JasonLau - PeerSpot reviewer
Security Engineer at a tech services company with 51-200 employees
Real User
Great connectivity, integration capabilities, and analytics
Pros and Cons
  • "The connectivity and analytics are great."
  • "They only classify alerts into three categories: high, medium, and low. So, from the user's point of view, having another critical category would be awesome."

What is our primary use case?

As a security engineer, I help onboard with Sentinel. I enable all the connectors and tune the analytics to minimize the number of false positives.

How has it helped my organization?

We're a Microsoft house and it provides very good visibility into all the threats a company might be facing. 

What is most valuable?

The connectivity and analytics are great.

It allows people to connect to different data sources under a single pane of glass.

The visibility is great in terms of having the notebook features. By using the notebook features, people can generate different graphs, which helps create greater visibility on the front end.

We've been able to integrate other products, including Defender. It's super easy to integrate them. All Microsoft products easily connect with each other. They coordinate together to help with detection and response across our network. This is critical. 

This allows me to have better visibility to understand what is happening on each endpoint.

The threat protection is pretty comprehensive across Microsoft products. Having dependable endpoints and other security tools ensures good security overall. In terms of compliance, you have a lot of data that can help ensure comprehensive information is available and transparent. 

We like that it's on the cloud.

Sentinel does allow us to ingest data from our entire ecosystem. This plays an important security role.

We can investigate threats holistically from one place. Having everything centralized makes security easier and helps us better understand what is happening. 

Sentinel's security protection helps us to better identify anomalies or erratic user behavior. It helps me minimize false positives. 

There is good automation. They do an okay job.

Consolidating into one dashboard has made it possible to have a holistic view of security. I can investigate issues and have better visibility.

Overall, the solution has saved me time. I'm not sure if I can quantify it, as I'm on the engineering side. 

The product has helped save the organization money. 

It has decreased our time to detect and time to respond. 

What needs improvement?

They only classify alerts into three categories: high, medium, and low. So, from the user's point of view, having another critical category would be awesome. That would minimize the level of high alerts and break them down so we understand which are truly critical. We should be able to prioritize more effectively. Right now, this doesn't necessarily help users to prioritize when it comes to the alert or triage.

The bi-directional capabilities are okay. However, sometimes I need to fall back on Defender for cloud.

Buyer's Guide
Microsoft Sentinel
February 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: February 2024.
757,198 professionals have used our research since 2012.

For how long have I used the solution?

I've been using the solution for two or three years now.

What do I think about the stability of the solution?

The stability is okay. I've only experienced one outage.

What do I think about the scalability of the solution?

We have about 200 staff on the solution. 

The scalability is very good. All I have to do is enable data sources in order to expand. 

How are customer service and support?

I haven't had much contact with technical support. My one experience was okay. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I did not previously use a different solution.

How was the initial setup?

The initial deployment is straightforward. The entire process was as simple as following clear steps. We basically create a workspace and push the pipeline.

As long as a person has relevant access to Azure, one person would be enough in terms of handling the deployment. 

We did a deployment in a single location, not across multiple locations. 

There is a bit of maintenance, in terms of ensuring logs are being digested. The number of people involved depends on the situation. We have two to three people who may check logs or connectors. 

What about the implementation team?

We are consultants for clients. We help SMEs deploy the solution. 

What was our ROI?

We have witnessed an ROI while using the solution, however, I cannot quantify the amount exactly.

What's my experience with pricing, setup cost, and licensing?

Sentinel charges based on ingestion. If Microsoft would allow us to view the logs before ingesting something we don't want, that would make the pricing better. Sometimes we don't want to pass illegitimate data into Sentinel, yet I don't have a choice. 

It's not cheap. However, it's okay pricing.

Which other solutions did I evaluate?

I did not evaluate any other options previously.

What other advice do I have?

I'd rate the solution eight out of ten.

I'd tend to go with a single vendor over best of breed. A company like Microsoft allows everything to easily link various products together. 

If you are using Microsoft Sentinel, go for the XDR solutions as well. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer:
Flag as inappropriate
PeerSpot user
Associate Manager at a tech services company with 10,001+ employees
Real User
Easy to manage with good automation and machine learning capabilities
Pros and Cons
  • "The machine learning and artificial intelligence on offer are great."
  • "Azure Sentinel will be directly competing with tools such as Splunk or Qradar. These are very established kinds of a product that have been around for the last seven, eight years or more."

