What is our primary use case?
We're a cybersecurity company using Sentinel to provide SIEM services to our customers.
How has it helped my organization?
Sentinel improved how we investigate incidents. We can create watchlists and update them to align with the latest threat intelligence. The information Microsoft provides enables us to understand thoroughly and improve as we go along. It allows us to provide monthly reports to our clients on their security posture.
It helps us automate some tasks but not others. There are some things we missed because there aren't any rules. We're still working on integrating it. We know it can detect high-severity incidents if we utilize it correctly. We've been able to automate incident responses to some high-level threats we've encountered.
Microsoft's threat intelligence helped us prepare for attacks by developing rules before they hit. We know what behavior to expect because we have visibility into the threat and the actors.
Sentinel's reporting features save us time. In the past, we created reports in Microsoft Word by dropping in screenshots. With Sentinel, we can create readymade reports from the dashboard. Our monthly report previously took about 16 to 24 hours to complete. We cut that in half.
What is most valuable?
We have our own ticketing system for our soft team, and Sentinel's playbooks helped us automate many processes.
Sentinel provides excellent visibility. Microsoft updates a lot of its security solutions via Sentinel. The content hub and connectors are available to integrate everything. Microsoft also created separate analytics groups, so we log behaviors and use a template. We often need to modify the template based on a customer's log behavior and our correlation and analysis.
We can learn some new techniques for using KQL correctly by studying the latest templates that Microsoft releases and creating some KBs for our analysts. The MITRE ATT&CK framework is now integrated into Sentinel, so we can statistically identify which part of our microservices are vulnerable. We can assess the severity of threats and prioritize them accordingly. We also need to prioritize based on our SLAs.
My company also provides managed service for Defender for Endpoint, previously called ATP. We also work with Defender for Cloud and Defender for Identity.
All the Microsoft solutions are integrated with Sentinel, including 365 apps, Azure AD, and various cloud-based security solutions. It includes all the connectors you need to ingest logs from multiple Microsoft products, giving us near-total visibility. Some customers use on-prem security appliances, so we have to correlate logs.
Sentinel comes with Azure Lighthouse. We can link the subscription to our customer's tenant and ask them to create a global admin account. We can report on the activities using each account and how secure the credentials are. The integration is seamless when we have that level of access.
We offer ingestion for all Microsoft products and always recommend our clients get everything so we can get full threat visibility and effectiveness. Having all the products integrated into Sentinel helps us see the big picture. In addition to the analytics rules and everything, we're utilizing dashboards and workbooks. Some workbooks are templates that Microsoft provides, but we also develop our own.
We can compile all this data, put it in a workbook, and create rules. The other part is communicating with the customer because the user is still reviewing logs. Is it an admin? Is it doing daily counts of logins, etc?
Three of our customers use Defender for Cloud. If a company needs it, we can support it. We have Microsoft-certified engineers who can provide expert frontline support.
Initially, we were only ingesting incidents from Defender for Endpoint, but now we can ingest more data throughout the system. Previously, we could not see some things. We could do it, but we had to search through the portal to find what we needed. Using a connector, we can see everything our employees do on the endpoint, such as device info, location, logins, etc. It's especially useful when employees work remotely or outside their normal area.
Sentinel lets us investigate threats and comprehensively respond from one console. We can have multiple tabs on one application. The capabilities are robust and marketable. All of these solutions are combined.
What needs improvement?
We've seen delays in getting the logs from third-party solutions and sometimes Microsoft products as well. It would be helpful if Microsoft created a list of the delays. That would make things more transparent for customers.
In some instances, the customer reports that they suspect malware on a computer, and one of their IT guys noticed it. There is a five to ten minute delay before we can see it and respond. As a security company, we don't want the customer to be the first one to identify the threat. However, we must deal with delays from the various products we're integrating. For example, Apex One has a 15-minute delay.
