Microsoft Sentinel Reviews

We provide managed security services to customers in Myanmar using Microsoft Sentinel as a cloud media SIEM. Most of the use cases involve retention, and we use all the features of Microsoft Sentinel. We also use other Microsoft security products like Defender for Endpoint, and most of them are integrated with Sentinel. 

Microsoft Sentinel is a cloud-native SIEM solution, so it helped us reduce our infrastructure costs and deliver better services to our customers. We don't need to pay upfront costs because it is in the cloud. We used an open-source SIEM solution before implementing Microsoft Sentinel, but that wasn't satisfactory for our customers. Sentinel helped us provide more robust managed security services to our customers.

It consolidated multiple dashboards into one and helped us be more proactive. However, our team is still trying to mature to a level that we can adopt a more preventative approach to security. Sentinel significantly reduced our detection time. Without Microsoft Sentinel, our SOC analyst might take 30 minutes to an hour to detect an issue, but now it's practically in real-time. 

The biggest advantage of Sentinel is scalability. In addition, we don't need to worry about paying for infrastructure costs upfront. It gives us the flexibility to choose the kind of infrastructure based on each client's needs. Sentinel is also much simpler than other SIEM solutions. The UI is smoother and easier to use.

Native integration with Microsoft security products or other Microsoft software is also crucial. For example, we can integrate Sentinel with Office 365 with one click. Other integrations aren't as easy. Sometimes, we have to do it manually. 

The bi-directional sync is helpful. For example, we have one client using our managed security service, but they don't want to use Microsoft Sentinel. If those products are not syncing or if the solution is not bi-directional, some alerts may be missed. It's essential for both portals and the two folders to be in the same channel it's pushing. The UEBA features are also perfect. We don't see the same caliber of user behavior analytics in other SIEM. Microsoft's UEBA is great for our SOC analysts. 

Microsoft threat intelligence and UEBA still have some room for improvement. There are currently only two connectors available for Microsoft threat intelligence. the threat intelligence platform and the FTIA commander.
Sentinel should offer another option for a third-party threat intelligence platform. There are lots of open-source threat intelligence solutions available. 

Threat handling could be great for our team and for our SOC analyst, but some are unusable depending on our SOC analytics.

Sentinel can ingest data from most of our ecosystem, but some data cannot be called up. For example, if an SAP product is hosted, it will do a specific version, but it cannot be called back to Sentinel. It cannot be directly connected to Sentinel.

Our team has been using Microsoft Sentinel for about two and a half years.

I rate Microsoft support a seven out of ten. They take too long to respond, but sometimes they are great. 

Neutral

We previously had an open-source SIEM, but it lacked the detection and automation capabilities of Sentinel.

The initial deployment was straightforward but configuring integration for some of our projects was challenging because there are few connectors for solutions like Cisco. I rate Sentinel a five out of ten for ease of setup. 

We performed our integration in-house, but sometimes we get support from Microsoft.

Sometimes, it is hard for us to estimate the costs of Microsoft Sentinel.

I rate Microsoft Sentinel a nine out of ten. I recommend it, but it takes time to evaluate because Sentinel is unlike other cloud solutions. 

We use Microsoft Sentinel for providing managed services and for security use cases, which include detecting anomalies or security events and collecting security events from various data sources.

What is most useful, is that it has a good connection to the Microsoft ecosystem, and I think that's the key part. If you are running the Microsoft ecosystem, you are running Azure and Microsoft 365 and have all of the security providers in that environment, for example, the E5 license, then Sentinel can easily collect those events and handle them within the same Azure environment. That, I believe, is the key point here.

Multi-tenancy, in my opinion, needs to be improved. I believe it can do better as a managed service provider.

It's a fairly mature product now.

Pricing could also improve, it's a bit expensive.

I have been working with Microsoft Sentinel for approximately two years.

There are private tenants, but it is deployed in a public Cloud.

Microsoft Sentinel is a stable solution.

Microsoft Sentinel is scalable. As it is in the cloud, you simply pay more. It's expensive, but it's very easy to scale.

