Microsoft Sentinel Reviews

We provide managed security services to customers in Myanmar using Microsoft Sentinel as a cloud media SIEM. Most of the use cases involve retention, and we use all the features of Microsoft Sentinel. We also use other Microsoft security products like Defender for Endpoint, and most of them are integrated with Sentinel. 

Microsoft Sentinel is a cloud-native SIEM solution, so it helped us reduce our infrastructure costs and deliver better services to our customers. We don't need to pay upfront costs because it is in the cloud. We used an open-source SIEM solution before implementing Microsoft Sentinel, but that wasn't satisfactory for our customers. Sentinel helped us provide more robust managed security services to our customers.

It consolidated multiple dashboards into one and helped us be more proactive. However, our team is still trying to mature to a level that we can adopt a more preventative approach to security. Sentinel significantly reduced our detection time. Without Microsoft Sentinel, our SOC analyst might take 30 minutes to an hour to detect an issue, but now it's practically in real-time. 

The biggest advantage of Sentinel is scalability. In addition, we don't need to worry about paying for infrastructure costs upfront. It gives us the flexibility to choose the kind of infrastructure based on each client's needs. Sentinel is also much simpler than other SIEM solutions. The UI is smoother and easier to use.

Native integration with Microsoft security products or other Microsoft software is also crucial. For example, we can integrate Sentinel with Office 365 with one click. Other integrations aren't as easy. Sometimes, we have to do it manually. 

The bi-directional sync is helpful. For example, we have one client using our managed security service, but they don't want to use Microsoft Sentinel. If those products are not syncing or if the solution is not bi-directional, some alerts may be missed. It's essential for both portals and the two folders to be in the same channel it's pushing. The UEBA features are also perfect. We don't see the same caliber of user behavior analytics in other SIEM. Microsoft's UEBA is great for our SOC analysts. 

Microsoft threat intelligence and UEBA still have some room for improvement. There are currently only two connectors available for Microsoft threat intelligence. the threat intelligence platform and the FTIA commander.
Sentinel should offer another option for a third-party threat intelligence platform. There are lots of open-source threat intelligence solutions available. 

Threat handling could be great for our team and for our SOC analyst, but some are unusable depending on our SOC analytics.

Sentinel can ingest data from most of our ecosystem, but some data cannot be called up. For example, if an SAP product is hosted, it will do a specific version, but it cannot be called back to Sentinel. It cannot be directly connected to Sentinel.

Our team has been using Microsoft Sentinel for about two and a half years.

I rate Microsoft support a seven out of ten. They take too long to respond, but sometimes they are great. 

Neutral

We previously had an open-source SIEM, but it lacked the detection and automation capabilities of Sentinel.

The initial deployment was straightforward but configuring integration for some of our projects was challenging because there are few connectors for solutions like Cisco. I rate Sentinel a five out of ten for ease of setup. 

We performed our integration in-house, but sometimes we get support from Microsoft.

Sometimes, it is hard for us to estimate the costs of Microsoft Sentinel.

I rate Microsoft Sentinel a nine out of ten. I recommend it, but it takes time to evaluate because Sentinel is unlike other cloud solutions. 

We primarily use many Microsoft products, including Microsoft 365 with a focus on the security aspect. We have Defender for endpoints and Defender for servers. We also use Azure Sentinel with these.

This product has improved the way our organization functions. I won't be able to provide exact metrics as I don't directly work with metrics, however, from an improvement perspective, it is just a more streamlined deployment. 

We also use Intune as part of the MDM. If there are any agents that need to be deployed, then we can use that or we can just configure Windows from MDM directly. A lot of things can be just set up out-of-the-box and are ready to go and it sends logs right to Azure Sentinel. Therefore, while I don't have hard numbers, it's definitely made deployments easier and is much less time-intensive for our organization.

Coming from other SIEM solutions, Sentinel seems to be pretty good. 

It's pretty powerful and its performance is good.

The most powerful aspect is the whole integration with the Microsoft ecosystem. If you have the Microsoft 365 subscription, E5, then it integrates pretty seamlessly with everything you're trying to do. 

You obviously have connectors with other third-party, non-Microsoft stuff as well. They have pretty good integration with those. 

