Microsoft Sentinel Reviews

It's mostly used for cloud-based analytics for proactive incident response. As an enterprise product, it falls under next-gen SIEM.

An advantage of Sentinel is that Microsoft has acquired RiskIQ as a threat intel platform and they've amalgamated it into the platform. When any analytical (or correlation) rule triggers, the enrichment is bundled within the solution. We don't need to input anything, it is there by default. Every rule is enriched right at the triggering or detection stage, which eases the job of the SOC analyst. The platform has become so intelligent compared to other solutions. When an alert is triggered, the enrichment happens so that we know exactly at that moment the true or false posture. This is a mature feature compared to the rest of the providers.

Most of our customers use M365 with E3 or E5 licenses, and some use Business Premium, which provides the entire bundle of M365 Security including EDR, DLP, Zero Trust, and email security. There are two native advantages for customers that use M365 Security and Sentinel. The first advantage is that the log or security-event ingestion into Sentinel is free. Cost-wise, they're saving a lot and that is a major advantage.

The other advantage is that when you use M365 Security with Sentinel, you get multi-domain visibility. That means when attacks happen with different kill-chains, in different stages through the email channel or a web channel, there is intelligence-sharing and that is a missing piece when customers integrate non-Microsoft solutions with Sentinel. With Microsoft, it is all included and the intelligence is seamlessly shared. The moment an email security issue is detected, it is sent to the Sentinel platform as well as to the M365 Defender platform. The moment it is flagged, it can trigger.

That way, if the email security missed something, the EDR will pick up a signal triggered by a payload or by a script being shared and will trigger back to the email security to put that particular email onto a blacklist. This cross-intelligence is happening without even a SIEM coming into play.

And a type of SOAR functionality is found within M365 Defender. It can run a complete, automated investigation response at the email security level, meaning the XDR platform level. When M365 Security is combined with Sentinel it gives the customer more power to remediate attacks faster. Detection and response are more powerful when M365 Defender and Sentinel are combined, compared to a customer going with a third-party solution and Sentinel.

Sentinel has an investigation pane to investigate threats and respond holistically from one place, where SOC analysts can drill down. It will gather all the artifacts so that the analysts can drill down without even leaving the page. They can see the start of the attack and the sequence of events from Sentinel. And on the investigation page, SOC analysts can create a note with their comments. They can also call for a response action from that particular page.

Also, most of the next-gen cloud analytics vendors don't provide a common MSSP platform for the service provider to operate. That means we have to build our own analytics in front of those solutions. Sentinel has something called Lighthouse where we can query and hunt and pull all the metadata into an MSSP platform. That means multi-customer threat prioritization can be done because we have complete visibility of all our customers. We can see how an attack pattern is evolving in different verticals. Our analysts can see exactly what the top-10-priority events are from all of our customers. Even if we have a targeted vertical, such as BFSI, we can create a use case around that and apply it to a customer that has not been targeted. We can leverage multiple verticals and multiple customers and see if a new pattern is emerging around it. Those processes are very easy with Sentinel as an MSSP platform.

Because we use 75 percent of the automation possible through the platform we are able to reduce MTTA. It is also helpful that we get all the security incidents including the threat, vulnerability, and security score in one place of control. We don't have to go to one place for XDR, another for email, another for EDR, and a fourth for CASB. Another time saver is the automated investigation response playbooks that are bundled with the solution. They are available for email, EDR, and CASB. As soon as a threat is detected, they will contain it and it will give you a status of partially or fully remediated. Most of our customers have gone for 100 percent automation and remediation. These features save at least 50 percent of the time it would otherwise take.

In terms of cost savings, in addition to the savings on log-ingestion, Microsoft Sentinel uses hyperscaler features with low-tier, medium-tier, and hot storage. For customers that need long-term data storage, this is the ideal platform. If you go with Securonix or Palo Alto, you won't see cost savings. But here, they can choose how long they want to keep data in a hot tier or a low or medium tier. That also helps save a lot on costs.

Our first use case is related to centralized log aggregation and security management. We have a number of servers at the user level and data center level, and I cannot use multiple tools to correlate all the information. My overall infrastructure is on Azure. We have a hybrid approach for the security environment by using Sentinel. So, hybrid security is one of the use cases, and unified security management is another use case.

It has helped us in three ways. One is IT, one is security, and one is compliance. Before Sentinel, our IT was mature, but our security and compliance were not mature enough in terms of certain controls, client requirements, and global-level regulatory compliance. By implementing the SIEM along with Security Center, we have improved security to a mature level, and we are able to meet the compliance reporting and client requirements for security within the organization.

