Cloud and Security Transformation Specialist at Comtact
Reseller
Top 20
Offers advanced threat-hunting, improves security posture, and is very scalable
Pros and Cons
  • "The solution has features that helped improve the security posture of our clients. It provides the ability to correlate a large variety of log sources very cost-effectively, especially for Microsoft sources."
  • "We do see continuous improvement all the time, however, I haven't got a specific feature that is lacking or not well designed."

What is our primary use case?

I work with Azure Sentinel from a commercial perspective. We use Azure Sentinel to provide services to our customers. We use it as a security analytics platform for our customer base.

How has it helped my organization?

About half of our customers that are using it have migrated from an alternative solution, and half of them are using it for the first time or using something like this for the first time. It enabled customers that previously found it difficult to justify the cost of a security-analytics platform to actually deploy one without enormous upfront costs. It’s been cost-effective and it's pay-as-you-go.

What is most valuable?

Its capability in the advanced threat-hunting area is its most valuable aspect.

The solution has features that helped improve the security posture of our clients. It provides the ability to correlate a large variety of log sources very cost-effectively, especially for Microsoft sources.

While the solution has affected our client’s security posture, it’s difficult to give a concise answer to how. All customers that have deployed our Azure-Sentinel-based services have quickly found situations that they weren't already aware of and therefore have been able to take appropriate action. They feel much more confident that potential threats will be discovered in a more timely fashion.

Sentinel affected the end-user experience, in that we get visibility of much more useful data in an easy-to-digest format that provides easy-to-understand value.

What needs improvement?

It is difficult for me to give a straight answer as to what needs improvement, being that I'm not one of the hands-on users. What we do find is that Microsoft is continuously introducing improvements to the platform. We do see continuous improvement all the time, however, I haven't got a specific feature that is lacking or not well designed.

Buyer's Guide
Microsoft Sentinel
May 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: May 2024.
771,946 professionals have used our research since 2012.

For how long have I used the solution?

I've been using the solution for about one year.

What do I think about the stability of the solution?

I've not been aware of any issues or outages that we've experienced with it. We've been very pleased in that respect. There is nothing negative to report in that area.

What do I think about the scalability of the solution?

Scalability is one of the product's big strengths and one of the reasons that we are migrating. One of the issues with traditional platforms is that generally speaking, you have to be very careful sizing them, otherwise, if you undersize it, you're going to have expensive upgrade requirements, particularly if it's an on-premise solution. On the other hand, if you oversize it, you'll be paying too much. Whereas, with Azure Sentinel, it's pay-as-you-go. You don't really concern yourself too much with sizing, apart from budgeting for it. If you just size it for what you need today, and tomorrow, if you need more, it scales at cloud scale. It's one of its big strengths.

How are customer service and support?

Dealing with technical support is not something I do directly. I don't know specifically anything about it, although it's likely that our team has dealt with them in the past.

Which solution did I use previously and why did I switch?

The solutions that I've had personal experience with are AlienVault, Splunk, LogRhythm, and QRadar. I'm sure there's at least one other main one, however, they're the main ones I'm familiar with. We've seen migrations from quite a lot of different traditional platforms.

How was the initial setup?

The initial setup is reasonably straightforward, however, previous experience is very useful, which is why we offer to assist with setup. If customers are looking to do it themselves, it would probably be sensible to work with a partner who has previous experience to be able to deliver the value quickly and not waste time going down a dead end. That said, it's reasonably easy. I don't consider it a difficult platform to deploy.

We usually follow a specific implementation or deployment strategy. The first steps would include a thorough analysis of the clients' environment, understanding from them where the valuable log sources are, and making sure that we fine-tune the system to, again, only be including valuable, relevant information, not a whole load of noise. 

There isn't really much maintenance required. Microsoft maintains the platform. What we do, or what a customer will do if they're managing it themselves, is just manage it for their requirements. Maintenance is not an issue, as Microsoft provides that as part of the platform.

What about the implementation team?

We offer a range of services around Azure Sentinel. There are two main ones. Either we help a customer deploy and configure Azure Sentinel, which they then might manage themselves. However, for most of our customers, we actually provide a complete 24/7 managed service for it. This is due to the fact that the market that we target, which is typically medium-size organizations, would find it difficult to be able to justify the cost of setting up a 24/7 operation for this. We do the 24/7 bit and work as a partner providing the security services.