What is our primary use case?

Sentinel is a solution called SIEM - security information event management. It's for monitoring an entire organization from a security point of view. Along with the monitoring, what happens in the SIEM is you have to raise incidents. If there are any kind of security issues or breaches or people are trying to get into the system, you have to raise an incident ticket. You collect the event information from the systems. You'll be able to see if it's, for example, a machine or account, or an active directory outage. You can process that information using machine learning AI, and then raise incidents. It's basically helping a security operations center team (SOC). With the help of Azure Sentinel, we can build a SOC.

There are plenty of use cases. You have to cover your entire security environment. For example, a brute force attack against your Azure Portal. If someone is trying to guess your password, you will see the incident. When somebody puts four, five wrong passwords, and then a correct password, it could mean someone is trying to guess your password and you would see that. Basically, there are a lot of use cases, however, all of them revolve around monitoring security. Whenever something happens, we should get alerted or we can proactively assess our environment.

With Sentinel, you can also do the hunting. It'll try to identify if your environment is compromised with any kind of attack. In most cases, it'll try to protect your organization before this attack can happen. If somebody is trying to snoop in your environment, we can track him. Or if somebody is trying to guess your password, we can protect the password. If somebody is injecting the malware, we can identify and protect the organization.

How has it helped my organization?

The solution has improved functionality as most of the organization will be in the cloud. If an organization is already on the Azure cloud, then they don't have to go for any other solution for the SIEM. They can easily integrate Sentinel. Most of us are on the Microsoft products, so it's very easy to deploy this with the Microsoft products as well as to the other products. 

What is most valuable?

In terms of Sentinel, it's a best-in-class solution. The SIEM solution is hosted in the cloud. When you compare it with the other tools, the on-premises tools may not be that great.

The best piece about it is when it comes to the traditional SIEM solutions, it's very hard to manage them. First of all, licensing will be there. Then you need to manage underlying infrastructure as well. You also need a big setup. All these things aren't necessary with Sentinel due to the fact that it's on the cloud. You just get a cloud subscription and do a pay-as-you-go model.

The machine learning and artificial intelligence on offer are great. These are the things that happen in the background that we do not see. Whenever you have an incident, it will provide you with all the options so that you can drill down. For example, I have identified one incident where somebody was trying to do a brute-force attack. When this incident was generated, I had a lot of data with which I could start to investigate things.

It provides the best-in-class hunting capabilities. It's very easy to write the hunting logic. You have to write some searching queries. It's very easy to write those all queries and identify the test.

It'll give you the capabilities of automation. Azure is not only about security or infrastructure. It has a lot of programming features, functions, logic apps, and automation. You can easily integrate. If you can do a little bit more programming, then you can integrate it with functions or automation, or anything else.

There is a different tool for security postures. That's called Azure Security Center. From November, it's going to be called Azure Defender. This tool does not do posture management, however, it can integrate with Azure Security Center. There is also this XDR tool, Microsoft Defender. It can easily integrate it. Once you set up the integration between these tools, then you will have the advantage of both the tools. You will have a unified ticketing system where you can view the alerts from XDR and you can view the alerts from the posture management and from the SIEM.

What needs improvement?

Every month there are new features in Sentinel and the tools are stable. All the features and functionality that those tools provide are slowly coming to the Azure Sentinel as well. So it's improving a lot day by day. 

Initially, we had the data connector that could bring the data from any of the platforms that we wanted to monitor. Now, Microsoft has improved the solutions and they're providing a lot of options. While you can (and now have) almost all the functionalities that are needed for SIEM capabilities, it's still adapting to new things as well. 

Azure Sentinel will be directly competing with tools such as Splunk or Qradar. These are very established kinds of a product that have been around for the last seven, eight years or more. They have a lot of good things going for them and are slightly ahead of Microsoft, which is new to the game. However, Microsoft is adapting. Microsoft keeps working on its solutions and offers feature request platforms as well. We have given them a lot of feedback in terms of some customizations - and they keep adding to it. There are a lot of new things that are in the pipeline. In the next four to six months, we will see more new features which will further enhance the existing tools.