We haven't used Microsoft's technical support. We rely on the online knowledge base. Essentially, the entire internet is based on the information they have. As a result, we have never contacted technical support. It hasn't been required. I suppose it's fine. We didn't use technical support in that sense. I would say that it's good.

I am familiar with SIEM. 

We run several CM systems as well as a security operation center.

I have worked with Microsoft, IBM, and McAfee. McAfee has an older CM, and we use Elastic as well.

Within the same cloud environment, it is very simple to set up and begin collecting data.

Microsoft Sentinel is expensive.

If you have the funds, I would recommend it. I think the pricing is important; it's quite expensive, but if you have that, I think I would recommend it. The advice is to think carefully about what data you send to the platform because it is costly. The price is data-driven, so make sure you know how much data you will send and that you only send what is required. That, I believe, is the key point.

We are Microsoft partners.

I would rate Microsoft Sentinel a seven out of ten.

On Azure, we have workloads on virtual machines, Kubernetes clusters, and SQL Servers. The way Sentinel works is that logs from our Kubernetes services, virtual machines, and database servers go into what is called Log Analytics on Azure. Log Analytics connects to Azure Sentinel, then all the logs move from the resources to Log Analytics down to Sentinel. Sentinel is configured to do some form of threat detection on these logs. For example, there is a firewall log connected to Log Analytics. Sentinel looks at those firewall logs for repeated IPs that are trying to either do an attack on our system or get access into our system. There is some form of machine learning and AI implemented in it to be able to tell us which particular IP address is trying to do this. 

It is mainly used for securing our platform. As the infrastructure person who works on it, I have some automated ways of seeing threats. We have seen a few possible issues that might come up. So, our customers are safe on some level when we are using Sentinel.

It improves our security posture by using automated threat detection.

Having your logs put all in one place with machine learning working on those logs is a good feature. I don't need to start thinking, "Where are my logs?" My logs are in a centralized repository, like Log Analytics, which is why you can't use Sentinel without Log Analytics. Having all those logs in one place is an advantage. 

We have not really had any major threats. We have had alarms about four times. In the end, they were false positive alarms. Over time, the machine learning feature understands that something is a false positive, then you don't see them anymore. So, it reduces the number of false positives.

The learning curve could be improved. I am still learning it. We were able to implement the basic features to get them up and running, but there are still so many things that I don't know about all its features. They have a lot of features that we have not been able to use or apply. If they could work on reducing the solution's learning curve, that would be good. While there is a training course held by Microsoft to learn more about this solution, there is a cost associated with it. 

We have been using it in our organization for six months.

It is quite stable. It is one of the most mature SIEM solutions that I know.

Currently, I am the person maintaining the solution since we are a startup. However, it probably needs a team of four people to work on it. It needs an infrastructure person to configure it, a security analyst to tell us what they want configured, and a business person to tell us what kind of security targets are needed.

Scalability is good. We are increasing usage for different use cases. For compliance reasons, we will probably expand usage in the future.

Also, there are a lot of features that we have still not tested.

I have not had to use the technical support yet.

We were starting from scratch with Azure Sentinel.

We started using it because we were trying to get PCI certified. The updated PCI requirements requested that we have a security information and event management tool. If it wasn't for PCI compliance, then we probably would not have used Sentinel.

The initial setup was complex, not straightforward. Connecting it is easy once you have an Azure resource on the cloud. We also have on-prem resources, but we have not been able to connect those. Trying to create your on-prem resource with Azure Sentinel is not straightforward. I have not seen many implementation videos that I can watch on YouTube to learn how to do it. 

It is not just Azure. Other SIEMs solutions are a bit complex when trying to connect them. 

Deployment took no more than 10 minutes. Configuring it in our workloads was the major issue, not the deployment. The configuration timeframe depends on the number of resources that you are connected to and your prior knowledge of Sentinel before starting your configuration. 

I did the deployment.

From a cost perspective, there are certain Azure resources that we don't need to additionally pay for when using Sentinel.

When we looked at other SIEM tools, they were quite expensive. Sentinel is also expensive for a startup, but we were able to configure it so there are some logs that Azure frees up, like your firewall, Office 365, or Kubernetes logs. From a cost perspective, this works well financially for us.