What was our ROI?

I don't have any specific numbers, however, we've seen customers that have switched from previous solutions have said that the ROI on this has been much quicker, within a couple of months, basically, due to the fact that there is no massive upfront investment. It's pay-as-you-go. We've seen a quick and impressive ROI.

Which other solutions did I evaluate?

I haven't personally evaluated any other solution, although chances are members of my team have.

What other advice do I have?

We are independent, however, we are a Microsoft gold partner. They supply us with the technology and we help customers use it. There's a relationship. That said, our company is not part of Microsoft or anything like that.

I would not necessarily call Azure Sentinel a SaaS solution, however, I suppose it is in a way as it's all provided as a service by Microsoft. PaaS might be the best way of describing it. 

The one thing I would advise new users is to make sure that Azure Sentinel is on the list of platforms to evaluate, and particularly if they are heavy Microsoft users. By that, I mean, Azure and Microsoft 365. Obviously, pretty much everyone's on Microsoft 365, however, particularly if a user is a heavy Azure user, then they should find the proposition pretty compelling. 

I'd rate the solution at a nine out of ten. We've been very impressed with it, and customers that have gone in this direction have been as well.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Consultant at a tech services company with 11-50 employees
Real User
Top 10
Gives you one place to close incidents, and KQL is definitely a step up when it comes to security
Pros and Cons
  • "I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals, when it comes to incident response."
  • "The built-in SOAR is not really good out-of-the-box. The SOAR relies on logic apps and you almost need to have some kind of developer background to be able to make these logic apps. Most security people cannot develop anything..."

What is our primary use case?

Microsoft Sentinel is basically a major log, on top of which you can build queries that can analyze the data you get. It's used to build up security operations centers. In addition, it is a SIEM and SOAR solution.

How has it helped my organization?

The first benefit is that you have one place to close incidents. That's definitely an advantage. 

Another benefit is KQL, Kusto Query Language, and the analytic rules with which you can spot suspicious behavior of all kinds. It's definitely a step up when it comes to security. You see the benefits almost instantly.

In addition, automation helps prioritize what needs to be looked at, and what can just be closed and forgotten.

And when you combine the threat intelligence with Defender for Endpoint's recommendations, it's a really strong way to protect things or be proactive when it comes to security, with the CVEs, et cetera.

Overall, our Microsoft solution saves time. Without it, you might have to navigate six or seven portals, but with it, you only have to look at one place, and that saves some time. Most of the time, it eliminates having to look at multiple dashboards and gives you one XDR dashboard. Ideally, that should make working with IT security easier. It also decreases the time it takes to detect and respond.

As a consultant, none of the customers I work for has been hacked or has been close to being hacked. That would be the best way to judge if it saves money because just putting Sentinel on top of all these security products doesn't save you money. It's possible it saves you money. 

What is most valuable?

I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals when it comes to incident response.

The solution helps prioritize threats across your enterprise and that is quite important. There is a concept called "alert fatigue," and Sentinel can also cause that because it detects so many false positives. But usually, the high and medium risks it identifies are things you need to take a look at. So prioritization is quite important.

We also use Defender for Cloud, Defender for Endpoint, and Defender for Cloud Apps. It's quite easy to integrate these Microsoft products because they can easily communicate with other Microsoft products. The tricky part is to integrate other vendors' products, like Cisco or Linux, with Microsoft Sentinel. The actual integration is easy, but they generate a lot of data. But with its entire Defender suite, Microsoft is trying to cover everything in Azure and that is a really strong point.

Sentinel enables you to ingest data from your entire ecosystem and that is vital, but sometimes it's a bit hard to figure out what data you actually need.

Also, the UEBA is a neat feature.

What needs improvement?

The built-in SOAR is not really good out-of-the-box. The SOAR relies on logic apps and you almost need to have some kind of developer background to be able to make these logic apps. Most security people cannot develop anything, but if you want to make full use of the SOAR part of Microsoft Sentinel, you need to be able to develop these logic apps. You can say, "Okay, that's simple," but it's not simple for someone who doesn't develop.

Also, the bi-directional sync in Microsoft Defender for Cloud should be enabled out-of-the-box. Otherwise, while you can close incidents in Sentinel, they will not be closed in all the other portals. That is really important.

