Microsoft Sentinel Reviews

We primarily use many Microsoft products, including Microsoft 365 with a focus on the security aspect. We have Defender for endpoints and Defender for servers. We also use Azure Sentinel with these.

This product has improved the way our organization functions. I won't be able to provide exact metrics as I don't directly work with metrics, however, from an improvement perspective, it is just a more streamlined deployment. 

We also use Intune as part of the MDM. If there are any agents that need to be deployed, then we can use that or we can just configure Windows from MDM directly. A lot of things can be just set up out-of-the-box and are ready to go and it sends logs right to Azure Sentinel. Therefore, while I don't have hard numbers, it's definitely made deployments easier and is much less time-intensive for our organization.

Coming from other SIEM solutions, Sentinel seems to be pretty good. 

It's pretty powerful and its performance is good.

The most powerful aspect is the whole integration with the Microsoft ecosystem. If you have the Microsoft 365 subscription, E5, then it integrates pretty seamlessly with everything you're trying to do. 

You obviously have connectors with other third-party, non-Microsoft stuff as well. They have pretty good integration with those. 

Azure Sentinel has a lot of built-in analytics rules, that help us get started in terms of triggering anomalous activity. In terms of performance, they're pretty fast. I've used QRadar and Splunk. Compared to Azure Sentinel those are pretty slow. Some searches in Sentinel are pretty instantaneous. For bigger searches, it's a very noticeable and impressive turnaround.

There are a lot of features that I don't touch just because I'm in the SOC. That said, I know customers have deployed different items that are quite useful. 

The end-user experience is good. It's just pretty seamless. When I was onboarded, it was just a simple download and then a sign-in to my account. It'll basically configure everything for you and download the necessary stuff that the company has defined - including Defender, et cetera. 

Microsoft needs to stop renaming their stuff. A lot of their products are very confusing due to the names they choose. The first time I heard of Defender I assumed it's just their antivirus, anti-malware, or a package that covers those things. However, there's Defender, Windows Defender, and then there's Defender for Endpoint, and there's also Defender for servers, et cetera. That really needs to be streamlined. As far as Defender's concerned, they want just a protective device. The differences are confusing.

Maybe it's a transitional choice, however, they've been doing a lot of migrations to a new portal in the security center or office privacy center. There's a bunch of portals where some things are repeated or duplicated. You have the same features in the portals, yet, in some cases, there are some things that you have to go to one portal and not the other, as it hasn't been migrated or the feature is just not there.

If their UI was a bit more streamlined and easy to find when I need it, then that would be a great improvement.

I've been using the solution for one year.

The stability is pretty good. However, there is one flaw. We did have an issue where Microsoft had some issues with some components that caused issues with their cloud. It might have been an authentication issue or something like that, however, it basically took down everything. We weren't able to work. While integration is good if something comes from one vendor and if that vendor goes down, then everyone is pretty unhappy.

While at my previous organization we had about 50 or 60 users, as a small company, we had customers that could have users in the thousands.

I didn't notice any scalability issues, and therefore I assume it's quite good. With respect to Azure Sentinel, I've never had an issue.

As far as I know, we're using pretty much everything that Microsoft has from a security perspective. I don't know how we can expand anymore.

I've never had to call technical support or reach out to technical support, therefore, I can't speak to how they operate.

I've previously used SentinelOne for endpoints and antimalware, et cetera, and Splunk for the SIEM.

I was specifically working in SOC; I was more responsible for the day-to-day operations. Unfortunately, I cannot speak to the deployment so much. I would not have information on the implementation strategy, for example.

We handled the deployment internally.

I was in the SOC. I don't deal directly with that pricing. They do have multiple licensing levels. It's just about knowing what you need. One good thing about Microsoft is that they do have quite a few options depending on your needs. That said, sometimes it could be hard to pick because there are so many. 

As an organization, you need to understand the company's needs. For example, if you don't have a security team to look at your alerts or to set up all the stuff, then you probably don't need some of their most expensive services. You need to purchase the subscriptions accordingly if you're able to leverage them.