Azure Sentinel has a lot of built-in analytics rules, that help us get started in terms of triggering anomalous activity. In terms of performance, they're pretty fast. I've used QRadar and Splunk. Compared to Azure Sentinel those are pretty slow. Some searches in Sentinel are pretty instantaneous. For bigger searches, it's a very noticeable and impressive turnaround.

There are a lot of features that I don't touch just because I'm in the SOC. That said, I know customers have deployed different items that are quite useful. 

The end-user experience is good. It's just pretty seamless. When I was onboarded, it was just a simple download and then a sign-in to my account. It'll basically configure everything for you and download the necessary stuff that the company has defined - including Defender, et cetera. 

Microsoft needs to stop renaming their stuff. A lot of their products are very confusing due to the names they choose. The first time I heard of Defender I assumed it's just their antivirus, anti-malware, or a package that covers those things. However, there's Defender, Windows Defender, and then there's Defender for Endpoint, and there's also Defender for servers, et cetera. That really needs to be streamlined. As far as Defender's concerned, they want just a protective device. The differences are confusing.

Maybe it's a transitional choice, however, they've been doing a lot of migrations to a new portal in the security center or office privacy center. There's a bunch of portals where some things are repeated or duplicated. You have the same features in the portals, yet, in some cases, there are some things that you have to go to one portal and not the other, as it hasn't been migrated or the feature is just not there.

If their UI was a bit more streamlined and easy to find when I need it, then that would be a great improvement.

I've been using the solution for one year.

The stability is pretty good. However, there is one flaw. We did have an issue where Microsoft had some issues with some components that caused issues with their cloud. It might have been an authentication issue or something like that, however, it basically took down everything. We weren't able to work. While integration is good if something comes from one vendor and if that vendor goes down, then everyone is pretty unhappy.

While at my previous organization we had about 50 or 60 users, as a small company, we had customers that could have users in the thousands.

I didn't notice any scalability issues, and therefore I assume it's quite good. With respect to Azure Sentinel, I've never had an issue.

As far as I know, we're using pretty much everything that Microsoft has from a security perspective. I don't know how we can expand anymore.

I've never had to call technical support or reach out to technical support, therefore, I can't speak to how they operate.

I've previously used SentinelOne for endpoints and antimalware, et cetera, and Splunk for the SIEM.

I was specifically working in SOC; I was more responsible for the day-to-day operations. Unfortunately, I cannot speak to the deployment so much. I would not have information on the implementation strategy, for example.

We handled the deployment internally.

I was in the SOC. I don't deal directly with that pricing. They do have multiple licensing levels. It's just about knowing what you need. One good thing about Microsoft is that they do have quite a few options depending on your needs. That said, sometimes it could be hard to pick because there are so many. 

As an organization, you need to understand the company's needs. For example, if you don't have a security team to look at your alerts or to set up all the stuff, then you probably don't need some of their most expensive services. You need to purchase the subscriptions accordingly if you're able to leverage them.

They have premium and enterprise subscription levels. I don't know what the standard would be. They have E3 and E5 level licensing. I don't know off the top of my head the differences, however, E5 likely has more security features. Companies need to be aware of all the differences.

I was not part of any evaluation process. I came to the company afterward. 

I'm not sure which version of the solution we're on. We have another team that does the deployment and they would take care of the versioning, et cetera, however, we usually run the latest.

Microsoft makes Windows. They know their stuff. Having everything streamlined can be time-saving. It's good to have an integrated system rather than using something else. You don't need to jump through a lot of hoops or install additional software in order to get everything up and running.

I'd rate the solution at an eight out of ten.

I work with Azure Sentinel from a commercial perspective. We use Azure Sentinel to provide services to our customers. We use it as a security analytics platform for our customer base.

About half of our customers that are using it have migrated from an alternative solution, and half of them are using it for the first time or using something like this for the first time. It enabled customers that previously found it difficult to justify the cost of a security-analytics platform to actually deploy one without enormous upfront costs. It’s been cost-effective and it's pay-as-you-go.

Its capability in the advanced threat-hunting area is its most valuable aspect.

The solution has features that helped improve the security posture of our clients. It provides the ability to correlate a large variety of log sources very cost-effectively, especially for Microsoft sources.