For example, there were some custom fields that were missing. We wanted to do mapping of the custom fields and this capability wasn't there in the Sentinel. However, when we requested it they implemented it.

For how long have I used the solution?

I have been on Sentinel for the last two to two and a half years. Initially, I was just doing it for my own self-interest, however, for the last one and a half years, it's been more of a professional relationship and I've been working with it for customers.

What do I think about the stability of the solution?

The solution is quite stable. I have not seen any downtime so far. It is working for customers as well. It's good. It's on a cloud and therefore we need not worry about maintaining the databases or maintaining the platforms, or wherever the data is stored. It's all Microsoft's responsibility.

What do I think about the scalability of the solution?

The scalability is a unique selling proposition for Sentinel. Due to the fact that it's on the cloud, you can scale it up to any limit. Of course, you have to pay for whatever data you are storing. As compared to an on-premises tool the sometimes they may fail to scale, however, this is great. You don't have to bring up a lot of hardware with Sentinel. 

This solution is being used quite extensively right now.

Whether or not the usage will increase depends on the pricing that comes up the more you use it. We have to pay for whatever data, telemetry, that gets into the Sentinel. For example, let's say today I collected 1GB of data, tomorrow I'm going to collect 5GB of data. Microsoft can easily hold this, however, then they also provide you with some kind of plans. You can reserve the space. You can say "I will use 100GB of data per month." Microsoft will give you a discount and you have to pay for the reserved 100GB. It is a pay-as-you-go model.

The solution is used by the development team, which sets it up, and then by the SOC team, which takes over and starts monitoring for security incidents.

How are customer service and support?

Technical support depends on what kind of agreement you have with Microsoft. If you are a premier customer, under the top 100, then they can provide you with some direct connection with the Microsoft program managers. You can have a conversation with them once every two weeks. If you are not in the premier tier, if you are just directly buying it from Azure, then technical support, again, depends. There are two types of technical service. One is the professional and the second one is the premier. Premier support is good. Obviously, you will be paying extra for it. Professional support is not that great. Often, I'd rather not involve them. They will simply mess up things. It's better to just post your questions on the forums and try to get some answers from the experts.

I use all kinds of support. If you are working for a customer who has a very good rapport with Microsoft and they are their top Azure consumer, then they can do things for you. If you give them feedback and you are potentially a big customer for Sentinel, then they will try to adjust things according to your environment. However, if you are not, you are just using Sentinel, then it's okay. It all depends on how much money you are paying and how much business you are doing with Microsoft. 

If a customer is planning to buy Sentinel, then they should initially negotiate with Microsoft for premier support. They can ask for 100 hours of premier support or the fast-track service. You can initially negotiate for a situation where, if some technical issues arise, then you will only work with premier support, and you can reserve your 100 or so hours for that. 

Initially, it's better to agree in advance with Microsoft that you will be needing X number of technical support or the fast-track service or engagement with the Sentinel development team.

Which solution did I use previously and why did I switch?

I did not use a different solution. I'm from the Azure Log Analytics Monitoring part. I came from that side.

We directly jumped into Sentinel. I've heard that people are doing migrations from Splunk. That's the number one tool that's available for SIEM. However, I directly started from Sentinel.

How was the initial setup?

The initial setup is very easy. You just need some basic knowledge of the monitoring platform called Azure Log Analytics. If you have the knowledge of Azure Log Analytics, then you can easily set up this.

If you just want to set up over the Azure Portal, then it will hardly take 15 to 20 minutes to deploy. Of course, this is not the final setup. The final setup is when you will be connecting it with different sources. For example, if you have 100 machines, you will have 100 Linux machines, you will have routers and switches too. Everything you want to monitor needs to be there. You have to implement these all solutions one by one as per your requirement. If your requirement is you will want Linux machine monitoring, you want firewall monitor, then it can take time, however, it is pretty easy to accomplish.

What's my experience with pricing, setup cost, and licensing?

The pricing model is good. Microsoft does the reservations as well. Perfect planning is needed, as, once you reserve the space, you can save up to 30% or 40% of the cost. If you are not doing good planning, then it'll cost you a lot. However, from a costing point of view, it's fair and comparatively low. It's not a costly service.

Which other solutions did I evaluate?

