Try our new research platform with insights from 80,000+ expert users
Consultant Expert Microsoft at a tech services company with 1,001-5,000 employees
Real User
Brings all logs together in a single place, making it easy to track attacks and get information about breaches
Pros and Cons
  • "Sentinel also enables you to ingest data from your entire ecosystem and not just from the Microsoft ecosystem. It can receive data from third-party vendors' products such firewalls, network devices, and antivirus solutions. It's not only a Microsoft solution, it's for everything."
  • "Sentinel should be improved with more connectors. At the moment, it only covers a few vendors. If I remember correctly, only 100 products are supported natively in Sentinel, although you can connect them with syslog. But Microsoft should increase the number of native connectors to get logs into Sentinel."

What is our primary use case?

My customers mainly want to correlate logs so that they have a single point for their log information. In addition to correlating logs, they want to automate tasks.

Microsoft Sentinel is just a "watch tower" to get all the logs and manage threats. After that, you have the Microsoft Defender products that help to reduce threats. For example, Microsoft Defender for Endpoint is an anti-virus and EDR that helps to eliminate threats on devices such as laptops and smartphones. Microsoft Defender for Office 365 enables protection for Teams, Mail, or SharePoint, and Microsoft Defender for Identity helps to reduce risk on Active Directory or Azure AD. So Microsoft Defender products are the tools for reducing threats, and Microsoft Sentinel is the tool for analyzing incidents and threats.

How has it helped my organization?

Each time I deploy Sentinel, it helps the client get information about the overall security of their IT system. It brings together all the logs in a single place, so it's easy to track attacks and get information about breaches.

It also eliminates having to look at multiple dashboards. If you centralize the logs, you don't need to go to the firewall to get alerts or to the antivirus console or to a network device. You get everything in a single place, which means you have incidents in a single place, and then you can have a dashboard. You can check the built-in dashboard, or you can create one on your own, and these dashboards can be refreshed automatically or you can refresh them whenever you want.

What is most valuable?

The solution is well integrated with the Microsoft environment, so if a customer has a lot of Microsoft services, such as M365 or Azure, the solution fits well in their environment. Because I deploy solutions in general, I also use Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Office 365. It's really straightforward to integrate these products. You have just to check a box and all the logs from these products go to Sentinel. And if the customer has a Microsoft 365 E5 license, the Defender logs are free.

It also helps to prioritize threats across an enterprise. When you receive an alert of an incident, you can categorize it as a low, medium, or high priority. That's really important because sometimes low-priority incidents are just false positives. We need to categorize incidents to get to the high-risk incidents.

Sentinel also enables you to ingest data from your entire ecosystem and not just from the Microsoft ecosystem. It can receive data from third-party vendors' products such as firewalls, network devices, and antivirus solutions. It's not only a Microsoft solution, it's for everything. There are native connectors to get information from third-party vendors, but if you don't have a connector for something, you can get information from protocols such as syslog.

It's really important that Sentinel allows you to investigate threats and respond holistically from one place. It's important to know where an attacker went. For example, an attacker could go through a firewall and then to a specific application, and you need to know where the attacker started first.

When you enable this feature, Sentinel automatically gets information about the users and devices, and you can then search for specific entities. For example, if you know that a specific user is at risk, you can enter the username and get all the information about the user: on which device he's connected, to which servers he's connected, and what he did on these devices, among other things. This ability is important to a breach.

With Sentinel, you have some built-in rules to automate tasks. You can also create your own automation based on Logic Apps in Azure. You can do what you want with scripting with PowerShell or Python. The first time you have a given incident, you do some troubleshooting and when you write up this incident you can create a knowledge base. Once this knowledge base is done, you can try to automate the troubleshooting. If you do it via automation, you can close this incident because the incident will be managed automatically with Sentinel. And that helps you to save time.

What needs improvement?

Sentinel should be improved with more connectors. At the moment, it only covers a few vendors. If I remember correctly, only 100 products are supported natively in Sentinel, although you can connect them with syslog. But Microsoft should increase the number of native connectors to get logs into Sentinel. Each time we have a connector, it eases the configuration of Sentinel, and we don't need custom deployments to get the information from a specific vendor. 

The second thing they should do is create more built-in rules for the dashboard, automation, and hunting. The first time you use Sentinel, it's not easy to use the product because, beyond the dashboards, you need to know the Kusto Query Language (KQL) to create the right requests.

Buyer's Guide
Microsoft Sentinel
November 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,053 professionals have used our research since 2012.

For how long have I used the solution?

I have been using Microsoft Sentinel for two years. I implemented the solution for a customer a couple of months ago.

What do I think about the stability of the solution?

There is no problem with the stability of Sentinel. It's really stable. I have never experienced an issue with accessing the product.

What do I think about the scalability of the solution?

It's a SaaS solution, so you don't need to scale it. It scales by itself. 

If you need a multi-tenant implementation, for example, if you have a SOC and you have several customers, you can get your own Sentinel, and you can ask the customers to deploy Sentinel in their environments. You can then gather logs from several Sentinels in a single point.

How are customer service and support?

I haven't contacted Microsoft for support of Sentinel, but each time I contacted them for other products, it was a bad experience. The technical support of Microsoft is a negative point because, most of the time, they don't have the answer.

Which solution did I use previously and why did I switch?

I used QRadar and a Symantec solution, but that was 10 years ago.

How was the initial setup?

The first deployment was not complex. The first step, when you want to connect a solution to Sentinel, is pretty straightforward. When you want to use the built-in dashboard, it's also straightforward. But once you want to do some customization, like a custom dashboard, custom automation, or custom hunting rule, it can be complex because you have to know several languages, how Log Analytics works, and how Logic Apps works for automation.

Most of the time, I deploy a single Sentinel in a single location because it is a worldwide SaaS solution. And most of the time I deploy Sentinel to be used on-premises and in Azure, and I deploy Azure Sentinel for a SOC team. I have never deployed a multi-tenant Azure Sentinel setup, although it's possible to do.

In the beginning, when a customer uses Sentinel, they cannot use it on their own. They require some assistance. That is why, after deployment, a consultant is usually onsite two days per month to add some connectors and custom rules, and to end some incidents.

What's my experience with pricing, setup cost, and licensing?

Sentinel is a pay-as-you-go solution. To use it, you need a Log Analytics workspace. This is where the logs are stored and the cost of Log Analytics is based on gigabytes. You can get a discount of 10 percent if you get to 100 terabytes of data. On top of that, there is the cost of Sentinel, which is about €2 per gigabyte.

If a customer has an M365 E5 license, the logs that come from Microsoft Defender are free.

Which other solutions did I evaluate?

The solution is really easy to deploy compared to other solutions such as Splunk.

Taking proactive steps to prevent breaches is a default. It's not like competitors on the market. Sentinel doesn't give you advice about how to set some settings on your device to protect them from a specific breach. But you can use Microsoft Defender for Endpoint for devices and it helps you to know if a device is breachable from a specific attack and how to be protected against it.

The cost and ease of use of Sentinel compared with other standalone SIEM and SOAR solutions depends on whether the customer has the whole stack, meaning an M365 E5 license. If so, they get a really good discount because all the logs from Microsoft Defender are free. But if they don't have an M365 E5 license, those logs are not free and the solution can be expensive.

We haven't evaluated other options recently because our customer wanted Sentinel. But one of the differences I see between Sentinel and competitors' solutions is in the normalization of logs. With Sentinel, normalization is done automatically, whereas with other solutions, you need time to do the normalization manually. By "normalization" I mean lining up the fields. For example, in some logs, the time is in the first field, while in other logs, the description is in the first field. You need to sort the fields, but this task is done automatically by Sentinel.

What other advice do I have?

Before using Sentinel, I recommend reading the documentation and watching the YouTube Ninja Training channel. They go through all options for Sentinel. 

In addition, I recommend knowing KQL—it's a requirement—and how to automate tasks in Azure. Other than these points, Sentinel is easy to enter because if you have a native connector, it's just "next, next, next." But when you want to do customization, it can sometimes be hard to do what you want.

When you look at going with a best-of-breed strategy versus a single vendor's security stack, it depends on the strategy of the customer. Sometimes, the customer prefers to get all its security products from a single vendor because they get discounts when they do that. Other customers prefer to have several vendors for security reasons. From my point of view, there is no correct answer. If I were responsible for the security of a company, I think I would prefer to use an all-Microsoft security stack because it's easier to interconnect the solutions and you get more information as a result.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
reviewer6632 - PeerSpot reviewer
Assistant Manager at a consultancy with 10,001+ employees
Real User
A straightforward solution that provides comprehensiveness and coverage of multiple different on-prem, and cloud solutions
Pros and Cons
  • "Investigations are something really remarkable. We can drill down right to the raw logs by running different queries and getting those on the console itself."
  • "I think the number one area of improvement for Sentinel would be the cost."