It has an in-depth defense strategy. It is not limited to giving an alert; it also does correlation. There are three things involved when it comes to a SIEM solution: threats, alerts, and incidents. Sentinel gives you granular and concise information in the UI format about where the log has been generated. It doesn't only not give the timestamp, etc. This information is useful for the L1 and L2 SOC managers.

It has good built-in threat intelligence tools. You can configure a policy set and connectors, and you don't need to have any extra tools to investigate a particular platform. We can directly use the built-in threat intelligence tools and investigate a particular threat and get the answers from that.

We are using Microsoft stack. We use SharePoint. We use OneDrive for cloud storage. We use Teams for our internal productivity and communication, and we use Outlook for emails. For us, it provides 100% visibility because our infrastructure is on Microsoft stack. That's the reason why I'm very comfortable with Sentinel and its security. However, that might not be the case if we were not in Microsoft's ecosystem.

We are using Microsoft Defender. The integration with Microsoft Defender takes a few seconds. In the connector, you just need to click a button, and it will automatically connect. However, for data ingestion, it will take some time to configure the backend log, workspaces, etc.

It is useful for comprehensive reporting. We need to prepare RFPs for our clients. We need to do reporting on particular threats and their resolution. So, it is useful for our RFPs and our internal security enhancements.

It is helpful for security posture management. It has good threat intelligence, and it provides deep analysis. The security engine of Microsoft Sentinel takes the raw data of the logs and correlates and analyses them based on the security rules that we have created. It uses threat-intelligence algorithms to map what's happening within a particular log. For example, if somebody is trying to log into an MS Office account, it will try to see what logs are available for this particular user and whether there is any anomaly or unwanted access. It gives you all that information, which is very important from the compliance perspective. It is mandatory to have such information if you have ISO 27001, HIPAA, or other compliances.

It enables us to investigate threats and respond holistically from one place. It is not only about detecting threats. It is also all about investigating and responding to threats. I can specify how the alerts should be sent for immediate response. Microsoft Sentinel provides a lot of automation capabilities around reporting.

With the help of incidents that we are observing and doing the analysis of the threats, we are able to better tune our infrastructure. When we come across an incident or a loophole, we can quickly go ahead and review that particular loophole and take action, such as closing the ports. A common issue is management ports being open to the public.

It saves time and reduces the response time to incidents. We have all the information on the dashboard. We don't need to go ahead and download the reports.

There are a lot of dashboards available out of the box, and we can also create custom dashboards based on our requirements. There is also one dashboard where we can see the summary of all incidents and alerts. Everything can be correlated with the main dashboard.

We can use playbooks and data analytics. We have one system called pre-policy definitions where our internal team can work on the usability of a particular product. We get a risk-based ranking. Based on this risk-based ranking, we will create policies and incorporate data analytics to get the threats and alerts. We are almost 100% comfortable with Sentinel in terms of the rules and threat detections.

It improves our time to detect and respond. On detecting a threat, it alerts us within seconds.

We needed a SIEM solution that could integrate with our Microsoft 365 stack. Being a Microsoft product, that was the first SIEM we looked at, and we haven't looked back. We're still growing with the product over the last couple of years. It is phenomenal.

We're mainly focused on the cloud, but one of our selling points is that you can integrate with on-prem. We push to get the Azure Arc implementation done on top of Sentinel so that we can ingest data from your on-prem environment into Azure Monitor, which is then exposed to Sentinel. That's how we drive that integration, but we mainly have the cloud. We have 80% cloud and 20% on-prem.

The specific focus on entity behavior is where the gold is within Sentinel. The machine learning and AI capabilities that Microsoft already provides within their toolset are exposed through entity behavior analytics. That really is magic. It is something we don't live without. We have specific key metrics we measure against, and this information is very relevant information to our security approach. That's because not everything is an alert and not everything is a threat. In some cases, the anomalous sign or the anomalous behavior is more important than the actual alert coming up and saying that something has been infected. It could be those sign-ins a week before or a month before into a database that you don't always look into that end up being the actual threat. The entity behavior or the overall feature that Sentinel has is absolute gold for us.

In terms of the visibility into threats, because I set up the product, I'm very much aware of the fact that you see what you configure. That's probably a plus in terms of if you have an appetite only for product one, you ingest and you consume only product one. In our company, we have the full E5 solution, and we tend to have a lot of endpoints or metrics that we can pull into one space. So, each and every sub-component, such as Defender for Endpoint, Defender for Identity, and all the incidents end up within Sentinel. It is one spot from where we can manage everything. That works very well for us. We do have small customers with one or two Microsoft solutions, and even third-party solutions, and we can still integrate or expose those product-specific incidents within Sentinel. For me, that's a big plus.

