don't need to do anything.

Sentinel is expensive relative to other products of the class, so it often isn't affordable for small-scale businesses. However, considering the solution has more extensive capabilities than others, the price is not so high. Pricing is based on GBs of ingested daily data, either by a pay-as-you-go or subscription model.

The product saved us money, but actual savings depend on the project size, as the pricing is per GB of ingested data. Our savings are approximately 40-50%. 

We evaluated various solutions, including LogRhythm SIEM, Splunk, and Sumo Logic Security. We chose Sentinel because it's more advanced, cost-efficient has greater capabilities and fulfills our requirements better than the other products.

I rate Sentinel nine out of ten. 

To a security colleague who says it's better to go with a best-of-breed strategy over a single vendor's security suite, it's better to go with multiple vendors. This provides better visibility and avoids a single point of failure.

My advice to others considering the product is it depends on the project requirements. For larger organizations, I recommend Sentinel, as it's very advanced. However, for smaller-scale industries, Splunk and IBM QRadar are good options. For primarily cloud-based organizations with the majority of users in the cloud, then Sentinel is again an excellent choice.

We use it for our security operations center. We have private and multi-cloud environments.

It enables data integration within our hybrid, multi-cloud environment, and it makes this data integration very easy for our security operations center.

Sentinel has helped improve our visibility into user and network behavior. It helps in identifying risky users, creating a watch list for specific users and their activities, which is very important.

It has also been saving us time. It's a complete cloud-based solution, so there is no time wasted on setting up servers, infrastructure, et cetera.

It also reduces the work involved in event investigation because it puts together detection logic through detection rules. That helps in automating incident identification.

The features that stand out are the 

• detection engine
• integration with multiple data sources.

And while it does not give the tools to detect and investigate, it provides
the ability to integrate multiple tools together on the platform. This is very important for us. Sentinel provides very good integration with Microsoft Power Apps and Power Automate. That is a very handy feature.

It provides a good user interface for an operations analyst and makes it easy for an ops analyst to do incident analysis and investigations.

One key area that can be improved is by building a strong integration with our XDR platform.

I have been using Microsoft Sentinel for over a year. I'm a product manager, and I do not do hands-on deployment, but I do product definition, platform selection, and product feature definition.

It is a stable product.

The technical support team is good. They have account managers aligned with our customers. It is a good, scalable model.

Neutral

We started with Sentinel only. We have had some experience with Splunk, but Sentinel is more mature, flexible, and scalable.

The install or setup time is very small. Without Sentinel, it would usually take 15 to 30 days to set up a SIEM solution in an environment. With Sentinel, it is very easy. A completely production-grade environment can be set up within a week.

Setting up Sentinel is straightforward. Because it is a cloud-based solution, there is no infrastructure deployment involved. Much of the implementation can be done in automated ways. We leverage that automation for implementation. It doesn't require much staff. It is very automated.

It requires maintenance, and that is part of what we cover by providing our customers with managed services.

Our team does the deployment.

We have seen ROI.

The licensing cost is available on the Microsoft Azure calculator. It depends on the size of the deployment, the size of the data ingestion. It is consumption-based pricing. It is an affordable solution.

We have multiple use cases based on the data sources we have onboarded, like Sophos UTM or Firewall.

We also use Microsoft Defender for cloud and Microsoft Office.

We have integrated MD with Sentinel to receive alerts. If there are any suspicious activities in any of our resources, MD will create an alert. Once an alert comes through MDC, it is converted to Sentinel.

It was easy to integrate the solutions. It took about two or three clicks. The solutions work natively together, specifically to give us coordinated detection and response across our environment.

There is a correlation with the mail-based algorithm. We have an AML model algorithm in Sentinel. It has the capability to catch the pattern of attacks and shows that to us in the Sentinel app.

We mostly have cloud-based solutions, so Sentinel gives us better security. There's a feature that allows us to capture all the data in a single console, which we can analyze from the cloud itself.

We don't have to use third-party services to check these activities. If we see that one of our accounts is compromised or anything has happened, we can remove that person from other groups.

There's a feature that allows us to see what is in a secure state and what is in a critical state.

Sentinel helps automate routine tasks and find high-value alerts. We can have a custom playbook and create automation rules through that. If there is a false positive address, we can do the automation from there. If we want an email notification based on high-activated rules, we can provide the automation rules that will notify us on Outlook or through Teams.