Sentinel is a bit expensive. If you can figure a way of configuring it to meet your needs, then you can find a way around the cost.

We looked at so many tools, like Elastic Search and IBM. We went with Sentinel because the majority of our workloads were on Azure already, so the integration was easier rather than going with something external and integrating it. 

If you are purely on Azure, Sentinel is the way to go. Also, it easily works with on-premise workloads from what I have been able to determine. When I look at connectors, it integrates with other cloud providers. I see it integrates with GCP. 

I would rate Sentinel as seven out of 10.

Microsoft Sentinel is basically a major log, on top of which you can build queries that can analyze the data you get. It's used to build up security operations centers. In addition, it is a SIEM and SOAR solution.

The first benefit is that you have one place to close incidents. That's definitely an advantage. 

Another benefit is KQL, Kusto Query Language, and the analytic rules with which you can spot suspicious behavior of all kinds. It's definitely a step up when it comes to security. You see the benefits almost instantly.

In addition, automation helps prioritize what needs to be looked at, and what can just be closed and forgotten.

And when you combine the threat intelligence with Defender for Endpoint's recommendations, it's a really strong way to protect things or be proactive when it comes to security, with the CVEs, et cetera.

Overall, our Microsoft solution saves time. Without it, you might have to navigate six or seven portals, but with it, you only have to look at one place, and that saves some time. Most of the time, it eliminates having to look at multiple dashboards and gives you one XDR dashboard. Ideally, that should make working with IT security easier. It also decreases the time it takes to detect and respond.

As a consultant, none of the customers I work for has been hacked or has been close to being hacked. That would be the best way to judge if it saves money because just putting Sentinel on top of all these security products doesn't save you money. It's possible it saves you money. 

I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals when it comes to incident response.

The solution helps prioritize threats across your enterprise and that is quite important. There is a concept called "alert fatigue," and Sentinel can also cause that because it detects so many false positives. But usually, the high and medium risks it identifies are things you need to take a look at. So prioritization is quite important.

We also use Defender for Cloud, Defender for Endpoint, and Defender for Cloud Apps. It's quite easy to integrate these Microsoft products because they can easily communicate with other Microsoft products. The tricky part is to integrate other vendors' products, like Cisco or Linux, with Microsoft Sentinel. The actual integration is easy, but they generate a lot of data. But with its entire Defender suite, Microsoft is trying to cover everything in Azure and that is a really strong point.

Sentinel enables you to ingest data from your entire ecosystem and that is vital, but sometimes it's a bit hard to figure out what data you actually need.

Also, the UEBA is a neat feature.

The built-in SOAR is not really good out-of-the-box. The SOAR relies on logic apps and you almost need to have some kind of developer background to be able to make these logic apps. Most security people cannot develop anything, but if you want to make full use of the SOAR part of Microsoft Sentinel, you need to be able to develop these logic apps. You can say, "Okay, that's simple," but it's not simple for someone who doesn't develop.

Also, the bi-directional sync in Microsoft Defender for Cloud should be enabled out-of-the-box. Otherwise, while you can close incidents in Sentinel, they will not be closed in all the other portals. That is really important.

In addition, the watch list could be improved. Microsoft could develop some analytic templates based on these watch lists, for example.

And if you don't have any KQL knowledge, Sentinel is actually quite hard to use or to get the most out of.

I have been working with Microsoft Sentinel for approximately one year.

It's a stable solution.

My clients are looking to increase their usage of Sentinel. Every time I look, there is a new data connector, so it seems like it's a product that is constantly in development.

I haven't used their technical support.

The initial deployment, for me, is not really complex. It takes one hour or less. But to be able to use Sentinel to its full capabilities, you must definitely know something.

In terms of an implementation strategy, you need to really think ahead about who should be able to do this, and who should be able to do that, and respond to that, et cetera. A proof of concept would include dealing with the architecture, gathering initial data sources and/or automation, and then learning how to navigate in Sentinel. One person can do it.

My clients are enterprise-level companies and the solution requires maintenance. It includes updating analytics, importing, and creating new analytics. It depends on the company. If you have 100 employees, one employee might be enough to maintain things, but if you have 10,000 employees and 10,000 devices, you might need more employees.

