Microsoft Sentinel Reviews

Microsoft Sentinel is basically a major log, on top of which you can build queries that can analyze the data you get. It's used to build up security operations centers. In addition, it is a SIEM and SOAR solution.

The first benefit is that you have one place to close incidents. That's definitely an advantage. 

Another benefit is KQL, Kusto Query Language, and the analytic rules with which you can spot suspicious behavior of all kinds. It's definitely a step up when it comes to security. You see the benefits almost instantly.

In addition, automation helps prioritize what needs to be looked at, and what can just be closed and forgotten.

And when you combine the threat intelligence with Defender for Endpoint's recommendations, it's a really strong way to protect things or be proactive when it comes to security, with the CVEs, et cetera.

Overall, our Microsoft solution saves time. Without it, you might have to navigate six or seven portals, but with it, you only have to look at one place, and that saves some time. Most of the time, it eliminates having to look at multiple dashboards and gives you one XDR dashboard. Ideally, that should make working with IT security easier. It also decreases the time it takes to detect and respond.

As a consultant, none of the customers I work for has been hacked or has been close to being hacked. That would be the best way to judge if it saves money because just putting Sentinel on top of all these security products doesn't save you money. It's possible it saves you money. 

I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals when it comes to incident response.

The solution helps prioritize threats across your enterprise and that is quite important. There is a concept called "alert fatigue," and Sentinel can also cause that because it detects so many false positives. But usually, the high and medium risks it identifies are things you need to take a look at. So prioritization is quite important.

We also use Defender for Cloud, Defender for Endpoint, and Defender for Cloud Apps. It's quite easy to integrate these Microsoft products because they can easily communicate with other Microsoft products. The tricky part is to integrate other vendors' products, like Cisco or Linux, with Microsoft Sentinel. The actual integration is easy, but they generate a lot of data. But with its entire Defender suite, Microsoft is trying to cover everything in Azure and that is a really strong point.

Sentinel enables you to ingest data from your entire ecosystem and that is vital, but sometimes it's a bit hard to figure out what data you actually need.

Also, the UEBA is a neat feature.

The built-in SOAR is not really good out-of-the-box. The SOAR relies on logic apps and you almost need to have some kind of developer background to be able to make these logic apps. Most security people cannot develop anything, but if you want to make full use of the SOAR part of Microsoft Sentinel, you need to be able to develop these logic apps. You can say, "Okay, that's simple," but it's not simple for someone who doesn't develop.

Also, the bi-directional sync in Microsoft Defender for Cloud should be enabled out-of-the-box. Otherwise, while you can close incidents in Sentinel, they will not be closed in all the other portals. That is really important.

In addition, the watch list could be improved. Microsoft could develop some analytic templates based on these watch lists, for example.

And if you don't have any KQL knowledge, Sentinel is actually quite hard to use or to get the most out of.

I have been working with Microsoft Sentinel for approximately one year.

It's a stable solution.

My clients are looking to increase their usage of Sentinel. Every time I look, there is a new data connector, so it seems like it's a product that is constantly in development.

I haven't used their technical support.

The initial deployment, for me, is not really complex. It takes one hour or less. But to be able to use Sentinel to its full capabilities, you must definitely know something.

In terms of an implementation strategy, you need to really think ahead about who should be able to do this, and who should be able to do that, and respond to that, et cetera. A proof of concept would include dealing with the architecture, gathering initial data sources and/or automation, and then learning how to navigate in Sentinel. One person can do it.

My clients are enterprise-level companies and the solution requires maintenance. It includes updating analytics, importing, and creating new analytics. It depends on the company. If you have 100 employees, one employee might be enough to maintain things, but if you have 10,000 employees and 10,000 devices, you might need more employees.

No license is required to make use of Sentinel, but you need to buy products to get the data. In general, the price of those products is comparable to similar products.

My advice is to start out with a little bit of data and build on top of that. Don't enable too many data connectors in the beginning. Get familiar with the product, and remember to work with Sentinel every day. That's the only way the product gets better.

It comes with some out-of-the-box analytics, but to get the full and best usage out of it, you have to really keep developing it with hunting queries, analytics, et cetera. The visibility provided by the built-in analytics rules, what they detect, is rather good, but Microsoft Sentinel requires ongoing work. It helps automate routine tasks as well, but that's not something that comes "for free." It also requires ongoing work.

Threat intelligence is something that you must be more than just a novice in Sentinel to make use of.

Overall, I find Sentinel to be a really strong solution. Sentinel is where you can see the overall security status of your company. I really enjoy working with Microsoft Defender and the entire suite, combined with Microsoft Sentinel.