Sometimes it's an issue with the third-party product, but sometimes it isn't. If it isn't, we need to open a ticket with Microsoft. We would benefit from transparency around delays and communication about what Microsoft is doing to resolve the issue.
Another issue is transparency around usage and associated costs. There are charges if you use playbooks and queries. If you query 100,000 times a day, your costs will go up. The usage only displays in gigabytes per day. A breakdown would help us make reports for our management.
For how long have I used the solution?
We have used Sentinel since 2020, so it has been about three years.
What do I think about the stability of the solution?
We also have experienced some performance problems in the UK. I'm not sure how that works, but something might be going on in the back-end. We transferred to a different region a while ago and lost some of our workspaces. We were shocked.
If Microsoft needs to failover to another region, the customer should be informed because it affects many things. Some of the products we ingest just suddenly stopped, and we have to redo the integration with Cisco Umbrella, AWS S3, and SendGrid. Azure was pulling those logs, and the connections were suddenly cut when this happened.
How are customer service and support?
I rate Microsoft's support a five out of ten. We had problems using Azure and getting the logs from event services for one of our customers. The date and time the log generated on our customer's device were wrong. It showed the event's location but not the time that the event was generated.
We contacted Microsoft, who told us to expect a reply the following day, but they didn't respond until four days later. Then, they sent us to another department to speak with someone more knowledgeable about our issue.
We described the problem, and they asked us for evidence. They wanted our support team to recreate it. Microsoft's support team can create a lab environment and recreate the scenario for themselves. We had to stop the call because we were too busy.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We previously used an in-house SIEM solution.
How was the initial setup?
Deploying Sentinel was complex initially, but it has gotten easier. We documented how we did everything, so it's easy for someone to replicate the steps. If we have accepted the CSP invite, we can deploy it in two days, including configuring ingestion, creating rules, and Azure onboarding. We also must build dashboards and templates. Sometimes there are delays, and it might take three to five weeks.
What's my experience with pricing, setup cost, and licensing?
Sentinel is costly compared to other solutions, but it's fair. SIEM solutions like CrowdStrike charge based on daily log volume. They generally process a set number of logs for free before they start charging. Microsoft's pricing is clearer. It's free under five gigabytes. Some of these logs we ingest have a cost, so they don't hide it. I believe the tenant pays the price, and Microsoft helps create awareness of the cost.
With other solutions, you don't know what you're being charged until you get the bill. You might find that you're using playbooks or queries too much. Microsoft gives you visibility into your expenses.
Which other solutions did I evaluate?
We evaluated a few other solutions, including CrowdStrike, Splunk, and LogRhythm. We decided to go with Sentinel because we have Microsoft-certified staff, and many companies in the UK are adopting Defender and other Microsoft security solutions. Sentinel offers seamless integration with Microsoft security products, and we've also seen how flexible it can be.
We can leverage KQL queries. If you're trying to send logs to another SIEM, you'll probably need an API and a lot of other components to make it work. Sentinel makes our jobs easier by providing all of the connectors and out-of-the-box integration.
What other advice do I have?
I rate Microsoft Sentinel a nine out of ten. I think the industry is shifting toward a single-vendor strategy instead of best-of-breed. If you have a lot of tools from various vendors, it makes things more complicated. You need to hire employees who specialize in each device. It's better if your team understands a solution's features and capabilities.
If you're considering a SIEM solution, you should compare each product's mean detection and response time. I'm unsure if that information will be publicly available for every solution, so you may need to test them. You should also think about other components besides cost. Sentinel might be more expensive than other solutions, but it's more comprehensive because it incorporates all the different security elements and keeps evolving.
Microsoft is constantly updating all of its solutions. We mainly utilize Microsoft infrastructure, but some solutions are based on Unix or Linux. At the same time, threats on that side aren't as critical as those from Microsoft. They own the operating system, so they're positioned to understand the vulnerabilities and how to fix them.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller