Microsoft Sentinel Reviews

Sentinel ingests all the logs from various security products across on-premise and virtual servers. It has a lot of flexibility regarding different third parties that are not Microsoft, which I liked. We had some very, probably not as well-known systems from which it would ingest information. So it was nice to see that it was very flexible.

We have a hybrid setup with Sentinel deployed on the Azure cloud. We've got about 20 server endpoints, 400 desktop or laptop endpoints, and 1,520 network endpoints. The company has around 400 employees and a 10-person IT team operating out of one location in Alabama. 

Sentinel provides a single pane of glass for reviewing logs from disparate sources. Everything is on one XDR dashboard. We have a smaller IT team, so it's cumbersome to go to various places to get information and manage it. Having a clearinghouse of information makes it quicker to get to the critical items and resolve any problem.

Sentinel saved us time because we can find the information we need directly. It's hard to quantify that because we still need to look through lots of information. Without Sentinel, it would take about one to three hours each week to compile information from different sources.

It helps us proactively prevent threats. Sentinel is integrated with Defender and CloudApp. It gives us suggestions about best practices in security and recommends actions if it sees something within the network that seems out of line. The investigation part is thorough. We can figure out exactly what's wrong and what we need to check. Afterward, we have to go to a secondary product.

Sentinel's most important feature is the ability to centralize all the logs in one place. There's no need to search multiple systems for information. The automation capabilities are excellent and can be extended. We haven't tried to extend the automation features, but what is built in is great. 

The solution also has native integration with Microsoft Teams. It creates a Teams chat when there's an issue, so one of our analysts can look at it immediately. It can automatically flag something instead of sending an alert to an email that someone may not read until three weeks later.

Sentinel provides decent visibility, but it's sometimes a little cumbersome to get to the information I want because there is so much information. I would also like to see more seamless integration between Sentinel and third-party security products. 

When alerts appear in the Sentinel console, I can research them and see what to do, but I need to leave Sentinel and go to a second product to execute whatever I need to do. I would like to be able to fix everything within the Sentinel console.  

We used Sentinel for about six months.

We haven't had any issues with Sentinel so far. The uptime has been 100 percent. 

Sentinel is capable of handling all that we ingest. I think we've hit 80 to 100 Gigabytes so far, and it continues to scale upward. I'm pleased with it. It's a rolling scale, so it scales up as needed based on the number of logs you ingest. As long as you're willing to pay to house the data, they'll continue to scale upward with you.

We haven't had to contact Microsoft support for Sentinel yet. That worries me. Sometimes Microsoft support can be a little difficult to reach.

Sentinel was our first foray into the SIEM world. That's one reason we went back and reviewed it again this summer. We wanted to be sure we picked a good product. They mostly gave demos, so we probably didn't get the full run of these secondary products, but it at least gave us a feel for what else was out there.

Setting up Sentinel was pretty straightforward. We set everything up through Azure, and they had excellent documentation as far as integrating modules. They had scripts we could run within other environments to ingest the logs. Getting information into the system was fairly smooth. 

We had to spin up a new virtual machine for Linux because it required a Linux virtual machine within our on-premises environment to send log files. That was the biggest step I had to do. Spinning up another virtual machine is no big deal. 

We didn't pay for any implementation help. Our IT team spent a day talking through the plan. We let the server person spin up our VM and our network person got all the network stuff in place. We came back together and made sure the logs were delivered. Overall, it was a roughly two-week process of setting up and reviewing everything to ensure everything is working correctly. After deployment, there's no maintenance. It's in Azure, so Microsoft handles all the updates and server roles. It's seamless from a maintenance standpoint.

Sentinel was deployed by a four-person in-house IT team consisting of a network admin, systems admin, and a junior engineer who floated between all of us, helping out where they could. I supervised the deployment as the director. 

The jury is still out on whether we see a return, but I am pleased with the investment. Sentinel provides us with some new insights. It helps us improve our security posture with proactive measures, like informing us of best practices. 

These features helped us evaluate things within our network and cloud environments that we needed to tweak. That was a pretty helpful bonus. 

Sentinel's price is comparable to pretty much everything out there. None of it is cheap, but we didn't think we could save money by going a different route. Sentinel was part of our Azure expenditures, so it was easier to add the expense instead of having a completely separate vendor.

The licensing is straightforward because it's within Azure. There are lots of features in Azure that they gave us as a package. It's nice to do this without having to carve out special budgetary items. The flexibility was helpful. 

We looked at a couple of different solutions, including Splunk and Arctic Wolf. We primarily chose Sentinel because we had already carved out a budget within Azure for Sentinel. We could keep it within Azure and roll that into our Azure expenses versus carving out a new budget item for these other products. That was the biggest motivation.

Sentinel kept pace with the other major players in the field. We considered whether there was a better product to ingest all data. We didn't find anything new or different. 

I rate Microsoft Sentinel eight out of ten. If you plan to implement Sentinel, I recommend spending time thinking about all the sources of data you want to ingest. It's flexible in terms of how much you can ingest, but you may not want to pay that much. It might be better to only connect your critical systems to it.

If you're hesitant to adopt Sentinel, you should do a demo. The single pane of glass is nice to have. You'd really have to talk me out of that.

We have had various use cases depending on the needs of our customers.