While the solution has affected our client’s security posture, it’s difficult to give a concise answer to how. All customers that have deployed our Azure-Sentinel-based services have quickly found situations that they weren't already aware of and therefore have been able to take appropriate action. They feel much more confident that potential threats will be discovered in a more timely fashion.

Sentinel affected the end-user experience, in that we get visibility of much more useful data in an easy-to-digest format that provides easy-to-understand value.

It is difficult for me to give a straight answer as to what needs improvement, being that I'm not one of the hands-on users. What we do find is that Microsoft is continuously introducing improvements to the platform. We do see continuous improvement all the time, however, I haven't got a specific feature that is lacking or not well designed.

I've been using the solution for about one year.

I've not been aware of any issues or outages that we've experienced with it. We've been very pleased in that respect. There is nothing negative to report in that area.

Scalability is one of the product's big strengths and one of the reasons that we are migrating. One of the issues with traditional platforms is that generally speaking, you have to be very careful sizing them, otherwise, if you undersize it, you're going to have expensive upgrade requirements, particularly if it's an on-premise solution. On the other hand, if you oversize it, you'll be paying too much. Whereas, with Azure Sentinel, it's pay-as-you-go. You don't really concern yourself too much with sizing, apart from budgeting for it. If you just size it for what you need today, and tomorrow, if you need more, it scales at cloud scale. It's one of its big strengths.

Dealing with technical support is not something I do directly. I don't know specifically anything about it, although it's likely that our team has dealt with them in the past.

The solutions that I've had personal experience with are AlienVault, Splunk, LogRhythm, and QRadar. I'm sure there's at least one other main one, however, they're the main ones I'm familiar with. We've seen migrations from quite a lot of different traditional platforms.

The initial setup is reasonably straightforward, however, previous experience is very useful, which is why we offer to assist with setup. If customers are looking to do it themselves, it would probably be sensible to work with a partner who has previous experience to be able to deliver the value quickly and not waste time going down a dead end. That said, it's reasonably easy. I don't consider it a difficult platform to deploy.

We usually follow a specific implementation or deployment strategy. The first steps would include a thorough analysis of the clients' environment, understanding from them where the valuable log sources are, and making sure that we fine-tune the system to, again, only be including valuable, relevant information, not a whole load of noise. 

There isn't really much maintenance required. Microsoft maintains the platform. What we do, or what a customer will do if they're managing it themselves, is just manage it for their requirements. Maintenance is not an issue, as Microsoft provides that as part of the platform.

We offer a range of services around Azure Sentinel. There are two main ones. Either we help a customer deploy and configure Azure Sentinel, which they then might manage themselves. However, for most of our customers, we actually provide a complete 24/7 managed service for it. This is due to the fact that the market that we target, which is typically medium-size organizations, would find it difficult to be able to justify the cost of setting up a 24/7 operation for this. We do the 24/7 bit and work as a partner providing the security services.

I don't have any specific numbers, however, we've seen customers that have switched from previous solutions have said that the ROI on this has been much quicker, within a couple of months, basically, due to the fact that there is no massive upfront investment. It's pay-as-you-go. We've seen a quick and impressive ROI.

I haven't personally evaluated any other solution, although chances are members of my team have.

We are independent, however, we are a Microsoft gold partner. They supply us with the technology and we help customers use it. There's a relationship. That said, our company is not part of Microsoft or anything like that.

I would not necessarily call Azure Sentinel a SaaS solution, however, I suppose it is in a way as it's all provided as a service by Microsoft. PaaS might be the best way of describing it. 

The one thing I would advise new users is to make sure that Azure Sentinel is on the list of platforms to evaluate, and particularly if they are heavy Microsoft users. By that, I mean, Azure and Microsoft 365. Obviously, pretty much everyone's on Microsoft 365, however, particularly if a user is a heavy Azure user, then they should find the proposition pretty compelling. 

I'd rate the solution at a nine out of ten. We've been very impressed with it, and customers that have gone in this direction have been as well.

Microsoft Sentinel is basically a major log, on top of which you can build queries that can analyze the data you get. It's used to build up security operations centers. In addition, it is a SIEM and SOAR solution.

The first benefit is that you have one place to close incidents. That's definitely an advantage. 

