It's our go-to choice for antivirus. I use Sentinel a lot.
Sentinel is a robust platform offering seamless native integration, enhanced security through transactional data, and a user-friendly interface reminiscent of Microsoft Windows. Its capabilities in threat detection, monitoring, and business intelligence integration make it an attractive choice for organizations.


| Product | Mindshare (%) |
|---|---|
| Sentinel | 2.7% |
| Splunk Enterprise Security | 7.3% |
| IBM Security QRadar | 5.3% |
| Other | 84.7% |
| Type | Title | Date |
|---|---|---|
| Category | Security Information and Event Management (SIEM) | Jun 21, 2026 |
| Product | Reviews, tips, and advice from real users | Jun 21, 2026 |
| Comparison | Sentinel vs Splunk Enterprise Security | Jun 21, 2026 |
| Comparison | Sentinel vs IBM Security QRadar | Jun 21, 2026 |
| Comparison | Sentinel vs Wazuh | Jun 21, 2026 |
| Title | Rating | Mindshare | Recommending | Interviews |
|---|---|---|---|---|
| CrowdStrike Falcon | 4.3 | 2.8% | 97% | 140 |
| Splunk Enterprise Security | 4.2 | 7.3% | 94% | 401 |
| Company Size | Count |
|---|---|
| Small Business | 8 |
| Midsize Enterprise | 3 |
| Large Enterprise | 5 |
| Company Size | Count |
|---|---|
| Small Business | 133 |
| Midsize Enterprise | 78 |
| Large Enterprise | 190 |
Sentinel simplifies security management with features including the Kusto Query Language and automation that cut down the amount of hand-written code routine tasks need. Its correlation engine makes rule generation efficient, while its threat visibility and threat intelligence features help teams prepare for risks. Advanced hunting queries, anomaly dashboards, and scalability options add to its utility. Users appreciate its seamless connections with Microsoft tools and the way cloud and business intelligence integration improve threat detection. However, reviewers ask for better documentation on security aspects such as encryption, simpler dashboards, and better drag-and-drop features. There are also requests for broader device integration, a move from the separate Java control center to a web interface, and more customization options, and some users found the product required extensive Unix scripting.
What are the most important features of Sentinel?

Sentinel finds application across sectors for logging, security event monitoring, and integration with tools like Microsoft Defender for Endpoint. Users from industries such as government and academic institutions leverage its advanced query support (Kusto Query Language) for customized responses, enhancing security measures with AI capabilities in diverse environments.
Sentinel was previously known as NetIQ Sentinel, Novell SIEM.
Faysal Bank, GaVI, Handelsbanken, ISC Münster, Lambeth Council, Swisscard, The Municipality of Siena, Tukes, University of Dayton, University of the Sunshine Coast
| Author info | Rating | Review Summary |
|---|---|---|
| Manager, Customer Success at Coltek Business Solutions | 3.5 | I've used Sentinel for five to six years as our go-to antivirus. It's simple to use, stable, and integrates well. Pricing could improve, but overall it's reliable and scalable, earning it a solid seven out of ten. |
| Senior Specialist at a tech vendor with 10,001+ employees | 4.5 | As a SIEM SME, I find Sentinel excellent for monitoring, valuing its KQL, filtering, and pay-as-you-go log ingestion, which reduced false positives. It's stable, scalable, with great support, making it a strong choice. |
| Technology Specialist at a government with 51-200 employees | 4.5 | I deployed Sentinel for a government department to collect and analyze logs, enhancing security operations. The threat intelligence and alert setup were valuable, but improvements in reporting and dashboard analytics would be beneficial. We used Microsoft Azure for deployment. |
| Security Engineer at a financial services firm with 10,001+ employees | 4.0 | In our SOC operations, Sentinel offers comprehensive threat detection when used with Microsoft Defender, allowing advanced hunting and tailored SQL queries. It faces integration issues with certain devices and experiences regional outages, but outperforms previous solutions like RSA and ArcSight. |
| Service Provider at a comms service provider with 10,001+ employees | 4.5 | We use Sentinel to efficiently manage security events, enjoying its smart analysis and seamless Microsoft integration, though more customization and mixed deployment options would help. Clients experience ROI within three years, but flexibility and hosting options need improvement. |
| Principal Solution Architect at a comms service provider with 51-200 employees | 4.0 | I use Sentinel to monitor integration processes, finding it simple yet outdated and not user-friendly. Despite its age, the product offers ROI through integration capabilities, though improvements are needed for better usability in complex environments. |
| Senior Specialist: Solution Architecture at a tech services company with 501-1,000 employees | 4.0 | I find its native integration and user behavior tracking valuable for security and fraud prevention. It's stable and scalable. However, I desire better security documentation, outsourced authorization, and a unified user interface. |
| Compliancy, Security & Identity consultant at TMD informatisering BV | 4.5 | I find NetIQ Sentinel very valuable for its business intelligence engine and broad connectivity to logging systems. It's reliable and easy to set up. However, I think its integration with diverse cloud systems needs improvement. |
| CEO at ITCORE | 5.0 | I find Sentinel excellent, especially its flexible log for security threats. Setup, stability, and support are great. Improvements are needed for the dashboard and internal monitoring, but I rate it 10/10. |
| Global Cyber Security Manager at a financial services firm with 5,001-10,000 employees | 3.0 | I found NetIQ Sentinel stable, but it required extensive Unix scripting, lacked scalability for our needs, and offered unhelpful customer support. Overall, I did not find it valuable and am migrating to a new solution. |

In my opinion, Sentinel's best features include that it's a very easy product to use. It's very simple, and the after-sale service is very good.
They seem to be catering pretty well as they integrate into everything we need it to.
I'm not sure what the room for improvement is for Sentinel. It needs to stay current, and it does, so I suppose that's fine. I don't have a high demand for what it should do. Price is always a consideration, so the price would be nice if it were lower.
I have been using it for around five to six years.
It is stable.
As far as I know, it is a scalable solution.
I'm not sure how I would rate technical support for Sentinel on a scale of one to 10 as I'm not on the technical side. I do not have experience contacting their technical support.
Customer service and support rating: Negative
The initial setup is straightforward.
You can't really calculate an ROI on an antivirus; you don't know what you would have lost if you didn't have it.
I don't have too many comments overall about pricing as we're in South Africa, so it makes more sense if it's billed in rand. They nearly always bill it in dollars, so if it can be billed in our currency, that would be helpful and fixed in our currency.
I don't really have experience working with these solutions. I promote them for our clients, but I don't work with them.
I can't share my experience with these tools as I make assumptions about that. For both Adlumin and CrowdStrike, both confirm that they're scalable and enterprise-ready and all those kinds of things. We haven't had any specific problem with either of those. We just have a preference for which one we would prefer. If somebody says they want to use a different one from the one that we prefer, then we have to find reasons why they aren't. But scalability is not one of the reasons that one is better over the other.
I don't really have advice for people that are looking into using Sentinel; just do your research across what is available.
On a scale of one to ten, I rate Sentinel a seven.
My main use case for Sentinel is that I'm a subject matter expert for Sentinel, specifically for security incident event and event management. I head the SME for SIEM in LTIMindtree for this current project.
In my current project, I use Sentinel to monitor all the devices, endpoints, firewalls, and other network devices. We onboard those into Sentinel and start monitoring the activities. For firewalls, we configure a Syslog, collect the logs, and then start monitoring the activities from Sentinel use cases that we have generated. We also create workbooks for visual management and for CIO and CEO presentations so that they can have a visual status of what we are doing and how we are flowing the data.
In the present scenario, once it happened that Cortex Data Lake subscription had expired and I was not getting Palo Alto logs. I was trying to monitor the Palo Alto logs, and then I checked whether using KQL the logs were flowing in and discovered that the Palo Alto logs flow had stopped at the Syslog level. Then, I tried to ingest directly to Syslog using some filtering techniques and started to get logs for Syslog, Palo Alto, and then I successfully monitored the logs from firewalls by forwarding that to Sentinel.
In the current project, I don't use Sentinel for GRC requirements.
I manage user roles and access controls within Sentinel, and it is straightforward.
The best features Sentinel offers, in my experience, include the filtering features and the ability to run KQL queries so that I can understand what table has what and when the last log has been monitored and reported.
Sentinel has positively impacted my organization by improving monitoring significantly. As a pay-as-you-go service, we are ingesting logs as needed. When the pay-as-you-go service is enabled, we can either ingest whenever there is a spike in the logs, and when there are fewer logs, we can reduce the ingestion. This approach is helpful for both the organization and me.
In terms of metrics showing how Sentinel has helped, as part of log filtering, we have reduced around thirty to thirty-five percent of false-positive incident creation. We have also cleared some audits by enabling log retention in Sentinel, allowing us to pull out data for audits when necessary using both hot retention and cold retention. This has helped the organization as a whole.
Sentinel needs minimal improvement, though improvements are ongoing. Everything seems to be functioning perfectly, and I don't have any specific inputs for improvements I would like to see in Sentinel.
I have been using Sentinel for the past one and a half years, and I'm engaged with Sentinel.
Sentinel is stable in my experience.
Sentinel is good in terms of scalability.
The customer support for Sentinel is very good; any tickets logged will be answered immediately within the given timeframe, and I get great support from the support team. I would rate the customer support an eight point five on a scale of one to ten.
I previously used Wazuh and Splunk before Sentinel. I switched from Wazuh to Sentinel due to a change in the client.
Integrating Sentinel with my existing tools and systems was really easy, though we initially had a few struggles. Once everyone had knowledge of how to integrate and connect the data and utilize the data connectors, it became easy. It is also easy to train newcomers in the field.
I don't have specific data about return on investment because I deal solely with technical aspects, not managerial concerns.
My experience with pricing, setup cost, and licensing shows that while it is a little on the higher side, since it is part of a package for all Microsoft products, I feel it is a better choice comparatively than other SIEMs in the market.
Before choosing Sentinel, I evaluated other options including SentinelOne, Splunk, and Wazuh. Due to client requirements, they had already bought the license for Defender, which led us to choose Sentinel.
I would rate Sentinel a nine on a scale of one to ten. I chose nine for my rating because while ten was always in my mind, I think Sentinel still needs some improvement here and there.
Regarding Sentinel's AI capabilities, its governance and security are really great, and it is helpful for all cyber engineers across the world. I find that we get appropriate results ninety percent of the time. Even though we cross-check for correctness, ten percent of the time it requires verification, but ninety percent of the time it is helpful.
Sentinel's alerting and notification capabilities are effective for my needs, and I have no complaints regarding those alerts and notifications.
I find Sentinel's dashboard and reporting capabilities very helpful, and I can easily create workbooks to present to my senior management. This is one of the greatest advantages comparatively.
The learning curve for new users getting started with Sentinel is manageable since it is embedded with a lot of new technologies. Given a chance, it's easy for any newcomer to gain knowledge within Sentinel.
Sentinel is a good product for both beginners and experienced users, so others should consider trying Sentinel. My overall review rating for Sentinel is nine.
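An added example, not the reviewer's query: the kind of check described above (which tables are still receiving rows, and when the firewall's syslog feed went quiet). It assumes a Microsoft Sentinel workspace with the standard Syslog table; the hostname pa-fw-01 is an assumption. If the Palo Alto logs arrive as CEF, the second query's table is CommonSecurityLog rather than Syslog.

```kql
// Added example, not from the review. Two checks for a feed that has silently
// stopped: the most recent row per table across the workspace, and an hourly
// series for one syslog source with empty hours filled with zero.
// Assumes a Microsoft Sentinel workspace; "pa-fw-01" is an assumed hostname.

// Query 1: last row and row count per table over the past day. Tables that
// normally stream continuously but show a large gap are the ones to chase.
union withsource = TableName *
| where TimeGenerated > ago(1d)
| summarize LastRow = max(TimeGenerated), Rows = count() by TableName
| extend MinutesSinceLastRow = datetime_diff('minute', now(), LastRow)
| order by MinutesSinceLastRow desc

// Query 2: hourly syslog volume for the firewall host. make-series fills hours
// with no events as 0, so the hour the feed stopped is visible; a plain
// summarize by bin() would omit those hours entirely.
Syslog
| where TimeGenerated > ago(2d)
| where Computer =~ "pa-fw-01"                        // assumed firewall hostname
| make-series Events = count() default = 0 on TimeGenerated from ago(2d) to now() step 1h
| mv-expand TimeGenerated to typeof(datetime), Events to typeof(long)
| where Events == 0                                   // hours with nothing from the firewall
| project TimeGenerated, Events
```

`union *` scans every table and is costly on a large workspace; for a cheap daily check, the Usage table (summarize max(TimeGenerated) by DataType) gives the same answer at coarser granularity. Run in a Log Analytics query window one query at a time (select the query and run).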

I used Sentinel to collect logs from computers. We deployed Sentinel for a government department with a staff of 2,700. The IT and security teams used Sentinel. They are the only people who used the solution. We had a team of 15 to 20 people in IT. Five to six people needed to use it at most. The rest still use the Power BI dashboards because they get the alerts from Sentinel directly.
Sentinel would tell me if someone was trying to log into my tenancy and access my virtual machines, if someone was trying to hack into the network, and if there were account lockouts where accounts get logged out now and then for users. All these threats get reported by the domain controller. Once we enabled Sentinel, it picked up those logs from the domain controllers and gave me an in-depth report of where and when the accounts got locked and the reason why.
Sentinel saved us time. We only needed to know the queries if we wanted to search logs on our Windows servers. If you know how to run queries and what queries to run, it's a big time saver. It saved about 60% of our time when we needed it.
Moreover, Sentinel has decreased our time to detect and respond to threats, as it's centralized and gets alerts very quickly. You can set up automated actions on those alerts, and once the alert is triggered, you can set up emails, where emails go out to the admins or security people, who can click on them as soon as they see them. Logs come from the servers almost in real-time within ten to 15 seconds. It saves a lot of time.
Sentinel gave us logs to tell us what's going right and wrong in your environment so we could secure the network. We also got multiple kinds of logs. By running some queries from the logs, we could find and fix the anomalies in the environment.
Sentinel's threat visibility was great at telling us if we had something going on in our environment. We had to set up alerts in our environment based on the logs. If we had the right alerts set up, we got notified about threats and where security was lacking, so we could also take care of that.
Sentinel's threat intelligence helped us prepare and take proactive steps for potential threats before they hit.
Having preparation before a threat has helped our security operations. When I was using it, I used to keep going into my dashboards and looking for any threats on a weekly basis, or maybe two or three times a week. Based on that, we would recommend certain changes to the server and infrastructure teams to block or allow some ports. Sentinel's threat intelligence helped plan security against risks.
I would like to see a better reporting work structure on the dashboard. It would be nice if Microsoft improved the workbook structure and the analytics. I had to import the Power BI and would be happy to use their transcripts.
I used Sentinel for three to four months six months ago.
Sentinel is very stable, and there has been no outage.
Scalability is not an issue because it's on the cloud and connected to the workspace and the logs. The logs could be coming from ten servers at the moment, and if we wanted ten more servers to be added, we could do that. And Sentinel doesn't care how many computers it's receiving the logs from. It is scalable.
Microsoft support is amazing. Sometimes it's very good and very quick. And sometimes, we struggle. In the last one or two years, whatever I have logged with Microsoft, it's resolved 99% of the time. Sometimes there is a function or new feature to be added to the solution. I like their support.
Customer service and support rating: Positive
The initial setup was easy, but I had already done it a couple of times. There's just the component in Azure. If you have already configured login into your workspace, it's not difficult.
Deployment doesn't take more than an hour. It's less than an hour if you know what you're doing, and it hardly takes a few minutes. And if the monitoring agent is installed on all the servers, the data starts flowing in within ten to 15 minutes, and it's ready to go. Deploying the solution is a very small task, and one person can do it easily. It's a component added to the cloud, and once it's added, it starts working straight away.
Sentinel's slightly on the expensive side. You're paying quite a bit if you enable it for your whole network. And then, it stores lots of data in the logs. It's suitable for large organizations but not very small organizations. However, there are no additional costs apart from the licensing fees.
We have used a Microsoft security product in addition to Sentinel, Defender for Identity. We also get all the security scores, threats, alerts, and incidents in Defender for Endpoint. I did not have to integrate the products since my organization had already started using them before I joined. Still, it's not very difficult to integrate them into the environment with the Active Directory, with some basic technical knowledge required.
Sentinel was of some help in automating the finding of high-value alerts. I set up some alerts on my tenancy, tracking if someone was trying to log into my tenancy from anywhere outside my environment, and I was alerted as soon as they tried to log in. But since there was already automation in Azure, I did not use automation in Sentinel. Azure's automation is just like another older function we had in Defender. We could create a playbook with incident triggers. For example, I had alerts set up that if any account tries to log in more than five times, to send an email to the help desk or the IT team. Once the alerts are triggered, I could create custom actions based on them, similar to any other alerting system. However, I did not specifically use that since we already had an Azure alerting system.
Though I never explored the XDR dashboard, I connected it. Going back to log analytics and Sentinel, they both provide you with workbooks, but I'm not very happy with them. I have connected Log Analytics to the latest Power BI in my environment and run multiple queries from there. Based on that, we get everything in Power BI. We don't use the XDR dashboard for reporting because reporting in Azure or Sentinel is very basic. You can't customize much, and I don't like the uses related to workbooks.
Sentinel enabled us to ingest data from our entire ecosystem because we had connected Azure Log Analytics with Sentinel, and our Log Analytics workspace was getting data from all the servers, not only computers. But collecting data also involves a cost, where the more data you get, the more you pay. We had to maintain a balance there.
Sentinel helped us track threats, but not as an all-in-one solution. Defender is better in that regard because it can access all the environments and respond holistically from one place.
Given Sentinel's built-in SOAR, UEBA, and threat intelligence capabilities, Sentinel gives us value for money. It gives us a wide range of threat protection and connects to various data connectors as well.
Comparing Sentinel's cost and ease of use against stand-alone SIEM and SOAR solutions, Sentinel is cheaper because it's on the cloud, with data from Azure Log Analytics being the only thing we were paying for. The cloud version was cost-effective as compared to on-premise solutions.
Sentinel requires no maintenance as long as Microsoft doesn't change anything. They keep turning off legacy features, so you never know. They could send a message on Sentinel tomorrow, such as, "This feature is going to be turned off by March 2024." We had to move to something else.
Sentinel is nice to have. It's a good choice if you don't have any other solution. I recommend this solution because it alerts you to all the threats and problems in the network. It didn't save us money because enabling it is an additional cost because you're getting and storing more logs in the cloud. It's an additional feature.
I rate Sentinel a nine out of ten.
It's difficult to say whether to go for a best-of-breed or a best-of-suite strategy because everyone has a different approach. Some might want more than one vendor to make sure their environment is safe. At one point, you could go with about ten, but you don't know how many more you are going with. If I had to choose, I would stick to one.
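An added example, not the reviewer's rule: a scheduled-analytics-rule query for the two conditions the review describes, more than five failed logons for one account in ten minutes, and account lockouts written by the domain controllers. Constructed sample rows stand in for the SecurityEvent table so the query runs as-is in any Kusto query window; the account names, addresses, and the five-in-ten-minutes threshold are assumptions, and the `now_` value is fixed so the sample is reproducible.

```kql
// Added example, not from the review. In the workspace, replace the datatable and
// the fixed now_ with:
//   let Events = SecurityEvent | where TimeGenerated > ago(lookback);
// Field names follow the SecurityEvent schema for Windows events 4625 and 4740.
let lookback = 10m;
let threshold = 5;                                    // assumed: alert above five failures
let now_ = datetime(2024-03-05 09:00:00);             // fixed "now" for the constructed data
let Events = datatable(TimeGenerated:datetime, Computer:string, EventID:int,
                       TargetUserName:string, TargetDomainName:string, IpAddress:string) [
    // six failures for one account from one source inside the window: should alert
    datetime(2024-03-05 08:52:10), "DC01", 4625, "svc-backup", "CORP", "10.0.5.23",
    datetime(2024-03-05 08:52:40), "DC01", 4625, "svc-backup", "CORP", "10.0.5.23",
    datetime(2024-03-05 08:53:05), "DC01", 4625, "svc-backup", "CORP", "10.0.5.23",
    datetime(2024-03-05 08:53:30), "DC01", 4625, "svc-backup", "CORP", "10.0.5.23",
    datetime(2024-03-05 08:54:00), "DC01", 4625, "svc-backup", "CORP", "10.0.5.23",
    datetime(2024-03-05 08:54:20), "DC01", 4625, "svc-backup", "CORP", "10.0.5.23",
    // two typos from a normal user: below threshold, no alert
    datetime(2024-03-05 08:55:00), "DC02", 4625, "jsmith", "CORP", "10.0.7.88",
    datetime(2024-03-05 08:55:30), "DC02", 4625, "jsmith", "CORP", "10.0.7.88",
    // a lockout written by the DC: always alert, whatever the count
    datetime(2024-03-05 08:58:00), "DC02", 4740, "mlee", "CORP", "-",
    // an old failure outside the window: ignored
    datetime(2024-03-05 08:20:00), "DC01", 4625, "svc-backup", "CORP", "10.0.5.23"
];
let InWindow = Events | where TimeGenerated > now_ - lookback;
// Condition 1: repeated failed logons (4625) per account, above the threshold.
let RepeatedFailures = InWindow
| where EventID == 4625
| summarize Attempts = count(), Sources = make_set(IpAddress, 10),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Account = tolower(TargetUserName), Domain = TargetDomainName
| where Attempts > threshold
| extend Condition = "RepeatedFailedLogon";
// Condition 2: any lockout (4740); the DC that wrote it is kept as the source.
let Lockouts = InWindow
| where EventID == 4740
| summarize Attempts = count(), Sources = make_set(Computer, 10),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Account = tolower(TargetUserName)
| extend Condition = "AccountLockout";
RepeatedFailures
| union Lockouts
| project Condition, Account, Domain, Attempts, Sources, FirstSeen, LastSeen
| order by LastSeen desc
// Expected on the sample: svc-backup RepeatedFailedLogon with 6 attempts
// (the 08:20 row is outside the window) and mlee AccountLockout with 1.
```

As a Sentinel analytics rule this runs every 10 minutes over a 10-minute lookback, maps the Account column to the Account entity, and an automation rule on the resulting incident triggers a Logic App playbook that sends the e-mail to the help desk; that is the Sentinel-native route to the e-mail notification the reviewer set up through Azure alerting instead.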
As you know, in SOC or GSoft operations, there are different verticals. We have different SMR teams who take care of 24/7 monitoring.
They have some use cases in place, and they are also using Microsoft Defender for Endpoint, which is the latest endpoint detection tool from Microsoft. Sentinel has the ability to do everything when used, along with Microsoft Defender for Endpoint.
We can do advanced hunting from the two portals themselves, and it has inbuilt features that allow 24/7 proactive threat detection. Sentinel has capabilities like traditional SIEMs, along with advanced SQL queries that analysts can modify for specific needs. This allows us to face any malicious attempt from any client with tailored queries.
If I compare it with traditional SIEMs, it is much better because traditional SIEMs have their limitations and are more graphical user interface-based. The ability to do advanced hunting queries allows us to extract data in a more efficient way based on behavior in the organization or client network. The scope of querying, log retention, and investigating facts is much better with Sentinel.
We can do advanced hunting queries and modify SQL queries to get desired results based on the rules triggering over the console. This feature enhances our capability to respond to any malicious attempt tailored to our needs.
There are still a few vendor-specific devices for which Sentinel needs to work on integration, such as Netskope devices. Also, we often face region-wise outages during operation due to product team fixes, which hampers daily operations and leads to outages and log loss.
I've used the solution since the very beginning, from the launch of this product itself in the market. My organization has partnered with Microsoft from the initial launch of Microsoft Sentinel. It has been about around four years now.
There are region-wise outages we often face during operation due to product team fixes, which are sometimes not thoroughly tested. This hampers our daily operation because the portal gets slow or unresponsive, leading to log loss.
Sentinel is highly scalable as it is a fully cloud-based module. We support over 120 member firms through the India GSoft operation center. We have integrated various devices, including firewalls and Windows native devices, making it easy to deploy and scale. However, Sentinel still needs to work on a few vendor-specific devices.
For higher severity, their support team is working absolutely fine and responding in a timely manner. However, for less priority cases, they take their own time to investigate and respond back.
Customer service and support rating: Positive
Previously, I have worked with RSA NetWitness, RSA Log Analytics, and Micro Focus HP ArcSight. They are more graphical user interface-based and have their limitations compared to Microsoft Sentinel, which offers advanced hunting query capabilities.
There are competitors in the market, such as Google Chronicle and Amazon's SIM tool.
Globally, it is already being used in all the major big four-member firms. Despite some competitors, Sentinel is still the market leader and performing differently. I'd rate the solution eight out of ten.
We use Sentinel to make managing security events a breeze. It helps us oversee alarms from various platforms in one central hub, all handled through our NOC in the cloud. It is like having a smart assistant that simplifies keeping our digital space safe and sound.
The most valuable features are its smart analysis that spots potential issues, smooth connections with Microsoft tools, and the way it uses cloud and machine learning to amp up threat detection. It also makes everything easier by automating some tasks and growing with our needs.
While it is great with Microsoft, there is a need for more flexibility in customization, especially when working with different vendors and platforms. Also, it would be helpful if we could easily switch between on-site and cloud hosting, as some customers require the platform to be physically located in their country due to regulations. Right now, this can be a bit challenging because we primarily develop in the cloud. Having more options for a mix of on-premise and cloud configurations would be a big improvement, ensuring we meet regulatory needs and customer demands more effectively.
I would rate the stability of the solution as a nine out of ten.
I would rate the scalability of the solution as a nine out of ten. Our clients are mostly enterprise businesses.
The initial setup is not too difficult.
Our clients have seen a positive return on investment from this solution, typically realized within a lease-based timeframe. The return is usually expected to be achieved in less than three years.
I would rate the costliness of Sentinel as a seven out of ten.
Overall, I would rate Sentinel as a nine out of ten.
We use the solution to monitor the integration. We can monitor end-to-end from source to destination.
It is a good product. The tool is simple to use.
It is an ancient product. It is not new. It is not aligned with the times. It has to be renewed. The solution is not usable. We have to do too many tasks to create a user-friendly and simple user interface to find information faster in a complex environment. We have a complex environment.
I am using the solution in my organization.
The tool is robust and stable. Though it doesn’t have enormous functionalities, it's very stable. I rate the stability a nine out of ten.
The product can be scaled well. I rate the scalability an eight out of ten.
The initial setup is straightforward. It is simple to start, but when we arrive at the limit of the product, it is very difficult to improve.
I have seen an ROI on the product due to its integration capabilities.
The solution’s pricing is aligned with its competitors.
Our business needs integration. We have created some tools using Elasticsearch to improve the usability of Sentinel. The product must be modernized. Overall, I rate the tool an eight out of ten.
Our company uses the solution's management stack which has good integration with Sentinel.
We have not necessarily realized the power of the solution but find integrations with other products to be valuable. We are able to understand how access management applications are being used for multifactor authentication and password management. We can see user behavior and prevent malicious use.
For example, we can look at a user resetting a password at 3am to determine if this is abnormal behavior or if the two-factor authentication is attempting SMS when the user is enrolled in fingerprint authentication. This information helps us to identify patterns of abuse and opportunities for security improvement.
The native integration with out-of-the box format is hassle free and allows data to be used advantageously.
Transactional user information improves security, prevents fraud, and promotes best practices.
Documentation for security aspects could be improved. It is difficult to find clear information about encryption or risks that are addressed.
The solution does not allow outsourced authorizations which is frustrating for enterprises because users need to be created manually.
User interfaces should be aggregated to include the control center rather than it being a separate Java app.
I have been using the solution for five years.
The solution is stable and we architect for 5,000 events per second with no issues.
The solution is scalable.
We have an enterprise agreement that includes a dedicated support engineer who provides what we require. Detailed questions are relayed to the product team for follow up.
Support is rated an eight out of ten.
Customer service and support rating: Positive
Our partnership with Micro Focus requires use of the solution.
The initial setup and installation is standard with no complaints.
We have five team members who implement the solution in-house.
We are in the process of making our deployments enterprise-ready to take them to the next level and ensure we have high availability, redundancy, and backups. This is not related to the solution itself, but rather our approach to setup.
We currently have an installation in Sentinel that is not highly available and we are rearchitecting it to retain data for a set number of years and with the necessary security zoning.
The ROI is realized through tracking user behavior to prevent malicious activity or abuse that would require additional security costs or improvements.
We receive a pricing discount because of our ongoing partnership with Micro Focus.
I am familiar with other products but find the solution's out-of-the-box, native integration with NetIQ and the management product stack to be very valuable.
I would have to build connectors and correlation rules myself if the company moved to products such as Splunk or ArcSight.
I rate the solution an eight out of ten based on current deployments.
My rating will change to a nine when my company deploys its own enterprise-ready versions because they will harness the solution's full capabilities.
There are a lot of use cases of this solution. For a customer of ours, we connected it to both their active directory and their entrance system: the key card swipe application database. We set up a rule where, when people do not enter the building using their key card and they try to authenticate locally to the active directory, it is considered strange behavior—their account is immediately locked and a message is sent to security.
We set up the business intelligence engine with a university in Belgium, and the artificial intelligence part of the solution figured out that something strange was happening. What happened was that a professor changed grades for all of his students, which is not strange at all. He authenticated it with the right username and password, but, as far as the artificial intelligence engine was concerned, it was suspicious because he never did that on Tuesday nights at 11:30-ish. Also, when he did authenticate it and change grades, it was usually for a couple of students for the same test, and not for one student for some of his tests. So it was these students who had obtained the username and password combination for the professor and sat outside of the university building, connecting to the wifi and changing his grades. Sentinel caught that, and we were able to prove what happened.
We have this solution deployed on-prem.
One of the most valuable features is the business intelligence engine. It's very important because it keeps track of everything that's happening and alerts us if something is different than expected. The first time I used it, I was shocked at how well it performed.
Another valuable feature that I think makes this product worth the price you pay for it is that it connects to basically every system that provides some form of logging, and it's very easy to set up what triggers this.
This product's connection to certain types of cloud systems could be improved. We can do Microsoft, Google, and Amazon, but there are a lot of other things happening in the cloud that we do not connect well enough to. This product could be improved with better connection to cloud-based solutions.
As for additional features, even when I compare it to other systems, like Splunk, I think we've covered most things.
I have been working with NetIQ Sentinel since 1997. We are a Micro Focus NetIQ partner, and I do their advanced technical trainings on Sentinel for them.
This product is very reliable and trustworthy.
This solution is easy to scale up until about 24,000 events per second. After that, if you require more—which is an unbelievably large amount of events happening every second—you can change portions of the system to include things like Hadoop technology, and then it will scale to whatever. So it's pretty easy to scale, up until 24,000 events per second, and after that, installing Cloudera and Hadoop and all the other stuff is a bit challenging, but I've only seen one customer reach that amount of events per second.
It's usually large companies that go for this solution. This technology is frequently used by credit card companies, school districts, and universities. This is because there is a special price—solutions like this are usually pretty expensive and can easily run into 200,000 euros a year, but school districts get it for something like four euros per employee, with the same functionality. For them, it's a very cheap way to get an enterprise-level solution, but apart from that special price, it's usually the large companies that invest in something like this. Small- to medium-sized companies sometimes have a requirement for this because of regulations concerning credit card transactions, so we offer to host that for them and they use our shared installation.
Technical support for Micro Focus/NetIQ has always been very good. Maybe it's not the easiest to obtain, but if you have a developer's license and a support contract with them, they have 24-hour, worldwide support people who can do a dial-in if necessary. I'm always able to speak to a support engineer with knowledge about the products within hours when I need it.
The deployment process is pretty straightforward. Micro Focus/NetIQ provides you with a virtual appliance, so if you run it on any virtual platform, you just deploy that, start it up, and it guides you through the process, asking for things like the IP address, passwords, time zone, and stuff like that. The setup process takes about 45 minutes, and then you have a running system. It's pretty easy to set up.
Our company provides implementation services to customers.
You need a support contract with NetIQ for maintenance. You can download the updates for the underlying operating system, which is a secured and drilled-down version of SUSE Linux. For the product itself, you basically upgrade it every time there is a new version coming out, which is usually once or twice a year.
I rate NetIQ a nine out of ten.
My advice to someone looking into implementing NetIQ is to just try it and see it for yourself. It's pretty easy to set up a test environment because of the virtual machine that you can deploy. Also, you have a six-day trial license with that, so there's absolutely no reason not to just set it up and start playing around with it and see how well it performs and what it's able to tell you about what's happening on your network.
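The badge-swipe versus local Active Directory logon rule described in the review above, as an added example that is not part of the review and not NetIQ Sentinel's own rule language: each local logon is checked for a preceding badge swipe by the same user within a time window, and any uncovered logon triggers the two responses the reviewer mentions (account lock and a message to security). The sample records, the 12-hour window, and the `lock_account` / `notify_security` callbacks are constructed assumptions standing in for the real directory and messaging integrations.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Iterable


@dataclass(frozen=True)
class Event:
    user: str
    ts: datetime
    source: str  # "badge" (entrance system) or "ad_local" (local AD logon)


def parse(rows: Iterable[tuple], source: str) -> list:
    """Turn (user, ISO-8601 timestamp) pairs into Event records."""
    return [Event(user, datetime.fromisoformat(ts), source) for user, ts in rows]


# Constructed sample data (not real records): badge swipes at the entrance
# and local authentications against Active Directory on the same day.
BADGE_SWIPES = parse([
    ("alice", "2024-03-04T08:02:00"),
    ("bob",   "2024-03-04T08:15:00"),
    ("dave",  "2024-03-03T18:00:00"),   # badged in the previous evening
], "badge")

LOCAL_AD_LOGONS = parse([
    ("alice", "2024-03-04T08:10:00"),   # badged in 8 minutes earlier: expected
    ("bob",   "2024-03-04T07:50:00"),   # logon BEFORE the badge swipe: suspicious
    ("carol", "2024-03-04T09:00:00"),   # no badge swipe at all: suspicious
    ("dave",  "2024-03-04T09:30:00"),   # last swipe is outside the window: suspicious
], "ad_local")


@dataclass(frozen=True)
class Alert:
    user: str
    logon_ts: datetime
    reason: str


def find_unbadged_logons(swipes, logons, window: timedelta = timedelta(hours=12)) -> list:
    """Return an Alert for every local logon not preceded by a badge swipe.

    A swipe only 'covers' a logon if it happened at or before the logon and
    no earlier than `window` before it; swipes after the logon do not count.
    """
    swipes_by_user: dict = {}
    for s in swipes:
        swipes_by_user.setdefault(s.user, []).append(s.ts)

    alerts = []
    for lg in logons:
        times = swipes_by_user.get(lg.user, [])
        covered = any(lg.ts - window <= t <= lg.ts for t in times)
        if covered:
            continue
        if not times:
            reason = "no badge swipe on record for this user"
        else:
            reason = f"no badge swipe within {window} before the logon"
        alerts.append(Alert(lg.user, lg.ts, reason))
    return alerts


def enforce(alerts, lock_account: Callable[[str], None],
            notify_security: Callable[[str], None]) -> list:
    """Apply the rule's response: lock the account, then message security."""
    handled = []
    for a in alerts:
        lock_account(a.user)  # hypothetical hook into the directory
        notify_security(f"{a.user}: local AD logon at {a.logon_ts.isoformat()} ({a.reason})")
        handled.append(a.user)
    return handled


def run_demo():
    """Run the rule over the constructed data with in-memory stand-in actions."""
    locked, messages = [], []
    alerts = find_unbadged_logons(BADGE_SWIPES, LOCAL_AD_LOGONS)
    enforce(alerts, locked.append, messages.append)
    return locked, messages


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

The window is the one knob a practitioner would tune: too short and a badge-in followed by a late logon raises a false alert (the `dave` case above), too long and an attacker reusing credentials hours after the legitimate user left would go unnoticed. Ordering matters too: a swipe after the logon is deliberately not accepted, because the point of the rule is that physical entry must come first.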
Sentinel has improved the user experience inside. It is easier to create queries.
The most valuable feature is the flexible log for identifying security threats inside an application. Sentinel is very good at this.
The dashboard and customer view should be improved.
In the next release, I would like for there to be monitoring inside Sentinel.
I have used NetIQ for 18 months.
Stability is very good.
Scalability is very good.
Their customer support is very good.
The initial setup was very easy. It took around one or two weeks.
I would rate NetIQ a ten out of ten.
NetIQ Sentinel is a security information and event management tool that makes up part of our security solution. We are in the process of migrating to a new solution.
The use cases that it was made for, such as server monitoring, worked very well.
Frankly speaking, we did not find this product to be valuable, at all.
You need a lot of Unix scripting knowledge in order to manage the tool, which is one of the main issues that we faced.
When we integrated with other log management solutions, the password was not there. We also found it very difficult to create a custom password and in the end, we didn't succeed.
Trying to do something new, outside of use cases like server monitoring, was difficult and we could not do much.
I have been working with NetIQ Sentinel for almost two years.
The stability is phenomenal and we never had any issues with downtime or even had to restart.
This product did not scale for us. I'm not saying that it was a problem with the product but we had trouble finding the skills and knowledge required for this tool. As our environment started growing, we had to buy new tools.
We have had a lot of problems and Micro Focus technical support was not able to help us. They may have different levels of support packages available, but in our experience, we had to write two or three emails back and forth before we got anything reasonable in response. With other vendors, we have a technical account manager that we can reach out to when we are having problems. This is completely missing in NetIQ Sentinel.
We are currently in the process of migrating from NetIQ Sentinel to IBM QRadar.
This product had been implemented by somebody else a few years ago, before I joined the company.
We are a small company with an in-house technical services team.
We inquired about getting support from the vendor, Micro Focus, but the cost was very high.
Whether I would recommend this solution to anyone would depend on their environment. Maybe if they have a hybrid cloud environment then they would not have faced the challenges that we did. As it was on-premises and completely owned by us, we had a lot of trouble with managing the tool. Once it is running, it runs well, but when it comes to adding new devices to it, we always faced issues.
I would rate this solution a six out of ten.