They have premium and enterprise subscription levels. I don't know what the standard would be. They have E3 and E5 level licensing. I don't know off the top of my head the differences, however, E5 likely has more security features. Companies need to be aware of all the differences.

I was not part of any evaluation process. I came to the company afterward. 

I'm not sure which version of the solution we're on. We have another team that does the deployment and they would take care of the versioning, et cetera, however, we usually run the latest.

Microsoft makes Windows. They know their stuff. Having everything streamlined can be time-saving. It's good to have an integrated system rather than using something else. You don't need to jump through a lot of hoops or install additional software in order to get everything up and running.

I'd rate the solution at an eight out of ten.

I work with Azure Sentinel from a commercial perspective. We use Azure Sentinel to provide services to our customers. We use it as a security analytics platform for our customer base.

About half of our customers that are using it have migrated from an alternative solution, and half of them are using it for the first time or using something like this for the first time. It enabled customers that previously found it difficult to justify the cost of a security-analytics platform to actually deploy one without enormous upfront costs. It’s been cost-effective and it's pay-as-you-go.

Its capability in the advanced threat-hunting area is its most valuable aspect.

The solution has features that helped improve the security posture of our clients. It provides the ability to correlate a large variety of log sources very cost-effectively, especially for Microsoft sources.

While the solution has affected our client’s security posture, it’s difficult to give a concise answer to how. All customers that have deployed our Azure-Sentinel-based services have quickly found situations that they weren't already aware of and therefore have been able to take appropriate action. They feel much more confident that potential threats will be discovered in a more timely fashion.

Sentinel affected the end-user experience, in that we get visibility of much more useful data in an easy-to-digest format that provides easy-to-understand value.

It is difficult for me to give a straight answer as to what needs improvement, being that I'm not one of the hands-on users. What we do find is that Microsoft is continuously introducing improvements to the platform. We do see continuous improvement all the time, however, I haven't got a specific feature that is lacking or not well designed.

I've been using the solution for about one year.

I've not been aware of any issues or outages that we've experienced with it. We've been very pleased in that respect. There is nothing negative to report in that area.

Scalability is one of the product's big strengths and one of the reasons that we are migrating. One of the issues with traditional platforms is that generally speaking, you have to be very careful sizing them, otherwise, if you undersize it, you're going to have expensive upgrade requirements, particularly if it's an on-premise solution. On the other hand, if you oversize it, you'll be paying too much. Whereas, with Azure Sentinel, it's pay-as-you-go. You don't really concern yourself too much with sizing, apart from budgeting for it. If you just size it for what you need today, and tomorrow, if you need more, it scales at cloud scale. It's one of its big strengths.

Dealing with technical support is not something I do directly. I don't know specifically anything about it, although it's likely that our team has dealt with them in the past.

The solutions that I've had personal experience with are AlienVault, Splunk, LogRhythm, and QRadar. I'm sure there's at least one other main one, however, they're the main ones I'm familiar with. We've seen migrations from quite a lot of different traditional platforms.

The initial setup is reasonably straightforward, however, previous experience is very useful, which is why we offer to assist with setup. If customers are looking to do it themselves, it would probably be sensible to work with a partner who has previous experience to be able to deliver the value quickly and not waste time going down a dead end. That said, it's reasonably easy. I don't consider it a difficult platform to deploy.

We usually follow a specific implementation or deployment strategy. The first steps would include a thorough analysis of the clients' environment, understanding from them where the valuable log sources are, and making sure that we fine-tune the system to, again, only be including valuable, relevant information, not a whole load of noise. 

There isn't really much maintenance required. Microsoft maintains the platform. What we do, or what a customer will do if they're managing it themselves, is just manage it for their requirements. Maintenance is not an issue, as Microsoft provides that as part of the platform.

