We provide managed security services to customers in Myanmar using Microsoft Sentinel as a cloud media SIEM. Most of the use cases involve retention, and we use all the features of Microsoft Sentinel. We also use other Microsoft security products like Defender for Endpoint, and most of them are integrated with Sentinel.
Senior Sec Engineer at a tech services company with 51-200 employees
It gives us the flexibility to choose the kind of infrastructure based on each client's needs
Pros and Cons
- "Native integration with Microsoft security products or other Microsoft software is also crucial. For example, we can integrate Sentinel with Office 365 with one click. Other integrations aren't as easy. Sometimes, we have to do it manually."
- "Sometimes, it is hard for us to estimate the costs of Microsoft Sentinel."
What is our primary use case?
How has it helped my organization?
Microsoft Sentinel is a cloud-native SIEM solution, so it helped us reduce our infrastructure costs and deliver better services to our customers. We don't need to pay upfront costs because it is in the cloud. We used an open-source SIEM solution before implementing Microsoft Sentinel, but that wasn't satisfactory for our customers. Sentinel helped us provide more robust managed security services to our customers.
It consolidated multiple dashboards into one and helped us be more proactive. However, our team is still trying to mature to a level that we can adopt a more preventative approach to security. Sentinel significantly reduced our detection time. Without Microsoft Sentinel, our SOC analyst might take 30 minutes to an hour to detect an issue, but now it's practically in real-time.
What is most valuable?
The biggest advantage of Sentinel is scalability. In addition, we don't need to worry about paying for infrastructure costs upfront. It gives us the flexibility to choose the kind of infrastructure based on each client's needs. Sentinel is also much simpler than other SIEM solutions. The UI is smoother and easier to use.
Native integration with Microsoft security products or other Microsoft software is also crucial. For example, we can integrate Sentinel with Office 365 with one click. Other integrations aren't as easy. Sometimes, we have to do it manually.
The bi-directional sync is helpful. For example, we have one client using our managed security service, but they don't want to use Microsoft Sentinel. If those products are not syncing or if the solution is not bi-directional, some alerts may be missed. It's essential for both portals and the two folders to be in the same channel it's pushing. The UEBA features are also perfect. We don't see the same caliber of user behavior analytics in other SIEM. Microsoft's UEBA is great for our SOC analysts.
What needs improvement?
Microsoft threat intelligence and UEBA still have some room for improvement. There are currently only two connectors available for Microsoft threat intelligence. the threat intelligence platform and the FTIA commander.
Sentinel should offer another option for a third-party threat intelligence platform. There are lots of open-source threat intelligence solutions available.
Threat handling could be great for our team and for our SOC analyst, but some are unusable depending on our SOC analytics.
Sentinel can ingest data from most of our ecosystem, but some data cannot be called up. For example, if an SAP product is hosted, it will do a specific version, but it cannot be called back to Sentinel. It cannot be directly connected to Sentinel.
Buyer's Guide
Microsoft Sentinel
November 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,192 professionals have used our research since 2012.
For how long have I used the solution?
Our team has been using Microsoft Sentinel for about two and a half years.
How are customer service and support?
I rate Microsoft support a seven out of ten. They take too long to respond, but sometimes they are great.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We previously had an open-source SIEM, but it lacked the detection and automation capabilities of Sentinel.
How was the initial setup?
The initial deployment was straightforward but configuring integration for some of our projects was challenging because there are few connectors for solutions like Cisco. I rate Sentinel a five out of ten for ease of setup.
What about the implementation team?
We performed our integration in-house, but sometimes we get support from Microsoft.
What's my experience with pricing, setup cost, and licensing?
Sometimes, it is hard for us to estimate the costs of Microsoft Sentinel.
What other advice do I have?
I rate Microsoft Sentinel a nine out of ten. I recommend it, but it takes time to evaluate because Sentinel is unlike other cloud solutions.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
SOC Principal Architect at Tieto Estonia
Goon online documentation, and easy to install but the price could be lower
Pros and Cons
- "What is most useful, is that it has a good connection to the Microsoft ecosystem, and I think that's the key part."
- "Multi-tenancy, in my opinion, needs to be improved. I believe it can do better as a managed service provider."
What is our primary use case?
We use Microsoft Sentinel for providing managed services and for security use cases, which include detecting anomalies or security events and collecting security events from various data sources.
What is most valuable?
What is most useful, is that it has a good connection to the Microsoft ecosystem, and I think that's the key part. If you are running the Microsoft ecosystem, you are running Azure and Microsoft 365 and have all of the security providers in that environment, for example, the E5 license, then Sentinel can easily collect those events and handle them within the same Azure environment. That, I believe, is the key point here.
What needs improvement?
Multi-tenancy, in my opinion, needs to be improved. I believe it can do better as a managed service provider.
It's a fairly mature product now.
Pricing could also improve, it's a bit expensive.
For how long have I used the solution?
I have been working with Microsoft Sentinel for approximately two years.
There are private tenants, but it is deployed in a public Cloud.
What do I think about the stability of the solution?
Microsoft Sentinel is a stable solution.
What do I think about the scalability of the solution?
