Try our new research platform with insights from 80,000+ expert users
Wasif Kazia Mohamed - PeerSpot reviewer
IT Senior Systems Administrator at Dubai Developments
Real User
Top 10
Provides excellent log analysis but isn't the most user-friendly
Pros and Cons
  • "The log analysis is excellent; it can predict what can or will happen regarding use patterns and vulnerabilities."
  • "The solution could be more user-friendly; some query languages are required to operate it."

What is our primary use case?

We primarily use the solution for analyzing logs, such as those from Azure AD. We have it integrated with Microsoft 365 and plan to integrate it with our firewalls so we can analyze those logs too. So, our main uses are for log analysis and to check for vulnerabilities in our system.

We use more than one Microsoft security product; we also use Defender for Cloud. 

How has it helped my organization?

Sentinel helps us to prioritize threats across our enterprise. 

The solution reduced our time to detect and respond. 

What is most valuable?

The log analysis is excellent; it can predict what can or will happen regarding use patterns and vulnerabilities.

Sentinel provides good visibility into threats. 

The product enables us to investigate threats and respond holistically from one place, and that's important to us. 

Given the solution's built-in SOAR, UEBA, and threat intelligence capabilities, it provides reasonably good comprehensive protection, and we are happy with it. 

Sentinel helps us automate routine tasks and find high-value alerts; the playbooks are beneficial and allow us to optimize automation.

The tool helped eliminate multiple dashboards and gave us one XDR dashboard. Having one dashboard is the reason we purchased Sentinel.  

Sentinel's threat intelligence helps us prepare for potential threats before they hit and to take proactive steps. It helps a lot, and that's another main reason we have the product.  

What needs improvement?

The solution could be more user-friendly; some query languages are required to operate it.

A welcome improvement would be integrations with more products and connectors. 

Buyer's Guide
Microsoft Sentinel
November 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,192 professionals have used our research since 2012.

For how long have I used the solution?

We've been using the solution for over a year. 

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

Sentinel is a scalable product. 

How are customer service and support?

Microsoft support is good, I rate them seven out of ten. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We didn't previously use another solution of this type; when we moved to Azure, Sentinel was one of the products Microsoft recommended, so we started using it.

How was the initial setup?

I was involved in the deployment of Sentinel, but my colleague did the majority. The setup was basic; some query language is required to implement it fully, and we could improve our configurations. Our implementation strategy was to cover the major products first, including Office 365 and Azure AD. We did that, and we're now adding the other tools we use in our environment.

Our setup is not particularly expansive, so we can deal with the maintenance requirements within our team; it only requires one team member. Our team consists of three or four admins; we manage the Azure AD logs, and Azure AD has 400 users.

What's my experience with pricing, setup cost, and licensing?

The pricing is reasonable, and we think Sentinel is worth what we pay for it.

One of the main reasons we switched from on-prem to Azure Cloud was to save money, but at the same time, we kept adding on features and spent a lot doing so. We're now looking at cost optimization and removing unnecessary elements, as one of our primary goals is to reduce costs. I'm unsure if we are, but we are trying to get there.

What other advice do I have?

I rate the solution seven out of ten. 

Sentinel allows us to ingest data from our entire ecosystem, though we are attempting to integrate all our products. It can ingest and analyze all the data, but we aren't using this functionality to its fullest extent yet.

My advice to someone considering the product is to use it. Start by integrating your primary applications, then slowly move on to others in descending order of importance. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
IT Manager at a manufacturing company with 501-1,000 employees
Real User
Top 20
Highly efficient and a time-saving solution with a single and easy dashboard in place
Pros and Cons
  • "Previously, it was a little bit difficult to find where an incident came from, including which IP address and which country. So in Sentinel, it's very easy to find where the incident came from since we can easily get the information from the dashboard, after which we take action quickly."
  • "Microsoft should improve Sentinel, considering that from the legacy systems, it cannot collect logs."

What is our primary use case?

We are using Microsoft Sentinel for our traditional SOC. So previously, we had multiple products, like VM products, log analytics products, and analysts. We are making so much effort to analyze incidents and events in the security operation center., after which we decide whether it's an incident or an event, and we take action. After Sentinel's implementation, it would be much better and much simpler. For instance, we can now save much more time since in Sentinel, there is artificial intelligence, so the system will decide for you instead of a human. The system will learn what kind of thing you should take action on, and it will save some time since you do not need much human power. In traditional SOC systems, there were three or four people. But in Sentinel, it's much easier, and you do not need so many people in the SOC. So you will save time and keep it cost-effective.


How has it helped my organization?

Previously, we were incurring a huge cost being paid to a person. But in Sentinel, you do not hire anyone because the system provides system insights through the cloud applications. So you do not need to put effort, or you don't need to hire either of the senior people. So in, in your SOC team, would be mid-level people, and it would be fine. Also, you do not need so many people. So, one or two people left the organization after the central implementation. So we just have an agreement with one company at a professional level since they're also managing Sentinel. We do not need to pay for the maintenance of applications. So that's also a benefit for us. So, in this case, we are only paying Sentinel yearly or annual costs.


What is most valuable?

Previously, we could not do some automation. So in Sentinel, we create some playbooks, and with some features in the playbooks, we have some capabilities. For example, when a virus enters the system, we will take action to keep the system safe. So, the machine with the virus can be automatically isolated from the network, and this might be a pretty cool feature in the solution currently.


What needs improvement?

Microsoft Sentinel has improved our entire SOC, like our log system and incident response. So we are able to quickly respond to incidents and take action. Even though Microsoft Sentinel has already improved our system, it should further improve for on-premises systems or traditional systems, especially to get or collect logs from the legacy systems. Also, Microsoft should improve Sentinel, considering that from the legacy systems, it cannot collect logs.

For how long have I used the solution?

I have been using Microsoft Sentinel for about six months. My company has a partnership with Microsoft.


How are customer service and support?

I have not contacted technical support.

Which solution did I use previously and why did I switch?

We are using Microsoft Intune. From the mobile device management point of view, it makes work very easy. We are just planning that with Microsoft Intune, we can easily export some logs to Sentinel to analyze them. We are not using this feature right now, but we are planning. If you are using Microsoft applications, it's very easy to integrate them with other Microsoft products.

Defender is something that we are using as an antivirus for Android applications, but we are not using it on the cloud.


What's my experience with pricing, setup cost, and licensing?

From a cost point of view, it is not a cheap product. It's, like, an enterprise-level application. So if you compare it with a low-level application, it's expensive, but if you compare it with the same-level application, it's pretty much cost-effective, I think. Because for other products, you need to purchase them by paying thousands of dollars. In Sentinel, you pay for how much you use, or you just pay for how much you consume storage, log interface, or system. It will not be a one-time cost, but it will be like a continuous rental system, where you subscribe to an application, and then you use it. That's very easy. I think the company got the solution for a long time. If you purchase some products, you need to invest in something, and it increases your investment budgeting. Many enterprises do not like investments. But this is not a one-time cost, to be honest, since continuously, we will pay. This is maybe a negative point of view, but considering from company to company, it entirely depends on a company's strategy.


What other advice do I have?