We use it to monitor the cloud for any security issues. We are using it as a SIEM for our cloud workspace.

The most valuable feature is the UEBA. It's very easy for a security operations analyst. It has a one-touch analysis where you can search for a particular entity, and you can get a complete overview of that entity or user.

There is also something called workbooks in Sentinel that help us to monitor the complete cloud data and it gives knowledge about, and visibility into, our security posture.

It integrates seamlessly with Microsoft products, especially Office 365 and our Azure workspace, whether it's the Application Gateway or Azure DDoS or Azure Firewall. It has native integration that works very well.

You can also monitor Zero Trust security from Microsoft Sentinel.

There are a number of points they can improve. For example, if I see an alert and I want to drill down and get more details about the alert, it's not just one click. In other SIEM tools, you just have to click the IP address of the entity and they give you the complete picture. In Sentinel, you have to write queries or use saved queries to get details. For a security analyst, when there is an incident, it takes a lot of time to write queries, investigate, and then execute.

For example, if you want to search a particular entity or an IP address, or search the complete log instead of just the security alerts, it takes time to write a query for that. The MTTR is a little high, as is the mean time to investigate, compared to other SIEM tools.

I would also like to have more resources on KQL queries.

And using the data connectors is not straightforward when you want to create a use case that is not out-of-the-box. Creating a custom use case is a challenging process. You need to understand KQL queries and the support for regex is limited.

I've been using Microsoft Sentinel for between six months and a year.

The availability is good. But when you compare the stability with Splunk or ELK or QRadar, it still needs to be more reliable and stable, not from an installation or administration perspective, but when it comes to security operations.

We collect data from between 3,000 and 4,000 users, and our cloud workspace is somewhere around 100 or 200 servers.

The scalability is good because it has Azure in the back end.

We are still deciding whether to migrate completely to Sentinel or not. We are using two SIEM solutions in parallel. The other solution is LogRhythm. From an analyst perspective, Sentinel has to evolve more. Once it does, we can think of migrating to it fully.

The installation was straightforward and easy. With Azure Resource Manager, it was easy to deploy, and it was a straightforward integration, in terms of configuration, to connect the Log Analytics workspace with Sentinel and the solutions that Sentinel has.

Deploying the solution hardly took four hours, and the initial configuration took a single person one day, meaning eight hours.

We used to have an on-prem solution and we moved our workload to the cloud. Our users did not face any challenges or difficulties as a result.

We are still in the process of getting our ROI. We are waiting for the solution to improve and mature.

Sentinel is pretty competitive. The pricing is at the level of other SIEM solutions.

I have experience with Splunk and QRadar and they are the best. They are equivalent, one with the other. Both the solutions are mature enough, having been in the market for quite some time. They know what they're doing and are easy to use from an analyst's perspective. Both are scalable solutions as well.

The drawback of these two solutions is that it takes a little bit of time to do integrations, especially for Azure workloads, as they're not in-built in Azure.

Always record your KQL queries and stick to the basics.

Azure Sentinel is a next-generation SIEM, which is purely cloud-based. There is no on-premises deployment. We primarily use it to leverage the machine learning and AI capabilities that are embedded in the solution.

This solution has helped to improve our security posture in several ways. It includes machine learning and AI capabilities, but it's also got the functionality to ingest threat intelligence into the platform. Doing so can further enrich the events and the data that's in the backend, stored in the Sentinel database. Not only does that improve your detection capability, but also when it comes to threat hunting, you can leverage that threat intelligence and it gives you a much wider scope to be able to threat hunt against.

The fact that this is a next-generation SIEM is important because everybody's going through a digital transformation at the moment, and there is actually only one true next-generation SIEM. That is Azure Sentinel. There are no competing products at the moment.

The main benefit is that as companies migrate their systems and services into the Cloud, especially if they're migrating into Azure, they've got a native SIEM available to them immediately. With the market being predominately Microsoft, where perhaps 90% of the market uses Microsoft products, there are a lot of Microsoft houses out there and migration to Azure is common.

Legacy SIEMs used to take time in planning and looking at the specifications that were required from the hardware. It could be the case that to get an on-premises SIEM in place could take a month, whereas, with Azure Sentinel, you can have that available within two minutes. 

This product improves our end-user experience because of the enhanced ability to detect problems. What you've got is Microsoft Defender installed on all of the Windows devices, for instance, and the telemetry from Defender is sent to the Azure Defender portal. All of that analysis in Defender, including the alerts and incidents, can be forwarded into Sentinel. This improves the detection methods for the security monitoring team to be able to detect where a user has got malicious software or files or whatever it may be on their laptop, for instance.