Microsoft Sentinel is scalable. As it is in the cloud, you simply pay more. It's expensive, but it's very easy to scale.
How are customer service and support?
We haven't used Microsoft's technical support. We rely on the online knowledge base. Essentially, the entire internet is based on the information they have. As a result, we have never contacted technical support. It hasn't been required. I suppose it's fine. We didn't use technical support in that sense. I would say that it's good.
Which solution did I use previously and why did I switch?
I am familiar with SIEM.
We run several CM systems as well as a security operation center.
I have worked with Microsoft, IBM, and McAfee. McAfee has an older CM, and we use Elastic as well.
How was the initial setup?
Within the same cloud environment, it is very simple to set up and begin collecting data.
What's my experience with pricing, setup cost, and licensing?
Microsoft Sentinel is expensive.
What other advice do I have?
If you have the funds, I would recommend it. I think the pricing is important; it's quite expensive, but if you have that, I think I would recommend it. The advice is to think carefully about what data you send to the platform because it is costly. The price is data-driven, so make sure you know how much data you will send and that you only send what is required. That, I believe, is the key point.
We are Microsoft partners.
I would rate Microsoft Sentinel a seven out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
Buyer's Guide
Microsoft Sentinel
November 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,192 professionals have used our research since 2012.
Cloud and DevOps Architect at a financial services firm with 11-50 employees
Improves our security posture by using automated threat detection, but the learning curve needs to be faster
Pros and Cons
- "Having your logs put all in one place with machine learning working on those logs is a good feature. I don't need to start thinking, "Where are my logs?" My logs are in a centralized repository, like Log Analytics, which is why you can't use Sentinel without Log Analytics. Having all those logs in one place is an advantage."
- "The learning curve could be improved. I am still learning it. We were able to implement the basic features to get them up and running, but there are still so many things that I don't know about all its features. They have a lot of features that we have not been able to use or apply. If they could work on reducing the solution's learning curve, that would be good. While there is a training course held by Microsoft to learn more about this solution, there is a cost associated with it."
What is our primary use case?
On Azure, we have workloads on virtual machines, Kubernetes clusters, and SQL Servers. The way Sentinel works is that logs from our Kubernetes services, virtual machines, and database servers go into what is called Log Analytics on Azure. Log Analytics connects to Azure Sentinel, then all the logs move from the resources to Log Analytics down to Sentinel. Sentinel is configured to do some form of threat detection on these logs. For example, there is a firewall log connected to Log Analytics. Sentinel looks at those firewall logs for repeated IPs that are trying to either do an attack on our system or get access into our system. There is some form of machine learning and AI implemented in it to be able to tell us which particular IP address is trying to do this.
How has it helped my organization?
It is mainly used for securing our platform. As the infrastructure person who works on it, I have some automated ways of seeing threats. We have seen a few possible issues that might come up. So, our customers are safe on some level when we are using Sentinel.
What is most valuable?
It improves our security posture by using automated threat detection.
Having your logs put all in one place with machine learning working on those logs is a good feature. I don't need to start thinking, "Where are my logs?" My logs are in a centralized repository, like Log Analytics, which is why you can't use Sentinel without Log Analytics. Having all those logs in one place is an advantage.
We have not really had any major threats. We have had alarms about four times. In the end, they were false positive alarms. Over time, the machine learning feature understands that something is a false positive, then you don't see them anymore. So, it reduces the number of false positives.
What needs improvement?
The learning curve could be improved. I am still learning it. We were able to implement the basic features to get them up and running, but there are still so many things that I don't know about all its features. They have a lot of features that we have not been able to use or apply. If they could work on reducing the solution's learning curve, that would be good. While there is a training course held by Microsoft to learn more about this solution, there is a cost associated with it.
For how long have I used the solution?
We have been using it in our organization for six months.
What do I think about the stability of the solution?
It is quite stable. It is one of the most mature SIEM solutions that I know.
Currently, I am the person maintaining the solution since we are a startup. However, it probably needs a team of four people to work on it. It needs an infrastructure person to configure it, a security analyst to tell us what they want configured, and a business person to tell us what kind of security targets are needed.
What do I think about the scalability of the solution?
Scalability is good. We are increasing usage for different use cases. For compliance reasons, we will probably expand usage in the future.
Also, there are a lot of features that we have still not tested.
How are customer service and support?
I have not had to use the technical support yet.
Which solution did I use previously and why did I switch?
We were starting from scratch with Azure Sentinel.
We started using it because we were trying to get PCI certified. The updated PCI requirements requested that we have a security information and event management tool. If it wasn't for PCI compliance, then we probably would not have used Sentinel.
How was the initial setup?
The initial setup was complex, not straightforward. Connecting it is easy once you have an Azure resource on the cloud. We also have on-prem resources, but we have not been able to connect those. Trying to create your on-prem resource with Azure Sentinel is not straightforward. I have not seen many implementation videos that I can watch on YouTube to learn how to do it.
It is not just Azure. Other SIEMs solutions are a bit complex when trying to connect them.
Deployment took no more than 10 minutes. Configuring it in our workloads was the major issue, not the deployment. The configuration timeframe depends on the number of resources that you are connected to and your prior knowledge of Sentinel before starting your configuration.
