reviewer1930908 - PeerSpot reviewer
Senior Sec Engineer at a tech services company with 51-200 employees
Real User
Sep 21, 2022
It gives us the flexibility to choose the kind of infrastructure based on each client's needs
Pros and Cons
  • "Native integration with Microsoft security products or other Microsoft software is also crucial. For example, we can integrate Sentinel with Office 365 with one click. Other integrations aren't as easy. Sometimes, we have to do it manually."
  • "Sometimes, it is hard for us to estimate the costs of Microsoft Sentinel."

What is our primary use case?

We provide managed security services to customers in Myanmar using Microsoft Sentinel as a cloud media SIEM. Most of the use cases involve retention, and we use all the features of Microsoft Sentinel. We also use other Microsoft security products like Defender for Endpoint, and most of them are integrated with Sentinel. 

How has it helped my organization?

Microsoft Sentinel is a cloud-native SIEM solution, so it helped us reduce our infrastructure costs and deliver better services to our customers. We don't need to pay upfront costs because it is in the cloud. We used an open-source SIEM solution before implementing Microsoft Sentinel, but that wasn't satisfactory for our customers. Sentinel helped us provide more robust managed security services to our customers.

It consolidated multiple dashboards into one and helped us be more proactive. However, our team is still trying to mature to a level that we can adopt a more preventative approach to security. Sentinel significantly reduced our detection time. Without Microsoft Sentinel, our SOC analyst might take 30 minutes to an hour to detect an issue, but now it's practically in real-time. 

What is most valuable?

The biggest advantage of Sentinel is scalability. In addition, we don't need to worry about paying for infrastructure costs upfront. It gives us the flexibility to choose the kind of infrastructure based on each client's needs. Sentinel is also much simpler than other SIEM solutions. The UI is smoother and easier to use.

Native integration with Microsoft security products or other Microsoft software is also crucial. For example, we can integrate Sentinel with Office 365 with one click. Other integrations aren't as easy. Sometimes, we have to do it manually. 

The bi-directional sync is helpful. For example, we have one client using our managed security service, but they don't want to use Microsoft Sentinel. If those products are not syncing or if the solution is not bi-directional, some alerts may be missed. It's essential for both portals and the two folders to be in the same channel it's pushing. The UEBA features are also perfect. We don't see the same caliber of user behavior analytics in other SIEM. Microsoft's UEBA is great for our SOC analysts. 

What needs improvement?

Microsoft threat intelligence and UEBA still have some room for improvement. There are currently only two connectors available for Microsoft threat intelligence: the threat intelligence platform and the FTIA commander.
Sentinel should offer another option for a third-party threat intelligence platform. There are lots of open-source threat intelligence solutions available.

Threat handling could be great for our team and for our SOC analyst, but some are unusable depending on our SOC analytics.

Sentinel can ingest data from most of our ecosystem, but some data cannot be called up. For example, if an SAP product is hosted, it will do a specific version, but it cannot be called back to Sentinel. It cannot be directly connected to Sentinel.

Buyer's Guide
Microsoft Sentinel
February 2026
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: February 2026.
884,122 professionals have used our research since 2012.

For how long have I used the solution?

Our team has been using Microsoft Sentinel for about two and a half years.

How are customer service and support?

I rate Microsoft support a seven out of ten. They take too long to respond, but sometimes they are great. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We previously had an open-source SIEM, but it lacked the detection and automation capabilities of Sentinel.

How was the initial setup?

The initial deployment was straightforward but configuring integration for some of our projects was challenging because there are few connectors for solutions like Cisco. I rate Sentinel a five out of ten for ease of setup. 

What about the implementation team?

We performed our integration in-house, but sometimes we get support from Microsoft.

What's my experience with pricing, setup cost, and licensing?

Sometimes, it is hard for us to estimate the costs of Microsoft Sentinel.

What other advice do I have?

I rate Microsoft Sentinel a nine out of ten. I recommend it, but it takes time to evaluate because Sentinel is unlike other cloud solutions. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Consultant at a tech services company with 11-50 employees
Real User
Sep 15, 2022
Gives you one place to close incidents, and KQL is definitely a step up when it comes to security
Pros and Cons
  • "I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals, when it comes to incident response."
  • "The built-in SOAR is not really good out-of-the-box. The SOAR relies on logic apps and you almost need to have some kind of developer background to be able to make these logic apps. Most security people cannot develop anything..."

What is our primary use case?

Microsoft Sentinel is basically a major log, on top of which you can build queries that can analyze the data you get. It's used to build up security operations centers. In addition, it is a SIEM and SOAR solution.

How has it helped my organization?

The first benefit is that you have one place to close incidents. That's definitely an advantage. 

Another benefit is KQL, Kusto Query Language, and the analytic rules with which you can spot suspicious behavior of all kinds. It's definitely a step up when it comes to security. You see the benefits almost instantly.

In addition, automation helps prioritize what needs to be looked at, and what can just be closed and forgotten.

And when you combine the threat intelligence with Defender for Endpoint's recommendations, it's a really strong way to protect things or be proactive when it comes to security, with the CVEs, et cetera.

Overall, our Microsoft solution saves time. Without it, you might have to navigate six or seven portals, but with it, you only have to look at one place, and that saves some time. Most of the time, it eliminates having to look at multiple dashboards and gives you one XDR dashboard. Ideally, that should make working with IT security easier. It also decreases the time it takes to detect and respond.

As a consultant, none of the customers I work for has been hacked or has been close to being hacked. That would be the best way to judge if it saves money because just putting Sentinel on top of all these security products doesn't save you money. It's possible it saves you money. 

What is most valuable?

I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals when it comes to incident response.

The solution helps prioritize threats across your enterprise and that is quite important. There is a concept called "alert fatigue," and Sentinel can also cause that because it detects so many false positives. But usually, the high and medium risks it identifies are things you need to take a look at. So prioritization is quite important.

We also use Defender for Cloud, Defender for Endpoint, and Defender for Cloud Apps. It's quite easy to integrate these Microsoft products because they can easily communicate with other Microsoft products. The tricky part is to integrate other vendors' products, like Cisco or Linux, with Microsoft Sentinel. The actual integration is easy, but they generate a lot of data. But with its entire Defender suite, Microsoft is trying to cover everything in Azure and that is a really strong point.

Sentinel enables you to ingest data from your entire ecosystem and that is vital, but sometimes it's a bit hard to figure out what data you actually need.

Also, the UEBA is a neat feature.

What needs improvement?

The built-in SOAR is not really good out-of-the-box. The SOAR relies on logic apps and you almost need to have some kind of developer background to be able to make these logic apps. Most security people cannot develop anything, but if you want to make full use of the SOAR part of Microsoft Sentinel, you need to be able to develop these logic apps. You can say, "Okay, that's simple," but it's not simple for someone who doesn't develop.

Also, the bi-directional sync in Microsoft Defender for Cloud should be enabled out-of-the-box. Otherwise, while you can close incidents in Sentinel, they will not be closed in all the other portals. That is really important.

In addition, the watch list could be improved. Microsoft could develop some analytic templates based on these watch lists, for example.

And if you don't have any KQL knowledge, Sentinel is actually quite hard to use or to get the most out of.

For how long have I used the solution?

I have been working with Microsoft Sentinel for approximately one year.

What do I think about the stability of the solution?

It's a stable solution.

What do I think about the scalability of the solution?

My clients are looking to increase their usage of Sentinel. Every time I look, there is a new data connector, so it seems like it's a product that is constantly in development.

How are customer service and support?

I haven't used their technical support.

How was the initial setup?

The initial deployment, for me, is not really complex. It takes one hour or less. But to be able to use Sentinel to its full capabilities, you must definitely know something.

In terms of an implementation strategy, you need to really think ahead about who should be able to do this, and who should be able to do that, and respond to that, et cetera. A proof of concept would include dealing with the architecture, gathering initial data sources and/or automation, and then learning how to navigate in Sentinel. One person can do it.

My clients are enterprise-level companies and the solution requires maintenance. It includes updating analytics, importing, and creating new analytics. It depends on the company. If you have 100 employees, one employee might be enough to maintain things, but if you have 10,000 employees and 10,000 devices, you might need more employees.

What's my experience with pricing, setup cost, and licensing?

No license is required to make use of Sentinel, but you need to buy products to get the data. In general, the price of those products is comparable to similar products.

What other advice do I have?

My advice is to start out with a little bit of data and build on top of that. Don't enable too many data connectors in the beginning. Get familiar with the product, and remember to work with Sentinel every day. That's the only way the product gets better.

It comes with some out-of-the-box analytics, but to get the full and best usage out of it, you have to really keep developing it with hunting queries, analytics, et cetera. The visibility provided by the built-in analytics rules, what they detect, is rather good, but Microsoft Sentinel requires ongoing work. It helps automate routine tasks as well, but that's not something that comes "for free." It also requires ongoing work.

Threat intelligence is something that you must be more than just a novice in Sentinel to make use of.

Overall, I find Sentinel to be a really strong solution. Sentinel is where you can see the overall security status of your company. I really enjoy working with Microsoft Defender and the entire suite, combined with Microsoft Sentinel.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
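The review above describes KQL analytic rules that "spot suspicious behavior" and the alert-fatigue problem that comes with noisy rules. As an added example that is not part of the review and not Microsoft's own rule content, this is a scheduled analytics rule query for the Azure AD `SigninLogs` table that flags a burst of failed sign-ins from one IP address followed by a successful sign-in from the same address. The `lookback` and `failure_threshold` values are assumptions to tune per tenant.

```kql
// Added example (not from the review or from Microsoft): scheduled analytics rule query
// that pairs a burst of failed sign-ins with a later success from the same IP address.
// Table and column names are the standard SigninLogs ones; the two thresholds are assumed.
let lookback = 1h;                 // align with the rule's "lookup data from the last" setting
let failure_threshold = 10;        // assumed; raise it if the rule is noisy in your tenant
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    // ResultType is a string: "0" is success, any other value is a failure code
    | where ResultType != "0"
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated),
                FailureCodes = make_set(ResultType, 10)
          by UserPrincipalName, IPAddress
    | where FailedCount >= failure_threshold;
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated, AppDisplayName;
failures
| join kind=inner successes on UserPrincipalName, IPAddress
// keep only the case where the success came after the burst of failures
| where SuccessTime > LastFailure
| project UserPrincipalName, IPAddress, FailedCount, FailureCodes,
          FirstFailure, LastFailure, SuccessTime, AppDisplayName
```

When saving this as a scheduled rule, run it every hour with a one-hour lookback so the window matches `lookback`, map `UserPrincipalName` to the Account entity and `IPAddress` to the IP entity, and give it a High severity: requiring both the failure burst and the subsequent success is what keeps it out of the low-severity noise the reviewer mentions, since a plain failed-login count fires constantly.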
reviewer1892775 - PeerSpot reviewer
Senior Security Specialist at a healthcare company with 1,001-5,000 employees
Real User
Jul 10, 2022
Workbooks help us to monitor complete cloud data, but writing KQL queries takes time
Pros and Cons
  • "The most valuable feature is the UEBA. It's very easy for a security operations analyst. It has a one-touch analysis where you can search for a particular entity, and you can get a complete overview of that entity or user."
  • "If I see an alert and I want to drill down and get more details about the alert, it's not just one click. In other SIEM tools, you just have to click the IP address of the entity and they give you the complete picture. In Sentinel, you have to write queries or use saved queries to get details."

What is our primary use case?

We use it to monitor the cloud for any security issues. We are using it as a SIEM for our cloud workspace.

What is most valuable?

The most valuable feature is the UEBA. It's very easy for a security operations analyst. It has a one-touch analysis where you can search for a particular entity, and you can get a complete overview of that entity or user.

There is also something called workbooks in Sentinel that help us to monitor the complete cloud data and it gives knowledge about, and visibility into, our security posture.

It integrates seamlessly with Microsoft products, especially Office 365 and our Azure workspace, whether it's the Application Gateway or Azure DDoS or Azure Firewall. It has native integration that works very well.

You can also monitor Zero Trust security from Microsoft Sentinel.

What needs improvement?

There are a number of points they can improve. For example, if I see an alert and I want to drill down and get more details about the alert, it's not just one click. In other SIEM tools, you just have to click the IP address of the entity and they give you the complete picture. In Sentinel, you have to write queries or use saved queries to get details. For a security analyst, when there is an incident, it takes a lot of time to write queries, investigate, and then execute.

For example, if you want to search a particular entity or an IP address, or search the complete log instead of just the security alerts, it takes time to write a query for that. The MTTR is a little high, as is the mean time to investigate, compared to other SIEM tools.

I would also like to have more resources on KQL queries.

And using the data connectors is not straightforward when you want to create a use case that is not out-of-the-box. Creating a custom use case is a challenging process. You need to understand KQL queries and the support for regex is limited.

For how long have I used the solution?

I've been using Microsoft Sentinel for between six months and a year.

What do I think about the stability of the solution?

The availability is good. But when you compare the stability with Splunk or ELK or QRadar, it still needs to be more reliable and stable, not from an installation or administration perspective, but when it comes to security operations.

We collect data from between 3,000 and 4,000 users, and our cloud workspace is somewhere around 100 or 200 servers.

What do I think about the scalability of the solution?

The scalability is good because it has Azure in the back end.

Which solution did I use previously and why did I switch?

We are still deciding whether to migrate completely to Sentinel or not. We are using two SIEM solutions in parallel. The other solution is LogRhythm. From an analyst perspective, Sentinel has to evolve more. Once it does, we can think of migrating to it fully.

How was the initial setup?

The installation was straightforward and easy. With Azure Resource Manager, it was easy to deploy, and it was a straightforward integration, in terms of configuration, to connect the Log Analytics workspace with Sentinel and the solutions that Sentinel has.

Deploying the solution hardly took four hours, and the initial configuration took a single person one day, meaning eight hours.

We used to have an on-prem solution and we moved our workload to the cloud. Our users did not face any challenges or difficulties as a result.

What was our ROI?

We are still in the process of getting our ROI. We are waiting for the solution to improve and mature.

What's my experience with pricing, setup cost, and licensing?

Sentinel is pretty competitive. The pricing is at the level of other SIEM solutions.

Which other solutions did I evaluate?

I have experience with Splunk and QRadar and they are the best. They are equivalent, one with the other. Both the solutions are mature enough, having been in the market for quite some time. They know what they're doing and are easy to use from an analyst's perspective. Both are scalable solutions as well.

The drawback of these two solutions is that it takes a little bit of time to do integrations, especially for Azure workloads, as they're not in-built in Azure.

What other advice do I have?

Always record your KQL queries and stick to the basics.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
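The review above makes the point that drilling down on an entity such as an IP address in Sentinel means writing or reusing saved queries rather than clicking through, and its closing advice is to record your KQL queries. As an added example that is not part of the review and not Microsoft's own content, this is the kind of saved investigation query that pivots on one IP address across several standard tables in a single run. The IP is a constructed placeholder from the 203.0.113.0/24 documentation range; the table and column names are the standard Sentinel ones.

```kql
// Added example (not from the review or from Microsoft): one saved pivot query for an IP
// address across several Sentinel tables, so the analyst does not rewrite it per table.
let suspect_ip = "203.0.113.45";   // constructed placeholder, replace per investigation
let lookback = 7d;
// isfuzzy=true lets the union run even when one of these tables has no connector yet
union isfuzzy=true
    (SigninLogs
        | where TimeGenerated > ago(lookback) and IPAddress == suspect_ip
        | project TimeGenerated, Source = "SigninLogs", Account = UserPrincipalName,
                  Detail = strcat("ResultType=", ResultType, " App=", AppDisplayName)),
    (AzureActivity
        | where TimeGenerated > ago(lookback) and CallerIpAddress == suspect_ip
        | project TimeGenerated, Source = "AzureActivity", Account = Caller,
                  Detail = strcat(OperationNameValue, " ", ActivityStatusValue)),
    (OfficeActivity
        // ClientIP may carry a port suffix, so match the bare address or "address:port"
        | where TimeGenerated > ago(lookback)
        | where ClientIP == suspect_ip or ClientIP startswith strcat(suspect_ip, ":")
        | project TimeGenerated, Source = "OfficeActivity", Account = UserId,
                  Detail = strcat(OfficeWorkload, ": ", Operation)),
    (SecurityAlert
        // Entities is a JSON string; a substring match is enough for a pivot
        | where TimeGenerated > ago(lookback) and Entities contains suspect_ip
        | project TimeGenerated, Source = "SecurityAlert", Account = "",
                  Detail = strcat(AlertName, " [", AlertSeverity, "]"))
| sort by TimeGenerated desc
```

Saving this under Hunting, or as a workspace function that takes the IP as a parameter, turns the multi-step investigation the reviewer describes into one run; appending `| summarize count() by Source` gives a quick overview of which tables carry activity for the address before reading the timeline.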
MikaelFryksten - PeerSpot reviewer
SOC Principal Architect at Tieto Estonia
Real User
May 8, 2022
Good online documentation, and easy to install but the price could be lower
Pros and Cons
  • "What is most useful, is that it has a good connection to the Microsoft ecosystem, and I think that's the key part."
  • "Multi-tenancy, in my opinion, needs to be improved. I believe it can do better as a managed service provider."

What is our primary use case?

We use Microsoft Sentinel for providing managed services and for security use cases, which include detecting anomalies or security events and collecting security events from various data sources.

What is most valuable?

What is most useful, is that it has a good connection to the Microsoft ecosystem, and I think that's the key part. If you are running the Microsoft ecosystem, you are running Azure and Microsoft 365 and have all of the security providers in that environment, for example, the E5 license, then Sentinel can easily collect those events and handle them within the same Azure environment. That, I believe, is the key point here.

What needs improvement?

Multi-tenancy, in my opinion, needs to be improved. I believe it can do better as a managed service provider.

It's a fairly mature product now.

Pricing could also improve, it's a bit expensive.

For how long have I used the solution?

I have been working with Microsoft Sentinel for approximately two years.

There are private tenants, but it is deployed in a public Cloud.

What do I think about the stability of the solution?

Microsoft Sentinel is a stable solution.

What do I think about the scalability of the solution?

Microsoft Sentinel is scalable. As it is in the cloud, you simply pay more. It's expensive, but it's very easy to scale.

How are customer service and support?

We haven't used Microsoft's technical support. We rely on the online knowledge base. Essentially, the entire internet is based on the information they have. As a result, we have never contacted technical support. It hasn't been required. I suppose it's fine. We didn't use technical support in that sense. I would say that it's good.

Which solution did I use previously and why did I switch?

I am familiar with SIEM. 

We run several CM systems as well as a security operation center.

I have worked with Microsoft, IBM, and McAfee. McAfee has an older CM, and we use Elastic as well.

How was the initial setup?

Within the same cloud environment, it is very simple to set up and begin collecting data.

What's my experience with pricing, setup cost, and licensing?

Microsoft Sentinel is expensive.

What other advice do I have?

If you have the funds, I would recommend it. I think the pricing is important; it's quite expensive, but if you have that, I think I would recommend it. The advice is to think carefully about what data you send to the platform because it is costly. The price is data-driven, so make sure you know how much data you will send and that you only send what is required. That, I believe, is the key point.

We are Microsoft partners.

I would rate Microsoft Sentinel a seven out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. partner
PeerSpot user
ClementOlaosebikan - PeerSpot reviewer
System Engineer at TIGER LOGIC
Real User
Top 20
May 3, 2022
Shows users who are exposed to phishing attacks so you make some mitigation on that particular account
Pros and Cons
  • "The most valuable feature is the onboarding of the workloads. You can see all that has been onboarded in your account on the dashboards."
  • "It has been a challenge with Azure Sentinel to onboard the Syslog server from FortiGate. Azure Sentinel can work better on that shift between the Syslog server and a firewall."

What is our primary use case?

For users that have been observing some malicious actions with their product and getting malicious mail, Azure Sentinel allows them to create a rule, which will show who exactly among their users is exposed to phishing attacks so that they can make some mitigation on that particular account.

There are about five people using this solution in my organization.

How has it helped my organization?

It helps to implement connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, and Microsoft 365 sources, including Office 365, Azure AD, Microsoft Defender for Identity (formerly Azure ATP), and Microsoft Defender for Cloud Apps, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions.

What is most valuable?

The most valuable feature is the onboarding of the workloads. You can see all that has been onboarded in your account on the dashboards.

What needs improvement?

It has been a challenge with Azure Sentinel to onboard the Syslog server from FortiGate. Azure Sentinel can work better on that shift between the Syslog server and a firewall.

For how long have I used the solution?

I have been using this solution for three years.

What do I think about the stability of the solution?

It's quite stable compared to other automation SIEM and SOAR solutions.

What do I think about the scalability of the solution?

It's very scalable.

How are customer service and support?

Technical support is good. Microsoft has engineers that are readily available to help you with a challenge.

How was the initial setup?

Initial setup was user-friendly. I would rate it a 4 out of 5.

It's deployed by you onboarding your deliverables on the workload. For example, if you're using Office 365 or another third-party solution, you're going to upload those onto the server and have it protected with your Azure Sentinel.

It will draw logs from those activities of yours, and then bring them up as a workbook, where you can see the actions on those programs you have onboarded on Azure Sentinel.

What about the implementation team?

We use a third-party for implementation.

What was our ROI?

For ROI, I would rate it 4 out of 5.

What's my experience with pricing, setup cost, and licensing?

It's costly to maintain and renew.

It depends on how you want to pay for the solution. You can pay it on an annual basis or pay as you go, but I feel it's better to just keep it running as a product on your Azure subscription. If you have a $500 subscription, it will take part of your subscription.

What other advice do I have?

I would rate this solution 7 out of 10.

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Sharjeel Khan - PeerSpot reviewer
Head of Security Operations at Edotco Group
Real User
Apr 20, 2022
Agile, integrates well with other solutions and offers fair pricing
Pros and Cons
  • "The initial setup is very simple and straightforward."
  • "We'd like to see more connectors."

What is our primary use case?

We primarily use the solution for the surrounding management. 

What is most valuable?

The correlation is very useful.

We like that it is an integrated platform. 

It's very much an agile product.

Everything works very well across the product.

The initial setup is very simple and straightforward. 

It is a scalable solution. 

The performance has been good.

What needs improvement?

We'd like to see more connectors.

The solution needs to offer a bit more advancement, enhancement, and scalability with other products as well, including the market competitors.

What do I think about the stability of the solution?

The solution is stable. The performance is good. There are no bugs or glitches. 

What do I think about the scalability of the solution?

The server is scalable.

How are customer service and support?

We haven't really used support all that much. That said, we haven't really had issues with them.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I've worked with other solutions, including, for example, Splunk. For me, each solution has a limitation when it comes to some use cases. It all depends upon the business strategies. 

How was the initial setup?

The initial implementation is very easy. It's straightforward. It's not complex or difficult at all. A company shouldn't have any problems executing a setup.

The deployment process itself is very quick. It only takes maybe 30 to 40 minutes. 

We don't really need any maintenance on the solution. We're usually required to do maintenance when the agent determines it.

What about the implementation team?

We did not require any third parties when it came to setting it up. We didn't use any integrators or consultants. The implementation was handled by in-house personnel. 

What's my experience with pricing, setup cost, and licensing?

There is a community version. Whether or not the pricing is expensive depends on what a company needs and if it covers its requirements. I've been satisfied with the pricing so far. I don't find it overly expensive. 

You do pay a subscription fee for the service if you aren't using the community version. 

Which other solutions did I evaluate?

We're always happy to evaluate any other products on the market.

What other advice do I have?

We are a gold customer.

I would recommend the product if it made sense for an individual company's use case. 

For the people who are on the cloud, I would suggest they go for Sentinel regardless of any other SIEM. It will do a good integration with other solutions, and with other cloud providers while providing a holistic view as well.

I'd rate the solution an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Sr. Security Engineer at Ebryx
Consultant
Dec 5, 2021
Because it is a cloud-based deployment, we don't need to worry about hardware infrastructure
Pros and Cons
  • "Azure Application Gateway makes things a lot easier. You can create dashboards, alert rules, hunting and custom queries, and functions with it."
  • "There are certain delays. For example, if an alert has been rated on Microsoft Defender for Endpoint, it might take up to an hour for that alert to reach Sentinel. This should ideally take no more than one or two seconds."

What is our primary use case?

We work as a managed security services provider (MSSP). We have different clients who have their own security team. 

One company that I worked for recently had a security team of three people, then they hired us for 24/7 analysis and monitoring. For that, I solely worked on building this product, then there are the eight to nine people who do 24/7 monitoring and analysis.

Sentinel is a full-fledged SIEM and SOAR solution. It is made to enhance your security posture and entirely centered around enhancing security. Every feature that is built into Azure Sentinel is for enhancing security posture.

How has it helped my organization?

It has increased our security posture a lot because there are a lot of services natively integrated to Azure Sentinel from Microsoft, e.g., Microsoft Defender for Endpoint and Defender for Office 365. 

From an analyst's point of view, we have created a lot of automation. This has affected the productivity of analysts because we have automated a lot of tasks that we used to do manually. From an end user's perspective, they don't even notice most of the time because most of our end users are mostly non-technical. They don't feel the difference. It is all about the security and operations teams who have felt the difference after moving from LogRhythm to Azure Sentinel.

What is most valuable?

It is cloud-based, so there isn't an accessibility issue. You don't have to worry about dialing a VPN to access it. Azure does require, for an on-prem solution, that the security part is entirely on Microsoft's and Azure's sign-in and login processes.

Because it is a cloud-based deployment, we don't need to worry about hardware infrastructure. That is taken care of by Microsoft.

Azure Application Gateway makes things a lot easier. You can create dashboards, alert rules, hunting and custom queries, and functions with it.

Its integration capabilities are great. We have integrated everything from on-prem to the cloud.

What needs improvement?

There are certain delays. For example, if an alert has been rated on Microsoft Defender for Endpoint, it might take up to an hour for that alert to reach Sentinel. This should ideally take no more than one or two seconds.

There are a couple of delays with the service-to-service integration with Azure Sentinel as well as the tracking point.

For how long have I used the solution?

I have been using it for 14 to 15 months.

What do I think about the stability of the solution?

Azure Sentinel is pretty stable. Sometimes, the agents installed on endpoints go down for a bit. Also, we have faced a lot of issues with its correctors in particular. However, the platform is highly stable, and there have been no issues with that.

For operations, one to two people are actively using the solution. For analysis, there are eight to 10 people who are actively using it.

What do I think about the scalability of the solution?

Sentinel is scalable. If you want, you can hook up a lower balance security corrector. So, there are no issues with scalability.

We have coverage for around 60% to 70% of our environment. While this is not an ideal state, it has the capability to go to an ideal state, if needed.

How are customer service and support?

I have worked with Azure Sentinel for four clients. With only one of those clients, the support was great. For the last three clients, there were a lot of delays. For example, the issues that could have been resolved within one or two hours did not get resolved for a month or two. So, it depends on your support plan. It depends on the networking connections that you have with Microsoft. If you are on your own with a lower priority plan, it will take a lot of time to resolve minor issues. Therefore, Microsoft support is not that great. They are highly understaffed. I would rate them as six or seven out of 10.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We had a full-fledged SIEM, LogRhythm, already working, but we wanted to migrate towards something that was cloud-based and more inclusive of all technologies. So, we shifted to Azure Sentinel and migrated all our log sources onto Azure Sentinel. We also added a lot of log sources besides those that were reporting to LogRhythm.

We have used a lot of SIEMs. We have used Wazuh, QRadar, Rapid7's SIEM, EventLog Analyzer (ELA), and Splunk. We used Wazuh with ELK Stack, then we shifted to Azure Sentinel because of client requirements.

How was the initial setup?

The initial setup was really straightforward because I had already worked with FireEye Security Orchestrator, so the automation parts were not that difficult. There were a couple of things that got me confused, but it was pretty straightforward overall.

Initially, the deployment took seven and a half months.

What about the implementation team?

We used a lot of forums. We used Microsoft support and online help. We used a lot of things to get everything into one picture. There is plenty of help available online for any log sources that you want to move to Azure Sentinel.

What's my experience with pricing, setup cost, and licensing?

I have worked with a lot of SIEMs. We are using Sentinel three to four times more than other SIEMs that we have used. Azure Sentinel's only limitation is its price point. Sentinel costs a lot if your ingestion goes up to a certain point.

Initially, you should create cost alerts in the cost management of Azure. With one of my clients, we deployed the solution. We estimated that the ingestion would be up to this particular mark, but that ingestion somehow got way beyond that. Within a month to a month and a half, they got charged 35,000 CAD, which was a huge turn-off for us. So, at the very beginning, do your cost estimation, then apply a cost alert in the cost management of Azure. You will then get notified if anything goes out of bounds or anything unexpected happens. After that, start building your entire security operation center on Sentinel.

Which other solutions did I evaluate?

The SOAR capabilities of Azure Sentinel are great. FireEye Security Orchestrator looks like an infant in front of Azure Sentinel's SOAR capabilities, which is great.

What other advice do I have?

The solution is great. As far as the product itself is concerned, not the pricing, I would rate it as nine out of 10. Including pricing, I would rate the product as five to six out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Director Cybersecurity at a pharma/biotech company with 201-500 employees
Real User
Dec 1, 2021
Good documentation, helps with our security posture and has a straightforward setup
Pros and Cons
  • "We’ve got process improvement that's happened across multiple different fronts within the organization, within our IT organization based on this tool being in place."
  • "They're giving us the queries so we can plug them right into Sentinel. They need to have a streamlined process for updating them in the tool and knowing when things are updated and knowing when there are new detections available from Microsoft."

What is our primary use case?

It's a SIEM tool. Our process right now is to put as much data as we possibly can from all of our network devices into it. We use it as a centralized logging mechanism and the feature that is nice there is that it's agnostic against the types of devices you're using. I have firewalls that can log onto it. I have Linux boxes that can log onto it. I have Windows boxes that can log to it and I can collect a variety of logs from around the organization into it. I can analyze those logs, I can get detections against those logs and use them to take a look at the security footprint of the organization.

All of the different security centers within Microsoft are alerting systems like Azure Defender ATP, the Security Centers, and Azure. All of those products, when they generate incidents and alerts, send feedback into this tool. With this product, you get a single dashboard for managing your security footprint, both from the 365 Azure environment, as well as your on-premise environment.

How has it helped my organization?

From a security perspective, it has clearly improved our alerting in our incident management processes. We've also been able to improve other processes for network monitoring and for trouble remediation within the environment. Our infrastructure team and some of our application team are now plugging into the data that's in that tool as they can use it to find issues within their applications rather quickly - a lot more easily than the other tools that they've got, which has been a huge boon.

We also see that some of our help desk processes have now been informed by it. We have queries that run against the data set that's behind that same tool and they are built specifically for the help desk. For example, if a user's account has been locked out due to the fact that we have all of the data from all the different systems plugged into that tool, we can give the help desk a complete picture of authentication failures against that device so that they can quickly identify where the problem is and resolve the issue for the user.

What is most valuable?

This system has a list of data connectors and you choose what connects to it. By default, it has access to any of the core Azure data that you have access to, however, those are due to the fact that it lives in that environment. It would naturally have access to that data. Then, you choose which data sources you want to connect to it. Many of them are very easy to set up. They're within the 365 of the Azure portion and a point and click away with a lot of the third-party services. You click a button and do authentication and things connect right up. With some of the Linux, there are setups of Syslogs.

Microsoft has pretty good documentation. It doesn't take long. It's not hard to set up.

The biggest feature we've got out of it is visibility into our environment and what's going on across our estate. Being able to see, for example, anomalous RDP logins, to be able to see deviations from our standard traffic flows on the firewalls, things like that, give us insight into when we may have potential issues or a breach type situation.

The second thing you get is that when you're managing security within the Microsoft environment, with Azure, 365, and your on-premise, you're bouncing between three, four, five, or six different tools to do that. This centralizes the management of all of those. You get one pane of glass across all of those tools that gives you a very easy way to see what's going on.

It also allows you to correlate between those tools. I can see if I have, for example, a low-priority incident in one tool. If I have another low-priority incident on the other tool made against the same user, that may force me to say, “Hey, maybe those things combined generate a higher level incident that I maybe need to put up for investigation.” That's the advantage of the tool.

The solution does not have specific features that have helped improve our security posture. Rather, the whole idea of making security a little bit easier while also being able to correlate data between multiple disparate systems has, as a whole, improved our security posture overall.

We’ve got process improvement that's happened across multiple different fronts within the organization and within our IT organization based on this tool being in place.

We were tracking in the neighborhood of 20 to 30 incidents a month coming out of one or two source systems within the environment. What Sentinel has given us the ability to do is move up. We're now evaluating somewhere in the neighborhood of 10 to 12 a day.

They're much more robust as a product. What we've been able to do is tune the alerts so that the things that are common, that are false positives that we see all the time, we've been able to filter those out and give ourselves this complete picture as things change and work but we're filtering out the standard data sets. There are things we’re going to look at and walk away from as we know they're false positives.

In terms of receiving false positives, it does take some work to tune the environment, to get it to get rid of all those false positives. It's not ridiculous work, however. I didn't find it to be the hardest problem. It took us a couple of months, doing an hour or so a day to clean them up. Going through that process offered a tremendous amount of learning about the environment. In looking at those false positives, you start to learn things about how people use the environment - things that we didn't realize before. That's extremely valuable for a security team to understand how your assets are used and what your users are doing.

The end users are barely involved in the process. They see our security team more proactively reaching out to them when they may have a problem. For example, I may have a user who has got an excessive amount of login failures against their ID and it's coming from, say, a mobile phone. We'll see that in the SIEM and what we'll do is reach out to the user proactively. Maybe they've been seeing lockout events, or, most likely, they have been seeing lockout events but they haven't quite figured out what's going on and we'll be able to proactively go to them and say, “Hey, we're seeing this, here's the device it's coming from and here's the action you should take and see if we can fix the problem.” It's given us the ability to reach out to the user. In some cases, it's an incident where we want to reach out, get more information from the user to understand whether it was them or not. In other cases, we're reaching out to them proactively and helping solve problems for them that they may or may not even be aware they're having.

What needs improvement?

Microsoft has a number of detections that they bundle with the product and there's a number of detections that are out against GitHub that are available. We have more and more of those going out every day. Microsoft periodically is releasing more updates. I love the fact that they're giving it to us. They're giving us the queries so we can plug them right into Sentinel. 

We have to do very little editing of the plugins, however, I would love to see the ability to have those queries immediately, as Microsoft updates them. They need to have a streamlined process for updating them in the tool and knowing when things are updated and knowing when there are new detections available from Microsoft.

For how long have I used the solution?

I've used the solution for two years.

What do I think about the stability of the solution?

The solution has been extremely stable. We haven't had any downtime that I can recall.

What do I think about the scalability of the solution?

The scalability is great. It's all backed by the log analytics infrastructure. All of the data that we stuff in it is stuck with the log analytics retention times and data storage capabilities which scale wonderfully.

We are using it pretty heavily. At this point, we're plumbing pieces of data from all of our systems into it. We're actively in it every day.

We're constantly adding new data sets too.

How are customer service and support?

I haven't used technical support yet.

In general, the Microsoft technical support unit is okay. There are times when you get help and it's wonderful and there are times when things are not as good. It's not what I would consider the best support I've ever received. That said, they're trying. They could work on their response times.

Which solution did I use previously and why did I switch?

We did not previously use a different solution. We did a little bit of data consolidation, however, nothing at this level.

We adopted Sentinel as we were looking to mature our security footprint. We started looking at tools that could help us do that, and Sentinel was very easy to dig into, primarily due to the fact that you could bite little pieces off at a time. I didn't have to consume a massive cost. I could throw a little bit of data and consume at a pretty minor cost and prove its value before I started increasing my cost.

How was the initial setup?

The initial setup is very easy.

It's a point-and-click Azure environment. You just click the button and say "yep, I want this."

The solution does not need a lot of maintenance. Once you have the log analytics infrastructure configured, as in your retention times, et cetera, there's your maintenance of the systems that becomes the analytics that you're using. There's a little bit of work that needs to be done there. That was the part that needed some streamlining, however, that's about it. It's managing your rules and your playbooks, et cetera, that needs to be handled.

What was our ROI?

It's hard to measure ROI on these types of processes. I can't give hard numbers on what the return is. What I can say is that the organization is much better off having this tool in place than not having it in place. The fact is we are improving processes around the organization and the visibility. We recently had some huge vulnerabilities in Exchange that were being breached, and knowing that we have tools like this in place that have detections to help us establish whether we were having an issue or not was useful. The product helps to make us aware of issues and we're not guessing and not spending too much time digging.

Which other solutions did I evaluate?

We did evaluate other options. Most had a larger acquisition cost associated with them. That was obviously a big factor. The other thing that helped the decision was that we live in a Microsoft-centric environment and most of the Microsoft tools were prebuilt and correctly connected very easily.

What other advice do I have?

The product is part of the Azure platform - now the Microsoft platform. It's all fully managed by Microsoft at that level. We're using it as a SAFe solution.

I'd advise potential users to take a good look at your analytical rules and feed it with data. The more data you give it, the more valuable it becomes.

I'd rate the solution at an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
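The correlation the reviewer above describes, two low-priority alerts from different products against the same user adding up to something worth investigating, as an added KQL example written for this page rather than taken from the reviewer or from Microsoft; it assumes the standard Sentinel `SecurityAlert` table and the 7-day window and the two-product threshold are constructed values:

```kql
// Added example, not the reviewer's query. Finds users that appear in
// low-severity alerts from more than one Microsoft product within a week,
// so that several minor signals can be escalated for review together.
let lookback = 7d;              // assumed window
let min_products = 2;           // assumed: at least two distinct sources
SecurityAlert
| where TimeGenerated > ago(lookback)
| where AlertSeverity in ("Low", "Informational")
| where isnotempty(CompromisedEntity)
| extend User = tolower(tostring(CompromisedEntity))
| summarize
    AlertCount   = count(),
    Products     = make_set(ProductName),
    AlertNames   = make_set(AlertName, 10),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated)
    by User
| where array_length(Products) >= min_products
| order by AlertCount desc
```

Run as a scheduled analytics rule with `User` mapped as the account entity, the combined hits land as a single incident rather than as scattered low-severity alerts.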
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.
Updated: February 2026