Microsoft Sentinel Reviews

Microsoft Defender for Cloud's bi-directional sync capabilities are important in the following way. If you have an issue that shows in Defender for Cloud, an incident on your dashboard, and you look into Sentinel and see the same alert has been triggered, after someone on your team looks into it and fixes it, if bi-directional is not enabled, you will still have the alert showing. If someone is looking at the Defender for Cloud dashboard, that alert will still show as active. That's why it's important to have bi-directional sync. It helps make sure that people work on the right cases.

Sentinel enables you to investigate threats and respond holistically in one place. It gives you a central repository where you can have a historical view and see the access point where something started, where it went, and how things were accessed. For instance, if someone was anomalously accessing keywords, with everything in one place you can see where it started, where it went, who was involved in it, what kind of endpoints were involved, what IP address was involved, and what devices were involved. In this way, you have complete historical data to investigate the root cause.

Previously, I worked with a number of different tools to pull the data. But having one pane of glass has obviously helped. When you consider the time it takes to go into each and every dashboard and look into alerts, and take the necessary actions, Sentinel saves me a minimum of 15 minutes for each dashboard. If you have three to four dashboards altogether, it saves you around one hour.

And when it comes to automating routine tasks, if you want to notify the right people so that they can look into a P-1 incident, for example, Sentinel can automatically tag the respective SOC or security incident teams through a team chart and they can directly jump into a call.

Another point to consider is multi-stage attack detection. We have a granular view into the incident. We can investigate which IPs, user entities, and endpoints are involved in the alert. If you have to look at multiple, separate points, it could take one hour to see what happened at a particular point in time. With Sentinel, we can directly look into a certain person and points and that saves a lot of time. And then we can take action on the incident.

Among the valuable features of Sentinel are that it 

• has seamless integration with Azure native tools 
• has out-of-the-box data connectors available
• is user-friendly
• is being expanded with more updates.

The visibility into threats that the solution provides is pretty good. We can see a live attack if something is going wrong; we can see the live data in Sentinel.

I work on the complete Azure/Microsoft stack. With Azure native, we can integrate the various products in a few clicks. It doesn't require configuring a server, pulling of logs, or other heavy work. It's very easy, plug-and-play. The data collectors are available with Azure native so you can deploy policies or it will take care of everything in the backend. If various tools have different priorities for issues, monitoring everything is a hectic task. You have to go into each tool and look into the alerts that have been triggered. It's a big task. If you can integrate them into a single pane of glass, that helps you to find out everything you need to know.

And in terms of the comprehensiveness of the threat protection that these products provide, I would give it a 10 out of 10.

Microsoft Sentinel enables you to ingest data from the entire ecosystem and that connection of data helps you to monitor critical resources and to know what's happening in the environment. At a minimum, we should monitor the servers that are critical in the environment.

It also has hunting capabilities so that you can proactively hunt for things, but a different team looks after that in our organization.

In terms of features I would like to see in future releases, I'm interested in a few more use cases around automation. I do believe a lot of automation is available, and more is in progress, but that would be my area of interest.

I have been using Microsoft Sentinel for more than two and a half years.

It's a stable solution.

It's a scalable model but as you scale up you pay for it.

Microsoft technical support is responsive and helpful. And their technical documents are pretty detailed and well-explained.

The initial deployment was pretty straightforward.

The number of people involved in the deployment is completely dependent upon the environment and the access we have. If there's something to be done with a third-party application—for instance, Cisco Meraki or ASA—for those, we require support from the networking team to open up ports and forwarding of logs from the firewalls to Sentinel. If it is a native Azure environment, we don't need any support.

As for maintenance, if there are any updates they will pop up in your alerts and you can then upgrade to the latest version. It doesn't take much effort and there is no downtime. You simply update and it takes a few seconds. If someone is experienced, that person can handle the maintenance. If the environment is very big and it requires injecting more logs, then it requires some helping hands.

The pricing is fair.

With a traditional SIEM, people are required for SOC operations and investigations and they require licenses. With Sentinel, people in SOC operations are still required to investigate, but we don't need any licenses for them. With a traditional SIEM, you pay a lump sum for licenses. But with Sentinel, it's pay-as-you-go according to the amount of data you inject.