Another benefit is KQL, Kusto Query Language, and the analytic rules with which you can spot suspicious behavior of all kinds. It's definitely a step up when it comes to security. You see the benefits almost instantly.

In addition, automation helps prioritize what needs to be looked at, and what can just be closed and forgotten.

And when you combine the threat intelligence with Defender for Endpoint's recommendations, it's a really strong way to protect things or be proactive when it comes to security, with the CVEs, et cetera.

Overall, our Microsoft solution saves time. Without it, you might have to navigate six or seven portals, but with it, you only have to look at one place, and that saves some time. Most of the time, it eliminates having to look at multiple dashboards and gives you one XDR dashboard. Ideally, that should make working with IT security easier. It also decreases the time it takes to detect and respond.

As a consultant, none of the customers I work for has been hacked or has been close to being hacked. That would be the best way to judge if it saves money because just putting Sentinel on top of all these security products doesn't save you money. It's possible it saves you money. 

I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals when it comes to incident response.

The solution helps prioritize threats across your enterprise and that is quite important. There is a concept called "alert fatigue," and Sentinel can also cause that because it detects so many false positives. But usually, the high and medium risks it identifies are things you need to take a look at. So prioritization is quite important.

We also use Defender for Cloud, Defender for Endpoint, and Defender for Cloud Apps. It's quite easy to integrate these Microsoft products because they can easily communicate with other Microsoft products. The tricky part is to integrate other vendors' products, like Cisco or Linux, with Microsoft Sentinel. The actual integration is easy, but they generate a lot of data. But with its entire Defender suite, Microsoft is trying to cover everything in Azure and that is a really strong point.

Sentinel enables you to ingest data from your entire ecosystem and that is vital, but sometimes it's a bit hard to figure out what data you actually need.

Also, the UEBA is a neat feature.

The built-in SOAR is not really good out-of-the-box. The SOAR relies on logic apps and you almost need to have some kind of developer background to be able to make these logic apps. Most security people cannot develop anything, but if you want to make full use of the SOAR part of Microsoft Sentinel, you need to be able to develop these logic apps. You can say, "Okay, that's simple," but it's not simple for someone who doesn't develop.

Also, the bi-directional sync in Microsoft Defender for Cloud should be enabled out-of-the-box. Otherwise, while you can close incidents in Sentinel, they will not be closed in all the other portals. That is really important.

In addition, the watch list could be improved. Microsoft could develop some analytic templates based on these watch lists, for example.

And if you don't have any KQL knowledge, Sentinel is actually quite hard to use or to get the most out of.

I have been working with Microsoft Sentinel for approximately one year.

It's a stable solution.

My clients are looking to increase their usage of Sentinel. Every time I look, there is a new data connector, so it seems like it's a product that is constantly in development.

I haven't used their technical support.

The initial deployment, for me, is not really complex. It takes one hour or less. But to be able to use Sentinel to its full capabilities, you must definitely know something.

In terms of an implementation strategy, you need to really think ahead about who should be able to do this, and who should be able to do that, and respond to that, et cetera. A proof of concept would include dealing with the architecture, gathering initial data sources and/or automation, and then learning how to navigate in Sentinel. One person can do it.

My clients are enterprise-level companies and the solution requires maintenance. It includes updating analytics, importing, and creating new analytics. It depends on the company. If you have 100 employees, one employee might be enough to maintain things, but if you have 10,000 employees and 10,000 devices, you might need more employees.

No license is required to make use of Sentinel, but you need to buy products to get the data. In general, the price of those products is comparable to similar products.

My advice is to start out with a little bit of data and build on top of that. Don't enable too many data connectors in the beginning. Get familiar with the product, and remember to work with Sentinel every day. That's the only way the product gets better.

It comes with some out-of-the-box analytics, but to get the full and best usage out of it, you have to really keep developing it with hunting queries, analytics, et cetera. The visibility provided by the built-in analytics rules, what they detect, is rather good, but Microsoft Sentinel requires ongoing work. It helps automate routine tasks as well, but that's not something that comes "for free." It also requires ongoing work.

Threat intelligence is something that you must be more than just a novice in Sentinel to make use of.

Overall, I find Sentinel to be a really strong solution. Sentinel is where you can see the overall security status of your company. I really enjoy working with Microsoft Defender and the entire suite, combined with Microsoft Sentinel.