It definitely helps us to prioritize threats across our enterprise. There is not just a clear classification of severity but also the ability to team certain alerts together. It can chain events and bring you a bigger picture to tell you this is something that you need to take care of or look at because it is tied or chained to multiple events or alerts. That ability is again a big plus.

We probably use all of the Microsoft products. We use Azure Active Directory, and we use Defender for pretty much everything, such as Defender for Identity, Defender for Endpoint, Defender for Cloud, and Defender for Cloud Apps. As a senior cloud infrastructure consultant, it is a part of my role to provide or customize and configure these products on behalf of our customers. We have integrated these products for multiple customers. One of my favorite benefits of Sentinel is its integration with the entire stack. I am yet to find a Microsoft product with which it does not integrate well. All of the Microsoft products are fairly simple to integrate with it. Anyone can set up their own environment. It is only third-party products where you tend to have a bit of technicality to configure, but even that is not a difficult process. It is fairly straightforward and easy to follow.

All these solutions work natively together to deliver coordinated detection and response across our environment. Microsoft Defender stack does that quite well. One of the reasons why Microsoft personally favors the Microsoft Defender stack is because of the integration with the rest of the products.

I'm a big fan of the layered approach, and it should be in every environment. Microsoft does a good job of providing you with that layered approach without too much of an oversight or a combination of a bunch of products. They work well individually, and they stack together quite well based on the individual requirements or the needs of each.

We use Microsoft Defender for Cloud. Our footprint in the cloud is limited. We only have two or three customers that fully make use of the product, but it is something that I do make use of and will. We do make use of its bi-directional sync capabilities. Especially within the organization, we have a very small team dedicated to assisting in our cloud-managed servers. If one person has to run around and duplicate these efforts in multiple portals, that wouldn't be an effective use of their time. So, the simple ability to just be in one portal or one place and apply the remediation or the management of an item is a big plus for us.

It allows us to ingest data from our ecosystem. I have found only one or two third-party antivirus products that still don't integrate fully with Sentinel, but for my use case within my own environment, as well as the environments we manage through our inSOC offering, there hasn't been any case or instance I know of where we could not find a solution to ingest necessary logs.

I work with security, and I also work with compliance. On the compliance side, the ability to have an audit trail and all your logs in one central location is important. The data is queryable. The KQL language is not a difficult language to get under. So, for me, having it all in one place and being able to query it and slice the data to what I need to provide or expose is a key feature of a SIEM solution.

It enables us to investigate threats and respond holistically from one place. It is very important, and bidirectional ties into this. We have a small team. So, the following capabilities are critical to our managed solution:

• The ability to hunt from one location or one stream.
• The ability to integrate with multiple sources and data tables for ingestion.
• The ability to expose information from those tables from one stream or portal.

We probably would end up having to hire twice as many people to accomplish what we can do simply by integrating Sentinel with the rest of our product stack.

It helps automate routine tasks and the finding of high-value alerts. Being able to automate routine tasks or routine alerts is a big save for us because our analysts are not bogged down trying to just close alerts in a portal. This freeing up of time alone is a big save for us.

It helps eliminate having to look at multiple dashboards and gives us one XDR dashboard. The workbooks already integrate well with Azure Lighthouse. So, right out the bat, we had that multitenant capability from one dashboard or one screen. It is just absolutely brilliant.

It saves time on a daily basis. For example, as a desktop engineer, if I have to go through 20,000 devices, it would take a long time to go one device at a time. To make sure everything is fine, if I have to log in, upload some logs, do some metrics, log off, and go to the next office, it would take us a good part of a year to be able to work on each of these devices. With Sentinel, once your logs are configured and analytics rules are in place, a simple hunting query could accomplish exactly the same in a month.

Previously, four hours of my day were spent on just dashboards here and there, logging into tenants one time to the next, running the same view in the same portals, and looking through, for example, the alerts for the day or the threats for the day. With Sentinel, all that is in one place. I can just log on with my company-provided credentials, do MFA once, and through a portal with multiple links, seamlessly go through entity after entity. My whole exercise of four hours per day is now probably down to half an hour just because everything is in one place.

It has decreased our time to detection and time to respond. In the past, we would have to get someone to physically log onto a portal once there is an alert, and if that alert was in multiple places or multiple customers, it would mean multiple portals and multiple logins. The ability to manage from one screen and run an effective service has alone saved us 60% of our day.

We started using Microsoft Sentinel one year ago. We are still piloting the environment because we are transitioning towards cloud solutions with Microsoft Intune. 