I'm not the decision-maker. I was mostly from the Azure Log Analytics Monitoring background, however, when this was released, even the Microsoft CEO and CTO were touting its abilities. Initially, I looked at it for self-interest, and then we thought of implementing it for our labs, and then we found it fruitful. Then we started getting Sentinel projects. 

What other advice do I have?

I'm a consultant and service provider.

It's hosted on a cloud. There is nothing like versioning or anything. It's just software as a service.

I would rate the solution at around eight out of ten. When we do the migration, there are still few people who are used to it. Not many have hands-on experience. Sometimes we struggle in maintaining gaps.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Microsoft Sentinel
February 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: February 2024.
757,198 professionals have used our research since 2012.
Sr. Microsoft Solutions Specialist at a tech vendor with 1,001-5,000 employees
MSP
A great service that provides an additional layer of protection and security for all on-prem and on-cloud data points
Pros and Cons
  • "One of the most valuable features is that it creates a kind of a single pane of glass for organizations that already use Microsoft software. So, when they have things like Microsoft 365, it is very easy for them to kind of plug in or enroll those endpoints into the Azure Sentinel service."
  • "I can't think of anything other than just getting the name out there. I think a lot of customers don't fully understand the full capabilities of Azure Sentinel yet. It is kind of like when they're first starting to use Azure, it might not be something they first think about. So, they should just kind of get to the point where it is more widely used."

What is our primary use case?

Our clients use it for just an overall health check and security check for their deployments, whether it's on-prem or in Azure. Azure Sentinel basically collects the data from any kind of endpoint or server that is enrolled in the service, irrespective of whether they are on-prem or in the cloud. It can be laptop servers, virtual machines. It is a cloud solution, but it does extend to on-prem deployment.

I have been using the most up-to-date version. 

What is most valuable?

One of the most valuable features is that it creates a kind of a single pane of glass for organizations that already use Microsoft software. So, when they have things like Microsoft 365, it is very easy for them to kind of plug in or enroll those endpoints into the Azure Sentinel service.

What needs improvement?

I can't think of anything other than just getting the name out there. I think a lot of customers don't fully understand the full capabilities of Azure Sentinel yet. It is kind of like when they're first starting to use Azure, it might not be something they first think about. So, they should just kind of get to the point where it is more widely used.

For how long have I used the solution?

I have been using Azure Sentinel since it came out, so it has been at least a couple of years.

What do I think about the stability of the solution?

It is very stable. It has been around for a while, and it is a Microsoft product. So, it is pretty secure and pretty stable.

What do I think about the scalability of the solution?

Like all Azure services, it is definitely very scalable. You can very easily and very quickly enroll devices and other data points into Azure. 

How are customer service and support?

Microsoft tech support is pretty good when it comes to Azure. It is really easy to open a ticket because you can do that right through the Azure portal. In addition, my company and other companies that kind of resell Azure services, oftentimes have our own help desk included with the consumption of Azure services. So, we have a 24/7 help desk that works on top of that. There are many managed services partners, like my company, that provide additional services in tech support on top of what Microsoft already has.

How was the initial setup?

It is very straightforward.

What's my experience with pricing, setup cost, and licensing?

It is kind of like a sliding scale. There are different tiers of pricing that go from $100 per day up to $3,500 per day. So, it just kind of depends on how much data is being stored. There can be additional costs to the standard license other than the additional data. It just kind of depends on what other services you're spinning up in Azure, or if you're using something like Azure log analytics.

What other advice do I have?

For any customers who are either looking at Azure or already have Azure or Microsoft 365, this is a great service to look at because it does provide an additional layer of protection and security for all of their data points, whether they are on-prem or in the cloud.

I would rate Azure Sentinel a nine out of 10.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Director - Technology Risk & Cyber at a financial services firm with 10,001+ employees
Real User
Efficient and helpful for identifying the security issues and responding quickly, but lacks simple documentation and specific training
Pros and Cons
  • "It is quite efficient. It helps our clients in identifying their security issues and respond quickly. Our clients want to automate incident response and all those things."
  • "Its documentation is not so simple. It is easy for somebody who is Microsoft certified or more closely attached to Microsoft solutions. It is not easy for those who are working on open-source platforms. There isn't a central point where everything is documented, and there is no specific training or certification."

What is our primary use case?