It gives you that single pane of glass view for all of your security incidents, whether they're coming from Azure, AWS, or even GCP. You can actually expand the toolset from Azure Sentinel out to other Azure services as well.

The most valuable feature is the performance because unlike legacy SIEMs that were on-premises, it does not require as much maintenance. With an on-premises SIEM, you needed to maintain the hardware and you needed to upgrade the hardware, whereas, with Azure Sentinel, it's auto-scaling. This means that there is no need to worry about any performance impact. You can send very large volumes of data to Azure Sentinel and still have the performance that you need.

When you ingest data into Azure Sentinel, not all of the events are received. The way it works is that they're written to a native Sentinel table, but some events haven't got a native table available to them. In this case, what happens is that anything Sentinel doesn't recognize, it puts it into a custom table. This is something that you need to create. What would be good is the extension of the Azure Sentinel schema to cover a lot more technologies, so that you don't have to have custom tables.

If Azure Sentinel had the ability to ingest Azure services from different tenants into another tenant that was hosting Azure Sentinel, and not lose any metadata, that would be a huge benefit to a lot of companies.

I have been using Azure Sentinel for between 18 months and two years.

I work in the UK South region and it very rarely has not been available. I'd say its availability is probably 99.9%.

This is an extremely scalable product and you don't have to worry about that because as a SaaS, it auto-scales.

We have been 20 and 30 people who use it. I lead the delivery team, who are the engineers, and we've got some KQL programmers for developing the use cases. Then, we hand that over to the security monitoring team, who actually use the tool and monitor it. They deal with the alerts and incidents, as well as doing threat hunting and related tasks.

We use this solution extensively and our usage will only increase.

I would rate the Microsoft technical support a nine out of ten.

Support is very good but there is always room for improvement.

I have personally used ArcSight, Splunk, and LogRythm.

Comparing Azure Sentinel with these other solutions, the first thing to consider is scalability. That is something that you don't have to worry about anymore. It's excellent.

ArcSight was very good, although it had its problems the way all SIEMs do.

Azure Sentinel is very good but as it matures, I think it will probably be one of the best SIEMs that we've had available to us. There are too many pros and cons to adequately compare all of these products.

The actual standard Azure Sentinel setup is very easy. It is just a case where you create a log analytics workspace and then you enable Azure Sentinel to sit over the top. It's very easy except the challenge is actually getting the events into Azure Sentinel. That's the tricky part.

If you are talking about the actual platform itself, the initial setup is really simple. Onboarding is where the challenge is. Then, once you've onboarded, the other challenge is that you need to develop your use cases using KQL as the query language. You need to have expertise in KQL, which is a very new language.

The actual platform will take approximately 10 minutes to deploy. The onboarding, however, is something that we're still doing now. It's use case development and it's an ongoing process that never ends. You are always onboarding.

It's a little bit like setting up a configuration management platform and you're only using one push-up configuration.

We are getting to the point where we see a return on our investment. We're not 100% yet but getting there.

Azure Sentinel is very costly, or at least it appears to be very costly. The costs vary based on your ingestion and your retention charges. Although it's very costly to ingest and store data, what you've got to remember is that you don't have on-premises maintenance, you don't have hardware replacement, you don't have the software licensing that goes with that, you don't have the configuration management, and you don't have the licensing management. All of these costs that you incur with an on-premises deployment are taken away.

This is not to mention running data centers and the associated costs, including powering them and cooling them. All of those expenses are removed. So, when you consider those costs and you compare them to Azure Sentinel, you can see that it's comparative, or if not, Azure Sentinel offers better value for money.

All things considered, it really depends on how much you ingest into the solution and how much you retain.

There are no competitors. Azure Sentinel is the only next-generation SIEM.

This is a product that I highly recommend, for all of the positives that I've mentioned. The transition from an on-premises to a cloud-based SIEM is something that I've actually done, and it's not overly complicated. It doesn't have to be a complex migration, which is something that a lot of companies may be reluctant about.

Overall, this is a good product but there are parts of Sentinel that need improvement. There are some things that need to be more adaptable and more versatile.

I would rate this solution a nine out of ten.

I use Microsoft Sentinel in my work as an MSSP and as a threat detection engineer.

One of the most valuable features of Microsoft Sentinel is that it's cloud-based. I previously worked for a very long time with AXA since 2006, but Microsoft Sentinel's ability to scale virtually and budget-dependent is a huge advantage. Before that, everything was on-premise and required some forklift upgrades, and it was a bit of a nightmare.

