Microsoft Sentinel Reviews

Name: Microsoft Sentinel
Brand: Microsoft
Rating: 4 (89 reviews)

Vendor: Microsoft

4.1 out of 5

89 reviews
93% willing to recommend

303 followers

Post review

What is Microsoft Sentinel?

Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution that lets you see and stop threats before they cause harm. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs—while reducing IT costs. With Microsoft Sentinel, you can:

Get the Microsoft Sentinel Buyer's Guide and find out what your peers are saying about Microsoft Sentinel, Microsoft Intune, Microsoft Defender for Endpoint and more!

Microsoft Sentinel is the #1 ranked solution in SOAR tools, #2 ranked solution in top Security Information and Event Management (SIEM) solutions, and #5 ranked solution in top Microsoft Security Suite solutions. PeerSpot users give Microsoft Sentinel an average rating of 8.2 out of 10. Based on the analysis of the 89 most recent Microsoft Sentinel reviews, the overall sentiment is positive, with a sentiment score of 7.1. (Among the highest in the category). Microsoft Sentinel is most commonly compared to Microsoft Intune: Microsoft Sentinel vs Microsoft Intune. Microsoft Sentinel is popular among the large enterprise segment, accounting for 58% of users researching this solution on PeerSpot. The top industry researching this solution are professionals from a computer software company, accounting for 16% of all views.

Helped 814,763 peers since 2012

Featured reviews

Nitin Arora

Security Delivery Senior Analyst at Accenture

The most amazing aspect of Microsoft Sentinel is the daily upgrading of the product. They have third-party connectors that their people are enhancing on a daily basis. That is what I like about the product. Their people are not sitting idly and saying, "Okay, we have created the product, now just use it." It's nothing like that. They are continuously working on it to make it number one in the market. It also has a playbook feature so that we can do automation in Sentinel itself, based on the data sources and the logs that we are receiving. That means we don't need to do manual stuff again and again. Using Sentinel, we can collect all the logs of third-party vendors and use them to analyze what kinds of scenarios are going on in the environment. On top of that, we can create analytics rules to monitor the environment and take action accordingly if there is a suspicious or malicious event. Something else that is great is the visibility into threats. We have an AI feature enabled in Sentinel and that gives us great visibility into the data sources we have integrated. And for data sources that we don't have integrated, we have a Zero Trust feature and we get great visibility into the threat log. Visibility-wise, Sentinel is fantastic. The ingestion of data from our entire environment is very important to our security operations. We have clients in insurance and multiple firms that deal with taxation, and we need to do an audit yearly. To do that, we need the data from the whole environment to be ingested into the workspace.

Read full review

Jalan Cruz

Cyber Security Analyst at CoinFlip

In terms of visibility, Microsoft Sentinel captures a lot of useful data. Microsoft Sentinel helps us prioritize threats across our enterprise. It shows us the most vulnerable assets, and because we have agents on every machine, we know exactly where to go to investigate. This is important for staying secure as a company. It allows us to cover our own bases by seeing what is happening in real-time and taking proactive steps to address threats, rather than reacting to them after they have already occurred. We can stay up-to-date with security measures and ensure that we follow through and execute our security plan. We integrated Microsoft Sentinel with Defender for Cloud, Endpoint, and Defender Vulnerability Management. Microsoft is not the most vendor-friendly company in terms of integrations and connections, but we were able to get it working in the end, so we cannot really complain. Microsoft's security tools work natively together to deliver coordinated detection responses across our environment. The comprehensive threat protection that Microsoft Sentinel provides is good. They provide really good information. We are able to create documents, perform root cause analysis, and analyze anything we need to. Log integration is also key. We are able to find potentially malicious files, correlate events to alerts, and then take action on alerts. So, the comprehensiveness is pretty straightforward. We use Cloud and Endpoint security. We have our Defender cloud, and then Defender agents on each endpoint. The bidirectional sync capability is important, and it is a work in progress. We are in the process of off-boarding our contract with CrowdStrike. We are moving all of our cybersecurity needs to Microsoft Defender, which is included in our existing Microsoft licenses. This makes financial sense, and CrowdStrike was not providing us with much value. The system allows us to ingest data from our entire ecosystem, which is very important. This is our main source of correlation of logs to alerts. Therefore, we definitely need to get every single log source, and possibly a few more. The system allows us to investigate and respond holistically from one place. It is a very comprehensive tool to use. However, the supporting documentation is limited to initial troubleshooting. This is where I find the most difficulty in explaining how good the tool is. Other than that, the tool is pretty straightforward. There is enough documentation to get us started. However, beyond that, we will need to rely on online forums and other open-source resources to learn more about the tool. When comparing Microsoft Sentinel to other SIEMs in terms of cost, we are saving money because it is included with our Microsoft 365 E5 licenses. This also helps us to reduce the number of different types of software that we need to use. We do like redundancy in terms of coverage, but the cost of multiple solutions adds up. We want to be able to use one central location for all of our security software. This is one of the reasons why we choose Microsoft Sentinel over third-party solutions. As we move into larger projects, we need to have a centralized place for all of our security policies and procedures. Microsoft Sentinel helps us automate routine tasks and find high-value alerts. We also use Sentinel as a store for our alerts. This allows us to automate most of our responses if not all of them. We also tailored our alerts to specific events that occur in our environment. Microsoft Sentinel helps eliminate the need to use multiple dashboards by providing a single XDR dashboard. We currently use Sentinel's workbooks, which provide a dashboard that we can use for metrics, reporting, and other purposes. This makes it easier to relay information upwards, as it is presented in a more visually appealing and easy-to-understand manner. For example, we can use pie charts, bar charts, and line charts to represent data in a way that is easy to understand. This makes it easier to convey information to upper management, such as where we are most vulnerable and what steps we need to take to improve our security. Microsoft Sentinel helps us prepare for potential threats before they hit by taking proactive steps. We can also detect ongoing incidents. For example, if we receive a ticket or alert that is ongoing and will not go away, we can automate a response to it and add it to our playbook. This way, if a similar incident occurs in the future, we will know what to do to respond immediately. In terms of automation, I believe we save about 20 to 22 hours per week by closing tickets. We receive about 50 to 100 tickets per day, and we automated about 80 percent of those. This means that we can now close tickets without having to manually review them. This saved us a significant amount of time, which we can now use on other tasks. We are on the smaller side in terms of the number of logs that come in. So, I don't think it's necessary to compare at this level of data ingestion. However, I can definitely see that if we scale and grow in the future, it will save us a lot of money, especially in terms of manpower and hours that we have to dedicate to automation or non-automated tasks. For example, in the six months that we've had Sentinel up and running, we've saved 755 hours in automation alone. We currently meet all of our service level agreements in terms of incident response. This definitely saved us time, and we also receive email alerts directly so that we know as soon as something happens.