In addition, the watch list could be improved. Microsoft could develop some analytic templates based on these watch lists, for example.

And if you don't have any KQL knowledge, Sentinel is actually quite hard to use or to get the most out of.

For how long have I used the solution?

I have been working with Microsoft Sentinel for approximately one year.

What do I think about the stability of the solution?

It's a stable solution.

What do I think about the scalability of the solution?

My clients are looking to increase their usage of Sentinel. Every time I look, there is a new data connector, so it seems like it's a product that is constantly in development.

How are customer service and support?

I haven't used their technical support.

How was the initial setup?

The initial deployment, for me, is not really complex. It takes one hour or less. But to be able to use Sentinel to its full capabilities, you must definitely know something.

In terms of an implementation strategy, you need to really think ahead about who should be able to do this, and who should be able to do that, and respond to that, et cetera. A proof of concept would include dealing with the architecture, gathering initial data sources and/or automation, and then learning how to navigate in Sentinel. One person can do it.

My clients are enterprise-level companies and the solution requires maintenance. It includes updating analytics, importing, and creating new analytics. It depends on the company. If you have 100 employees, one employee might be enough to maintain things, but if you have 10,000 employees and 10,000 devices, you might need more employees.

What's my experience with pricing, setup cost, and licensing?

No license is required to make use of Sentinel, but you need to buy products to get the data. In general, the price of those products is comparable to similar products.

What other advice do I have?

My advice is to start out with a little bit of data and build on top of that. Don't enable too many data connectors in the beginning. Get familiar with the product, and remember to work with Sentinel every day. That's the only way the product gets better.

It comes with some out-of-the-box analytics, but to get the full and best usage out of it, you have to really keep developing it with hunting queries, analytics, et cetera. The visibility provided by the built-in analytics rules, what they detect, is rather good, but Microsoft Sentinel requires ongoing work. It helps automate routine tasks as well, but that's not something that comes "for free." It also requires ongoing work.

Threat intelligence is something that you must be more than just a novice in Sentinel to make use of.

Overall, I find Sentinel to be a really strong solution. Sentinel is where you can see the overall security status of your company. I really enjoy working with Microsoft Defender and the entire suite, combined with Microsoft Sentinel.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Microsoft Sentinel
May 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: May 2024.
771,946 professionals have used our research since 2012.
Sharjeel Khan - PeerSpot reviewer
Head of Security Operations at Edotco Group
Real User
Top 5
Agile, integrates well with other solutions and offers fair pricing
Pros and Cons
  • "The initial setup is very simple and straightforward."
  • "We'd like to see more connectors."

What is our primary use case?

We primarily use the solution for the surrounding management. 

What is most valuable?

The correlation is very useful.

We like that it is an integrated platform. 

It's very much an agile product.

Everything works very well across the product.

The initial setup is very simple and straightforward. 

It is a scalable solution. 

The performance has been good.

What needs improvement?

We'd like to see more connectors.

The solution needs to offer a bit more advancement, enhancement, and scalability with other products as well, including the market competitors.

What do I think about the stability of the solution?

The solution is stable. The performance is good. There are no bugs or glitches. 

What do I think about the scalability of the solution?

The server is scalable.

How are customer service and support?

We haven't really used support all that much. That said, we haven't really had issues with them.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I've worked with other solutions, including, for example, Splunk. For me, each solution has a limitation when it comes to some use cases. It all depends upon the business strategies. 

How was the initial setup?

The initial implementation is very easy. It's straightforward. It's not complex or difficult at all. A company shouldn't have any problems executing a setup.

The deployment process itself is very quick. It only takes maybe 30 to 40 minutes. 

We don't really need any maintenance on the solution. We're usually required to do maintenance when the agent determines it.

What about the implementation team?

We did not require any third parties when it came to setting it up. We didn't use any integrators or consultants. The implementation was handled by in-house personnel. 

What's my experience with pricing, setup cost, and licensing?

There is a community version. Whether or not the pricing is expensive depends on what a company needs and if it covers its requirements. I've been satisfied with the pricing so far. I don't find it overly expensive. 

You do pay a subscription fee for the service if you aren't using the community version. 

Which other solutions did I evaluate?

We're always happy to evaluate any other products on the market.

What other advice do I have?

We are a gold customer.

I would recommend the product if it made sense for an individual company's use case. 