Microsoft Sentinel is relatively expensive, and its cost should be improved. Although Microsoft has been working on providing additional discounts based on commitment tiers, it's still in the top three most expensive products out there. They are certainly trying to compete with the likes of Splunk.

I have been using Microsoft Sentinel since April 2020.

Since the time that I've been using Microsoft Sentinel, I've seen five or six serious outages. That's not uncommon with cloud providers. Generally, when it's a major outage, it's pretty catastrophic.

The scalability of Microsoft Sentinel is pretty good.

I have contacted Microsoft Sentinel's technical support a number of times, and my experience with them has been pretty good.

Neutral

Before we started using Microsoft Sentinel, we previously used Splunk and ArcSight. Having a brand name like Microsoft was one of the reasons we decided to switch to Microsoft Sentinel. I was working for an MSSP at the time, and at the start of the service, they decided to run their MSSP based on Microsoft Sentinel. So it was more of an environmental thing than a conscious decision to switch to Microsoft Sentinel.

The deployment of Microsoft Sentinel is relatively simple, but the data onboarding is the complicated part.

Two people are required for the deployment of Microsoft Sentinel.

Microsoft Sentinel's evolution, use of CI/CD, and automation capabilities have helped us see a return on investment.

Microsoft Sentinel's pricing is relatively expensive and extremely confusing. I have raised this issue with Microsoft directly. It's not an easy thing to do, especially when you consider commitment tiers, discounts, and several variables that go along with it. It would be very difficult for the uninitiated to get a true reflection because you'd need to know about the product to get a cost. Suppose I go with the online pricing calculator. In that case, I need to know the difference between analytics and basic logs. I also need to understand the implications and limitations of selecting a particular option. And that's not clear from the pricing tool. So I think from that perspective, they should democratize it and make it a lot simpler and easier to do.

The visibility that Microsoft Sentinel provides into threats is great. They got a lot of content out of the box and have an active community. I absolutely love the cluster functionality and the cluster query language. I definitely wouldn't want to go back to anything else. It's an incredible query language.

Microsoft Sentinel helps us to prioritize threats across our entire enterprise. The out-of-the-box content and behavior-analytic functionality that Microsoft Sentinel provides certainly help a lot.

There's a whole cloud stack like Defender for Endpoint, Defender for Cloud, and Defender for Cloud Apps that we interface with. I am not directly responsible for configuring and managing those different products within my company. However, we interface with each of them because we take their log data.

It was very easy to integrate other Microsoft security products with Microsoft Sentinel. The other Microsoft products I mentioned have done a great job of making it very simple to integrate. It's probably easier than all the other services. Being Microsoft products, there's a very tight integration, which is great.

I don't have any direct involvement with configuring Defender for Cloud. However, we take the logs from all the Defender suites like Defender for Identity, Defender for Cloud, Defender for Cloud Apps, Defender for Endpoint, etc.

Microsoft Sentinel enables us to ingest data from our entire ecosystem. It is more challenging regarding the on-premise stuff and unsupported SaaS services. You could leverage the available functionality, but it's certainly not as easy as the native Microsoft Cloud products it integrates with. There's a lot more to it in terms of being able to ingest data from an on-premise data source. This data is very important to our security operations.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place.

The comprehensiveness of Microsoft Sentinel security protection is good. It is constantly evolving. I would like to see Microsoft add more automation, but they're on a journey to expanding their capability. I expect to see a change in that space. Since I started using the product, it has evolved, and the evolution of the product from two years ago or three years ago has been huge.

The cost and ease of use of Microsoft Sentinel against standalone SIEM and SOAR solutions are on par with Splunk in terms of costs. It's on par with what Splunk costs or slightly cheaper. It depends on how you set it up, but it's not always evident. Microsoft would prefer you to pay more than less. Certainly, from their perspective, it could probably put out more guidance on the optimization of cost. In terms of its use and functionality, it's definitely on its way to becoming a market leader. I can see that through the evolution that occurred in the last three years. There's always more and more functionality being added. I would like to see more expansion in terms of the provision of functionality in the dashboarding and work booking component. They could spend more time on expanding our capabilities. Splunk can easily plug into D3 libraries to create really good visualizations. The visualization capability within Microsoft Sentinel at the moment is somewhat rudimentary. You can always plug Power BI into it, but it's not a native product feature, and you need to buy and pay for Power BI.

From an overall management capability, Microsoft Sentinel has certainly made life easier. The introduction and addition of the CRC process are great. Historically, many SIMS haven't had that capability or ability to be integrated with the CRC system. So the automation component of that has allowed the deployment of infrastructure's code to speed up the process of the actual deployment massively in the MSSP environment. Historically, when it was on-premise, it would take two weeks to two months to get that all done. Whereas now, you can spin up a new instance and onboard all the cloud stack within a few days, which is huge.