Until now, we have been using third-party products, but due to requirements to have stronger security in the cloud, not only on the client endpoint side, we are moving to Microsoft Sentinel. Our focus is on strengthening cloud security as well as client endpoints. Microsoft Sentinel is used to substitute our Splunk solution, covering the security of main Azure services such as Entra ID and automating threat protection for client sites and endpoints.

The automation feature affects our team's efficiency in handling security incidents. It helps us to auto-isolate or auto-react to defined issues or activities. We do not need a lot of manpower.

We are now seeing many more incidents. Previously, we were not aware of them. We are able to close those security gaps. It helps us protect our environment better. We feel safe knowing that we have a solution that we can use to react in case of an emergency.

We now have Office 365, Exchange, and other solutions included in there. We are now also onboarding clients. We will be able to track the threat workflow better and see if it is coming through the email or getting exploited from the network share. We will be able to find the source of the issues and prevent them in the future. We are still at the beginning and have not discovered any issues yet.

Microsoft Sentinel is a monitoring tool. It is a SIEM solution and is used to gather logs. It allows us to analyze and understand the flow of information based on the events that happen and the systems we connect it to. 

I explain it to my customers as being almost like an octopus. It sits in the middle of a tank, and it has all these tentacles that connect to different systems. We bring that information in via those connections, and then we query them. We can centrally analyze, examine, and understand the data that comes in through the analytics or the capabilities that Azure links to Microsoft Sentinel, which is Azure Log Analytics Workspace. We then use queries to help us understand or make sense of the data. We can have dashboards and visualize them. 

We use it to set up monitoring for cloud infrastructure and we use it as part of a larger monitoring capability around setting up a SOC capability. We are then able to keep track of infrastructure and mitigate risks.

Microsoft Sentinel gives visibility to some degree to all of the customers that I work with. It has given us more visibility into the accurate state of the endpoints being monitored in near real-time. 

With the solution, we are now able to respond to incidents in a more timely fashion, which helps us. It helped us to understand what is happening and make informed decisions as a result. It has given us a more comprehensive and holistic view of the ecosystem that exists, and not just an individual piece of that ecosystem. It does not give a view of just one server. It also gives a view of the supporting infrastructure around it. It has given us a lot more visibility, and it has made us smarter in terms of being able to defend ourselves against bad threat actors and the harm they look to do. It made us better armed and more informed, and therefore we can offer a better defense that will hopefully ward off some of those bad actions.

Microsoft Sentinel helps to prioritize threats across the enterprise in several ways. This capability is linked to other technology elements that make up the overall security posture of the Microsoft offering. Microsoft Sentinel, in particular, allows us to look at the flow of information coming through the connectors from various systems. This helps us create alerts and analyze that data so that we can bubble up and see what is happening. We can tie that into the Microsoft Defender stack or the products in the Microsoft Defender ecosystem, and we can take action and monitor. 

Whether it is being alerted, manually choosing to do something, or automating through the broader security capabilities of the platform, we can take action. When we tie in the broader security capabilities that involve governance, risk management, and compliance (GRC), and we have all the tools at our disposal to do that, Microsoft Sentinel becomes a huge ingestion engine that brings in signals. The telemetry and data from all the monitored endpoints allow other capabilities to access that data so that we can monitor it. We are then not only well-informed, but we can also choose how to respond. We can respond through a combination of automation and manual actions. If something occurs, we can then kick off an incident response to deal with it. If needed, we can quarantine and mitigate it. We have a rich set of capabilities but also a very flexible set of opportunities to respond because we are given near real-time information. We can analyze that information in near real-time to make informed choices when it comes to threat intelligence, threat mitigation, and threat assessment.

I use all of the products that Microsoft has in the market in various architectures or configurations with different customers, and I have used them for many years. Various customers use the entire suite of offerings that Microsoft has in the security space in terms of governance, risk management, and compliance, such as Microsoft Sentinel and Microsoft Defender. There are also solutions like Privileged Identity Management (PIM), which is now a part of Microsoft Entra, which has been renamed. I have integrated these products and set up the architectures or designs for customers. The setup depends on the size of the customer and some smaller businesses do not use all of them. They license at lower levels and do not have the business case, the resources, or the need to use them all. Larger companies tend to utilize more of them. Because I work with different-sized companies, I set the solutions up and have used them in a variety of circumstances across the board for different companies. 

In the beginning, like any technology, it was a little harder to integrate when the products were new. As they matured and went through iterations, they became easier to work with. Utilizing a new product is more painful than using a product that has perhaps been out for a year or two, that has been vetted and maybe has gone through one major update or release. The integration has gotten better over time, and the product lines continue to mature and become more powerful as a result.

