Microsoft Sentinel Reviews

We use this solution for analyzing Microsoft cloud-based log services and for security data. The services include Microsoft 365, Azure Security Center logs and Microsoft cache logs. We are gold security partners with Azure. 

The UI-based analytics are excellent, it's something I haven't seen with any other SIEM products. Microsoft has excellent tools for cleaning data, sorting out irrelevant log data and even fixing log data.

There's not much that needs improvement but the on-prem log sources still require a lot of development. It's clear that there are limitations there. I also think that the implementation and on-prem data sources could be done in a better way. We've used some functions with Python and whole scripting on FortiSIEM, which is something that Microsoft could easily provide, but so far hasn't.

The product has been very reliable. I don't know that there have been any service outbreaks. We haven't had any problems. 

We have 700 users and from our perspective, it has unlimited processing power, but this is quite common for cloud services. I think the scalability has to be some kind of ABM and feeding all of the log stats, which could possibly have limits, but Azure has huge computing power behind it.

The support is good, the only issue is getting past the level one people who ask if you've tried rebooting. If you have Microsoft's Unified Support, the most expensive support, then you'll be very happy. It's not the best support in the industry, but it's pretty good and they also support Sentinel. 

The initial setup was extremely straightforward. It was the easiest I have seen because it's an SaaS service. I think anybody can do it by just clicking and clicking and saying yes. Straight out of the box and that's the strength of the SaaS service because there's no installation, you just use it. 

We compared Azure to Splunk and to our current mainstream implementation, FortiSIEM. If you have a lot of security data, then you feel that Azure is quite expensive but it's nowhere near as costly as Splunk which is four or five times more expensive. FortiSIEM wasn't good enough and Splunk was way to expensive. 

I would definitely recommend this solution. If you have cloud-based workloads and different cloud or cloud lookalike services that require security data, or if you are looking for SOAR functionalities, then it's a no brainer. It's the best in that market. On the other hand, if you are mainly working and operating with on-prem stuff then there's no advantage over FortiSIEM or other solutions. 

I rate this solution a nine out of 10. 

Security incident and event management. Threat detection and automated response.

It is a software as a service from Microsoft.

Reduced mean time to detect and resolve

Quickly able to cover a majority of mitre att&ck techniques

Free to ingest Azure logs with E5 license

Free ingestion for Azure logs (with E5 licence)

It is easy to implement (turn on) - does need a skilled analyst to develop queries and playbooks.

It has basic out-of-the-box integrations with multiple log sources.

Add more out-of-the-box connectors with other SaaS platforms/applications.

12 months

No stability issues encountered.

It is scalable as a SaaS offering, but there is a consumption cost to consider.

Cybersecurity team uses this on a daily basis.

We work together very well with local MS Team.

The initial setup was simple. All that was needed was to put agents onto our infrastructure.

Integration more complex for non-MS SaaS and OS, but do-able using middleware.

It was done in-house.

It is an evergreen service.

What is the cost of lack of visibility?  Average cost of breach = $$$

It is a consumption-based license model. bands at 100, 200, 400 GB per day etc. Azure Sentinel Pricing | Microsoft Azure

Good monthly operational cost model for the detection and response outcomes delivered, M365 logs don't count toward the limits which is a good benefit.

Others were considered however being an E5 M365 and Azure user this was by far the preferred solution.

It is fairly new but making a charge up the market anayses.  Should be considered if you have E5 licence due to native and 'free' ingestion of M365 logs.

We haven't used all of its capability yet because we haven't had the time yet to implement it all, and it appears that the MS roadmap for Sentinel is being actively invested in.

The primary use case is the same use case as Splunk.

Requirements differ. We're still doing fine-tuning. However, lots of users are added to its security group to note activities.

So far, the solution has been perfect. 

The pricing of the product is excellent.

So far, we have found the stability to be very good.

The solution, as a SIEM tool, has very good integration capabilities, at least, according to our needs.

We have just recently migrated to this product. We haven't used it long enough to note all of the features. Therefore, it would be impossible to note what is lacking just yet.

The interface could be more user-friendly. It''s a small improvement that they could make if they wanted to.

We've recently migrated to this solution. We've only been using it for a month.

The stability of the product is very good. It doesn't have bugs. It's not glitchy. It doesn't crash or freeze. It's been reliable so far.

As a Microsoft product, customers get scalability and elasticity. We have policies in place, and, based on them, we can upgrade if we need to. A company shouldn't have issues scaling should they have the need to expand. 

Only the security team uses this product. It's not accessible for every user. We have a team of about 20.

We have just invested in the solution, and therefore we have plans to use it for the foreseeable future.

We do have access to support, and if we need them, we can call on them. However, the solution is so new, we have yet to need their services. Therefore, I can't speak to their level of responsiveness or knowledgeability just yet.