It minimizes our analyst's workload. Once a high activity comes up, we'll get a notification on Teams. As analysts, they will validate and send us the email or notification within 10 to 15 minutes with more valid data. If there's a playbook with the top 10 critical rules, we can create multiple playbooks and attach them with the data that we want to protect.

Once that incentive is triggered, we'll get notifications with the full details of that incentive. If high severity comes up, that email is sent to the client, and we do more analysis on that rather than wasting time on the first analysis. We can directly get into the deeper version of the automation.

If an incident comes up, we have to validate the load and find out the correlation of the users. We can focus on the advanced test rather than wasting time on the previous one. This saves five to ten minutes.

On a monthly basis, the analyst team saves at least three to four hours with automation. We have multiple rules based on our more critical test. From that perspective, analysts don't want to work more on low priorities because we'll be automatically notified of low and high priorities. We focus more on critical users where the threat is high. By focusing on what is a high priority, our analysts save five to six hours per week.

We have multiple dashboard views that allow us to see logs coming from different solutions and users who were involved in the previous incident.

The best feature is that onboarding to the SIM solution is quite easy. If you use cloud-based solutions, it's just a few clicks to migrate it.

The console is user-friendly. We have almost 120 different types of data, so the solution helps us to onboard different types of third-party services to the SIM solution. We have UB features, and the SOAR capability in the Sentinel server is also a good feature.

Sentinel's visibility into threats is very good. We have an investigation graph that allows us to see the correlation between the incident and the users. We can see if there are multiple incidents with the same IP address and if there are multiple breaches. We can correlate with the rules and check if any inside threat activities are going on with the malicious site or the malicious URL link that we have onboarded. The threat view provides good visibility.

We can prioritize threats based on our investigation assets. It's very fast. We're able to see the rest of the threat activities and how impactful they are. Based on the AML algorithm, we can get all the stages of the attack as well.

Sentinel enables us to ingest data from our entire ecosystem.

The importance of this ingestion of data to our security operations depends on the data and the type of solutions we have to onboard. We onboard our critical servers and assets to the same solution so we'll have good visibility.

We're able to investigate threats and respond holistically from one place.

We can validate the logs from where the logs have been received. By doing the log analysis, we'll be able to find them. It's a straightforward function and isn't very hard.

There's an incident pane in Sentinel. We have a query package, and we can have a deep dive alert through that, or we can have a deep look into the log. From the console itself, we have a great view of our threats and the current phase we're in.

We have multiple source features. There are between 20 to 30 in addition to data. Microsoft provides custom features through which we can connect with third-party solutions and correlate the incident. For example, if we have multiple incidents, we can use the SOAR capabilities and correlate them with multiple third-party threats. It's an easier way of understanding whether or not we have a malicious bug.

We can see how much time our analysts have taken to raise the ticket and how much time they have taken to resolve the issue assets. We can create a dashboard for that. They're able to notify us within five or ten minutes for high priorities. For the medium priorities, it is 10 to 12 minutes. Our detection time for low priorities is within three hours, but our team still performs under 15 to 18 minutes.

If we want to use more features, we have to pay more. There are multiple solutions on the cloud itself, but the pricing model package isn't consistent, which is confusing to clients.

We have been using this solution for almost two years.

The stability is very good.

I would rate the scalability an eight out of ten.

I would rate technical support a six out of ten. Technical support doesn't understand the features well enough. They will give us links to reference, so we go through those links as a team or Google the solution. We reach out to them if we can't find the solution, but they provide us with the same links and URLs that we've already referred to. It's a hassle because it wastes a week and a half of our time. Their solutions and response time aren't very good.

Neutral

The setup is based on our data sources. We have a segregated timeframe of two payments. It depends on the client or who is doing the operation. Onboarding on the cloud is pretty easy. It takes just a few clicks from migrating the data sources to getting the logs.

For an on-premises or third-party software servicer, it will take more time and troubleshooting to do the setup. It won't be hard if you have a good team for the onboarding process. It can be complicated initially, but the rest of the timeframe will involve fine-tuning the logs and creating the custom rules based on your requirement.

It doesn't require a lot of maintenance. It's pretty simple. We just had to play with it for a couple of months.

