Sentinel Reviews

I used Sentinel to collect logs from computers. We deployed Sentinel for a government department with a staff of 2,700. The IT and security teams used Sentinel. They are the only people who used the solution. We had a team of 15 to 20 people in IT. Five to six people needed to use it at most. The rest still use the Power BI dashboards because they get the alerts from Sentinel directly.

Sentinel would tell me if someone was trying to log into my tenancy and access my virtual machines, if someone was trying to hack into the network, and if there were account lockouts where accounts get logged out now and then for users. All these threats get reported by the domain controller. Once we enabled Sentinel, it picked up those logs from the domain controllers and gave me an in-depth report of where and when the accounts got locked and the reason why.

Sentinel saved us time. We only needed to know the queries if we wanted to search logs on our Windows servers. If you know how to run queries and what queries to run, it's a big time saver. It saved about 60% of our time when we needed it.

Moreover, Sentinel has decreased our time to detect and respond to threats. As it's centralized and it gets alerts very quickly. You can set up automated actions on those alerts, and once the alert is triggered, you can set up emails, where emails go out to the admins or security people, who can click on them as soon as they see them. Logs come from the servers almost in real-time within ten to 15 seconds. It saves a lot of time.

As you know, in SOC or GSoft operations, there are different verticals. We have different SMR teams who take care of 24/7 monitoring. 

They have some use cases in place, and they are also using Microsoft Defender for Endpoint, which is the latest endpoint detection tool from Microsoft. Sentinel has the ability to do everything when used, along with Microsoft Defender for Endpoint. 

We can do advanced hunting from the two portals themselves, and it has inbuilt features that allow 24/7 proactive threat detection. Sentinel has capabilities like traditional SIEMs, along with advanced SQL queries that analysts can modify for specific needs. This allows us to face any malicious attempt from any client with tailored queries.

If I compare it with traditional SIEMs, it is much better because traditional SIEMs have their limitations and are more graphical user interface-based. The ability to do advanced hunting queries allows us to extract data in a more efficient way based on behavior in the organization or client network. The scope of querying, log retention, and investigating facts is much better with Sentinel.

We use Sentinel to make managing security events a breeze. It helps us oversee alarms from various platforms in one central hub, all handled through our NOC in the cloud. It is like having a smart assistant that simplifies keeping our digital space safe and sound.

The most valuable features are its smart analysis that spots potential issues, smooth connections with Microsoft tools, and the way it uses cloud and machine learning to amp up threat detection. It also makes everything easier by automating some tasks and growing with our needs.

There are a lot of use cases of this solution. For a customer of ours, we connected it to both their active directory and their entrance system: the key card swipe application database. We set up a rule where, when people do not enter the building using their key card and they try to authenticate locally to the active directory, it is considered strange behavior—their account is immediately locked and a message is sent to security. 

We set up the business intelligence engine with a university in Belgium, and the artificial intelligence part of the solution figured out that something strange was happening. What happened was that a professor changed grades for all of his students, which is not strange at all. He authenticated it with the right username and password, but, as far as the artificial intelligence engine was concerned, it was suspicious because he never did that on Tuesday nights at 11:30-ish. Also, when he did authenticate it and change grades, it was usually for a couple of students for the same test, and not for one student for some of his tests. So it was these students who had obtained the username and password combination for the professor and sat outside of the university building, connecting to the wifi and changing his grades. Sentinel caught that, and we were able to prove what happened. 

We have this solution deployed on-prem. 

One of the most valuable features is the business intelligence engine. It's very important because it keeps track of everything that's happening and alerts us if something is different than expected. The first time I used it, I was shocked at how well it performed. 

Another valuable feature that I think makes this product worth the price you pay for it is that it connects to basically every system that provides some form of logging, and it's very easy to set up what triggers this. 

We use the solution to monitor the integration. We can monitor end-to-end from source to destination.

It is a good product. The tool is simple to use.

Our company uses the solution's management stack which has good integration with Sentinel. 

We have not necessarily realized the power of the solution but find integrations with other products to be valuable. We are able to understand how access management applications are being used for multifactor authentication and password management. We can see user behavior and prevent malicious use. 

For example, we can look at a user resetting a password at 3am to determine if this is abnormal behavior or if the two-factor authentication is attempting SMS when the user is enrolled in fingerprint authentication. This information helps us to identify patterns of abuse and opportunities for security improvement. 

NetIQ Sentinel is a security information and event management tool that makes up part of our security solution. We are in the process of migrating to a new solution.

The use cases that it was made for, such as server monitoring, worked very well.

Primarily, I used a NetIQ Sentinel when I worked as a Security Analyst as a tool to collecting and filtering-out logs in order to investigating whether there's something "interesting" i.e. samples of real attack or malware activities. Sentinel is tool that if it's well configured, it remove from view all unnecessary information like logs about that the user opened a window in the system and shows you only needful entries. It removes data that can obscure your perspective and mislead in investigation.

Later, I used a NetIQ Sentinel more "administratively", which means that I created/remove/change a new event source and/or also investigate why they hasn't sent anything to log collector. I can tell that from administration perspective the interface of Sentinel is also very simple to operate and navigate. When interface is intuitive as in case of Sentinel, there's no need a special effort to done your job faster, convenient and with high performance.

Anomaly dashboards, search/filters features.

Anomaly dashboard provides possibility to find 0-day attacks. This feature is built based on the second-search/filters. It's great and very useful, because I would first find out if search/filter can give me the data that I needed. If not, I have possibility to change it, e.g. using regex or do search/filter fine-tuning. And when I have search/filter tested and know that it will catch information that I want see on chart, then I implement search/filter in new Anomaly dashboard.

The great idea is also fact that I can receive anomaly alerts via email. I don't need to watch charts all the time.