I would recommend Microsoft Sentinel.

It's always good to compare against other tools when it comes to the value, to get an idea of what you are paying for. Compare the market strategies and the new capabilities that are coming out and whether you're able to unlock the full capabilities or not. Double-check that. As for best-of-breed versus one vendor, you should stick with one vendor only and take whatever they gave.

Microsoft Sentinel is basically a major log, on top of which you can build queries that can analyze the data you get. It's used to build up security operations centers. In addition, it is a SIEM and SOAR solution.

The first benefit is that you have one place to close incidents. That's definitely an advantage. 

Another benefit is KQL, Kusto Query Language, and the analytic rules with which you can spot suspicious behavior of all kinds. It's definitely a step up when it comes to security. You see the benefits almost instantly.

In addition, automation helps prioritize what needs to be looked at, and what can just be closed and forgotten.

And when you combine the threat intelligence with Defender for Endpoint's recommendations, it's a really strong way to protect things or be proactive when it comes to security, with the CVEs, et cetera.

Overall, our Microsoft solution saves time. Without it, you might have to navigate six or seven portals, but with it, you only have to look at one place, and that saves some time. Most of the time, it eliminates having to look at multiple dashboards and gives you one XDR dashboard. Ideally, that should make working with IT security easier. It also decreases the time it takes to detect and respond.

As a consultant, none of the customers I work for has been hacked or has been close to being hacked. That would be the best way to judge if it saves money because just putting Sentinel on top of all these security products doesn't save you money. It's possible it saves you money. 

I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals when it comes to incident response.

The solution helps prioritize threats across your enterprise and that is quite important. There is a concept called "alert fatigue," and Sentinel can also cause that because it detects so many false positives. But usually, the high and medium risks it identifies are things you need to take a look at. So prioritization is quite important.

We also use Defender for Cloud, Defender for Endpoint, and Defender for Cloud Apps. It's quite easy to integrate these Microsoft products because they can easily communicate with other Microsoft products. The tricky part is to integrate other vendors' products, like Cisco or Linux, with Microsoft Sentinel. The actual integration is easy, but they generate a lot of data. But with its entire Defender suite, Microsoft is trying to cover everything in Azure and that is a really strong point.

Sentinel enables you to ingest data from your entire ecosystem and that is vital, but sometimes it's a bit hard to figure out what data you actually need.

Also, the UEBA is a neat feature.

The built-in SOAR is not really good out-of-the-box. The SOAR relies on logic apps and you almost need to have some kind of developer background to be able to make these logic apps. Most security people cannot develop anything, but if you want to make full use of the SOAR part of Microsoft Sentinel, you need to be able to develop these logic apps. You can say, "Okay, that's simple," but it's not simple for someone who doesn't develop.

Also, the bi-directional sync in Microsoft Defender for Cloud should be enabled out-of-the-box. Otherwise, while you can close incidents in Sentinel, they will not be closed in all the other portals. That is really important.

In addition, the watch list could be improved. Microsoft could develop some analytic templates based on these watch lists, for example.

And if you don't have any KQL knowledge, Sentinel is actually quite hard to use or to get the most out of.

I have been working with Microsoft Sentinel for approximately one year.

It's a stable solution.

My clients are looking to increase their usage of Sentinel. Every time I look, there is a new data connector, so it seems like it's a product that is constantly in development.

I haven't used their technical support.

The initial deployment, for me, is not really complex. It takes one hour or less. But to be able to use Sentinel to its full capabilities, you must definitely know something.

In terms of an implementation strategy, you need to really think ahead about who should be able to do this, and who should be able to do that, and respond to that, et cetera. A proof of concept would include dealing with the architecture, gathering initial data sources and/or automation, and then learning how to navigate in Sentinel. One person can do it.

My clients are enterprise-level companies and the solution requires maintenance. It includes updating analytics, importing, and creating new analytics. It depends on the company. If you have 100 employees, one employee might be enough to maintain things, but if you have 10,000 employees and 10,000 devices, you might need more employees.

No license is required to make use of Sentinel, but you need to buy products to get the data. In general, the price of those products is comparable to similar products.

