Microsoft Sentinel Reviews

We are using mixed solutions. We are currently working with IBM solutions and Azure system services. We are using two SIEM solutions: Azure Sentinel and QRadar. Azure Sentinel is covering our cloud-based solutions, and QRadar is covering our on-premise solutions.

The best functionality that you can get from Azure Sentinel is the SOAR capability. So, you can estimate any type of activity, such as when an alert was triggered or an incident was found.

It integrates with Azure AD, Power BI, and other Microsoft solutions. It is very good in our view.

It would be good to have some connectors for third-party SIEM solutions. Many customers are struggling with the integration of Azure Sentinel with their on-premise SIEM. Microsoft is changing the log structure many times a year, which can corrupt a custom integration. It would be good to have some connectors developed by Microsoft or supply vendors, but they are not providing such functionality or tools.

It can be expensive for customers. Currently, we are not using Sentinel to collect logs from on-premise devices. The main reason for that is the budget because you need to pay for the internet traffic. You also need to calculate how much you can upload to the Azure site. 

I have been using this solution for one year.

It is stable, but it is also related to your country. I'm working in Kazakhstan, and sometimes, we have some problems with the internet connection at the government level. Sometimes, for some reason, which could also be political, they disable the internet connection, and we lose the connection to the Azure environment. It might be good for our country to have a private link to the Azure cloud environment to avoid such cases.

We have a lot of Microsoft partners who are helping us. Therefore, support is not a problem for us.

We have QRadar for our on-premise solutions. QRadar has a lot of connectors out of the box. It has a lot of predefined and pre-deployed connectors that you can use. 

QRadar also has a lot of good correlation rules. From a customer's point of view, it is one of the best solutions because you don't need to create correlation rules from scratch. You just review them and customize them as you want.

QRadar supports using SQL queries. Sentinel uses KQL, but you need to learn it from scratch.

QRadar doesn't have a SOAR system by default. You need to purchase it additionally, which is the main problem with QRadar.

It was easy.

We had some introduction to the system from a Microsoft Partner, but most of the analytics and playbooks were created by us.

For us, it is not expensive at this time, but if we start to collect all logs from our on-premise SIEM solutions, it will cost more than QRadar. If we calculate its cost over the next five or ten years, it will cost more than what we paid for QRadar.

Microsoft is proposing an identity management solution for Azure Active Directory systems and the Azure Cloud system, but we need an on-premise solution that can help us achieve the same with, for example, IBM. I know that Microsoft has a cloud-based solution, and previously, Microsoft provided an on-premise solution, but it is deprecated or no longer supported. It will be good to have such a service on-premises.

I would rate it an eight out of ten.

We internally do not use this solution. We provide advisory for Azure Sentinel because we are Microsoft's partner.

Our clients use it for Security Operations Centers. Some of the clients wish to build a Security Operation Center. They want to perform threat analysis and see that the environment is secure and monitor it. That's why we deploy SIEM solutions.

In terms of deployment, what we see here in Asia, specifically in Malaysia, are hybrid and public cloud deployments.

It helps our clients in enhancing their security. 

It is quite efficient. It helps our clients in identifying their security issues and respond quickly. Our clients want to automate incident response and all those things.

Its documentation is not so simple. It is easy for somebody who is Microsoft certified or more closely attached to Microsoft solutions. It is not easy for those who are working on open-source platforms. There isn't a central point where everything is documented, and there is no specific training or certification.

It has been almost three years.

It is stable. Those who have adopted it are okay with it.

It is a cloud solution, so it is scalable.

Most of us know how Microsoft operates. They are quite good at that.

Its setup is of moderate complexity for me, but I have heard it is complex for others because of the query language and other things.

There is documentation, but I don't think Microsoft is providing a central point where everything is documented. In fact, there is no specific training or certification. There is Microsoft Secure training, but it is not so dedicated. All these things make it moderate.

I have had mixed feedback. At one point, I heard a client say that it sometimes seems more expensive. Most of the clients are on Office 365 or M365, and they are forced to take Azure SIEM because of the integration.

We see that a lot of clients are trying to explore more apart from Azure. Some of the clients are interested in Splunk. Some of the clients are interested in seeing what's available from AWS. This year is quite different in Malaysia because the government has opened up the adoption of public cloud in all sectors, especially in the financial sector. So, we are seeing new requirements coming up. 

I would rate Azure Sentinel a seven out of 10.

We use it to protect our Office 365 environment. We can also deploy it for the entire infrastructure, including on-premises, firewalls, and also users' devices.

I'm a partner with many customers using Sentinel. Some are small companies but I also have many banks that have implemented the solution.

It has helped to improve security posture because it's based on machine learning. You can protect the whole environment. While other solutions are based on rules, and you have to put rules in place to protect things, Sentinel is smarter because of the machine learning.