Microsoft security products work natively together to deliver coordinated detection and response across the environment. For this, you need to use the appropriate connectors to bring in the information from both Microsoft-centric and third-party systems that you want to incorporate and monitor. It is bounded by the vision of the architecture that allows you to connect those systems and the availability of those connectors. Assuming those systems are connected properly, brought online, and are reporting, it gives you the depth of visibility that you need to manage both Microsoft and non-Microsoft systems.

Microsoft security products provide a very thorough set of security. Microsoft is looking at billions, perhaps a trillion, individual data points a day at this point across the Microsoft ecosystem, which includes everything Microsoft does, all customers, and all interactions. They take all that information and analyze it with dedicated security teams, machine learning and artificial intelligence, business analytics, etc. They turn that information around and make it available for customers who are consuming the threat analysis and threat intelligence capabilities on the platform. Some of the solutions are available for free to everybody regardless of licensing. For others, you need enhanced licensing to take advantage of it fully. The threat intelligence feeds, the live analysis, and the security posture that Microsoft provides to its customers globally as part of the shared responsibility model have matured tremendously. They are the best. You get incredible value for the amount of work that goes into providing that. The customers I work with are very happy with the work that Microsoft does and continues to do in that space.

We use the bi-directional sync capabilities of Microsoft Defender for Cloud in some cases. It is a very useful feature for myself and my customers. It is very important because it allows us to use the Defender product, which is made up of maybe 20 individual offerings at this point. There are a lot of different sub-areas that you have that you can attach the Defender product to. This concept allows us to be able to have the endpoints monitored, whether they are the servers or the service that Defender would monitor and protect. It allows us to understand what is happening with them and to have near real-time updates about their status. We can see the impact of potential threats that are attaching and risks that may become apparent, and we can see the impact of remediation or the things that are being done to stop those things or perhaps forestall them, hopefully, to prevent them from harming. This capability is very important, and it is one of the secrets that allow that platform to not only be very flexible but also very impactful in terms of monitoring the bulk of the infrastructure and services that most customers would have running in a public cloud, whether it is Microsoft or any other public cloud, such as Amazon, Google, etc. We can monitor any infrastructure and understand it, especially customers' environments that are hybrid where they have on-premises as well as cloud or multi-cloud infrastructure with more than one cloud. To be able to monitor both on-premises and multi-cloud environments is a requirement today, and Microsoft provides those capabilities but not all other providers do. 

It enables us to ingest data from the entire ecosystem as long as we are using a connector to link to the infrastructure that we need to monitor and as long as there is a connector for monitoring that infrastructure. So, as long as the pipe exists, we connect the pipe, and we can monitor the infrastructure. For a majority of mainline infrastructure or a majority of third-party vendor systems today, there are connectors. For some smaller systems or proprietary or custom systems that some companies run, there might not be connectors, but for mainline systems that you would buy, acquire, or use from large-scale SaaS vendors, connectors have been there for a while. As long as we are running connectors to that infrastructure, we can monitor almost anything that we have.

Sentinel enables us to investigate threats and respond holistically from one place. We have a central dashboard that we can use to monitor and then from there, do the analysis and also create the remediation if necessary. This functionality is very important. The biggest mistake vendors make in tool design from a UI/UX or user interface/user experience perspective is that they do not make things centrally available and obvious for the administrator or the end user who is going to run or use that system. Generally, if something is overly complicated and not very intuitive, it is hard to get people to buy into using something. With Microsoft Sentinel, you can have everything in one place and visualize the impact of the threats, the risks, the incoming data, and the number of incidents, events, or alerts that are happening. All those things are visually represented in the opening part of the dashboard. You could drill down from there with a navigation area that is intuitive and easily understood. That makes it very easy for different users, such as administrators and managers, and other user profiles that have different reasons for being in the tool, and that is the hallmark of a good design.

When you look at it holistically and look at what it is linked to in terms of the broader security platform that Microsoft provides, it is very strong, and it continues to get better. When you ask anyone about their thoughts about a product and how it works for their customers, the mistake that people often make in describing something is that they say, "I think it is great, and it is great for us. It does everything we need." That is good, and it should be. I can say that for the majority of my customers without any ambiguity or concern about being accurate, but the thing you have to add is that there are always things that we do not know that we need to do until they occur. We might not have seen that threat before. Maybe there is a new advanced persistent threat or zero-day exploit that we have to contend with, which we have not been aware of until now. The hallmark of a really good tool is its ability to integrate that new information in a timely fashion and have the flexibility to mature the tool over time based on feedback and iterative use. The strength that Microsoft has brought to the platform over time is the ability to listen to its customers and make sure they are offering based on that feedback. It is good, and it continues to get better. Today, it is good, and tomorrow, it will be better because of that thought process in the way they engineer over time.