My advice is to start out with a little bit of data and build on top of that. Don't enable too many data connectors in the beginning. Get familiar with the product, and remember to work with Sentinel every day. That's the only way the product gets better.

It comes with some out-of-the-box analytics, but to get the full and best usage out of it, you have to really keep developing it with hunting queries, analytics, et cetera. The visibility provided by the built-in analytics rules, what they detect, is rather good, but Microsoft Sentinel requires ongoing work. It helps automate routine tasks as well, but that's not something that comes "for free." It also requires ongoing work.

Threat intelligence is something that you must be more than just a novice in Sentinel to make use of.

Overall, I find Sentinel to be a really strong solution. Sentinel is where you can see the overall security status of your company. I really enjoy working with Microsoft Defender and the entire suite, combined with Microsoft Sentinel.

We use it to protect our Office 365 environment. We can also deploy it for the entire infrastructure, including on-premises, firewalls, and also users' devices.

I'm a partner with many customers using Sentinel. Some are small companies but I also have many banks that have implemented the solution.

It has helped to improve security posture because it's based on machine learning. You can protect the whole environment. While other solutions are based on rules, and you have to put rules in place to protect things, Sentinel is smarter because of the machine learning.

For example, one of my customers is a bank that was attacked by ransomware. They were using Symantec and it could not detect the attack. When we put in Sentinel, within 15 minutes it detected the malware and stopped the attack.

The most valuable features are its threat handling and detection. It's a powerful tool because it's based on machine learning and on the behavior of malware.

I have been using Microsoft Sentinel for one and a half years.

It's a stable solution.

It's a cloud solution so Microsoft handles the scaling. We haven't had a problem with performance because Microsoft is in charge. It's done automatically.

It's definitely the best technical support. When you open a new ticket you get a response within a maximum of one hour. You can open a case with Microsoft 24/7.

Positive

I used QRadar. I switched because QRadar is not smart and there was too much manual work.

It's easy to implement and not very hard to put it into production.

The deployment time depends on the customer's needs. It can be deployed in one hour. But if they have many end users and many servers, it can take one week. After that, you have to wait for the machine learning to learn the environment and start the detection.

The implementation strategy also depends on the environment. If it is an Office 365 environment, we can start by protecting email, the shares, and the docs. After that, we can move to the end-user machines. But it depends on the project.

Deployment and maintenance requires a maximum of three people. One would be an admin, one would be a security leader to maintain the solution, and the third would be a project manager. It also depends on the project, but in general, there will be two or three people involved.

It is certainly the most expensive solution. The cost is very high. We need to do an assessment using the one-month trial so that we can study the cost side. Before implementing it, we must do a careful calculation.

Something that could be improved is the documentation of the cost because there is none. All the other features are documented, but the pricing is not very clear.

The Office 365 connectors to Sentinel are free, as is the support.

Sentinel is generally the last option we go with because of the cost. Customers have their solutions but they contact us and say, "Okay, we have our solution but it's not smart. Can we move to Sentinel?"

I recommend implementing Sentinel because it's certainly the most powerful SIEM tool. It detects all malware based on the behavior of many things, including the files and anomalies. It detects things automatically.

We use it to monitor the cloud for any security issues. We are using it as a SIEM for our cloud workspace.

The most valuable feature is the UEBA. It's very easy for a security operations analyst. It has a one-touch analysis where you can search for a particular entity, and you can get a complete overview of that entity or user.

There is also something called workbooks in Sentinel that help us to monitor the complete cloud data and it gives knowledge about, and visibility into, our security posture.

It integrates seamlessly with Microsoft products, especially Office 365 and our Azure workspace, whether it's the Application Gateway or Azure DDoS or Azure Firewall. It has native integration that works very well.

You can also monitor Zero Trust security from Microsoft Sentinel.

There are a number of points they can improve. For example, if I see an alert and I want to drill down and get more details about the alert, it's not just one click. In other SIEM tools, you just have to click the IP address of the entity and they give you the complete picture. In Sentinel, you have to write queries or use saved queries to get details. For a security analyst, when there is an incident, it takes a lot of time to write queries, investigate, and then execute.

For example, if you want to search a particular entity or an IP address, or search the complete log instead of just the security alerts, it takes time to write a query for that. The MTTR is a little high, as is the mean time to investigate, compared to other SIEM tools.

