reviewer1720041 - PeerSpot reviewer
Technical Lead at a manufacturing company with 10,001+ employees
Real User
Dec 1, 2021
Powerful, with great performance and a seamless user experience
Pros and Cons
  • "It's pretty powerful and its performance is pretty good."
  • "If their UI was a bit more streamlined and easy to find when I need it, then that would be a great improvement."

What is our primary use case?

We primarily use many Microsoft products, including Microsoft 365 with a focus on the security aspect. We have Defender for endpoints and Defender for servers. We also use Azure Sentinel with these.

How has it helped my organization?

This product has improved the way our organization functions. I won't be able to provide exact metrics as I don't directly work with metrics, however, from an improvement perspective, it is just a more streamlined deployment. 

We also use Intune as part of the MDM. If there are any agents that need to be deployed, then we can use that or we can just configure Windows from MDM directly. A lot of things can be just set up out-of-the-box and are ready to go and it sends logs right to Azure Sentinel. Therefore, while I don't have hard numbers, it's definitely made deployments easier and is much less time-intensive for our organization.

What is most valuable?

Coming from other SIEM solutions, Sentinel seems to be pretty good. 

It's pretty powerful and its performance is good.

The most powerful aspect is the whole integration with the Microsoft ecosystem. If you have the Microsoft 365 subscription, E5, then it integrates pretty seamlessly with everything you're trying to do. 

You obviously have connectors with other third-party, non-Microsoft stuff as well. They have pretty good integration with those. 

Azure Sentinel has a lot of built-in analytics rules, that help us get started in terms of triggering anomalous activity. In terms of performance, they're pretty fast. I've used QRadar and Splunk. Compared to Azure Sentinel those are pretty slow. Some searches in Sentinel are pretty instantaneous. For bigger searches, it's a very noticeable and impressive turnaround.

There are a lot of features that I don't touch just because I'm in the SOC. That said, I know customers have deployed different items that are quite useful. 

The end-user experience is good. It's just pretty seamless. When I was onboarded, it was just a simple download and then a sign-in to my account. It'll basically configure everything for you and download the necessary stuff that the company has defined - including Defender, et cetera. 

What needs improvement?

Microsoft needs to stop renaming their stuff. A lot of their products are very confusing due to the names they choose. The first time I heard of Defender I assumed it's just their antivirus, anti-malware, or a package that covers those things. However, there's Defender, Windows Defender, and then there's Defender for Endpoint, and there's also Defender for servers, et cetera. That really needs to be streamlined. As far as Defender's concerned, they want just a protective device. The differences are confusing.

Maybe it's a transitional choice, however, they've been doing a lot of migrations to a new portal in the security center or office privacy center. There's a bunch of portals where some things are repeated or duplicated. You have the same features in the portals, yet, in some cases, there are some things that you have to go to one portal and not the other, as it hasn't been migrated or the feature is just not there.

If their UI was a bit more streamlined and easy to find when I need it, then that would be a great improvement.

Buyer's Guide
Microsoft Sentinel
January 2026
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
881,665 professionals have used our research since 2012.

For how long have I used the solution?

I've been using the solution for one year.

What do I think about the stability of the solution?

The stability is pretty good. However, there is one flaw. We did have an issue where Microsoft had some issues with some components that caused issues with their cloud. It might have been an authentication issue or something like that, however, it basically took down everything. We weren't able to work. While integration is good if something comes from one vendor and if that vendor goes down, then everyone is pretty unhappy.

What do I think about the scalability of the solution?

While at my previous organization we had about 50 or 60 users, as a small company, we had customers that could have users in the thousands.

I didn't notice any scalability issues, and therefore I assume it's quite good. With respect to Azure Sentinel, I've never had an issue.

As far as I know, we're using pretty much everything that Microsoft has from a security perspective. I don't know how we can expand anymore.

How are customer service and support?

I've never had to call technical support or reach out to technical support, therefore, I can't speak to how they operate.

Which solution did I use previously and why did I switch?

I've previously used SentinelOne for endpoints and antimalware, et cetera, and Splunk for the SIEM.

How was the initial setup?

I was specifically working in SOC; I was more responsible for the day-to-day operations. Unfortunately, I cannot speak to the deployment so much. I would not have information on the implementation strategy, for example.

What about the implementation team?

We handled the deployment internally.

What's my experience with pricing, setup cost, and licensing?

I was in the SOC. I don't deal directly with that pricing. They do have multiple licensing levels. It's just about knowing what you need. One good thing about Microsoft is that they do have quite a few options depending on your needs. That said, sometimes it could be hard to pick because there are so many. 

As an organization, you need to understand the company's needs. For example, if you don't have a security team to look at your alerts or to set up all the stuff, then you probably don't need some of their most expensive services. You need to purchase the subscriptions accordingly if you're able to leverage them.

They have premium and enterprise subscription levels. I don't know what the standard would be. They have E3 and E5 level licensing. I don't know off the top of my head the differences, however, E5 likely has more security features. Companies need to be aware of all the differences.

Which other solutions did I evaluate?

I was not part of any evaluation process. I came to the company afterward. 

What other advice do I have?

I'm not sure which version of the solution we're on. We have another team that does the deployment and they would take care of the versioning, et cetera, however, we usually run the latest.

Microsoft makes Windows. They know their stuff. Having everything streamlined can be time-saving. It's good to have an integrated system rather than using something else. You don't need to jump through a lot of hoops or install additional software in order to get everything up and running.

I'd rate the solution at an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Director Cybersecurity at a pharma/biotech company with 201-500 employees
Real User
Dec 1, 2021
Good documentation, helps with our security posture and has a straightforward setup
Pros and Cons
  • "We’ve got process improvement that's happened across multiple different fronts within the organization, within our IT organization based on this tool being in place."
  • "They're giving us the queries so we can plug them right into Sentinel. They need to have a streamlined process for updating them in the tool and knowing when things are updated and knowing when there are new detections available from Microsoft."

What is our primary use case?

It's a SIEM tool. Our process right now is to put as much data as we possibly can from all of our network devices into it. We use it as a centralized logging mechanism and the feature that is nice there is that it's agnostic against the types of devices you're using. I have firewalls that can log onto it. I have Linux boxes that can log onto it. I have Windows boxes that can log to it and I can collect a variety of logs from around the organization into it. I can analyze those logs, I can get detections against those logs and use them to take a look at the security footprint of the organization.

All of the different security centers within Microsoft are alerting systems like Azure Defender ATP, the Security Centers, and Azure. All of those products, when they generate incidents and alerts, send feedback into this tool. With this product, you get a single dashboard for managing your security footprint, both from the 365 Azure environment, as well as your on-premise environment.

How has it helped my organization?

From a security perspective, it has clearly improved our alerting in our incident management processes. We've also been able to improve other processes for network monitoring and for trouble remediation within the environment. Our infrastructure team and some of our application team are now plugging into the data that's in that tool as they can use it to find issues within their applications rather quickly - a lot more easily than the other tools that they've got, which has been a huge boon.

We also see that some of our help desk processes have now been informed by it. We have queries that run against the data set that's behind that same tool and they are built specifically for the help desk. For example, if a user's account has been locked out due to the fact that we have all of the data from all the different systems plugged into that tool, we can give the help desk a complete picture of authentication failures against that device so that they can quickly identify where the problem is and resolve the issue for the user.

What is most valuable?

This system has a list of data connectors and you choose what connects to it. By default, it has access to any of the core Azure data that you have access to, however, those are due to the fact that it lives in that environment. It would naturally have access to that data. Then, you choose which data sources you want to connect to it. Many of them are very easy to set up. They're within the 365 of the Azure portion and a point and click away with a lot of the third-party services. You click a button and do authentication and things connect right up. With some of the Linux, there are setups of Syslogs.

Microsoft has pretty good documentation. It doesn't take long. It's not hard to set up.

The biggest feature we've got out of it is visibility into our environment and what's going on across our estate. Being able to see, for example, anomalous RDP logins, to be able to see deviations from our standard traffic flows on the firewalls, things like that, give us insight into when we may have potential issues or a breach type situation.

The second thing you get is that when you're managing security within the Microsoft environment with Azure 365 and your on-premise, you're bouncing between three or four or five, six different tools to do that. This centralizes the management of all of those. You get one pane of glass in all of those tools that gives you a very easy way to see what's going on.

It also allows you to correlate between those tools. I can see if I have, for example, a low-priority incident in one tool. If I have another low-priority incident on the other tool made against the same user, that may force me to say, “Hey, maybe those things combined generate a higher level incident that I maybe need to put up for investigation.” That's the advantage of the tool.

The solution does not have specific features that have helped improve our security posture. Rather, the whole idea of making security a little bit easier while also being able to correlate data between multiple disparate systems has, as a whole, improved our security posture overall.

We’ve got process improvement that's happened across multiple different fronts within the organization and within our IT organization based on this tool being in place.

We were tracking in the neighborhood of 20 to 30 incidents a month coming out of one or two source systems within the environment. What Sentinel has given us the ability to do is move up. We're now evaluating somewhere in the neighborhood of 10 to 12 a day.

They're much more robust as a product. What we've been able to do is tune the alerts so that the things that are common, that are false positives that we see all the time, we've been able to filter those out and give ourselves this complete picture as things change and work but we're filtering out the standard data sets. There are things we’re going to look at and walk away from as we know they're false positives.

In terms of receiving false positives, it does take some work to tune the environment, to get it to get rid of all those false positives. It's not ridiculous work, however. I didn't find it to be the hardest problem. It took us a couple of months, doing an hour or so a day to clean them up. Going through that process offered a tremendous amount of learning about the environment. In looking at those false positives, you start to learn things about how people use the environment - things that we didn't realize before. That's extremely valuable for a security team to understand how your assets are used and what your users are doing.

The end users are barely involved in the process. They see our security team more proactively reaching out to them when they may have a problem. For example, I may have a user who has got an excessive amount of login failures against their ID and it's coming from, say, a mobile phone. We'll see that in the SIEM and what we'll do is reach out to the user proactively. Maybe they've been seeing lockout events, or, most likely, they have been seeing lockout events but they haven't quite figured out what's going on and we'll be able to proactively go to them and say, “Hey, we're seeing this, here's the device it's coming from and here's the action you should take and see if we can fix the problem.” It's given us the ability to reach out to the user. In some cases, it's an incident where we want to reach out, get more information from the user to understand whether it was them or not. In other cases, we're reaching out to them proactively and helping solve problems for them that they may or may not even be aware they're having.

What needs improvement?