What about the implementation team?
I did the deployment.
What's my experience with pricing, setup cost, and licensing?
From a cost perspective, there are certain Azure resources that we don't need to additionally pay for when using Sentinel.
When we looked at other SIEM tools, they were quite expensive. Sentinel is also expensive for a startup, but we were able to configure it so there are some logs that Azure frees up, like your firewall, Office 365, or Kubernetes logs. From a cost perspective, this works well financially for us.
Sentinel is a bit expensive. If you can figure a way of configuring it to meet your needs, then you can find a way around the cost.
Which other solutions did I evaluate?
We looked at so many tools, like Elastic Search and IBM. We went with Sentinel because the majority of our workloads were on Azure already, so the integration was easier rather than going with something external and integrating it.
What other advice do I have?
If you are purely on Azure, Sentinel is the way to go. Also, it easily works with on-premise workloads from what I have been able to determine. When I look at connectors, it integrates with other cloud providers. I see it integrates with GCP.
I would rate Sentinel as seven out of 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
POD Lead Security at a tech services company with 10,001+ employees
Allows us to investigate and respond to threats holistically from a single platform
Pros and Cons
- "I believe one of the main advantages is Microsoft Sentinel's seamless integration with other Microsoft products."
- "Currently, the watchlist feature is being utilized, and although there have been improvements, it is still not fully optimized."
What is our primary use case?
I work as a security team leader and consultant in the Netherlands. Additionally, I am the main architect for my organization. Our current focus is on building our own Security Operations Center for media entities, and we offer this service to our customers as well. Our solution ensures zero bypasses and integrates the XDR suite of our clients. Therefore, any customer looking for the same solution can benefit from our expertise.
How has it helped my organization?
Microsoft Sentinel has the potential to assist us in prioritizing threats across our entire enterprise. However, its effectiveness relies heavily on the quality of our analytics roles. If we have appropriate alerts in place, we can avoid unnecessary noise. If we can accurately prioritize incidents and assign the appropriate level, it will significantly aid us. Additionally, automation can help analysts make informed decisions by consolidating incidents and alerts.
I have completed many customer integrations. Currently, I am working with one of the largest healthcare retailers and a very large insurance company. They have a variety of other products, such as effective AI, Infoblocks, and Akamai as a last resort. Our goal is to consolidate all the alerts from these products into Sentinel, which sometimes requires processing or editing. We refer to this as social editing, which essentially means fixing issues. Ultimately, our objective is to have a comprehensive overview of everything in a single dashboard.
The effectiveness of the integrated solutions that work together natively varies. At times, a data connector may work well, while at other times, it may not. I have noticed that Sentinel has significant potential for the development of data connectors and passes. This observation is due to one of my customers requiring a considerable amount of additional processing for data connectors, which prompted us to make a request to Microsoft. Currently, we are pleased to see that Microsoft is integrating this functionality. On the other hand, we also have plans to work with a local collector that involves parsing logs and collecting log data using custom parsing services.
The effectiveness of integrated security products in providing comprehensive threat protection is improving. However, there is a risk of overlap in the functionalities of Microsoft's various products, leading to duplicate alerts or unwanted charges. Nonetheless, compliance is improving. Additionally, the endpoint portal is starting to function more like an application portal for multiple products. Using only the Defender portal instead of Sentinel would benefit many customers at present, though additional sources may provide added value. There are also many developments in this area worth exploring.
Microsoft Sentinel has the capability to collect data from our entire ecosystem, but it comes with a cost. As the head of IT, I would have the ability to obtain any sensitive data that I need. If there is a substantial amount of data, I can handle it. However, we need to establish a use case for the data before proceeding, as it could become too expensive for us to handle. Therefore, we will not be ingesting all the data available.
Microsoft Sentinel allows us to investigate and respond to threats holistically from a single platform. This capability is powerful because we can create our own queries, and the language used is user-friendly. However, we must ensure that the data in Sentinel is properly structured. This means ensuring that our timestamps are consistent and accurate and that the quality of our data is high. By doing so, querying becomes easy and effective.
If we have a background in Azure, then it's relatively easy to understand the SOAR capabilities since it's built on Azure foundations and logic apps. This makes it more powerful.
The cost of Microsoft Sentinel is reasonable when compared to other SIEM and SOAR solutions. While the cost of ingestion may be high, the platform offers numerous capabilities for automation, alerting, monitoring, and operations. Therefore, we are receiving good value for our investment, even though it may not be the cheapest option on the market. Microsoft Sentinel's ongoing development of new features justifies the price point. For example, I compared it to a customer who used Splunk last year, and Splunk was more expensive and had fewer features.
Sentinel assists in automating routine tasks and identifying high-value alerts. For instance, we can configure it to automatically detect risks on specific accounts and receive notifications through an automatic inbox. While we exercise caution in implementing automation, we can leverage it during hours when staffing is limited to ensure timely and appropriate actions.