I would also like to have more resources on KQL queries.

And using the data connectors is not straightforward when you want to create a use case that is not out-of-the-box. Creating a custom use case is a challenging process. You need to understand KQL queries and the support for regex is limited.

I've been using Microsoft Sentinel for between six months and a year.

The availability is good. But when you compare the stability with Splunk or ELK or QRadar, it still needs to be more reliable and stable, not from an installation or administration perspective, but when it comes to security operations.

We collect data from between 3,000 and 4,000 users, and our cloud workspace is somewhere around 100 or 200 servers.

The scalability is good because it has Azure in the back end.

We are still deciding whether to migrate completely to Sentinel or not. We are using two SIEM solutions in parallel. The other solution is LogRhythm. From an analyst perspective, Sentinel has to evolve more. Once it does, we can think of migrating to it fully.

The installation was straightforward and easy. With Azure Resource Manager, it was easy to deploy, and it was a straightforward integration, in terms of configuration, to connect the Log Analytics workspace with Sentinel and the solutions that Sentinel has.

Deploying the solution hardly took four hours, and the initial configuration took a single person one day, meaning eight hours.

We used to have an on-prem solution and we moved our workload to the cloud. Our users did not face any challenges or difficulties as a result.

We are still in the process of getting our ROI. We are waiting for the solution to improve and mature.

Sentinel is pretty competitive. The pricing is at the level of other SIEM solutions.

I have experience with Splunk and QRadar and they are the best. They are equivalent, one with the other. Both the solutions are mature enough, having been in the market for quite some time. They know what they're doing and are easy to use from an analyst's perspective. Both are scalable solutions as well.

The drawback of these two solutions is that it takes a little bit of time to do integrations, especially for Azure workloads, as they're not in-built in Azure.

Always record your KQL queries and stick to the basics.

The primary use case of Microsoft Sentinel is for user and entity behaviors, detecting unauthorized access to services, identifying malicious IP addresses, and preventing brute force attacks on services. These are generic security use cases.

The AI-driven analytics of Microsoft Sentinel have significantly improved our customers' incident detection and response. It reduces the workload and decreases the number of tickets and incidents to triage.

The query language of Microsoft Sentinel is easy to understand and use. It allows querying across numerous agents quickly and efficiently. Being cloud-based, it does not require much hardware to utilize.

While I have not used Microsoft Sentinel extensively to suggest specific improvements, there is always room for improvement. The pricing could be improved, as it is considered quite expensive, especially considering the costs for workspace, Sentinel, and storage.

I have been working with Microsoft Sentinel for a good three years.

The stability of Microsoft Sentinel is rated ten out of ten. It is considered highly stable.

Microsoft Sentinel is very scalable because it is a cloud service and does not rely on our own resources. It depends on the payment capacity, however, it is considered very scalable overall.

The customer service and support for Microsoft Sentinel are quite good. They provide numerous articles and training materials and are quick to respond, usually within an SLA of two to three hours.

Neutral

The initial setup of Microsoft Sentinel can be challenging, with a learning curve. Configuring a workspace and adding connectors can be complex, especially for those not familiar with Azure or Microsoft. I would rate the setup around five or six out of ten.

The pricing of Microsoft Sentinel is considered expensive, particularly due to the cloud-related costs for workspace, Sentinel, and storage.

I am still quite new to Microsoft Sentinel, so I can't provide specific advice or recommendations. It is a good product with capabilities that might not be found in other SIEM solutions.

I'd rate the solution eight out of ten.

I use Microsoft Sentinel in my work as an MSSP and as a threat detection engineer.

One of the most valuable features of Microsoft Sentinel is that it's cloud-based. I previously worked for a very long time with AXA since 2006, but Microsoft Sentinel's ability to scale virtually and budget-dependent is a huge advantage. Before that, everything was on-premise and required some forklift upgrades, and it was a bit of a nightmare.

Microsoft Sentinel is relatively expensive, and its cost should be improved. Although Microsoft has been working on providing additional discounts based on commitment tiers, it's still in the top three most expensive products out there. They are certainly trying to compete with the likes of Splunk.

I have been using Microsoft Sentinel since April 2020.