We primarily use the solution for the surrounding management. 

The correlation is very useful.

We like that it is an integrated platform. 

It's very much an agile product.

Everything works very well across the product.

The initial setup is very simple and straightforward. 

It is a scalable solution. 

The performance has been good.

We'd like to see more connectors.

The solution needs to offer a bit more advancement, enhancement, and scalability with other products as well, including the market competitors.

The solution is stable. The performance is good. There are no bugs or glitches. 

The server is scalable.

We haven't really used support all that much. That said, we haven't really had issues with them.

Positive

I've worked with other solutions, including, for example, Splunk. For me, each solution has a limitation when it comes to some use cases. It all depends upon the business strategies. 

The initial implementation is very easy. It's straightforward. It's not complex or difficult at all. A company shouldn't have any problems executing a setup.

The deployment process itself is very quick. It only takes maybe 30 to 40 minutes. 

We don't really need any maintenance on the solution. We're usually required to do maintenance when the agent determines it.

We did not require any third parties when it came to setting it up. We didn't use any integrators or consultants. The implementation was handled by in-house personnel. 

There is a community version. Whether or not the pricing is expensive depends on what a company needs and if it covers its requirements. I've been satisfied with the pricing so far. I don't find it overly expensive. 

You do pay a subscription fee for the service if you aren't using the community version. 

We're always happy to evaluate any other products on the market.

We are a gold customer.

I would recommend the product if it made sense for an individual company's use case. 

For the people who are on the cloud, I would suggest they go for Sentinel regardless of any other SIEM. It will do a good integration with other solutions, and with other cloud providers while providing a holistic view as well.

I'd rate the solution an eight out of ten.

We use the solution as more of a security management tool. It's a combination of monitoring and security management.

The most valuable features of this solution are the analysis and the automation. The security automation and orchestrations are great. Other tools, which I can't really name right now, don't have the potential automation this has. They do to a certain extent, however, we have to go ahead and integrate other different solutions on top. On the other hand, with Azure Sentinel, we have out-of-box solutions within Azure using Azure playbooks, where we can automate, filter, and complete tasks that reduce the manual effort. That comes under security automation and orchestration. An incident or an alert can be generated, a playbook can be triggered and completed. The manual effort can be reduced via automation.

The analysis is an important feature. It gives us a deep analysis of not just the alert, but also checks on the dependent resources or to ensure dependency matching is correctly done. We can see, with any issue, how deep it's affecting us, for example.

Sentinel has features that have helped improve our security poster. It helped us in going ahead and identifying the gaps via analysis and focusing on the key elements.

Sentinel has not affected the end-user experience in any way. These are basically integrated with solutions from Microsoft or vendor solutions. Therefore, the end-user experience doesn’t change.

The solution could improve the playbooks. As of now, we are customizing those playbooks for our needs. However, if there were out-of-box solutions available, which could automate a few tasks by default, that would really be of great help.

I've used the solution for over two years.

Performance is not something that we need to worry about as this is a service from Microsoft, and the underlying infrastructure of Sentinel is fully managed by Microsoft. All we need to do is go ahead and get started with the service. Once we have enabled Sentinel, it's all about integrating it with other logs. That's it. 

Scalability is something that's pretty easy in terms of integrating it with other log workspaces. I know there is a cost involved, however, in terms of scaling, it's pretty easy.

We have huge applications with a user base of about 10,000 to 25,000 users for this application. In terms of the end-users who have resources like VDI solutions or other solutions, there are about 5,000 to 7,000. Therefore, end-users and application users are different. 

Technical support is pretty straightforward. It's a no-brainer around that. They have standard SOPs they follow. There's nothing out-of-box that they provide as a solution as such as that is something that needs to be customized. If there is any customization, support, they would not be able to help us. It's all about going ahead and following the standard SOP.

They know what they're doing. However, when it comes to Sentinel, a lot of customizations are required, which support doesn't provide any assistance around.

I've worked with various other SIM solutions. There are only a few other competitors or SIM tools, which also have AI-based analysis.

With Microsoft, the advantage is that it can correlate with a lot of other solutions as Azure itself is a cloud provider and they have a lot of environments that they go ahead and manage in terms of the SIM. They can go ahead and have correlation on alerts. The AI can go and learn from other infrastructure and can also analyze everything in a better way. That's not the same case with other vendors or other competing SIM tools.