For example, one of my customers is a bank that was attacked by ransomware. They were using Symantec and it could not detect the attack. When we put in Sentinel, within 15 minutes it detected the malware and stopped the attack.

The most valuable features are its threat handling and detection. It's a powerful tool because it's based on machine learning and on the behavior of malware.

I have been using Microsoft Sentinel for one and a half years.

It's a stable solution.

It's a cloud solution so Microsoft handles the scaling. We haven't had a problem with performance because Microsoft is in charge. It's done automatically.

It's definitely the best technical support. When you open a new ticket you get a response within a maximum of one hour. You can open a case with Microsoft 24/7.

Positive

I used QRadar. I switched because QRadar is not smart and there was too much manual work.

It's easy to implement and not very hard to put it into production.

The deployment time depends on the customer's needs. It can be deployed in one hour. But if they have many end users and many servers, it can take one week. After that, you have to wait for the machine learning to learn the environment and start the detection.

The implementation strategy also depends on the environment. If it is an Office 365 environment, we can start by protecting email, the shares, and the docs. After that, we can move to the end-user machines. But it depends on the project.

Deployment and maintenance requires a maximum of three people. One would be an admin, one would be a security leader to maintain the solution, and the third would be a project manager. It also depends on the project, but in general, there will be two or three people involved.

It is certainly the most expensive solution. The cost is very high. We need to do an assessment using the one-month trial so that we can study the cost side. Before implementing it, we must do a careful calculation.

Something that could be improved is the documentation of the cost because there is none. All the other features are documented, but the pricing is not very clear.

The Office 365 connectors to Sentinel are free, as is the support.

Sentinel is generally the last option we go with because of the cost. Customers have their solutions but they contact us and say, "Okay, we have our solution but it's not smart. Can we move to Sentinel?"

I recommend implementing Sentinel because it's certainly the most powerful SIEM tool. It detects all malware based on the behavior of many things, including the files and anomalies. It detects things automatically.

We use Microsoft Sentinel for providing managed services and for security use cases, which include detecting anomalies or security events and collecting security events from various data sources.

What is most useful, is that it has a good connection to the Microsoft ecosystem, and I think that's the key part. If you are running the Microsoft ecosystem, you are running Azure and Microsoft 365 and have all of the security providers in that environment, for example, the E5 license, then Sentinel can easily collect those events and handle them within the same Azure environment. That, I believe, is the key point here.

Multi-tenancy, in my opinion, needs to be improved. I believe it can do better as a managed service provider.

It's a fairly mature product now.

Pricing could also improve, it's a bit expensive.

I have been working with Microsoft Sentinel for approximately two years.

There are private tenants, but it is deployed in a public Cloud.

Microsoft Sentinel is a stable solution.

Microsoft Sentinel is scalable. As it is in the cloud, you simply pay more. It's expensive, but it's very easy to scale.

We haven't used Microsoft's technical support. We rely on the online knowledge base. Essentially, the entire internet is based on the information they have. As a result, we have never contacted technical support. It hasn't been required. I suppose it's fine. We didn't use technical support in that sense. I would say that it's good.

I am familiar with SIEM. 

We run several CM systems as well as a security operation center.

I have worked with Microsoft, IBM, and McAfee. McAfee has an older CM, and we use Elastic as well.

Within the same cloud environment, it is very simple to set up and begin collecting data.

Microsoft Sentinel is expensive.

If you have the funds, I would recommend it. I think the pricing is important; it's quite expensive, but if you have that, I think I would recommend it. The advice is to think carefully about what data you send to the platform because it is costly. The price is data-driven, so make sure you know how much data you will send and that you only send what is required. That, I believe, is the key point.

We are Microsoft partners.

I would rate Microsoft Sentinel a seven out of ten.

We actually use it for queuing logs and checking log systems that we have downloading from other devices to see if there are any issues. For example, if we get an alert, then we triage it and query the logs and the devices that we're looking for.

Microsoft Sentinel has greatly increased our security. We can quickly complete our investigation by using Sentinel and get to the results and escalation points.

The log query feature has been the most valuable because it's very good. You can put your data on the cloud and run queues from Sentinel. It will do it all very fast. I love that I don't have to upload it to an Excel file and then manually look for a piece of information. Sentinel is much faster and is good for big databases.

Microsoft Sentinel is able to figure out what type of attack is occurring. It will tell you whether it is a DDoS attack, whether someone's trying to scam the site, or if someone is doing a group force attack. That is, Microsoft Sentinel will actually tell you what it is based on the type of activities it's seeing on the web server. It's a smart tool.

If I'm typing queries, it knows what I'm looking for.

If I can use Sentinel offline at home and use it on a local network, it would be great. I'm not sure if I can use Sentinel offline versus the tools I have.