Previously, it was a little bit difficult to find where an incident came from, including which IP address and which country. So in Sentinel, it's very easy to find where the incident came from since we can easily get the information from the dashboard, after which we take action quickly.

Sentinel does provide me with the ability to set priorities on all the threats across your entire enterprise. So, it is very important because we were previously getting the service from the outside. It would be yes. Sentinel is a next-generation SOC. So, Sentinel also still develops some applications on Sentinel's site, so maybe in the next release, they will introduce a much more effective version for the company. I'm not sure how many companies use it right now. Maybe in the future, more companies will use Sentinel because its features are such that compared to the traditional SOC systems, they are not affected since the system is a cloud-based system. So it's easy to manage. Also, you don't need to care about it from an infrastructure point of view. Additionally, we don't need to take care of products, and we don't need to take care of maintenance. From a product point of view, we do not need to manage since we just need to focus on the incident event.

Right now, we are using very traditional applications, so there is no use of native Microsoft applications right now.

Sentinel enables me to ingest or collect data from my entire ecosystem, but not all of them, because some traditional applications cannot provide some data needed for export. It cannot allow you to get reports or logs from outside. It's a challenging point, so this might be an opportunity for us to change the traditional application. In traditional applications, and sometimes in IT systems, it might be very difficult to get data insight. In some cases, we need to change the application since, in traditional applications, you cannot get support. To fix it, you need to decide something, or maybe you need to decide on the application change. It might be an opportunity for you. But in the next-generation application, there is no problem. With a new application, you can easily integrate with Sentinel. In Sentinel, the negative point is just related to cloud applications. With cloud applications, maybe sometimes you cannot get data from the on-prem application. So if you use a cloud system, like Sentinel, which is a cloud system, then it's very easy. If you are using an on-prem system, Microsoft Sentinel sometimes may not be easy to integrate.

Sentinel allows me to investigate threats and respond quickly and thoroughly from just one place. It accelerates our investigation, especially our event investigation and incident investigation. Using Sentinel, we take quick actions and get quick insights after its standard implementation. So it is time-efficient.

Previously, we had no SOAR applications. In Sentinel, if you want to take action quickly, you need to create playbooks so that if something happens, you can just develop an application like a playbook in Sentinel so that if something happens, you can tell Sentinel to take action. You can freely create your own playbooks since it's very easy. In my opinion, this is the best feature of one product. Normally, you need to purchase two applications or two products. But in Sentinel, they combine everything together. This is the most beautiful feature for me.

Sentinel helps automate routine tasks and help automate the finding of high-value alerts. We do not need to create manual operations like when our system engineers see the incident and they do a system analysis. So after Sentinel, the system analysis is not done by anyone since Sentinel can already make decisions and then take action by itself. So at this point, there's no human power. Sometimes human power is needed, but maybe eighty percent or ninety percent of the time, there is no human power needed. So, it has caused significant improvements in our entire company.

Sentinel has helped eliminate having to look at multiple dashboards and giving us just one XDR dashboard. Previously, we had to check multiple dashboards, especially in relation to whether logs were coming and other things, like incidents and events. In Sentinel, you do not need to check many dashboards. So you are just designing one dashboard, and then, on the entire dashboard, you will see everything. So, it now saves time since previously there were multiple dashboards causing our engineers and our analysts to get confused at times. So they used to ask our managers to understand better. Currently, it is very easy to understand since one needs to check in on one dashboard, and there's no confusion among the engineers. But they do not need to ask anyone to understand. Apart from better understanding, it has improved our systems.

From a security point of view, you need to go with multiple vendors, but this is a traditional system. But right now, if you want to create a good security system, you need to implement each product with one vendor. Because vendors currently state that, if you want to have a high-level security system. You need to implement each product on a security level from one vendor. Microsoft-level vendors offer many features, but people only just purchase or use one product, and that's all. It's not good for security infrastructure. So, you need to implement all security products from just one vendor. I think one vendor and the needed security products will be enough for a company. Sentinel is our next-generation SOC. Currently, I don't see any competitors at this level.

I rate the overall solution a nine out of ten.


Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Buyer's Guide
Microsoft Sentinel
November 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
816,192 professionals have used our research since 2012.
Sr. Security Engineer at Ebryx
Consultant
Because it is a cloud-based deployment, we don't need to worry about hardware infrastructure
Pros and Cons
  • "Azure Application Gateway makes things a lot easier. You can create dashboards, alert rules, hunting and custom queries, and functions with it."
  • "There are certain delays. For example, if an alert has been rated on Microsoft Defender for Endpoint, it might take up to an hour for that alert to reach Sentinel. This should ideally take no more than one or two seconds."

What is our primary use case?

We work as a managed security services provider (MSSP). We have different clients who have their own security team. 

One company that I worked for recently had a security team of three people, then they hired us for 24/7 analysis and monitoring. For that, I solely worked on building this product, then there are the eight to nine people who do 24/7 monitoring and analysis.

Sentinel is a full-fledged SIEM and SOAR solution. It is made to enhance your security posture and entirely centered around enhancing security. Every feature that is built into Azure Sentinel is for enhancing security posture.

How has it helped my organization?

It has increased our security posture a lot because there are a lot of services natively integrated to Azure Sentinel from Microsoft, e.g., Microsoft Defender for Endpoint and Defender for Office 365. 

From an analyst's point of view, we have created a lot of automation. This has affected the productivity of analysts because we have automated a lot of tasks that we used to do manually. From an end user's perspective, they don't even notice most of the time because most of our end users are mostly non-technical. They don't feel the difference. It is all about the security and operations teams who have felt the difference after moving from LogRhythm to Azure Sentinel.

What is most valuable?

It is cloud-based, so there isn't an accessibility issue. You don't have to worry about dialing a VPN to access it. Azure does require that for an on-prem solution that the security part is entirely on Microsoft's and Azure's sign-in and login processes.

Because it is a cloud-based deployment, we don't need to worry about hardware infrastructure. That is taken care of by Microsoft.

Azure Application Gateway makes things a lot easier. You can create dashboards, alert rules, hunting and custom queries, and functions with it.

Its integration capabilities are great. We have integrated everything from on-prem to the cloud.

What needs improvement?

There are certain delays. For example, if an alert has been rated on Microsoft Defender for Endpoint, it might take up to an hour for that alert to reach Sentinel. This should ideally take no more than one or two seconds.

There are a couple of delays with the service-to-service integration with Azure Sentinel as well as the tracking point.

For how long have I used the solution?

I have been using it for 14 to 15 months.

What do I think about the stability of the solution?

Azure Sentinel is pretty stable. Sometimes, the agents installed on endpoints go down for a bit. Also, we have faced a lot of issues with its correctors in particular. However, the platform is highly stable, and there have been no issues with that.

For operations, one to two people are actively using the solution. For analysis, there are eight to 10 people who are actively using it.

What do I think about the scalability of the solution?

Sentinel is scalable. If you want, you can hook up a lower balance security corrector. So, there are no issues with scalability.

We have coverage for around 60% to 70% of our environment. While this is not an ideal state, it has the capability to go to an ideal state, if needed.

How are customer service and support?