No license is required to make use of Sentinel, but you need to buy products to get the data. In general, the price of those products is comparable to similar products.

My advice is to start out with a little bit of data and build on top of that. Don't enable too many data connectors in the beginning. Get familiar with the product, and remember to work with Sentinel every day. That's the only way the product gets better.

It comes with some out-of-the-box analytics, but to get the full and best usage out of it, you have to really keep developing it with hunting queries, analytics, et cetera. The visibility provided by the built-in analytics rules, what they detect, is rather good, but Microsoft Sentinel requires ongoing work. It helps automate routine tasks as well, but that's not something that comes "for free." It also requires ongoing work.

Threat intelligence is something that you must be more than just a novice in Sentinel to make use of.

Overall, I find Sentinel to be a really strong solution. Sentinel is where you can see the overall security status of your company. I really enjoy working with Microsoft Defender and the entire suite, combined with Microsoft Sentinel.

Azure Sentinel is a SIEM solution. It offers security information on an event management solution and also security orchestration automation response. It actually looks into events coming into your environment and events from a lot of sources, or whatever you might have in your network.

There are a lot of events and logs generated by all of these resources - sometimes in the thousands or millions. Azure Sentinel helps you investigate a lot of these logs faster. It uses artificial intelligence, called threat intelligence, to look into all the events that might be coming into your environment.

For example, on a daily basis, you might be receiving two million events coming from all the resources you have, including your users. If you're a very big enterprise and you have thousands of users, there are logs coming in from each of these users. You also have some resources, such as your web application, virtual machine, and a lot of your resources that span across both Azure AWS, GCP, and other solution providers like Sophos, Fortinet, Cisco, and your on-premise environment. You can get all these logs together with this.

The solution is still new, and there are a lot of new things coming out each and every day. Microsoft is trying to improve the solution constantly. In the last two weeks, there was a section of the Azure Sentinel code solutions that was integrated. It's something organizations could explore. Recently, they just included automation rules that you can use with Logic Apps to automate threat responses.

Azure Sentinel works with artificial intelligence. With AI by your side, you are able to investigate everything very fast. Within a blink of an eye, it's going to help you look into all these things. Before it can do that, however, you need to set up some form of analytics rules to help you look into all the events that might be coming into your environment.

There's also a security orchestration and automation response. Sentinel is able to identify and spot threats in our environment. We can also set up some automation rules to be able to automate when there is any form of an incident in our environment. For example, if there is a brute force attack on a user account, we can automate a response such that we can block the user account for a time while an investigation is done on that account. There are automation rules that can help to automate responses as well.

There are a lot of things you can explore as a user. You can even go and actively hunt for threats. You can be on the offensive rather than on the defensive.

It's quite different from a traditional SIEM solution whereby you need to have a couple of security analysts to be able to help you manage it. All of these traditional SIEM solutions don't have the capability to look into threats as fast. For instance, if a DDoS attack was placed on our web application hosted with a cloud solution provider and we hosted this web application on our virtual machine, if we have a DDoS attack (a denial-of-service attack), we can spot the threats very quickly. AI will also help to stop these attacks before they can do damage.

You can bring in your own machine learning algorithms to help you look into the threats community environment. If you are someone who's very fast at developing AI, you can have your own custom machine learning set up to help you look into any form of threat. It’s a very powerful tool.

Recently, I deployed Azure Sentinel for a client. I could tell immediately it was able to spot a lot of threats. Just within an hour, it was able to spot about five to ten threats. Also, at that very moment, Sentinel recorded around 500,000 events coming into the log analytics workspace. Typically, if you have something like 500,000 events coming into your environment and you have to involve the physical human efforts to be able to look into 500,000 events, it's going to be a lot of work - too much for one person.

The product has a lot of built-in features. There is a lot that it adds, and there is a lot it can do. It's the kind of solution that you can even bring in your own model.

We have a machine learning model that we train. Apart from it having some kind of already made solution, you can even create your own custom rules and custom machine learning.

Having to analyze threats every day, as a person, can be stressful. However, when you have something like Sentinel, which uses threat intelligence to be able to help you respond and remediate against threats at scale, it takes the pressure off.