I just started using Microsoft Sentinel and have used it for two months.

As for availability, I haven't seen any downtime or any issues with the services yet. The stability looks like it's 99.9% and is great.

I believe that Sentinel is good at scaling up their database or services. We are a large company with big data and have thousands of users.

I have used Splunk, which has similar log type of queries. I feel that Sentinel is smarter. It is able to detect what type of attacks are occurring, unlike Splunk, which is just a query log tool.

There's Elastic ELK, which is similar to Splunk, but it isn't a smart tool like Sentinel is. 

Sentinel is at the top of the tools that I've used so far in terms of smart tools.

Pricing is pay-as-you-go with Sentinel, which is good because it all depends on the number of users and the number of devices to which you connect.

If you're using the cloud and Azure, I would really recommend Sentinel as it will keep making sure that the devices that you have in your environment are safe. Sentinel is very smart at detecting what type of attack is occurring and is actually able to detect and tell us the type of hash file. It is is able to go on the internet, look at the virus total, and see if this is a virus, scam, or phishing. I like how it's able to detect it and how we can make it learn what type of spam or email issue query it is. So, it's a very adaptive type of tool.

I would rate Microsoft Sentinel at ten on a scale from one to ten.

Our clients use it for just an overall health check and security check for their deployments, whether it's on-prem or in Azure. Azure Sentinel basically collects the data from any kind of endpoint or server that is enrolled in the service, irrespective of whether they are on-prem or in the cloud. It can be laptop servers, virtual machines. It is a cloud solution, but it does extend to on-prem deployment.

I have been using the most up-to-date version. 

One of the most valuable features is that it creates a kind of a single pane of glass for organizations that already use Microsoft software. So, when they have things like Microsoft 365, it is very easy for them to kind of plug in or enroll those endpoints into the Azure Sentinel service.

I can't think of anything other than just getting the name out there. I think a lot of customers don't fully understand the full capabilities of Azure Sentinel yet. It is kind of like when they're first starting to use Azure, it might not be something they first think about. So, they should just kind of get to the point where it is more widely used.

I have been using Azure Sentinel since it came out, so it has been at least a couple of years.

It is very stable. It has been around for a while, and it is a Microsoft product. So, it is pretty secure and pretty stable.

Like all Azure services, it is definitely very scalable. You can very easily and very quickly enroll devices and other data points into Azure. 

Microsoft tech support is pretty good when it comes to Azure. It is really easy to open a ticket because you can do that right through the Azure portal. In addition, my company and other companies that kind of resell Azure services, oftentimes have our own help desk included with the consumption of Azure services. So, we have a 24/7 help desk that works on top of that. There are many managed services partners, like my company, that provide additional services in tech support on top of what Microsoft already has.

It is very straightforward.

It is kind of like a sliding scale. There are different tiers of pricing that go from $100 per day up to $3,500 per day. So, it just kind of depends on how much data is being stored. There can be additional costs to the standard license other than the additional data. It just kind of depends on what other services you're spinning up in Azure, or if you're using something like Azure log analytics.

For any customers who are either looking at Azure or already have Azure or Microsoft 365, this is a great service to look at because it does provide an additional layer of protection and security for all of their data points, whether they are on-prem or in the cloud.

I would rate Azure Sentinel a nine out of 10.

We primarily use many Microsoft products, including Microsoft 365 with a focus on the security aspect. We have Defender for endpoints and Defender for servers. We also use Azure Sentinel with these.

This product has improved the way our organization functions. I won't be able to provide exact metrics as I don't directly work with metrics, however, from an improvement perspective, it is just a more streamlined deployment. 

We also use Intune as part of the MDM. If there are any agents that need to be deployed, then we can use that or we can just configure Windows from MDM directly. A lot of things can be just set up out-of-the-box and are ready to go and it sends logs right to Azure Sentinel. Therefore, while I don't have hard numbers, it's definitely made deployments easier and is much less time-intensive for our organization.

Coming from other SIEM solutions, Sentinel seems to be pretty good. 

It's pretty powerful and its performance is good.

The most powerful aspect is the whole integration with the Microsoft ecosystem. If you have the Microsoft 365 subscription, E5, then it integrates pretty seamlessly with everything you're trying to do. 

You obviously have connectors with other third-party, non-Microsoft stuff as well. They have pretty good integration with those. 

Azure Sentinel has a lot of built-in analytics rules, that help us get started in terms of triggering anomalous activity. In terms of performance, they're pretty fast. I've used QRadar and Splunk. Compared to Azure Sentinel those are pretty slow. Some searches in Sentinel are pretty instantaneous. For bigger searches, it's a very noticeable and impressive turnaround.

There are a lot of features that I don't touch just because I'm in the SOC. That said, I know customers have deployed different items that are quite useful. 