Microsoft has a number of detections that they bundle with the product and there's a number of detections that are out against GitHub that are available. We have more and more of those going out every day. Microsoft periodically is releasing more updates. I love the fact that they're giving it to us. They're giving us the queries so we can plug them right into Sentinel. 

We have to do very little editing of the plugins, however, I would love to see the ability to have those queries immediately, as Microsoft updates them. They need to have a streamlined process for updating them in the tool and knowing when things are updated and knowing when there are new detections available from Microsoft.

For how long have I used the solution?

I've used the solution for two years.

What do I think about the stability of the solution?

The solution has been extremely stable. We haven't had any downtime that I can recall.

What do I think about the scalability of the solution?

The scalability is great. It's all backed by the log analytics infrastructure. All of the data that we stuff in it is stuck with the log analytics retention times and data storage capabilities which scale wonderfully.

We are using it pretty heavily. At this point, we're plumbing pieces of data from all of our systems into it. We're actively in it every day.

We're constantly adding new data sets too.

How are customer service and support?

I haven't used technical support yet.

In general, the Microsoft technical support unit is okay. There are times when you get help and it's wonderful and there are times when things are not as good. It's not what I would consider the best support I've ever received. That said, they're trying. They could work on their response times.

Which solution did I use previously and why did I switch?

We did not previously use a different solution. We did a little bit of data consolidation, however, nothing at this level.

We adopted Sentinel as we were looking to mature our security footprint. We started looking at tools that could help us do that, and Sentinel was very easy to dig into, primarily due to the fact that you could bite little pieces off at a time. I didn't have to consume a massive cost. I could throw a little bit of data and consume at a pretty minor cost and prove its value before I started increasing my cost.

How was the initial setup?

The initial setup is very easy.

It's a point-and-click Azure environment. You just click the button and say "yep, I want this."

The solution does not need a lot of maintenance. Once you have the log analytics infrastructure configured, as in your retention times, et cetera, there's your maintenance of the systems that becomes the analytics that you're using. There's a little bit of work that needs to be done there. That was the part that needed some streamlining, however, that's about it. It's managing your rules and your playbooks, et cetera, that needs to be handled.

What was our ROI?

It's hard to measure ROI on these types of processes. I can't give hard numbers on what the return is. What I can say is that the organization is much better off having this tool in place than not having it in place. The fact is we are improving processes around the organization and the visibility. We recently had some huge vulnerabilities in Exchange that were being breached, and knowing that we have tools like this in place that have detections to help us establish whether we were having an issue or not was useful. The product helps to make us aware of issues and we're not guessing and not spending too much time digging.

Which other solutions did I evaluate?

We did evaluate other options. Most had a larger acquisition cost associated with them. That was obviously a big factor. The other thing that helped the decision was that we live in a Microsoft-centric environment and most of the Microsoft tools were prebuilt and correctly connected very easily.

What other advice do I have?

The product is part of the Azure platform - now the Microsoft platform. It's all fully managed by Microsoft at that level. We're using it as a SAFe solution.

I'd advise potential users to take a good look at your analytical rules and feed it with data. The more data you give it, the more valuable it becomes.

I'd rate the solution at an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1715688 - PeerSpot reviewer
Associate Manager at a tech services company with 10,001+ employees
Real User
Nov 24, 2021
Easy to manage with good automation and machine learning capabilities
Pros and Cons
  • "The machine learning and artificial intelligence on offer are great."
  • "Azure Sentinel will be directly competing with tools such as Splunk or QRadar. These are very established kinds of products that have been around for the last seven, eight years or more."

What is our primary use case?

Sentinel is a solution called SIEM - security information event management. It's for monitoring an entire organization from a security point of view. Along with the monitoring, what happens in the SIEM is you have to raise incidents. If there are any kinds of security issues or breaches or people are trying to get into the system, you have to raise an incident ticket. You collect the event information from the systems. You'll be able to see if it's, for example, a machine or account, or an Active Directory outage. You can process that information using machine learning AI, and then raise incidents. It's basically helping a security operations center team (SOC). With the help of Azure Sentinel, we can build a SOC.

There are plenty of use cases. You have to cover your entire security environment. For example, a brute force attack against your Azure Portal. If someone is trying to guess your password, you will see the incident. When somebody puts four, five wrong passwords, and then a correct password, it could mean someone is trying to guess your password and you would see that. Basically, there are a lot of use cases, however, all of them revolve around monitoring security. Whenever something happens, we should get alerted or we can proactively assess our environment.

With Sentinel, you can also do the hunting. It'll try to identify if your environment is compromised with any kind of attack. In most cases, it'll try to protect your organization before this attack can happen. If somebody is trying to snoop in your environment, we can track him. Or if somebody is trying to guess your password, we can protect the password. If somebody is injecting the malware, we can identify and protect the organization.

How has it helped my organization?

The solution has improved functionality as most of the organization will be in the cloud. If an organization is already on the Azure cloud, then they don't have to go for any other solution for the SIEM. They can easily integrate Sentinel. Most of us are on the Microsoft products, so it's very easy to deploy this with the Microsoft products as well as to the other products. 

What is most valuable?

In terms of Sentinel, it's a best-in-class solution. The SIEM solution is hosted in the cloud. When you compare it with the other tools, the on-premises tools may not be that great.