We haven't seen any financial ROI.

Sentinel is the best solution that we use. It's a pay-as-you-go model. We can fine-tune the features we want and choose if we want to remove logs. We can also segregate logs, which helps us minimize costs. Sentinel provides free Office 365 and Azure-based logs without pricing assets. When it comes to the third-party solution or our server logs, we just have to do the fine-tuning of the logs.

The pricing isn't very high. It depends on the number of logs you have. If you're expecting to ingest 50 to 60G in a day, but you're only ingesting 20 to 25G per day at first and you have a good team to analyze the logs, then you can segregate the ingestion at under 15G.

I would rate this solution a nine out of ten.

It's very user-friendly. The only issue is that Microsoft's technical support isn't very good. If you have a good team who can onboard the resources to the solution, then you'll be happy with the solution itself.

For us, it's better to go for multiple solutions rather than a single suite because we cannot strictly trust one client. If you only have one cloud-based solution, it's better to use Sentinel to secure it. It's helpful to have a good team that can do the monitoring and onboarding smoothly. You can go with one solution if you have a trusted partner. If you don't, then I would use multiple solutions.

You should purchase the features that Microsoft provides. It's a configured network, so they will correlate with the end resources, RMD, and receiver identity. The fusion-based algorithm rule will detect advanced multistage attacks to stop the attack.

Microsoft Sentinel serves as a centralized hub for collecting and analyzing logs from various Microsoft tools and other sources. It eliminates the need to develop custom toolsets for detecting malicious activities across different Microsoft tools. Instead, Microsoft Sentinel provides standardized rules and playbooks to streamline the process of identifying and responding to potential threats.

For instance, consider a scenario where an employee clicks on a phishing link in an email, leading to the installation of malware on their system. While the endpoint detection and response tool on the endpoint might not detect malicious activity, Microsoft Sentinel, acting as a central log collector, receives the EDR logs and triggers an event based on pre-defined rules.

Upon detecting the suspicious activity, Microsoft Sentinel automatically executes a playbook, which may involve actions such as killing the malicious process or isolating the affected endpoint. This automated response helps expedite threat containment and reduces the burden on security analysts.

It is crucial that Sentinel empowers us to safeguard our hybrid, cloud, and multi-cloud environments. We employ a hybrid cloud setup, and securing our environment using Sentinel is significantly simpler than manual methods. We can gather events in the Central Point and develop playbooks and scripts to automate responses. This streamlines the process and enhances our overall security posture. Additionally, if an alert is triggered, we receive an incident notification via email, prompting us to take action and resolve the issue.

Sentinel provides a library of customizable content to address our company's needs.

Microsoft Sentinel has helped our organization with alerts. We'll receive alerts from Sentinel indicating that we're at risk. It's important to address these alerts promptly. We first need to review the information in the email, and then work on the issue in the office. After that, we'll contact the team members on the relevant shift. There's nothing particularly difficult about this process. It's based on our access privileges, which are determined by our role in the company. If we have a high-level role, we'll have access to all the necessary tools and resources. We'll even be able to receive alerts at home if there's a security issue. The company that provides this technology grants work-from-home access based on security considerations. If someone has a critical role, they'll also be equipped with the tools they need to work remotely and connect with their team members. So, the company that provided the technology can resolve the issue first, and then we can address it. Once we've taken care of the issue, everything will be much easier.

By leveraging Sentinel's AI in conjunction with our playbooks for automation, we can enhance the effectiveness of our security team, subject to the specific rules and policies we implement.

The logs provided by Sentinel have helped improve our visibility into our user's network behavior.

Sentinel has helped us save 60 percent of our time by prioritizing the severity of the alerts we receive. When we receive an alert with a high-risk level, we immediately address it to mitigate the potential security threat. Additionally, we have configured our anti-ransomware software, to further protect our systems from cyberattacks. In the event of a ransomware attack, our Halcyon system will generate an encryption key that can be used to unlock our system. This key is securely stored by Halcyon.

Sentinel has helped reduce our investigation times by enabling us to review an alert, generate a ticket, and resolve the issue simultaneously upon receiving the alert.