I have worked with Azure Sentinel for four clients. With only one of those clients, the support was great. For the last three clients, there were a lot of delays. For example, the issues that could have been resolved within one or two hours did not get resolved for a month or two. So, it depends on your support plan. It depends on the networking connections that you have with Microsoft. If you are on your own with a lower priority plan, it will take a lot of time to resolve minor issues. Therefore, Microsoft support is not that great. They are highly understaffed. I would rate them as six or seven out of 10.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We had a full-fledged SIEM, LogRhythm, already working, but we wanted to migrate towards something that was cloud-based and more inclusive of all technologies. So, we shifted to Azure Sentinel and migrated all our log sources onto Azure Sentinel. We also added a lot of log sources besides those that were reporting to LogRhythm.

We have used a lot of SIEMs. We have used Wazuh, QRadar, Rapid7's SIEM, EventLog Analyzer (ELA), and Splunk. We used Wazuh with ELK Stack, then we shifted to Azure Sentinel because of client requirements.

How was the initial setup?

The initial setup was really straightforward because I had already worked with FireEye Security Orchestrator, so the automation parts were not that difficult. There were a couple of things that got me confused, but it was pretty straightforward overall.

Initially, the deployment took seven and a half months.

What about the implementation team?

We used a lot of forums. We used Microsoft support and online help. We used a lot of things to get everything into one picture. There is plenty of help available online for any log sources that you want to move to Azure Sentinel.

What's my experience with pricing, setup cost, and licensing?

I have worked with a lot of SIEMs. We are using Sentinel three to four times more than other SIEMs that we have used. Azure Sentinel's only limitation is its price point. Sentinel costs a lot if your ingestion goes up to a certain point.

Initially, you should create cost alerts in the cost management of Azure. With one of my clients, we deployed the solution. We estimated that the ingestion would be up to this particular mark, but that ingestion somehow got way beyond that. Within a month to a month and a half, they got charged 35,000 CAD, which was a huge turn off for us. So, at the very beginning, do your cost estimation, then apply a cost alert in the cost management of Azure. You will then get notified if anything goes out of bounds or unexpected happens. After that, start building your entire security operation center on Sentinel.

Which other solutions did I evaluate?

The SOAR capabilities of Azure Sentinel are great. FireEye Security Orchestrator looks like an infant in front of Azure Sentinel's SOAR capabilities, which is great.

What other advice do I have?

The solution is great. As far as the product itself is concerned, not the pricing, I would rate it as nine out of 10. Including pricing, I would rate the product as five to six out of 10.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
reviewer2181228 - PeerSpot reviewer
Senior Cyber Security Manager at a tech services company with 11-50 employees
Reseller
The threat intelligence helped us prepare for attacks by developing rules before they hit
Pros and Cons
  • "Sentinel improved how we investigate incidents. We can create watchlists and update them to align with the latest threat intelligence. The information Microsoft provides enables us to understand thoroughly and improve as we go along. It allows us to provide monthly reports to our clients on their security posture."
  • "We've seen delays in getting the logs from third-party solutions and sometimes Microsoft products as well. It would be helpful if Microsoft created a list of the delays. That would make things more transparent for customers."

What is our primary use case?

We're a cybersecurity company using Sentinel to provide SIEM services to our customers. 

How has it helped my organization?

Sentinel improved how we investigate incidents. We can create watchlists and update them to align with the latest threat intelligence. The information Microsoft provides enables us to understand thoroughly and improve as we go along. It allows us to provide monthly reports to our clients on their security posture. 

It helps us automate some tasks but not others. There are some things we missed because there aren't any rules. We're still working on integrating it. We know it can detect high-severity incidents if we utilize it correctly. We've been able to automate incident responses to some high-level threats we've encountered.

Microsoft's threat intelligence helped us prepare for attacks by developing rules before they hit. We know what behavior to expect because we have visibility into the threat and the actors. 

Sentinel's reporting features save us time. In the past, we created reports in Microsoft Word by dropping in screenshots. With Sentinel, we can create readymade reports from the dashboard. Our monthly report previously took about 16 to 24 hours to complete. We cut that in half. 

What is most valuable?

We have our own ticketing system for our soft team, and Sentinel's playbooks helped us automate many processes. 

Sentinel provides excellent visibility. Microsoft updates a lot of its security solutions via Sentinel. The content hub and connectors are available to integrate everything. Microsoft also created separate analytics groups, so we log behaviors and use a template. We often need to modify the template based on a customer's log behavior and our correlation and analysis. 

We can learn some new techniques for using KQL correctly by studying the latest templates that Microsoft releases and creating some KBs for our analysts. The MITRE ATT&CK framework is now integrated into Sentinel, so we can statistically identify which part of our microservices are vulnerable. We can assess the severity of threats and prioritize them accordingly. We also need to prioritize based on our SLAs. 

My company also provides managed service for Defender for Endpoint, previously called ATP. We also work with Defender for Cloud and Defender for Identity.

All the Microsoft solutions are integrated with Sentinel, including 365 apps, Azure AD, and various cloud-based security solutions. It includes all the connectors you need to ingest logs from multiple Microsoft products, giving us near-total visibility. Some customers use on-prem security appliances, so we have to correlate logs. 

Sentinel comes with Azure Lighthouse. We can link the subscription to our customer's tenant and ask them to create a global admin account. We can report on the activities using each account and how secure the credentials are. The integration is seamless when we have that level of access. 

We offer ingestion for all Microsoft products and always recommend our clients get everything so we can get full threat visibility and effectiveness. Having all the products integrated into Sentinel helps us see the big picture. In addition to the analytics rules and everything, we're utilizing dashboards and workbooks. Some workbooks are templates that Microsoft provides, but we also develop our own. 

We can compile all this data, put it in a workbook, and create rules. The other part is communicating with the customer because the user is still reviewing logs. Is it an admin? Is it doing daily counts of logins, etc? 

Three of our customers use Defender for Cloud. If a company needs it, we can support it. We have Microsoft-certified engineers who can provide expert frontline support.

Initially, we were only ingesting incidents from Defender for Endpoint, but now we can ingest more data throughout the system. Previously, we could not see some things. We could do it, but we had to search through the portal to find what we needed. Using a connector, we can see everything our employees do on the endpoint, such as device info, location, logins, etc. It's especially useful when employees work remotely or outside their normal area. 

Sentinel lets us investigate threats and comprehensively respond from one console. We can have multiple tabs on one application. The capabilities are robust and marketable. All of these solutions are combined. 

What needs improvement?

We've seen delays in getting the logs from third-party solutions and sometimes Microsoft products as well. It would be helpful if Microsoft created a list of the delays. That would make things more transparent for customers. 

In some instances, the customer reports that they suspect malware on a computer, and one of their IT guys noticed it. There is a five to ten minute delay before we can see it and respond. As a security company, we don't want the customer to be the first one to identify the threat. However, we must deal with delays from the various products we're integrating. For example, Apex One has a 15-minute delay.

Sometimes it's an issue with the third-party product, but sometimes it isn't. If it isn't, we need to open a ticket with Microsoft. We would benefit from transparency around delays and communication about what Microsoft is doing to resolve the issue. 