Microsoft Sentinel has the hunting functionality. From that perspective, you could run a whole number of queries at the same time.

Microsoft Sentinel has not helped eliminate having to look at multiple dashboards. They need to expand that functionality.

Microsoft Sentinel’s threat intelligence helps us prepare for potential threats before they hit and to take proactive steps. They’ve recently introduced the Microsoft Defender Threat Intelligence feed, which is a good step forward. It’s come out of the RiskIQ acquisition, which is great. However, I would like to see more native integrations with threat intelligence feeds from financial services, local country threat intelligence feeds, and CSC feeds from government institutions. They work quite closely with the government in many places already, and it would be a huge advantage to have really simple and easy integrations. They could do more in that space in terms of providing alternative threat intelligence with the ability to integrate seamlessly and easily with threat intelligence from other sources. They do already provide connectors, but it isn’t easy. In my experience working in the industry, I’ve seen a company that effectively had a threat intelligence marketplace built into it. So you could very easily and quickly select threat intelligence providers through a number of clicks and then onboard that data very quickly.

Microsoft Sentinel has helped us save time as opposed to our previous solution. Microsoft needs to add even more automation. If you look at their competitors like Palo Alto Cortex, they already have a lot more capability out of the box. Microsoft needs to expand further that out-of-the-box automation capability.

Based on previous experience, Microsoft Sentinel has decreased our time to detection or our time to respond.

Microsoft Sentinel does not need any maintenance because Microsoft does that. However, I have monitoring rules set in place to watch what's going on. For example, we've seen outages in the past, which caused delays in incident creation. There's very little out-of-the-box content to help monitor Microsoft Sentinel.

I would always go with a best-of-breed strategy rather than a single vendor’s security suite. The evolution of Microsoft Sentinel itself has been quite amazing to see. The solution has become more feature-rich in the last two years. I hope this evolution continues and will likely leave the others behind.

I suggest to those evaluating Microsoft Sentinel to do a proof of concept.

Overall, I rate Microsoft Sentinel a seven out of ten.

We provide managed security services to customers in Myanmar using Microsoft Sentinel as a cloud media SIEM. Most of the use cases involve retention, and we use all the features of Microsoft Sentinel. We also use other Microsoft security products like Defender for Endpoint, and most of them are integrated with Sentinel. 

Microsoft Sentinel is a cloud-native SIEM solution, so it helped us reduce our infrastructure costs and deliver better services to our customers. We don't need to pay upfront costs because it is in the cloud. We used an open-source SIEM solution before implementing Microsoft Sentinel, but that wasn't satisfactory for our customers. Sentinel helped us provide more robust managed security services to our customers.

It consolidated multiple dashboards into one and helped us be more proactive. However, our team is still trying to mature to a level that we can adopt a more preventative approach to security. Sentinel significantly reduced our detection time. Without Microsoft Sentinel, our SOC analyst might take 30 minutes to an hour to detect an issue, but now it's practically in real-time. 

The biggest advantage of Sentinel is scalability. In addition, we don't need to worry about paying for infrastructure costs upfront. It gives us the flexibility to choose the kind of infrastructure based on each client's needs. Sentinel is also much simpler than other SIEM solutions. The UI is smoother and easier to use.

Native integration with Microsoft security products or other Microsoft software is also crucial. For example, we can integrate Sentinel with Office 365 with one click. Other integrations aren't as easy. Sometimes, we have to do it manually. 

The bi-directional sync is helpful. For example, we have one client using our managed security service, but they don't want to use Microsoft Sentinel. If those products are not syncing or if the solution is not bi-directional, some alerts may be missed. It's essential for both portals and the two folders to be in the same channel it's pushing. The UEBA features are also perfect. We don't see the same caliber of user behavior analytics in other SIEM. Microsoft's UEBA is great for our SOC analysts. 

Microsoft threat intelligence and UEBA still have some room for improvement. There are currently only two connectors available for Microsoft threat intelligence. the threat intelligence platform and the FTIA commander.
Sentinel should offer another option for a third-party threat intelligence platform. There are lots of open-source threat intelligence solutions available. 

Threat handling could be great for our team and for our SOC analyst, but some are unusable depending on our SOC analytics.

Sentinel can ingest data from most of our ecosystem, but some data cannot be called up. For example, if an SAP product is hosted, it will do a specific version, but it cannot be called back to Sentinel. It cannot be directly connected to Sentinel.

Our team has been using Microsoft Sentinel for about two and a half years.