It is a SaaS-based solution. It does not have any versions.

In traditional SIEM solutions, there is a lot of hardware, and there is a lot of maintenance around it. We require a lot of resources for administrative tasks, whereas with Microsoft Sentinel, we don't have to get into all those details straight away. We can concentrate on the use cases such as detection and start ingesting our logs, and right away, get insights from those logs. In addition, traditional SIEM solutions, such as Splunk, QRadar, LogRhythm, or ArcSight, do not support cloud-based logs much. This is where Microsoft Sentinel comes into the picture. Nowadays, everyone is moving to the cloud, and we need solutions like Sentinel to easily ingest logs and then get insights from those logs.

It has definitely helped to improve the security posture.

The in-built SOAR of Sentinel is valuable. Kusto Query Language is also valuable for the ease of writing queries and ease of getting insights from the logs. Schedule-based queries within Sentinel are also valuable. I found these three features most useful for my projects.

Microsoft Sentinel has many native connectors, which are plug-and-play connectors. You don't have to do any kind of analysis before starting. Taking Azure Cloud logs as an example, once you enable Sentinel and the connector, you start getting the logs straight away. You get a visualization within Sentinel through dashboards, which are called workbooks. So, right from day one, you can have security for Azure Cloud. If you have other clouds, such as AWS and GCP, even they can be included right away.

There is not much guidance on the in-built SOAR solution that uses Azure Logic Apps as a service. For people coming from traditional SIEM solutions, it is difficult to understand how SOAR works. Because the security teams are not from a programming or coding background, they cannot directly jump into SOAR. For Kusto Query Language within Sentinel, Microsoft provides a lot of documents and articles, and they also have a community, but when it comes to SOAR, other than a few open articles, there isn't much information. The documentation part of SOAR should be improved.

The dashboards can be improved. Creating dashboards is very easy, but the visualizations are not as good as Microsoft Power BI. People who are using Microsoft Power BI do not like Sentinel's dashboards.

I have been using this solution since October of 2019.

It is stable.

It is a SaaS-based solution. So, as end-users or customers, we don't have to think about scalability. 

Sentinel Contributor and Sentinel Responder are the primary roles of its users. Users with the Sentinel Contributor role can perform anything on Sentinel. The Sentinel Responder role is allocated to L1 and L2 monitoring teams. They actively monitor the Sentinel console for any triggered incidents and remediate those tickets.

In terms of the number of users, it is a typical SOC team, which depends on the number of incidents. We calculate the full-time employees based on how many alerts are being triggered per month. If 1,000 alerts are being triggered per month, we would need eight FTE to run 24/7 operations.

We definitely have plans to increase its usage. Microsoft is continuously improving this product, and we also have private access where we can see what features are being launched and provide input to them.

Microsoft Sentinel is a SaaS-based solution. They are improving it all the time. You can see new features every month and week. They are bringing more and more features based on customer feedback. That's one of the things that I liked the most about Microsoft Sentinel, which I did not see in other products.

I like their support. When you raise a ticket with Microsoft, you'll get a response within four hours or so. A support person is assigned who then directly reaches out to you on Teams to troubleshoot.

They send the ticket to the right team. They reach out and guide appropriately. They inform me that they are taking care of the issue, and if a meeting is required, they ask about a suitable time so that they can block the calendar. I have never encountered any issues with the support team where I had to escalate anything to someone else. I would rate them a nine out of ten.

Positive

I have worked with QRadar and NetIQ Sentinel. These traditional SIEM solutions are not equipped to effectively handle API integrations on the cloud. Nowadays, most organizations are on the cloud. For Microsoft-heavy or cloud-heavy environments, it is very easy to manage and very easy to ingest logs with Microsoft Sentinel.

It was straightforward. Deploying Sentinel doesn't take much time, but the initial design required for any solution takes time. Once you have planned the design, deployment involves using toggle buttons or bars.

In terms of the implementation strategy, being a cloud solution, not all customers are there in a single subscription. There could be various tenants and various subscriptions. We have to consider all the tenants and subscriptions and accordingly design and place Sentinel.

Ideally, it takes two to three months to onboard log sources, and for implementation, three to four resources are required.

We have definitely seen an ROI. In traditional SIEM solutions, we need to have people to maintain those servers and work on the upgrades, whereas when it comes to the SaaS-based solution, we don't need resources for these activities. We can leverage the same resources for Sentinel monitoring and building effective detection rules for threat hunting.

There are no additional costs other than the initial costs of Sentinel.

We didn't evaluate other solutions.

I would recommend this solution. Before implementing it, I will also suggest carefully designing it based on your requirements.

You have two options when it comes to ingesting the logs. If you aren’t bothered about the cost and you need the features, you can ingest all logs into Sentinel. If you are cost-conscious, you can ingest only the required logs into Sentinel.

I would rate it a seven out of ten.

As a security engineer, I help onboard with Sentinel. I enable all the connectors and tune the analytics to minimize the number of false positives.

We're a Microsoft house and it provides very good visibility into all the threats a company might be facing. 

The connectivity and analytics are great.

It allows people to connect to different data sources under a single pane of glass.

The visibility is great in terms of having the notebook features. By using the notebook features, people can generate different graphs, which helps create greater visibility on the front end.