We offer a range of services around Azure Sentinel. There are two main ones. Either we help a customer deploy and configure Azure Sentinel, which they then might manage themselves. However, for most of our customers, we actually provide a complete 24/7 managed service for it. This is due to the fact that the market that we target, which is typically medium-size organizations, would find it difficult to be able to justify the cost of setting up a 24/7 operation for this. We do the 24/7 bit and work as a partner providing the security services.

I don't have any specific numbers, however, we've seen customers that have switched from previous solutions have said that the ROI on this has been much quicker, within a couple of months, basically, due to the fact that there is no massive upfront investment. It's pay-as-you-go. We've seen a quick and impressive ROI.

I haven't personally evaluated any other solution, although chances are members of my team have.

We are independent, however, we are a Microsoft gold partner. They supply us with the technology and we help customers use it. There's a relationship. That said, our company is not part of Microsoft or anything like that.

I would not necessarily call Azure Sentinel a SaaS solution, however, I suppose it is in a way as it's all provided as a service by Microsoft. PaaS might be the best way of describing it. 

The one thing I would advise new users is to make sure that Azure Sentinel is on the list of platforms to evaluate, and particularly if they are heavy Microsoft users. By that, I mean, Azure and Microsoft 365. Obviously, pretty much everyone's on Microsoft 365, however, particularly if a user is a heavy Azure user, then they should find the proposition pretty compelling. 

I'd rate the solution at a nine out of ten. We've been very impressed with it, and customers that have gone in this direction have been as well.

Microsoft Sentinel is basically a major log, on top of which you can build queries that can analyze the data you get. It's used to build up security operations centers. In addition, it is a SIEM and SOAR solution.

The first benefit is that you have one place to close incidents. That's definitely an advantage. 

Another benefit is KQL, Kusto Query Language, and the analytic rules with which you can spot suspicious behavior of all kinds. It's definitely a step up when it comes to security. You see the benefits almost instantly.

In addition, automation helps prioritize what needs to be looked at, and what can just be closed and forgotten.

And when you combine the threat intelligence with Defender for Endpoint's recommendations, it's a really strong way to protect things or be proactive when it comes to security, with the CVEs, et cetera.

Overall, our Microsoft solution saves time. Without it, you might have to navigate six or seven portals, but with it, you only have to look at one place, and that saves some time. Most of the time, it eliminates having to look at multiple dashboards and gives you one XDR dashboard. Ideally, that should make working with IT security easier. It also decreases the time it takes to detect and respond.

As a consultant, none of the customers I work for has been hacked or has been close to being hacked. That would be the best way to judge if it saves money because just putting Sentinel on top of all these security products doesn't save you money. It's possible it saves you money. 

I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals when it comes to incident response.

The solution helps prioritize threats across your enterprise and that is quite important. There is a concept called "alert fatigue," and Sentinel can also cause that because it detects so many false positives. But usually, the high and medium risks it identifies are things you need to take a look at. So prioritization is quite important.

We also use Defender for Cloud, Defender for Endpoint, and Defender for Cloud Apps. It's quite easy to integrate these Microsoft products because they can easily communicate with other Microsoft products. The tricky part is to integrate other vendors' products, like Cisco or Linux, with Microsoft Sentinel. The actual integration is easy, but they generate a lot of data. But with its entire Defender suite, Microsoft is trying to cover everything in Azure and that is a really strong point.

Sentinel enables you to ingest data from your entire ecosystem and that is vital, but sometimes it's a bit hard to figure out what data you actually need.

Also, the UEBA is a neat feature.

The built-in SOAR is not really good out-of-the-box. The SOAR relies on logic apps and you almost need to have some kind of developer background to be able to make these logic apps. Most security people cannot develop anything, but if you want to make full use of the SOAR part of Microsoft Sentinel, you need to be able to develop these logic apps. You can say, "Okay, that's simple," but it's not simple for someone who doesn't develop.

Also, the bi-directional sync in Microsoft Defender for Cloud should be enabled out-of-the-box. Otherwise, while you can close incidents in Sentinel, they will not be closed in all the other portals. That is really important.