Microsoft Sentinel helps automate routine tasks and the finding of high standards. If you set it up the right way, it does that as one of the key things that it is designed to do. It has streamlined our ability to respond, so response time has gone down. It has enhanced our understanding because automation is managing some of the remediation and the menial, repetitive ongoing tasks of:

• Paying attention to information flows.

• Picking out the most important elements.

• Prioritizing them and bubbling them up.

• Creating alerts around them and then telling people that these things are happening. 

Automation lets you do that without having to spend human or people cycles to do that. The automation never gets tired and it never gets bored. It never needs to take a break. It never gets distracted. Because of that, we find not only more things we need to react to, but we react to the things that we truly should be chasing. We are not distracted as much by things that seem to be important, but we find out that they are just ghosts. They are false flags. The ability to bring machine learning, artificial intelligence, business analytics, and data visualization as a part of automation has filtered out a lot of the background noise that distracts. It has allowed us to hone in and refine our activity cycles around the most important things that we have to pay attention to.

Microsoft Sentinel helps eliminate having to look at multiple dashboards and gives one XDR dashboard if you set it up the right way. I have seen it set up in ways where it does not do that because it is not optimized, but if you are using it the right way, if you understand the tool and how to integrate it properly, then it gives you that single dashboard where you can directly find the information or link through a smaller visual tile that will take you to that information that you need if you need to drill down in a deeper, more meaningful way.

Its threat intelligence helps to prepare for potential threats before they hit and take proactive steps. If you are integrating the threat intelligence feeds from Microsoft and looking at them, everything is relative. They are there if you are smart enough to consume them and understand what you are looking at. In other words, people who are paying attention to them and are using them properly are getting tremendous value out of them. Microsoft globally examines billions, if not a trillion, of individual telemetry data points every day and incorporates that into their threat analysis feeds, so no individual company, irrespective of how big they are and how much money they have, can bring that kind of at-scale analysis to that problem. As a result, you are getting a tremendous amount of data that is being vetted, analyzed, and distilled down to meaningful actionable intelligence. It is consumable because it is presented in a very summarized and succinct way. It is very valuable, but you have to be able to understand that and utilize that to draw value from it.

We have saved me time with Sentinel. The ability to have the power of Microsoft as a global scanning organization service provider at my disposal is helping me to better understand the environment I operate in through threat intelligence and threat analysis. In addition, the ability to automate at scale across the platform and to have the research and design that is being done to continuously upgrade and add features to those platforms has made me a much more capable and therefore, more successful security practitioner. It is hard to quantify the time saved. It would probably be a very extreme exercise to go back and do that, but it is fair to say that over a year, we have probably saved a thousand or more human hours. I look across a team for one of the customers that I work with, it is fair to say that we have saved at least a thousand human hours for a year by relying more on the automation toolsets. That is about ninety hours a month on average. We can break it down to 15 or 20 hours a week or something like that, but the reality is that it is about a thousand or more hours that we have saved in a year.

Time to detection has decreased, and the time to respond has gone. They both have decreased. That has been an outcome that we have seen and is measurable. It goes back to the investments you make in building out that architecture in terms of:

• How many systems are you monitoring or how many are you connecting?

• How much data do you have coming in? 

• What are you doing with that data and how are you using it? 

If you are building out a full SOC analysis capability or a full monitoring solution, and you are typing this into incident response and alerting and event continuous monitoring through automation, time to respond and time to solution is going to decrease as a result.

We use Microsoft Sentinel for log aggregation, data connectors, and alerts.

In terms of visibility, Microsoft Sentinel captures a lot of useful data.

Microsoft Sentinel helps us prioritize threats across our enterprise. It shows us the most vulnerable assets, and because we have agents on every machine, we know exactly where to go to investigate. This is important for staying secure as a company. It allows us to cover our own bases by seeing what is happening in real-time and taking proactive steps to address threats, rather than reacting to them after they have already occurred. We can stay up-to-date with security measures and ensure that we follow through and execute our security plan.

We integrated Microsoft Sentinel with Defender for Cloud, Endpoint, and Defender Vulnerability Management. 

Microsoft is not the most vendor-friendly company in terms of integrations and connections, but we were able to get it working in the end, so we cannot really complain.

Microsoft's security tools work natively together to deliver coordinated detection responses across our environment.