We internally do not use this solution. We provide advisory for Azure Sentinel because we are Microsoft's partner.

Our clients use it for Security Operations Centers. Some of the clients wish to build a Security Operation Center. They want to perform threat analysis and see that the environment is secure and monitor it. That's why we deploy SIEM solutions.

In terms of deployment, what we see here in Asia, specifically in Malaysia, are hybrid and public cloud deployments.

How has it helped my organization?

It helps our clients in enhancing their security. 

What is most valuable?

It is quite efficient. It helps our clients in identifying their security issues and respond quickly. Our clients want to automate incident response and all those things.

What needs improvement?

Its documentation is not so simple. It is easy for somebody who is Microsoft certified or more closely attached to Microsoft solutions. It is not easy for those who are working on open-source platforms. There isn't a central point where everything is documented, and there is no specific training or certification.

For how long have I used the solution?

It has been almost three years.

What do I think about the stability of the solution?

It is stable. Those who have adopted it are okay with it.

What do I think about the scalability of the solution?

It is a cloud solution, so it is scalable.

How are customer service and support?

Most of us know how Microsoft operates. They are quite good at that.

How was the initial setup?

Its setup is of moderate complexity for me, but I have heard it is complex for others because of the query language and other things.

There is documentation, but I don't think Microsoft is providing a central point where everything is documented. In fact, there is no specific training or certification. There is Microsoft Secure training, but it is not so dedicated. All these things make it moderate.

What's my experience with pricing, setup cost, and licensing?

I have had mixed feedback. At one point, I heard a client say that it sometimes seems more expensive. Most of the clients are on Office 365 or M365, and they are forced to take Azure SIEM because of the integration.

What other advice do I have?

We see that a lot of clients are trying to explore more apart from Azure. Some of the clients are interested in Splunk. Some of the clients are interested in seeing what's available from AWS. This year is quite different in Malaysia because the government has opened up the adoption of public cloud in all sectors, especially in the financial sector. So, we are seeing new requirements coming up. 

I would rate Azure Sentinel a seven out of 10.

Disclosure: My company has a business relationship with this vendor other than being a customer: partner
PeerSpot user
Integrator, Microsoft Security Advisor at a tech consulting company with 5,001-10,000 employees
Real User
Top 20
Easy to integrate, offers good documentation, and the setup is simple
Pros and Cons
  • "The main benefit is the ease of integration."
  • "When it comes to ingesting Azure native log sources, some of the log sources are specific to the subscription, and it is not always very clear."

What is our primary use case?

The usual use cases would be starting from scratch, implementing Sentinel for clients, onboarding log sources, building analytical use case rules, and supporting the platform for operations.

How has it helped my organization?

The main benefit is the ease of integration. Having a cloud-based SIEM means scalability. We also received very good support and documentation from the vendor.

What is most valuable?

All of the features are great. In fact, when they add new features they are always valuable and interesting. There are so many features on offer.

I really appreciate that it is very well documented.

I also use Defender 365, including Defender for Endpoint. It's easy to integrate with Sentinel. In two clicks we can integrate them together.

I have experience with Defender for Cloud. I'm actually getting into the Center for Cloud right now, so I'm just Learning about it. 

Sentinel enables us to ingest data from our entire ecosystem.

It's important to have data visibility for our security operations. Sentinel enables us to investigate the threats and respond from one place. That is very important for operations. We need to be able to easily look and have visibility over what's happening.

Sentinel enabled us to automate routine tasks. It helps us automate the handling of trivial tasks related to alerts. 

With the solution, we no longer have to look at multiple dashboards. I wouldn't say it has completely eliminated looking at different dashboards. As it stands right now, there are two dashboards that we will have to look at. One is Sentinel, and the other one is a ticketing system.

Compared to what's being used, it's saved us some time overall. The ease of use and the clear documentation are helpful in that regard. Someone who doesn't know how to use it can easily go in and find out.

What needs improvement?

When it comes to ingesting Azure native log sources, some of the log sources are specific to the subscription, and it is not always very clear. Sometimes, if the individual doesn't know what they are doing, they might enable it only on one subscription and not on everything that they need to monitor.

For how long have I used the solution?

I've used the solution for two and a half years. 

What do I think about the stability of the solution?