We've been able to integrate other products, including Defender. It's super easy to integrate them. All Microsoft products easily connect with each other. They coordinate together to help with detection and response across our network. This is critical. 

This allows me to have better visibility to understand what is happening on each endpoint.

The threat protection is pretty comprehensive across Microsoft products. Having dependable endpoints and other security tools ensures good security overall. In terms of compliance, you have a lot of data that can help ensure comprehensive information is available and transparent. 

We like that it's on the cloud.

Sentinel does allow us to ingest data from our entire ecosystem. This plays an important security role.

We can investigate threats holistically from one place. Having everything centralized makes security easier and helps us better understand what is happening. 

Sentinel's security protection helps us to better identify anomalies or erratic user behavior. It helps me minimize false positives. 

There is good automation. They do an okay job.

Consolidating into one dashboard has made it possible to have a holistic view of security. I can investigate issues and have better visibility.

Overall, the solution has saved me time. I'm not sure if I can quantify it, as I'm on the engineering side. 

The product has helped save the organization money. 

It has decreased our time to detect and time to respond. 

They only classify alerts into three categories: high, medium, and low. So, from the user's point of view, having another critical category would be awesome. That would minimize the level of high alerts and break them down so we understand which are truly critical. We should be able to prioritize more effectively. Right now, this doesn't necessarily help users to prioritize when it comes to the alert or triage.

The bi-directional capabilities are okay. However, sometimes I need to fall back on Defender for cloud.

I've been using the solution for two or three years now.

The stability is okay. I've only experienced one outage.

We have about 200 staff on the solution. 

The scalability is very good. All I have to do is enable data sources in order to expand. 

I haven't had much contact with technical support. My one experience was okay. 

Neutral

I did not previously use a different solution.

The initial deployment is straightforward. The entire process was as simple as following clear steps. We basically create a workspace and push the pipeline.

As long as a person has relevant access to Azure, one person would be enough in terms of handling the deployment. 

We did a deployment in a single location, not across multiple locations. 

There is a bit of maintenance, in terms of ensuring logs are being digested. The number of people involved depends on the situation. We have two to three people who may check logs or connectors. 

We are consultants for clients. We help SMEs deploy the solution. 

We have witnessed an ROI while using the solution, however, I cannot quantify the amount exactly.

Sentinel charges based on ingestion. If Microsoft would allow us to view the logs before ingesting something we don't want, that would make the pricing better. Sometimes we don't want to pass illegitimate data into Sentinel, yet I don't have a choice. 

It's not cheap. However, it's okay pricing.

I did not evaluate any other options previously.

I'd rate the solution eight out of ten.

I'd tend to go with a single vendor over best of breed. A company like Microsoft allows everything to easily link various products together. 

If you are using Microsoft Sentinel, go for the XDR solutions as well. 

The usual use cases would be starting from scratch, implementing Sentinel for clients, onboarding log sources, building analytical use case rules, and supporting the platform for operations.

The main benefit is the ease of integration. Having a cloud-based SIEM means scalability. We also received very good support and documentation from the vendor.

All of the features are great. In fact, when they add new features they are always valuable and interesting. There are so many features on offer.

I really appreciate that it is very well documented.

I also use Defender 365, including Defender for Endpoint. It's easy to integrate with Sentinel. In two clicks we can integrate them together.

I have experience with Defender for Cloud. I'm actually getting into the Center for Cloud right now, so I'm just Learning about it. 

Sentinel enables us to ingest data from our entire ecosystem.

It's important to have data visibility for our security operations. Sentinel enables us to investigate the threats and respond from one place. That is very important for operations. We need to be able to easily look and have visibility over what's happening.

Sentinel enabled us to automate routine tasks. It helps us automate the handling of trivial tasks related to alerts. 

With the solution, we no longer have to look at multiple dashboards. I wouldn't say it has completely eliminated looking at different dashboards. As it stands right now, there are two dashboards that we will have to look at. One is Sentinel, and the other one is a ticketing system.

Compared to what's being used, it's saved us some time overall. The ease of use and the clear documentation are helpful in that regard. Someone who doesn't know how to use it can easily go in and find out.

When it comes to ingesting Azure native log sources, some of the log sources are specific to the subscription, and it is not always very clear. Sometimes, if the individual doesn't know what they are doing, they might enable it only on one subscription and not on everything that they need to monitor.

I've used the solution for two and a half years. 

I haven't experienced any stability issues. I've experienced 100% uptime. 

I've never seen it scale up or down. If necessary, it likely happens in the background. It's not visible to clients, however, I haven't noticed any issues. 

My experience with technical support is good. It was an excellent experience. They were very, very responsive to the questions that we had. If they were not able to answer on the spot, during the call, they took it back and discussed the issue with their team. Getting an answer was fairly fast. Overall, I've had a good experience with support and I can't complain.

I'd like them even more if I was able to request support on behalf of clients without having to actually access the client's Azure or having to identify the client's tenants. 

Positive

I've used Splunk, ArcSight, and QRadar. Sentinel is excellent compared to those solutions. It could always be easier, however, it's pretty much there.

I was involved in the solution's deployment. The cloud deployment takes five minutes and is very easy. The on-premise portion on the other hand, when I first did it a year and a half ago, was a little bit more complex since it involved a lot of customization. However, now it's more streamlined.