What is our primary use case?

My client has a huge environment in Azure. They have around 30,000 resources spread across the globe. They also have a huge presence on-premises itself. So, for on-prem, they have a SIEM solution already in place. But for the cloud, they didn't have anything. So, basically, no visibility into any kind of attacks or any kind of logging or monitoring in the cloud. We could not scale up our on-prem counterpart for it due to various reasons of cost and how much resources it would take. Microsoft Sentinel seemed like a pretty good solution since it's cloud-native, it's hosted by Azure itself. So we went ahead with the solution.

How has it helped my organization?

Microsoft Sentinel has given us great visibility into our cloud workloads and cloud environment as a whole. And not just that, but even, in fact, with the MCAS and email-security solutions also. We get a lot of visibility into what kind of emails we are getting and how many of them are malicious versus legitimate. From a visibility and compatibility perspective, it's really a nice product to have as a SIEM solution for your cloud environment. In fact, we have integrated this with our AWS, as well. At this point in time, it's just one account, but we plan on expanding more. So all the logs from our AWS environment flow to the solution. Microsoft Sentinel performs the analytics and gives us the alert for that.

The comprehensiveness and coverage of multiple different solutions, on-prem solutions, and cloud solutions, are the two aspects, Microsoft Sentinel really has an edge over other products.

Visibility into threats is above average. Since I also went through some slides of Microsoft and they receive a lot of telemetry because of their Windows platform, because of Azure. What I saw in those slides is that they benefit from this telemetry and create a rich threat-intelligence, kind of a backend service, which supports Sentinel and literally enriches the detection capabilities for Microsoft Sentinel.

Correlation is something that helps us instead of looking at every single alert. So, if we get a phishing email and five users click on it, instead of going through five individual detections, it correlates all of that and presents it in one single incident correlating all these five events. So, in terms of that correlation, it is pretty good. In terms of responding to these alerts, I know there is some automation. There were multiple calls with Microsoft when we were setting up this solution. They showed us how we can do this and they gave us a demo, which was really nice to see the automation. But from the response point of view, we haven't enabled any automation as of now because we are still in the nascent stages of setting this up. We have done multiple integrations, but, still, there's a lot of ground to cover. So, the response is something we would look at last. I think the response side also has a lot of automation and correlation, but we haven't worked on that as of now.

The time to detect and time to respond has been reduced considerably. Detect, because the analytics that is done by Microsoft Sentinel is near real-time, and response is based on us. So, when we see the alert, we respond to it, and we wait on the teams to receive an answer. Previously, the SOC guys were doing this. It was really slow and, sometimes, proceeded at a snail's pace. With Microsoft Sentinel, at least one part of it got addressed, which was running these queries with the SIEM and getting to analyze multiple events to go onto a specific security incident. That time has been saved by Sentinel. I would say 20 to 30% of the time to respond and detect has been saved.

What is most valuable?

In terms of Microsoft Sentinel, I think a large part of it has been automated by Azure itself. From a customer point of view, all you have to do is just run some queries and get the data. In terms of connections or the connectors for multiple data sources or multiple log sources, it's very easy to just set it up, be it Azure-native services or something customized, like some connection with the on-prem servers or things like that, or even connections with the other cloud platforms, such as AWS. The connectors are really one thing I appreciate. I think it sets Microsoft Sentinel apart from other solutions. Apart from that, the analytics that it performs and the built-in queries that it has, are valuable. A lot of automation on part of Microsoft Sentinel is really commendable.

Microsoft Sentinel definitely helps prioritize threats across our enterprise. I think Microsoft Defender for Cloud would also come in when we talk about this because Microsoft Defender for Cloud and Microsoft Sentinel work in conjunction with each other. We can set it up that way so any alerts that are found in Microsoft Defender for Cloud are forwarded to Microsoft Sentinel. Then, the prioritization is set based on the standard criticality, high, medium, low and informational. So, from our sense, what we can do is, we can simply target the high incidents.

Another thing is that it very efficiently correlates all the events. So if multiple emails have been sent from a single email ID, which is supposed to be a phishing email, Sentinel identifies it, flags all the emails, and it can very beautifully track all of it from their console such as who clicked it, when did they click it, which ID was it, who received it. So, in terms of all that, correlation also helps us prioritize those events.

Prioritization is important. If we have a bunch of alerts and we started investigating some alerts that are not of that much value, some alerts would get ignored if the prioritization was not set correctly. So if it's a phishing attempt and, in another area, we find that there's a brute-force attack going on, we would first want to address the phishing attempt since, in my opinion, in my experience, the probability of getting a link clicked is high rather than a password getting compromised by a brute-force attack. So, in those terms, prioritization really helps us.

Microsoft Sentinel definitely enables us to ingest data from the entire ecosystem. Microsoft Sentinel has around 122 or 123 connectors. Although we haven't set up the solution for our whole ecosystem, be it on-prem, Azure Cloud, AWS cloud, or any other cloud for that matter, looking at the connectors, I feel like there's a whole lot of support, and possibly, we can cover our whole ecosystem, with some exceptions for some solutions. Exceptions are always there. From a coverage point of view, I think it's pretty good. We can cover at least 80 to 90% of our ecosystem. Obviously, it comes at a cost. So at that point in time, it could get very costly. That is one downside.

From the SOC point of view, everything depends on how good the data you are ingesting is and the amount of data you are ingesting. So, the more data we have, the better insights we would have into what activities are going on in our cloud environment, and in our on-prem environment. So it's very critical to have the right data ingested into things like Microsoft Sentinel. Otherwise, you could have a great solution but an ineffective solution in place if you don't have data ingestion configured in the right manner.

Investigations are something really remarkable. We can drill down right to the raw logs by running different queries and getting those on the console itself.

What needs improvement?

The number one area of improvement for Sentinel would be the cost. 
At this point in time, I feel like, simply because we are a huge organization spread across the globe, we can afford it, but small and medium businesses cannot afford it. Maybe it's not meant for them? I don't know; that's a debatable topic. But even for organizations like ours, a problem that we face and for some of my other friends that I have talked to, it's a great solution, but we cannot deploy it everywhere because, frankly, we overrun our budget.

One thing that would really help or benefit would be the alerts that get thrown up. I've seen multiple alerts. For example, external file activity or external user activity. I open those alerts and there is absolutely no information in them. If there's external user activity, then who is that user, what is something that they are doing, how did Microsoft Sentinel detect this, or what were the analytics based on this outcome that it was a malicious activity or there was something anomalous or something like that? There is some particular type of alerts where a bit more data enrichment would help us.

The alerts get thrown out, and this is something we generally see with any kind of SIEM or any kind of other detection-based solution. For example, in an EDR solution or a vulnerability solution, the typical problem is alert fatigue. We get so many alerts that we start to see a large amount of them, and then we don't know where to start. Although here, we have the prioritization already shared by Microsoft Sentinel, so we have a starting point, but then it never ends. Perhaps tweaking and reducing the number of alerts that get thrown out, and enriching those alerts with more data would help. A lot of these alerts are just very normal things. They are not security incidents in their truest form, but it does take up our time just viewing those alerts. And sometimes, it also lacks a lot of information, like who did what, at exactly what time, and why did Microsoft Sentinel think that it was a malicious incident. That is one question I see a lot of times myself and don't get an answer for, like, "Okay, I get this a lot, but why do you think it's a security event?" So, enriching those alerts with more data might be a good area of improvement for Microsoft Sentinel.

The number of dashboards is something we complained a lot to Microsoft about, "You have great solutions, but you have a different console or a different dashboard for everything. So, as a person who is responding to these alerts, it really becomes overwhelming juggling between multiple different screens, dashboards, tabs, and windows." They have acknowledged this and they have mentioned to us that a lot of other customers made the same complaint and they're working on integrating these dashboards. So, for example, if you are using Microsoft Defender for Cloud, in one click you can reach a Microsoft Sentinel page wherein it would show you the raw logs. It sometimes gets overwhelming viewing the same alert on multiple different dashboards. In one sense, if I had to give an example, you might see an alert on Microsoft Sentinel, but it won't have much data to it. To drill down to the very specific raw data, you would have to go to some other console. You would have to go to the source of that event or detection, be it Microsoft Defender for Cloud, MDI, or MCAS. So in those terms, we have to sometimes juggle through all these dashboards and tabs of multiple solutions.

For how long have I used the solution?

I have been using the solution for eight months.

What do I think about the stability of the solution?