I rate Microsoft support a seven out of ten. They take too long to respond, but sometimes they are great. 

Neutral

We previously had an open-source SIEM, but it lacked the detection and automation capabilities of Sentinel.

The initial deployment was straightforward but configuring integration for some of our projects was challenging because there are few connectors for solutions like Cisco. I rate Sentinel a five out of ten for ease of setup. 

We performed our integration in-house, but sometimes we get support from Microsoft.

Sometimes, it is hard for us to estimate the costs of Microsoft Sentinel.

I rate Microsoft Sentinel a nine out of ten. I recommend it, but it takes time to evaluate because Sentinel is unlike other cloud solutions. 

Log management is the primary purpose of Microsoft Sentinel to help us monitor the environment and detect threats. That way we can stop them at the first opportunity so that they do not impact the environment.

We take data from the data connectors. Some of the devices are default devices in Microsoft Sentinel, but we can easily add others. For some, we need to use an API or we need some extra help to add them into our security solution. At times, we need an agent.

It is a great tool for log management. It uses KQL (Kusto Query Language) which makes it very easy to find out anything in the environment by writing code.

If we have found some threat intel apart from Microsoft, we can add that to the watchlist category. We have a MITRE ATT&CK framework category and we can map the new threat method methodology into our environment through Microsoft Sentinel. There are multiple features in Microsoft Sentinel that help us add threats into the environment and detect threats easily and quickly.

There are multiple things integrated with it, like CrowdStrike, Carbon Black, Windows and Linux devices, and Oracle. We can see threats from all the environments. If an attack happens on the AD side, we can see that things are signed off. All those sources are integrated and that's a good thing.

On a weekly basis, it is saving us 10 hours, because we get results from the solution very fast.

There are many features, including watchlists and analytics. We can also use it to find out multiple things related to log management and heartbeat. All the features have different importance in those processes. 

The analytics have a lot of advantages because there are 300 default use cases for rules and we can modify them per our environment. We can create other rules as well. Analytics is a useful feature.

Another good feature is the data connectors, where we are collecting the logs from external devices and mapping them into the security solution. That feature is helpful.

The information Sentinel provides is of great use. Microsoft has its own threat intelligence team and they are mapping the threats per the IoCs. It lets us see multiple things that are happening. These things are a starting point for any type of attack and they are already in the solution's threat intelligence. Once something has been mapped, meaning whenever we get an alert from a threat actor, based on IoCs, we can analyze things and block them. There are multiple use cases and we can modify them for our environment.

We need to map things through the MITRE ATT&CK framework. Sentinel is a detection tool. Once it detects things, that is where human intervention comes in and we do an analysis. It is giving us ideas because it is generating events. We can see what events are happening, such as what packets are being analyzed, and what processes are being created. We can analyze all these aspects, including EDR cloud, because they are integrated with Microsoft Sentinel. It lets us see third-party sources. It is a very nice security monitoring tool.

The comprehensiveness of Sentinel's security protection is really great. I don't think it has SOAR capabilities, but it has UEBA.

Sentinel still has some anomalies. For example, sometimes when we write a query for log analysis with KQL, it doesn't give us the data in a proper way. We are trying to improve it and write the query in a manner that will give the desired results. We're trying to put in the conditions based on the events we want to look at, and for the log sources from which we are getting them. For that, we are working on modifications of our KQL queries. Sentinel could be improved by Microsoft because sometimes queries are not giving the desired results. This is something they should look into.

Also, the fields or columns could be improved. Sometimes, it is not giving the desired results and there is a blank field. 

In addition, while the graphical user interface of Microsoft Sentinel is good, there is some lag in the user interface.

I have been using Microsoft Sentinel for the last year. I have been more into the analysis part and the creation of use cases by using the analytics.

It's a stable solution.

The combination of the ease of accessibility and the free cost of the service is great. But we buy storage based on our events per second and on how many sources are integrated into the solution. We have to store the data in our environment to do analysis on past events or to check past threats.

We work as a managed security services provider (MSSP). We have different clients who have their own security team. 

One company that I worked for recently had a security team of three people, then they hired us for 24/7 analysis and monitoring. For that, I solely worked on building this product, then there are the eight to nine people who do 24/7 monitoring and analysis.

Sentinel is a full-fledged SIEM and SOAR solution. It is made to enhance your security posture and entirely centered around enhancing security. Every feature that is built into Azure Sentinel is for enhancing security posture.

It has increased our security posture a lot because there are a lot of services natively integrated to Azure Sentinel from Microsoft, e.g., Microsoft Defender for Endpoint and Defender for Office 365. 