In addition, the watch list could be improved. Microsoft could develop some analytic templates based on these watch lists, for example.

And if you don't have any KQL knowledge, Sentinel is actually quite hard to use or to get the most out of.

I have been working with Microsoft Sentinel for approximately one year.

It's a stable solution.

My clients are looking to increase their usage of Sentinel. Every time I look, there is a new data connector, so it seems like it's a product that is constantly in development.

I haven't used their technical support.

The initial deployment, for me, is not really complex. It takes one hour or less. But to be able to use Sentinel to its full capabilities, you must definitely know something.

In terms of an implementation strategy, you need to really think ahead about who should be able to do this, and who should be able to do that, and respond to that, et cetera. A proof of concept would include dealing with the architecture, gathering initial data sources and/or automation, and then learning how to navigate in Sentinel. One person can do it.

My clients are enterprise-level companies and the solution requires maintenance. It includes updating analytics, importing, and creating new analytics. It depends on the company. If you have 100 employees, one employee might be enough to maintain things, but if you have 10,000 employees and 10,000 devices, you might need more employees.

No license is required to make use of Sentinel, but you need to buy products to get the data. In general, the price of those products is comparable to similar products.

My advice is to start out with a little bit of data and build on top of that. Don't enable too many data connectors in the beginning. Get familiar with the product, and remember to work with Sentinel every day. That's the only way the product gets better.

It comes with some out-of-the-box analytics, but to get the full and best usage out of it, you have to really keep developing it with hunting queries, analytics, et cetera. The visibility provided by the built-in analytics rules, what they detect, is rather good, but Microsoft Sentinel requires ongoing work. It helps automate routine tasks as well, but that's not something that comes "for free." It also requires ongoing work.

Threat intelligence is something that you must be more than just a novice in Sentinel to make use of.

Overall, I find Sentinel to be a really strong solution. Sentinel is where you can see the overall security status of your company. I really enjoy working with Microsoft Defender and the entire suite, combined with Microsoft Sentinel.

We primarily use the solution for the surrounding management. 

The correlation is very useful.

We like that it is an integrated platform. 

It's very much an agile product.

Everything works very well across the product.

The initial setup is very simple and straightforward. 

It is a scalable solution. 

The performance has been good.

We'd like to see more connectors.

The solution needs to offer a bit more advancement, enhancement, and scalability with other products as well, including the market competitors.

The solution is stable. The performance is good. There are no bugs or glitches. 

The server is scalable.

We haven't really used support all that much. That said, we haven't really had issues with them.

Positive

I've worked with other solutions, including, for example, Splunk. For me, each solution has a limitation when it comes to some use cases. It all depends upon the business strategies. 

The initial implementation is very easy. It's straightforward. It's not complex or difficult at all. A company shouldn't have any problems executing a setup.

The deployment process itself is very quick. It only takes maybe 30 to 40 minutes. 

We don't really need any maintenance on the solution. We're usually required to do maintenance when the agent determines it.

We did not require any third parties when it came to setting it up. We didn't use any integrators or consultants. The implementation was handled by in-house personnel. 

There is a community version. Whether or not the pricing is expensive depends on what a company needs and if it covers its requirements. I've been satisfied with the pricing so far. I don't find it overly expensive. 

You do pay a subscription fee for the service if you aren't using the community version. 

We're always happy to evaluate any other products on the market.

We are a gold customer.

I would recommend the product if it made sense for an individual company's use case. 

For the people who are on the cloud, I would suggest they go for Sentinel regardless of any other SIEM. It will do a good integration with other solutions, and with other cloud providers while providing a holistic view as well.

I'd rate the solution an eight out of ten.

Our organization is a service company, therefore, we are proposing Microsoft Sentinel as an MSSP solution to our clients. Additionally, we are offering other solutions with Microsoft Sentinel. We have integrated Microsoft Sentinel with MISP, an open source intelligence trading platform, to create a deluxe solution. Furthermore, we use the five-year tool in conjunction with Microsoft Sentinel.