For the people who are on the cloud, I would suggest they go for Sentinel regardless of any other SIEM. It will do a good integration with other solutions, and with other cloud providers while providing a holistic view as well.

I'd rate the solution an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Network & Security Manager at SNP Technologies, Inc.
Real User
Great security automation and orchestrations with the capability to do deep analysis
Pros and Cons
  • "Sentinel has features that have helped improve our security poster. It helped us in going ahead and identifying the gaps via analysis and focusing on the key elements."
  • "The solution could improve the playbooks."

What is our primary use case?

We use the solution as more of a security management tool. It's a combination of monitoring and security management.

What is most valuable?

The most valuable features of this solution are the analysis and the automation. The security automation and orchestrations are great. Other tools, which I can't really name right now, don't have the potential automation this has. They do to a certain extent, however, we have to go ahead and integrate other different solutions on top. On the other hand, with Azure Sentinel, we have out-of-box solutions within Azure using Azure playbooks, where we can automate, filter, and complete tasks that reduce the manual effort. That comes under security automation and orchestration. An incident or an alert can be generated, a playbook can be triggered and completed. The manual effort can be reduced via automation.

The analysis is an important feature. It gives us a deep analysis of not just the alert, but also checks on the dependent resources or to ensure dependency matching is correctly done. We can see, with any issue, how deep it's affecting us, for example.

Sentinel has features that have helped improve our security poster. It helped us in going ahead and identifying the gaps via analysis and focusing on the key elements.

Sentinel has not affected the end-user experience in any way. These are basically integrated with solutions from Microsoft or vendor solutions. Therefore, the end-user experience doesn’t change.

What needs improvement?

The solution could improve the playbooks. As of now, we are customizing those playbooks for our needs. However, if there were out-of-box solutions available, which could automate a few tasks by default, that would really be of great help.

For how long have I used the solution?

I've used the solution for over two years.

What do I think about the stability of the solution?

Performance is not something that we need to worry about as this is a service from Microsoft, and the underlying infrastructure of Sentinel is fully managed by Microsoft. All we need to do is go ahead and get started with the service. Once we have enabled Sentinel, it's all about integrating it with other logs. That's it. 

What do I think about the scalability of the solution?

Scalability is something that's pretty easy in terms of integrating it with other log workspaces. I know there is a cost involved, however, in terms of scaling, it's pretty easy.

We have huge applications with a user base of about 10,000 to 25,000 users for this application. In terms of the end-users who have resources like VDI solutions or other solutions, there are about 5,000 to 7,000. Therefore, end-users and application users are different. 

How are customer service and support?

Technical support is pretty straightforward. It's a no-brainer around that. They have standard SOPs they follow. There's nothing out-of-box that they provide as a solution as such as that is something that needs to be customized. If there is any customization, support, they would not be able to help us. It's all about going ahead and following the standard SOP.

They know what they're doing. However, when it comes to Sentinel, a lot of customizations are required, which support doesn't provide any assistance around.

Which solution did I use previously and why did I switch?

I've worked with various other SIM solutions. There are only a few other competitors or SIM tools, which also have AI-based analysis.

With Microsoft, the advantage is that it can correlate with a lot of other solutions as Azure itself is a cloud provider and they have a lot of environments that they go ahead and manage in terms of the SIM. They can go ahead and have correlation on alerts. The AI can go and learn from other infrastructure and can also analyze everything in a better way. That's not the same case with other vendors or other competing SIM tools.

In terms of the automation part, for other vendor SIM tools, we'll have to go ahead and integrate it with a third-party provider and basically build a custom script for automation. With Sentinel, we have out-of-box solutions for automation where Azure playbooks really come in handy.

How was the initial setup?

It's a service from Microsoft, so there is nothing else that needs to be deployed. We just go ahead and enable it. It hardly takes five minutes to get started by enabling Sentinel.

Sentinel is a pretty straightforward product. In terms of the advanced configurations, security automation and orchestration, that's a bit complex. That said, getting started with Sentinel is an easy process.

What was our ROI?

I would say that there's definitely a Return of Value. I can't really comment on Return on Investment yet.

We have seen a lot of manual codes being reduced and a focus on real issues, which are really impactful rather than going ahead and analyzing or monitoring each and every alert. With our Sentinel AI-based analysis, we can go ahead and focus on the critical issues rather than monitoring each and every alert or incident.