Since the time that I've been using Microsoft Sentinel, I've seen five or six serious outages. That's not uncommon with cloud providers. Generally, when it's a major outage, it's pretty catastrophic.

The scalability of Microsoft Sentinel is pretty good.

I have contacted Microsoft Sentinel's technical support a number of times, and my experience with them has been pretty good.

Neutral

Before we started using Microsoft Sentinel, we previously used Splunk and ArcSight. Having a brand name like Microsoft was one of the reasons we decided to switch to Microsoft Sentinel. I was working for an MSSP at the time, and at the start of the service, they decided to run their MSSP based on Microsoft Sentinel. So it was more of an environmental thing than a conscious decision to switch to Microsoft Sentinel.

The deployment of Microsoft Sentinel is relatively simple, but the data onboarding is the complicated part.

Two people are required for the deployment of Microsoft Sentinel.

Microsoft Sentinel's evolution, use of CI/CD, and automation capabilities have helped us see a return on investment.

Microsoft Sentinel's pricing is relatively expensive and extremely confusing. I have raised this issue with Microsoft directly. It's not an easy thing to do, especially when you consider commitment tiers, discounts, and several variables that go along with it. It would be very difficult for the uninitiated to get a true reflection because you'd need to know about the product to get a cost. Suppose I go with the online pricing calculator. In that case, I need to know the difference between analytics and basic logs. I also need to understand the implications and limitations of selecting a particular option. And that's not clear from the pricing tool. So I think from that perspective, they should democratize it and make it a lot simpler and easier to do.

The visibility that Microsoft Sentinel provides into threats is great. They got a lot of content out of the box and have an active community. I absolutely love the cluster functionality and the cluster query language. I definitely wouldn't want to go back to anything else. It's an incredible query language.

Microsoft Sentinel helps us to prioritize threats across our entire enterprise. The out-of-the-box content and behavior-analytic functionality that Microsoft Sentinel provides certainly help a lot.

There's a whole cloud stack like Defender for Endpoint, Defender for Cloud, and Defender for Cloud Apps that we interface with. I am not directly responsible for configuring and managing those different products within my company. However, we interface with each of them because we take their log data.

It was very easy to integrate other Microsoft security products with Microsoft Sentinel. The other Microsoft products I mentioned have done a great job of making it very simple to integrate. It's probably easier than all the other services. Being Microsoft products, there's a very tight integration, which is great.

I don't have any direct involvement with configuring Defender for Cloud. However, we take the logs from all the Defender suites like Defender for Identity, Defender for Cloud, Defender for Cloud Apps, Defender for Endpoint, etc.

Microsoft Sentinel enables us to ingest data from our entire ecosystem. It is more challenging regarding the on-premise stuff and unsupported SaaS services. You could leverage the available functionality, but it's certainly not as easy as the native Microsoft Cloud products it integrates with. There's a lot more to it in terms of being able to ingest data from an on-premise data source. This data is very important to our security operations.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place.

The comprehensiveness of Microsoft Sentinel security protection is good. It is constantly evolving. I would like to see Microsoft add more automation, but they're on a journey to expanding their capability. I expect to see a change in that space. Since I started using the product, it has evolved, and the evolution of the product from two years ago or three years ago has been huge.

The cost and ease of use of Microsoft Sentinel against standalone SIEM and SOAR solutions are on par with Splunk in terms of costs. It's on par with what Splunk costs or slightly cheaper. It depends on how you set it up, but it's not always evident. Microsoft would prefer you to pay more than less. Certainly, from their perspective, it could probably put out more guidance on the optimization of cost. In terms of its use and functionality, it's definitely on its way to becoming a market leader. I can see that through the evolution that occurred in the last three years. There's always more and more functionality being added. I would like to see more expansion in terms of the provision of functionality in the dashboarding and work booking component. They could spend more time on expanding our capabilities. Splunk can easily plug into D3 libraries to create really good visualizations. The visualization capability within Microsoft Sentinel at the moment is somewhat rudimentary. You can always plug Power BI into it, but it's not a native product feature, and you need to buy and pay for Power BI.