There is no maintenance necessary. It's a managed service. There's no patching of any sort. The on-premises components may require a little bit of maintenance every now and then if they need a patch or upgrade. If there are any changes in the environment they would have to be reflected in the configurations. 

I handled the implementation myself. 

I know the price, however, I don't know how it compares with other SIEM solutions. I don't have that visibility. I overheard not too long ago that Sentinel is on the expensive side. However, there are some capabilities that are fairly new that Sentinel offers to lower the cost. 

I'd rate the solution a nine out of ten. 

Our customers primarily use the solution to monitor their infrastructure locally.  Some of our customers want to monitor logs to find some abnormal instances, so, they use Microsoft Sentinel to identify threats or identify what is happening in their infrastructure.

Microsoft Sentinel is easy to use compared to some third-party solutions, for example, if we want to get a log using a lot of the third-party solutions it is very difficult because we have to configure it. But in Microsoft Sentinel, if you want to get a log, you just click next, next, next, and see the log. It's straightforward to use the solution. Microsoft Sentinel is on the cloud, so we don't need to maintain a lot of the OS issues we have with other products. Sometimes SIEM has problems that require a lot of maintenance to resolve the OS issues and that takes a lot of time to deal with, but the Microsoft Sentinel benefit is you're on the Cloud. We don't have to spend time dealing with OS issues. We can use that time to focus on critical incidents.

The most valuable features in my experience are the UEBA, LDAP, the threat scheduler, and integration with third-party straight perform like the MISP.

The product can be improved by reducing the cost to use AI machine learning. In my experience in Taiwan, if you want to use Microsoft machine learning for Microsoft Sentinel, the cost is high. The high cost keeps customers from using the feature.

Currently, I think that the customized log can be improved because I check some documents, and Microsoft Sentinel can only customize some file logs. If some logs can be in a database or some user Syslog for all the events in Microsoft Sentinel to be supported. I can't choose to parse the log. I hope Microsoft Sentinel can support more and more different event types for customization. The solution ends up passing a lot of the logs.

I have been using Microsoft Sentinel for 13 months.

The solution is very stable.

The solution is easy to scale.

Technical support uses a ticket system. We just use the portal and I can open a ticket for them, and they will respond back to us. The technical support team is very good they solve a lot of the issues for us, or help us solve a lot of issues, but sometimes the issues can be more complicated and they cannot help us. If I submit a complicated ticket to technical support and they still don't know how to resolve it we are required to use premium support and that option comes with an additional fee. If you have less complicated issues free technical support can resolve the ticket but with more complex tickets you need to use the premium service.

Positive

The initial setup is very easy we just choose where to create, and then next, done, finished. Very easy. The deployment took less than five minutes and only required one person.

The implementation was completed in-house on my own. I just studied Microsoft documents and trained myself. If I still don't know something, I open a ticket to Microsoft to get some help.

The solution is expensive and there is a daily usage fee.

I give the solution an eight out of ten.

I am a third-party user of the solution, but if I were an outside user of Microsoft Sentinel, I really like it because they have a lot of the functions that others don't have. Things like the UEBA and intelligence from Microsoft. Microsoft has already studied a lot of threat intelligence, and they have the capability to help us detect what kind of content will match Microsoft intelligence. I like this and also has a lot of AI machine learning. This will help me to review or, learn easily. I hope this product will help me with a lot of things.

The solution states that it provides good visibility into threats by identifying vulnerabilities. I'm not clear on the vulnerability feature. I am not sure if most customers are familiar with the feature. I believe the feature is used to detect a lot of threats, but what kind of vulnerability? I am still not familiar with the feature.

I think because our enterprise has a lot of different Standard Operating Procedures it depends on the customer, for example, the solution helps detect ransomware, and that helps the organization prioritize dealing with the ransomware situation above other threats.

We have one customer that has implemented Microsoft Security E5. That means they also have Microsoft Defender 365. They use this to detect their infrastructure and their endpoints as well as if they have a SaaS platform they can monitor abnormal behavior.

I have integrated Microsoft Sentinel and Microsoft Defender 365, and they are very easy to integrate. They also have a correlate function and they have rules called Fusion. This Fusion function helps us investigate the correlation between the products.

Because my job is to help the customer integrate, I don't know how well the solutions work together to deliver detection and response for our customers. I am not involved once the solutions are deployed.

In Taiwan, we don't have customers that use Microsoft Defender for Cloud but I use it in my lab.

Some of our customers have additional solutions that are not Mircosoft. I have some customers, who have some data from the Microsoft device, from Windows and maybe events, and others that are not Microsoft products. The customers use their own on-premise, third-party products and buy their solutions. Hence, it is difficult to say if Microsoft Sentinel enables us to ingest data from the whole enterprise.

You can investigate the threats and respond from one place using Microsoft Sentinel. We should report correlation too. It's effortless to investigate responses in Microsoft Sentinel.

In Taiwan, we don't believe in automating routine tasks. There are a lot of things we still do manually and are not using the automated function of Microsoft Sentinel except to send mail.

With Microsoft Sentinel, we use one unified dashboard that is very easy.

We don't use the threat intelligence from Microsoft Sentinel because it is not public, so when a threat is detected that matches the Microsoft database threat intelligence, they only send us an alert, but they don't provide the content inside. Instead, we use open-source threat intelligence and integrated it into the solution.