In terms of the automation part, for other vendor SIM tools, we'll have to go ahead and integrate it with a third-party provider and basically build a custom script for automation. With Sentinel, we have out-of-box solutions for automation where Azure playbooks really come in handy.

It's a service from Microsoft, so there is nothing else that needs to be deployed. We just go ahead and enable it. It hardly takes five minutes to get started by enabling Sentinel.

Sentinel is a pretty straightforward product. In terms of the advanced configurations, security automation and orchestration, that's a bit complex. That said, getting started with Sentinel is an easy process.

I would say that there's definitely a Return of Value. I can't really comment on Return on Investment yet.

We have seen a lot of manual codes being reduced and a focus on real issues, which are really impactful rather than going ahead and analyzing or monitoring each and every alert. With our Sentinel AI-based analysis, we can go ahead and focus on the critical issues rather than monitoring each and every alert or incident.

Licenses won't work as this is a pay-as-you-go model. Companies pay in terms of the number of logs being integrated within Sentinel, and the price is quoted that way. Sentinel is pretty pricey compared to the other competitors where they have licenses. For Sentinel, it's a bit pricey when it comes to big environments.

For those who want to adopt Sentinel, I'd advise that it's a really one-stop solution for all the security needs. It can be integrated with all solutions out there. It can be one single control where you can go ahead and manage the security from. You don't have to go ahead and log into different endpoint portals, or threat-protection portals, or any third-party vendor solutions as such. 

I would rate the solution at about a nine out of ten. There is definitely a scope of improvement in terms of the feature sets or the possibilities that we could go ahead and unlock.

Our organization is a service company, therefore, we are proposing Microsoft Sentinel as an MSSP solution to our clients. Additionally, we are offering other solutions with Microsoft Sentinel. We have integrated Microsoft Sentinel with MISP, an open source intelligence trading platform, to create a deluxe solution. Furthermore, we use the five-year tool in conjunction with Microsoft Sentinel.

We pitched the solution for BFSI, healthcare, and ONG sectors.

The solution can be deployed based on the client's requirements.

Microsoft Sentinel provides visibility into threats by creating alerts, which will generate an instance and notify us. We can also view files and prioritize alerts using Microsoft Sentinel. Additionally, there is a tool with Sentinel that allows us to check alerts, which will help us identify false positives and false negatives, which is very beneficial for analysts.

Microsoft Sentinel helps us prioritize threats across our enterprise.

Microsoft Sentinel's ability to help us prioritize threats is a very important must-have feature for our organization.

Integrating Microsoft Sentinel with additional Microsoft solutions such as Microsoft Security Center is easy because we use a Microsoft agent. There is a default integration available with multiple connectors and we can use the agent to install data into Microsoft Sentinel.

The integrated solutions work natively together to deliver a coordinated detection and response across our environment. We use a playbook for the response process. We also integrated ServiceNow tools and Sentinel for ITSM. We are also designing the playbooks to meet our requirements.

Having the ability to integrate solutions with Microsoft Sentinel is an important feature.

Microsoft Sentinel provides comprehensive protection. 

Our organization has a strong partnership with Microsoft. Most of the services we receive are quite cost-effective. Microsoft provides market listings, allowing us to design our solution and place it on Microsoft's market listings, resulting in mutual benefits for both Microsoft and our organization.

We used Microsoft Defender for Cloud to get to the Azure security center for Sentinel. We wanted to work with a particular server but at the time the requirement was in order to use Defender we had to enable the solution across the subscription and not on one particular server.

Microsoft Sentinel enables us to ingest data from our entire system if we want.

Microsoft Sentinel enables us to investigate and respond to threats from one place. We can control everything from a single pane of glass.

Microsoft's built-in UEBA and threat intelligence capabilities play a major role in our security.

We can automate routine tasks, prioritize alerts using the playbook, and use the analytical rule's default settings when creating an alert. This helps to reduce false positives so that we only receive one alert for each issue.

Microsoft's XDR enabled us to avoid having to view multiple dashboards. We can integrate a variety of tools with Sentinel, allowing us to monitor all relevant information from a single screen.