I haven't experienced any stability issues. I've experienced 100% uptime. 

What do I think about the scalability of the solution?

I've never seen it scale up or down. If necessary, it likely happens in the background. It's not visible to clients, however, I haven't noticed any issues. 

How are customer service and support?

My experience with technical support is good. It was an excellent experience. They were very, very responsive to the questions that we had. If they were not able to answer on the spot, during the call, they took it back and discussed the issue with their team. Getting an answer was fairly fast. Overall, I've had a good experience with support and I can't complain.

I'd like them even more if I was able to request support on behalf of clients without having to actually access the client's Azure or having to identify the client's tenants. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I've used Splunk, ArcSight, and QRadar. Sentinel is excellent compared to those solutions. It could always be easier, however, it's pretty much there.

How was the initial setup?

I was involved in the solution's deployment. The cloud deployment takes five minutes and is very easy. The on-premise portion on the other hand, when I first did it a year and a half ago, was a little bit more complex since it involved a lot of customization. However, now it's more streamlined.

There is no maintenance necessary. It's a managed service. There's no patching of any sort. The on-premises components may require a little bit of maintenance every now and then if they need a patch or upgrade. If there are any changes in the environment they would have to be reflected in the configurations. 

What about the implementation team?

I handled the implementation myself. 

What's my experience with pricing, setup cost, and licensing?

I know the price, however, I don't know how it compares with other SIEM solutions. I don't have that visibility. I overheard not too long ago that Sentinel is on the expensive side. However, there are some capabilities that are fairly new that Sentinel offers to lower the cost. 

What other advice do I have?

I'd rate the solution a nine out of ten. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
PeerSpot user
Harman Saggu - PeerSpot reviewer
Cyber Security Engineer at a tech services company with 51-200 employees
Real User
Top 10
Provides valuable alerts and saves investigation time, but can use more connectors
Pros and Cons
  • "The most valuable feature is the alert notifications, which are categorized by severity levels: informational, low, medium, and high."
  • "Microsoft Sentinel should provide an alternative query language to KQL for users who lack KQL expertise."

What is our primary use case?

Microsoft Sentinel serves as a centralized hub for collecting and analyzing logs from various Microsoft tools and other sources. It eliminates the need to develop custom toolsets for detecting malicious activities across different Microsoft tools. Instead, Microsoft Sentinel provides standardized rules and playbooks to streamline the process of identifying and responding to potential threats.

For instance, consider a scenario where an employee clicks on a phishing link in an email, leading to the installation of malware on their system. While the endpoint detection and response tool on the endpoint might not detect malicious activity, Microsoft Sentinel, acting as a central log collector, receives the EDR logs and triggers an event based on pre-defined rules.

Upon detecting the suspicious activity, Microsoft Sentinel automatically executes a playbook, which may involve actions such as killing the malicious process or isolating the affected endpoint. This automated response helps expedite threat containment and reduces the burden on security analysts.

How has it helped my organization?

It is crucial that Sentinel empowers us to safeguard our hybrid, cloud, and multi-cloud environments. We employ a hybrid cloud setup, and securing our environment using Sentinel is significantly simpler than manual methods. We can gather events in the Central Point and develop playbooks and scripts to automate responses. This streamlines the process and enhances our overall security posture. Additionally, if an alert is triggered, we receive an incident notification via email, prompting us to take action and resolve the issue.

Sentinel provides a library of customizable content to address our company's needs.

Microsoft Sentinel has helped our organization with alerts. We'll receive alerts from Sentinel indicating that we're at risk. It's important to address these alerts promptly. We first need to review the information in the email, and then work on the issue in the office. After that, we'll contact the team members on the relevant shift. There's nothing particularly difficult about this process. It's based on our access privileges, which are determined by our role in the company. If we have a high-level role, we'll have access to all the necessary tools and resources. We'll even be able to receive alerts at home if there's a security issue. The company that provides this technology grants work-from-home access based on security considerations. If someone has a critical role, they'll also be equipped with the tools they need to work remotely and connect with their team members. So, the company that provided the technology can resolve the issue first, and then we can address it. Once we've taken care of the issue, everything will be much easier.

By leveraging Sentinel's AI in conjunction with our playbooks for automation, we can enhance the effectiveness of our security team, subject to the specific rules and policies we implement.