The best piece about it is when it comes to the traditional SIEM solutions, it's very hard to manage them. First of all, licensing will be there. Then you need to manage underlying infrastructure as well. You also need a big setup. All these things aren't necessary with Sentinel due to the fact that it's on the cloud. You just get a cloud subscription and do a pay-as-you-go model.

The machine learning and artificial intelligence on offer are great. These are the things that happen in the background that we do not see. Whenever you have an incident, it will provide you with all the options so that you can drill down. For example, I have identified one incident where somebody was trying to do a brute-force attack. When this incident was generated, I had a lot of data with which I could start to investigate things.

It provides the best-in-class hunting capabilities. It's very easy to write the hunting logic. You have to write some searching queries. It's very easy to write all those queries and identify the test.

It'll give you the capabilities of automation. Azure is not only about security or infrastructure. It has a lot of programming features, functions, logic apps, and automation. You can easily integrate. If you can do a little bit more programming, then you can integrate it with functions or automation, or anything else.

There is a different tool for security postures. That's called Azure Security Center. From November, it's going to be called Azure Defender. This tool does not do posture management, however, it can integrate with Azure Security Center. There is also this XDR tool, Microsoft Defender. It can easily integrate with it. Once you set up the integration between these tools, then you will have the advantage of both the tools. You will have a unified ticketing system where you can view the alerts from XDR and you can view the alerts from the posture management and from the SIEM.

What needs improvement?

Every month there are new features in Sentinel and the tools are stable. All the features and functionality that those tools provide are slowly coming to the Azure Sentinel as well. So it's improving a lot day by day. 

Initially, we had the data connector that could bring the data from any of the platforms that we wanted to monitor. Now, Microsoft has improved the solutions and they're providing a lot of options. While you can (and now have) almost all the functionalities that are needed for SIEM capabilities, it's still adapting to new things as well. 

Azure Sentinel will be directly competing with tools such as Splunk or QRadar. These are very established kinds of products that have been around for the last seven, eight years or more. They have a lot of good things going for them and are slightly ahead of Microsoft, which is new to the game. However, Microsoft is adapting. Microsoft keeps working on its solutions and offers feature request platforms as well. We have given them a lot of feedback in terms of some customizations - and they keep adding to it. There are a lot of new things that are in the pipeline. In the next four to six months, we will see more new features which will further enhance the existing tools.

For example, there were some custom fields that were missing. We wanted to do mapping of the custom fields and this capability wasn't there in the Sentinel. However, when we requested it they implemented it.

For how long have I used the solution?

I have been on Sentinel for the last two to two and a half years. Initially, I was just doing it for my own self-interest, however, for the last one and a half years, it's been more of a professional relationship and I've been working with it for customers.

What do I think about the stability of the solution?

The solution is quite stable. I have not seen any downtime so far. It is working for customers as well. It's good. It's on a cloud and therefore we need not worry about maintaining the databases or maintaining the platforms, or wherever the data is stored. It's all Microsoft's responsibility.

What do I think about the scalability of the solution?

The scalability is a unique selling proposition for Sentinel. Due to the fact that it's on the cloud, you can scale it up to any limit. Of course, you have to pay for whatever data you are storing. Compared to on-premises tools, which sometimes may fail to scale, this is great. You don't have to bring up a lot of hardware with Sentinel.

This solution is being used quite extensively right now.

Whether or not the usage will increase depends on the pricing that comes up the more you use it. We have to pay for whatever data, telemetry, that gets into the Sentinel. For example, let's say today I collected 1GB of data, tomorrow I'm going to collect 5GB of data. Microsoft can easily hold this, however, then they also provide you with some kind of plans. You can reserve the space. You can say "I will use 100GB of data per month." Microsoft will give you a discount and you have to pay for the reserved 100GB. It is a pay-as-you-go model.

The solution is used by the development team, which sets it up, and then by the SOC team, which takes over and starts monitoring for security incidents.

How are customer service and support?

Technical support depends on what kind of agreement you have with Microsoft. If you are a premier customer, under the top 100, then they can provide you with some direct connection with the Microsoft program managers. You can have a conversation with them once every two weeks. If you are not in the premier tier, if you are just directly buying it from Azure, then technical support, again, depends. There are two types of technical service. One is the professional and the second one is the premier. Premier support is good. Obviously, you will be paying extra for it. Professional support is not that great. Often, I'd rather not involve them. They will simply mess up things. It's better to just post your questions on the forums and try to get some answers from the experts.

I use all kinds of support. If you are working for a customer who has a very good rapport with Microsoft and they are their top Azure consumer, then they can do things for you. If you give them feedback and you are potentially a big customer for Sentinel, then they will try to adjust things according to your environment. However, if you are not, you are just using Sentinel, then it's okay. It all depends on how much money you are paying and how much business you are doing with Microsoft. 

If a customer is planning to buy Sentinel, then they should initially negotiate with Microsoft for premier support. They can ask for 100 hours of premier support or the fast-track service. You can initially negotiate for a situation where, if some technical issues arise, then you will only work with premier support, and you can reserve your 100 or so hours for that. 

Initially, it's better to agree in advance with Microsoft that you will be needing X number of technical support or the fast-track service or engagement with the Sentinel development team.

Which solution did I use previously and why did I switch?

I did not use a different solution. I'm from the Azure Log Analytics Monitoring part. I came from that side.