What's my experience with pricing, setup cost, and licensing?

Licenses won't work as this is a pay-as-you-go model. Companies pay in terms of the number of logs being integrated within Sentinel, and the price is quoted that way. Sentinel is pretty pricey compared to the other competitors where they have licenses. For Sentinel, it's a bit pricey when it comes to big environments.

What other advice do I have?

For those who want to adopt Sentinel, I'd advise that it's a really one-stop solution for all the security needs. It can be integrated with all solutions out there. It can be one single control where you can go ahead and manage the security from. You don't have to go ahead and log into different endpoint portals, or threat-protection portals, or any third-party vendor solutions as such. 

I would rate the solution at about a nine out of ten. There is definitely a scope of improvement in terms of the feature sets or the possibilities that we could go ahead and unlock.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
System Engineer at a tech vendor with 5,001-10,000 employees
MSP/MSSP
Top 20
Provides visibility into threats by creating alerts and enables us to ingest data from our entire system if we want
Pros and Cons
  • "The data connectors that Microsoft Sentinel provides are easy to integrate when we work with a Microsoft agent."
  • "The troubleshooting has room for improvement."

What is our primary use case?

Our organization is a service company, therefore, we are proposing Microsoft Sentinel as an MSSP solution to our clients. Additionally, we are offering other solutions with Microsoft Sentinel. We have integrated Microsoft Sentinel with MISP, an open source intelligence trading platform, to create a deluxe solution. Furthermore, we use the five-year tool in conjunction with Microsoft Sentinel.

We pitched the solution for BFSI, healthcare, and ONG sectors.

The solution can be deployed based on the client's requirements.

How has it helped my organization?

Microsoft Sentinel provides visibility into threats by creating alerts, which will generate an instance and notify us. We can also view files and prioritize alerts using Microsoft Sentinel. Additionally, there is a tool with Sentinel that allows us to check alerts, which will help us identify false positives and false negatives, which is very beneficial for analysts.

Microsoft Sentinel helps us prioritize threats across our enterprise.

Microsoft Sentinel's ability to help us prioritize threats is a very important must-have feature for our organization.

Integrating Microsoft Sentinel with additional Microsoft solutions such as Microsoft Security Center is easy because we use a Microsoft agent. There is a default integration available with multiple connectors and we can use the agent to install data into Microsoft Sentinel.

The integrated solutions work natively together to deliver a coordinated detection and response across our environment. We use a playbook for the response process. We also integrated ServiceNow tools and Sentinel for ITSM. We are also designing the playbooks to meet our requirements.

Having the ability to integrate solutions with Microsoft Sentinel is an important feature.

Microsoft Sentinel provides comprehensive protection. 

Our organization has a strong partnership with Microsoft. Most of the services we receive are quite cost-effective. Microsoft provides market listings, allowing us to design our solution and place it on Microsoft's market listings, resulting in mutual benefits for both Microsoft and our organization.

We used Microsoft Defender for Cloud to get to the Azure security center for Sentinel. We wanted to work with a particular server but at the time the requirement was in order to use Defender we had to enable the solution across the subscription and not on one particular server.

Microsoft Sentinel enables us to ingest data from our entire system if we want.

Microsoft Sentinel enables us to investigate and respond to threats from one place. We can control everything from a single pane of glass.

Microsoft's built-in UEBA and threat intelligence capabilities play a major role in our security.

We can automate routine tasks, prioritize alerts using the playbook, and use the analytical rule's default settings when creating an alert. This helps to reduce false positives so that we only receive one alert for each issue.

Microsoft's XDR enabled us to avoid having to view multiple dashboards. We can integrate a variety of tools with Sentinel, allowing us to monitor all relevant information from a single screen.

The integration into one dashboard reduced our analytical work because it reduces the time required to review and respond to threats. 

The solution helped us prepare for potential threats proactively. Microsoft Sentinel helped our organization save money by preventing attacks. The solution helped reduce the threat detection time by up to 40 percent.

What is most valuable?

The data connectors that Microsoft Sentinel provides are easy to integrate when we work with a Microsoft agent.

The UI design for the investigation portion of Microsoft Sentinel is great.

The alerting of the queries works great and it is easy to develop a query around our requirements using Microsoft Sentinel.

What needs improvement?