I think the solution is pretty stable. I didn't see any aberrations or anomalous behavior of Microsoft Sentinel. And that's the benefit of having a managed service. Downtime is quite less. Especially from providers like Microsoft. With Microsoft Sentinel, we didn't feel like there were any hiccups in the operations or any sort of problems we faced with the solution, as of now.

What do I think about the scalability of the solution?

This is something good about having a managed product, you don't have to worry about scaling. And this is exactly the problem we felt with our existing on-prem solution LogRhythm: the scaling was not possible because of the cost included. With Microsoft Sentinel, you have to pay extra, but you don't have to worry about setting up more servers, configuring them, patching them, doing all the maintenance, and doing additional administrative work. The solution is pretty scalable.

How are customer service and support?

Based on our interactions at the time of setup, after that, we didn't really require that much assistance from Microsoft. So, at the time of setup, they really helped us with insights and with decisions that we had to take based on our organization type and how we work. We have teams distributed globally across multiple time zones, and similarly, we have data and operations distributed all over the world. So this becomes a challenge when dealing with anything related to IT. So, Microsoft did really help us with setting it up. From a technical-assistance point of view, at the initial stages, it was a good experience.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Our on-prem solution is LogRhythm and the reason we decided to add Microsoft Sentinel was scaling up of LogRhythm would have been a huge cost to us. Because right now, on-prem LogRhythm is running on multiple VMs, so their cost structure is very different. If you run the same setup on Azure, it's just an exorbitant amount of money. So that was one factor that we chose not to scale up LogRhythm to our cloud environment and looked for some other solution. The other reason we went for Microsoft Sentinel was that it is cloud-native. Since it's a managed service from Microsoft and from Azure themselves, not just time but also a lot of responsibility on our end gets transferred to the cloud provider of just setting up and maintaining that infrastructure, updating and patching all those systems, and doing that maintenance work. That overhead gets taken off our heads. That's why we were looking for a cloud-native solution. And hence, in our comparison, in our multiple rounds of discussion with internal stakeholders within the cybersecurity team, Microsoft Sentinel seemed like a perfect fit, so we went ahead with the solution.

How was the initial setup?

The initial setup is pretty straightforward. We didn't face many problems or complexity. We had everything running in a couple of weeks. The deployment was just me and one other person from the security team. She had a lot more experience with Microsoft 365 and the MCAS side of things. And I was more from an Azure infrastructure point of view, Defender for Cloud and the like.

What about the implementation team?

We started the deployment from scratch and we brought on Microsoft for assistance. We already have a huge presence in Azure, so we already had a Microsoft contact. We reached out to them. We mentioned that we want Microsoft Sentinel on board. We got in touch with their own cloud security and Microsoft Sentinel experts. They advised us, but I can say all the setup and all the operational side of things we did because if Microsoft did it then that would be handled by the consulting arm of Microsoft and that would be a full-fledged project, which would have its own cost. So Microsoft had to play a role as an advisor. We used to get about four IT calls to set it up. Whatever Microsoft recommended us to do, we went ahead with that.

First of all, we enabled everything that was free of cost. When you onboard Microsoft Sentinel, you pay some fee for the solution itself, and with that, you get some free connectors. So Azure AD sign-in and audit logs are one thing, Azure activity logs, and Microsoft Defender for Cloud are another. All these integrations don't cost anything extra over and above. So we started off with integrating all of that, and later on, slowly and steadily, we scaled up our integrations. There's still a lot of ground to cover. We aren't there yet with what we envisioned initially.

What was our ROI?

At this time I don't have an answer about a return on investment but it is something we have been contemplating inside our own team and we have been thinking of since we talked about how good a solution Microsoft Sentinel is. We cannot enable it across the organization, so we are thinking about creating a story of how much value, not in just terms of money but how much value in terms of security has the solution brought for us, and communicating this idea to other stakeholders in other teams and probably to the leadership, and maybe getting a little more budget for this project.

What's my experience with pricing, setup cost, and licensing?

Microsoft Sentinel is definitely costly. If we factor in the cost of other services, MCAS, MDI, and Microsoft Defender for Cloud, it gets seriously costly, to the extent that we cannot enable it across the organization. It simply overshoots the budget by a huge margin. When talking about the Microsoft Sentinel piece itself, let's say we have set up custom integrations and it does not cost us that much, it is definitely costly. If we talk about log retention, then it is even more costly. Comparing it to the other solutions, in fact, when we started off with the SIEM solutions for the cloud, we did do a comparison between which one would be the best: the classic Splunk, like we used in our on-prem, or maybe Microsoft Defender for Cloud. So, for our use case, Splunk was also a bit costly but less than Microsoft Sentinel. We went ahead with Microsoft Sentinel being a cloud-native platform on our side, the effort would be a lot less. Splunk would require to be set up from scratch. From a cost perspective, Microsoft Sentinel is quite costly.

Which other solutions did I evaluate?

We compared Splunk with Microsoft Sentinel.

What other advice do I have?

I give the solution an eight out of ten.

We have used and tested additional Microsoft solutions. At one point in time, we used Microsoft Defender for Identity, MDI solution, but it was for three to four months only. We discontinued it because it was more of an experiment and the guys from Microsoft gave us the license for that product for a limited time for testing. We were short on budgets, hence we could not leverage or we could not go ahead and purchase it. Another product was MCAS, Microsoft Cloud App Security. Primarily, we use Microsoft Sentinel. Microsoft Defender for Cloud is also used, but it has not been enabled on a lot of resources because it has a cost implication. So cost is a huge factor that we have to think about every time we do anything in security related to all these four products. 

Wherever it is possible, wherever we have identified some critical resources and we had the budget, we enabled Microsoft Defender for Cloud and then integrated it with Microsoft Sentinel. Integration is super easy for anything which is an Azure service. It's mostly about doing a couple of clicks or maybe running a couple of commands. For Azure-native services, it's very easy, be it integrating the Azure AD logs or Microsoft Defender for Cloud or things like that. If I remember correctly, I integrated Microsoft Defender simply by flipping a toggle on the console. So it was easy to integrate Microsoft Defender for Cloud.

The coordination among all these tools is really marvelous. Although my role is not exactly that of an incident responder or from a SOC point of view, if I was a SOC person or an incident responder, it really takes the load off of my work to look around and to correlate that, and open four, five tabs and just juggling through them and trying to make a story. Microsoft Defender for Cloud, Microsoft Sentinel, and MCAS, all of them do it for us. So you just have a single pane of glass. Although these are four different products and you sometimes do have to juggle around, but not to that extent. Many times, it happens that your job gets done with just a single pane of glass.

I think the coverage is comprehensive from a protection point of view for all these four, or five products from Microsoft.

The bi-directional sync capabilities of Microsoft Defender is an option that we get at the time of integrating the solution. This is exactly what I mean by using the toggle button to integrate Microsoft Defender for Cloud with Microsoft Sentinel.

I would say the sync capabilities are both critical and a nice add-on to have. Even if it's not critical and there was no sync between Microsoft Defender for Cloud and Microsoft Sentinel, we would still be doing our job of looking at two multiple portals. But since Microsoft does it for us, then it's really good to have. It takes the load off our shoulders and we could do other tasks and possibly look at more alerts instead of juggling through these portals between Microsoft Defender for Cloud, Microsoft Sentinel, MCAS, and MDI.

Investigations are something really remarkable. We can drill down right to the raw logs by running different queries and getting those on the console itself.
In terms of response, I do not have that much experience in automating the responses or letting Azure handle it, because we feel like the automation here might go wrong and we might have to face another incident caused by some sort of misconfiguration. So, at this point in time, we respond manually to the alerts. We don't use many of the response capabilities of Microsoft Sentinel. I did have a look at what I think, these are called playbooks, which are based on LogicHub. They do seem very promising, but we haven't used those functionalities as of now.

If I had to rank the three capabilities in terms of comprehensiveness, at the top would be SOAR. I would put threat intelligence and UEBA second. I haven't used both of these capabilities that much. We haven't enabled UEBA in our environment. Threat intelligence is the default one. Again, this is something we haven't enabled on a custom basis or something add-on; it's the default one that Microsoft provides.

In regards to proactiveness, I don't feel like there is anything proactive about the solution. It's mostly reactive. The nature of the whole SIEM is reactive: you analyze the logs, you get some alerts, and then you react to those alerts. I think in terms of prediction, I don't see it like that. But in terms of using threat intelligence, I definitely think that it really adds value when, for example, there's something legitimate in the email, there's something malicious. But when it comes to the unknown, when you cannot determine if it's good or bad, it adds value there, its threat intelligence, by simply stating that. Just a couple of days back, we had an alert that said that "URL was clicked," and it wasn't able to determine the nature of the URL: Was it malicious? Was it bad? So it gave us a low or an informational alert. Threat intelligence helps us in those situations.

The solution has saved us time in two aspects. A tremendous amount of time is saved in terms of integration. Nowadays every organization across any sector you talk about has a lot of IT solutions and security solutions in place. You talk about network devices, VPNs, security devices, these collaboration services, et cetera, all of these generate a lot of data integrating and investing all of that data into SIEM is really critical for the SIEM to function properly. That is something that Microsoft Sentinel does quite well. And I see that they are always working on not just creating those integrations but also making them very easy to configure, from a customer point of view. So, those integrations are one thing that I really like about Microsoft Sentinel. The second is the correlation of these alerts across multiple of these integrations. So, integrations and correlations are two aspects that I really like about the solution. I would say the solution saved me around 50% of the time. Simply, it's less of running the queries on a standard SIEM solution and more of clicking on the dashboards. So the typing time gets taken off and the loading time of getting the results back, and doing this over and over again with a typical SIEM solution, that has been absorbed, by the solution. Microsoft Sentinel does it for us. Our time has been saved in that sense.

I would say that, since the solution saved us time, and time is money, in that sense, the solution has saved us money. On the other, hand the solution's cost is such that it might have balanced out. So, I can say it saved us money in one sense, but I don't think it's because of the solution, it's because of how the processes are set up in our firm. When we find some detections primarily from Microsoft Defender for Cloud, we share it with the team and we get to know that "XYZ resource is not in use anymore," and it probably gets deleted. So, in that sense, resource getting deleted, obviously, would stop incurring the money and the extra cost that we would have been paying. In that sense, our money is saved, but I wouldn't really put Microsoft Sentinel there because if there was any other solution that would also do the same, the resource would eventually get deleted.

Microsoft Sentinel runs on top of Log Analytics. And right now, we have it just hosted in the European region, but logs get ingested from all over the world, and the logs are of all types. Such as Microsoft Defender for Cloud, Azure AD sign-in logs, audit logs, Azure activity logs, and MCAS. We stopped using MDIs. We also have AWS. From AWS, there is a couple of log types. I think it's the CloudTrail, and events around S3 buckets and Kubernetes, although we don't use Kubernetes. That is all that is configured as of now with Microsoft Sentinel.

Four people in our organization use the solution. We have a dedicated SOC team, two guys are from the SOC team: one is me, and one is another person who has experience with Microsoft 365, and two people from the cybersecurity team.

I don't think there is any maintenance required. But there is overhead administration. So far, what I have experienced, it's just about integration. If you have to get started with the integration, then that's the overhead administrative effort on your head. Otherwise, it's not much of a problem. Everything is pretty smooth and automated with regard to maintenance.

There's one guy in our organization who for some reason, doesn't really like Microsoft and its products. He thinks that it's a way for them to catch us in a net and then upsell all their services to us. But I have a different, opposing view. I think, yes, they do have their own strategy of upselling and cross-selling all their products and solutions, but I think they are pretty good when working with them with those solutions, be it Azure as a whole cloud service, or just one part of it like Microsoft Sentinel. It takes off a lot of overhead, also, in terms of when you want some support, since it's a one-vendor-based solution, they would be much more helpful to support you and give you the right resolution in comparison to having three different products from three different vendors. What happens is, more often than not, they all start blaming each other, and then there's a blame game going on, and we, as a customer, have to suffer with whatever problem we are dealing with. So, I would go with having one vendor's solution, provided the vendor is not the kind of vendor that just sees you as a cash cow.

The only advice I would give to someone is that when you are evaluating the solution, if possible, you onboard people from Microsoft so they can help you and guide you. It's their product, they know how to best use it. So you would be in a better position right from the get-go, and it would also save a lot of time and effort in case you did something wrong or you chose a bad design decision, which might end up wasting a lot of time in the future. So, one piece of advice I would say is, simply to onboard Microsoft and it won't cost you extra. I don't think it would cost you extra. If you are already using any good Azure service or Azure itself, then that could be possible with the help of the account manager and the relationship that you have already with Microsoft. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: MSSP
PeerSpot user
Buyer's Guide
Microsoft Sentinel
November 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
824,053 professionals have used our research since 2012.
Rohit-Patil - PeerSpot reviewer
Consultant at a consultancy with 10,001+ employees
Consultant
The excellent threat intelligence and machine learning cut our false positives, and automation saves us a lot of time
Pros and Cons
  • "Sentinel is a SIEM and SOAR tool, so its automation is the best feature; we can reduce human interaction, freeing up our human resources."
  • "The data connectors for third-party tools could be improved, as some aren't available in Sentinel. They need to be available in the data connector panel."

What is our primary use case?

Our two primary uses for the solution are incident management and threat hunting. We use Sentinel and other Microsoft security products for security investigations, threat, team, and incident management purposes. The tool is deployed across multiple departments and locations, with around 8,000 total end users.

We use multiple Microsoft security products, the full Defender suite including Defender for Cloud, Cloud Apps, and Identity, all integrated with Sentinel

Integrating multiple solutions is straightforward; as they are all Microsoft products, it's easy for Sentinel to ingest the logs and data connectors. The process is very simple, and we can configure log sources or data connectors in Sentinel in a couple of clicks.  

How has it helped my organization?

As a next-generation AI-powered SIEM and SOAR tool, Sentinel provides an all-encompassing cyber defense at the cloud scale. The solution's machine learning capabilities make threat hunting and identification rapid across the entire cloud environment.

The solution provides excellent visibility into threats; it's integrated with Microsoft's threat intelligence platform, which forwards information to Sentinel. We have robust threat detection 24/7.   

Sentinel helps us prioritize threats across our enterprise, an essential function that lets us focus on investigating and resolving high-priority incidents first. When the most significant threats are dealt with, we can move on to the medium and low-priority issues.  

The multiple Microsoft solutions work natively together to deliver coordinated detection and response across our environment; they work very well together, and we trust these products to investigate matters further. 

The Microsoft solutions provide comprehensive threat protection across our entire organization.  

Sentinel enables us to ingest data from our entire ecosystem, which is crucial to our security operation. We require the data not just from Microsoft products but also from different firewalls and other security products, including firewall proxies, web proxies, logs, etc. We can quickly integrate multiple data sources in just a few steps. 

The solution's threat intelligence helps prepare us for potential threats before they hit and take proactive steps. Sentinel's intelligent and fast threat detection allows us to respond rapidly to critical and high-priority incidents by leveraging built-in automation and orchestration tools. 

Using Sentinel gives us time savings of 30-40%.  

The solution also decreased our time to detect and respond by 30-40%. 

What is most valuable?

Sentinel is a SIEM and SOAR tool, so its automation is the best feature; we can reduce human interaction, freeing up our human resources.

The built-in AI and machine learning are excellent; they reduce the number of false positives by around 90%.

The centralized threat collection is a valuable feature. 

The solution is cloud-native, so it's faster and easier to deploy as there is no hardware or software to implement.

The product is flexible enough to deploy in the cloud and on-prem, which is an advantage over other SIEM tools.

Sentinel allows us to investigate threats and respond holistically from one place, which is crucial because time management is essential during a security investigation. Having all the relevant data in one place enables security analysts to investigate and resolve quickly.   

The solution's built-in SOAR, UEBA, and threat intelligence capabilities provide comprehensive protection. The SOAR capability is excellent and better than other products on the market, reducing our dependence on security analysts, and IT takes less investigation time. We can leverage the UEBA to focus on risky users and entities first during an investigation, which is an integral part of the process. 

Compared to standalone SIEM and SOAR products, Sentinel reduces infrastructure costs by around 50% due to the cloud and reduced maintenance relative to legacy solutions. Sentinel is also approximately 70% faster to deploy than legacy solutions with the same rules. 

The solution helped to automate routine tasks and the finding of high-value alerts. This reduced our dependency on security analysts and their workloads because the solution reduced false positive alerts by about 90%. This freed up our analysts and is the most significant benefit of automation.  

The product helped eliminate having to look at multiple dashboards and gave us one XDR dashboard, which provides us with greater visibility and a reduced time to investigate and resolve.  

What needs improvement?

The data connectors for third-party tools could be improved, as some aren't available in Sentinel. They need to be available in the data connector panel. 

The solution could have more favorable pricing; the cost is relatively high compared to other SIEM tools, which can be prohibitive for smaller organizations. 

For how long have I used the solution?

We've been using the solution for over a year. 

What do I think about the stability of the solution?

Sentinel is stable. 

What do I think about the scalability of the solution?