Another issue is transparency around usage and associated costs. There are charges if you use playbooks and queries. If you query 100,000 times a day, your costs will go up. The usage only displays in gigabytes per day. A breakdown would help us make reports for our management. 

For how long have I used the solution?

We have used Sentinel since 2020, so it has been about three years.

What do I think about the stability of the solution?

We also have experienced some performance problems in the UK. I'm not sure how that works, but something might be going on in the back-end. We transferred to a different region a while ago and lost some of our workspaces. We were shocked.

If Microsoft needs to failover to another region, the customer should be informed because it affects many things. Some of the products we ingest just suddenly stopped, and we have to redo the integration with Cisco Umbrella, AWS S3, and SendGrid. Azure was pulling those logs, and the connections were suddenly cut when this happened. 

How are customer service and support?

I rate Microsoft's support a five out of ten. We had problems using Azure and getting the logs from event services for one of our customers. The date and time the log generated on our customer's device were wrong. It showed the event's location but not the time that the event was generated. 

We contacted Microsoft, who told us to expect a reply the following day, but they didn't respond until four days later. Then, they sent us to another department to speak with someone more knowledgeable about our issue. 

We described the problem, and they asked us for evidence. They wanted our support team to recreate it. Microsoft's support team can create a lab environment and recreate the scenario for themselves. We had to stop the call because we were too busy.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We previously used an in-house SIEM solution. 

How was the initial setup?

Deploying Sentinel was complex initially, but it has gotten easier. We documented how we did everything, so it's easy for someone to replicate the steps. If we have accepted the CSP invite, we can deploy it in two days, including configuring ingestion, creating rules, and Azure onboarding. We also must build dashboards and templates. Sometimes there are delays, and it might take three to five weeks.

What's my experience with pricing, setup cost, and licensing?

Sentinel is costly compared to other solutions, but it's fair. SIEM solutions like CrowdStrike charge based on daily log volume. They generally process a set number of logs for free before they start charging. Microsoft's pricing is clearer. It's free under five gigabytes. Some of these logs we ingest have a cost, so they don't hide it. I believe the tenant pays the price, and Microsoft helps create awareness of the cost.

With other solutions, you don't know what you're being charged until you get the bill. You might find that you're using playbooks or queries too much. Microsoft gives you visibility into your expenses. 

Which other solutions did I evaluate?

We evaluated a few other solutions, including CrowdStrike, Splunk, and LogRhythm. We decided to go with Sentinel because we have Microsoft-certified staff, and many companies in the UK are adopting Defender and other Microsoft security solutions. Sentinel offers seamless integration with Microsoft security products, and we've also seen how flexible it can be.

We can leverage KQL queries. If you're trying to send logs to another SIEM, you'll probably need an API and a lot of other components to make it work. Sentinel makes our jobs easier by providing all of the connectors and out-of-the-box integration. 

What other advice do I have?

I rate Microsoft Sentinel a nine out of ten. I think the industry is shifting toward a single-vendor strategy instead of best-of-breed. If you have a lot of tools from various vendors, it makes things more complicated. You need to hire employees who specialize in each device. It's better if your team understands a solution's features and capabilities. 

If you're considering a SIEM solution, you should compare each product's mean detection and response time. I'm unsure if that information will be publicly available for every solution, so you may need to test them. You should also think about other components besides cost. Sentinel might be more expensive than other solutions, but it's more comprehensive because it incorporates all the different security elements and keeps evolving.

Microsoft is constantly updating all of its solutions. We mainly utilize Microsoft infrastructure, but some solutions are based on Unix or Linux. At the same time, threats on that side aren't as critical as those from Microsoft. They own the operating system, so they're positioned to understand the vulnerabilities and how to fix them. 

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Reseller
PeerSpot user
Hatice Solak - PeerSpot reviewer
Information Security Analyst at a tech vendor with 201-500 employees
Real User
Valuable threat hunting, user-friendly dashboard, and helps prioritize threats
Pros and Cons
  • "The dashboard that allows me to view all the incidents is the most valuable feature."
  • "I believe one of the challenges I encountered was the absence of live training sessions, even with the option to pay for them."

What is our primary use case?

Every day, I log into Microsoft Sentinel to check the logs. I start by checking the incidents and analyzing them. If I need to create an automatic rule, I do so. If the logic needs to be changed, I make the necessary adjustments. I am responsible for managing Microsoft Sentinel for our organization.

How has it helped my organization?

For our organization, Microsoft Sentinel helps us prioritize threats across most of our environment because we have not yet fully integrated the solution into all aspects of our operations. Currently, we are working on integrating mutual source AWS into Sentinel, which will provide us with more visibility. Apart from that, there is already a lot of visibility in case of any failures or anyone attempting large deployments across other companies or similar activities. Additionally, if someone attempts to use login information from a different location, it becomes apparent, as it is impossible to travel that quickly. Sentinel covers almost everything.

We are using Microsoft Office 365 for email security in our environment. Our infrastructure engineers have integrated Microsoft Office 365 with Sentinel. When we view the old connectors in the application, it mentions Microsoft Office 365. Currently, it also indicates this in terms of firmware.

Microsoft Sentinel can enable us to ingest data from our entire ecosystem. However, since we are currently receiving services from an external source, we are not integrating the tool right now. That's why we are looking for another tool that we can integrate with Microsoft Sentinel. Once we do that, I believe we will be able to see everything, including any malware-related issues, as well as other security and licensing concerns.

The ingestion of data into our security operations is of utmost importance. If we are not monitoring whether people are sending large documents to other companies, how will we realize it? We don't have any other tool for that. Of course, we have email security and EDR, which cover some aspects, but some of them are not effective or are too basic. Unlike them, Microsoft Sentinel is comprehensive. It records everything: every click, download, login, and search. Therefore, it is a necessary tool for our operations.

Microsoft Sentinel allows us to investigate threats and respond quickly from a unified dashboard. A couple of months ago, there was a concern with the AWS environment, and our director asked us to identify any relevant code-related alerts originating from the environment. Since we didn't have the rules at that time, I looked into the recommended analytics section, which turned out to be quite straightforward. When we write Python or work with any logs, cells, or Java-related elements, Microsoft Sentinel provides us with insights and a logical approach to integrating our environment. During my investigation, I discovered some configurations related to the Python code, and it appears to be functioning well now.

Microsoft Sentinel's built-in SOAR, UEBA, and threat intelligence capabilities work well and are further enhanced with the addition of a firewall for added protection.

Before our organization implemented Microsoft Sentinel, we only had an email security DLP solution and some other tools. While we could see the logs on our computer, they were often presented in a confusing manner, appearing like gibberish to us. However, with the introduction of Sentinel, we can now interpret and make sense of that information.

When I joined the organization, they were already in the process of implementing Microsoft Sentinel. However, I am familiar with other integrations with Sentinel, such as AWS, and the integration is not difficult. We simply create the necessary resources, and everything is well-documented, which is a huge plus. We can access all the information online, both in the AWS part and in Microsoft Sentinel. So, I believe it's not rocket science.