From an overall management capability, Microsoft Sentinel has certainly made life easier. The introduction and addition of the CRC process are great. Historically, many SIMS haven't had that capability or ability to be integrated with the CRC system. So the automation component of that has allowed the deployment of infrastructure's code to speed up the process of the actual deployment massively in the MSSP environment. Historically, when it was on-premise, it would take two weeks to two months to get that all done. Whereas now, you can spin up a new instance and onboard all the cloud stack within a few days, which is huge.

Microsoft Sentinel has the hunting functionality. From that perspective, you could run a whole number of queries at the same time.

Microsoft Sentinel has not helped eliminate having to look at multiple dashboards. They need to expand that functionality.

Microsoft Sentinel’s threat intelligence helps us prepare for potential threats before they hit and to take proactive steps. They’ve recently introduced the Microsoft Defender Threat Intelligence feed, which is a good step forward. It’s come out of the RiskIQ acquisition, which is great. However, I would like to see more native integrations with threat intelligence feeds from financial services, local country threat intelligence feeds, and CSC feeds from government institutions. They work quite closely with the government in many places already, and it would be a huge advantage to have really simple and easy integrations. They could do more in that space in terms of providing alternative threat intelligence with the ability to integrate seamlessly and easily with threat intelligence from other sources. They do already provide connectors, but it isn’t easy. In my experience working in the industry, I’ve seen a company that effectively had a threat intelligence marketplace built into it. So you could very easily and quickly select threat intelligence providers through a number of clicks and then onboard that data very quickly.

Microsoft Sentinel has helped us save time as opposed to our previous solution. Microsoft needs to add even more automation. If you look at their competitors like Palo Alto Cortex, they already have a lot more capability out of the box. Microsoft needs to expand further that out-of-the-box automation capability.

Based on previous experience, Microsoft Sentinel has decreased our time to detection or our time to respond.

Microsoft Sentinel does not need any maintenance because Microsoft does that. However, I have monitoring rules set in place to watch what's going on. For example, we've seen outages in the past, which caused delays in incident creation. There's very little out-of-the-box content to help monitor Microsoft Sentinel.

I would always go with a best-of-breed strategy rather than a single vendor’s security suite. The evolution of Microsoft Sentinel itself has been quite amazing to see. The solution has become more feature-rich in the last two years. I hope this evolution continues and will likely leave the others behind.

I suggest to those evaluating Microsoft Sentinel to do a proof of concept.

Overall, I rate Microsoft Sentinel a seven out of ten.

We are using Microsoft Sentinel for our traditional SOC. So previously, we had multiple products, like VM products, log analytics products, and analysts. We are making so much effort to analyze incidents and events in the security operation center., after which we decide whether it's an incident or an event, and we take action. After Sentinel's implementation, it would be much better and much simpler. For instance, we can now save much more time since in Sentinel, there is artificial intelligence, so the system will decide for you instead of a human. The system will learn what kind of thing you should take action on, and it will save some time since you do not need much human power. In traditional SOC systems, there were three or four people. But in Sentinel, it's much easier, and you do not need so many people in the SOC. So you will save time and keep it cost-effective.

Previously, we were incurring a huge cost being paid to a person. But in Sentinel, you do not hire anyone because the system provides system insights through the cloud applications. So you do not need to put effort, or you don't need to hire either of the senior people. So in, in your SOC team, would be mid-level people, and it would be fine. Also, you do not need so many people. So, one or two people left the organization after the central implementation. So we just have an agreement with one company at a professional level since they're also managing Sentinel. We do not need to pay for the maintenance of applications. So that's also a benefit for us. So, in this case, we are only paying Sentinel yearly or annual costs.

Previously, we could not do some automation. So in Sentinel, we create some playbooks, and with some features in the playbooks, we have some capabilities. For example, when a virus enters the system, we will take action to keep the system safe. So, the machine with the virus can be automatically isolated from the network, and this might be a pretty cool feature in the solution currently.

Microsoft Sentinel has improved our entire SOC, like our log system and incident response. So we are able to quickly respond to incidents and take action. Even though Microsoft Sentinel has already improved our system, it should further improve for on-premises systems or traditional systems, especially to get or collect logs from the legacy systems. Also, Microsoft should improve Sentinel, considering that from the legacy systems, it cannot collect logs.