The installation is very straightforward and easy. It's not complex. It's a cloud deployment, and therefore, it is very quick. You just connect the APIs to the data center.

The product is extremely cost-effective and affordable for customers.

I'm more on the technical side. Therefore, I don't have any insights into the actual cost or the structure of the license.

We looked at Splunk as well and compared to that solution, this one is less expensive.

We're using the latest version of the solution.

Choosing this solution was a management decision. Due to cost-effectiveness, they opted for Azure Sentinel.

Whether this product would work for another organization or not depends on the company's requirements.

As it is still very early in terms of our experience with the solution, I would rate the product at a six out of ten.

It is for tracking the logs. I'm working on automation. So, the use case basically includes logs, incidents, automation, UEBA, and endpoint integration with Office 365 Defender.

We didn't have anything similar. So, it really provides value from the incidents and automation point of view. The overview of the security fabric is most valuable.

Its implementation could be simpler. It is not really simple or straightforward. It is in the middle. Sometimes, connectors are a little bit complex. 

I just started using it. I have just set it up.

It is stable.

It is scalable.

I haven't dealt with Microsoft's tech support. I haven't reached out to them.

It was of medium complexity. It wasn't too bad, but it can be complex because of the connectors.

I don't know yet because they gave us a 30-day test window for free. 

Because it is mainly artificial intelligence and machine learning, you would need some time to learn it. It is a good solution, and it is straightforward.

I would rate it a six out of 10. I haven't really dealt with other ones.

It is a tool for compliance for us. Every department and agency in the government is trying to get to the cloud as fast as they can. Because of that, there's a lot of SA&A work—service authorization and accreditation. In that, you're assessing the environment against a set of controls. We use Sentinel to provide us with a core piece of evidence that ensures these environments are compliant.

If you know how to do KQL (kusto query language) queries, which are how you query the log data inside Sentinel, the information is pretty rich. You can get down to a good level of detail regarding event information or notifications. It's all about how detailed and accurate your queries need to be and what log sources you are actually ingesting log information from. Sentinel is that central piece that allows you to correlate security events across your Azure environment. It's a pretty critical piece of the puzzle.

You can create both custom connectors as well as use the canned connectors that Sentinel ships with. When you start the service, those connectors will look at on-prem log sources and ingest them. So Sentinel works both in the cloud and on-prem.

There is some relatively advanced knowledge that you have to have to properly leverage Sentinel's full capabilities. I'm thinking about things like the creation of workbooks, how you do threat-hunting, and the kinds of notifications you're getting. There are a lot of pieces in motion with Sentinel to use it effectively. It takes time for people to ramp up on that and develop a familiarity or expertise with it.

Does it need to be simplified? There is that old saying: "The simpler the front end, the more complex the back end." A novice would probably not be able to effectively use Sentinel unless they were able to ramp up pretty quickly on a lot of its functionality. You need to understand the interfaces and all the components that are part and parcel of the service.

I've been involved with Sentinel since early 2018. Sentinel was only acquired by Microsoft four or five years ago.

I own a professional services company and I do a lot of government consulting and engineering work for clients. I've had good exposure to Microsoft technology, whether through their support services, or through Azure, or through a myriad of on-prem solutions as well. My partnership efforts have really been around AWS because, outside of government, AWS has a far larger footprint than Microsoft, as far as the cloud is concerned.

The stability of Sentinel is fine, as long as those who are configuring the service and using it have a good grasp of its operational nature. It takes time to develop that knowledge, but it's a pretty stable service.

Microsoft has a service called FastTrack, which basically pairs my clients up with a local Microsoft partner. That FastTrack partner is the intermediary between the client and Microsoft. If there's a problem or a support issue, that partner will typically be the client-facing entity.

Larger departments will purchase Premium Support and that provides them with a more face-to-face support experience with Microsoft personnel, specifically. Many of my clients are larger departments and, generally speaking, there is pretty good support in place for them from Microsoft.

Most clients are looking at getting E5 licensing, which opens up a whole bunch of security features and support services. But E5 licensing is pretty darn expensive. So bigger departments with bigger pockets have a very good support experience with Microsoft. The smaller departments, which may need to take advantage of services like FastTrack, assuming that the Microsoft partner has good resources available, may not have a problem at all. But I have heard some feedback that FastTrack is not a great program. Support is only as good as the weakest link in the chain.

My job as a consultant is to work with many different departments and agencies, whether it's on their architecture or assessing their environments, as they all move to the cloud. I've seen many different environments and a lot of them have some common overlaps in terms of security services. Sentinel can be expensive. When you ingest data from sources that are outside of the cloud, you're paying a fair amount for that data ingestion. When you're ingesting data sources from within the cloud, depending on what your retention periods are, it's not that expensive. For certain customers, depending on the requirements, it can be a pricey service.