The logs provided by Sentinel have helped improve our visibility into our user's network behavior.

Sentinel has helped us save 60 percent of our time by prioritizing the severity of the alerts we receive. When we receive an alert with a high-risk level, we immediately address it to mitigate the potential security threat. Additionally, we have configured our anti-ransomware software, to further protect our systems from cyberattacks. In the event of a ransomware attack, our Halcyon system will generate an encryption key that can be used to unlock our system. This key is securely stored by Halcyon.

Sentinel has helped reduce our investigation times by enabling us to review an alert, generate a ticket, and resolve the issue simultaneously upon receiving the alert.

What is most valuable?

The most valuable feature is the alert notifications, which are categorized by severity levels: informational, low, medium, and high. This allows us to prioritize and address alerts based on their urgency. For instance, we would immediately address high-severity alerts. This feature, along with the ability to create playbooks, significantly enhances our workflow.

What needs improvement?

I would like Microsoft to add more connectors for Sentinel.

Microsoft Sentinel should provide an alternative query language to KQL for users who lack KQL expertise. 

For how long have I used the solution?

I have been using Microsoft Sentinel for one and a half years.

What do I think about the stability of the solution?

Microsoft Sentinel is a stable solution. 

What do I think about the scalability of the solution?

Microsoft Sentinel is scalable.

How are customer service and support?

We have to write playbooks to resolve our issues.

How would you rate customer service and support?

Neutral

How was the initial setup?

The configuration of Microsoft Sentinel involved a complex process that required thorough familiarity with the available connectors and the policies to be implemented.

What was our ROI?

We have seen a 30 percent return on investment.

What's my experience with pricing, setup cost, and licensing?

Sentinel is costly.

What other advice do I have?

I would rate Microsoft Sentinel seven out of ten.

We have five people in our organization who utilize Sentinel.

No maintenance is required from our end.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Flag as inappropriate
PeerSpot user
Sharjeel Khan - PeerSpot reviewer
Head of Security Operations at Edotco Group
Real User
Top 5
Agile, integrates well with other solutions and offers fair pricing
Pros and Cons
  • "The initial setup is very simple and straightforward."
  • "We'd like to see more connectors."

What is our primary use case?

We primarily use the solution for the surrounding management. 

What is most valuable?

The correlation is very useful.

We like that it is an integrated platform. 

It's very much an agile product.

Everything works very well across the product.

The initial setup is very simple and straightforward. 

It is a scalable solution. 

The performance has been good.

What needs improvement?

We'd like to see more connectors.

The solution needs to offer a bit more advancement, enhancement, and scalability with other products as well, including the market competitors.

What do I think about the stability of the solution?

The solution is stable. The performance is good. There are no bugs or glitches. 

What do I think about the scalability of the solution?

The server is scalable.

How are customer service and support?

We haven't really used support all that much. That said, we haven't really had issues with them.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I've worked with other solutions, including, for example, Splunk. For me, each solution has a limitation when it comes to some use cases. It all depends upon the business strategies. 

How was the initial setup?

The initial implementation is very easy. It's straightforward. It's not complex or difficult at all. A company shouldn't have any problems executing a setup.

The deployment process itself is very quick. It only takes maybe 30 to 40 minutes. 

We don't really need any maintenance on the solution. We're usually required to do maintenance when the agent determines it.

What about the implementation team?

We did not require any third parties when it came to setting it up. We didn't use any integrators or consultants. The implementation was handled by in-house personnel. 

What's my experience with pricing, setup cost, and licensing?

There is a community version. Whether or not the pricing is expensive depends on what a company needs and if it covers its requirements. I've been satisfied with the pricing so far. I don't find it overly expensive. 

You do pay a subscription fee for the service if you aren't using the community version. 

Which other solutions did I evaluate?

We're always happy to evaluate any other products on the market.

What other advice do I have?

We are a gold customer.

I would recommend the product if it made sense for an individual company's use case. 

For the people who are on the cloud, I would suggest they go for Sentinel regardless of any other SIEM. It will do a good integration with other solutions, and with other cloud providers while providing a holistic view as well.