I have been using Microsoft Sentinel for about six months. My company has a partnership with Microsoft.

I have not contacted technical support.

We are using Microsoft Intune. From the mobile device management point of view, it makes work very easy. We are just planning that with Microsoft Intune, we can easily export some logs to Sentinel to analyze them. We are not using this feature right now, but we are planning. If you are using Microsoft applications, it's very easy to integrate them with other Microsoft products.

Defender is something that we are using as an antivirus for Android applications, but we are not using it on the cloud.

From a cost point of view, it is not a cheap product. It's, like, an enterprise-level application. So if you compare it with a low-level application, it's expensive, but if you compare it with the same-level application, it's pretty much cost-effective, I think. Because for other products, you need to purchase them by paying thousands of dollars. In Sentinel, you pay for how much you use, or you just pay for how much you consume storage, log interface, or system. It will not be a one-time cost, but it will be like a continuous rental system, where you subscribe to an application, and then you use it. That's very easy. I think the company got the solution for a long time. If you purchase some products, you need to invest in something, and it increases your investment budgeting. Many enterprises do not like investments. But this is not a one-time cost, to be honest, since continuously, we will pay. This is maybe a negative point of view, but considering from company to company, it entirely depends on a company's strategy.

Previously, it was a little bit difficult to find where an incident came from, including which IP address and which country. So in Sentinel, it's very easy to find where the incident came from since we can easily get the information from the dashboard, after which we take action quickly.

Sentinel does provide me with the ability to set priorities on all the threats across your entire enterprise. So, it is very important because we were previously getting the service from the outside. It would be yes. Sentinel is a next-generation SOC. So, Sentinel also still develops some applications on Sentinel's site, so maybe in the next release, they will introduce a much more effective version for the company. I'm not sure how many companies use it right now. Maybe in the future, more companies will use Sentinel because its features are such that compared to the traditional SOC systems, they are not affected since the system is a cloud-based system. So it's easy to manage. Also, you don't need to care about it from an infrastructure point of view. Additionally, we don't need to take care of products, and we don't need to take care of maintenance. From a product point of view, we do not need to manage since we just need to focus on the incident event.

Right now, we are using very traditional applications, so there is no use of native Microsoft applications right now.

Sentinel enables me to ingest or collect data from my entire ecosystem, but not all of them, because some traditional applications cannot provide some data needed for export. It cannot allow you to get reports or logs from outside. It's a challenging point, so this might be an opportunity for us to change the traditional application. In traditional applications, and sometimes in IT systems, it might be very difficult to get data insight. In some cases, we need to change the application since, in traditional applications, you cannot get support. To fix it, you need to decide something, or maybe you need to decide on the application change. It might be an opportunity for you. But in the next-generation application, there is no problem. With a new application, you can easily integrate with Sentinel. In Sentinel, the negative point is just related to cloud applications. With cloud applications, maybe sometimes you cannot get data from the on-prem application. So if you use a cloud system, like Sentinel, which is a cloud system, then it's very easy. If you are using an on-prem system, Microsoft Sentinel sometimes may not be easy to integrate.

Sentinel allows me to investigate threats and respond quickly and thoroughly from just one place. It accelerates our investigation, especially our event investigation and incident investigation. Using Sentinel, we take quick actions and get quick insights after its standard implementation. So it is time-efficient.

Previously, we had no SOAR applications. In Sentinel, if you want to take action quickly, you need to create playbooks so that if something happens, you can just develop an application like a playbook in Sentinel so that if something happens, you can tell Sentinel to take action. You can freely create your own playbooks since it's very easy. In my opinion, this is the best feature of one product. Normally, you need to purchase two applications or two products. But in Sentinel, they combine everything together. This is the most beautiful feature for me.

Sentinel helps automate routine tasks and help automate the finding of high-value alerts. We do not need to create manual operations like when our system engineers see the incident and they do a system analysis. So after Sentinel, the system analysis is not done by anyone since Sentinel can already make decisions and then take action by itself. So at this point, there's no human power. Sometimes human power is needed, but maybe eighty percent or ninety percent of the time, there is no human power needed. So, it has caused significant improvements in our entire company.