Read full review

Arun-Raj

Associate Consultant, SIEM Engineer at a tech services company with 501-1,000 employees

The best feature is that onboarding to the SIM solution is quite easy. If you use cloud-based solutions, it's just a few clicks to migrate it. The console is user-friendly. We have almost 120 different types of data, so the solution helps us to onboard different types of third-party services to the SIM solution. We have UB features, and the SOAR capability in the Sentinel server is also a good feature. Sentinel's visibility into threats is very good. We have an investigation graph that allows us to see the correlation between the incident and the users. We can see if there are multiple incidents with the same IP address and if there are multiple breaches. We can correlate with the rules and check if any inside threat activities are going on with the malicious site or the malicious URL link that we have onboarded. The threat view provides good visibility. We can prioritize threats based on our investigation assets. It's very fast. We're able to see the rest of the threat activities and how impactful they are. Based on the AML algorithm, we can get all the stages of the attack as well. Sentinel enables us to ingest data from our entire ecosystem. The importance of this ingestion of data to our security operations depends on the data and the type of solutions we have to onboard. We onboard our critical servers and assets to the same solution so we'll have good visibility. We're able to investigate threats and respond holistically from one place. We can validate the logs from where the logs have been received. By doing the log analysis, we'll be able to find them. It's a straightforward function and isn't very hard. There's an incident pane in Sentinel. We have a query package, and we can have a deep dive alert through that, or we can have a deep look into the log. From the console itself, we have a great view of our threats and the current phase we're in. We have multiple source features. There are between 20 to 30 in addition to data. Microsoft provides custom features through which we can connect with third-party solutions and correlate the incident. For example, if we have multiple incidents, we can use the SOAR capabilities and correlate them with multiple third-party threats. It's an easier way of understanding whether or not we have a malicious bug. We can see how much time our analysts have taken to raise the ticket and how much time they have taken to resolve the issue assets. We can create a dashboard for that. They're able to notify us within five or ten minutes for high priorities. For the medium priorities, it is 10 to 12 minutes. Our detection time for low priorities is within three hours, but our team still performs under 15 to 18 minutes.

Read full review

Microsoft Sentinel mindshare

Product category:

As of November 2024, the mindshare of Microsoft Sentinel in the Security Information and Event Management (SIEM) category stands at 10.8%, down from 12.8% compared to the previous year, according to calculations based on PeerSpot user engagement data.

Security Information and Event Management (SIEM)

Key learnings from peers

Last updated Oct 23, 2024

Valuable Features

Microsoft Sentinel's most valuable features include strong integration with Microsoft products, AI and automation capabilities, advanced threat detection, and a single pane of glass view for security incidents. It supports seamless data ingestion from various sources, offers powerful analytics via Kusto Query Language, and enhances security through built-in playbooks and automation. Users appreciate fast deployment, scalability, and efficient threat prioritization, benefiting from its cost-effective pricing and user-friendly interface.

"The query language of Microsoft Sentinel is easy to understand and use."
"Sentinel has reduced the work involved in the event investigation by quite a lot."
"Microsoft Sentinel stands out among SIEM tools for its user-friendliness and powerful built-in query language."