The solution is scalable. 

How are customer service and support?

The technical support is good and responsive, but in some cases, it took a long time to resolve our issue.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used IBM QRadar as a SIEM tool and switched because Sentinel is cloud-native and has more comprehensive capabilities, including SOAR capabilities. Sentinel fits our clients' requirements better, as many of them utilize the MS Defender security suite, which gives them a specific grant for free data ingestion. The solution also provides greater visibility.

How was the initial setup?

I wasn't involved in the solution's initial setup, and in terms of maintenance, it's very lightweight; updates are Microsoft's responsibility, so we don't need to do anything.

What's my experience with pricing, setup cost, and licensing?

Sentinel is expensive relative to other products of the class, so it often isn't affordable for small-scale businesses. However, considering the solution has more extensive capabilities than others, the price is not so high. Pricing is based on GBs of ingested daily data, either by a pay-as-you-go or subscription model.

The product saved us money, but actual savings depend on the project size, as the pricing is per GB of ingested data. Our savings are approximately 40-50%. 

Which other solutions did I evaluate?

We evaluated various solutions, including LogRhythm SIEM, Splunk, and Sumo Logic Security. We chose Sentinel because it's more advanced, cost-efficient has greater capabilities and fulfills our requirements better than the other products.

What other advice do I have?

I rate Sentinel nine out of ten. 

To a security colleague who says it's better to go with a best-of-breed strategy over a single vendor's security suite, it's better to go with multiple vendors. This provides better visibility and avoids a single point of failure.

My advice to others considering the product is it depends on the project requirements. For larger organizations, I recommend Sentinel, as it's very advanced. However, for smaller-scale industries, Splunk and IBM QRadar are good options. For primarily cloud-based organizations with the majority of users in the cloud, then Sentinel is again an excellent choice.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company has a business relationship with this vendor other than being a customer: MSP
Flag as inappropriate
PeerSpot user
Security Ops Management at a manufacturing company with 1,001-5,000 employees
Real User
Top 20
Helps save us time, streamlines event investigations, and improves our visibility
Pros and Cons
  • "The analytic rule is the most valuable feature."
  • "While I appreciate the UI itself and the vast amount of information available on the platform, I'm finding the overall user experience to be frustrating due to frequent disconnections and the requirement to repeatedly re-authenticate."

What is our primary use case?

My role thus far has been to integrate security log sources into the platform. This includes developing or troubleshooting some of the data connectors for different sources, such as web application firewall interfaces.

Sentinel is a SOAR platform. It represents the next generation beyond traditional SIM and SIEM platforms. Its powerful SOAR functionality orchestrates and automates responses to security events, eliminating the need for manual intervention. Instead of relying on human analysts to monitor events and react, Microsoft Sentinel leverages pre-defined automation rules. These rules correlate relevant events, generating a holistic understanding of the situation. Based on this analysis, automated responses are triggered, expediting the resolution process and eliminating any delays associated with manual identification and decision-making.

How has it helped my organization?

Sentinel provides us with a unified set of tools for detecting, investigating, and responding to incidents. This centralized approach offers both advantages and challenges. On the one hand, it grants us the flexibility to tailor Sentinel's capabilities to various situations. However, this flexibility demands a deep understanding of the environments and activities we're dealing with to effectively utilize Sentinel's features. While this presents a challenge, it also highlights the potential benefits of this unified approach. The unified view is important to me because I get all the information together in a single pane of glass instead of having to switch between multiple applications. The ability to consolidate all of that information into a single application or dashboard and to centrally evaluate its intelligence is a significant advantage.

Sentinel's ability to secure our cloud environment is of the utmost importance.

Sentinel Cloud Protection offers a collection of customizable content that caters to our specific requirements, demonstrating the solution's flexibility. The versatility of this content allows us to address a wide range of needs. However, in most instances, we need to adapt the material to suit our unique circumstances. While Sentinel Cloud Protection provides a comprehensive set of resources, including pre-written responses, it often requires tailoring to fit specific situations. This customization process is not a drawback but rather an essential aspect of effectively utilizing the tool. It's crucial to understand the nuances of each situation to apply the content appropriately. While I wouldn't consider this a negative aspect, I've encountered individuals who believe they can purchase a solution, implement it without modification, and achieve optimal results. However, such unrealistic expectations often lead to disappointment.

The Sentinel Content Hub is essentially the central repository where we acquire the content to build upon. Therefore, it serves as the starting point for our efforts. Some of the hunt rules have been quite beneficial in terms of what they provide from the Content Hub, allowing for a plug-and-play approach. This means we can immediately benefit from what's available without having to do any additional work. We can then build upon this foundation and extend the capabilities beyond what's provided by the Content Hub. The Content Hub itself is a valuable asset that gives us a head start in achieving our objectives.

Content Hub helps us centralize out-of-the-box SIM content. This has made our workload more manageable.

The ability to correlate and centralize all of that information together, rather than having to manage it across multiple platforms and potentially miss things between different platforms, makes it more likely that we will not miss anything. The workload and the missed threats that we need to respond to have been reduced because of that unified approach. The mean time to detect has been reduced, and the mean time to respond has been reduced.

Sentinel correlates signals from first- and third-party sources into a single, high-confidence incident. The third-party integrations provided through Microsoft offer all the tools we need to integrate those sources. In other cases, we have to build the integrations from the ground up. Currently, we are struggling to integrate some of the sources that don't have existing connectors. However, the platform is flexible enough to allow us to build these integrations. It is just a matter of finding the time to address this issue.

Our security team's overall efficiency has improved. The build phase is still ongoing. We have not yet fully transitioned to an operational model. We are still in the build implementation stage because we need to integrate some third-party sources into the existing platform and ensure that they are included in the scope of the analytics rules. However, this has significantly reduced the amount of time spent working between different platforms.

The automation capabilities are perhaps the platform's most significant advantage. The force multiplier capability is exceptional. Traditional SIM or SIEM-like platforms were effective in gathering and presenting security information to security personnel. However, security personnel were still responsible for evaluating the information and determining whether a response was necessary. One of the benefits of Sentinel's automation capabilities is the ability to automatically trigger an action or response activity, which is a significant advantage.

The automation capabilities have helped reduce our mean time to respond. Automated events can prevent a problem from escalating beyond a single incident to multiple occurrences before we have to respond to it. In this way, automation effectively catches problems right away.

Sentinel has helped to improve our visibility into user and network behavior. This is extremely important because it allows us to have a better understanding of how users and networks are behaving.

Sentinel has helped reduce our team's time.

Sentinel has streamlined our event investigation process by eliminating the need to manually track down specific event activities. The rules are now automatically identifying and processing these activities, significantly reducing the time required for investigation. Tasks that previously took half an hour can now be completed in under five minutes.

What is most valuable?

The analytic rule is the most valuable feature. It allows us to assess the various use cases we've developed and then automate those processes accordingly. I consider it a force multiplier. It empowers a small team to achieve a significant impact, whereas previously, I would have relied on multiple individuals. By utilizing it, we can accomplish more with fewer resources.

What needs improvement?

While I appreciate the UI itself and the vast amount of information available on the platform, I'm finding the overall user experience to be frustrating due to frequent disconnections and the requirement to repeatedly re-authenticate. Microsoft needs to address these usability issues to enhance the user experience.

For how long have I used the solution?

I have been using Microsoft Sentinel for seven months.

What do I think about the stability of the solution?

The stability is exceptionally reliable. I tend to be quite vocal when things don't function as expected. The web interface requires using a browser for interaction, and I often find myself multitasking between Sentinel-related tasks and other activities, such as responding to emails. When I return to the Sentinel interface, I'm prompted to re-enter my credentials, which causes me to lose my previous work. If I'm using KQL to query data, I frequently have to restart my work from scratch. This can be frustrating, but I've learned to copy my work periodically to avoid losing it. I haven't encountered this issue with previous platforms, even those that use web interfaces.

What do I think about the scalability of the solution?

Sentinel boasts exceptional scalability. While it's crucial to monitor data ingestion costs, Microsoft has effectively crafted a platform capable of expanding to accommodate far greater volumes than initially anticipated.

How are customer service and support?

The technical support has room for improvement.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial deployment was straightforward. Our strategy was to consolidate onto a common platform. We have a significant portion of our security information being handled through SysLog events. As a result, it was almost as straightforward as simply rerouting data from the old platform to the new one. This served as a preliminary test of the new platform to ensure it was functioning as intended and could effectively redirect and handle the increased volume.

The deployment likely involved six people, but not all at the same time. There were six people involved in the deployment overall, but we probably had four people working on it at any given time. From a headcount perspective, I believe four people is the appropriate number.