From an analyst's point of view, we have created a lot of automation. This has affected the productivity of analysts because we have automated a lot of tasks that we used to do manually. From an end user's perspective, they don't even notice most of the time because most of our end users are mostly non-technical. They don't feel the difference. It is all about the security and operations teams who have felt the difference after moving from LogRhythm to Azure Sentinel.

It is cloud-based, so there isn't an accessibility issue. You don't have to worry about dialing a VPN to access it. Azure does require that for an on-prem solution that the security part is entirely on Microsoft's and Azure's sign-in and login processes.

Because it is a cloud-based deployment, we don't need to worry about hardware infrastructure. That is taken care of by Microsoft.

Azure Application Gateway makes things a lot easier. You can create dashboards, alert rules, hunting and custom queries, and functions with it.

Its integration capabilities are great. We have integrated everything from on-prem to the cloud.

There are certain delays. For example, if an alert has been rated on Microsoft Defender for Endpoint, it might take up to an hour for that alert to reach Sentinel. This should ideally take no more than one or two seconds.

There are a couple of delays with the service-to-service integration with Azure Sentinel as well as the tracking point.

I have been using it for 14 to 15 months.

Azure Sentinel is pretty stable. Sometimes, the agents installed on endpoints go down for a bit. Also, we have faced a lot of issues with its correctors in particular. However, the platform is highly stable, and there have been no issues with that.

For operations, one to two people are actively using the solution. For analysis, there are eight to 10 people who are actively using it.

Sentinel is scalable. If you want, you can hook up a lower balance security corrector. So, there are no issues with scalability.

We have coverage for around 60% to 70% of our environment. While this is not an ideal state, it has the capability to go to an ideal state, if needed.

I have worked with Azure Sentinel for four clients. With only one of those clients, the support was great. For the last three clients, there were a lot of delays. For example, the issues that could have been resolved within one or two hours did not get resolved for a month or two. So, it depends on your support plan. It depends on the networking connections that you have with Microsoft. If you are on your own with a lower priority plan, it will take a lot of time to resolve minor issues. Therefore, Microsoft support is not that great. They are highly understaffed. I would rate them as six or seven out of 10.

Neutral

We had a full-fledged SIEM, LogRhythm, already working, but we wanted to migrate towards something that was cloud-based and more inclusive of all technologies. So, we shifted to Azure Sentinel and migrated all our log sources onto Azure Sentinel. We also added a lot of log sources besides those that were reporting to LogRhythm.

We have used a lot of SIEMs. We have used Wazuh, QRadar, Rapid7's SIEM, EventLog Analyzer (ELA), and Splunk. We used Wazuh with ELK Stack, then we shifted to Azure Sentinel because of client requirements.

The initial setup was really straightforward because I had already worked with FireEye Security Orchestrator, so the automation parts were not that difficult. There were a couple of things that got me confused, but it was pretty straightforward overall.

Initially, the deployment took seven and a half months.

We used a lot of forums. We used Microsoft support and online help. We used a lot of things to get everything into one picture. There is plenty of help available online for any log sources that you want to move to Azure Sentinel.

I have worked with a lot of SIEMs. We are using Sentinel three to four times more than other SIEMs that we have used. Azure Sentinel's only limitation is its price point. Sentinel costs a lot if your ingestion goes up to a certain point.

Initially, you should create cost alerts in the cost management of Azure. With one of my clients, we deployed the solution. We estimated that the ingestion would be up to this particular mark, but that ingestion somehow got way beyond that. Within a month to a month and a half, they got charged 35,000 CAD, which was a huge turn off for us. So, at the very beginning, do your cost estimation, then apply a cost alert in the cost management of Azure. You will then get notified if anything goes out of bounds or unexpected happens. After that, start building your entire security operation center on Sentinel.

The SOAR capabilities of Azure Sentinel are great. FireEye Security Orchestrator looks like an infant in front of Azure Sentinel's SOAR capabilities, which is great.

The solution is great. As far as the product itself is concerned, not the pricing, I would rate it as nine out of 10. Including pricing, I would rate the product as five to six out of 10.

We are using Microsoft Office 365 E5 license right now, which means we are using Windows Defender ATP because of its cloud application security platform. We also have Exchange Online Protection. The main thing is we are replacing all of our on-prem solutions with Microsoft Office 365 and Azure solutions.

Our use case is for Azure Active Directory, Advanced Threat Protection, Windows Defender ATP, Microsoft cloud applications, Security as a Platform, Azure Firewall, and Azure Front Door. All of the Azure Front Doors logs are coming to Azure Sentinel and correlating. However, for our correlation rules that exist on the QRadar, we are still implementing these rules in Azure Sentinel because we have more than 300 different correlation rules that exist from the QRadar.  