Using Microsoft Sentinel has reduced the time spent per incident from three hours to one and a half to two hours.

The solution has not saved any money because it is still expensive. We have a large customer demand but all the vendors are as expensive as Microsoft Sentinel. I think they are very expensive. The solution has a daily usage charge.

Depending on the rule being used the solution can save us time in detecting incidents or threats. I can say we just use the default, sometimes it's very long and doesn't really take a lot of time. We get the result to tell me, "Oh. You have an incident happen." But I still don't know why Microsoft usually misses the threats. I still don't know why they design it like this, because I have had some instances in my past experience where the rule is if a threat is detected we must immediately alert first. Perhaps the detection module for Microsoft Sentinel is old. It starts to already alert us and that is a default rule. So, I still don't know why Microsoft Sentinel was created like this. I still don't understand. If you use a UEBA, to detect some threats in some abnormal behavior it's very fast, but if you use the scheduler to detect a lot, sometimes it takes a long time.

In my experience, everything is working and the solution doesn't have any bugs.

The solution is only released on the cloud on Azure. You can't deploy the solution on-premise.

Currently, I only deploy in a single environment. I don't have another environment because almost all our customers use a single environment. Perhaps in the future, they will add another cloud that will use Microsoft Sentinel. That is a very long time in the future. In my experience, the solution is used only in a single environment. We have two people in our organization that use the solution and four to five large customers.

Since Microsoft Sentinel is cloud-based it updates automatically and requires no maintenance from our end.

I think I'm more likely to use a single vendor over using a best-of-breed strategy because a single vendor, integrates together all of the things. I don't need to customize. Trend Micro doesn't understand Microsoft products, and Microsoft products, don't know Trend Micro products. If I choose to use a single solution that means they will handle all of those things. I don't need to use or take the time to customize some functions. I don't need to do that. I prefer to use a single vendor.

If a customer is already using a lot of Microsoft solutions I would recommend Microsoft Sentinel because it is very easy to integrate, but if a customer is using multiple different third-party security solutions I would not recommend Microsoft Sentinel because it will take more time to integrate it and check everything.

I support Microsoft Sentinel as a Microsoft partner. We work on various scenarios, such as emails and data connectors. I support licenses by helping them enroll and advising them on the prerequisites they need to meet. I show them how to get started with Microsoft Sentinel. 

I'm the technical lead for Microsoft, so I've worked on several Microsoft security products, including Sentinel, Cloud App Security, Defender, Azure Information Protection, and Azure Key Vault. These are now my significant areas. It wasn't easy to integrate Sentinel with other products initially, but we had a smooth experience once the data connectors and everything were in place.

We are from the support team, so we operate in multiple environments depending on the use case. It works smoothly in every environment, including hybrid ones.

I've seen scenarios where the customer's security score was at 60, but we managed to increase it to 80 or 90 based on the recommendations from Sentinel. We use Sentinel to investigate the activity logs and address the issues. The security score increases once we fix those. 

The benefit Sentinel provides depends on the organization and how they have recruited engineering staff. If the engineers can maintain two or three products, then it's easy for them, but it hasn't reduced any difficulty from my perspective. 

Sentinel saved us time. When this product was introduced, many customers used other SIEM and SOAR technologies separately. Now that we have Sentinel in place, customers only need to learn how to use this product, so it's 50% to 60% more efficient. It's also more cost-effective because you aren't paying separately for those security components. Sentinel is all-inclusive. 

Sentinel integrates seamlessly with Azure platform services, making it more reliable and cost-effective. I can't say with certainty because it's outside my department, but my best guess is that Sentinel can reduce costs by about 30% to 40%. I would also estimate that it reduces our response time by roughly that amount. 

The bidirectional sync capabilities ingest the data and show us alerts that help us prioritize our policy settings and secure our environment. Once we ingest the IP address, we can monitor the network traffic. It ingests everything from the IP address to the applications we use at the cloud level. Having every event, alert, and output from Log Analytics integrated into one platform is essential. We can ingest everything using the syslogs and data connectors. For example, I'm using Windows Server 2016. It will send the data to the cloud, and Microsoft Sentinel pulls it from there. It removes the sysadmin logs and the other logs, so we can easily see the DDoS attacks and other threats.

It ingests the networking stuff and other things, too. It collects everything the company needs to secure the data from data engineers, Log Analytics engineers, information production engineers, etc. It ingests data from everywhere and stores it in one place. You can pull whatever data you need. 

A security product must be integrated with multiple other technologies like SIEM and SOAR to give you the best results and analyze user behavior. Sentinel uses connectors to integrate all Azure products and third-party security tools.

Sentinel provides excellent threat visibility, enabling us to dig deep. It directly connects to Azure Log Analytics, allowing us to do research and pull logs. It uses SOAR intelligence to detect and fix issues using AI and machine learning algorithms.

The ability of all these solutions to work together natively is essential. We have an Azure subscription, including Log Analytics. This feature automatically acts as one of the security baselines and detects recommendations because it also integrates with Defender. We can pull the sysadmin logs from Azure. It's all seamless and native. 

