Sachin Paul - PeerSpot reviewer
Product Manager, Cyber Security at a comms service provider with 201-500 employees
Real User
Dec 14, 2023
Makes data integration very easy for our SOC
Pros and Cons
  • "The features that stand out are the detection engine and its integration with multiple data sources."
  • "One key area that can be improved is by building a strong integration with our XDR platform."

What is our primary use case?

We use it for our security operations center. We have private and multi-cloud environments.

How has it helped my organization?

It enables data integration within our hybrid, multi-cloud environment, and it makes this data integration very easy for our security operations center.

Sentinel has helped improve our visibility into user and network behavior. It helps in identifying risky users, creating a watch list for specific users and their activities, which is very important.

It has also been saving us time. It's a complete cloud-based solution, so there is no time wasted on setting up servers, infrastructure, et cetera.

It also reduces the work involved in event investigation because it puts together detection logic through detection rules. That helps in automating incident identification.

What is most valuable?

The features that stand out are the 

  • detection engine
  • integration with multiple data sources.

And while it does not give the tools to detect and investigate, it provides the ability to integrate multiple tools together on the platform. This is very important for us. Sentinel provides very good integration with Microsoft Power Apps and Power Automate. That is a very handy feature.

It provides a good user interface for an operations analyst and makes it easy for an ops analyst to do incident analysis and investigations.

What needs improvement?

One key area that can be improved is by building a strong integration with our XDR platform.


For how long have I used the solution?

I have been using Microsoft Sentinel for over a year. I'm a product manager, and I do not do hands-on deployment, but I do product definition, platform selection, and product feature definition.

What do I think about the stability of the solution?

It is a stable product.

How are customer service and support?

The technical support team is good. They have account managers aligned with our customers. It is a good, scalable model.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We started with Sentinel only. We have had some experience with Splunk, but Sentinel is more mature, flexible, and scalable.

How was the initial setup?

The install or setup time is very small. Without Sentinel, it would usually take 15 to 30 days to set up a SIEM solution in an environment. With Sentinel, it is very easy. A completely production-grade environment can be set up within a week.

Setting up Sentinel is straightforward. Because it is a cloud-based solution, there is no infrastructure deployment involved. Much of the implementation can be done in automated ways. We leverage that automation for implementation. It doesn't require much staff. It is very automated.

It requires maintenance, and that is part of what we cover by providing our customers with managed services.

What about the implementation team?

Our team does the deployment.

What was our ROI?

We have seen ROI.

What's my experience with pricing, setup cost, and licensing?

The licensing cost is available on the Microsoft Azure calculator. It depends on the size of the deployment, the size of the data ingestion. It is consumption-based pricing. It is an affordable solution.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner.
PeerSpot user
Matthew Hoerig - PeerSpot reviewer
President at a tech services company with 1-10 employees
Real User
Top 5
Feb 16, 2023
Well-defined KQL queries help make threat-hunting more automated and routine
Pros and Cons
  • "There are some very powerful features to Sentinel, such as the integration of various connectors. We have a lot of departments that use both IaaS and SaaS services, including M365 as well as Azure services. The ability to leverage connectors into these environments allows for large-scale data injection."
  • "If you're looking to use canned queries, the interface could be a little more straightforward. It's not immediately intuitive regarding how you use it. You have to take a canned query and paste it into an operational box and then you hit a button... They could improve the ease of deploying these queries."

What is our primary use case?

Our use cases range from more complex configurations, looking at things like playbooks, workbooks, and threat-hunting, for which we rolled out architectures in some departments in the Government of Canada, to a more streamlined functionality and looking at things from a correlation perspective. 

We work in tandem with a couple of departments that have products called cloud sensors and those sensors feed telemetry into Sentinel. In its simplest form, we're using it for the ingestion of all that telemetry and looking for anomalies.

The anomalous behavior can include anonymous IPs and geolocation that might indicate bad actors are trying to access a system. If I'm located in Ottawa, Ontario and somebody from Russia is trying to access our tenant, that's going to be pretty suspicious.

Just like the US government has FedRAMP, there is a similar approach, here, for the Government of Canada where the funding for projects takes a cloud-first approach. Most of the departments in the government are now on some kind of cloud journey. When I look at the various projects I've worked on, every single one, to some degree, has an IaaS in Azure environment, and most of those deployments incorporate Sentinel and the log analytics workspace into the solution.

How has it helped my organization?

Sentinel helps automate the finding of important alerts as well as routine tasks. When your KQL queries are well-defined, and your threat hunting becomes more routine for parsing through a volume of ingested information, it becomes more of an established process. There would likely be some kind of documentation or procedures for how Sentinel would be managed. The idea is to catch any threat before it actually impacts your organization. Using Sentinel workbooks and playbooks and doing threat-hunting to find things before they actually affect a particular system is the optimal approach. It may depend on the size of the team that is supporting the tool and the knowledge level required to appropriately configure the tool.

I have one department that has quite a mature and robust Sentinel implementation, and they are absolutely doing that. They're using threat-hunting and the ability to create rules to be proactive.

A fully functioning Sentinel system configured properly so that you're doing advanced threat-hunting and trying to catch malware and other kinds of attacks before they impact your systems, could result in enormous cost savings if you're able to identify threats before they actually impact you. I'm sure that Sentinel has saved money for most departments in terms of forensic, digital investigations. But it would be hard for me to put a dollar figure on that. As the Government of Canada is becoming more capable of managing this system, the ability to leverage all of the bells and whistles to help to create a better security posture, and to catch things in advance, will absolutely result in dollar savings.

Similarly, for time to detection, a fully deployed Sentinel system that is properly managed and has a good, robust configuration, would absolutely save time in terms of pinpointing systems where a problem may exist, and employing alternative tools to do scans and configure reviews. But specific savings would depend on the department, the size of the team, and the configuration of the tool.

What is most valuable?

There are some very powerful features in Sentinel, such as the integration of various connectors. We have a lot of departments that use both IaaS and SaaS services, including M365 as well as Azure services. The ability to leverage connectors into these environments allows for large-scale data injection. We can then use KQL (Kusto Query Language) queries. It queries the telemetry for anomalies. The ability to parse out that information and do specific queries on it, and look for very specific things, is quite a valuable function.

The large-scale data ingestion and the ability to use KQL queries to establish connectors into various data sources provide very expansive visibility. With playbooks into which you incorporate rules, you can be very granular or specific about what you're looking for. It provides a great deal of visibility into that telemetry coming in from various services across your tenant.

In terms of data ingestion from an entire ecosystem, there might be some services for which Microsoft has not built a connector yet for Sentinel. But for most of the major services within Azure, including M365, those connectors do exist. That's a critical piece. As a SIEM, the way that it identifies anything anomalous is by correlating all those sources and searching the telemetry for anomalies. It's critical to ensure that you can ingest all that information and correlate it accordingly.

The comprehensiveness of Sentinel's security protection is highly effective and it scales well. It has the ability to do automated responses that are based on rules and on Sentinel's ability to learn more about the environment. The AI piece allows for behavioral and learning processes to take place, but the underlying logic is in the rules that you create via playbooks and workbooks. That whole functionality is highly effective, as long as you have good KQL literacy, how your alerts are configured, and where your alerts are configured. Are they via email or SMS? There are a lot of variables for how you want or expect Sentinel to behave. It's quite a comprehensive architecture to make sure that you've got all those pieces in place. When configured properly, Sentinel is a very powerful tool, and it's very beneficial.

What needs improvement?

My only complaint about Sentinel has to do with how you leverage queries. If you have good knowledge of KQL, things are fine. But if you're looking to use canned queries, the interface could be a little more straightforward. It's not immediately intuitive regarding how you use it. You have to take a canned query and paste it into an operational box and then you hit a button. Then it does the analysis of the telemetry. If things could be improved anywhere, it might be there. They could improve the ease of deploying these queries.

For how long have I used the solution?

I have been using Sentinel since 2018.

How are customer service and support?

Sentinel is very good if you have the right support tier in place. If you don't have the right support tier, then it can become quite laborious to find a technician who is knowledgeable, because the tier-one support might be out-of-country. You have to pay for the ability to get to a senior guy who is quite knowledgeable. That's an area of cost that may be impactful to the proper operation of the tool itself. But when you do talk to somebody who's knowledgeable, it's great.

How would you rate customer service and support?

Positive

What's my experience with pricing, setup cost, and licensing?

It's expensive, but it's beneficial.

Because of the way that the Government of Canada allows access to the Azure marketplace, we don't typically employ other cloud SIEMs. However, many departments of the government use on-prem SIEMs. When I consider the licensing and the functionality for those on-prem SIEMs, Sentinel is fairly pricey. That being said, for an Azure tenant, it's really the only game in town, unless you're pulling in information or you're exporting information from Sentinel to a third-party source on-prem for further analysis or storage.

Cost-wise, Sentinel is based on the volume of information being ingested, so it can be quite pricey. The ability to use strategies to control what data is being ingested is important.

Because it's expensive, I've seen other departments that have on-prem SIEMs that reanalyze telemetry that is exported from the Azure cloud. It's not like-for-like, though.

What other advice do I have?

Many organizations leverage the MITRE ATT&CK framework. Within MITRE there are all kinds of tactics that could be brought to bear on any unsuspecting department or target. Or they align with something like OWASP. But with Sentinel, you're able to delineate what categories you want to prioritize. For anything web-based, because everything is based on APIs and is based on a web interface, you might want to prioritize OWASP-based threats. But if you look at things like APTs, advanced, persistent threats, and various bad actors that MITRE categorizes, that gives you a really good source of information in terms of what to prioritize.

There are a lot of Microsoft security products: Defender for Cloud, Security Center, Azure Monitor. On the SaaS side, we leverage Compliance Manager. And within the dashboards for M365, you've got the ability to leverage policies. For some clients I've worked on, we have things like DLP policies, to prevent unauthorized exfiltration of data. But for IaaS, where Azure typically resides, Defender for Cloud is a big one.

With the use of connectors, if you're looking to provide data telemetry from various services back into Sentinel to do threat-hunting, it is quite a straightforward process. If you're looking to look at things like logging and auditing and how storage accounts integrate, that's a bit more complex, but it's not rocket science. It's certainly quite feasible.

Because they're all services incorporated into Azure, and into IaaS from a broader perspective, there's fairly straightforward integration. Everything is API driven. As long as you can take advantage of that within your dashboard and your admin center, you can enable them very simply through that. If you're looking for historical data through login auditing, it's a matter of parsing through some of that information to get some of those key nuggets of information. But the broader ability to spin up a bunch of services through Azure and have them communicate and work together to build a better security posture is very straightforward.

Cloud platforms, whether Microsoft or AWS or Google, are always in flux. There are always services coming down the line, as well as updates or upgrades, and refinements to these services. Very rarely do you find a static service. When I look at the comprehensiveness of Sentinel from when I started to use it back in 2018 and through to early 2023, there have been a fair number of changes to the functionality of the tool. There are more connectors coming online all the time. It's evolving to make it more and more comprehensive in terms of what kind of information you can pull into Sentinel. It's more and more comprehensive as time goes on; the tool just improves.

Disclosure: My company has a business relationship with this vendor other than being a customer. Implementer
PeerSpot user
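The geolocation anomaly the reviewer describes (a successful sign-in from a country where none of your users should be) written as a KQL hunting query; this is an added example, not part of the review or of Microsoft's own content, and it assumes the Microsoft Entra ID connector is populating the SigninLogs table and that "CA" stands in for your organization's expected countries.

```kql
// Added example: successful sign-ins from outside an expected-country allowlist.
// Assumes SigninLogs is populated by the Microsoft Entra ID data connector.
let allowed_countries = dynamic(["CA"]);   // placeholder: your expected locations
let lookback = 1d;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == 0                    // successful sign-ins only (failures are a separate hunt)
| extend Country = tostring(LocationDetails.countryOrRegion)
| where isnotempty(Country) and Country !in (allowed_countries)
| summarize
    SignIns   = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    SourceIPs = make_set(IPAddress, 10),
    Apps      = make_set(AppDisplayName, 10),
    RiskSeen  = make_set(RiskLevelDuringSignIn, 5)
    by UserPrincipalName, Country
| order by SignIns desc
```

Saved as a scheduled analytics rule, each returned row becomes an alert the analyst can pivot from by user, IP, or application; travelling staff are handled by widening the allowlist, not by loosening the filter.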
Arun-Raj - PeerSpot reviewer
Associate Consultant, SIEM Engineer at a tech services company with 501-1,000 employees
Consultant
Aug 30, 2022
Gives us better security and allows us to capture all the data in a single console, which we can analyze from the cloud
Pros and Cons
  • "The best feature is that onboarding to the SIM solution is quite easy. If you are using cloud-based solutions, it's just a few clicks to migrate it."
  • "If we want to use more features, we have to pay more. There are multiple solutions on the cloud itself, but the pricing model package isn't consistent, which is confusing to clients."

What is our primary use case?

We have multiple use cases based on the data sources we have onboarded, like Sophos UTM or Firewall.

We also use Microsoft Defender for cloud and Microsoft Office.

We have integrated MD with Sentinel to receive alerts. If there are any suspicious activities in any of our resources, MD will create an alert. Once an alert comes through MDC, it is converted to Sentinel.

It was easy to integrate the solutions. It took about two or three clicks. The solutions work natively together, specifically to give us coordinated detection and response across our environment.

There is a correlation with the mail-based algorithm. We have an AML model algorithm in Sentinel. It has the capability to catch the pattern of attacks and shows that to us in the Sentinel app.

How has it helped my organization?

We mostly have cloud-based solutions, so Sentinel gives us better security. There's a feature that allows us to capture all the data in a single console, which we can analyze from the cloud itself.

We don't have to use third-party services to check these activities. If we see that one of our accounts is compromised or anything has happened, we can remove that person from other groups.

There's a feature that allows us to see what is in a secure state and what is in a critical state.

Sentinel helps automate routine tasks and find high-value alerts. We can have a custom playbook and create automation rules through that. If there is a false positive address, we can do the automation from there. If we want an email notification based on high-activated rules, we can provide the automation rules that will notify us on Outlook or through Teams.

It minimizes our analyst's workload. Once a high activity comes up, we'll get a notification on Teams. As analysts, they will validate and send us the email or notification within 10 to 15 minutes with more valid data. If there's a playbook with the top 10 critical rules, we can create multiple playbooks and attach them with the data that we want to protect.

Once that incentive is triggered, we'll get notifications with the full details of that incentive. If high severity comes up, that email is sent to the client, and we do more analysis on that rather than wasting time on the first analysis. We can directly get into the deeper version of the automation.

If an incident comes up, we have to validate the load and find out the correlation of the users. We can focus on the advanced test rather than wasting time on the previous one. This saves five to ten minutes.

On a monthly basis, the analyst team saves at least three to four hours with automation. We have multiple rules based on our more critical test. From that perspective, analysts don't want to work more on low priorities because we'll be automatically notified of low and high priorities. We focus more on critical users where the threat is high. By focusing on what is a high priority, our analysts save five to six hours per week.

We have multiple dashboard views that allow us to see logs coming from different solutions and users who were involved in the previous incident.

What is most valuable?

The best feature is that onboarding to the SIM solution is quite easy. If you use cloud-based solutions, it's just a few clicks to migrate it.

The console is user-friendly. We have almost 120 different types of data, so the solution helps us to onboard different types of third-party services to the SIM solution. We have UB features, and the SOAR capability in the Sentinel server is also a good feature.

Sentinel's visibility into threats is very good. We have an investigation graph that allows us to see the correlation between the incident and the users. We can see if there are multiple incidents with the same IP address and if there are multiple breaches. We can correlate with the rules and check if any inside threat activities are going on with the malicious site or the malicious URL link that we have onboarded. The threat view provides good visibility.

We can prioritize threats based on our investigation assets. It's very fast. We're able to see the rest of the threat activities and how impactful they are. Based on the AML algorithm, we can get all the stages of the attack as well.

Sentinel enables us to ingest data from our entire ecosystem.

The importance of this ingestion of data to our security operations depends on the data and the type of solutions we have to onboard. We onboard our critical servers and assets to the same solution so we'll have good visibility.

We're able to investigate threats and respond holistically from one place.

We can validate the logs from where the logs have been received. By doing the log analysis, we'll be able to find them. It's a straightforward function and isn't very hard.

There's an incident pane in Sentinel. We have a query package, and we can have a deep dive alert through that, or we can have a deep look into the log. From the console itself, we have a great view of our threats and the current phase we're in.

We have multiple source features. There are between 20 to 30 in addition to data. Microsoft provides custom features through which we can connect with third-party solutions and correlate the incident. For example, if we have multiple incidents, we can use the SOAR capabilities and correlate them with multiple third-party threats. It's an easier way of understanding whether or not we have a malicious bug.

We can see how much time our analysts have taken to raise the ticket and how much time they have taken to resolve the issue assets. We can create a dashboard for that. They're able to notify us within five or ten minutes for high priorities. For the medium priorities, it is 10 to 12 minutes. Our detection time for low priorities is within three hours, but our team still performs under 15 to 18 minutes.

What needs improvement?

If we want to use more features, we have to pay more. There are multiple solutions on the cloud itself, but the pricing model package isn't consistent, which is confusing to clients.

For how long have I used the solution?

We have been using this solution for almost two years.

What do I think about the stability of the solution?

The stability is very good.

What do I think about the scalability of the solution?

I would rate the scalability an eight out of ten.

How are customer service and support?

I would rate technical support a six out of ten. Technical support doesn't understand the features well enough. They will give us links to reference, so we go through those links as a team or Google the solution. We reach out to them if we can't find the solution, but they provide us with the same links and URLs that we've already referred to. It's a hassle because it wastes a week and a half of our time. Their solutions and response time aren't very good.

How would you rate customer service and support?

Neutral

How was the initial setup?

The setup is based on our data sources. We have a segregated timeframe of two payments. It depends on the client or who is doing the operation. Onboarding on the cloud is pretty easy. It takes just a few clicks from migrating the data sources to getting the logs.

For an on-premises or third-party software servicer, it will take more time and troubleshooting to do the setup. It won't be hard if you have a good team for the onboarding process. It can be complicated initially, but the rest of the timeframe will involve fine-tuning the logs and creating the custom rules based on your requirement.

It doesn't require a lot of maintenance. It's pretty simple. We just had to play with it for a couple of months.

What was our ROI?

We haven't seen any financial ROI.

What's my experience with pricing, setup cost, and licensing?

Sentinel is the best solution that we use. It's a pay-as-you-go model. We can fine-tune the features we want and choose if we want to remove logs. We can also segregate logs, which helps us minimize costs. Sentinel provides free Office 365 and Azure-based logs without pricing assets. When it comes to the third-party solution or our server logs, we just have to do the fine-tuning of the logs.

The pricing isn't very high. It depends on the number of logs you have. If you're expecting to ingest 50 to 60G in a day, but you're only ingesting 20 to 25G per day at first and you have a good team to analyze the logs, then you can segregate the ingestion at under 15G.

What other advice do I have?

I would rate this solution a nine out of ten.

It's very user-friendly. The only issue is that Microsoft's technical support isn't very good. If you have a good team who can onboard the resources to the solution, then you'll be happy with the solution itself.

For us, it's better to go for multiple solutions rather than a single suite because we cannot strictly trust one client. If you only have one cloud-based solution, it's better to use Sentinel to secure it. It's helpful to have a good team that can do the monitoring and onboarding smoothly. You can go with one solution if you have a trusted partner. If you don't, then I would use multiple solutions.

You should purchase the features that Microsoft provides. It's a configured network, so they will correlate with the end resources, RMD, and receiver identity. The fusion-based algorithm rule will detect advanced multistage attacks to stop the attack.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Nagendra Nekkala - PeerSpot reviewer
Senior Manager ICT & Innovations at a logistics company with 501-1,000 employees
Real User
Top 10
Nov 22, 2023
Provides a unified set of tools to detect, investigate, and respond to incidents and enables proactive threat hunting
Pros and Cons
  • "The product can integrate with any device."
  • "The AI capabilities must be improved."

What is our primary use case?

I use the solution to ensure proper security analytics and threat intelligence across the enterprise. The tool helps me to know the type of attack detection that happens and the kind of visibility, proactive hunting, and threat response we have.

How has it helped my organization?

We use the tool because we want a solution that can quickly analyze large volumes of data across the enterprise. Microsoft Sentinel is a one-stop solution for all our security needs. It gives threat visibility, enables proactive hunting, and provides investigation reports.

What is most valuable?

The product can integrate with any device. It has connectors. So, we do not have big issues in building connectors. Microsoft Sentinel gives us a unified set of tools to detect, investigate, and respond to incidents. It also helps us recover things. It is very important to our organization. It centralizes our total threat collection and detection and generates investigation reports.

What needs improvement?

The AI capabilities must be improved. The product must efficiently leverage the AI capabilities for threat detection and response. The product does not provide auto-configuration features. So, we need to do configuration, policy changes, and group policies ourselves. If AI can do these functions, it will be easier for the customers.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

The product is stable.

What do I think about the scalability of the solution?

We have around 1500 users. We have only one administrator. The product is easily scalable. As long as the enterprise grows, we will continue using Microsoft Sentinel.

How are customer service and support?

The technical support team is very good.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We were using Splunk before. We decided to switch to Microsoft Sentinel because we were unable to work on large data using Splunk. Splunk did not have AI capabilities and was not user-friendly.

How was the initial setup?

The product is deployed on the cloud. It is a SaaS solution. The initial deployment was easy. We ensured that all the devices and the APIs were configured well. We needed two engineers from our team for the deployment. We have deployed the tool in a single location. The solution does not need any maintenance.

What about the implementation team?

We took help from an integrator to deploy the tool. It was a user-friendly experience.

What was our ROI?

The solution is efficient. We could see the returns on investment immediately. It doesn’t take much time.

What's my experience with pricing, setup cost, and licensing?

The product is costly compared to Splunk. When we pay for the product, we also have Azure Monitor Log Analytics as part of the package. It is economical for us.

What other advice do I have?

We use the tool to help secure our cloud-native security solutions. By enabling us to secure our cloud environments, it acts as a single solution for attack detection and threat visibility for proactive hunting. The solution gives us a library of customizable content that helps us address our unique needs. It also gives regular patch updates. It helps us to be updated with the latest threats happening across the world.

We use the Microsoft Sentinel Content hub. Integration with Active Directory is also helpful for us. The content hub enables us to see the latest features. We have Extended Detection and Response in SentinelOne. It provides effective protection for the platform. It provides more cybersecurity by providing more visibility and protects our enterprise.

The content hub helps us centralize out-of-the-box security information and event management content. It discovers and manages the built-in content. It provides an end-to-end security for us.

Microsoft Sentinel correlates signals from first and third-party sources into a single high-confidence incident. It can extract the information through the respective APIs of the third parties. It has increased our threat intelligence, monitoring, and incident analysis efficiency.

We use Microsoft Sentinel's AI in automation. The generative AI features enable real-time threat hunting and detection. The solution has helped improve our visibility into user and network behavior. The generative AI provides better detection and response capabilities and faster response times with actionable intelligence.

The product has saved us time. It helps us get various log files. When there’s an incident, it enables us to do investigations faster. The tool saves us three days in a week. It reduces the work involved in our event investigation by streamlining the processes and making automation effective. Event investigation is much faster.

If someone is looking for a comprehensive solution, Microsoft Sentinel is a good choice. It will fulfill all our needs, including attack detection, threat visibility, and response.

Overall, I rate the solution an eight out of ten.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Subject Matter Expert - Threat Management at a tech services company with 10,001+ employees
Real User
Oct 2, 2023
Helps prioritize threats and decreases time to detect and time to respond
Pros and Cons
  • "Sentinel pricing is good."
  • "The reporting could be more structured."

What is our primary use case?

Sentinel is used to cover cloud-native customers for security monitoring. It includes UEBA, threat intelligence, behavioral analytics, etcetera. We also use it to automate incidents into tickets.

How has it helped my organization?

The solution improved our organization in a few ways. The key one is the cloud layer of integrations. When we were on-premises with SAP monitoring, we faced a few issues in the integration of cloud infrastructure logs. Once we moved into the Sentinel Cloud, the integration was pretty easy. Monitoring the cloud infrastructure and their respective applications and their cloud-native products became pretty easy in terms of integration with monitored areas.

Also, the cost of infrastructure is no longer an issue.

The detection layer has also been improved with analytics. Plus, it keeps on getting better in Sentinel. Since 2020, I've seen Sentinel has made a lot more changes in feature improvements and performance. They’re fine-tuning detection and analysis layers.

What is most valuable?

The analytics rules are excellent. It's pretty easy to create them. It’s all about SQL queries that we need to deploy at the back end.

The search of the logs is easy. Before, there were no archival logs. Now, in recent versions, it’s easy to bring back the logs from the archives. We can research and query the archive of logs very easily.

The visibility is great. It gives good alerts. The way an analyst can go and drill down into more details is simple. The ability to threat hunt has been useful.

Sentinel helps us prioritize threats across the enterprise. With it, we have a single pane for monitoring security logs. As an MSP, they just ingest all the logs into the system, and this actually leads to a hierarchy for our integrations. It’s easy to review the logs for auditing purposes.

We use more than one Microsoft security product. Other team members use Intune, Microsoft CASB, and Microsoft Defender as well. It’s easy to integrate everything. You just need to enable the connector in the back end. It takes one minute. These solutions work natively together to deliver coordinated detection responses across our environment. We just integrated the Microsoft Defender logs into Sentinel. It already has the prebuilt use cases in Sentinel, including threat-hunting playbooks, and automation playbooks. It's pretty easy and ready to use out of the box.

Sentinel enables us to ingest data from our entire ecosystem. That's really the high point for us. The coverage needs to be expanded. The threat landscape is getting wider and wider and so we need to monitor each and every ecosystem in our customer organization's endpoints, including the endpoints or applications for systems or on the servers or network level. It needs to be integrated on all levels, whether it’s on-premises or cloud. It is really important to have a single point of security monitoring, to have everything coordinated.

Sentinel enables us to investigate threats and respond holistically from one place. For that analyst team, the Sentinel page is like a single point of investigation layer for them. Whenever an incident is created, they can just come in and get deeper into a particular investigation incident. They are able to get more information, figure out the indicators, and make recommendations to customers or internal teams to help them take action.

Given its built-in UEBA and threat intelligence capabilities, the comprehensiveness of Sentinel's security protection is really nice. The UEBA can be integrated with only the AD logs. And, since they need to get integrated with the networks and the VPN layers as well, it’s useful to have comprehensive security. It can be integrated into other Microsoft security products as well.

Sentinel pricing is good. The customer doesn't want to worry about the enterprise infrastructure cost in the system. They worry about the enterprise cost and the management, and operation, CAPEX, et cetera. However, in general, the customer simply needs to worry only about the usage, for example, how much data is getting sent into the system. We can still refine the data ingestion layer as well and decide what needs to be monitored and whatnot. That way, we can pay only for what we are monitoring.

Our Microsoft security solution helps automate routine tasks and helps automate the finding of high-value alerts. By leveraging Sentinel's automation playbook, we have automated the integrations and triage as well. This has simplified the initial investigation triage, to the point where we do not need to do any initial investigations. It will directly go on into layer two or it directly goes to the customer status.

Our Microsoft security solution helped eliminate having to look at multiple dashboards and gave us one XDR dashboard. The dashboard is pretty cool. We now have a single pane of glass. A lot of customization needs to be done, however, there are predefined dashboards and a content hub. We still leverage those dashboards to get the single view into multiple days, including the log volumes or types of security monitoring or in the operation monitoring system.

Sentinel saves us time. Even just the deployment, it only takes ten minutes for the cloud. When you have on-premises tasks that are manual, it can take hours or a day to deploy the entire setup. Integrating the log sources used also takes time. By enabling out-of-the-box tools, we can save a lot of time here and there. Also, once you leverage automation, by simply leveraging logic apps in a local kind of environment, you don’t need to know much coding. You just need knowledge of logic at the back end.

The solution has saved us money. While I’m not sure of the exact commercial price, it’s likely saved about 20% to 30%.

The solution decreased our time to detect and our time to respond. For time to detect, by leveraging analytic rules, we’ve been able to cut down on time. Everything is happening within minutes. We can begin remediation quickly instead of in hours.

What needs improvement?

The UEBA part needs improvement. They need to bring other log sources to UEBA. 

The reporting could be more structured. There are no reporting modules or anything. It's only the dashboard. Therefore, when a customer requests a report, you need to manually pull the dashboard and send it to the customer for the reporting. However, if there was a report or template there, it would be easier to schedule and send the weekly reports or monthly executive reports.

The log ingestion could be improved on the connector layer.

For how long have I used the solution?

I've been using the solution since November of 2020. 

What do I think about the stability of the solution?

The solution is stable. We had some issues with an automation component. There might have been outages on the back end, however, it's mostly fine.

What do I think about the scalability of the solution?

We have about 25 people using the solution in our organization, including analysts. 

You only need to pay for what you are ingesting and monitoring. It scales well. There are no issues with it. 

How are customer service and support?

Support is okay. We don't have many issues on the platform layers. We might reach out to support for integration questions. Largely, the engineering team would handle support cases. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We do use other solutions. We added this solution as we needed to support cloud-native customers. 

We also use LogRhythm among other solutions.

Each solution has its own pros and cons. There isn't a direct contrast to each. Some have better reporting. However, Sentinel has very good analytical rules and automation. LogRhythm, however, requires more backend work. 

How was the initial setup?

The deployment of the Microsoft bundle is pretty easy. It's fast and saves time. In ten minutes, we can deploy Sentinel to the customer and start monitoring data with the existing rules. You'll have dashboards in thirty minutes. One person can do the deployment. To manage the solution, one can manage the ingestion, and one can manage the detection layers.

The solution does not require any maintenance. You just have to make sure it's up to date.

We're using it in the automotive and energy industries. 

What's my experience with pricing, setup cost, and licensing?

When we calculated the pricing, we thought it was 10% to 20% less, however, it depends on how much data is being collected. It's not overly expensive. It's fairly priced. 

What other advice do I have?

Security vendors are chosen based on use cases. Those gaps are met by the respective solution. The benefit of a single vendor is that everything is on a single-layer stack. It helps you see everything in one single pane. 

I'd rate the solution eight out of ten. 

We are a Microsoft partner, an MSP. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSP
PeerSpot user
JasonLau - PeerSpot reviewer
Security Engineer at a tech services company with 51-200 employees
Real User
Sep 7, 2023
Great connectivity, integration capabilities, and analytics
Pros and Cons
  • "The connectivity and analytics are great."
  • "They only classify alerts into three categories: high, medium, and low. So, from the user's point of view, having another critical category would be awesome."

What is our primary use case?

As a security engineer, I help onboard with Sentinel. I enable all the connectors and tune the analytics to minimize the number of false positives.

How has it helped my organization?

We're a Microsoft house and it provides very good visibility into all the threats a company might be facing. 

What is most valuable?

The connectivity and analytics are great.

It allows people to connect to different data sources under a single pane of glass.

The visibility is great in terms of having the notebook features. By using the notebook features, people can generate different graphs, which helps create greater visibility on the front end.

We've been able to integrate other products, including Defender. It's super easy to integrate them. All Microsoft products easily connect with each other. They coordinate together to help with detection and response across our network. This is critical. 

This allows me to have better visibility to understand what is happening on each endpoint.

The threat protection is pretty comprehensive across Microsoft products. Having dependable endpoints and other security tools ensures good security overall. In terms of compliance, you have a lot of data that can help ensure comprehensive information is available and transparent. 

We like that it's on the cloud.

Sentinel does allow us to ingest data from our entire ecosystem. This plays an important security role.

We can investigate threats holistically from one place. Having everything centralized makes security easier and helps us better understand what is happening. 

Sentinel's security protection helps us to better identify anomalies or erratic user behavior. It helps me minimize false positives. 

There is good automation. They do an okay job.

Consolidating into one dashboard has made it possible to have a holistic view of security. I can investigate issues and have better visibility.

Overall, the solution has saved me time. I'm not sure if I can quantify it, as I'm on the engineering side. 

The product has helped save the organization money. 

It has decreased our time to detect and time to respond. 

What needs improvement?

They only classify alerts into three categories: high, medium, and low. So, from the user's point of view, having another critical category would be awesome. That would minimize the level of high alerts and break them down so we understand which are truly critical. We should be able to prioritize more effectively. Right now, this doesn't necessarily help users to prioritize when it comes to the alert or triage.

The bi-directional capabilities are okay. However, sometimes I need to fall back on Defender for cloud.

For how long have I used the solution?

I've been using the solution for two or three years now.

What do I think about the stability of the solution?

The stability is okay. I've only experienced one outage.

What do I think about the scalability of the solution?

We have about 200 staff on the solution. 

The scalability is very good. All I have to do is enable data sources in order to expand. 

How are customer service and support?

I haven't had much contact with technical support. My one experience was okay. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I did not previously use a different solution.

How was the initial setup?

The initial deployment is straightforward. The entire process was as simple as following clear steps. We basically create a workspace and push the pipeline.

As long as a person has relevant access to Azure, one person would be enough in terms of handling the deployment. 

We did a deployment in a single location, not across multiple locations. 

There is a bit of maintenance, in terms of ensuring logs are being digested. The number of people involved depends on the situation. We have two to three people who may check logs or connectors. 

What about the implementation team?

We are consultants for clients. We help SMEs deploy the solution. 

What was our ROI?

We have witnessed an ROI while using the solution, however, I cannot quantify the amount exactly.

What's my experience with pricing, setup cost, and licensing?

Sentinel charges based on ingestion. If Microsoft would allow us to view the logs before ingesting something we don't want, that would make the pricing better. Sometimes we don't want to pass illegitimate data into Sentinel, yet I don't have a choice. 

It's not cheap. However, it's okay pricing.

Which other solutions did I evaluate?

I did not evaluate any other options previously.

What other advice do I have?

I'd rate the solution eight out of ten.

I'd tend to go with a single vendor over best of breed. A company like Microsoft allows everything to easily link various products together. 

If you are using Microsoft Sentinel, go for the XDR solutions as well. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer.
PeerSpot user
IT Manager at a manufacturing company with 501-1,000 employees
Real User
May 19, 2023
Highly efficient and a time-saving solution with a single and easy dashboard in place
Pros and Cons
  • "Previously, it was a little bit difficult to find where an incident came from, including which IP address and which country. So in Sentinel, it's very easy to find where the incident came from since we can easily get the information from the dashboard, after which we take action quickly."
  • "Microsoft should improve Sentinel, considering that from the legacy systems, it cannot collect logs."

What is our primary use case?

We are using Microsoft Sentinel for our traditional SOC. So previously, we had multiple products, like VM products, log analytics products, and analysts. We were making so much effort to analyze incidents and events in the security operations center, after which we decide whether it's an incident or an event, and we take action. After Sentinel's implementation, it would be much better and much simpler. For instance, we can now save much more time since in Sentinel, there is artificial intelligence, so the system will decide for you instead of a human. The system will learn what kind of thing you should take action on, and it will save some time since you do not need much human power. In traditional SOC systems, there were three or four people. But in Sentinel, it's much easier, and you do not need so many people in the SOC. So you will save time and keep it cost-effective.


How has it helped my organization?

Previously, we were incurring a huge cost being paid to a person. But in Sentinel, you do not hire anyone because the system provides system insights through the cloud applications. So you do not need to put in effort, or you don't need to hire any of the senior people. So, in your SOC team, there would be mid-level people, and it would be fine. Also, you do not need so many people. So, one or two people left the organization after the Sentinel implementation. So we just have an agreement with one company at a professional level since they're also managing Sentinel. We do not need to pay for the maintenance of applications. So that's also a benefit for us. So, in this case, we are only paying Sentinel yearly or annual costs.


What is most valuable?

Previously, we could not do some automation. So in Sentinel, we create some playbooks, and with some features in the playbooks, we have some capabilities. For example, when a virus enters the system, we will take action to keep the system safe. So, the machine with the virus can be automatically isolated from the network, and this might be a pretty cool feature in the solution currently.


What needs improvement?

Microsoft Sentinel has improved our entire SOC, like our log system and incident response. So we are able to quickly respond to incidents and take action. Even though Microsoft Sentinel has already improved our system, it should further improve for on-premises systems or traditional systems, especially to get or collect logs from the legacy systems. Also, Microsoft should improve Sentinel, considering that from the legacy systems, it cannot collect logs.

For how long have I used the solution?

I have been using Microsoft Sentinel for about six months. My company has a partnership with Microsoft.


How are customer service and support?

I have not contacted technical support.

Which solution did I use previously and why did I switch?

We are using Microsoft Intune. From the mobile device management point of view, it makes work very easy. We are just planning that with Microsoft Intune, we can easily export some logs to Sentinel to analyze them. We are not using this feature right now, but we are planning. If you are using Microsoft applications, it's very easy to integrate them with other Microsoft products.

Defender is something that we are using as an antivirus for Android applications, but we are not using it on the cloud.


What's my experience with pricing, setup cost, and licensing?

From a cost point of view, it is not a cheap product. It's, like, an enterprise-level application. So if you compare it with a low-level application, it's expensive, but if you compare it with the same-level application, it's pretty much cost-effective, I think. Because for other products, you need to purchase them by paying thousands of dollars. In Sentinel, you pay for how much you use, or you just pay for how much you consume storage, log interface, or system. It will not be a one-time cost, but it will be like a continuous rental system, where you subscribe to an application, and then you use it. That's very easy. I think the company got the solution for a long time. If you purchase some products, you need to invest in something, and it increases your investment budgeting. Many enterprises do not like investments. But this is not a one-time cost, to be honest, since continuously, we will pay. This is maybe a negative point of view, but considering from company to company, it entirely depends on a company's strategy.


What other advice do I have?

Previously, it was a little bit difficult to find where an incident came from, including which IP address and which country. So in Sentinel, it's very easy to find where the incident came from since we can easily get the information from the dashboard, after which we take action quickly.

Sentinel does provide me with the ability to set priorities on all the threats across your entire enterprise. So, it is very important because we were previously getting the service from the outside. It would be yes. Sentinel is a next-generation SOC. So, Sentinel also still develops some applications on Sentinel's site, so maybe in the next release, they will introduce a much more effective version for the company. I'm not sure how many companies use it right now. Maybe in the future, more companies will use Sentinel because its features are such that compared to the traditional SOC systems, they are not affected since the system is a cloud-based system. So it's easy to manage. Also, you don't need to care about it from an infrastructure point of view. Additionally, we don't need to take care of products, and we don't need to take care of maintenance. From a product point of view, we do not need to manage since we just need to focus on the incident event.

Right now, we are using very traditional applications, so there is no use of native Microsoft applications right now.

Sentinel enables me to ingest or collect data from my entire ecosystem, but not all of them, because some traditional applications cannot provide some data needed for export. It cannot allow you to get reports or logs from outside. It's a challenging point, so this might be an opportunity for us to change the traditional application. In traditional applications, and sometimes in IT systems, it might be very difficult to get data insight. In some cases, we need to change the application since, in traditional applications, you cannot get support. To fix it, you need to decide something, or maybe you need to decide on the application change. It might be an opportunity for you. But in the next-generation application, there is no problem. With a new application, you can easily integrate with Sentinel. In Sentinel, the negative point is just related to cloud applications. With cloud applications, maybe sometimes you cannot get data from the on-prem application. So if you use a cloud system, like Sentinel, which is a cloud system, then it's very easy. If you are using an on-prem system, Microsoft Sentinel sometimes may not be easy to integrate.

Sentinel allows me to investigate threats and respond quickly and thoroughly from just one place. It accelerates our investigation, especially our event investigation and incident investigation. Using Sentinel, we take quick actions and get quick insights after its standard implementation. So it is time-efficient.

Previously, we had no SOAR applications. In Sentinel, if you want to take action quickly, you need to create playbooks so that if something happens, you can just develop an application like a playbook in Sentinel so that if something happens, you can tell Sentinel to take action. You can freely create your own playbooks since it's very easy. In my opinion, this is the best feature of one product. Normally, you need to purchase two applications or two products. But in Sentinel, they combine everything together. This is the most beautiful feature for me.

Sentinel helps automate routine tasks and helps automate the finding of high-value alerts. We do not need to create manual operations like when our system engineers see the incident and they do a system analysis. So after Sentinel, the system analysis is not done by anyone since Sentinel can already make decisions and then take action by itself. So at this point, there's no human power. Sometimes human power is needed, but maybe eighty percent or ninety percent of the time, there is no human power needed. So, it has caused significant improvements in our entire company.

Sentinel has helped eliminate having to look at multiple dashboards and has given us just one XDR dashboard. Previously, we had to check multiple dashboards, especially in relation to whether logs were coming and other things, like incidents and events. In Sentinel, you do not need to check many dashboards. So you are just designing one dashboard, and then, on the entire dashboard, you will see everything. So, it now saves time since previously there were multiple dashboards causing our engineers and our analysts to get confused at times. So they used to ask our managers to understand better. Currently, it is very easy to understand since one needs to check in on one dashboard, and there's no confusion among the engineers. They do not need to ask anyone to understand. Apart from better understanding, it has improved our systems.

From a security point of view, you need to go with multiple vendors, but this is a traditional system. But right now, if you want to create a good security system, you need to implement each product with one vendor. Because vendors currently state that, if you want to have a high-level security system, you need to implement each product at a security level from one vendor. Microsoft-level vendors offer many features, but people only just purchase or use one product, and that's all. It's not good for security infrastructure. So, you need to implement all security products from just one vendor. I think one vendor and the needed security products will be enough for a company. Sentinel is our next-generation SOC. Currently, I don't see any competitors at this level.

I rate the overall solution a nine out of ten.


Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
reviewer2153655 - PeerSpot reviewer
Cyber Security Analyst at a tech services company with 11-50 employees
Real User
Apr 20, 2023
It creates a focal point for incidents, so it's much easier to get a comprehensive view of our security posture
Pros and Cons
  • "I like the ability to run custom KQL queries. I don't know if that feature is specific to Sentinel. As far as I know, they are using technology built into Azure's Log Analytics app. Sentinel integrates with that, and we use this functionality heavily."
  • "When we pass KPIs to the governance department, there's no option to provide rights to the data or dashboard to colleagues. We can use Power BI for this, but it isn't easy or convenient. They should just come up with a way to provide limited role-based access to auditing personnel."

What is our primary use case?

We use Sentinel to monitor logs, build alarms, correlate events, and fire up specific automation boards in the event of a security incident. 

How has it helped my organization?

Sentinel creates a focal point for cybersecurity incidents, so it's much easier to correlate logs and incidents to get a more comprehensive view of our security posture. Microsoft provides many educational resources, so onboarding new people is easy. 

It took us about a month to realize the benefits of Sentinel. Integrating all the Microsoft security products into the solution was straightforward. It seamlessly integrates with Microsoft Logic Apps, so it's easy to develop custom playbooks and automate many manual tasks. 

Automation has made us more efficient and effective because we're free to focus on priority alerts. Sentinel has reduced the time spent on menial security tasks by 30-40 percent. Sentinel consolidates our dashboards into a single XDR console, one of our strategic goals. We're moving all of the data into Microsoft Sentinel to create a single point of truth for security incidents.

Microsoft provides some threat intelligence for significant incidents. They provide us with remediation and mitigation controls we can implement to react to these potential threats much faster.

What is most valuable?

I like the ability to run custom KQL queries. I don't know if that feature is specific to Sentinel. As far as I know, they use technology built into Azure's Log Analytics app. Sentinel integrates with that, and we use this functionality heavily.

Threat prioritization is a crucial feature. It already has them in order, so we know we should investigate high alerts first and move down the line to the less urgent ones. 

We use all of the other Microsoft security solutions in addition to Sentinel. They all can be integrated together seamlessly to deliver comprehensive threat detection and response. 

What needs improvement?

I would like to see additional artificial intelligence capabilities. They're already working on this with new features like Microsoft Security Copilot. This will help us investigate incidents much faster. 

When we pass KPIs to the governance department, there's no option to provide rights to the data or dashboard to colleagues. We can use Power BI for this, but it isn't easy or convenient. They should just come up with a way to provide limited role-based access to auditing personnel.

For how long have I used the solution?

I have used Sentinel for two years.

What do I think about the stability of the solution?

We haven't experienced any downtime, so I think Sentinel is highly stable. 

What do I think about the scalability of the solution?

Sentinel runs on the cloud, so it scales automatically. 

How are customer service and support?

I rate Microsoft's support a 10 out of 10. They can connect you with the developers, and you get answers quickly. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I also worked with RSA enVision at my previous company. Sentinel has advantages because of its tight integration with the Microsoft ecosystem. It's effortless to set up because you don't need specific connectors. Sentinel works out of the box. It makes sense for a company that primarily works with Microsoft products to use Sentinel for security monitoring.

How was the initial setup?

Sentinel runs on the Microsoft Azure Cloud, so it was easy to set up. It took about two days to set it up. You start by integrating the Microsoft security solutions using the available connectors and move on to the firewall, SysTalk databases, and application-specific logs. 

It's a bit more complicated to come up with custom rules and alarms, so that's the last part of our implementation strategy. We completed the deployment with two or three people and the help of Microsoft support. Because Sentinel is deployed in the cloud, it doesn't require any maintenance. 

What was our ROI?

Our ROI comes from automating lots of tasks. 

What's my experience with pricing, setup cost, and licensing?

Microsoft Sentinel is pretty expensive, and they recently announced that they will increase the price of all Microsoft services running in Azure by 11 percent. Luckily, I'm not responsible for the financial side. For one of my clients, the estimated cost is 880,000 euros for one year. There are additional costs for the service agreement. 

What other advice do I have?

I rate Microsoft Sentinel an eight out of ten. I recommend taking advantage of the virtual training before you implement Sentinel. Familiarize yourself with the product, dashboards, features, integration, etc., before you decide to use it. 

A single-vendor strategy is preferable because it's easier to integrate them. Otherwise, it can get complicated.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.
Updated: December 2025