Room for Improvement

Microsoft Sentinel requires improvement in ease of integration with non-Microsoft tools and better support for on-premises systems. Users find the learning curve steep, the user interface complex, and documentation lacking. High costs and complicated pricing models are a concern. There is a need for more native connectors, flexible log ingestion, and enhanced reporting capabilities. Efficiency issues such as alert delays and frequent false positives are problematic. Users advocate for expanded AI features and better training materials.

"The pricing could be improved."
"From a client perspective, they'd like to see more cost savings."
"Microsoft Sentinel's search efficiency can be improved, especially for queries spanning large datasets or long timeframes like 90 days compared to competitors like Splunk."

ROI

Organizations experience mixed results with Microsoft Sentinel's ROI. Some note increased costs, yet many find efficiency gains through automation and integration ease. Several report early cost recovery, improved security, and reduced staffing needs. Quick initial returns, improved security posture, and compliance achievements translate to financial benefits. While some struggle with exact ROI quantification, others observe noticeable cost savings over time. Microsoft's integration strength and ongoing enhancements contribute positively to perceived value.

Pricing

Microsoft Sentinel's pricing can be complex, operating on a consumption-based model. Costs vary based on data ingestion and retention, with pay-as-you-go options starting from a baseline of 100 GB/day. Users note the importance of estimating data requirements to manage costs. While integration with Microsoft products may reduce the total expense significantly, Microsoft Sentinel is often perceived as costly relative to other SIEM solutions, especially when additional fees for log management and premium features come into play.

"We only pay for the amount of data we bring in, which is fair."
"It is consumption-based pricing. It is an affordable solution."
"I am not involved on the financial side, but from an enterprise-wide use perspective, I think the price is good enough."

Popular Use Cases

The primary use case for Microsoft Sentinel is centralized security management for cloud and hybrid environments, enhanced by its integration with Azure. It provides threat detection, automated response, and analysis of security logs from various sources, including Microsoft 365 and Azure services. Organizations use Sentinel as a SIEM tool, facilitating threat hunting, incident management, and monitoring. Its AI capabilities offer proactive threat identification, making it essential for security operations centers.

Service and Support

Microsoft Sentinel customer service is generally effective, with quick response times, especially for those with higher-tier support plans. Larger organizations often receive better assistance, while smaller ones may face delays. Technical support is accessible, with many users finding solutions via community forums. Some users experience inconsistency in service, with delays and less knowledgeable staff. However, users appreciate having a responsive and guided experience, with many rating Microsoft support highly.

Deployment

Many users find deploying Microsoft Sentinel straightforward and quick, leveraging cloud capabilities for easy integration. The process often involves minimal time, typically requiring one or few personnel. However, complexity increases when integrating non-Microsoft or on-prem resources. Users need expertise in KQL query language for custom configurations. Maintenance is usually minimal as the platform is cloud-based. Some find documentation lacking, which could pose challenges for new users.

Scalability

Microsoft Sentinel offers impressive scalability, easily adjusting to organizational needs. As a cloud service, it automatically handles scaling without user intervention. Many teams report seamless integration of extensive data volumes and increased usage, driven by Sentinel's capability to manage high data ingestion. While users must consider consumption costs, the system's scalability remains its strength, accommodating thousands of endpoints and supporting large, multi-region environments, enhancing operational efficiency for organizations across various industries.

Stability

Microsoft Sentinel demonstrates excellent stability, with minimal downtime and reliable performance. Users report it as dependable, handling large-scale deployments effectively. Some note occasional issues with specific integrations or automation components, but these are rare. The managed cloud service by Microsoft ensures high availability, often rated nearly flawless by its users. Regional factors or misconfigurations may affect individual experiences, but Sentinel remains a highly trusted and stable security information and event management platform.

These insights are based on the in-depth reviews provided by peers to help you make a better buying decision.

Download our Microsoft Sentinel Buyer's Guide for additional reliable information.

Review data by company size

By reviewers

By visitors reading reviews

Top industries

By visitors reading reviews

Computer Software Company

16%

Financial Services Firm

10%

Government

Manufacturing Company

University

Retailer

Comms Service Provider

Educational Organization

Energy/Utilities Company

Healthcare Company

Insurance Company

Construction Company

Real Estate/Law Firm

Media Company

Non Profit

Legal Firm

Wholesaler/Distributor

Transportation Company

Hospitality Company

Outsourcing Company

Performing Arts

Recreational Facilities/Services Company

Consumer Goods Company

Logistics Company

Pharma/Biotech Company

Marketing Services Firm

Aerospace/Defense Firm

Compare Microsoft Sentinel with alternative products

Learn more about Microsoft Sentinel

- Collect data at cloud scale—across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds

- Detect previously uncovered threats and minimize false positives using analytics and unparalleled threat intelligence from Microsoft

- Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft

- Respond to incidents rapidly with built-in orchestration and automation of common tasks

To learn more about our solution, ask questions, and share feedback, join our Microsoft Security, Compliance and Identity Community.

Microsoft Sentinel was previously known as Azure Sentinel.