We directly jumped into Sentinel. I've heard that people are doing migrations from Splunk. That's the number one tool that's available for SIEM. However, I directly started from Sentinel.

How was the initial setup?

The initial setup is very easy. You just need some basic knowledge of the monitoring platform called Azure Log Analytics. If you have the knowledge of Azure Log Analytics, then you can easily set up this.

If you just want to set up over the Azure Portal, then it will hardly take 15 to 20 minutes to deploy. Of course, this is not the final setup. The final setup is when you will be connecting it with different sources. For example, if you have 100 machines, you will have 100 Linux machines, you will have routers and switches too. Everything you want to monitor needs to be there. You have to implement all these solutions one by one as per your requirement. If your requirement is you want Linux machine monitoring, you want firewall monitoring, then it can take time, however, it is pretty easy to accomplish.

What's my experience with pricing, setup cost, and licensing?

The pricing model is good. Microsoft does the reservations as well. Perfect planning is needed, as, once you reserve the space, you can save up to 30% or 40% of the cost. If you are not doing good planning, then it'll cost you a lot. However, from a costing point of view, it's fair and comparatively low. It's not a costly service.

Which other solutions did I evaluate?

I'm not the decision-maker. I was mostly from the Azure Log Analytics Monitoring background, however, when this was released, even the Microsoft CEO and CTO were touting its abilities. Initially, I looked at it for self-interest, and then we thought of implementing it for our labs, and then we found it fruitful. Then we started getting Sentinel projects. 

What other advice do I have?

I'm a consultant and service provider.

It's hosted on a cloud. There is nothing like versioning or anything. It's just software as a service.

I would rate the solution at around eight out of ten. When we do the migration, there are still few people who are used to it. Not many have hands-on experience. Sometimes we struggle in maintaining gaps.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Lead Azure Sentinel Architect at a financial services firm with 10,001+ employees
Real User
Nov 18, 2021
Quick to deploy, good performance, and automatically scales with our requirements
Pros and Cons
  • "The most valuable feature is the performance because unlike legacy SIEMs that were on-premises, it does not require as much maintenance."
  • "If Azure Sentinel had the ability to ingest Azure services from different tenants into another tenant that was hosting Azure Sentinel, and not lose any metadata, that would be a huge benefit to a lot of companies."

What is our primary use case?

Azure Sentinel is a next-generation SIEM, which is purely cloud-based. There is no on-premises deployment. We primarily use it to leverage the machine learning and AI capabilities that are embedded in the solution.

How has it helped my organization?

This solution has helped to improve our security posture in several ways. It includes machine learning and AI capabilities, but it's also got the functionality to ingest threat intelligence into the platform. Doing so can further enrich the events and the data that's in the backend, stored in the Sentinel database. Not only does that improve your detection capability, but also when it comes to threat hunting, you can leverage that threat intelligence and it gives you a much wider scope to be able to threat hunt against.

The fact that this is a next-generation SIEM is important because everybody's going through a digital transformation at the moment, and there is actually only one true next-generation SIEM. That is Azure Sentinel. There are no competing products at the moment.

The main benefit is that as companies migrate their systems and services into the Cloud, especially if they're migrating into Azure, they've got a native SIEM available to them immediately. With the market being predominately Microsoft, where perhaps 90% of the market uses Microsoft products, there are a lot of Microsoft houses out there and migration to Azure is common.

Legacy SIEMs used to take time in planning and looking at the specifications that were required from the hardware. It could be the case that to get an on-premises SIEM in place could take a month, whereas, with Azure Sentinel, you can have that available within two minutes. 

This product improves our end-user experience because of the enhanced ability to detect problems. What you've got is Microsoft Defender installed on all of the Windows devices, for instance, and the telemetry from Defender is sent to the Azure Defender portal. All of that analysis in Defender, including the alerts and incidents, can be forwarded into Sentinel. This improves the detection methods for the security monitoring team to be able to detect where a user has got malicious software or files or whatever it may be on their laptop, for instance.

What is most valuable?

It gives you that single pane of glass view for all of your security incidents, whether they're coming from Azure, AWS, or even GCP. You can actually expand the toolset from Azure Sentinel out to other Azure services as well.

The most valuable feature is the performance because unlike legacy SIEMs that were on-premises, it does not require as much maintenance. With an on-premises SIEM, you needed to maintain the hardware and you needed to upgrade the hardware, whereas, with Azure Sentinel, it's auto-scaling. This means that there is no need to worry about any performance impact. You can send very large volumes of data to Azure Sentinel and still have the performance that you need.

What needs improvement?

When you ingest data into Azure Sentinel, not all of the events are received. The way it works is that they're written to a native Sentinel table, but some events haven't got a native table available to them. In this case, what happens is that anything Sentinel doesn't recognize, it puts it into a custom table. This is something that you need to create. What would be good is the extension of the Azure Sentinel schema to cover a lot more technologies, so that you don't have to have custom tables.

If Azure Sentinel had the ability to ingest Azure services from different tenants into another tenant that was hosting Azure Sentinel, and not lose any metadata, that would be a huge benefit to a lot of companies.

For how long have I used the solution?

I have been using Azure Sentinel for between 18 months and two years.

What do I think about the stability of the solution?

I work in the UK South region and it very rarely has not been available. I'd say its availability is probably 99.9%.

What do I think about the scalability of the solution?