The integration into one dashboard reduced our analytical work because it reduces the time required to review and respond to threats. 

The solution helped us prepare for potential threats proactively. Microsoft Sentinel helped our organization save money by preventing attacks. The solution helped reduce the threat detection time by up to 40 percent.

The data connectors that Microsoft Sentinel provides are easy to integrate when we work with a Microsoft agent.

The UI design for the investigation portion of Microsoft Sentinel is great.

The alerting of the queries works great and it is easy to develop a query around our requirements using Microsoft Sentinel.

The GUI functionality has room for improvement.

The playbook can sometimes be hefty and has room for improvement.

The troubleshooting has room for improvement.

I have been using the solution for three years.

The solution is stable.

The solution is scalable.

The technical support depends on if we have upgraded our support or not. The basic support has a wait time but the premium support is great.

Positive

We previously used IBM Security QRadar. The data connectors are more complicated and there are more configurations required with IBM Security QRadar compared to Microsoft Sentinel. The alerts are much better with Microsoft Sentinel.

The initial setup is straightforward.

The implementation is completed in-house with Microsoft documentation.

In comparison to other security solutions, Microsoft Sentinel offers a reasonable price for the features included.

I give the solution an eight out of ten.

The maintenance is completed by Microsoft.

I recommend Microsoft Sentinel to others.

We use it to monitor the cloud for any security issues. We are using it as a SIEM for our cloud workspace.

The most valuable feature is the UEBA. It's very easy for a security operations analyst. It has a one-touch analysis where you can search for a particular entity, and you can get a complete overview of that entity or user.

There is also something called workbooks in Sentinel that help us to monitor the complete cloud data and it gives knowledge about, and visibility into, our security posture.

It integrates seamlessly with Microsoft products, especially Office 365 and our Azure workspace, whether it's the Application Gateway or Azure DDoS or Azure Firewall. It has native integration that works very well.

You can also monitor Zero Trust security from Microsoft Sentinel.

There are a number of points they can improve. For example, if I see an alert and I want to drill down and get more details about the alert, it's not just one click. In other SIEM tools, you just have to click the IP address of the entity and they give you the complete picture. In Sentinel, you have to write queries or use saved queries to get details. For a security analyst, when there is an incident, it takes a lot of time to write queries, investigate, and then execute.

For example, if you want to search a particular entity or an IP address, or search the complete log instead of just the security alerts, it takes time to write a query for that. The MTTR is a little high, as is the mean time to investigate, compared to other SIEM tools.

I would also like to have more resources on KQL queries.

And using the data connectors is not straightforward when you want to create a use case that is not out-of-the-box. Creating a custom use case is a challenging process. You need to understand KQL queries and the support for regex is limited.

I've been using Microsoft Sentinel for between six months and a year.

The availability is good. But when you compare the stability with Splunk or ELK or QRadar, it still needs to be more reliable and stable, not from an installation or administration perspective, but when it comes to security operations.

We collect data from between 3,000 and 4,000 users, and our cloud workspace is somewhere around 100 or 200 servers.

The scalability is good because it has Azure in the back end.

We are still deciding whether to migrate completely to Sentinel or not. We are using two SIEM solutions in parallel. The other solution is LogRhythm. From an analyst perspective, Sentinel has to evolve more. Once it does, we can think of migrating to it fully.

The installation was straightforward and easy. With Azure Resource Manager, it was easy to deploy, and it was a straightforward integration, in terms of configuration, to connect the Log Analytics workspace with Sentinel and the solutions that Sentinel has.

Deploying the solution hardly took four hours, and the initial configuration took a single person one day, meaning eight hours.

We used to have an on-prem solution and we moved our workload to the cloud. Our users did not face any challenges or difficulties as a result.

We are still in the process of getting our ROI. We are waiting for the solution to improve and mature.

Sentinel is pretty competitive. The pricing is at the level of other SIEM solutions.

I have experience with Splunk and QRadar and they are the best. They are equivalent, one with the other. Both the solutions are mature enough, having been in the market for quite some time. They know what they're doing and are easy to use from an analyst's perspective. Both are scalable solutions as well.

The drawback of these two solutions is that it takes a little bit of time to do integrations, especially for Azure workloads, as they're not in-built in Azure.

Always record your KQL queries and stick to the basics.