The GUI functionality has room for improvement.

The playbook can sometimes be hefty and has room for improvement.

The troubleshooting has room for improvement.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is scalable.

How are customer service and support?

The technical support depends on if we have upgraded our support or not. The basic support has a wait time but the premium support is great.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used IBM Security QRadar. The data connectors are more complicated and there are more configurations required with IBM Security QRadar compared to Microsoft Sentinel. The alerts are much better with Microsoft Sentinel.

How was the initial setup?

The initial setup is straightforward.

What about the implementation team?

The implementation is completed in-house with Microsoft documentation.

What's my experience with pricing, setup cost, and licensing?

In comparison to other security solutions, Microsoft Sentinel offers a reasonable price for the features included.

What other advice do I have?

I give the solution an eight out of ten.

The maintenance is completed by Microsoft.

I recommend Microsoft Sentinel to others.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Senior Microsoft 365 Consultant at The Collective Consulting
Real User
Quick to set up with good automation and integrates well with Microsoft products
Pros and Cons
  • "Sentinel uses Azure Logic Apps for automation, which is really powerful. This allows us to easily automate responses to incidents."
  • "The solution should allow for a streamlined CI/CD procedure."

What is our primary use case?

We are running an MDR service for our customers and use Azure Sentinel as the SIEM product to allow us to have an overview of all our customers, but also to easily push configurations to different customers.

We use Azure Sentinel as an alert aggregator to import all of the incidents/alerts from the different (Microsoft) security products in order to have a single pane of glass. On top of that, we create our own custom Analytics Rule that can be used to add our own added value. This enables us to create our own IP to protect customers. 

How has it helped my organization?

It's really convenient for us to aggregate the logs/alerts from all our customers into a single pane of glass. By using the automation capabilities, it's relatively easy to sync all incidents to our ITSM tool which we can use to follow up on incidents. As it's based on the Microsoft stack, it's convenient for our engineers to learn the product. As Azure Sentinel is also a big focus for Microsoft, we have the ability to work with them on certain products. This creates visibility within the community and for new customers.

What is most valuable?

There are three valuable aspects of the solution: MSSP support, integration with Microsoft, and Automation. By using Azure Lighthouse, an MSSP can easily integrate their applications into their own baseline of policies/configurations.

Because Sentinel is built as an MS-first product, it integrates natively with other Microsoft products, which is really convenient as we are standardized on it. Without much work, you can connect any Microsoft product to it. 

Last, but not least, Sentinel uses Azure Logic Apps for automation, which is really powerful. This allows us to easily automate responses to incidents.

What needs improvement?

Azure Sentinel is constantly growing. Throughout the two years we have been using it, we have seen it expand tremendously. A lot of the limitations we had originally seen have already been mitigated. A couple of potential improvements could be: allow for a streamlined CI/CD procedure. Now it's a combination of using API/Powershell and ARM which is not ideal. Also, it should allow us to ingest on-prem logs by using a SaaS platform to ingest CEF/Syslog logs that also allow for prefiltering. This would allow us to minimize the cost of the solution.

For how long have I used the solution?

I've been using the solution for 1.5 years.

Which solution did I use previously and why did I switch?

We didn't use another SIEM product before Azure Sentinel. 

What's my experience with pricing, setup cost, and licensing?

The cost can be a little confusing at first, but the Azure calculator is a great place to start. I would advise to start with integrating Microsoft products first, as this is the most convenient way forward and allows you to learn the product as you go.

In general, Azure Sentinel can be set up really quickly.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: We are a Microsoft partner
PeerSpot user
Principal Cloud Architect at Viria Security Oy
Real User
UI-based analytics are excellent; great tools for cleaning data
Pros and Cons
  • "The UI-based analytics are excellent."
  • "The on-prem log sources still require a lot of development."

What is our primary use case?

We use this solution for analyzing Microsoft cloud-based log services and for security data. The services include Microsoft 365, Azure Security Center logs and Microsoft cache logs. We are gold security partners with Azure. 

What is most valuable?

The UI-based analytics are excellent, it's something I haven't seen with any other SIEM products. Microsoft has excellent tools for cleaning data, sorting out irrelevant log data and even fixing log data.

What needs improvement?