Sentinel has helped eliminate having to look at multiple dashboards and giving us just one XDR dashboard. Previously, we had to check multiple dashboards, especially in relation to whether logs were coming and other things, like incidents and events. In Sentinel, you do not need to check many dashboards. So you are just designing one dashboard, and then, on the entire dashboard, you will see everything. So, it now saves time since previously there were multiple dashboards causing our engineers and our analysts to get confused at times. So they used to ask our managers to understand better. Currently, it is very easy to understand since one needs to check in on one dashboard, and there's no confusion among the engineers. But they do not need to ask anyone to understand. Apart from better understanding, it has improved our systems.

From a security point of view, you need to go with multiple vendors, but this is a traditional system. But right now, if you want to create a good security system, you need to implement each product with one vendor. Because vendors currently state that, if you want to have a high-level security system. You need to implement each product on a security level from one vendor. Microsoft-level vendors offer many features, but people only just purchase or use one product, and that's all. It's not good for security infrastructure. So, you need to implement all security products from just one vendor. I think one vendor and the needed security products will be enough for a company. Sentinel is our next-generation SOC. Currently, I don't see any competitors at this level.

I rate the overall solution a nine out of ten.

We provide managed security services to customers in Myanmar using Microsoft Sentinel as a cloud media SIEM. Most of the use cases involve retention, and we use all the features of Microsoft Sentinel. We also use other Microsoft security products like Defender for Endpoint, and most of them are integrated with Sentinel. 

Microsoft Sentinel is a cloud-native SIEM solution, so it helped us reduce our infrastructure costs and deliver better services to our customers. We don't need to pay upfront costs because it is in the cloud. We used an open-source SIEM solution before implementing Microsoft Sentinel, but that wasn't satisfactory for our customers. Sentinel helped us provide more robust managed security services to our customers.

It consolidated multiple dashboards into one and helped us be more proactive. However, our team is still trying to mature to a level that we can adopt a more preventative approach to security. Sentinel significantly reduced our detection time. Without Microsoft Sentinel, our SOC analyst might take 30 minutes to an hour to detect an issue, but now it's practically in real-time. 

The biggest advantage of Sentinel is scalability. In addition, we don't need to worry about paying for infrastructure costs upfront. It gives us the flexibility to choose the kind of infrastructure based on each client's needs. Sentinel is also much simpler than other SIEM solutions. The UI is smoother and easier to use.

Native integration with Microsoft security products or other Microsoft software is also crucial. For example, we can integrate Sentinel with Office 365 with one click. Other integrations aren't as easy. Sometimes, we have to do it manually. 

The bi-directional sync is helpful. For example, we have one client using our managed security service, but they don't want to use Microsoft Sentinel. If those products are not syncing or if the solution is not bi-directional, some alerts may be missed. It's essential for both portals and the two folders to be in the same channel it's pushing. The UEBA features are also perfect. We don't see the same caliber of user behavior analytics in other SIEM. Microsoft's UEBA is great for our SOC analysts. 

Microsoft threat intelligence and UEBA still have some room for improvement. There are currently only two connectors available for Microsoft threat intelligence. the threat intelligence platform and the FTIA commander.
Sentinel should offer another option for a third-party threat intelligence platform. There are lots of open-source threat intelligence solutions available. 

Threat handling could be great for our team and for our SOC analyst, but some are unusable depending on our SOC analytics.

Sentinel can ingest data from most of our ecosystem, but some data cannot be called up. For example, if an SAP product is hosted, it will do a specific version, but it cannot be called back to Sentinel. It cannot be directly connected to Sentinel.

Our team has been using Microsoft Sentinel for about two and a half years.

I rate Microsoft support a seven out of ten. They take too long to respond, but sometimes they are great. 

Neutral

We previously had an open-source SIEM, but it lacked the detection and automation capabilities of Sentinel.

The initial deployment was straightforward but configuring integration for some of our projects was challenging because there are few connectors for solutions like Cisco. I rate Sentinel a five out of ten for ease of setup. 

We performed our integration in-house, but sometimes we get support from Microsoft.

Sometimes, it is hard for us to estimate the costs of Microsoft Sentinel.

I rate Microsoft Sentinel a nine out of ten. I recommend it, but it takes time to evaluate because Sentinel is unlike other cloud solutions.