It helps automate routine tasks and aids in identifying high-value alerts. We have automated the tool to receive critical or high alerts and send us messages accordingly. This automation is currently active. Whenever a high alert is generated, it comes through direct messages. Even during non-working hours, I receive these alerts on my phone immediately. If it's an important alert, I can respond promptly. We had an incident where I had to work on weekends due to such an alert. However, if I'm not using the tool or haven't activated it, I generally don't turn on the computer after work hours. So, this feature has been beneficial for us. Some months ago, there was a Microsoft bug that created false positive alerts for every clean link, including company links. We made modifications to the alerts, and now we no longer receive those unnecessary alerts.

It helps eliminate the need to look at multiple dashboards by providing us with just one XDR dashboard. We no longer have to go to other places. However, there are instances when we receive alerts about failing servers, and we can't check them using Sentinel; instead, we have to use Azure Active Directory. It's not Sentinel's fault, and checking through Azure Active Directory is not difficult, but we still have to go somewhere else.

Sentinel's threat intelligence assists us in preparing for potential threats before they strike, allowing us to take necessary precautions. My weekly routine includes dedicating at least two hours to the accounting part. I am constantly searching for any threats in our environment that may have gone unnoticed. So far, I haven't found anything, but I'm always vigilant because we can never be entirely certain that there are no threats.

We have been enabled to save a significant amount of time. The log files consist of hundreds of pages, and to review them, we need to possess networking knowledge to identify the specific case. Without knowing what we are searching for, it's like trying to find a needle in a haystack. Sentinel migrates the logs and presents the visual information in a user-friendly manner, which has proven to be a time-saving solution for us.

Sentinel saves money by reducing the number of people required to monitor the alerts. For example, if there are normally 50 alerts per week, fine-tuning reduces them to just one.

Microsoft Sentinel helps decrease our time to detect and time to resolve. Sentinel provides a brief introduction to the events occurring in the environment when someone is causing instability in the AWS environment. Sentinel precisely identifies the issue and offers a link for accessing more information about the situation.

What is most valuable?

The dashboard that allows me to view all the incidents is the most valuable feature. Threat hunting is also valuable. Sentinel has a Microsoft framework, so we can experiment with numerous queries. There are almost 500 queries available that we can utilize based on our environment.

What needs improvement?

I believe one of the challenges I encountered was the absence of live training sessions, even with the option to pay for them. Microsoft insists that all information is available in the documentation, which I must admit is quite comprehensive and helpful. However, for someone without a coding background, learning solely from the documents can be challenging at times. It would be much easier to learn if there were practical exercises and instructional videos available. This aspect bothered me significantly. While I did come across a course, my preference was to access it through Sentinel since they are already providing us with their services. Having the team trained up would undoubtedly streamline my job and save a considerable amount of time.

For how long have I used the solution?

I have been using Microsoft Sentinel for one year.

What do I think about the stability of the solution?

We have not had any scalability issues with Microsoft Sentinel.

What do I think about the scalability of the solution?

Microsoft Sentinel is scalable. We can add as many services as we want, and Microsoft automatically increases the capacity by adding memory and storage.

How are customer service and support?

I have used technical support many times. Sometimes, I have a really hard time understanding them. I am not sure if they are calling from India, but there was background noise at times. However, they are really helpful, even though they seem a bit indifferent. They frequently inquire whether we have addressed the issue and if it has been resolved—quite a lot, actually.

In a company, we are often very busy. They expect us to address the issues immediately, but sometimes it can take months. So, I inform them that I will follow up. They can be a little pushy, which is understandable from their perspective, but for us, it can be challenging because we have many other tasks to handle. Sentinel is just one of my priorities, and there are a lot of other things I need to take care of. That's why sometimes we need time, but to their credit, they are always responsive. Whenever we ask them a question, they promptly provide a response.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I had previously used Kibana, which is quite different from Microsoft Sentinel. When I used Microsoft Sentinel for the first time, I realized that this was the ideal solution. Microsoft Sentinel is user-friendly, unlike Kibana, which I found difficult to install and not very user-friendly. Microsoft Sentinel, on the other hand, is incredibly user-friendly, making it easy for everyone to understand and learn how to use it. It is a straightforward solution to comprehend.

What other advice do I have?

I give Microsoft Sentinel a nine out of ten.

We are currently evaluating Microsoft Defender and CrowdStrike in our environment to determine which one is a better fit. As for Defender, I cannot claim to have a complete understanding of it since it's in a testing environment. I can monitor people's devices, but I have not yet received any alerts generated by the devices. It has only been around ten days.

I am responsible for creating documentation for all of our implementations, while other teams handle the infrastructure portion.

Maintenance is minimal for Microsoft Sentinel. There is a check button in the house. Sometimes I go there because we occasionally find that some things are not working properly. So we have to go there and address the issue, but it is not a common occurrence. Maybe it happens, like, three times a year which is not bad.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Mahmoud Hanafi - PeerSpot reviewer
IT Operation Manager at Orascom Construction Industries
Real User
Top 5
Comprehensive with good automation and prioritizing of threats
Pros and Cons
  • "The Log analytics are useful."
  • "I would like to see more AI used in processes."

What is our primary use case?

We have possible use cases for the solution. We have ten or 12 different use cases under this solution.

What is most valuable?

The Log analytics are useful. You can review many details. 

The portal and the full integration and collaboration between the cloud workloads and multi-tenants have been useful. We can use it with Sharepoint and Exchange.

The solution helps us prioritize all of our threats. It's one of the most important and critical systems we have here. 

We have a lot of Microsoft solutions. For example, we also use Defender for endpoints and Microsoft Cloud. We mostly use Microsoft products, although we also use Crowdstrike. 

It was easy to integrate Defender for Endpoint. Each of these solutions works natively together. It's very crucial that they work together. 

Microsoft is very comprehensive. It helps protect us and offers very clear information. It's easy to assess everything. It's a good user experience. 

We make use of Microsoft Defender for Cloud's bi-directional sync capabilities. We have different customers under our umbrella and multiple subsidiaries. Not all have access to the same license. We don't have the same security exposure everywhere. We can pick and choose who needs access.

Sentinel does enable us to ingest data from our entire ecosystem. This is crucial. That said, it can cost us a lot of money. We try to get feature visibility and enhance the collected logs to be able to identify only certain logs that would need to be uploaded. That said, it's very crucial we can ingest data from anywhere.  

We can investigate threats and respond holistically from one place, one dashboard. Having one dashboard is important as it saves the team from headaches. We can collect all the information we need in one view.

The comprehensiveness of Sentinel is good in that it helps us identify most of our gaps in security. In the last few years, we have been able to fill in most of the gaps.

Once we enabled the connectors and started getting incident reports to our dashboard we were able to realize the benefits of the solution. It took about one month to begin to get the value of this product.

Sentinel helps automate routine tasks and helps automate the findings via high-value alerts. We've been able to automate a lot of the cycle and leave the investigation to humans. Support is very crucial and we can take the right actions fast.

The product helps us prepare for potential threats before they hit and we can take proactive steps. We're very satisfied in terms of security operations.

Before implementing the solution, we didn't know we were wasting a lot of time. Once the solution was in place, we discovered a lot of gaps across the traditional way we were handling security. 

I can't say if we are saving money. However, we're investing in the right places. We're now utilizing services we actually need. From a business perspective, although it does have a cost, it's saving the business since it's protecting us from any security breach.