The most valuable feature is the alert notifications, which are categorized by severity levels: informational, low, medium, and high. This allows us to prioritize and address alerts based on their urgency. For instance, we would immediately address high-severity alerts. This feature, along with the ability to create playbooks, significantly enhances our workflow.

I would like Microsoft to add more connectors for Sentinel.

Microsoft Sentinel should provide an alternative query language to KQL for users who lack KQL expertise. 

I have been using Microsoft Sentinel for one and a half years.

Microsoft Sentinel is a stable solution. 

Microsoft Sentinel is scalable.

We have to write playbooks to resolve our issues.

Neutral

The configuration of Microsoft Sentinel involved a complex process that required thorough familiarity with the available connectors and the policies to be implemented.

We have seen a 30 percent return on investment.

Sentinel is costly.

I would rate Microsoft Sentinel seven out of ten.

We have five people in our organization who utilize Sentinel.

No maintenance is required from our end.

We have possible use cases for the solution. We have ten or 12 different use cases under this solution.

The Log analytics are useful. You can review many details. 

The portal and the full integration and collaboration between the cloud workloads and multi-tenants have been useful. We can use it with Sharepoint and Exchange.

The solution helps us prioritize all of our threats. It's one of the most important and critical systems we have here. 

We have a lot of Microsoft solutions. For example, we also use Defender for endpoints and Microsoft Cloud. We mostly use Microsoft products, although we also use Crowdstrike. 

It was easy to integrate Defender for Endpoint. Each of these solutions works natively together. It's very crucial that they work together. 

Microsoft is very comprehensive. It helps protect us and offers very clear information. It's easy to assess everything. It's a good user experience. 

We make use of Microsoft Defender for Cloud's bi-directional sync capabilities. We have different customers under our umbrella and multiple subsidiaries. Not all have access to the same license. We don't have the same security exposure everywhere. We can pick and choose who needs access.

Sentinel does enable us to ingest data from our entire ecosystem. This is crucial. That said, it can cost us a lot of money. We try to get feature visibility and enhance the collected logs to be able to identify only certain logs that would need to be uploaded. That said, it's very crucial we can ingest data from anywhere.  

We can investigate threats and respond holistically from one place, one dashboard. Having one dashboard is important as it saves the team from headaches. We can collect all the information we need in one view.

The comprehensiveness of Sentinel is good in that it helps us identify most of our gaps in security. In the last few years, we have been able to fill in most of the gaps.

Once we enabled the connectors and started getting incident reports to our dashboard we were able to realize the benefits of the solution. It took about one month to begin to get the value of this product.

Sentinel helps automate routine tasks and helps automate the findings via high-value alerts. We've been able to automate a lot of the cycle and leave the investigation to humans. Support is very crucial and we can take the right actions fast.

The product helps us prepare for potential threats before they hit and we can take proactive steps. We're very satisfied in terms of security operations.

Before implementing the solution, we didn't know we were wasting a lot of time. Once the solution was in place, we discovered a lot of gaps across the traditional way we were handling security. 

I can't say if we are saving money. However, we're investing in the right places. We're now utilizing services we actually need. From a business perspective, although it does have a cost, it's saving the business since it's protecting us from any security breach.

I'd like to see more integration with other technologies beyond the Microsoft OS. 

I would like to see more AI used in processes.

I've been using the solution for three or four years. 

The stability is not an issue. 

We do have plans to increase usage. The solution has the ability to scale. 

We have not opened a ticket for technical support yet. So far, we haven't had any issues. 

My understanding is Microsoft does not have good support and has done a lot of outsourcing. In general, they used to be brilliant as they were focused on customer satisfaction and engaged with experts, however, the quality is not as good.

Neutral

We also use Crowdstrike as our EDR solution. However, before Sentinel, I did not use anything else in this category.

I took part in the initial deployment. The process was very straightforward. It took about one week to onboard all that we needed. We did it in three phases. First, we did a demo and looked for items that needed to be addressed. We then onboarded the device and put the analytics and logs in place. 

We had a team of three on hand that handled the deployment. They also handle support and maintenance. 

We initially had the assistance of Microsoft partners. However, we failed to get all of the information we needed. We found it more valuable to get assistance from the vendor directly. 

I can't speak to the exact cost.

We are a customer of Microsoft. 

During implementation, it's helpful to get the vendor engaged in the implementation. 