Everything shares a common database so that every product can be integrated depending on your enterprise licenses. Microsoft is effortless from a customer's perspective. You get a wide range of features with one license, including threat detection, information protection, infrastructure solutions, and endpoint protection. One or two enterprise licenses cover everything. 

Sentinel is an excellent product with multiple dashboards if you want to look at something specific. It also has a centralized dashboard for everything if you want to see the overview of what's essential. I use multiple dashboards because it's easier for us as support team members. 

Microsoft Defender has a built-in threat expert option that enables you to contact an expert. That feature isn't available in Sentinel because it's a huge product that integrates all the technologies. I would like Microsoft to add the threat expert option so we can contact them. There are a few other features, like threat assessment that the PG team is working on. I expect them to release this feature in the next quarter.

I have been using Microsoft Sentinel for two-and-a-half years

Sentinel is stable. 

I rate Microsoft technical nine out of 10. 

Positive

Setting up Microsoft Sentinel is straightforward because it's a cloud platform. You can install it with a few clicks. It isn't like the on-premises solutions we have used in the past, where you need to spend a couple of hours. You can deploy Sentinel with one person in around five minutes if you have all the resources, permissions, and rules.

Like all products, Sentinel requires some maintenance. There are planned and unplanned outages. Depending on when Microsoft releases the updates, it can be challenging, but they usually notify us ahead of time.

Microsoft offers the best value from a customer perspective.  With a small amount of money, customers can take advantage of an array of technologies because everything is connected from the Microsoft perspective. The return on investment is massive. You don't need to recruit multiple engineers. One engineer who is familiar with Microsoft products can manage the solution. 

I think Sentinel's pricing is reasonable. It's more reliable if it can integrate with other enterprise technologies, so you have to pay for that. We have to consider the size of the organization. We might shift to other security products for a smaller company. Given the reliability of Microsoft support, Sentinel is cost-effective.  

Sentinel is one of the best products compared to other SIEM solutions like CyberArk. Microsoft's market share is enormous, and they have surpassed AWS, so more companies are adopting Sentinel. A company can centralize everything with Sentinel, and that's great from a cost perspective. 

I rate Microsoft Sentinel nine out of 10. I see a few areas of improvement, but they are already working on implementing these features. If someone asked me whether I would recommend an a la carte approach using the best-in-breed solutions or an all-in-one integrated package from a single vendor, I would say that both approaches have advantages. However, I think it's good to hand everything over to the vendor. A vendor will take the sole responsibility and do the work for you. 

I also recommend becoming an expert in Microsoft Sentinel because it has a bright future. You can earn a decent salary once you have hands-on experience with this product. Sentinel is not well known, but I think it will have 60 to 70 percent of the market share.

We're a managed security service provider using Sentinel for its primary SIEM capability. Our company looks after multiple Sentinel instances for a variety of customers. However, we don't do anything through Lighthouse because every customer we monitor wants everything in their own tenant space. 

The company ensures suitable detections are created and loaded into the Sentinel side, and we provide them with KQL to help them with some in-house use cases with a security focus. We also made some dashboards so they could visualize their data and what their issues would look like. We adopt different deployment models depending on the customer. It's usually a public cloud or hybrid in some instances.

We work with a few Microsoft products, but it's mostly the Defender for Cloud Suite, including Defender for Endpoint and Defender for Cloud. It's undergone a rebrand from the Cloud Application Security side. We also use Azure Active Directory, Microsoft Cloud Security, and several other Azure and Office 365 applications.

Sentinel made it easier to put everything into one place instead of checking multiple tools, especially when working with Microsoft shops. They focus a lot of the efforts on the Sentinel side, so the data is being correctly pushed across and easily integrated with third-party capabilities. Palo Alto and Cisco feeds can work almost side by side with the native Microsoft feeds seamlessly.

Sentinel helps us automate routine tasks and findings of high-value alerts from a detection perspective. Still, I haven't made much use of the SOAR capabilities with the Logic Apps side of things because of the cost associated with them, especially at volume from an enterprise environment. It was felt that using those features might push some of the usage costs up a bit. We thought it was more of a nice-to-have than something essential for the core services we wanted to leverage. We avoided using that again, but it was more of a cost issue than anything. 

Instead of having to look at dashboards from multiple parties, we have one place to go to find all the information we want to know. This consolidation has simplified our security operations. 

Usually, it isn't good to have all your eggs in one basket. However, with Azure replicating across the data center, it's better to have all your eggs in one basket to effectively leverage the raw data that would typically be going into multiple other tools. Having everything in one place allows a nice, clear, concise view if you want to see all your network data, which you can do easily with Sentinel.

Some of the UEBA features helped us identify abnormal behaviors and challenge users to ensure it's undertaking particular activities. You can isolate accounts that may have been compromised a bit quicker.

Sentinel reduced implementation time and sped up our response. I can't give a precise figure for how much time we've saved. Onboarding an Azure feed to a third-party SIEM system might take a couple of days or weeks to get the relevant accounts, etc., in place. Onboarding is a matter of minutes with Sentinel if it's a Microsoft feed. Having everything in one place makes our response a little quicker and easier. The KQL can be easily transferred to support the threat-hunting side because all the information is just there.

Our threat visibility also improved. Sentinel changed a lot since I started using it. It's like a whole new product, especially with the tighter integrations on the Defender for Cloud. For customers heavily reliant on Microsoft and Azure, it's much cleaner and more accessible than logging in to multiple tools. 