What about the implementation team?

We employed a third-party company for the implementation because we sought expertise in Sentinel and the Azure platform, and we aimed to augment our existing staff.

What was our ROI?

We have achieved a positive return on our investment. In my previous jobs of comparable size, I would have needed approximately three people to manage the event activity and to handle and respond to it. Here, we can accomplish this with two people. As a result, we have saved at least one headcount with our current staffing levels. Additionally, as we expand the platform, we will not need to increase the headcount to manage the growth.

What's my experience with pricing, setup cost, and licensing?

Microsoft Sentinel can be costly, particularly for data management. While Microsoft provides various free offerings to attract users, these benefits can quickly become overwhelmed by escalating data management expenses if proper precautions are not taken.

I don't think it's Microsoft engaging in underhanded tactics. I believe the issue lies with customers not paying close enough attention to what they're enabling. Initially, they're excited and eager to incorporate everything, but before they realize it, they've incurred unexpected costs.

Azure Monitor Log Analytics and Sentinel have different subscription plans and pricing tiers. This segmentation was implemented to accommodate the distinct business relationships within our organization. Sentinel costs are managed separately from Azure costs.

Which other solutions did I evaluate?

The decision to adopt Microsoft Sentinel was made before I joined the organization. I understand that they evaluated all the major solutions available, including Splunk and QRadar. However, due to the selection of a cloud-based solution, they opted for Microsoft Sentinel as it aligned with their overall strategy.

What other advice do I have?

I would rate Microsoft Sentinel eight out of ten.

We've got a user base globally of about 5,000 people.

Microsoft Sentinel does require maintenance, which includes monitoring the incoming data and ensuring that everything is functioning as expected. While automation simplifies many tasks, it doesn't eliminate the need for oversight. We still need to verify that everything is working correctly. Part of the maintenance cycle involves ensuring that the automation agents are operational and performing their intended tasks and that events are being collected and evaluated properly.

Users need to have a clear understanding of their goals before selecting a solution. I have encountered too many people who believe that simply choosing a solution will resolve all of their problems. It is crucial to understand the desired outcome and the specific requirements of the use case to determine whether or not Sentinel is the appropriate fit.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Cybersecurity Engineer at General Motors
User
Top 20
Improves our visibility, centralizes out-of-the-box content, and is user-friendly
Pros and Cons
  • "Microsoft Sentinel stands out among SIEM tools for its user-friendliness and powerful built-in query language."
  • "Microsoft Sentinel's search efficiency can be improved, especially for queries spanning large datasets or long timeframes like 90 days compared to competitors like Splunk."

What is our primary use case?

In our Security Operations Center, we rely on Microsoft Sentinel for continuous security monitoring. We collect logs from various customer environments and define security use cases with correlation rules to analyze activities. These rules leverage predefined criteria to identify potential malicious behavior. Microsoft Sentinel serves as our central platform for security monitoring, investigation, and remediation of security threats detected through alerts.

The biggest challenge in security monitoring is managing the vast amount of logs generated daily from various devices like web servers and firewalls. Microsoft Sentinel tackles this by collecting all logs in a central location and allowing us to define rules. Using its query language, we can search across these logs for specific conditions, like malicious activity. If a suspicious event is identified, Sentinel generates an immediate security alert, enabling our team to investigate and take appropriate action to stop potential attacks.

How has it helped my organization?

Microsoft Sentinel helps us identify security threats through built-in machine learning. It analyzes network traffic patterns and can detect anomalies, like unusually high data transfers outside typical hours. These anomalies trigger alerts, allowing for early intervention.

Microsoft Sentinel shines in its ability to bridge hybrid and multi-cloud environments. It seamlessly integrates with on-premises infrastructure through Azure Arc, and even private clouds can be connected via Azure Gateway and a VPN to the Azure Log Analytics workspace. This unified approach ensures all our security data, regardless of origin, is ingested and analyzed for potential threats.

Microsoft recently launched Content Hub, a marketplace for pre-configured security solutions within Azure Sentinel. Unlike our previous experience setting up data connectors a few years ago, Content Hub offers a one-stop shop for integrating security tools. When we choose a data connector, we also get pre-built correlation rules, playbooks, and workbooks – all packaged together for faster and more effective security monitoring. The content hub streamlines onboarding pre-built SIEM content, especially during the initial SOC setup. When starting fresh with a new environment and unsure of specific use cases, we can search for relevant data sources in the hub. Once integrated, the content hub provides pre-configured rules alongside those connectors. Simply enabling these rules offers substantial coverage for our MITRE ATT&CK mapping, a framework that assesses our ability to detect various attack techniques. By leveraging these out-of-the-box tools, we gain significant initial security coverage with minimal effort.

The content hub helps us centralize all of the out-of-the-box content available from Sentinel.

Sentinel acts as a central hub, bringing together information from various sources both internal, first-party, and external, third-party into a single, unified view. This allows us to analyze logs stored in different tables, regardless of their naming conventions. By defining correlation routes, Sentinel can examine specific activities across these disparate sources. For example, we could create a route that checks firewall logs for suspicious activity and then correlates it with specific user actions in Windows device logs, providing a more comprehensive picture of potential security incidents.

Sentinel improves our visibility into user and network behavior through a feature called User Entity Behavior Analytics. This leverages Microsoft's machine learning to analyze user and device activity. If we're investigating multiple security incidents involving a user or device, UEBA provides a broader view. We can directly access the user's history of incidents and visualize their connections to other alerts and impacted devices in a graph format. This allows for efficient investigation of complex incidents impacting multiple users and devices.

Microsoft Sentinel streamlines security incident investigation. The incident page clearly displays involved entities and details of triggered alerts, including logs. This allows SOC analysts to quickly assess the situation and potentially predict the nature of the activity, even before diving into event logs. Sentinel's powerful query language further simplifies investigation by enabling easy data visualization, formatting, and custom functions, all within various timeframes. This significantly accelerates the overall investigation process.

Sentinel has streamlined our event investigation process. By allowing us to predefine keyword queries for specific alerts, it eliminates the need to manually craft queries each time. Similar to how SOCs use pre-defined playbooks for various incidents, Sentinel lets us define queries that return relevant data quickly. This cuts down on investigation time by allowing us to focus on the specific alert and the data it generates.

What is most valuable?

Microsoft Sentinel stands out among SIEM tools for its user-friendliness and powerful built-in query language. This language, included at no additional cost, allows for easy data collection, sorting, formatting, and visualization, making it accessible even to non-experts. Additionally, its seamless integration with other Azure products eliminates the need for custom parsing logic, saving time and resources.

What needs improvement?

Microsoft Sentinel's search efficiency can be improved, especially for queries spanning large datasets or long timeframes like 90 days compared to competitors like Splunk. While Sentinel might take several minutes to return results for such investigations, Splunk queries are significantly faster.

For how long have I used the solution?

I have been using Microsoft Sentinel for two years.

What do I think about the stability of the solution?

Since the entire Azure Sentinel analytics workspace resides within the Azure environment, we've never experienced lag or downtime. This is because Microsoft handles all data storage, hosting, and infrastructure maintenance. As a result, we're relieved of those burdens and haven't encountered any Sentinel downtime.

What do I think about the scalability of the solution?

Microsoft Sentinel's cloud-based deployment on Azure allows it to scale automatically. This likely involves built-in load-balancing mechanisms that distribute processing across different Azure resources when needed. This ensures Sentinel can handle increased workloads without manual intervention.

How was the initial setup?

While I wasn't involved in deploying Microsoft Sentinel myself, I did help configure and set it up on our end. The initial setup process wasn't particularly simple, but it wasn't overly complex either.

While the user interface in Azure simplifies the deployment process of Microsoft Sentinel, some architectural knowledge is still necessary. The initial configuration might involve just a few selections, deciding on the deployment architecture, data replication workspace locations, etc. requires experience. This prior experience, however, should make integration with existing systems smoother. Three people on average are required for the initial deployment.

What about the implementation team?

Our Microsoft Sentinel implementation approach depended on available time. For complex deployments, we handled it directly. In time-sensitive situations, we collaborated with teams managing the devices, providing them with implementation steps and troubleshooting support as needed.

What's my experience with pricing, setup cost, and licensing?

While I wasn't involved with the specifics of Microsoft Sentinel's pricing, my understanding is it scales based on data ingestion. This means we only pay for the amount of data we bring in, which is fair. However, if a device generates excessive data like hundreds of GBs daily, investigating the cause becomes crucial to avoid unnecessary costs. In most cases though, the pay-as-you-go model shouldn't be an issue.

What other advice do I have?