I'd rate the solution an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Cyber Security Analyst at a tech services company with 11-50 employees
Real User
It creates a focal point for incidents, so it's much easier to get a comprehensive view of our security posture
Pros and Cons
  • "I like the ability to run custom KQL queries. I don't know if that feature is specific to Sentinel. As far as I know, they are using technology built into Azure's Log Analytics app. Sentinel integrates with that, and we use this functionality heavily."
  • "When we pass KPIs to the governance department, there's no option to provide rights to the data or dashboard to colleagues. We can use Power BI for this, but it isn't easy or convenient. They should just come up with a way to provide limited role-based access to auditing personnel"

What is our primary use case?

We use Sentinel to monitor logs, build alarms, correlate events, and fire up specific automation boards in the event of a security incident. 

How has it helped my organization?

Sentinel creates a focal point for cybersecurity incidents, so it's much easier to correlate logs and incidents to get a more comprehensive view of our security posture. Microsoft provides many educational resources, so onboarding new people is easy. 

It took us about a month to realize the benefits of Sentinel. Integrating all the Microsoft security products into the solution was straightforward. It seamlessly integrates with Microsoft Logic Apps, so it's easy to develop custom playbooks and automate many manual tasks. 

Automation has made us more efficient and effective because we're free to focus on priority alerts. Sentinel has reduced the time spent on menial security tasks by 30-40 percent. Sentinel consolidates our dashboards into a single XDR console, one of our strategic goals. We're moving all of the data into Microsoft Sentinel to create a single point of truth for security incidents.

Microsoft provides some threat intelligence for significant incidents. They provide us with remediation and mitigation controls we can implement to react to these potential threats much faster.

What is most valuable?

I like the ability to run custom KQL queries. I don't know if that feature is specific to Sentinel. As far as I know, they use technology built into Azure's Log Analytics app. Sentinel integrates with that, and we use this functionality heavily.

Threat prioritization is a crucial feature. It already has them in order, so we know we should investigate high alerts first and move down the line to the less urgent ones. 

We use all of the other Microsoft security solutions in addition to Sentinel. They all can be integrated together seamlessly to deliver comprehensive threat detection and response. 

What needs improvement?

I would like to see additional artificial intelligence capabilities. They're already working on this with new features like Microsoft Security Copilot. This will help us investigate incidents much faster. 

When we pass KPIs to the governance department, there's no option to provide rights to the data or dashboard to colleagues. We can use Power BI for this, but it isn't easy or convenient. They should just come up with a way to provide limited role-based access to auditing personnel 

For how long have I used the solution?

I have used Sentinel for two years.

What do I think about the stability of the solution?

We haven't experienced any downtime, so I think Sentinel is highly stable. 

What do I think about the scalability of the solution?

Sentinel runs on the cloud, so it scales automatically. 

How are customer service and support?

I rate Microsoft's support a 10 out of 10. They can connect you with the developers, and you get answers quickly. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I also worked with RSA enVision at my previous company. Sentinel has advantages because of its tight integration with the Microsoft ecosystem. It's effortless to set up because you don't need specific connectors. Sentinel works out of the box. It makes sense for a company that primarily works with Microsoft products to use Sentinel for security monitoring.

How was the initial setup?

Sentinel runs on the Microsoft Azure Cloud, so it was easy to set up. It took about two days to set it up. You start by integrating the Microsoft security solutions using the available connectors and move on to the firewall, SysTalk databases, and application-specific logs. 

It's a bit more complicated to come up with custom rules and alarms, so that's the last part of our implementation strategy. We completed the deployment with two or three people and the help of Microsoft support. Because Sentinel is deployed in the cloud, it doesn't require any maintenance. 

What was our ROI?

Our ROI comes from automating lots of tasks. 

What's my experience with pricing, setup cost, and licensing?

Microsoft Sentinel is pretty expensive, and they recently announced that they will increase the price of all Microsoft services running in Azure by 11 percent. Luckily, I'm not responsible for the financial side. For one of my clients, the estimated cost is 880,000 euros for one year. There are additional costs for the service agreement. 

What other advice do I have?

I rate Microsoft Sentinel an eight out of ten. I recommend taking advantage of the virtual training before you implement Sentinel. Familiarize yourself with the product, dashboards, features, integration, etc., before you decide to use it. 

A single-vendor strategy is preferable because it's easier to integrate them. Otherwise, it can get complicated.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.
Updated: February 2024
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.