reviewer2259135 - PeerSpot reviewer
Security Delivery Analyst at a consultancy with 10,001+ employees
Real User
It has an intuitive, user-friendly way to visualize the data
Pros and Cons
  • "Sentinel has an intuitive, user-friendly way to visualize the data properly. It gives me a solid overview of all the logs. We get a more detailed view that I can't get from the other SIEM tools. It has some IP and URL-specific allow listing."
  • "Sentinel can be used in two ways. With other tools like QRadar, I don't need to run queries. Using Sentinel requires users to learn KQL to run technical queries and check things. If they don't know KQL, they can't fully utilize the solution."

How has it helped my organization?

Sentinel gathers data from the organization's entire ecosystem, not just the local network. I like having the ability to investigate and respond quickly to threats from one place. It's fun to use. Sentinel has an intuitive, user-friendly way to visualize the data properly. It gives me a solid overview of all the logs. We get a more detailed view that I can't get from the other SIEM tools. It has some IP and URL-specific allow listing.

Sentinel comes with multiple good playbooks for automation and other valuable things that we use. It automatically gives us alerts in our ticketing platform, ServiceNow. 

If you're using other Microsoft security tools, it's better to use Sentinel instead of other SIEM solutions. It reduces the time spent on threat hunting because it uses an SQL database and SQL custom query language. It helps me analyze the data properly because I can view all the events. Sentinel has helped me multitask. 

What is most valuable?

The most valuable feature is the integration with other Microsoft security tools. It's an Azure product, so it integrates seamlessly with tools like Microsoft Defender for Endpoint, Defender for Cloud Apps Security, and Defender for Identity. 

It collects all the logs from these solutions and correlates the data well. If I need to check a particular event or log, I can easily review this from one portal, which is something I can't do in another SIEM tool. Sentinel has a graphical view that shows every team the information they need. 

It will easily give us the entities, events, or accounts that are directly involved in any particular security alerts. It has good usability. Sentinel comes with multiple different connectors. We only need to select the log sources, and the connectors automatically load.

We can customize the visibility based on the organization's rules and policies. We establish the desired rules and log sources. Most of them are from Azure-based products, not firewalls or point system-based accounts. Initially, most of the security alerts are false positives, and we need to do some fine-tuning. 

What needs improvement?

Sentinel can be used in two ways. With other tools like QRadar, I don't need to run queries. Using Sentinel requires users to learn KQL to run technical queries and check things. If they don't know KQL, they can't fully utilize the solution. 

When we're dealing with freelancers and new employees, they often have problems analyzing some things. An expert can realize all of Sentinel's advantages, but most organizations are constantly hiring new staff, who need to learn KQL before they can use this. 

For how long have I used the solution?

I have used Sentinel for the last two years. 

Buyer's Guide
Microsoft Sentinel
April 2025
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: April 2025.
850,671 professionals have used our research since 2012.

What do I think about the stability of the solution?

I've never experienced lag, but it crashes sometimes. One disadvantage is that it collects tons of logs, so when we create reports, it isn't easy to download a month of reports in one day. We have to spread it out across 15 days. 

What do I think about the scalability of the solution?

The scalability is good. You can scale it out by adding other tools.

How are customer service and support?

We haven't needed to contact Microsoft support about Sentinel because we haven't had any significant downtime. Our other SIEM tools sometimes went down and we had to contact support multiple times. Sentinel always provides solid availability, and it's ready to take our logs.

Which solution did I use previously and why did I switch?

I have used IBM QRadar and Splunk. I prefer Sentinel for threat hunting because the process is more visual. QRadar and Splunk are better for user interaction. 

What other advice do I have?

I rate Microsoft Sentinel eight out of 10. I think a single-vendor strategy makes sense if you're primarily using Microsoft tools. It simplifies things because you only have one support portal, and engineers are easily accessible. If I'm working with security tools from multiple vendors, it can be hectic because the tools are made differently and have different architectures. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer1934034 - PeerSpot reviewer
Security Architect at a tech services company with 10,001+ employees
Real User
Enables us to integrate multiple sources and provides results quickly
Pros and Cons
  • "The analytics have a lot of advantages because there are 300 default use cases for rules and we can modify them per our environment. We can create other rules as well. Analytics is a useful feature."
  • "Sentinel still has some anomalies. For example, sometimes when we write a query for log analysis with KQL, it doesn't give us the data in a proper way... Also, the fields or columns could be improved. Sometimes, it is not giving the desired results and there is a blank field."

What is our primary use case?

Log management is the primary purpose of Microsoft Sentinel to help us monitor the environment and detect threats. That way we can stop them at the first opportunity so that they do not impact the environment.

We take data from the data connectors. Some of the devices are default devices in Microsoft Sentinel, but we can easily add others. For some, we need to use an API or we need some extra help to add them into our security solution. At times, we need an agent.

How has it helped my organization?

It is a great tool for log management. It uses KQL (Kusto Query Language) which makes it very easy to find out anything in the environment by writing code.

If we have found some threat intel apart from Microsoft, we can add that to the watchlist category. We have a MITRE ATT&CK framework category and we can map the new threat methodology into our environment through Microsoft Sentinel. There are multiple features in Microsoft Sentinel that help us add threats into the environment and detect threats easily and quickly.

There are multiple things integrated with it, like CrowdStrike, Carbon Black, Windows and Linux devices, and Oracle. We can see threats from all the environments. If an attack happens on the AD side, we can see that things are signed off. All those sources are integrated and that's a good thing.

On a weekly basis, it is saving us 10 hours, because we get results from the solution very fast.

What is most valuable?

There are many features, including watchlists and analytics. We can also use it to find out multiple things related to log management and heartbeat. All the features have different importance in those processes. 

The analytics have a lot of advantages because there are 300 default use cases for rules and we can modify them per our environment. We can create other rules as well. Analytics is a useful feature.

Another good feature is the data connectors, where we are collecting the logs from external devices and mapping them into the security solution. That feature is helpful.

The information Sentinel provides is of great use. Microsoft has its own threat intelligence team and they are mapping the threats per the IoCs. It lets us see multiple things that are happening. These things are a starting point for any type of attack and they are already in the solution's threat intelligence. Once something has been mapped, meaning whenever we get an alert from a threat actor, based on IoCs, we can analyze things and block them. There are multiple use cases and we can modify them for our environment.

We need to map things through the MITRE ATT&CK framework. Sentinel is a detection tool. Once it detects things, that is where human intervention comes in and we do an analysis. It is giving us ideas because it is generating events. We can see what events are happening, such as what packets are being analyzed, and what processes are being created. We can analyze all these aspects, including EDR cloud, because they are integrated with Microsoft Sentinel. It lets us see third-party sources. It is a very nice security monitoring tool.

The comprehensiveness of Sentinel's security protection is really great. I don't think it has SOAR capabilities, but it has UEBA.

What needs improvement?

Sentinel still has some anomalies. For example, sometimes when we write a query for log analysis with KQL, it doesn't give us the data in a proper way. We are trying to improve it and write the query in a manner that will give the desired results. We're trying to put in the conditions based on the events we want to look at, and for the log sources from which we are getting them. For that, we are working on modifications of our KQL queries. Sentinel could be improved by Microsoft because sometimes queries are not giving the desired results. This is something they should look into.

Also, the fields or columns could be improved. Sometimes, it is not giving the desired results and there is a blank field. 

In addition, while the graphical user interface of Microsoft Sentinel is good, there is some lag in the user interface.

For how long have I used the solution?

I have been using Microsoft Sentinel for the last year. I have been more into the analysis part and the creation of use cases by using the analytics.

What do I think about the stability of the solution?

It's a stable solution.

What's my experience with pricing, setup cost, and licensing?

The combination of the ease of accessibility and the free cost of the service is great. But we buy storage based on our events per second and on how many sources are integrated into the solution. We have to store the data in our environment to do analysis on past events or to check past threats.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
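The first two reviews above both come back to KQL: the first says analysts cannot use Sentinel fully without it, the second complains that queries sometimes return blank fields. The query below is an added example written for this page, not code from either reviewer or from Microsoft. It is the kind of scheduled analytics-rule query a practitioner would write for the brute-force use case mentioned later on the page: count failed sign-ins per source IP, suppress sources listed in an allow-list watchlist (the "IP-specific allow listing" the first reviewer mentions), and guard against the empty-field problem with `isnotempty()` and `coalesce()`. It assumes the Microsoft Entra ID connector is feeding the `SigninLogs` table and that a watchlist named `AllowedSourceIPs` with a column `IPAddress` exists; both the watchlist name and the threshold values are assumptions for illustration.

```kql
// Added example (not from the reviews or from Microsoft): failed-sign-in
// burst detection per source IP, with watchlist-based allow listing and
// explicit handling of empty fields.
// Assumed: SigninLogs is populated by the Entra ID connector, and a watchlist
// named "AllowedSourceIPs" (hypothetical name) has an "IPAddress" column.
let lookback = 1h;                 // analytics rule lookback window (assumed)
let threshold = 20;                // failed attempts per IP before alerting (assumed)
// Pull the allow list; tostring() keeps the join type consistent even if the
// watchlist column was imported as dynamic.
let allowedIPs = _GetWatchlist('AllowedSourceIPs')
    | project IPAddress = tostring(IPAddress);
SigninLogs
| where TimeGenerated > ago(lookback)
// ResultType is a string in SigninLogs; "0" is a successful sign-in,
// anything else is a failure code.
| where ResultType != "0"
// Rows with no source IP cannot be attributed; drop them rather than
// letting an empty key swallow the summarize.
| where isnotempty(IPAddress)
| where IPAddress !in (allowedIPs)
// LocationDetails is dynamic and may be missing; coalesce() avoids a blank
// column in the results.
| extend Country = coalesce(tostring(LocationDetails.countryOrRegion), "unknown")
| summarize
    FailedAttempts = count(),
    DistinctAccounts = dcount(UserPrincipalName),
    Accounts = make_set(UserPrincipalName, 10),   // cap the sample at 10 UPNs
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by IPAddress, Country
| where FailedAttempts >= threshold
// Entity-mapping columns: map IPCustomEntity to the IP entity and
// AccountCustomEntity to the Account entity in the rule wizard.
| extend IPCustomEntity = IPAddress,
         AccountCustomEntity = tostring(Accounts[0])
| order by FailedAttempts desc
```

Run it first in the Logs blade over a wider `lookback` to tune `threshold` against the environment's normal failure rate; a low threshold on a large tenant is the main source of the false positives the first reviewer describes. Because the allow list lives in a watchlist rather than in the query text, the SOC can add or remove scanner and proxy addresses without editing and re-publishing the rule.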
reviewer1537419 - PeerSpot reviewer
Domain Architect at a government with 5,001-10,000 employees
Real User
Really good SIEM technology for Microsoft-centric organisations
Pros and Cons
  • "Free ingestion for Azure logs (with E5 licence)"
  • "It is easy to implement (turn on) - does need a skilled analyst to develop queries and playbooks."
  • "It has basic out-of-the-box integrations with multiple log sources."
  • "They should integrate it with many other software-as-a-service providers and make connectors available so that you don't have to do any sort of log normalization."
  • "Add more out-of-the-box connectors with other SaaS platforms/applications."
  • "They should just add more and more out-of-the-box connectors. It is quite a new product, and it has a lot of connectors, and even more would be good."
  • "There is a wider thing called Jupyter Notebooks, which is around the automation side of things. It would be good if there are playbooks that you can utilize without having to have the developer experience to do it in-house. Microsoft could provide more playbooks or more Jupyter Notebooks around MITRE ATT&CK Framework."

What is our primary use case?

Security incident and event management. Threat detection and automated response.

It is a software as a service from Microsoft.

How has it helped my organization?

Reduced mean time to detect and resolve

Quickly able to cover a majority of MITRE ATT&CK techniques

Free to ingest Azure logs with E5 license

What is most valuable?

Free ingestion for Azure logs (with E5 licence)

It is easy to implement (turn on) - does need a skilled analyst to develop queries and playbooks.

It has basic out-of-the-box integrations with multiple log sources.

What needs improvement?

Add more out-of-the-box connectors with other SaaS platforms/applications.

For how long have I used the solution?

12 months

What do I think about the stability of the solution?

No stability issues encountered.

What do I think about the scalability of the solution?

It is scalable as a SaaS offering, but there is a consumption cost to consider.

Cybersecurity team uses this on a daily basis.

How are customer service and technical support?

We work together very well with local MS Team.

How was the initial setup?

The initial setup was simple. All that was needed was to put agents onto our infrastructure.

Integration more complex for non-MS SaaS and OS, but do-able using middleware.

What about the implementation team?

It was done in-house.

It is an evergreen service.

What was our ROI?

What is the cost of lack of visibility? Average cost of breach = $$$

What's my experience with pricing, setup cost, and licensing?

It is a consumption-based license model, with bands at 100, 200, 400 GB per day, etc. (Azure Sentinel Pricing | Microsoft Azure).

Good monthly operational cost model for the detection and response outcomes delivered, M365 logs don't count toward the limits which is a good benefit.

Which other solutions did I evaluate?

Others were considered however being an E5 M365 and Azure user this was by far the preferred solution.

What other advice do I have?

It is fairly new but making a charge up the market analyses. Should be considered if you have an E5 licence due to native and 'free' ingestion of M365 logs.

We haven't used all of its capability yet because we haven't had the time yet to implement it all, and it appears that the MS roadmap for Sentinel is being actively invested in.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Chief Commercial Officer at defend
Real User
Managing operations with a unified security pane while benefiting from cost efficiency
Pros and Cons
  • "Microsoft Sentinel has improved cost efficiency, which is one of the key areas we're able to win business against the ability to have threat intelligence."
  • "It's a great product."
  • "It would be nice to be able to leverage more AI to handle more data and recovery aspects in the future."

What is our primary use case?

Our use case for Microsoft Sentinel is having a more holistic view by having all security events in one place.

How has it helped my organization?

We were likely the first partner in New Zealand. We've been able to manage the path forward early on and have helped small businesses adopt a really scalable solution.

It's one of the key areas we've focused on. We love the ability of having reliable threat intelligence.

What is most valuable?

Microsoft Sentinel's ability to integrate with other Microsoft products has been beneficial to our team's operations. We like the best of ecosystem versus the best of breed approach. We can have everyone have the same skillsets and not have individuals specialized. It's much more holistic. 

The threat detection has been useful. We like having everything managed by one solution. It simplifies everything. 

The automation feature helps with efficiency, specifically around security. 

It has good integration with other security features. It's a great product. The ease of use and ease of management are great. 

It's allowing us to have one Microsoft security pane of glass.

Microsoft Sentinel has improved cost efficiency, which is one of the key areas we're able to win business against the ability to have threat intelligence.

What needs improvement?

To improve Microsoft Sentinel specifically, giving us different functionality to handle tasks would be really amazing. I don't have any issues with what's currently available.

It would be nice to be able to leverage more AI to handle more data and recovery aspects in the future. 

For how long have I used the solution?

I've used the solution for the last five years. 

What do I think about the stability of the solution?

Regarding the stability of Microsoft Sentinel, there haven't been any significant issues. There may have been one or two minor incidents over time, yet nothing substantial.

What do I think about the scalability of the solution?

The scalability is very good. Our largest customer has 55,000 seats. Others have 100 to 200 seats. 

How are customer service and support?

We've had a good experience with Microsoft support.

Which solution did I use previously and why did I switch?

We decided early on we weren't going to partner with a lot of vendors. We liked what Microsoft was going to do with a best-of-ecosystem approach instead of best of breed. 

How was the initial setup?

The initial setup is pretty easy. 

What was our ROI?

I have definitely seen a return on investment in the past five years. We attribute our growth to Sentinel. It became a product that everyone suddenly wanted. 

What's my experience with pricing, setup cost, and licensing?

My experience with the pricing setup has been positive.

Which other solutions did I evaluate?

There were a couple of other products available, however, we were quite certain we were going to go with Microsoft Sentinel.

What other advice do I have?

The reason why having a best-of-ecosystem is crucial for our customers is that it eliminates the need to set up multiple different products, so it was really attractive to have everything in one place.

I'd rate the solution ten out of ten. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Victor Obahor - PeerSpot reviewer
Cyber Security Specialist at TechForce Cyber
Real User
Top 5
Cloud-based solution streamlines incident response with powerful query language
Pros and Cons
  • "The query language of Microsoft Sentinel is easy to understand and use."
  • "The pricing could be improved."

What is our primary use case?

The primary use case of Microsoft Sentinel is for user and entity behaviors, detecting unauthorized access to services, identifying malicious IP addresses, and preventing brute force attacks on services. These are generic security use cases.

How has it helped my organization?

The AI-driven analytics of Microsoft Sentinel have significantly improved our customers' incident detection and response. It reduces the workload and decreases the number of tickets and incidents to triage.

What is most valuable?

The query language of Microsoft Sentinel is easy to understand and use. It allows querying across numerous agents quickly and efficiently. Being cloud-based, it does not require much hardware to utilize.

What needs improvement?

While I have not used Microsoft Sentinel extensively to suggest specific improvements, there is always room for improvement. The pricing could be improved, as it is considered quite expensive, especially considering the costs for workspace, Sentinel, and storage.

For how long have I used the solution?

I have been working with Microsoft Sentinel for a good three years.

What do I think about the stability of the solution?

The stability of Microsoft Sentinel is rated ten out of ten. It is considered highly stable.

What do I think about the scalability of the solution?

Microsoft Sentinel is very scalable because it is a cloud service and does not rely on our own resources. It depends on the payment capacity, however, it is considered very scalable overall.

How are customer service and support?

The customer service and support for Microsoft Sentinel are quite good. They provide numerous articles and training materials and are quick to respond, usually within an SLA of two to three hours.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup of Microsoft Sentinel can be challenging, with a learning curve. Configuring a workspace and adding connectors can be complex, especially for those not familiar with Azure or Microsoft. I would rate the setup around five or six out of ten.

What's my experience with pricing, setup cost, and licensing?

The pricing of Microsoft Sentinel is considered expensive, particularly due to the cloud-related costs for workspace, Sentinel, and storage.

What other advice do I have?

I am still quite new to Microsoft Sentinel, so I can't provide specific advice or recommendations. It is a good product with capabilities that might not be found in other SIEM solutions.

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: consultant
CS engineer at AYACOM
Real User
Comes with the SOAR capability, integrates with Azure AD and other Microsoft solutions, and is easy to deploy
Pros and Cons
  • "The best functionality that you can get from Azure Sentinel is the SOAR capability. So, you can estimate any type of activity, such as when an alert was triggered or an incident was found."
  • "It would be good to have some connectors for third-party SIEM solutions. Many customers are struggling with the integration of Azure Sentinel with their on-premise SIEM. Microsoft is changing the log structure many times a year, which can corrupt a custom integration. It would be good to have some connectors developed by Microsoft or supply vendors, but they are not providing such functionality or tools."

What is our primary use case?

We are using mixed solutions. We are currently working with IBM solutions and Azure system services. We are using two SIEM solutions: Azure Sentinel and QRadar. Azure Sentinel is covering our cloud-based solutions, and QRadar is covering our on-premise solutions.

What is most valuable?

The best functionality that you can get from Azure Sentinel is the SOAR capability. So, you can estimate any type of activity, such as when an alert was triggered or an incident was found.

It integrates with Azure AD, Power BI, and other Microsoft solutions. It is very good in our view.

What needs improvement?

It would be good to have some connectors for third-party SIEM solutions. Many customers are struggling with the integration of Azure Sentinel with their on-premise SIEM. Microsoft is changing the log structure many times a year, which can corrupt a custom integration. It would be good to have some connectors developed by Microsoft or supply vendors, but they are not providing such functionality or tools.

It can be expensive for customers. Currently, we are not using Sentinel to collect logs from on-premise devices. The main reason for that is the budget because you need to pay for the internet traffic. You also need to calculate how much you can upload to the Azure site. 

For how long have I used the solution?

I have been using this solution for one year.

What do I think about the stability of the solution?

It is stable, but it is also related to your country. I'm working in Kazakhstan, and sometimes, we have some problems with the internet connection at the government level. Sometimes, for some reason, which could also be political, they disable the internet connection, and we lose the connection to the Azure environment. It might be good for our country to have a private link to the Azure cloud environment to avoid such cases.

How are customer service and support?

We have a lot of Microsoft partners who are helping us. Therefore, support is not a problem for us.

Which solution did I use previously and why did I switch?

We have QRadar for our on-premise solutions. QRadar has a lot of connectors out of the box. It has a lot of predefined and pre-deployed connectors that you can use. 

QRadar also has a lot of good correlation rules. From a customer's point of view, it is one of the best solutions because you don't need to create correlation rules from scratch. You just review them and customize them as you want.

QRadar supports using SQL queries. Sentinel uses KQL, but you need to learn it from scratch.

QRadar doesn't have a SOAR system by default. You need to purchase it additionally, which is the main problem with QRadar.

How was the initial setup?

It was easy.

What about the implementation team?

We had some introduction to the system from a Microsoft Partner, but most of the analytics and playbooks were created by us.

What's my experience with pricing, setup cost, and licensing?

For us, it is not expensive at this time, but if we start to collect all logs from our on-premise SIEM solutions, it will cost more than QRadar. If we calculate its cost over the next five or ten years, it will cost more than what we paid for QRadar.

What other advice do I have?

Microsoft is proposing an identity management solution for Azure Active Directory systems and the Azure Cloud system, but we need an on-premise solution that can help us achieve the same with, for example, IBM. I know that Microsoft has a cloud-based solution, and previously, Microsoft provided an on-premise solution, but it is deprecated or no longer supported. It will be good to have such a service on-premises.

I would rate it an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
reviewer1655235 - PeerSpot reviewer
Director - Technology Risk & Cyber at a financial services firm with 10,001+ employees
Real User
Efficient and helpful for identifying the security issues and responding quickly, but lacks simple documentation and specific training
Pros and Cons
  • "It is quite efficient. It helps our clients in identifying their security issues and respond quickly. Our clients want to automate incident response and all those things."
  • "Its documentation is not so simple. It is easy for somebody who is Microsoft certified or more closely attached to Microsoft solutions. It is not easy for those who are working on open-source platforms. There isn't a central point where everything is documented, and there is no specific training or certification."

What is our primary use case?

We internally do not use this solution. We provide advisory for Azure Sentinel because we are Microsoft's partner.

Our clients use it for Security Operations Centers. Some of the clients wish to build a Security Operation Center. They want to perform threat analysis and see that the environment is secure and monitor it. That's why we deploy SIEM solutions.

In terms of deployment, what we see here in Asia, specifically in Malaysia, are hybrid and public cloud deployments.

How has it helped my organization?

It helps our clients in enhancing their security. 

What is most valuable?

It is quite efficient. It helps our clients in identifying their security issues and respond quickly. Our clients want to automate incident response and all those things.

What needs improvement?

Its documentation is not so simple. It is easy for somebody who is Microsoft certified or more closely attached to Microsoft solutions. It is not easy for those who are working on open-source platforms. There isn't a central point where everything is documented, and there is no specific training or certification.

For how long have I used the solution?

It has been almost three years.

What do I think about the stability of the solution?

It is stable. Those who have adopted it are okay with it.

What do I think about the scalability of the solution?

It is a cloud solution, so it is scalable.

How are customer service and support?

Most of us know how Microsoft operates. They are quite good at that.

How was the initial setup?

Its setup is of moderate complexity for me, but I have heard it is complex for others because of the query language and other things.

There is documentation, but I don't think Microsoft is providing a central point where everything is documented. In fact, there is no specific training or certification. There is Microsoft Secure training, but it is not so dedicated. All these things make it moderate.

What's my experience with pricing, setup cost, and licensing?

I have had mixed feedback. At one point, I heard a client say that it sometimes seems more expensive. Most of the clients are on Office 365 or M365, and they are forced to take Azure SIEM because of the integration.

What other advice do I have?

We see that a lot of clients are trying to explore more apart from Azure. Some of the clients are interested in Splunk. Some of the clients are interested in seeing what's available from AWS. This year is quite different in Malaysia because the government has opened up the adoption of public cloud in all sectors, especially in the financial sector. So, we are seeing new requirements coming up. 

I would rate Azure Sentinel a seven out of 10.

Disclosure: My company has a business relationship with this vendor other than being a customer: partner
KarimMabrouk - PeerSpot reviewer
System Engineer at Metsys
Real User
Enables us to protect the entire environment because it's based on machine learning
Pros and Cons
  • "The most valuable features are its threat handling and detection. It's a powerful tool because it's based on machine learning and on the behavior of malware."

What is our primary use case?

We use it to protect our Office 365 environment. We can also deploy it for the entire infrastructure, including on-premises, firewalls, and also users' devices.

I'm a partner with many customers using Sentinel. Some are small companies but I also have many banks that have implemented the solution.

How has it helped my organization?

It has helped to improve security posture because it's based on machine learning. You can protect the whole environment. While other solutions are based on rules, and you have to put rules in place to protect things, Sentinel is smarter because of the machine learning.

For example, one of my customers is a bank that was attacked by ransomware. They were using Symantec and it could not detect the attack. When we put in Sentinel, within 15 minutes it detected the malware and stopped the attack.

What is most valuable?

The most valuable features are its threat handling and detection. It's a powerful tool because it's based on machine learning and on the behavior of malware.

For how long have I used the solution?

I have been using Microsoft Sentinel for one and a half years.

What do I think about the stability of the solution?

It's a stable solution.

What do I think about the scalability of the solution?

It's a cloud solution so Microsoft handles the scaling. We haven't had a problem with performance because Microsoft is in charge. It's done automatically.

How are customer service and support?

It's definitely the best technical support. When you open a new ticket you get a response within a maximum of one hour. You can open a case with Microsoft 24/7.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I used QRadar. I switched because QRadar is not smart and there was too much manual work.

How was the initial setup?

It's easy to implement and not very hard to put it into production.

The deployment time depends on the customer's needs. It can be deployed in one hour. But if they have many end users and many servers, it can take one week. After that, you have to wait for the machine learning to learn the environment and start the detection.

The implementation strategy also depends on the environment. If it is an Office 365 environment, we can start by protecting email, the shares, and the docs. After that, we can move to the end-user machines. But it depends on the project.

Deployment and maintenance requires a maximum of three people. One would be an admin, one would be a security leader to maintain the solution, and the third would be a project manager. It also depends on the project, but in general, there will be two or three people involved.

What's my experience with pricing, setup cost, and licensing?

It is certainly the most expensive solution. The cost is very high. We need to do an assessment using the one-month trial so that we can study the cost side. Before implementing it, we must do a careful calculation.

Something that could be improved is the documentation of the cost because there is none. All the other features are documented, but the pricing is not very clear.

The Office 365 connectors to Sentinel are free, as is the support.

Which other solutions did I evaluate?

Sentinel is generally the last option we go with because of the cost. Customers have their solutions but they contact us and say, "Okay, we have our solution but it's not smart. Can we move to Sentinel?"

What other advice do I have?

I recommend implementing Sentinel because it's certainly the most powerful SIEM tool. It detects all malware based on the behavior of many things, including the files and anomalies. It detects things automatically.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner