Our customers primarily use the solution to monitor their infrastructure locally. Some of our customers want to monitor logs to find some abnormal instances, so, they use Microsoft Sentinel to identify threats or identify what is happening in their infrastructure.
Microsoft Sentinel is easy to use compared to some third-party solutions. For example, if we want to get a log using a lot of the third-party solutions, it is very difficult because we have to configure it. But in Microsoft Sentinel, if you want to get a log, you just click next, next, next, and see the log. It's straightforward to use the solution. Microsoft Sentinel is on the cloud, so we don't need to maintain a lot of the OS issues we have with other products. Sometimes a SIEM has problems that require a lot of maintenance to resolve the OS issues, and that takes a lot of time to deal with, but the Microsoft Sentinel benefit is that you're on the cloud. We don't have to spend time dealing with OS issues. We can use that time to focus on critical incidents.
The most valuable features in my experience are the UEBA, LDAP, the threat scheduler, and integration with third-party threat platforms like MISP.
The product can be improved by reducing the cost to use AI machine learning. In my experience in Taiwan, if you want to use Microsoft machine learning for Microsoft Sentinel, the cost is high. The high cost keeps customers from using the feature.
Currently, I think that the customized log feature can be improved because I checked some documents, and Microsoft Sentinel can only customize some file logs. If some logs are in a database, or some user uses Syslog for all the events, I would like Microsoft Sentinel to support that. I can't choose how to parse the log. I hope Microsoft Sentinel can support more and more different event types for customization. The solution ends up parsing a lot of the logs.
I have been using Microsoft Sentinel for 13 months.
The solution is very stable.
The solution is easy to scale.
Technical support uses a ticket system. We just use the portal, and I can open a ticket for them, and they will respond back to us. The technical support team is very good; they solve a lot of the issues for us, or help us solve a lot of issues, but sometimes the issues can be more complicated and they cannot help us. If I submit a complicated ticket to technical support and they still don't know how to resolve it, we are required to use premium support, and that option comes with an additional fee. If you have less complicated issues, free technical support can resolve the ticket, but with more complex tickets you need to use the premium service.
The initial setup is very easy; we just choose where to create it, and then next, done, finished. Very easy. The deployment took less than five minutes and only required one person.
The implementation was completed in-house on my own. I just studied Microsoft documents and trained myself. If I still don't know something, I open a ticket to Microsoft to get some help.
The solution is expensive and there is a daily usage fee.
I give the solution an eight out of ten.
I am a third-party user of the solution, but if I were an outside user of Microsoft Sentinel, I would really like it because they have a lot of functions that others don't have, things like the UEBA and intelligence from Microsoft. Microsoft has already studied a lot of threat intelligence, and they have the capability to help us detect what kind of content will match Microsoft intelligence. I like this, and it also has a lot of AI machine learning. This will help me to review or learn easily. I hope this product will help me with a lot of things.
The solution states that it provides good visibility into threats by identifying vulnerabilities. I'm not clear on the vulnerability feature. I am not sure if most customers are familiar with the feature. I believe the feature is used to detect a lot of threats, but what kind of vulnerability? I am still not familiar with the feature.
I think that because our enterprise has a lot of different Standard Operating Procedures, it depends on the customer. For example, the solution helps detect ransomware, and that helps the organization prioritize dealing with the ransomware situation above other threats.
We have one customer that has implemented Microsoft Security E5. That means they also have Microsoft Defender 365. They use this for detection on their infrastructure and their endpoints, and if they have a SaaS platform, they can monitor abnormal behavior.
I have integrated Microsoft Sentinel and Microsoft Defender 365, and they are very easy to integrate. They also have a correlate function and they have rules called Fusion. This Fusion function helps us investigate the correlation between the products.
Because my job is to help the customer integrate, I don't know how well the solutions work together to deliver detection and response for our customers. I am not involved once the solutions are deployed.
In Taiwan, we don't have customers that use Microsoft Defender for Cloud but I use it in my lab.
Some of our customers have additional solutions that are not Microsoft. I have some customers who have some data from Microsoft devices, from Windows and maybe events, and others that are not Microsoft products. The customers use their own on-premise, third-party products and buy their own solutions. Hence, it is difficult to say if Microsoft Sentinel enables us to ingest data from the whole enterprise.
You can investigate the threats and respond from one place using Microsoft Sentinel. We should report correlation too. It's effortless to investigate responses in Microsoft Sentinel.
In Taiwan, we don't believe in automating routine tasks. There are a lot of things we still do manually and are not using the automated function of Microsoft Sentinel except to send mail.
With Microsoft Sentinel, we use one unified dashboard that is very easy.
We don't use the threat intelligence from Microsoft Sentinel because it is not public, so when a threat is detected that matches the Microsoft threat intelligence database, they only send us an alert, but they don't provide the content inside. Instead, we use open-source threat intelligence and integrate it into the solution.
Using Microsoft Sentinel has reduced the time spent per incident from three hours to one and a half to two hours.
The solution has not saved any money because it is still expensive. We have a large customer demand but all the vendors are as expensive as Microsoft Sentinel. I think they are very expensive. The solution has a daily usage charge.
Depending on the rule being used, the solution can save us time in detecting incidents or threats. I can say we just use the default; sometimes it's very long and doesn't really take a lot of time. We get a result that tells me, "Oh, you have an incident." But I still don't know why Microsoft usually misses the threats. I still don't know why they design it like this, because I have had some instances in my past experience where the rule is that if a threat is detected, we must immediately alert first. Perhaps the detection module for Microsoft Sentinel is old. It already starts to alert us, and that is a default rule. So, I still don't know why Microsoft Sentinel was created like this. I still don't understand. If you use UEBA to detect threats in abnormal behavior, it's very fast, but if you use the scheduler to detect a lot, sometimes it takes a long time.
In my experience, everything is working and the solution doesn't have any bugs.
The solution is only released on the cloud on Azure. You can't deploy the solution on-premise.
Currently, I only deploy in a single environment. I don't have another environment because almost all our customers use a single environment. Perhaps in the future, they will add another cloud that will use Microsoft Sentinel. That is a very long time in the future. In my experience, the solution is used only in a single environment. We have two people in our organization that use the solution and four to five large customers.
Since Microsoft Sentinel is cloud-based it updates automatically and requires no maintenance from our end.
I think I'm more likely to use a single vendor over using a best-of-breed strategy because a single vendor integrates all of the things together. I don't need to customize. Trend Micro doesn't understand Microsoft products, and Microsoft products don't know Trend Micro products. If I choose to use a single solution, that means they will handle all of those things. I don't need to use or take the time to customize some functions. I don't need to do that. I prefer to use a single vendor.
If a customer is already using a lot of Microsoft solutions I would recommend Microsoft Sentinel because it is very easy to integrate, but if a customer is using multiple different third-party security solutions I would not recommend Microsoft Sentinel because it will take more time to integrate it and check everything.