I would rate Microsoft Sentinel eight out of ten. I've tried Splunk, QRadar, and Azure Sentinel. While Splunk requires knowledge of SPL for deeper exploration and QRadar's query language isn't powerful, Azure Sentinel strikes a great balance. It offers a user-friendly interface for basic investigations without needing a query language but also allows for custom queries and visualizations for advanced users. This makes it the most versatile of the three.

Splunk requires users to learn SPL for full functionality, making it less accessible for basic investigations. Conversely, Microsoft Sentinel's intuitive UI allows even those without KQL knowledge to conduct basic security analysis through its built-in features and informative interface.

Because our service is hosted on Microsoft's cloud, they completely manage all maintenance tasks, freeing us from infrastructure management responsibilities.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
Sachin Paul - PeerSpot reviewer
Product Manager, Cyber Security at Mactel
Real User
Top 10
Makes data integration very easy for our SOC
Pros and Cons
  • "The features that stand out are the detection engine and its integration with multiple data sources."
  • "One key area that can be improved is by building a strong integration with our XDR platform."

What is our primary use case?

We use it for our security operations center. We have private and multi-cloud environments.

How has it helped my organization?

It enables data integration within our hybrid, multi-cloud environment, and it makes this data integration very easy for our security operations center.

Sentinel has helped improve our visibility into user and network behavior. It helps in identifying risky users, creating a watch list for specific users and their activities, which is very important.

It has also been saving us time. It's a complete cloud-based solution, so there is no time wasted on setting up servers, infrastructure, et cetera.

It also reduces the work involved in event investigation because it puts together detection logic through detection rules. That helps in automating incident identification.

What is most valuable?

The features that stand out are the 

  • detection engine
  • integration with multiple data sources.

And while it does not give the tools to detect and investigate, it provides
the ability to integrate multiple tools together on the platform. This is very important for us. Sentinel provides very good integration with Microsoft Power Apps and Power Automate. That is a very handy feature.

It provides a good user interface for an operations analyst and makes it easy for an ops analyst to do incident analysis and investigations.

What needs improvement?

One key area that can be improved is by building a strong integration with our XDR platform.

For how long have I used the solution?

I have been using Microsoft Sentinel for over a year. I'm a product manager, and I do not do hands-on deployment, but I do product definition, platform selection, and product feature definition.

What do I think about the stability of the solution?

It is a stable product.

How are customer service and support?

The technical support team is good. They have account managers aligned with our customers. It is a good, scalable model.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We started with Sentinel only. We have had some experience with Splunk, but Sentinel is more mature, flexible, and scalable.

How was the initial setup?

The install or setup time is very small. Without Sentinel, it would usually take 15 to 30 days to set up a SIEM solution in an environment. With Sentinel, it is very easy. A completely production-grade environment can be set up within a week.

Setting up Sentinel is straightforward. Because it is a cloud-based solution, there is no infrastructure deployment involved. Much of the implementation can be done in automated ways. We leverage that automation for implementation. It doesn't require much staff. It is very automated.

It requires maintenance, and that is part of what we cover by providing our customers with managed services.

What about the implementation team?

Our team does the deployment.

What was our ROI?

We have seen ROI.

What's my experience with pricing, setup cost, and licensing?

The licensing cost is available on the Microsoft Azure calculator. It depends on the size of the deployment, the size of the data ingestion. It is consumption-based pricing. It is an affordable solution.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
PeerSpot user
Ankit-Joshi - PeerSpot reviewer
Senior Cyber Security Consultant at a financial services firm with 10,001+ employees
Real User
Helps us monitor our SOC, provides the capability to integrate unsupported log sources, and saves about 40 minutes per incident
Pros and Cons
  • "Sentinel is a Microsoft product, so they provide very robust use cases and analytic groups, which are very beneficial for the security team. I also like the ability to integrate data sources into the software for on-premise and cloud-based solutions."
  • "There is room for improvement in entity behavior and the integration site."

What is our primary use case?

I'm currently using this solution for monitoring our SOC. I also implement Sentinel for clients.

We use Defender for Cloud, Defender for Endpoint, Defender for Office 365, and Defender for Identity. They were easy to integrate. It's necessary to understand the background of the data source to integrate the devices into Sentinel. If it is cloud-based, we can utilize the GeoLogic app or Azure function to integrate the log sources or use the slot method.

These solutions work natively together to deliver coordinated detection and response across our enterprise. We have different EDR solutions in our environment, and we have integrated them with Sentinel. We directly monitor all of the other security devices from Sentinel.

I haven't seen many issues with integrating different products. We can set a robust error detection mechanism. If there are some issues while integrating the logs, we can do automated alerting and easily troubleshoot any issues.

There are no issues with integrating multiple-location firewalls. We have Sentinel deployed in the US and other geolocations.

There are between 15 to 20 people using this solution in my team.

The solution is deployed on the cloud.

How has it helped my organization?

We mainly use this solution for monitoring purposes. We previously used on-premises data sources, but we wanted to integrate lots of log sources that weren't directly supported by other solutions. Sentinel provides the capability to integrate unsupported log sources. We have integrated lots of unsupported security devices with Sentinel as well.

Sentinel helps automate routine tasks and helps automate the finding of high-value alerts. Microsoft provides some very useful out-of-box automation playbooks that we can utilize in our day-to-day operations. This increases the efficiency of security analysts and our response time. We are using those solutions in our environment to do automation, increase productivity, and enhance the efficiency of our security analysts. Sentinel reduces our overall investigation time compared to other solutions.

Sentinel has helped eliminate the need to look at multiple dashboards. We can use the workbook for that. Correlating everything into a single workbook isn't available right now, but it's achievable in the future.

The solution's threat intelligence helps prepare us for potential threats before they hit and helps us take proactive steps. We have integrated one open-source solution for IOC monitoring, and Microsoft even provides the IOC data. To be proactive, we also rely on other solutions like Defender for Endpoint for detecting those threats before they actually happen.

We added IOCs into Sentinel from a monitoring perspective. If we can detect ransomware, we can prioritize that and work on mitigation.

Microsoft Sentinel saves us time. It has provided us with a very rich automation solution. We can see most of the details directly on the Sentinel site. We don't need to log in and check for different things, so it saves a lot of time for associates. It saves us about 30 to 40 minutes on average per incident.

The solution decreases our time to detect and respond. We can increase detection using dashboards. The automation and playbooks help us respond to threats if the user is compromised. We can directly reset the user's password or disable the user from the Sentinel portal by using the playbooks. We're saving about 15 to 20 minutes on our response times.

What is most valuable?

Sentinel is a Microsoft product, so they provide very robust use cases and analytic groups, which are very beneficial for the security team. I also like the ability to integrate data sources into the software for on-premise and cloud-based solutions. We can very easily integrate the devices with Sentinel. There are multiple ways that we can utilize the product. I also like how the solution processes data.

The solution helps prioritize threats across our enterprise. We can set the severity for the low and medium-priority severity incidents. Sentinel has machine learning and fusion rules, which help us effectively prioritize. Prioritization is very important for us in this security landscape because attacks are getting stronger.

Sentinel provides a lot of out-of-box analytic rules with Sentinel. It's very good at detecting threats compared to the different SIEM solutions in the market now.

Sentinel enables us to easily ingest data from our entire ecosystem. Attacks can happen from any of the devices. Even the IoT is vulnerable now. We can integrate different solutions for it. For instance, there is Microsoft Defender for IoT, which we can integrate into Sentinel. That provides a single pane of glass for security. In any SOC, we need to have multiple solutions. Sentinel is a great solution for managing and monitoring those products.

Sentinel enables us to investigate threats and respond holistically from one place. We can integrate other solutions like ServiceNow with Sentinel, and we can set the bidirectional sync.

Sentinel's security protection is comprehensive. In the area of UEBA, I use the entity behavior settings of Sentinel. It provides some enhancement in security monitoring, but it still needs some improvement regarding user and entity behavior.

What needs improvement?

There is room for improvement in entity behavior and the integration site. It's a new solution, so it can include different security products in the data connector section. I've also experienced some performance issues with the runbook. It takes a lot of time to load.

In the automation section, there are some limitations.

For how long have I used the solution?

I have used this solution for two and a half years.

What do I think about the stability of the solution?

It is pretty stable. I haven't had any issues in the two and a half years that I've worked with Sentinel.

What do I think about the scalability of the solution?

The price goes up whenever we integrate more log sources, but there aren't any issues with scalability. We can increase it very easily.

How are customer service and support?

Technical support is good. They're very quick to respond when we raise a case.

I would rate technical support a nine out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Splunk is also the leader in this market. I prefer Sentinel because it's a Microsoft product that provides a lot of free and built-in use cases.