Sentinel's threat intelligence helps us prepare for potential threats and take action before they can impact us. Obtaining threat intelligence feeds from Microsoft would also be beneficial. We may eventually need to acquire an Excel feed, either from Microsoft or another source, but we must ensure that these expenses provide tangible value. I believe that the machine learning used by Microsoft Infusionsoft provides valuable threat intelligence with reliable patterns.
I've noticed that some customers are using on-premises environments such as Oxite for this particular task. However, since we're on a cloud platform, we don't have to handle and operate the systems as much because they are cloud services. This allows us to focus on the platform, the content, and making it work. The integration with Microsoft works well, and we can use similar queries in Sentinel as we do in Defender for Endpoint, which saves us time.
If we compare the current situation to that of five years ago, we can see that every company was spending less on this type of product because the threat wasn't as significant. However, over time, we have witnessed a significant increase in cyberattacks. As a result, every budget has been increased to address this issue. Therefore, in my opinion, Sentinel is not merely saving money; rather, we are utilizing our resources more efficiently.
What is most valuable?
I believe one of the main advantages is Microsoft Sentinel's seamless integration with other Microsoft products. This means that if we need to work with customers who already use the entire defense suite, we can easily collaborate with them. Additionally, the KQL language created is very robust and has a manageable learning curve for those who already have some experience. Furthermore, we can use KQL in other Microsoft platforms, making it a versatile tool. The AI aspect is also noteworthy, as it utilizes existing resources in Azure. For instance, if we have previous experience building Azure functions or using wireless technology, we can incorporate these skills into our playbook development in Sentinel.
What needs improvement?
Microsoft Sentinel provides visibility into threats, and the incident alert display has improved. However, I don't believe it is efficient or pleasant to work with, especially for specialists who work with it all day. We are considering putting our incident alerts into ServiceNow first, which would improve instant handling, logging, and monitoring, and streamline the investigation process. This is a potential area for improvement, but currently, the system is workable and easy to use. I understand that improvements are in progress, and I expect the system to get even better with time.
When we look at external SOAR and orchestration platforms, we have a better overview of all the rules, their behavior, and the correlation between them. From a technical perspective, it works well, but from a functional overview, there's room for improvement. For example, we need a clear understanding of what playbooks we have in our SOAR capabilities. Currently, we have a long list, and we need to know what each playbook does. If we want to add some playbooks in Azure, we need to consider the playbooks that we have in Azure that are not related to any schedule. This can make the environment a bit messy. While building them ourselves, we can have a clear understanding of the why, what, and how, but it can be complicated to know which playbook does what at a given moment or what role it best fits.
Currently, the watchlist feature is being utilized, and although there have been improvements, it is still not fully optimized. When examining the watchlist, it appears that it is not adequately supported in Sentinel's repository feature. As a result, we are constantly having to find workarounds, which is functional but require more effort. It is possible for Microsoft to improve efficiency, but they have not done so yet.
For how long have I used the solution?
I have been using Microsoft Sentinel for three years.
What do I think about the stability of the solution?
Last year, there were some issues with Azure Sentinel, which is a specific service within the Azure platform. These issues affected the performance of Sentinel and caused some concerns. While the situation has improved, there may be further challenges as the platform continues to grow. As a cloud service, there is a risk of outages, which can be difficult to address. Overall, there are currently no complaints about the stability of Azure Sentinel, but it is important to stay vigilant about potential issues that may arise.
What do I think about the scalability of the solution?
Sentinel's scalability is impressive. Currently, we have not encountered any limitations. While there may be a limit on the number of rules with a large amount of data, we have not reached that point. The system performs well, aided by the basic and archive loss features. In the event that those features are insufficient, we still have additional options available. Overall, I believe that Sentinel is highly scalable.
Which solution did I use previously and why did I switch?
We used to utilize ArcSight Interset, an outdated on-premises product that wasn't suitable for our move to the cloud or offering services to our customers. Since we mainly use Microsoft products, we switched to Sentinel enthusiastically. Sentinel is a perfect fit for our organization.
How was the initial setup?
The initial setup was straightforward and adoption was fast. Currently, our approach within the organization is, to begin with a simple implementation and ensure it is functional before incorporating more complex integrations. We started with basic tasks such as editing data files and integrating on-premises data responses. Once we have established a solid foundation, we will build upon it to create a more advanced version.
If we take all areas into account, we would need a considerable number of people for deployment. I believe we would need around 15 to 20 individuals, including engineering consultants, ServiceNow personnel, and others.
What other advice do I have?
I give Microsoft Sentinel an eight out of ten.
We use the entire range of security measures except for Defender for IP. This is similar to how we use Defender for servers. In Azure, these measures are used on the front-end point, server, and callbacks. As for our customer implementations, I am responsible for carrying them out. For our own laptops, we have a strategy where we use Carbon Black instead of Defender for Endpoint. However, we still use Defender AV, and for other cloud applications, we use Defender for Office 365. The reason we continue to use Carbon Black is due to its legacy status.
Sentinel is a cloud service platform that is particularly useful for those who require sizable, scalable, and high-performing solutions.
Sentinel always requires some maintenance, which includes examining the ingested data to determine if it is being used for a specific purpose. It is important to evaluate the amount of data being stored and ensure that we are paying the correct price. Additionally, any necessary updates should be made to patch up any queries. These actions will result in improved efficiency and effectiveness.