We pitched the solution for BFSI, healthcare, and ONG sectors.

The solution can be deployed based on the client's requirements.

Microsoft Sentinel provides visibility into threats by creating alerts, which will generate an instance and notify us. We can also view files and prioritize alerts using Microsoft Sentinel. Additionally, there is a tool with Sentinel that allows us to check alerts, which will help us identify false positives and false negatives, which is very beneficial for analysts.

Microsoft Sentinel helps us prioritize threats across our enterprise.

Microsoft Sentinel's ability to help us prioritize threats is a very important must-have feature for our organization.

Integrating Microsoft Sentinel with additional Microsoft solutions such as Microsoft Security Center is easy because we use a Microsoft agent. There is a default integration available with multiple connectors and we can use the agent to install data into Microsoft Sentinel.

The integrated solutions work natively together to deliver a coordinated detection and response across our environment. We use a playbook for the response process. We also integrated ServiceNow tools and Sentinel for ITSM. We are also designing the playbooks to meet our requirements.

Having the ability to integrate solutions with Microsoft Sentinel is an important feature.

Microsoft Sentinel provides comprehensive protection. 

Our organization has a strong partnership with Microsoft. Most of the services we receive are quite cost-effective. Microsoft provides market listings, allowing us to design our solution and place it on Microsoft's market listings, resulting in mutual benefits for both Microsoft and our organization.

We used Microsoft Defender for Cloud to get to the Azure security center for Sentinel. We wanted to work with a particular server but at the time the requirement was in order to use Defender we had to enable the solution across the subscription and not on one particular server.

Microsoft Sentinel enables us to ingest data from our entire system if we want.

Microsoft Sentinel enables us to investigate and respond to threats from one place. We can control everything from a single pane of glass.

Microsoft's built-in UEBA and threat intelligence capabilities play a major role in our security.

We can automate routine tasks, prioritize alerts using the playbook, and use the analytical rule's default settings when creating an alert. This helps to reduce false positives so that we only receive one alert for each issue.

Microsoft's XDR enabled us to avoid having to view multiple dashboards. We can integrate a variety of tools with Sentinel, allowing us to monitor all relevant information from a single screen.

The integration into one dashboard reduced our analytical work because it reduces the time required to review and respond to threats. 

The solution helped us prepare for potential threats proactively. Microsoft Sentinel helped our organization save money by preventing attacks. The solution helped reduce the threat detection time by up to 40 percent.

The data connectors that Microsoft Sentinel provides are easy to integrate when we work with a Microsoft agent.

The UI design for the investigation portion of Microsoft Sentinel is great.

The alerting of the queries works great and it is easy to develop a query around our requirements using Microsoft Sentinel.

The GUI functionality has room for improvement.

The playbook can sometimes be hefty and has room for improvement.

The troubleshooting has room for improvement.

I have been using the solution for three years.

The solution is stable.

The solution is scalable.

The technical support depends on if we have upgraded our support or not. The basic support has a wait time but the premium support is great.

Positive

We previously used IBM Security QRadar. The data connectors are more complicated and there are more configurations required with IBM Security QRadar compared to Microsoft Sentinel. The alerts are much better with Microsoft Sentinel.

The initial setup is straightforward.

The implementation is completed in-house with Microsoft documentation.

In comparison to other security solutions, Microsoft Sentinel offers a reasonable price for the features included.

I give the solution an eight out of ten.

The maintenance is completed by Microsoft.

I recommend Microsoft Sentinel to others.

We use the solution as more of a security management tool. It's a combination of monitoring and security management.

The most valuable features of this solution are the analysis and the automation. The security automation and orchestrations are great. Other tools, which I can't really name right now, don't have the potential automation this has. They do to a certain extent, however, we have to go ahead and integrate other different solutions on top. On the other hand, with Azure Sentinel, we have out-of-box solutions within Azure using Azure playbooks, where we can automate, filter, and complete tasks that reduce the manual effort. That comes under security automation and orchestration. An incident or an alert can be generated, a playbook can be triggered and completed. The manual effort can be reduced via automation.