The comprehensive threat protection that Microsoft Sentinel provides is good. They provide really good information. We are able to create documents, perform root cause analysis, and analyze anything we need to. Log integration is also key. We are able to find potentially malicious files, correlate events to alerts, and then take action on alerts. So, the comprehensiveness is pretty straightforward.

We use Cloud and Endpoint security. We have our Defender cloud, and then Defender agents on each endpoint. The bidirectional sync capability is important, and it is a work in progress. We are in the process of off-boarding our contract with CrowdStrike. We are moving all of our cybersecurity needs to Microsoft Defender, which is included in our existing Microsoft licenses. This makes financial sense, and CrowdStrike was not providing us with much value.

The system allows us to ingest data from our entire ecosystem, which is very important. This is our main source of correlation of logs to alerts. Therefore, we definitely need to get every single log source, and possibly a few more.

The system allows us to investigate and respond holistically from one place.

It is a very comprehensive tool to use. However, the supporting documentation is limited to initial troubleshooting. This is where I find the most difficulty in explaining how good the tool is. Other than that, the tool is pretty straightforward. There is enough documentation to get us started. However, beyond that, we will need to rely on online forums and other open-source resources to learn more about the tool.

When comparing Microsoft Sentinel to other SIEMs in terms of cost, we are saving money because it is included with our Microsoft 365 E5 licenses. This also helps us to reduce the number of different types of software that we need to use. We do like redundancy in terms of coverage, but the cost of multiple solutions adds up. We want to be able to use one central location for all of our security software. This is one of the reasons why we choose Microsoft Sentinel over third-party solutions. As we move into larger projects, we need to have a centralized place for all of our security policies and procedures.

Microsoft Sentinel helps us automate routine tasks and find high-value alerts. We also use Sentinel as a store for our alerts. This allows us to automate most of our responses if not all of them. We also tailored our alerts to specific events that occur in our environment.

Microsoft Sentinel helps eliminate the need to use multiple dashboards by providing a single XDR dashboard. We currently use Sentinel's workbooks, which provide a dashboard that we can use for metrics, reporting, and other purposes. This makes it easier to relay information upwards, as it is presented in a more visually appealing and easy-to-understand manner. For example, we can use pie charts, bar charts, and line charts to represent data in a way that is easy to understand. This makes it easier to convey information to upper management, such as where we are most vulnerable and what steps we need to take to improve our security.

Microsoft Sentinel helps us prepare for potential threats before they hit by taking proactive steps. We can also detect ongoing incidents. For example, if we receive a ticket or alert that is ongoing and will not go away, we can automate a response to it and add it to our playbook. This way, if a similar incident occurs in the future, we will know what to do to respond immediately.

In terms of automation, I believe we save about 20 to 22 hours per week by closing tickets. We receive about 50 to 100 tickets per day, and we automated about 80 percent of those. This means that we can now close tickets without having to manually review them. This saved us a significant amount of time, which we can now use on other tasks.

We are on the smaller side in terms of the number of logs that come in. So, I don't think it's necessary to compare at this level of data ingestion. However, I can definitely see that if we scale and grow in the future, it will save us a lot of money, especially in terms of manpower and hours that we have to dedicate to automation or non-automated tasks. For example, in the six months that we've had Sentinel up and running, we've saved 755 hours in automation alone.

We currently meet all of our service level agreements in terms of incident response. This definitely saved us time, and we also receive email alerts directly so that we know as soon as something happens.

I'm using it as a SIEM solution. If I consider the leading clouds, especially Google and Amazon, so we don't have a dedicated SIEM solution available in either and we have to create a SIEM solution by using the native services of those clouds. But Microsoft Sentinel gives us an opportunity to use a direct SIEM solution. 

I have clients from different regions and they already have environments on the cloud with various vendors, as well as on-prem. The problem they came to me with was that they wanted to secure their environments. They wanted to monitor all the vulnerability management, patches, and vulnerability scans in a single place. They have third-party data sources that they wanted to monitor things in a single dashboard. I suggested they use Microsoft Sentinel because it can integrate many third-party vendors into a single picture.

Those are the kinds of scenarios in which I suggest that my clients use Microsoft Sentinel.

One thing that makes our work easier is that Sentinel enables you to investigate threats and respond from one place. We don't need to jump into different portals. We configure the rules there and we have the response plans as well as the recommendations from the Sentinel itself and, from there, we can take action. It saves time. That is a good and really important feature.