It can span across your on-premise resources. If you have your own data center, you can deploy Azure Sentinel in the cloud, and you can have it monitor your data center. You can have it working as a solution to your data center.

As a user, you are able to integrate your on-premise with the data center to Azure Sentinel, in just a few clicks. It’s very simple to use. In just a few clicks, you'll be able to connect Azure Sentinel with your on-premise resources, web server, or SQL server - anything you can think of.

It can help you investigate threats coming into your laptop. You can connect Azure Sentinel to your personal computer.

It doesn't affect end users. They don't have access to Sentinel. They don't even see what is happening. They don't know what is happening.  

A lot of organizations have lost a lot of money due to a loss of virtual information. With this kind of strong security system and some strong security protocols, they are well protected.

New things are already being incorporated just to improve on the already existing solution.

There is a GitHub community for this solution. There are a lot of contributors worldwide and a lot of people building playbooks and building machine learning models. Someone can just build a machine learning model and say, "Okay, just mention in the model, 'Do this,' and it does this." There is room for improvement. However, things are improving in Sentinel with the help of this community.

I've seen playbooks where people have pushed to the GitHub repository, and I've been able to make use of one or two of these solutions on GitHub. That said, it may not be possible to eradicate all of the cyber threats.

There are webinars going on almost every week. Last week I attended a couple of webinars on Azure security. When you are doing things, you also need to be thinking about the security aspect. You have to be thinking about the security aspect of a cloud. You need to enforce a zero-trust model. You can't assume something cannot harm you, as everybody is a threat to your security.

The only issue is that sometimes you can have a false positive alert. For example, sometimes it detects something is happening, however, you're actually the one doing that thing. If someone is trying to sign into their environment and provide an incorrect password, they will try it a few times. The system will look at that event and think it's an attacker and it might be an indication of a threat. However, it's just a user that got the password wrong. I consider that a false positive alert. 

I have been using this solution for about a year now.

The stability seems to be fine for now. It's not an issue. 

I have not really used technical support. That said, on the first day when I was starting with Sentinel, I used technical support for some free advice.

In the past, I've worked as a Microsoft technical support engineer. I was very good at what I did then. The support person that I spoke with when I needed free advice on that first day was helpful. When I raised a support request to ask a few questions, the support engineer was able to do justice to all those questions and shared some things to put me in the right direction. I appreciated their helpfulness as I used to be that helpful as well.

There are a lot of solutions Microsoft has that have to do with security. However, they are not what I would describe Sentinel to be. Nothing I have used in the past has been similar to Sentinel.

For every project, you need to have your functional requirements. Once you have that in place, the initial setup depends on the number of things you want to bring into Azure Sentinel. It's a powerful tool.

You can set it to AWS, GCP, DigitalOcean, Sophos, Fortinet, Cisco - even your PC. You can set it up for everything and there is no lagging. It just takes just a few clicks to connect these things. For instance, if you need to get the logs of a user, you just go to the data connector. Once you are in the data connector, you click on Connect. Once you click on Connect, a lot from that environment just comes into Sentinel. Once it's coming into Sentinel, you can create various analytics rules.

I don't know of similar solutions or if any really exist.

The company I work with now is a Microsoft partner.

It's a very, very powerful tool that I recommend to my customers. I work as a consultant. I advise customers. I do not sell it directly.

It's something that organizations should use. I would advise people to use it. It doesn't look into only your Azure environment. It spans other cloud solution providers.

I'd rate the solution at a ten out of ten.

Our clients use it for just an overall health check and security check for their deployments, whether it's on-prem or in Azure. Azure Sentinel basically collects the data from any kind of endpoint or server that is enrolled in the service, irrespective of whether they are on-prem or in the cloud. It can be laptop servers, virtual machines. It is a cloud solution, but it does extend to on-prem deployment.

I have been using the most up-to-date version. 

One of the most valuable features is that it creates a kind of a single pane of glass for organizations that already use Microsoft software. So, when they have things like Microsoft 365, it is very easy for them to kind of plug in or enroll those endpoints into the Azure Sentinel service.