I think some of the two-way integrations started to come through for the Defender for Cloud suite as well, so whenever you closed off notifications and threats, et cetera, that were being flagged up in Sentinel, it replicated that information further back to the source products as well, which I thought was a very nifty feature.

It helps us prioritize threats, especially with the way that the various signatures and alerts are deployed. You can flag priority values, and we leveraged Sentinel's capabilities to dynamically read values coming through from other threat vendors. We could assign similar alerts and incidents being created off the back of that. It was good at enabling that customizability.

The ability to prioritize threats is crucial because every business wants to treat threats differently. One organization might want to prioritize specific threats or signatures more than another customer based on how they've structured and layered their defense. It's useful from that perspective.

The native integration of the Microsoft Security solution has been essential because it helps reduce some false positives, especially with some of the impossible travel rules that may be configured in Microsoft 365. For some organizations, that might be benign because they use VPNs, etc.

Sentinel lets you ingest data from your entire ecosystem. When I started using it, there wasn't a third-party ingestion capability. We could get around that using Logstash. It was straightforward. The integration with the event hub side allowed us to bring in some stuff from other places and export some logs from Sentinel into Azure Data Explorer when we had legal requirements to retain logs longer. 

I've used  UEBA and the threat intel, which are about what I expect from those sorts of products, especially the threat intel. I like how the UEBA natively links to some Active Directory servers. It's excellent. Integration with the broader Microsoft infrastructure is painless if your account has the correct permissions. It was just ticking a box. It's clear from the connector screen what you need to do to integrate it.

The integration of all these solutions helped because they all feed into the same place. We can customize and monitor some of the alert data from these various products to create other derivative detections. It's like an alert for our alerts.  

For example, we could look at a particular user IP or similar entity attribute and set an alert if they've met specific conditions. If there are more than a given number of alerts from different products, we treat that as a higher priority. It's beneficial for that.

Sentinel could improve its ticketing and management. A few customers I have worked with liked to take the data created in Sentinel. You can make some basic efforts around that, but the customers wanted to push it to a third-party system so they could set up a proper ticketing management system, like ServiceNow, Jira, etc.  

It would be helpful for incident responders to be able to assign tickets and have permissions assigned to them. Once you have escalated tickets from Level 1 to Level 2, there may be areas where you want to control who has access to the raw Sentinel tool. 

I started using Sentinel in July of last year.

Sentinel's stability is great. We only had one outage for a couple of hours, but that was a global Azure issue. 

I think I've not had to worry too much about the scaling. It seems to be able to handle whatever has been thrown at it. I assume that's part of the SaaS piece that Sentinel falls under. Microsoft will worry about what's happening behind the scenes and spin up whatever resources are needed to make sure it can do what it needs to do.

I rate Microsoft support a ten out of ten. We had a few issues with certain filters working with some connectors. There were problems with certain bits of data being truncated and potentially lost. I spoke to some people from the Israeli team. They responded quickly and tried to be as helpful as they could. 

Support made a solid effort to understand the problem and resolve it. They maintained regular communications and provided reassurance that they were sorting out the problems.

Positive

I used Elasticsearch, Kibana, and Splunk. We switched to Sentinel because of the ease of use and integration. Microsoft infrastructure forms the backbone of our environment. We use Azure for hosting, Active Directory for user accounts, and Office 365 for communications and data storage. 

Sentinel made a lot of sense, especially given our difficulties getting our data onboarded into the Elasticsearch stack. We saw similar challenges with Splunk. Sentinel works natively with Microsoft, but we've still had some pain points with some of the data sources and feeds. I think that's just more about how the data has been structured, and I believe some of those issues have been rectified since they've been flagged with Microsoft support.

At the same time, Sentinel is a little more costly than Splunk and the Elasticsearch stack. However, it's easier to manage Sentinel and get it up and running. That's where a cost-benefit analysis comes in. You're paying more because it's easier to integrate with your environment than some of the other providers, but I'd say it is a little on the costly side.

I've spun up my instance of Sentinel for development purposes at home, and it was quick and easy to get through. The documentation was thorough. From the Azure portal, you click Sentinel to ensure all the prerequisites and dependencies are up and running. On the connector side, it's just a matter of onboarding the data. It's straightforward as long as you have the correct permissions in place.

Deployment requires two or three people at most. You probably don't even need that many. Two of the three were just shadowing to get experience, so they could run with their deployments.

It doesn't require much maintenance. Microsoft does a great job of building a SaaS solution. Any problems in the region where Sentinel is hosted are visible on the Azure portal. Once the initial configuration and data sources are deployed, it takes minimal upkeep.

The deployment was done in-house.

It's hard to say whether Sentinel saved us money because you only know the cost of a breach after the fact. We'll probably spend more on Sentinel than other products, but hopefully, we'll see a return by identifying and remediating threats before they've become an actual cost for our clients. 

Sentinel has made it a little easier to get the initial Level 1 analysts onboarded because they don't need to know how to use, say, Palo Alto's Panorama. They can focus their efforts on one query language that enables them to go across multiple different vendors, products, and tools. It's quicker for a Level 1 analyst to get up to speed and become useful if they don't need to learn five or six different ways to query various technologies.