I'd rate the solution nine out of ten.

It's good to go with a single-vendor strategy. I've recommended this product to others.

The user experience should be the number one priority. Microsoft is working on this every day. It's very important to us that the user experience is maintained and there's no conflict between the products or connectors. Having one dashboard makes it easier for admins and businesses to be in touch, engage, and share. For example, my manager can see my reports even if he's not knowledgeable in the technology.

Our organization is an SSP, a service provider for manual threat detection and hunting. We use Microsoft Sentinel for threat detection. We have a few clients using Microsoft Sentinel, and we provide SOAR services to them.

Having the ability to respond holistically from one place with Microsoft Sentinel is very useful. We don't need to log into different security consoles. It is less hectic and reduces our time to respond and resolve the issue.

The solution has helped improve our organization by detecting and hunting threats. The solution also correlates alerts from other solutions, such as Defender, Office 365, and other Endpoint solutions. Microsoft Sentinel has automated responses that help us reduce the number of analysts required for example, from ten to six because most of the tasks are done automatically.

The solution's automation of routine tasks helps us automate the finding of high-value alerts by reducing the manual work from 30 minutes down to three. 90 percent of the work is done by Sentinel which runs the playbook and provides us with all the data required to make a decision quickly.

The solution has helped eliminate the need to use multiple dashboards by incorporating SIEM plus SOAR into one convenient location. We don't need to log into each of the solutions individually. We can directly correlate the alerts and incidents from our Sentinel console. Sentinel reduces our time because we don't need to check multiple tabs for multiple solutions. All the information required to investigate and make a decision can be found in the solution's panel view.

We don't have any out-of-the-box threat intelligence from Microsoft, but with the integration of some open-source solutions and premium sources, Microsoft Sentinel helps us take proactive steps before threats enter our environment.

We have custom rules created to check IPs or domains for potential threats. Whenever an IP or domain is visible in our logs, the solution will automatically correlate with the threat intelligence feed and create an alert. If we skip the correlation portion and an alert has been created for a malicious IP or a malicious domain, the solution can check the reputation in different reputation sources such as a virus portal, or threat recorded future, and it will auto-populate the information for the analyst which helps us prepare for potential threats.

The solution has definitely saved us 90 percent of our time. Microsoft Sentinel reduces our time to detect, respond, and resolve incidents. Most of the incidents are detected automatically and we just need the data to make a decision. We don't have to go look for different clues or reputations over the internet or use other solutions.

Microsoft Sentinel has saved us from incurring costs related to a breach by protecting us.

The solution detects incidents and alerts us in real-time based on custom rules that we create or the out-of-the-box rules that are part of Sentinel. The information that auto-populates when we run the playbook reduces our response time in most cases because all the relevant data required for our investigation is provided on the incident details page.

Logic apps, playbooks, and dashboarding are all valuable features of this solution. 

Microsoft Sentinel prioritizes threats across our organization because the solution allows us to correlate using multiple solutions including Defender.

Integrating Microsoft solutions with each other is very easy. The integrated solutions work together to deliver coordinated detection and response in our environment.

The solution enables us to investigate threats and respond holistically from one place. We can write AQL queries and also create rules to detect the alerts. In the event that we don't have rules, we can proactively hunt through KQL queries.

The workbook based on KQL queries, which is the query language is very extensive compared to other solutions such as QRada and Splunk.

The solution requires no in-house maintenance because it is all handled by Microsoft. We only need to monitor the updates.

The playbook development environment is not as rich as it should be. There are multiple occasions when we face problems while creating the playbook. 

The cost is not straightforward and would benefit from a single charge model. 

The UI is not impressive, we need to train our analysts to conduct the investigation. Unlike IBM QRadar which has a different UI for searching, there is no UI where we can conduct searches with Sentinel. With Sentinel, all our searches require a KQL query, and if our analysts are not familiar with KQL queries, we have to train them. 

The data ingestion can use improvement. There are a few scenarios where we have experienced a delay in data ingestion.

I have been using the solution for one and a half years.

Sentinel is quite stable because it's a SaaS-based offering, so we don't have to worry about our stability. The solution is available 99.99999 percent of the time. The only time we have an issue is if there is a problem with the Azure portal. Microsoft handles the stability well.