The analysis is an important feature. It gives us a deep analysis of not just the alert, but also checks on the dependent resources or to ensure dependency matching is correctly done. We can see, with any issue, how deep it's affecting us, for example.

Sentinel has features that have helped improve our security poster. It helped us in going ahead and identifying the gaps via analysis and focusing on the key elements.

Sentinel has not affected the end-user experience in any way. These are basically integrated with solutions from Microsoft or vendor solutions. Therefore, the end-user experience doesn’t change.

The solution could improve the playbooks. As of now, we are customizing those playbooks for our needs. However, if there were out-of-box solutions available, which could automate a few tasks by default, that would really be of great help.

I've used the solution for over two years.

Performance is not something that we need to worry about as this is a service from Microsoft, and the underlying infrastructure of Sentinel is fully managed by Microsoft. All we need to do is go ahead and get started with the service. Once we have enabled Sentinel, it's all about integrating it with other logs. That's it. 

Scalability is something that's pretty easy in terms of integrating it with other log workspaces. I know there is a cost involved, however, in terms of scaling, it's pretty easy.

We have huge applications with a user base of about 10,000 to 25,000 users for this application. In terms of the end-users who have resources like VDI solutions or other solutions, there are about 5,000 to 7,000. Therefore, end-users and application users are different. 

Technical support is pretty straightforward. It's a no-brainer around that. They have standard SOPs they follow. There's nothing out-of-box that they provide as a solution as such as that is something that needs to be customized. If there is any customization, support, they would not be able to help us. It's all about going ahead and following the standard SOP.

They know what they're doing. However, when it comes to Sentinel, a lot of customizations are required, which support doesn't provide any assistance around.

I've worked with various other SIM solutions. There are only a few other competitors or SIM tools, which also have AI-based analysis.

With Microsoft, the advantage is that it can correlate with a lot of other solutions as Azure itself is a cloud provider and they have a lot of environments that they go ahead and manage in terms of the SIM. They can go ahead and have correlation on alerts. The AI can go and learn from other infrastructure and can also analyze everything in a better way. That's not the same case with other vendors or other competing SIM tools.

In terms of the automation part, for other vendor SIM tools, we'll have to go ahead and integrate it with a third-party provider and basically build a custom script for automation. With Sentinel, we have out-of-box solutions for automation where Azure playbooks really come in handy.

It's a service from Microsoft, so there is nothing else that needs to be deployed. We just go ahead and enable it. It hardly takes five minutes to get started by enabling Sentinel.

Sentinel is a pretty straightforward product. In terms of the advanced configurations, security automation and orchestration, that's a bit complex. That said, getting started with Sentinel is an easy process.

I would say that there's definitely a Return of Value. I can't really comment on Return on Investment yet.

We have seen a lot of manual codes being reduced and a focus on real issues, which are really impactful rather than going ahead and analyzing or monitoring each and every alert. With our Sentinel AI-based analysis, we can go ahead and focus on the critical issues rather than monitoring each and every alert or incident.

Licenses won't work as this is a pay-as-you-go model. Companies pay in terms of the number of logs being integrated within Sentinel, and the price is quoted that way. Sentinel is pretty pricey compared to the other competitors where they have licenses. For Sentinel, it's a bit pricey when it comes to big environments.

For those who want to adopt Sentinel, I'd advise that it's a really one-stop solution for all the security needs. It can be integrated with all solutions out there. It can be one single control where you can go ahead and manage the security from. You don't have to go ahead and log into different endpoint portals, or threat-protection portals, or any third-party vendor solutions as such. 

I would rate the solution at about a nine out of ten. There is definitely a scope of improvement in terms of the feature sets or the possibilities that we could go ahead and unlock.

We are running an MDR service for our customers and use Azure Sentinel as the SIEM product to allow us to have an overview of all our customers, but also to easily push configurations to different customers.