Sentinel's pricing is on the higher side, but you can get a discount if you can predict your usage. You have to pay ingestion and storage fees. There are also fees for Logic Apps and particular features. It seems heavily focused on microtransactions, but they may be slightly optional. By contrast, Splunk requires no additional fee for their equivalent of Logic. You have a little more flexibility, but Sentinel's costs add up. 

I rate Sentinel an eight out of ten. My only issue is the cost. I would recommend Sentinel, but it depends on what you want to get from your investment. I've seen Sentinel deployed in everything from nonprofits to global enterprises. With multiple vendors, you're more at risk of causing analyst fatigue.

Microsoft has done a great job of integrating everything into one place. The setup and configuration of Azure's general hosting environments reduce the risk. Most services are on the cloud, so Sentinel makes it much quicker and easier to get up and running. You don't need to worry about training and getting multiple certifications to have an effective SOC.

I recommend sticking with Sentinel and putting in as many data sources as you can afford. Put it through its paces based on a defense-in-depth model. Take advantage of all the information Microsoft and others have made available in places like GitHub, where there is a vast repository of valuable detections that can be tweaked depending on your environment.

It makes it a lot easier to get started. Many people approaching security with a blank canvas aren't sure where to go. There are a lot of valuable resources and information available.

I'm into monitoring and deploying. When an incident occurs in Sentinel, we try to triage it then investigate it, then we try to gather more details about it through other blades in Sentinel. We try to gather more information about the IP address, and user details from the Sentinel itself, as well as Active Directory. 

They have good playbooks or logic apps to take action on behalf of the user. They're automated actions that we configure for when a particular condition occurs. It reduces human effort a lot and performs tasks on its own. 

There is an option wherein we can add multiple usernames or any details in multiple numbers, and we can just use that instead of manually adding all the names.

When it comes to threats, every environment is different, and the data connectors are different. So it depends on what data connectors are configured to your environment. It could be specific to that. However, Sentinel is a pretty good product. It does threat detection very well. Depending on the user, and how he configures it, Sentinel will do a good job in delivering the output.

We already have priority-based use cases which we set during the creation of any use cases for any threat detection. It also allows us to change the priority whenever a threat occurs. Currently, in the environment in which I am working, we don't manually change the severity or the priority whenever the threat occurs. We will deal with it in its original form. However, it could be a good feature for us to use and also very helpful to set the priority level whenever it is necessary. 

There is a specific incident blade that we can respond from. Or we have log analytics in Sentinel in which we can do threat hunting. We have various ways to gain visibility.

Threat intelligence is under development. It's not completely ready, however, it is a very good feature and can find multiple threats. It's completely managed by Micorosft. So far, it's a very good feature. 

The UI of Sentinel is very good and easy to use, even for beginners. 

It's very easy to deploy a new use case. We can create them very easily. Adding connectors is simple. 

The preview mode is good. Sometimes it helps us pick up on malicious threats. It can sometimes provide false positives as well. For the most part, we can deal with it; it's good. That said, it's a work in progress. 

There are good guides that allow us to easily add new features to our environment. 

Workbooks allow us to display charts and help us provide very useful visuals. 

Automation is very good.

The solution has helped us to save time. 

I'm aware that we can have one centralized dashboard. We can view multiple dashboards in one central place. We can merge all tables and visualizations into one single pane of glass. It's easy to configure. However, we do not really work with a consolidated dashboard. We have a few for the reports. 

The solution has decreased the time to detection and time to respond via custom use cases. However, I cannot quantify the exact amount of time saved. On average, it saves 30 to 40 minutes a day. 

We're satisfied with the comprehensiveness of the security protection. That said, we do have issues sometimes where there have been global outages and we need to raise a ticket with Microsoft. Those have become repetitive and happen more often. Still, there are many choices and features, which is useful.

There are some false positives.

When an incident occurs, it will just be displayed on your screen. However, if they had some sort of sound or tone to alert the analyst, that would be ideal. It would help them notice when something is triggered. 

I've been using the solution for two years and five months. 

There are no issues or outages. It's 90% to 95% stable. 

Our environment is mostly in Europe and there are multiple end-users.

Since this is just monitoring and threat detection, it can scale well. We can add new servers and increase the amount of logs flowing into Sentinel easily. There's no issue with that. 

Microsoft is quick to respond depending on the severity of the ticket. It's usually fixed within two to three hours maximum. The tech support understands the product well. 

Positive

I have not used any other products.

The maintenance is minimal. If there is a global issue, we'd have to raise a ticket with Microsoft. 

I'm not aware of the exact costs involved. 

I did not evaluate other options before using this solution. 

We do not use more than one Microsoft security product. We don't work with Defender, for example. 

We do not yet use it to ingest data from the rest of our ecosystem. We have seven to ten people that work directly with the product.

This is a good tool with a lot of good features. 

I'd recommend the product. The UI is good which makes it simple for new users. It will make it easy to train new engineers.

It's important to go with a best-in-breed rather than a single vendor. If there is any issue with the monitoring with one solution, it's good to have a backup option that might pick up what the other could miss. Having more than one solution - and different vendor options - allows you to have an "option B".

I'd rate the solution seven out of ten. There are still a lot of improvements that can be done.