The choice of the best-of-breed solution depends on the company's specific needs, but given the shortage of skilled personnel in many organizations, managing multiple products can be challenging. If we opt for a best-of-breed solution, we may end up having to maintain expertise in several different areas. On the other hand, choosing a single vendor, such as Microsoft, can be advantageous in terms of discounts, support, and skill maintenance. Our experience suggests that when evaluating a solution, it's essential to know the requirements, risks, and desired outcomes beforehand, rather than trying to ingest all available data, which can be costly and inefficient.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Gives you one place to close incidents, and KQL is definitely a step up when it comes to security
Pros and Cons
- "I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals, when it comes to incident response."
- "The built-in SOAR is not really good out-of-the-box. The SOAR relies on logic apps and you almost need to have some kind of developer background to be able to make these logic apps. Most security people cannot develop anything..."
What is our primary use case?
Microsoft Sentinel is basically a major log, on top of which you can build queries that can analyze the data you get. It's used to build up security operations centers. In addition, it is a SIEM and SOAR solution.
How has it helped my organization?
The first benefit is that you have one place to close incidents. That's definitely an advantage.
Another benefit is KQL, Kusto Query Language, and the analytic rules with which you can spot suspicious behavior of all kinds. It's definitely a step up when it comes to security. You see the benefits almost instantly.
In addition, automation helps prioritize what needs to be looked at, and what can just be closed and forgotten.
And when you combine the threat intelligence with Defender for Endpoint's recommendations, it's a really strong way to protect things or be proactive when it comes to security, with the CVEs, et cetera.
Overall, our Microsoft solution saves time. Without it, you might have to navigate six or seven portals, but with it, you only have to look at one place, and that saves some time. Most of the time, it eliminates having to look at multiple dashboards and gives you one XDR dashboard. Ideally, that should make working with IT security easier. It also decreases the time it takes to detect and respond.
As a consultant, none of the customers I work for has been hacked or has been close to being hacked. That would be the best way to judge if it saves money because just putting Sentinel on top of all these security products doesn't save you money. It's possible it saves you money.
What is most valuable?
I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals when it comes to incident response.
The solution helps prioritize threats across your enterprise and that is quite important. There is a concept called "alert fatigue," and Sentinel can also cause that because it detects so many false positives. But usually, the high and medium risks it identifies are things you need to take a look at. So prioritization is quite important.
We also use Defender for Cloud, Defender for Endpoint, and Defender for Cloud Apps. It's quite easy to integrate these Microsoft products because they can easily communicate with other Microsoft products. The tricky part is to integrate other vendors' products, like Cisco or Linux, with Microsoft Sentinel. The actual integration is easy, but they generate a lot of data. But with its entire Defender suite, Microsoft is trying to cover everything in Azure and that is a really strong point.
Sentinel enables you to ingest data from your entire ecosystem and that is vital, but sometimes it's a bit hard to figure out what data you actually need.
Also, the UEBA is a neat feature.
What needs improvement?
The built-in SOAR is not really good out-of-the-box. The SOAR relies on logic apps and you almost need to have some kind of developer background to be able to make these logic apps. Most security people cannot develop anything, but if you want to make full use of the SOAR part of Microsoft Sentinel, you need to be able to develop these logic apps. You can say, "Okay, that's simple," but it's not simple for someone who doesn't develop.
Also, the bi-directional sync in Microsoft Defender for Cloud should be enabled out-of-the-box. Otherwise, while you can close incidents in Sentinel, they will not be closed in all the other portals. That is really important.
In addition, the watch list could be improved. Microsoft could develop some analytic templates based on these watch lists, for example.
And if you don't have any KQL knowledge, Sentinel is actually quite hard to use or to get the most out of.
For how long have I used the solution?
I have been working with Microsoft Sentinel for approximately one year.
What do I think about the stability of the solution?
It's a stable solution.
What do I think about the scalability of the solution?
My clients are looking to increase their usage of Sentinel. Every time I look, there is a new data connector, so it seems like it's a product that is constantly in development.
How are customer service and support?
I haven't used their technical support.
How was the initial setup?
The initial deployment, for me, is not really complex. It takes one hour or less. But to be able to use Sentinel to its full capabilities, you must definitely know something.
In terms of an implementation strategy, you need to really think ahead about who should be able to do this, and who should be able to do that, and respond to that, et cetera. A proof of concept would include dealing with the architecture, gathering initial data sources and/or automation, and then learning how to navigate in Sentinel. One person can do it.
My clients are enterprise-level companies and the solution requires maintenance. It includes updating analytics, importing, and creating new analytics. It depends on the company. If you have 100 employees, one employee might be enough to maintain things, but if you have 10,000 employees and 10,000 devices, you might need more employees.
What's my experience with pricing, setup cost, and licensing?
No license is required to make use of Sentinel, but you need to buy products to get the data. In general, the price of those products is comparable to similar products.
What other advice do I have?
My advice is to start out with a little bit of data and build on top of that. Don't enable too many data connectors in the beginning. Get familiar with the product, and remember to work with Sentinel every day. That's the only way the product gets better.