We use Azure Sentinel as an alert aggregator to import all of the incidents/alerts from the different (Microsoft) security products in order to have a single pane of glass. On top of that, we create our own custom Analytics Rule that can be used to add our own added value. This enables us to create our own IP to protect customers. 

It's really convenient for us to aggregate the logs/alerts from all our customers into a single pane of glass. By using the automation capabilities, it's relatively easy to sync all incidents to our ITSM tool which we can use to follow up on incidents. As it's based on the Microsoft stack, it's convenient for our engineers to learn the product. As Azure Sentinel is also a big focus for Microsoft, we have the ability to work with them on certain products. This creates visibility within the community and for new customers.

There are three valuable aspects of the solution: MSSP support, integration with Microsoft, and Automation. By using Azure Lighthouse, an MSSP can easily integrate their applications into their own baseline of policies/configurations.

Because Sentinel is built as an MS-first product, it integrates natively with other Microsoft products, which is really convenient as we are standardized on it. Without much work, you can connect any Microsoft product to it. 

Last, but not least, Sentinel uses Azure Logic Apps for automation, which is really powerful. This allows us to easily automate responses to incidents.

Azure Sentinel is constantly growing. Throughout the two years we have been using it, we have seen it expand tremendously. A lot of the limitations we had originally seen have already been mitigated. A couple of potential improvements could be: allow for a streamlined CI/CD procedure. Now it's a combination of using API/Powershell and ARM which is not ideal. Also, it should allow us to ingest on-prem logs by using a SaaS platform to ingest CEF/Syslog logs that also allow for prefiltering. This would allow us to minimize the cost of the solution.

I've been using the solution for 1.5 years.

We didn't use another SIEM product before Azure Sentinel. 

The cost can be a little confusing at first, but the Azure calculator is a great place to start. I would advise to start with integrating Microsoft products first, as this is the most convenient way forward and allows you to learn the product as you go.

In general, Azure Sentinel can be set up really quickly.

We use this solution for analyzing Microsoft cloud-based log services and for security data. The services include Microsoft 365, Azure Security Center logs and Microsoft cache logs. We are gold security partners with Azure. 

The UI-based analytics are excellent, it's something I haven't seen with any other SIEM products. Microsoft has excellent tools for cleaning data, sorting out irrelevant log data and even fixing log data.

There's not much that needs improvement but the on-prem log sources still require a lot of development. It's clear that there are limitations there. I also think that the implementation and on-prem data sources could be done in a better way. We've used some functions with Python and whole scripting on FortiSIEM, which is something that Microsoft could easily provide, but so far hasn't.

The product has been very reliable. I don't know that there have been any service outbreaks. We haven't had any problems. 

We have 700 users and from our perspective, it has unlimited processing power, but this is quite common for cloud services. I think the scalability has to be some kind of ABM and feeding all of the log stats, which could possibly have limits, but Azure has huge computing power behind it.

The support is good, the only issue is getting past the level one people who ask if you've tried rebooting. If you have Microsoft's Unified Support, the most expensive support, then you'll be very happy. It's not the best support in the industry, but it's pretty good and they also support Sentinel. 

The initial setup was extremely straightforward. It was the easiest I have seen because it's an SaaS service. I think anybody can do it by just clicking and clicking and saying yes. Straight out of the box and that's the strength of the SaaS service because there's no installation, you just use it. 

We compared Azure to Splunk and to our current mainstream implementation, FortiSIEM. If you have a lot of security data, then you feel that Azure is quite expensive but it's nowhere near as costly as Splunk which is four or five times more expensive. FortiSIEM wasn't good enough and Splunk was way to expensive. 

I would definitely recommend this solution. If you have cloud-based workloads and different cloud or cloud lookalike services that require security data, or if you are looking for SOAR functionalities, then it's a no brainer. It's the best in that market. On the other hand, if you are mainly working and operating with on-prem stuff then there's no advantage over FortiSIEM or other solutions. 

I rate this solution a nine out of 10.