The end-user experience is good. It's just pretty seamless. When I was onboarded, it was just a simple download and then a sign-in to my account. It'll basically configure everything for you and download the necessary stuff that the company has defined - including Defender, et cetera. 

Microsoft needs to stop renaming their stuff. A lot of their products are very confusing due to the names they choose. The first time I heard of Defender I assumed it's just their antivirus, anti-malware, or a package that covers those things. However, there's Defender, Windows Defender, and then there's Defender for Endpoint, and there's also Defender for servers, et cetera. That really needs to be streamlined. As far as Defender's concerned, they want just a protective device. The differences are confusing.

Maybe it's a transitional choice, however, they've been doing a lot of migrations to a new portal in the security center or office privacy center. There's a bunch of portals where some things are repeated or duplicated. You have the same features in the portals, yet, in some cases, there are some things that you have to go to one portal and not the other, as it hasn't been migrated or the feature is just not there.

If their UI was a bit more streamlined and easy to find when I need it, then that would be a great improvement.

I've been using the solution for one year.

The stability is pretty good. However, there is one flaw. We did have an issue where Microsoft had some issues with some components that caused issues with their cloud. It might have been an authentication issue or something like that, however, it basically took down everything. We weren't able to work. While integration is good if something comes from one vendor and if that vendor goes down, then everyone is pretty unhappy.

While at my previous organization we had about 50 or 60 users, as a small company, we had customers that could have users in the thousands.

I didn't notice any scalability issues, and therefore I assume it's quite good. With respect to Azure Sentinel, I've never had an issue.

As far as I know, we're using pretty much everything that Microsoft has from a security perspective. I don't know how we can expand anymore.

I've never had to call technical support or reach out to technical support, therefore, I can't speak to how they operate.

I've previously used SentinelOne for endpoints and antimalware, et cetera, and Splunk for the SIEM.

I was specifically working in SOC; I was more responsible for the day-to-day operations. Unfortunately, I cannot speak to the deployment so much. I would not have information on the implementation strategy, for example.

We handled the deployment internally.

I was in the SOC. I don't deal directly with that pricing. They do have multiple licensing levels. It's just about knowing what you need. One good thing about Microsoft is that they do have quite a few options depending on your needs. That said, sometimes it could be hard to pick because there are so many. 

As an organization, you need to understand the company's needs. For example, if you don't have a security team to look at your alerts or to set up all the stuff, then you probably don't need some of their most expensive services. You need to purchase the subscriptions accordingly if you're able to leverage them.

They have premium and enterprise subscription levels. I don't know what the standard would be. They have E3 and E5 level licensing. I don't know off the top of my head the differences, however, E5 likely has more security features. Companies need to be aware of all the differences.

I was not part of any evaluation process. I came to the company afterward. 

I'm not sure which version of the solution we're on. We have another team that does the deployment and they would take care of the versioning, et cetera, however, we usually run the latest.

Microsoft makes Windows. They know their stuff. Having everything streamlined can be time-saving. It's good to have an integrated system rather than using something else. You don't need to jump through a lot of hoops or install additional software in order to get everything up and running.

I'd rate the solution at an eight out of ten.

For users that have been observing some malicious actions with their product and getting malicious mail, Azure Sentinel allows them to create a rule, which will show who exactly among their users is exposed to phishing attacks so that they can make some mitigation on that particular account.

There are about five people using this solution in my organization.

It helps to implement connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, and Microsoft 365 sources, including Office 365, Azure AD, Microsoft Defender for Identity (formerly Azure ATP), and Microsoft Defender for Cloud Apps, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions

The most valuable feature is the onboarding of the workloads. You can see all that has been onboarded in your account on the dashboards.

It has been a challenge with Azure Sentinel to onboard the Syslog server from FortiGate. Azure Sentinel can work better on that shift between the Syslog server and a firewall.

I have been using this solution for three years.

It's quite stable compared to other automation SIEM and SOAR solutions.

It's very scalable.

Technical support is good. Microsoft has engineers that are readily available to help you with a challenge.

Initial setup was user friendly. I would rate it a 4 out of 5. 

It's deployed by you onboarding your deliverables on the workload. For example, if you're using Office 365 or another third-party solution, you're going to upload those onto the server and have it protected with your Azure Sentinel.

It will draw logs from those your activities, and then bring it up as a workbook, where you can see into the actions on those programs you have onboarded on the Azure Sentinel.

We use a third-party for implementation.

For ROI, I would rate it 4 out of 5.

It's costly to maintain and renew.

It depends on how you want to pay for the solution. You can pay it on an annual basis or pay as you go, but I feel it's better to just keep it running as a product on your Azure subscription. If you have a $500 subscription, it will take part of your subscription.

I would rate this solution 7 out of 10.