
Microsoft Sentinel pros and cons

Vendor: Microsoft
4.1 out of 5

Pros & Cons summary


Prominent pros & cons

PROS

Microsoft Sentinel offers excellent integration with Microsoft security products and other data sources, enhancing threat detection and response capabilities.
Azure Sentinel's automation features, including SOAR capabilities, significantly streamline incident response and reduce manual workload.
Its AI and machine learning capabilities provide valuable insights for identifying security gaps and improving security posture.
The pricing of Microsoft Sentinel is seen as a positive, providing cost-effective options for various log ingestions and analysis features.
Sentinel's support for Kusto Query Language (KQL) makes it easier for users to extract detailed log information and perform rich data analysis.

CONS

Users desire more integrations with third-party SaaS providers to avoid the need for manual log normalization.
There is a need for improved documentation, particularly for non-Microsoft users and for Kusto Query Language.
Cost improvements are needed, as the pricing model can be inconsistent and confusing for users.
More out-of-the-box analytics rules, ideally tailored to specific industries, could enhance usability.
The learning curve is steep, and reducing it would benefit users unfamiliar with Sentinel.
 

Microsoft Sentinel Pros review quotes

AG
Jul 18, 2023
It is able to connect to an ever-growing number of platforms and systems within the Microsoft ecosystem, such as Azure Active Directory and Microsoft 365 or Office 365, as well as to external services and systems that can be brought in and managed. We can manage on-premises infrastructure. We can manage not just the things that are running in Azure in the public cloud, but through Azure Arc and the hybrid capabilities, we can monitor on-premises servers and endpoints. We can monitor VMware infrastructure, for instance, running as part of a hybrid environment.
reviewer6632 - PeerSpot reviewer
Oct 19, 2022
Investigations are something really remarkable. We can drill down right to the raw logs by running different queries and getting those on the console itself.
reviewer1954005 - PeerSpot reviewer
Sep 3, 2022
The part that was very unexpected was Sentinel's ability to integrate with Azure Lighthouse, which, as a managed services solution provider, gives us the ability to also manage our customers' Sentinel environments or Sentinel workspaces. It is a big plus for us. With its integration with Lighthouse, we get the ability to monitor multiple workspaces from one portal. A lot of the Microsoft Sentinel workbooks already integrate with that capability, and we save countless amounts of money by simply being able to almost immediately realize multitenant capabilities. That alone is a big plus for us.
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,129 professionals have used our research since 2012.
KrishnanKartik - PeerSpot reviewer
Aug 17, 2022
You can fine-tune the SOAR and you'll be charged only when your playbooks are triggered. That is the beauty of the solution because the SOAR is the costliest component in the market today... but with Sentinel it is upside-down: the SOAR is the lowest-hanging fruit. It's the least costly and it delivers more value to the customer.
reviewer2269308 - PeerSpot reviewer
Sep 1, 2023
The automation feature is valuable.
Lowie Daniels - PeerSpot reviewer
May 9, 2023
It's easy to use. It's a very good product. It can easily ingest data from anywhere. It has an easily understandable language to perform actions.
reviewer2034450 - PeerSpot reviewer
Jan 25, 2023
Sentinel enables us to ingest data from our entire ecosystem. In addition to integrating our Cisco ASA Firewall logs, we get our Palo Alto proxy logs and some on-premises data coming from our hardware devices... That is very important and is one way Sentinel is playing a wider role in our environment.
FA
Nov 13, 2022
I've worked on most of the top SIEM solutions, and Sentinel has an edge in most areas. For example, it has built-in SOAR capabilities, allowing you to run playbooks automatically. Other vendors typically offer SOAR as a separate licensed solution or module, but you get it free with Sentinel. In-depth incident integration is available out of the box.
Nitin Arora - PeerSpot reviewer
Nov 2, 2022
Another area where it is helping us is in creating a single dashboard for our environment. We can collect all the logs into a log analytics workset and run queries on top of it. We get all the results in the dashboard. Even a layman can understand this stuff. The way Microsoft presents it is really incredible.
AidanMcLaughlin - PeerSpot reviewer
Aug 8, 2022
The automation rules and playbooks are the most useful that I've seen. A number of other places segregate the automation and playbook as separate tools, whereas Microsoft is a SIEM and SOAR tool in one.
 

Microsoft Sentinel Cons review quotes

AG
Jul 18, 2023
Everyone has their favorites. There is always room for improvement, and everybody will say, "I wish you could do this for me or that for me." It is a personal thing based on how you use the tool. I do not necessarily have those thoughts, and they are probably not really valuable because they are unique to the context of the user, but broadly, where it can continue to improve is by adding more connectors to more systems.
reviewer6632 - PeerSpot reviewer
Oct 19, 2022
I think the number one area of improvement for Sentinel would be the cost.
reviewer1954005 - PeerSpot reviewer
Sep 3, 2022
Improvement-wise, I would like to see more integration with third-party solutions or old-school antivirus products that have some kind of logging capability. I wouldn't mind having that exposed within Sentinel. We do have situations where certain companies have bought licensing or have made an investment in a product, and that product will be there for the next two or three years. To be able to view information from those legacy products would be great. We can then better leverage the Sentinel solution and its capabilities.
KrishnanKartik - PeerSpot reviewer
Aug 17, 2022
Only one thing is missing: NDR is not available out-of-the-box. The competitive cloud-native SIEM providers have the NDR component. Currently, Sentinel needs NDR to be powered from either Corelight or some other NDR provider.
reviewer2269308 - PeerSpot reviewer
Sep 1, 2023
The playbook is a bit difficult and could be improved.
Lowie Daniels - PeerSpot reviewer
May 9, 2023
It could have a better API to be able to automate many things more extensively and get more extensive data and more expensive deployment possibilities. It can gain some points on the automation part and the integration part. The API is very limited, and I would like to see it extended a bit more.
reviewer2034450 - PeerSpot reviewer
Jan 25, 2023
The following would be a challenge for any product in the market, but we have some in-house apps in our environment... our apps were built with different parameters and the APIs for them are not present in Sentinel. We are working with Microsoft to build those custom APIs that we require. That is currently in progress.
FA
Nov 13, 2022
We have been working with multiple customers, and every time we onboard a customer, we are missing an essential feature that surprisingly doesn't exist in Sentinel. We searched the forums and knowledge bases but couldn't find a solution. When you onboard new customers, you need to enable the data connectors. That part is easy, but you must create rules from scratch for every associated connector. You click "next," "next," "next," and it requires five clicks for each analytical rule. Imagine we have a customer with 150 rules.
Nitin Arora - PeerSpot reviewer
Nov 2, 2022
They can work on the EDR side of things... Every time we need to onboard these kinds of machines into the EDR, we need to do it with the help of Intune, to sync up the devices, and do the configuration. I'm looking for something on the EDR side that will reduce this kind of work.
AidanMcLaughlin - PeerSpot reviewer
Aug 8, 2022
Documentation is the main thing that could be improved. In terms of product usage, the documentation is pretty good, but I'd like a lot more documentation on Kusto Query Language.