This is an extremely scalable product and you don't have to worry about that because as a SaaS, it auto-scales.

We have between 20 and 30 people who use it. I lead the delivery team, who are the engineers, and we've got some KQL programmers for developing the use cases. Then, we hand that over to the security monitoring team, who actually use the tool and monitor it. They deal with the alerts and incidents, as well as doing threat hunting and related tasks.

We use this solution extensively and our usage will only increase.

How are customer service and support?

I would rate the Microsoft technical support a nine out of ten.

Support is very good but there is always room for improvement.

Which solution did I use previously and why did I switch?

I have personally used ArcSight, Splunk, and LogRhythm.

Comparing Azure Sentinel with these other solutions, the first thing to consider is scalability. That is something that you don't have to worry about anymore. It's excellent.

ArcSight was very good, although it had its problems the way all SIEMs do.

Azure Sentinel is very good but as it matures, I think it will probably be one of the best SIEMs that we've had available to us. There are too many pros and cons to adequately compare all of these products.

How was the initial setup?

The actual standard Azure Sentinel setup is very easy. It is just a case where you create a log analytics workspace and then you enable Azure Sentinel to sit over the top. It's very easy except the challenge is actually getting the events into Azure Sentinel. That's the tricky part.

If you are talking about the actual platform itself, the initial setup is really simple. Onboarding is where the challenge is. Then, once you've onboarded, the other challenge is that you need to develop your use cases using KQL as the query language. You need to have expertise in KQL, which is a very new language.

The actual platform will take approximately 10 minutes to deploy. The onboarding, however, is something that we're still doing now. It's use case development and it's an ongoing process that never ends. You are always onboarding.

It's a little bit like setting up a configuration management platform and you're only using one push-up configuration.

What was our ROI?

We are getting to the point where we see a return on our investment. We're not 100% yet but getting there.

What's my experience with pricing, setup cost, and licensing?

Azure Sentinel is very costly, or at least it appears to be very costly. The costs vary based on your ingestion and your retention charges. Although it's very costly to ingest and store data, what you've got to remember is that you don't have on-premises maintenance, you don't have hardware replacement, you don't have the software licensing that goes with that, you don't have the configuration management, and you don't have the licensing management. All of these costs that you incur with an on-premises deployment are taken away.

This is not to mention running data centers and the associated costs, including powering them and cooling them. All of those expenses are removed. So, when you consider those costs and you compare them to Azure Sentinel, you can see that it's comparative, or if not, Azure Sentinel offers better value for money.

All things considered, it really depends on how much you ingest into the solution and how much you retain.

Which other solutions did I evaluate?

There are no competitors. Azure Sentinel is the only next-generation SIEM.

What other advice do I have?

This is a product that I highly recommend, for all of the positives that I've mentioned. The transition from an on-premises to a cloud-based SIEM is something that I've actually done, and it's not overly complicated. It doesn't have to be a complex migration, which is something that a lot of companies may be reluctant about.

Overall, this is a good product but there are parts of Sentinel that need improvement. There are some things that need to be more adaptable and more versatile.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Information Security Lead at an energy/utilities company with 501-1,000 employees
Real User
Oct 27, 2021
Its rule sets work perfectly with our cloud resources. They need to integrate better with other security vendors.
Pros and Cons
  • "It is always correlating to IOCs for normal attacks, using Azure-related resources. For example, if any illegitimate IP starts unusual activity on our Azure firewall, then it automatically generates an alarm for us."
  • "They need to work with other security vendors. For example, we replaced our email gateway with Symantec, but we couldn't collect these logs with Azure Sentinel. Instead of collecting these logs with Azure Sentinel, we are collecting them on QRadar. We couldn't do it with Sentinel, which is a problem for us."

What is our primary use case?

We are using Microsoft Office 365 E5 license right now, which means we are using Windows Defender ATP because of its cloud application security platform. We also have Exchange Online Protection. The main thing is we are replacing all of our on-prem solutions with Microsoft Office 365 and Azure solutions.

Our use case is for Azure Active Directory, Advanced Threat Protection, Windows Defender ATP, Microsoft cloud applications, Security as a Platform, Azure Firewall, and Azure Front Door. All of the Azure Front Door logs are coming to Azure Sentinel and correlating. However, for our correlation rules that exist on the QRadar, we are still implementing these rules in Azure Sentinel because we have more than 300 different correlation rules that exist from the QRadar.

How has it helped my organization?

It is always correlating to IOCs for normal attacks, using Azure-related resources. For example, if any illegitimate IP starts unusual activity on our Azure firewall, then it automatically generates an alarm for us. 

We do not get so many attacks, but if any attacks occur on our Azure Firewall site, then we are able to understand where the attack came from. Sentinel lets us know who introduced it.

What is most valuable?

It is perfect for Azure-native solutions. With just one click, integrations are complete. It also works great with some software platforms, such as Cloudflare and vScaler. 

The rule sets of Azure Sentinel work perfectly with our cloud resources. They have 200 to 300 rule sets, which is perfect for cloud resources.

What needs improvement?

They need to work with other security vendors. For example, we replaced our email gateway with Symantec, but we couldn't collect these logs with Azure Sentinel. Instead of collecting these logs with Azure Sentinel, we are collecting them on QRadar. We couldn't do it with Sentinel, which is a problem for us.