It is always correlating to IOCs for normal attacks, using Azure-related resources. For example, if any illegitimate IP starts unusual activity on our Azure firewall, then it automatically generates an alarm for us. 

We do not get so many attacks, but if any attacks occur on our Azure Firewall site, then we are able to understand where the attack came from. Sentinel lets us know who introduced it.

It is perfect for Azure-native solutions. With just one click, integrations are complete. It also works great with some software platforms, such as Cloudflare and vScaler. 

The rule sets of Azure Sentinel work perfectly with our cloud resources. They have 200 to 300 rule sets, which is perfect for cloud resources.

They need to work with other security vendors. For example, we replaced our email gateway with Symantec, but we couldn't collect these logs with Azure Sentinel. Instead of collecting these logs with Azure Sentinel, we are collecting them on Qradar. We couldn't do it with Sentinel, which is a problem for us.

It is difficult right now because there are not so many consultants who exist for Azure Sentinel, like there are for QRadar. We are not able to find a Sentinel consultant right now.

In Turkey, we are the biggest energy generation company for the public sector. We head more than 20 power plants right now and have more than 1,000 people working in the energy sector. Two years ago, we started to work with Microsoft to shift our infrastructure and workloads to the Azure and Office 365 platforms. So, our story starts two years ago.

It is stable. We have had one or two issues, but those are related to QRadar. We are creating and pushing logs all the time to QRadar, because the Microsoft security API does not send these logs to QRadar.

One resource is enough for day-to-day maintenance of our environment, which has 1,000 clients and 200 or 300 servers. However, our servers are not integrated with Azure Sentinel, because most of our servers are still on-prem.

For Azure- and Office 365-related products, it is perfectly fine. It is scalable. However, if you want to integrate your on-prem sources with Azure Sentinel, then Azure will need to improve the solution. 

We are using Microsoft support for other Microsoft-related issues. They have been okay. They always respond to our issues on time. They know what to do. They solve our issues quickly, finding solutions for our problems.

Positive

Right now, we are using QRadar for on-prem devices. On the other hand, we have Azure Sentinel for log collecting in the cloud products. All of the Microsoft components give logs to Azure Sentinel, but all of the on-premises resources are being collected on IBM QRadar. So, Sentinel has been helping us because this is causing complications for us. While it is possible to collect logs from QRadar to Sentinel to QRadar, it is difficult to do. So, we are collecting incidents from our QRadar, then our associates monitor Azure Sentinel-related incidents from QRadar.

We have been starting to use Azure Kubernetes Service. However, our developers are afraid of shifting our production environment to the Azure Kubernetes so this whole process can continue. At the end of the day, our main goal is still completely replacing our on-premises sources with serverless architecture. 

We also started to use Azure Firewall and Azure Front Door as our web application firewall solutions. So, we are still replacing our on-prem sources. Azure Sentinel works perfectly in this case because we are using Microsoft resources. We have replaced half of our on-premises with Azure Firewalls. The other half exists in our physical data centers in Istanbul.

The initial setup is getting more complex since we are using two different solutions: One is located on-prem and the other one is Azure Sentinel. This means Azure Sentinel needs to inspect both SIEMs and correlate them. This increased our environment's complexity. So, our end goal is to have one SIEM solution and eliminate QRadar.

The initial setup process takes only one or two weeks. For the Azure-related and Office 365-related log sources, they were enabled for Azure Sentinel using drag and drop, which was easy. However, if you need to get some logs from Azure Sentinel to your on-prem or integrate your on-prem resources with Azure Sentinel, then it gets messy. 

This is still an ongoing process. We are still trying to improve our Azure Sentinel environment right now, but the initial process was so easy.

We had two three guys on our security team do the initial setup, which took one or two weeks. 

We are not seeing cost savings right now, because using Azure Sentinel tools has increased our costs.

Pricing and licensing are okay. On the E5 license, many components exist for this license, e.g., Azure Sentinel and Azure AD.

I am just paying for the log space with Azure Sentinel. It costs us about $2,000 a month. Most of the logs are free. We are only paying money for Azure Firewall logs because email logs or Azure AD logs are free to use for us.

In Turkey, Microsoft is more powerful than other vendors. There are not so many partners who exist for AWS or G Cloud. This is the reason why we have been proceeding with Microsoft.

QRadar rules are easier to create than on the Azure Sentinel. It is possible to create rules with Sentinel, but it is very difficult.

There have been no negative effects on our end users.

I would rate Azure Sentinel as seven out of 10.