Working with Sentinel, trust is something we have gained. My company is a consulting firm and we have multiple clients in different regions. We have Australian clients and have to deal with Australian policies, as well as in India where there are different kinds of government policies. With all these policies that our clients have to accommodate, when we deploy Sentinel, the trust we are gaining from them is good.

We are also able to optimize costs, have stability, and an improved work culture by using Sentinel.

Another benefit is the automation of routine functions, like the creation of incidents. Our SOC doesn't need to create incidents manually. We have playbooks to automate things. That saves time on a daily basis.

A monotonous job was the need to send an email to an affected user to tell them to take an action because their third-party tool was something we didn't have access to. For example, we do not have visibility into the portal of Palo Alto, CyberArk, or Zscaler. My team's job in that situation was to send an email for every alert to tell someone to take action. Now, they don't need to waste their time. With automation, we can create a playbook for that. When an alert is generated, it automatically triggers the affected user to take action accordingly. In the time we have saved, my team has been able to learn and customize KQL queries and enhance their KQL skills.

Another area where it is helping us is in creating a single dashboard for our environment. We can collect all the logs into a log analytics workset and run queries on top of it. We get all the results in the dashboard. Even a layman can understand this stuff. The way Microsoft presents it is really incredible. We can download that dashboard or a report from the dashboard and present it in a team meeting. That is really useful.

Overall, per week, Sentinel saves us 40 to 45 hours, per person. We have a team of 20 people who log in to Sentinel and each of those people is saving something like 40 to 45 hours by using it. In that time we can work on different technologies. It has also definitely decreased our time to detection by 80 percent.

Sentinel is Microsoft's SIEM solution, similar to QRadar, Splunk, etc. It is the primary tool used by our Security Operations Center.

Sentinel enhances our visibility by integrating with on-prem and cloud log sources. It provides visibility into any cloud environment, including GCP and AWS, not just Azure. With Sentinel, we get end-to-end coverage of all types of infrastructure. Last week, I was talking to a client who already had a SIEM solution, and they had just deployed Sentinel through us. I asked them why they wanted Sentinel when they already have an MSP. They told me their SIEM solution doesn't cover the cloud, so there's clearly a gap. Sentinel covers on-premise and all the cloud providers. It has a highly flexible ingestion method. There are seven or eight ways to ingest.

A lack of total visibility is a significant pain point for security analysts working on a SIEM solution. Furthermore, even if they have visibility, they might not be able to take remedial action because the company lacks a license or a separate SOAR solution. In that case, you need to have integration for each playbook. Sentinel addresses all of these issues out of the box. 

The SOAR component of Sentinel can automate some routine tasks. Sentinel comes with around 180 different playbooks you can execute with one click. If you face a type of incident, you can run a specific playbook or automate it to run each time the incident is triggered. These automation features make our lives easier. Analysts have to do the same tasks over and over again. It's a nightmare that makes you want to give up sometimes. You are dealing with the same incidents many times daily for many MSPs and customers. The playbook is incredibly beneficial.

It also reduces the number of dashboards we need to check, and you can create a custom dashboard. There are also several preset dashboards from Microsoft that are solution-specific. For example, if I'm using Defender for Office, it has a separate dashboard for Office that I can customize. I can also see everything from one console if I want. It's highly flexible.

Sentinel saves time because you don't need to look at multiple SIEM solutions, like IBM, Splunk, AlienVault, McAfee, etc. You need to spend time deploying those solutions, and there's a learning curve, whereas Sentinel is cloud-native. You click "next," "next," and "next," and the whole solution is deployed in the cloud in five minutes. Other parts, like integration, are native. It takes only a click to integrate all the services. Sentinel has its own agent, so it's easy to deploy the agent and start collecting logs. Overall, Sentinel requires less effort than other solutions.

It also saves us money because deployment costs less. Many SIEM solutions charge for the log forwarders deployed in the client's system. Sentinel is free. You have a VM in the cloud or on the client infrastructure, and there is just a script to turn that server into a log forwarder. 

Sentinel speeds up our response, but I don't have any hard numbers. It depends on how well you have configured it. You can go to an incident and then click on each playbook in sequence, or it can be automated to run a playbook when an incident is triggered. You don't need to go into the interface and do anything.

Sentinel proactively responds by detecting IOCs in our environment and automatically triggering an incident. The threat intelligence feed is typically based on IOCs, like malicious IP, UR, hostname, file hash, etc. However, real proactive response requires you to buy threat intel from different providers. Those companies provide you with information before an attack occurs anywhere. For example, there could be dark web forums where attackers discuss an attack on organization XYZ, and the threat intel provider informs us about that. That's an entirely different thing, but Microsoft has built-in rules for any threat intelligence matches.