It is difficult right now because there are not so many consultants who exist for Azure Sentinel, like there are for QRadar. We are not able to find a Sentinel consultant right now.

For how long have I used the solution?

In Turkey, we are the biggest energy generation company for the public sector. We head more than 20 power plants right now and have more than 1,000 people working in the energy sector. Two years ago, we started to work with Microsoft to shift our infrastructure and workloads to the Azure and Office 365 platforms. So, our story starts two years ago.

What do I think about the stability of the solution?

It is stable. We have had one or two issues, but those are related to QRadar. We are creating and pushing logs all the time to QRadar, because the Microsoft security API does not send these logs to QRadar.

One resource is enough for day-to-day maintenance of our environment, which has 1,000 clients and 200 or 300 servers. However, our servers are not integrated with Azure Sentinel, because most of our servers are still on-prem.

What do I think about the scalability of the solution?

For Azure- and Office 365-related products, it is perfectly fine. It is scalable. However, if you want to integrate your on-prem sources with Azure Sentinel, then Azure will need to improve the solution. 

How are customer service and support?

We are using Microsoft support for other Microsoft-related issues. They have been okay. They always respond to our issues on time. They know what to do. They solve our issues quickly, finding solutions for our problems.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Right now, we are using QRadar for on-prem devices. On the other hand, we have Azure Sentinel for log collecting in the cloud products. All of the Microsoft components give logs to Azure Sentinel, but all of the on-premises resources are being collected on IBM QRadar. So, Sentinel has been helping us because this is causing complications for us. While it is possible to collect logs from QRadar to Sentinel to QRadar, it is difficult to do. So, we are collecting incidents from our QRadar, then our associates monitor Azure Sentinel-related incidents from QRadar.

We have been starting to use Azure Kubernetes Service. However, our developers are afraid of shifting our production environment to the Azure Kubernetes so this whole process can continue. At the end of the day, our main goal is still completely replacing our on-premises sources with serverless architecture. 

We also started to use Azure Firewall and Azure Front Door as our web application firewall solutions. So, we are still replacing our on-prem sources. Azure Sentinel works perfectly in this case because we are using Microsoft resources. We have replaced half of our on-premises with Azure Firewalls. The other half exists in our physical data centers in Istanbul.

How was the initial setup?

The initial setup is getting more complex since we are using two different solutions: One is located on-prem and the other one is Azure Sentinel. This means Azure Sentinel needs to inspect both SIEMs and correlate them. This increased our environment's complexity. So, our end goal is to have one SIEM solution and eliminate QRadar.

The initial setup process takes only one or two weeks. For the Azure-related and Office 365-related log sources, they were enabled for Azure Sentinel using drag and drop, which was easy. However, if you need to get some logs from Azure Sentinel to your on-prem or integrate your on-prem resources with Azure Sentinel, then it gets messy. 

This is still an ongoing process. We are still trying to improve our Azure Sentinel environment right now, but the initial process was so easy.

We had two or three guys on our security team do the initial setup, which took one or two weeks.

What was our ROI?

We are not seeing cost savings right now, because using Azure Sentinel tools has increased our costs.

What's my experience with pricing, setup cost, and licensing?

Pricing and licensing are okay. On the E5 license, many components exist for this license, e.g., Azure Sentinel and Azure AD.

I am just paying for the log space with Azure Sentinel. It costs us about $2,000 a month. Most of the logs are free. We are only paying money for Azure Firewall logs because email logs or Azure AD logs are free to use for us.

Which other solutions did I evaluate?

In Turkey, Microsoft is more powerful than other vendors. There are not so many partners who exist for AWS or G Cloud. This is the reason why we have been proceeding with Microsoft.

QRadar rules are easier to create than on the Azure Sentinel. It is possible to create rules with Sentinel, but it is very difficult.

What other advice do I have?

There have been no negative effects on our end users.

I would rate Azure Sentinel as seven out of 10.

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1934034 - PeerSpot reviewer
Security Architect at a tech services company with 10,001+ employees
Real User
Aug 18, 2022
Enables us to integrate multiple sources and provides results quickly
Pros and Cons
  • "The analytics has a lot of advantages because there are 300 default use cases for rules and we can modify them per our environment. We can create other rules as well. Analytics is a useful feature."
  • "Sentinel still has some anomalies. For example, sometimes when we write a query for log analysis with KQL, it doesn't give us the data in a proper way... Also, the fields or columns could be improved. Sometimes, it is not giving the desired results and there is a blank field."

What is our primary use case?

Log management is the primary purpose of Microsoft Sentinel to help us monitor the environment and detect threats. That way we can stop them at the first opportunity so that they do not impact the environment.

We take data from the data connectors. Some of the devices are default devices in Microsoft Sentinel, but we can easily add others. For some, we need to use an API or we need some extra help to add them into our security solution. At times, we need an agent.

How has it helped my organization?

It is a great tool for log management. It uses KQL (Kusto Query Language) which makes it very easy to find out anything in the environment by writing code.

If we have found some threat intel apart from Microsoft, we can add that to the watchlist category. We have a MITRE ATT&CK framework category and we can map the new threat method methodology into our environment through Microsoft Sentinel. There are multiple features in Microsoft Sentinel that help us add threats into the environment and detect threats easily and quickly.