We can scale the solution as much as we want, and with a few clicks, we can increase or decrease capacity.

We currently have four engineering teams that handle the deployments and use case development as well as a SOAR team that consists of ten technical people who all use the solution.

Microsoft Sentinel support is really good. They respond quickly to our requests and they try to resolve our issues as soon as possible. From my experience, Microsoft has the best support.

Positive

For SIEM, we previously used IBM QRadar and Splunk Enterprise Security. For SOAR, We have used IBM Resilient, Palo Alto XSOAR, and D3 SOAR, which is a new tool. D3 SOAR is a startup based in Canada and we used it for POC, but we have not used it in production. Sentinel is a SaaS-based solution. There is less administration required and with a few clicks, we can deploy Microsoft Sentinel, whereas, with other solutions, we have to build everything from scratch. There are other SaaS-based solutions but Sentinel is one of the most popular and because a lot of organizations are already using Microsoft and Azure products, Sentinel is the best compatible solution.

The initial setup for Sentinel is straightforward and the best I have worked with to date. We are able to deploy within half an hour and we only require one person to complete the implementation. 

The implementation was completed in-house.

From a cost perspective, there are some additional charges in addition to the licensing. Initially, the cost appears expensive, but over time, the solution justifies that cost. The cost is not straightforward, but instead really complex. We are charged for data ingestion as well as data leaving the environment. We are also charged for running playbooks and for logic apps. Compared with SIEM solutions, whose cost is simply based on EPS or data storage, Microsoft Sentinel's cost is complex. Over time we can predict what the cost of using the solution will be. Other standalone SOAR tools have fixed licensing and their cost is simple. We don't need to pay for each command we run or each integration we have or each automation we do. With Microsoft Sentinel, there is a cost associated with each of the connectors that we use in our playbook. Every time we run that playbook, there will be charges, but the charges are minimal unless we run the playbook repeatedly, then over time the cost shoots up.

We occasionally test POC and we are still evaluating other solutions.

I give the solution nine out of ten.

My impression of the visibility into threats that Microsoft Sentinel provides is that the solution is not perfect, but since it is part of Microsoft Workspace, Microsoft already provides so many services to clients, and Microsoft Sentinel is one of them. If we are already using Azure and other services from Microsoft, then Sentinel is easy to implement and use compared to other similar solutions. If I was not using Microsoft Solutions, then I can use other solutions, such as IBM QRadar or Splunk, and when it comes to XSOAR, Palo Alto XSOAR is a much better solution.

We use multiple solutions from Microsoft within our organization including Defender and Endpoint. We have integrated Endpoint with Defender and Microsoft Security Center to receive alerts.

Microsoft Sentinel has out-of-the-box support for up to 90 percent of solutions where we can find a connector to ingest the data directly, but for the remaining 10 percent, we need to write custom tables.

The ability to ingest data is the backbone of our security. If we don't ingest the data, we won't be able to perform anything at all in SIEM. SIEM is based on data ingestion. Once the data is ingested, then on top of that data, we can monitor and detect or hunt, whatever we want. We can create a reporting dashboard, but the data needs to be there.

Microsoft Sentinel's UEBA is quite capable. For SIEM, Splunk and IBM QRadar are slightly better than Sentinel, but Sentinel is catching up fast. The solution has only been in the market for two or three years and has already captured a large share with increasing popularity. For SOAR, Palo Alto XSOAR is much better than Microsoft Sentinel because Sentinel is a SIEM plus SOAR solution whereas Palo Alto XSOAR is a SOAR-focused solution only. What Microsoft Sentinel provides is one solution for SIEM plus SOAR, where we can detect and also respond in one place.

Currently, we have one environment based in a US data center, but we have the ability for multiple solutions in multiple regions within Azure, and we can integrate them using a master and slave configuration that will allow us to run all the queries from the master console.

Using a best-of-breed strategy rather than a single vendor suite is fine if we have a SIEM solution, a SOAR solution, or an Endpoint detection solution until a time when they are no longer compatible with each other and we can not integrate them. If we can not integrate the solutions it becomes difficult for our teams to log into and monitor multiple solutions separately.

I definitely recommend Microsoft Sentinel, but I suggest basing the decision on proof of concept by gathering the requirements, security solutions, and additional log source devices an organization has before using the solution. There are multiple solutions available that may be more suitable in some cases.