It comes with some out-of-the-box analytics, but to get the full and best usage out of it, you have to really keep developing it with hunting queries, analytics, et cetera. The visibility provided by the built-in analytics rules, what they detect, is rather good, but Microsoft Sentinel requires ongoing work. It helps automate routine tasks as well, but that's not something that comes "for free." It also requires ongoing work.
Threat intelligence is something that you must be more than just a novice in Sentinel to make use of.
Overall, I find Sentinel to be a really strong solution. Sentinel is where you can see the overall security status of your company. I really enjoy working with Microsoft Defender and the entire suite, combined with Microsoft Sentinel.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Cloud Infrastructure and Security Consultant
Good security orchestration and automation response with very useful AI functionality
Pros and Cons
- "There are a lot of things you can explore as a user. You can even go and actively hunt for threats. You can go on the offensive rather than on the defensive."
- "The only thing is sometimes you can have a false positive."
What is our primary use case?
Azure Sentinel is a SIEM solution. It offers security information on an event management solution and also security orchestration automation response. It actually looks into events coming into your environment and events from a lot of sources, or whatever you might have in your network.
There are a lot of events and logs generated by all of these resources - sometimes in the thousands or millions. Azure Sentinel helps you investigate a lot of these logs faster. It uses artificial intelligence, called threat intelligence, to look into all the events that might be coming into your environment.
For example, on a daily basis, you might be receiving two million events coming from all the resources you have, including your users. If you're a very big enterprise and you have thousands of users, there are logs coming in from each of these users. You also have some resources, such as your web application, virtual machine, and a lot of your resources that span across both Azure AWS, GCP, and other solution providers like Sophos, Fortinet, Cisco, and your on-premise environment. You can get all these logs together with this.
What is most valuable?
The solution is still new, and there are a lot of new things coming out each and every day. Microsoft is trying to improve the solution constantly. In the last two weeks, there was a section of the Azure Sentinel code solutions that was integrated. It's something organizations could explore. Recently, they just included automation rules that you can use with Logic Apps to automate threat responses.
Azure Sentinel works with artificial intelligence. With AI by your side, you are able to investigate everything very fast. Within a blink of an eye, it's going to help you look into all these things. Before it can do that, however, you need to set up some form of analytics rules to help you look into all the events that might be coming into your environment.
There's also a security orchestration and automation response. Sentinel is able to identify and spot threats in our environment. We can also set up some automation rules to be able to automate when there is any form of an incident in our environment. For example, if there is a brute force attack on a user account, we can automate a response such that we can block the user account for a time while an investigation is done on that account. There are automation rules that can help to automate responses as well.
There are a lot of things you can explore as a user. You can even go and actively hunt for threats. You can be on the offensive rather than on the defensive.
It's quite different from a traditional SIEM solution whereby you need to have a couple of security analysts to be able to help you manage it. All of these traditional SIEM solutions don't have the capability to look into threats as fast. For instance, if a DDoS attack was placed on our web application hosted with a cloud solution provider and we hosted this web application on our virtual machine, if we have a DDoS attack (a denial-of-service attack), we can spot the threats very quickly. AI will also help to stop these attacks before they can do damage.
You can bring in your own machine learning algorithms to help you look into the threats community environment. If you are someone who's very fast at developing AI, you can have your own custom machine learning set up to help you look into any form of threat. It’s a very powerful tool.
Recently, I deployed Azure Sentinel for a client. I could tell immediately it was able to spot a lot of threats. Just within an hour, it was able to spot about five to ten threats. Also, at that very moment, Sentinel recorded around 500,000 events coming into the log analytics workspace. Typically, if you have something like 500,000 events coming into your environment and you have to involve the physical human efforts to be able to look into 500,000 events, it's going to be a lot of work - too much for one person.
The product has a lot of built-in features. There is a lot that it adds, and there is a lot it can do. It's the kind of solution that you can even bring in your own model.
We have a machine learning model that we train. Apart from it having some kind of already made solution, you can even create your own custom rules and custom machine learning.
Having to analyze threats every day, as a person, can be stressful. However, when you have something like Sentinel, which uses threat intelligence to be able to help you respond and remediate against threats at scale, it takes the pressure off.
It can span across your on-premise resources. If you have your own data center, you can deploy Azure Sentinel in the cloud, and you can have it monitor your data center. You can have it working as a solution to your data center.
As a user, you are able to integrate your on-premise with the data center to Azure Sentinel, in just a few clicks. It’s very simple to use. In just a few clicks, you'll be able to connect Azure Sentinel with your on-premise resources, web server, or SQL server - anything you can think of.
It can help you investigate threats coming into your laptop. You can connect Azure Sentinel to your personal computer.
It doesn't affect end users. They don't have access to Sentinel. They don't even see what is happening. They don't know what is happening.
A lot of organizations have lost a lot of money due to a loss of virtual information. With this kind of strong security system and some strong security protocols, they are well protected.
What needs improvement?
New things are already being incorporated just to improve on the already existing solution.
There is a GitHub community for this solution. There are a lot of contributors worldwide and a lot of people building playbooks and building machine learning models. Someone can just build a machine learning model and say, "Okay, just mention in the model, 'Do this,' and it does this." There is room for improvement. However, things are improving in Sentinel with the help of this community.
I've seen playbooks where people have pushed to the GitHub repository, and I've been able to make use of one or two of these solutions on GitHub. That said, it may not be possible to eradicate all of the cyber threats.
There are webinars going on almost every week. Last week I attended a couple of webinars on Azure security. When you are doing things, you also need to be thinking about the security aspect. You have to be thinking about the security aspect of a cloud. You need to enforce a zero-trust model. You can't assume something cannot harm you, as everybody is a threat to your security.
The only issue is that sometimes you can have a false positive alert. For example, sometimes it detects something is happening, however, you're actually the one doing that thing. If someone is trying to sign into their environment and provide an incorrect password, they will try it a few times. The system will look at that event and think it's an attacker and it might be an indication of a threat. However, it's just a user that got the password wrong. I consider that a false positive alert.
For how long have I used the solution?
I have been using this solution for about a year now.
What do I think about the stability of the solution?
The stability seems to be fine for now. It's not an issue.
How are customer service and support?
I have not really used technical support. That said, on the first day when I was starting with Sentinel, I used technical support for some free advice.
In the past, I've worked as a Microsoft technical support engineer. I was very good at what I did then. The support person that I spoke with when I needed free advice on that first day was helpful. When I raised a support request to ask a few questions, the support engineer was able to do justice to all those questions and shared some things to put me in the right direction. I appreciated their helpfulness as I used to be that helpful as well.
Which solution did I use previously and why did I switch?
There are a lot of solutions Microsoft has that have to do with security. However, they are not what I would describe Sentinel to be. Nothing I have used in the past has been similar to Sentinel.
How was the initial setup?
For every project, you need to have your functional requirements. Once you have that in place, the initial setup depends on the number of things you want to bring into Azure Sentinel. It's a powerful tool.
You can set it to AWS, GCP, DigitalOcean, Sophos, Fortinet, Cisco - even your PC. You can set it up for everything and there is no lagging. It just takes just a few clicks to connect these things. For instance, if you need to get the logs of a user, you just go to the data connector. Once you are in the data connector, you click on Connect. Once you click on Connect, a lot from that environment just comes into Sentinel. Once it's coming into Sentinel, you can create various analytics rules.
Which other solutions did I evaluate?
I don't know of similar solutions or if any really exist.
What other advice do I have?
The company I work with now is a Microsoft partner.
It's a very, very powerful tool that I recommend to my customers. I work as a consultant. I advise customers. I do not sell it directly.
It's something that organizations should use. I would advise people to use it. It doesn't look into only your Azure environment. It spans other cloud solution providers.
I'd rate the solution at a ten out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Lead Consultant at Trustsec Inc.
KQL queries provide rich detail to help correlate security events across the Azure environment
Pros and Cons
- "If you know how to do KQL (kusto query language) queries, which are how you query the log data inside Sentinel, the information is pretty rich. You can get down to a good level of detail regarding event information or notifications."
- "There is some relatively advanced knowledge that you have to have to properly leverage Sentinel's full capabilities. I'm thinking about things like the creation of workbooks, how you do threat-hunting, and the kinds of notifications you're getting... It takes time for people to ramp up on that and develop a familiarity or expertise with it."
What is our primary use case?
It is a tool for compliance for us. Every department and agency in the government is trying to get to the cloud as fast as they can. Because of that, there's a lot of SA&A work—service authorization and accreditation. In that, you're assessing the environment against a set of controls. We use Sentinel to provide us with a core piece of evidence that ensures these environments are compliant.
What is most valuable?
If you know how to do KQL (kusto query language) queries, which are how you query the log data inside Sentinel, the information is pretty rich. You can get down to a good level of detail regarding event information or notifications. It's all about how detailed and accurate your queries need to be and what log sources you are actually ingesting log information from. Sentinel is that central piece that allows you to correlate security events across your Azure environment. It's a pretty critical piece of the puzzle.
You can create both custom connectors as well as use the canned connectors that Sentinel ships with. When you start the service, those connectors will look at on-prem log sources and ingest them. So Sentinel works both in the cloud and on-prem.
What needs improvement?
There is some relatively advanced knowledge that you have to have to properly leverage Sentinel's full capabilities. I'm thinking about things like the creation of workbooks, how you do threat-hunting, and the kinds of notifications you're getting. There are a lot of pieces in motion with Sentinel to use it effectively. It takes time for people to ramp up on that and develop a familiarity or expertise with it.
Does it need to be simplified? There is that old saying: "The simpler the front end, the more complex the back end." A novice would probably not be able to effectively use Sentinel unless they were able to ramp up pretty quickly on a lot of its functionality. You need to understand the interfaces and all the components that are part and parcel of the service.
For how long have I used the solution?
I've been involved with Sentinel since early 2018. Sentinel was only acquired by Microsoft four or five years ago.
I own a professional services company and I do a lot of government consulting and engineering work for clients. I've had good exposure to Microsoft technology, whether through their support services, or through Azure, or through a myriad of on-prem solutions as well. My partnership efforts have really been around AWS because, outside of government, AWS has a far larger footprint than Microsoft, as far as the cloud is concerned.