Personally, I like the tool. From a SOC perspective, the visibility into government operations in particular is key, and I'm seeing a lot of advanced usage of it for some of my clients.

The federal government, here in Canada, has primarily centralized on Azure as opposed to AWS. That's because most of these departments also have SaaS environments that are M365-centric. As a result, because they are already Microsoft on the SaaS side, a lot of departments maintain that Microsoft synergy, even if, in my opinion, AWS is a better platform.

As a cloud SIEM, I would rate Sentinel at an eight out of 10. The only reason I'm not ranking it higher is that, as I said, there is some complexity with it. You have to tweak the service to get the outputs you want, by doing things like creating workbooks or rules for Sentinel, doing the threat-hunting, setting up the connectors, the log analytics, and workspaces. There's a lot of "heavy lifting" done to get Sentinel into a state where you can effectively use it. But as far as the actual outputs are concerned, if you know what you're doing with the queries, Sentinel is a great tool.

Microsoft offers training around Sentinel. In our region, among the support guys that deal with the government departments and agencies, there are some Sentinel subject matter experts available. And when more advanced knowledge is needed, Microsoft can provide what are called "support ninjas." They have more advanced knowledge and can be flown in from wherever. There are a lot of opportunities to learn how to properly use Sentinel's tools. Once you get that familiarity, Sentinel is a valuable tool for your cloud security posture.

We primarily use the solution for security operations. 

It has a lot of great features. 

The integrations on offer are very good. They have a lot of frequent updates on the integrations as well. 

We also use other Microsoft products with it, such as Active Directory and Defender for Endpoint and Identity. Everything is well integrated together. The integration itself is seamless.

Its connectors are helpful.

We get good logs from the solution.

Threat visibility is good so far. We are able to prioritize threats based on many factors.

The comprehensiveness of the solution is good. 

The alert response could be better. We'd also like a better ticketing system, which is older.

I've been using the solution for two years.

I'd rate the solution nine out of ten.

For users that have been observing some malicious actions with their product and getting malicious mail, Azure Sentinel allows them to create a rule, which will show who exactly among their users is exposed to phishing attacks so that they can make some mitigation on that particular account.

There are about five people using this solution in my organization.

It helps to implement connectors for Microsoft solutions, available out of the box and providing real-time integration, including Microsoft 365 Defender (formerly Microsoft Threat Protection) solutions, and Microsoft 365 sources, including Office 365, Azure AD, Microsoft Defender for Identity (formerly Azure ATP), and Microsoft Defender for Cloud Apps, and more. In addition, there are built-in connectors to the broader security ecosystem for non-Microsoft solutions

The most valuable feature is the onboarding of the workloads. You can see all that has been onboarded in your account on the dashboards.

It has been a challenge with Azure Sentinel to onboard the Syslog server from FortiGate. Azure Sentinel can work better on that shift between the Syslog server and a firewall.

I have been using this solution for three years.

It's quite stable compared to other automation SIEM and SOAR solutions.

It's very scalable.

Technical support is good. Microsoft has engineers that are readily available to help you with a challenge.

Initial setup was user friendly. I would rate it a 4 out of 5. 

It's deployed by you onboarding your deliverables on the workload. For example, if you're using Office 365 or another third-party solution, you're going to upload those onto the server and have it protected with your Azure Sentinel.

It will draw logs from those your activities, and then bring it up as a workbook, where you can see into the actions on those programs you have onboarded on the Azure Sentinel.

We use a third-party for implementation.

For ROI, I would rate it 4 out of 5.

It's costly to maintain and renew.

It depends on how you want to pay for the solution. You can pay it on an annual basis or pay as you go, but I feel it's better to just keep it running as a product on your Azure subscription. If you have a $500 subscription, it will take part of your subscription.

I would rate this solution 7 out of 10.

We are security system integrators. 

We have no complaints about the features or functionality.

Azure Sentinel, the Microsoft Azure product is, from what I understand, used for the Microsoft applications. I don't know if it works outside of the Microsoft Azure cloud.

I would like to be able to monitor applications outside of the Azure Cloud. That is one of the reasons one of the customers has multiple tools.

I have been using Azure Sentinel for approximately one year.

It's free. It comes with a Microsoft subscription which the customer has, so they don't have to invest somewhere else. That'd be great if it was supporting other things.

If it's a security integrator like us, quite often people push the client into buying different vendors' products and the client already has the tool in-house. Microsoft is one of those tools that most clients already have.

Many vendors, or integrators, that we know of, are not familiar with Microsoft Sentinel product classification security. So that's one thing I would encourage both potential customers, and users, to look into what suite of products do they have with existing Microsoft accounts that they have. 

Also, the integrators should be quite familiar with all the things that are available to their clients, so they don't have to invest tons of money in other tools.

Based on having no complaints, I would rate Azure Sentinel an eight out of ten.