I can't think of anything other than just getting the name out there. I think a lot of customers don't fully understand the full capabilities of Azure Sentinel yet. It is kind of like when they're first starting to use Azure, it might not be something they first think about. So, they should just kind of get to the point where it is more widely used.

I have been using Azure Sentinel since it came out, so it has been at least a couple of years.

It is very stable. It has been around for a while, and it is a Microsoft product. So, it is pretty secure and pretty stable.

Like all Azure services, it is definitely very scalable. You can very easily and very quickly enroll devices and other data points into Azure. 

Microsoft tech support is pretty good when it comes to Azure. It is really easy to open a ticket because you can do that right through the Azure portal. In addition, my company and other companies that kind of resell Azure services, oftentimes have our own help desk included with the consumption of Azure services. So, we have a 24/7 help desk that works on top of that. There are many managed services partners, like my company, that provide additional services in tech support on top of what Microsoft already has.

It is very straightforward.

It is kind of like a sliding scale. There are different tiers of pricing that go from $100 per day up to $3,500 per day. So, it just kind of depends on how much data is being stored. There can be additional costs to the standard license other than the additional data. It just kind of depends on what other services you're spinning up in Azure, or if you're using something like Azure log analytics.

For any customers who are either looking at Azure or already have Azure or Microsoft 365, this is a great service to look at because it does provide an additional layer of protection and security for all of their data points, whether they are on-prem or in the cloud.

I would rate Azure Sentinel a nine out of 10.

We use Sentinel to monitor events and incidents that occur on our tenant. It covers all the servers and applications in the cloud, too. 

We can use Sentinel's playbook to block threats. It covers all of the environment, giving us great visibility.  

If Sentinel had a graphical user interface, it would be easier to use. I would also like it to be more customizable. 

We've been using Microsoft Sentinel for nearly 20 years. 

Sentinel isn't very easy to set up, especially when we're trying to connect to a server at the entry point. We run into some configuration issues when connecting. 

I rate Microsoft Sentinel eight out of 10. 

We actually use it for queuing logs and checking log systems that we have downloading from other devices to see if there are any issues. For example, if we get an alert, then we triage it and query the logs and the devices that we're looking for.

Microsoft Sentinel has greatly increased our security. We can quickly complete our investigation by using Sentinel and get to the results and escalation points.

The log query feature has been the most valuable because it's very good. You can put your data on the cloud and run queues from Sentinel. It will do it all very fast. I love that I don't have to upload it to an Excel file and then manually look for a piece of information. Sentinel is much faster and is good for big databases.

Microsoft Sentinel is able to figure out what type of attack is occurring. It will tell you whether it is a DDoS attack, whether someone's trying to scam the site, or if someone is doing a group force attack. That is, Microsoft Sentinel will actually tell you what it is based on the type of activities it's seeing on the web server. It's a smart tool.

If I'm typing queries, it knows what I'm looking for.

If I can use Sentinel offline at home and use it on a local network, it would be great. I'm not sure if I can use Sentinel offline versus the tools I have.

I just started using Microsoft Sentinel and have used it for two months.

As for availability, I haven't seen any downtime or any issues with the services yet. The stability looks like it's 99.9% and is great.

I believe that Sentinel is good at scaling up their database or services. We are a large company with big data and have thousands of users.

I have used Splunk, which has similar log type of queries. I feel that Sentinel is smarter. It is able to detect what type of attacks are occurring, unlike Splunk, which is just a query log tool.

There's Elastic ELK, which is similar to Splunk, but it isn't a smart tool like Sentinel is. 

Sentinel is at the top of the tools that I've used so far in terms of smart tools.

Pricing is pay-as-you-go with Sentinel, which is good because it all depends on the number of users and the number of devices to which you connect.

If you're using the cloud and Azure, I would really recommend Sentinel as it will keep making sure that the devices that you have in your environment are safe. Sentinel is very smart at detecting what type of attack is occurring and is actually able to detect and tell us the type of hash file. It is is able to go on the internet, look at the virus total, and see if this is a virus, scam, or phishing. I like how it's able to detect it and how we can make it learn what type of spam or email issue query it is. So, it's a very adaptive type of tool.

I would rate Microsoft Sentinel at ten on a scale from one to ten.