What do I think about the stability of the solution?
The stability of Sentinel is fine, as long as those who are configuring the service and using it have a good grasp of its operational nature. It takes time to develop that knowledge, but it's a pretty stable service.
How are customer service and support?
Microsoft has a service called FastTrack, which basically pairs my clients up with a local Microsoft partner. That FastTrack partner is the intermediary between the client and Microsoft. If there's a problem or a support issue, that partner will typically be the client-facing entity.
Larger departments will purchase Premium Support and that provides them with a more face-to-face support experience with Microsoft personnel, specifically. Many of my clients are larger departments and, generally speaking, there is pretty good support in place for them from Microsoft.
Most clients are looking at getting E5 licensing, which opens up a whole bunch of security features and support services. But E5 licensing is pretty darn expensive. So bigger departments with bigger pockets have a very good support experience with Microsoft. The smaller departments, which may need to take advantage of services like FastTrack, assuming that the Microsoft partner has good resources available, may not have a problem at all. But I have heard some feedback that FastTrack is not a great program. Support is only as good as the weakest link in the chain.
What's my experience with pricing, setup cost, and licensing?
My job as a consultant is to work with many different departments and agencies, whether it's on their architecture or assessing their environments, as they all move to the cloud. I've seen many different environments and a lot of them have some common overlaps in terms of security services. Sentinel can be expensive. When you ingest data from sources that are outside of the cloud, you're paying a fair amount for that data ingestion. When you're ingesting data sources from within the cloud, depending on what your retention periods are, it's not that expensive. For certain customers, depending on the requirements, it can be a pricey service.
What other advice do I have?
Personally, I like the tool. From a SOC perspective, the visibility into government operations in particular is key, and I'm seeing a lot of advanced usage of it for some of my clients.
The federal government, here in Canada, has primarily centralized on Azure as opposed to AWS. That's because most of these departments also have SaaS environments that are M365-centric. As a result, because they are already Microsoft on the SaaS side, a lot of departments maintain that Microsoft synergy, even if, in my opinion, AWS is a better platform.
As a cloud SIEM, I would rate Sentinel at an eight out of 10. The only reason I'm not ranking it higher is that, as I said, there is some complexity with it. You have to tweak the service to get the outputs you want, by doing things like creating workbooks or rules for Sentinel, doing the threat-hunting, setting up the connectors, the log analytics, and workspaces. There's a lot of "heavy lifting" done to get Sentinel into a state where you can effectively use it. But as far as the actual outputs are concerned, if you know what you're doing with the queries, Sentinel is a great tool.
Microsoft offers training around Sentinel. In our region, among the support guys that deal with the government departments and agencies, there are some Sentinel subject matter experts available. And when more advanced knowledge is needed, Microsoft can provide what are called "support ninjas." They have more advanced knowledge and can be flown in from wherever. There are a lot of opportunities to learn how to properly use Sentinel's tools. Once you get that familiarity, Sentinel is a valuable tool for your cloud security posture.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Officer at a computer software company with 11-50 employees
Good integrations, comprehensive and offers good visibility
Pros and Cons
- "It has a lot of great features."
- "We'd like also a better ticketing system, which is older."
What is our primary use case?
We primarily use the solution for security operations.
What is most valuable?
It has a lot of great features.
The integrations on offer are very good. They have a lot of frequent updates on the integrations as well.
We also use other Microsoft products with it, such as Active Directory and Defender for Endpoint and Identity. Everything is well integrated together. The integration itself is seamless.
Its connectors are helpful.
We get good logs from the solution.
Threat visibility is good so far. We are able to prioritize threats based on many factors.
The comprehensiveness of the solution is good.
What needs improvement?
The alert response could be better. We'd also like a better ticketing system, which is older.
For how long have I used the solution?
I've been using the solution for two years.
What other advice do I have?
I'd rate the solution nine out of ten.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2024
Product Categories
Security Information and Event Management (SIEM) Security Orchestration Automation and Response (SOAR) Microsoft Security Suite AI-Powered Cybersecurity PlatformsPopular Comparisons
Splunk Enterprise Security
IBM Security QRadar
Elastic Security
LogRhythm SIEM
Sumo Logic Security
Rapid7 InsightIDR
Fortinet FortiSIEM
AlienVault OSSIM
Securonix Next-Gen SIEM
Cortex XSIAM
USM Anywhere
ManageEngine Log360
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What are your approaches on Azure Sentinel content deployment automation?
- Which is better - Azure Sentinel or AWS Security Hub?
- What is a better choice, Splunk or Azure Sentinel?
- Which solution do you prefer: Microsoft Sentinel or Palo Alto Networks Cortex XSOAR?
- What Solution for SIEM is Best To Be NIST 800-171 Compliant?
- When evaluating Security Information and Event Management (SIEM), what aspect do you think is the most important feature to look for?
- What are the main differences between Nessus and Arcsight?
- Which is the best SIEM solution for a government organization?
- What is the difference between IT event correlation and aggregation?
- What Is SIEM Used For?