What needs improvement?

I'd like to see more integration with other technologies beyond the Microsoft OS. 

I would like to see more AI used in processes.

For how long have I used the solution?

I've been using the solution for three or four years. 

What do I think about the stability of the solution?

The stability is not an issue. 

What do I think about the scalability of the solution?

We do have plans to increase usage. The solution has the ability to scale. 

How are customer service and support?

We have not opened a ticket for technical support yet. So far, we haven't had any issues. 

My understanding is Microsoft does not have good support and has done a lot of outsourcing. In general, they used to be brilliant as they were focused on customer satisfaction and engaged with experts, however, the quality is not as good.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We also use Crowdstrike as our EDR solution. However, before Sentinel, I did not use anything else in this category.

How was the initial setup?

I took part in the initial deployment. The process was very straightforward. It took about one week to onboard all that we needed. We did it in three phases. First, we did a demo and looked for items that needed to be addressed. We then onboarded the device and put the analytics and logs in place. 

We had a team of three on hand that handled the deployment. They also handle support and maintenance. 

What about the implementation team?

We initially had the assistance of Microsoft partners. However, we failed to get all of the information we needed. We found it more valuable to get assistance from the vendor directly. 

What's my experience with pricing, setup cost, and licensing?

I can't speak to the exact cost.

What other advice do I have?

We are a customer of Microsoft. 

During implementation, it's helpful to get the vendor engaged in the implementation. 

I'd rate the solution nine out of ten.

It's good to go with a single-vendor strategy. I've recommended this product to others.

The user experience should be the number one priority. Microsoft is working on this every day. It's very important to us that the user experience is maintained and there's no conflict between the products or connectors. Having one dashboard makes it easier for admins and businesses to be in touch, engage, and share. For example, my manager can see my reports even if he's not knowledgeable in the technology.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Cyber Security Operations Analyst at a financial services firm with 5,001-10,000 employees
Real User
Top 20
Provides good visibility, integrates with different log sources, and supports automation with Playbooks
Pros and Cons
  • "Microsoft Sentinel provides the capability to integrate different log sources. On top of having several data connectors in place, you can also do integration with a threat intelligence platform to enhance and enrich the data that's available. You can collect as many logs and build all the use cases."
  • "We do have in-built or out-of-the-box metrics that are shown on the dashboard, but it doesn't give the kind of metrics that we need from our environment whereby we need to check the meantime to detect and meantime to resolve an incident. I have to do it manually. I have to pull all the logs or all the alerts that are fed into Sentinel over a certain period. We do this on a monthly basis, so I go into Microsoft Sentinel and pull all the alerts or incidents we closed over a period of thirty days."

What is our primary use case?

We use it for security. It's at the forefront of managing the security within our organization. We use the platform as our main SIEM for enterprise security whereby we have several tools that feed into Microsoft Sentinel and then from there, we have the use cases. It's a major tool for security monitoring within the enterprise.

How has it helped my organization?

Microsoft Sentinel provides the capability to integrate different log sources. On top of having several data connectors in place, you can also do integration with a threat intelligence platform to enhance and enrich the data that's available. You can collect as many logs and build all the use cases. 

Microsoft Sentinel helps to prioritize threats across the enterprise. We do threat categorization based on a risk-based approach. We categorize incidents as critical, high, and medium. The platform gives us the capability of categorizing the threats based on our assets' criticality and the type of data on our systems. At the end of the day, it does help in managing the threats within the organization. There are different levels of threats depending on the data that we have.

We also use Microsoft Defender for Endpoint. We have integrated Microsoft Defender for Endpoint with Microsoft Sentinel. Most of the alerts that come on our Microsoft Defender for Endpoint are fed into Microsoft Sentinel. We manage those alerts through Microsoft Sentinel, but when we are doing our investigations, we always leverage Microsoft Defender for Endpoint because we are able to do the investigation from the original source. Integrating a Microsoft product with other Microsoft products is not as difficult as compared to integrating Microsoft products with other vendor applications. With the inbuilt data connectors that already exist in Microsoft Sentinel, it's much easier to do the integrations with the Azure environment and other Microsoft products. If there's no data connector, it's somehow tricky. If we have a data connector in place, it's better. We also need to do some customization of the data that we ingest because we need to have the right size of the data that we feed into Microsoft Sentinel because of the cost aspect. At the end of the day, we managed to do an integration of on-prem AD with Microsoft Sentinel via a platform that acts as a bridge between them

Microsoft Sentinel and Microsoft Defender for Endpoint work together natively. The alerts are fed into Microsoft Sentinel seamlessly, but when it comes to investigations, you need to leverage Microsoft Defender for Endpoint to isolate a device and to see some of the timelines or actions that were done with that machine. You can't do that with Microsoft Sentinel.

Microsoft Sentinel allows us to investigate threats from one place, but it doesn't let us respond from one place. For responding, we need to narrow down the source of the threat. If it has been flagged from a Cisco perimeter solution that we use, such as Cisco Meraki, we need to go back and check in that platform. If it's flagging an issue that's happening on an endpoint, we need to go back to Microsoft Defender for Endpoint and do further investigation to respond.

Microsoft Sentinel helps to automate routine tasks. We have playbooks and once we establish a baseline or a routine task that needs to be done, we can just automate it through the playbook.

We have the Sentinel dashboard, but we still need other dashboards for other logs, such as from email. We can't see email logs from Sentinel. We still need a network security monitoring platform. It has helped us to secure 90% of our cloud environment.

With the integrations we have, its threat intelligence helps prepare us for potential threats before they hit and to take proactive steps. We get visibility into what's happening on the AD on a real-time basis. If there's any issue going on with the AD, we are able to fix that within the minimum time possible. It also helps with the visibility of different resources across the cloud environment. However, it can't do all that by itself. We also need other tools. 

It has saved us time. It has helped in handling most of the issues within the cloud environments or any misconfigurations done on the cloud environment. We are able to handle any issues within the shortest time possible. In terms of threat detection, I can give it a nine out of ten. If we didn't have Microsoft Sentinel, it would have taken us three to four days to discover a security incident that is happening or any security misconfiguration in the cloud environment. Within a week, it saves me about three days.

It has saved us money from a security risk perspective, but from a technology perspective, it hasn't saved much. The main value that it's giving to the organization is from a security perspective.

It has saved our time to detect, but that also depends on the original platform. If the original platform, such as Microsoft Defender, fails to detect incidents, then Microsoft Sentinel will definitely not flag anything. The feed that Microsoft Sentinel gets comes from other platforms. With better fine-tuning across the other platforms and with good integrations, it can really help.

What is most valuable?

Playbooks are valuable. When it comes to automation, it helps in terms of managing the logs. It brings the SOAR capability or the SOAR perspective to the platform with the high usage of Microsoft products within our environment. We are utilizing most of the Azure resources. Our AD runs on Azure. We have on-prem and Azure AD, so we have the integrations. At the end of the day, when we are managing the security, we have the capability of initiating some options from Microsoft Sentinel and directly to AD. We also have automation with Cisco Meraki. We have configured playbooks where if there is a suspicious IP, it blocks the IP.