We switched to Sentinel because it's a cloud-native solution. On-premises solutions involve managing IT databases and doing some upgrade activities, but we don't need to manage any of that in Sentinel. We can focus directly on security monitoring and detection and response.

How was the initial setup?

The setup was straightforward. I worked on multiple projects before the deployment of Sentinel.

The amount of time it takes to deploy the solution depends on the client's network area, the firewall, and log sources. We have deployed the solution for user bases of 4,000 to 5,000. Deployment was completed within one month by integrating all the required processes.

We had a team of three people for deployment. I took care of the integration of the log sources, and the other two people took care of the customization.

Sentinel doesn't require much maintenance.

Which other solutions did I evaluate?

We evaluated Splunk and a few other solutions.

What other advice do I have?

I would rate this solution as nine out of ten. 

My advice is that colleagues who have worked on different solutions, whether on-premises or cloud, should use the Ninja training. Microsoft provides this training directly. It is publicly available and provides a better understanding of how to utilize the solution more effectively.

I think it's ideal to go with different vendors across our environment rather than a single vendor for security purposes.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Arun-Raj - PeerSpot reviewer
Associate Consultant, SIEM Engineer at a tech services company with 501-1,000 employees
Consultant
Gives us better security and allows us to capture all the data in a single console, which we can analyze from the cloud
Pros and Cons
  • "The best feature is that onboarding to the SIM solution is quite easy. If you are using cloud-based solutions, it's just a few clicks to migrate it."
  • "If we want to use more features, we have to pay more. There are multiple solutions on the cloud itself, but the pricing model package isn't consistent, which is confusing to clients."

What is our primary use case?

We have multiple use cases based on the data sources we have onboarded, like Sophos UTM or Firewall.

We also use Microsoft Defender for cloud and Microsoft Office.

We have integrated MD with Sentinel to receive alerts. If there are any suspicious activities in any of our resources, MD will create an alert. Once an alert comes through MDC, it is converted to Sentinel.

It was easy to integrate the solutions. It took about two or three clicks. The solutions work natively together, specifically to give us coordinated detection and response across our environment.

There is a correlation with the mail-based algorithm. We have an AML model algorithm in Sentinel. It has the capability to catch the pattern of attacks and shows that to us in the Sentinel app.

How has it helped my organization?

We mostly have cloud-based solutions, so Sentinel gives us better security. There's a feature that allows us to capture all the data in a single console, which we can analyze from the cloud itself.

We don't have to use third-party services to check these activities. If we see that one of our accounts is compromised or anything has happened, we can remove that person from other groups.

There's a feature that allows us to see what is in a secure state and what is in a critical state.

Sentinel helps automate routine tasks and find high-value alerts. We can have a custom playbook and create automation rules through that. If there is a false positive address, we can do the automation from there. If we want an email notification based on high-activated rules, we can provide the automation rules that will notify us on Outlook or through Teams.

It minimizes our analyst's workload. Once a high activity comes up, we'll get a notification on Teams. As analysts, they will validate and send us the email or notification within 10 to 15 minutes with more valid data. If there's a playbook with the top 10 critical rules, we can create multiple playbooks and attach them with the data that we want to protect.

Once that incentive is triggered, we'll get notifications with the full details of that incentive. If high severity comes up, that email is sent to the client, and we do more analysis on that rather than wasting time on the first analysis. We can directly get into the deeper version of the automation.

If an incident comes up, we have to validate the load and find out the correlation of the users. We can focus on the advanced test rather than wasting time on the previous one. This saves five to ten minutes.

On a monthly basis, the analyst team saves at least three to four hours with automation. We have multiple rules based on our more critical test. From that perspective, analysts don't want to work more on low priorities because we'll be automatically notified of low and high priorities. We focus more on critical users where the threat is high. By focusing on what is a high priority, our analysts save five to six hours per week.

We have multiple dashboard views that allow us to see logs coming from different solutions and users who were involved in the previous incident.

What is most valuable?

The best feature is that onboarding to the SIM solution is quite easy. If you use cloud-based solutions, it's just a few clicks to migrate it.

The console is user-friendly. We have almost 120 different types of data, so the solution helps us to onboard different types of third-party services to the SIM solution. We have UB features, and the SOAR capability in the Sentinel server is also a good feature.

Sentinel's visibility into threats is very good. We have an investigation graph that allows us to see the correlation between the incident and the users. We can see if there are multiple incidents with the same IP address and if there are multiple breaches. We can correlate with the rules and check if any inside threat activities are going on with the malicious site or the malicious URL link that we have onboarded. The threat view provides good visibility.

We can prioritize threats based on our investigation assets. It's very fast. We're able to see the rest of the threat activities and how impactful they are. Based on the AML algorithm, we can get all the stages of the attack as well.

Sentinel enables us to ingest data from our entire ecosystem.

The importance of this ingestion of data to our security operations depends on the data and the type of solutions we have to onboard. We onboard our critical servers and assets to the same solution so we'll have good visibility.

We're able to investigate threats and respond holistically from one place.

We can validate the logs from where the logs have been received. By doing the log analysis, we'll be able to find them. It's a straightforward function and isn't very hard.

There's an incident pane in Sentinel. We have a query package, and we can have a deep dive alert through that, or we can have a deep look into the log. From the console itself, we have a great view of our threats and the current phase we're in.

We have multiple source features. There are between 20 to 30 in addition to data. Microsoft provides custom features through which we can connect with third-party solutions and correlate the incident. For example, if we have multiple incidents, we can use the SOAR capabilities and correlate them with multiple third-party threats. It's an easier way of understanding whether or not we have a malicious bug.

We can see how much time our analysts have taken to raise the ticket and how much time they have taken to resolve the issue assets. We can create a dashboard for that. They're able to notify us within five or ten minutes for high priorities. For the medium priorities, it is 10 to 12 minutes. Our detection time for low priorities is within three hours, but our team still performs under 15 to 18 minutes.

What needs improvement?

If we want to use more features, we have to pay more. There are multiple solutions on the cloud itself, but the pricing model package isn't consistent, which is confusing to clients.

For how long have I used the solution?

We have been using this solution for almost two years.

What do I think about the stability of the solution?

The stability is very good.

What do I think about the scalability of the solution?

I would rate the scalability an eight out of ten.

How are customer service and support?

I would rate technical support a six out of ten. Technical support doesn't understand the features well enough. They will give us links to reference, so we go through those links as a team or Google the solution. We reach out to them if we can't find the solution, but they provide us with the same links and URLs that we've already referred to. It's a hassle because it wastes a week and a half of our time. Their solutions and response time aren't very good.

How would you rate customer service and support?

Neutral

How was the initial setup?

The setup is based on our data sources. We have a segregated timeframe of two payments. It depends on the client or who is doing the operation. Onboarding on the cloud is pretty easy. It takes just a few clicks from migrating the data sources to getting the logs.

For an on-premises or third-party software servicer, it will take more time and troubleshooting to do the setup. It won't be hard if you have a good team for the onboarding process. It can be complicated initially, but the rest of the timeframe will involve fine-tuning the logs and creating the custom rules based on your requirement.

It doesn't require a lot of maintenance. It's pretty simple. We just had to play with it for a couple of months.

What was our ROI?

We haven't seen any financial ROI.

What's my experience with pricing, setup cost, and licensing?

Sentinel is the best solution that we use. It's a pay-as-you-go model. We can fine-tune the features we want and choose if we want to remove logs. We can also segregate logs, which helps us minimize costs. Sentinel provides free Office 365 and Azure-based logs without pricing assets. When it comes to the third-party solution or our server logs, we just have to do the fine-tuning of the logs.

The pricing isn't very high. It depends on the number of logs you have. If you're expecting to ingest 50 to 60G in a day, but you're only ingesting 20 to 25G per day at first and you have a good team to analyze the logs, then you can segregate the ingestion at under 15G.

What other advice do I have?

I would rate this solution a nine out of ten.

It's very user-friendly. The only issue is that Microsoft's technical support isn't very good. If you have a good team who can onboard the resources to the solution, then you'll be happy with the solution itself.

For us, it's better to go for multiple solutions rather than a single suite because we cannot strictly trust one client. If you only have one cloud-based solution, it's better to use Sentinel to secure it. It's helpful to have a good team that can do the monitoring and onboarding smoothly. You can go with one solution if you have a trusted partner. If you don't, then I would use multiple solutions.

You should purchase the features that Microsoft provides. It's a configured network, so they will correlate with the end resources, RMD, and receiver identity. The fusion-based algorithm rule will detect advanced multistage attacks to stop the attack.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.
Updated: November 2024
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.