There are multiple things integrated with it, like CrowdStrike, Carbon Black, Windows and Linux devices, and Oracle. We can see threats from all the environments. If an attack happens on the AD side, we can see that things are signed off. All those sources are integrated and that's a good thing.

On a weekly basis, it is saving us 10 hours, because we get results from the solution very fast.

What is most valuable?

There are many features, including watchlists and analytics. We can also use it to find out multiple things related to log management and heartbeat. All the features have different importance in those processes. 

The analytics have a lot of advantages because there are 300 default use cases for rules and we can modify them per our environment. We can create other rules as well. Analytics is a useful feature.

Another good feature is the data connectors, where we are collecting the logs from external devices and mapping them into the security solution. That feature is helpful.

The information Sentinel provides is of great use. Microsoft has its own threat intelligence team and they are mapping the threats per the IoCs. It lets us see multiple things that are happening. These things are a starting point for any type of attack and they are already in the solution's threat intelligence. Once something has been mapped, meaning whenever we get an alert from a threat actor, based on IoCs, we can analyze things and block them. There are multiple use cases and we can modify them for our environment.

We need to map things through the MITRE ATT&CK framework. Sentinel is a detection tool. Once it detects things, that is where human intervention comes in and we do an analysis. It is giving us ideas because it is generating events. We can see what events are happening, such as what packets are being analyzed, and what processes are being created. We can analyze all these aspects, including EDR cloud, because they are integrated with Microsoft Sentinel. It lets us see third-party sources. It is a very nice security monitoring tool.

The comprehensiveness of Sentinel's security protection is really great. I don't think it has SOAR capabilities, but it has UEBA.

What needs improvement?

Sentinel still has some anomalies. For example, sometimes when we write a query for log analysis with KQL, it doesn't give us the data in a proper way. We are trying to improve it and write the query in a manner that will give the desired results. We're trying to put in the conditions based on the events we want to look at, and for the log sources from which we are getting them. For that, we are working on modifications of our KQL queries. Sentinel could be improved by Microsoft because sometimes queries are not giving the desired results. This is something they should look into.

Also, the fields or columns could be improved. Sometimes, it is not giving the desired results and there is a blank field. 

In addition, while the graphical user interface of Microsoft Sentinel is good, there is some lag in the user interface.

For how long have I used the solution?

I have been using Microsoft Sentinel for the last year. I have been more into the analysis part and the creation of use cases by using the analytics.

What do I think about the stability of the solution?

It's a stable solution.

What's my experience with pricing, setup cost, and licensing?

The combination of the ease of accessibility and the free cost of the service is great. But we buy storage based on our events per second and on how many sources are integrated into the solution. We have to store the data in our environment to do analysis on past events or to check past threats.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer1768875 - PeerSpot reviewer
Cyber Security Engineer at a performing arts with 1,001-5,000 employees
Real User
Feb 21, 2022
A straightforward solution that is helpful for an overview of the security fabric, but its implementation could be simpler
Pros and Cons
  • "We didn't have anything similar. So, it really provides value from the incidents and automation point of view. The overview of the security fabric is most valuable."
  • "Its implementation could be simpler. It is not really simple or straightforward. It is in the middle. Sometimes, connectors are a little bit complex."

What is our primary use case?

It is for tracking the logs. I'm working on automation. So, the use case basically includes logs, incidents, automation, UEBA, and endpoint integration with Office 365 Defender.

What is most valuable?

We didn't have anything similar. So, it really provides value from the incidents and automation point of view. The overview of the security fabric is most valuable.

What needs improvement?

Its implementation could be simpler. It is not really simple or straightforward. It is in the middle. Sometimes, connectors are a little bit complex. 

For how long have I used the solution?

I just started using it. I have just set it up.

What do I think about the stability of the solution?

It is stable.

What do I think about the scalability of the solution?

It is scalable.

How are customer service and support?

I haven't dealt with Microsoft's tech support. I haven't reached out to them.

How was the initial setup?

It was of medium complexity. It wasn't too bad, but it can be complex because of the connectors.

What's my experience with pricing, setup cost, and licensing?

I don't know yet because they gave us a 30-day test window for free. 

What other advice do I have?

Because it is mainly artificial intelligence and machine learning, you would need some time to learn it. It is a good solution, and it is straightforward.

I would rate it a six out of 10. I haven't really dealt with other ones.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Sherif Salama - PeerSpot reviewer
Sr. Cloud & Security Consultant at a tech services company with 1,001-5,000 employees
Consultant
Jan 27, 2022
It gives us good visibility into our whole environment
Pros and Cons
  • "We can use Sentinel's playbook to block threats. It covers all of the environment, giving us great visibility."
  • "If Sentinel had a graphical user interface, it would be easier to use. I would also like it to be more customizable."

What is our primary use case?

We use Sentinel to monitor events and incidents that occur on our tenant. It covers all the servers and applications in the cloud, too. 

What is most valuable?

We can use Sentinel's playbook to block threats. It covers all of the environment, giving us great visibility.  

What needs improvement?

If Sentinel had a graphical user interface, it would be easier to use. I would also like it to be more customizable. 

For how long have I used the solution?

We've been using Microsoft Sentinel for nearly 20 years. 

How was the initial setup?

Sentinel isn't very easy to set up, especially when we're trying to connect to a server at the entry point. We run into some configuration issues when connecting. 

What other advice do I have?

I rate Microsoft Sentinel eight out of 10. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Updated: January 2026