There's not much that needs improvement but the on-prem log sources still require a lot of development. It's clear that there are limitations there. I also think that the implementation and on-prem data sources could be done in a better way. We've used some functions with Python and whole scripting on FortiSIEM, which is something that Microsoft could easily provide, but so far hasn't.

What do I think about the stability of the solution?

The product has been very reliable. I don't know that there have been any service outbreaks. We haven't had any problems. 

What do I think about the scalability of the solution?

We have 700 users and from our perspective, it has unlimited processing power, but this is quite common for cloud services. I think the scalability has to be some kind of ABM and feeding all of the log stats, which could possibly have limits, but Azure has huge computing power behind it.

How are customer service and technical support?

The support is good, the only issue is getting past the level one people who ask if you've tried rebooting. If you have Microsoft's Unified Support, the most expensive support, then you'll be very happy. It's not the best support in the industry, but it's pretty good and they also support Sentinel. 

How was the initial setup?

The initial setup was extremely straightforward. It was the easiest I have seen because it's an SaaS service. I think anybody can do it by just clicking and clicking and saying yes. Straight out of the box and that's the strength of the SaaS service because there's no installation, you just use it. 

Which other solutions did I evaluate?

We compared Azure to Splunk and to our current mainstream implementation, FortiSIEM. If you have a lot of security data, then you feel that Azure is quite expensive but it's nowhere near as costly as Splunk which is four or five times more expensive. FortiSIEM wasn't good enough and Splunk was way to expensive. 

What other advice do I have?

I would definitely recommend this solution. If you have cloud-based workloads and different cloud or cloud lookalike services that require security data, or if you are looking for SOAR functionalities, then it's a no brainer. It's the best in that market. On the other hand, if you are mainly working and operating with on-prem stuff then there's no advantage over FortiSIEM or other solutions. 

I rate this solution a nine out of 10. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
MikaelFryksten - PeerSpot reviewer
SOC Principal Architect at Tieto Estonia
Real User
Goon online documentation, and easy to install but the price could be lower
Pros and Cons
  • "What is most useful, is that it has a good connection to the Microsoft ecosystem, and I think that's the key part."
  • "Multi-tenancy, in my opinion, needs to be improved. I believe it can do better as a managed service provider."

What is our primary use case?

We use Microsoft Sentinel for providing managed services and for security use cases, which include detecting anomalies or security events and collecting security events from various data sources.

What is most valuable?

What is most useful, is that it has a good connection to the Microsoft ecosystem, and I think that's the key part. If you are running the Microsoft ecosystem, you are running Azure and Microsoft 365 and have all of the security providers in that environment, for example, the E5 license, then Sentinel can easily collect those events and handle them within the same Azure environment. That, I believe, is the key point here.

What needs improvement?

Multi-tenancy, in my opinion, needs to be improved. I believe it can do better as a managed service provider.

It's a fairly mature product now.

Pricing could also improve, it's a bit expensive.

For how long have I used the solution?

I have been working with Microsoft Sentinel for approximately two years.

There are private tenants, but it is deployed in a public Cloud.

What do I think about the stability of the solution?

Microsoft Sentinel is a stable solution.

What do I think about the scalability of the solution?

Microsoft Sentinel is scalable. As it is in the cloud, you simply pay more. It's expensive, but it's very easy to scale.

How are customer service and support?

We haven't used Microsoft's technical support. We rely on the online knowledge base. Essentially, the entire internet is based on the information they have. As a result, we have never contacted technical support. It hasn't been required. I suppose it's fine. We didn't use technical support in that sense. I would say that it's good.

Which solution did I use previously and why did I switch?

I am familiar with SIEM. 

We run several CM systems as well as a security operation center.

I have worked with Microsoft, IBM, and McAfee. McAfee has an older CM, and we use Elastic as well.

How was the initial setup?

Within the same cloud environment, it is very simple to set up and begin collecting data.

What's my experience with pricing, setup cost, and licensing?

Microsoft Sentinel is expensive.

What other advice do I have?

If you have the funds, I would recommend it. I think the pricing is important; it's quite expensive, but if you have that, I think I would recommend it. The advice is to think carefully about what data you send to the platform because it is costly. The price is data-driven, so make sure you know how much data you will send and that you only send what is required. That, I believe, is the key point.

We are Microsoft partners.

I would rate Microsoft Sentinel a seven out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
PeerSpot user
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.
Updated: May 2024
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.