What needs improvement?

Microsoft Sentinel needs to be improved on the metrics part. I've had an issue in the recent past while trying to do my metrics from it. It gives me an initial report, but sometimes an incident is created on Microsoft Sentinel, but you realize that when a lot of information is being fed from Microsoft Defender to Microsoft Sentinel, instead of feeding the existing alert, Microsoft Sentinel creates a new alert. So, metrics-wise, it can do better. It can also do better in terms of managing the endpoint notifications.

We do have in-built or out-of-the-box metrics that are shown on the dashboard, but it doesn't give the kind of metrics that we need from our environment whereby we need to check the meantime to detect and meantime to resolve an incident. I have to do it manually. I have to pull all the logs or all the alerts that are fed into Sentinel over a certain period. We do this on a monthly basis, so I go into Microsoft Sentinel and pull all the alerts or incidents we closed over a period of thirty days. I then calculate the meantime to detect and the mean time to resolve. I have to check when all the tickets were created, when they were handled by the analysts, and when they were closed. I do a manual metrics calculation after pulling all the data. I believe Microsoft can do better on the metrics side of Sentinel. They can provide monthly reports. If I want to submit the reports to my senior management, it will be much easier for me to pull the data as a report. Currently, you can't pull any reports from Sentinel. It would be helpful if they can build a reporting tool within it and allow me to have my own customization. I should be able to customize the reports based on my needs. For example, I should be able to generate a report only for incidents with high and medium severity.

It should also provide information on trends within the platform. There should be reports on specific alerts or security incidents.

They should build more analytics rules to assess key security threats. I have had to build a lot of custom analytics rules. There should be more of them out of the box.

There should be more information about how to utilize the notebooks. They can have a better approach to enlightening the end-users about the straightforward use of notebooks. The data point analysis rules and automation are straightforward compared to the way you utilize the notebooks. They can do better in terms of sharing how we can utilize the notebooks. 

We are able to ingest data across all our tenants and on-prem solutions, but we have been chasing Microsoft for the longest time possible for ingesting some data from Microsoft Dynamics 365. The kind of logs that we need or the kind of security monitoring that we need to do on Microsoft Dynamics 365 versus what's available through data connector tools is different. The best advice that they have managed to give us is to monitor the database logs, but we can't go into monitoring database logs because that's a different platform. There are several things that we want to address across Microsoft Dynamics 365, but the kind of logs that we get from the data connector are not of any significance. It would be better if they could give us customization for that one. That's the worst application from Microsoft to add because we can't monitor any business processes in that application, and there's no capability to do even customization. We are so frustrated with that.

It's quite comprehensive in threat intelligence capabilities, but it takes some time to establish a baseline. They can also improve the UEBA module so that it can help us address and have an overview of the risk. It's not yet that complete. It can establish a baseline for a user, but it doesn't inform how I can leverage the capability to address risks.

We can also have more integrations within Microsoft Sentinel with TI feeds out of the box. Currently, we don't have something out of the box for other TI feeds. Microsoft has its own TI feed, but we aren't utilizing that.

Microsoft Sentinel should provide more capability to end-users for customization of the logs they feed into Microsoft Sentinel.

For how long have I used the solution?

It has been two years.

What do I think about the stability of the solution?

We haven't had any issues with it so far. It's very stable. 

What do I think about the scalability of the solution?

It's scalable. There are data connectors for different technologies and products.

How are customer service and support?

I've not contacted their support for Microsoft Sentinel.

Which solution did I use previously and why did I switch?

I've used QRadar.

How was the initial setup?

We are ingesting on-prem and cloud logs. The initial setup was a bit complex. It wasn't that straightforward because of the integrations.

What about the implementation team?

We had help from a Microsoft partner for visibility and integrations. We had about five engineers involved in its implementation.

In terms of maintenance, it doesn't require any maintenance from our side.

What was our ROI?

Microsoft Sentinel is costly, but it provides value in terms of managing security or managing the threats within our organization.

The return on investment is in terms of better security, visibility, and management. If you don't know what's going on in the cloud environment or the on-prem environment, you might need to pay a huge price in terms of compliance or ransomware to restore your data. We have seen value in investing in Microsoft Sentinel because we are building a better security capability within our environment.

What's my experience with pricing, setup cost, and licensing?

The current licensing is based on the logs that are being ingested on the platform. Most of the SIEM solutions utilize that pricing model, but Microsoft should give us a customization option for controlling the kind of logs that we feed into Microsoft Sentinel. That will be much better. Otherwise, the pricing is a bit higher.

Which other solutions did I evaluate?

We evaluated other solutions. The reason why we chose Microsoft Sentinel was because of the cloud visibility. We needed a lot of visibility across the cloud environment, and choosing another product that's not Microsoft native wouldn't have been easy in terms of integrations and shipping logs from Microsoft Sentinel to on-prem.

A good thing about Microsoft Sentinel as compared to the other platform is that most organizations run on Azure, and the integration of Microsoft Sentinel is much easier with other products, but when it comes to other SIEM solutions, integrating them with Microsoft sometimes becomes an issue.

What other advice do I have?

You need to customize the kind of logs that you feed to Microsoft Sentinel. If you just plug-in data connectors and don't do any customization and feed everything to Microsoft Sentinel, it will be very expensive in terms of cost. You only need the traffic that assists you in addressing security issues within your environment. You only need the information that gives you visibility to address security issues.

Overall, I would rate Microsoft Sentinel an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
reviewer2017212 - PeerSpot reviewer
Security Engineer at a tech services company with 5,001-10,000 employees
Real User
The solution prioritizes threats, integrates easily with other Microsoft products, and can be deployed within half an hour
Pros and Cons
  • "We are able to deploy within half an hour and we only require one person to complete the implementation."
  • "The playbook development environment is not as rich as it should be. There are multiple occasions when we face problems while creating the playbook."

What is our primary use case?

Our organization is an SSP, a service provider for manual threat detection and hunting. We use Microsoft Sentinel for threat detection. We have a few clients using Microsoft Sentinel, and we provide SOAR services to them.

How has it helped my organization?

Having the ability to respond holistically from one place with Microsoft Sentinel is very useful. We don't need to log into different security consoles. It is less hectic and reduces our time to respond and resolve the issue.

The solution has helped improve our organization by detecting and hunting threats. The solution also correlates alerts from other solutions, such as Defender, Office 365, and other Endpoint solutions. Microsoft Sentinel has automated responses that help us reduce the number of analysts required for example, from ten to six because most of the tasks are done automatically.

The solution's automation of routine tasks helps us automate the finding of high-value alerts by reducing the manual work from 30 minutes down to three. 90 percent of the work is done by Sentinel which runs the playbook and provides us with all the data required to make a decision quickly.

The solution has helped eliminate the need to use multiple dashboards by incorporating SIEM plus SOAR into one convenient location. We don't need to log into each of the solutions individually. We can directly correlate the alerts and incidents from our Sentinel console. Sentinel reduces our time because we don't need to check multiple tabs for multiple solutions. All the information required to investigate and make a decision can be found in the solution's panel view.

We don't have any out-of-the-box threat intelligence from Microsoft, but with the integration of some open-source solutions and premium sources, Microsoft Sentinel helps us take proactive steps before threats enter our environment.