We use Sentinel to manage data based on data connectors and log sources. We have to build the use cases. I create policies and periodically fine-tune them. There are a lot of cloud applications for that, like Microsoft Active Directory, Office 365, and Microsoft Identity Protection.

For instance, when a privileged account's password is changed frequently, it should trigger an alert and will create an incident. Another use case is the ability to summarize all DB activity.

We also use Defender for Endpoint, and I have experience with Defender for Cloud and Microsoft Identity Protection.

The cloud-native solution covers an entire IT organization. It could be located in China, Russia, Pakistan, or India. It doesn't matter.

This solution is mostly deployed on the cloud. The solution is used across our entire organization. There are more than 1,000 end users.

The solution increases security. It also reduces complexity because we can monitor everything from a single solution. We can manage a firewall, servers,  connected DOS, etc. Even if it's a third-party application, we can manage it.

The solution helps automate routine tasks and find high-value alerts. For example, we can create analytical rules and build the use cases so that any suspicious incoming traffic is blocked.

The solution has eliminated the need to look at multiple dashboards. Everything is accessible from a single dashboard.

Our team is currently being trained on how to use threat intelligence to help prepare and take proactive steps for potential threats before they hit. If there are any zero-day vulnerabilities, Microsoft will update the platform, so that all of the organizations that use Sentinel will have coverage. 

I like the KQL. It simplifies getting data from the table and seeing the logs. All you need to know are the table names. It's quite easy to build use cases by using KQL.

Sentinel provides visibility into threats. It provides anonymous IP and URL detection in our environment. We can easily get the logs.

It helps prioritize threats in the organization. We can build analytic rules. Microsoft Sentinel provides a lot of alternative use cases, but we have to prepare them.

Sentinel enables us to ingest data from our entire ecosystem because it's a cloud-native SIEM. We can integrate everything into Sentinel. In any organization, log management is an important aspect. For auditing and compliance, an organization has to validate the logs.

Sentinel enables us to investigate threats and respond holistically from one place. There's an incident option that allows us to view information about a specific instance, an anomaly, and activities that have happened in the last 24 hours. It will show the specific incident, the host, the time, and what the user is accessing. It shows everything in a single pane, which is very useful.

There's a lot of technical documentation for automation. It's easy to understand. You can build it according to your needs. You can automate playbooks. You can integrate a number of digital platforms into your environment.

The performance could be improved. If I create 15 to 20 lines for a single-use case in KQL, sometimes it takes more time to execute. If I create use cases within a certain timeline, the result will show in .01 seconds. A complex query takes more time to get results.

I have used this solution for two years.

The solution is very stable. We haven't experienced any outages so far. There is a failover function. If a region has an outage, there is backup support, which is advertised in the software on SIEM.

The solution is scalable.

I would rate technical support as nine out of ten. 

We previously used Splunk. We switched because of the cost.

I wasn't involved in deployment. Maintenance isn't needed often.

Sentinel saves us time. KQL is fast. The response of the query output is quick compared to other products. We can create a lot of automation in that particular environment, which reduces the workload for a lot of false positives. 

Logic App allows us to create mini-automations. XOR plays a huge role in Microsoft Sentinel. It automates soft operations workloads.

The solution saves us time by 75%. By using automation instead of working on a specific incident for 30 minutes, it takes a maximum of five minutes. 

This solution saves us money. Microsoft offers discounts if you purchase GB per day.

Sentinel decreases the time it takes to detect and the time it takes to respond by 70%.

In a protected cloud, Microsoft is quite manageable. It allows you to pay as you go. If you're replacing cloud resources, you'll eventually have thousands of virtual machines, but you'll be able to pay for only 500 virtual machines.

The pay-as-you-go model is beneficial to customers.

My organization tried an open-source platform, but it didn't give a proper output, so we compiled some other solutions. We prefer Microsoft products, so we went with Sentinel. 

I would rate this solution as nine out of ten. 

To a security colleague who says it's better to go with a best-of-breed strategy rather than a single-vendor security suite, I would say that if you have a single-bundle security solution, you can cover all of your security needs in an IT organization. It's beneficial for support, makes data visibility clearer, and improves security. I would recommend a single-bundle security solution as a better way to go for deployment.