We have custom rules created to check IPs or domains for potential threats. Whenever an IP or domain is visible in our logs, the solution will automatically correlate with the threat intelligence feed and create an alert. If we skip the correlation portion and an alert has been created for a malicious IP or a malicious domain, the solution can check the reputation in different reputation sources such as a virus portal, or threat recorded future, and it will auto-populate the information for the analyst which helps us prepare for potential threats.

The solution has definitely saved us 90 percent of our time. Microsoft Sentinel reduces our time to detect, respond, and resolve incidents. Most of the incidents are detected automatically and we just need the data to make a decision. We don't have to go look for different clues or reputations over the internet or use other solutions.

Microsoft Sentinel has saved us from incurring costs related to a breach by protecting us.

The solution detects incidents and alerts us in real-time based on custom rules that we create or the out-of-the-box rules that are part of Sentinel. The information that auto-populates when we run the playbook reduces our response time in most cases because all the relevant data required for our investigation is provided on the incident details page.

What is most valuable?

Logic apps, playbooks, and dashboarding are all valuable features of this solution. 

Microsoft Sentinel prioritizes threats across our organization because the solution allows us to correlate using multiple solutions including Defender.

Integrating Microsoft solutions with each other is very easy. The integrated solutions work together to deliver coordinated detection and response in our environment.

The solution enables us to investigate threats and respond holistically from one place. We can write AQL queries and also create rules to detect the alerts. In the event that we don't have rules, we can proactively hunt through KQL queries.

The workbook based on KQL queries, which is the query language is very extensive compared to other solutions such as QRada and Splunk.

The solution requires no in-house maintenance because it is all handled by Microsoft. We only need to monitor the updates.

What needs improvement?

The playbook development environment is not as rich as it should be. There are multiple occasions when we face problems while creating the playbook. 

The cost is not straightforward and would benefit from a single charge model. 

The UI is not impressive, we need to train our analysts to conduct the investigation. Unlike IBM QRadar which has a different UI for searching, there is no UI where we can conduct searches with Sentinel. With Sentinel, all our searches require a KQL query, and if our analysts are not familiar with KQL queries, we have to train them. 

The data ingestion can use improvement. There are a few scenarios where we have experienced a delay in data ingestion.

For how long have I used the solution?

I have been using the solution for one and a half years.

What do I think about the stability of the solution?

Sentinel is quite stable because it's a SaaS-based offering, so we don't have to worry about our stability. The solution is available 99.99999 percent of the time. The only time we have an issue is if there is a problem with the Azure portal. Microsoft handles the stability well.

What do I think about the scalability of the solution?

We can scale the solution as much as we want, and with a few clicks, we can increase or decrease capacity.

We currently have four engineering teams that handle the deployments and use case development as well as a SOAR team that consists of ten technical people who all use the solution.

How are customer service and support?

Microsoft Sentinel support is really good. They respond quickly to our requests and they try to resolve our issues as soon as possible. From my experience, Microsoft has the best support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

For SIEM, we previously used IBM QRadar and Splunk Enterprise Security. For SOAR, We have used IBM Resilient, Palo Alto XSOAR, and D3 SOAR, which is a new tool. D3 SOAR is a startup based in Canada and we used it for POC, but we have not used it in production. Sentinel is a SaaS-based solution. There is less administration required and with a few clicks, we can deploy Microsoft Sentinel, whereas, with other solutions, we have to build everything from scratch. There are other SaaS-based solutions but Sentinel is one of the most popular and because a lot of organizations are already using Microsoft and Azure products, Sentinel is the best compatible solution.

How was the initial setup?

The initial setup for Sentinel is straightforward and the best I have worked with to date. We are able to deploy within half an hour and we only require one person to complete the implementation. 

What about the implementation team?

The implementation was completed in-house.

What's my experience with pricing, setup cost, and licensing?

From a cost perspective, there are some additional charges in addition to the licensing. Initially, the cost appears expensive, but over time, the solution justifies that cost. The cost is not straightforward, but instead really complex. We are charged for data ingestion as well as data leaving the environment. We are also charged for running playbooks and for logic apps. Compared with SIEM solutions, whose cost is simply based on EPS or data storage, Microsoft Sentinel's cost is complex. Over time we can predict what the cost of using the solution will be. Other standalone SOAR tools have fixed licensing and their cost is simple. We don't need to pay for each command we run or each integration we have or each automation we do. With Microsoft Sentinel, there is a cost associated with each of the connectors that we use in our playbook. Every time we run that playbook, there will be charges, but the charges are minimal unless we run the playbook repeatedly, then over time the cost shoots up.

Which other solutions did I evaluate?

We occasionally test POC and we are still evaluating other solutions.

What other advice do I have?

I give the solution nine out of ten.

My impression of the visibility into threats that Microsoft Sentinel provides is that the solution is not perfect, but since it is part of Microsoft Workspace, Microsoft already provides so many services to clients, and Microsoft Sentinel is one of them. If we are already using Azure and other services from Microsoft, then Sentinel is easy to implement and use compared to other similar solutions. If I was not using Microsoft Solutions, then I can use other solutions, such as IBM QRadar or Splunk, and when it comes to XSOAR, Palo Alto XSOAR is a much better solution.

We use multiple solutions from Microsoft within our organization including Defender and Endpoint. We have integrated Endpoint with Defender and Microsoft Security Center to receive alerts.

Microsoft Sentinel has out-of-the-box support for up to 90 percent of solutions where we can find a connector to ingest the data directly, but for the remaining 10 percent, we need to write custom tables.

The ability to ingest data is the backbone of our security. If we don't ingest the data, we won't be able to perform anything at all in SIEM. SIEM is based on data ingestion. Once the data is ingested, then on top of that data, we can monitor and detect or hunt, whatever we want. We can create a reporting dashboard, but the data needs to be there.

Microsoft Sentinel's UEBA is quite capable. For SIEM, Splunk and IBM QRadar are slightly better than Sentinel, but Sentinel is catching up fast. The solution has only been in the market for two or three years and has already captured a large share with increasing popularity. For SOAR, Palo Alto XSOAR is much better than Microsoft Sentinel because Sentinel is a SIEM plus SOAR solution whereas Palo Alto XSOAR is a SOAR-focused solution only. What Microsoft Sentinel provides is one solution for SIEM plus SOAR, where we can detect and also respond in one place.

Currently, we have one environment based in a US data center, but we have the ability for multiple solutions in multiple regions within Azure, and we can integrate them using a master and slave configuration that will allow us to run all the queries from the master console.

Using a best-of-breed strategy rather than a single vendor suite is fine if we have a SIEM solution, a SOAR solution, or an Endpoint detection solution until a time when they are no longer compatible with each other and we can not integrate them. If we can not integrate the solutions it becomes difficult for our teams to log into and monitor multiple solutions separately.

I definitely recommend Microsoft Sentinel, but I suggest basing the decision on proof of concept by gathering the requirements, security solutions, and additional log source devices an organization has before using the solution. There are multiple solutions available that may be more suitable in some cases.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: MSP
PeerSpot user
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.
Updated: November 2024
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.