What is our primary use case?
When Exchange email is outside the domain, we have found sometimes that there are phishing emails. With the help of Microsoft Defender only, without Sentinel, we would not be able to track them. A couple of times data was compromised. With Sentinel, what we have done is integrate Microsoft Endpoint for Defender, M365 Defender, and our Exchange Online for all the email communications in and out.
How has it helped my organization?
With the investigation and threat-hunting services in Sentinel, we have been able to track and map our complete traffic: Where it started from, where it was intercepted, and where the files were downloaded and exchanged. We have been able to see how a phishing email was entering our domain. Accordingly, we understood that we needed to develop or modify some rules in Exchange and now, we do not have any phishing emails.
Sentinel enables us to investigate threats and respond holistically from one place to all of the attack techniques, such as MITRE ATT&CK, manual, DDoS, and brute force attacks. They are quickly identified by Sentinel. That is of high importance because we don't use any other product with Microsoft. Our SOC team continuously analyzes and monitors Sentinel, the activities and events that are happening. That team needs to be equipped with all of the real-time data we are getting from our ecosystem.
We have also integrated our SIEM with multiple firewalls and proxies. The traffic in and out, coming from the firewalls and proxies, is intercepted by Sentinel. We are now getting granular visibility into our traffic. We can see the hits we are getting from various regions, such as the hits that recently came from Russia. We have multiple such attacks on our firewall front end and we have been able to develop more granular rules on our firewalls.
And for DLP we have the help of protection from Microsoft Information Protection labels that we have defined for our data. Whenever this labeled data is shared, the data is limited to the recipients who were specified in the email. Similarly, our OneDrive data has been secured with the MIP Labels. All of this tracking is happening on Sentinel, which is giving us a broader view of where our data is traveling within and outside our organization as well.
People tend to go with Microsoft because it provides you with 360-degree protection, protecting your files, network, infra, and cloud environment. Each of its products is linked and interacts with the others. Microsoft Defender for Cloud will interact with Microsoft Defender for Cloud Apps, for example. And both of them can interact with Sentinel. Sentinel is the central SIEM in Microsoft and has the ability to take all the instructions from all of these Microsoft products and it gives you a central dashboard view in Azure. That helps manage infrastructure and identify threats. It's a single pane of glass. That's why Microsoft is gaining compared to other products.
Eliminating our multiple dashboards was a little tough in the beginning, but the Microsoft support team's expertise helped us create our own dashboard. Previously, when we started integrating all the products, it was very hard for us to give a broader review to management. It was only something the technical guys could do because they know what all those events mean. But when it came to a dashboard and presenting the data to the stakeholders, it was very tough. With the help of Microsoft's expert engineers, we were able to create dashboards into Sentinel, as well as with the help of Azure dashboards and Microsoft Power BI, and we were able to present the data.
We got Sentinel to send the data to Microsoft Power BI and that helped us create some very useful and easy dashboards so that our stakeholders and senior-level management, who are non-technical guys, could understand much better how we are utilizing this product. They can see how much we are making use of it to investigate, hunt, and track the incidents and events, and the unnecessary accessing of applications in the environment. As a result, we started to put granular controls in place and restrict unnecessary websites.
What is most valuable?
The watchlist is one of the features that we have found to be very helpful. We had some manual data in our Excels that we used to upload to Sentinel. It gives us more insightful information out of that Excel information, including user identities, IP addresses, hostnames, and more. We relate that data with the existing data in Sentinel and we understand more.
Another important feature is the user behavior analytics, UEBA. We can see how our users are behaving and if there is malicious behavior such as an atypical travel alert or a user is somewhere where he is not regularly found. Or, for example, if a user does not generally log in at night but we suddenly find him active at night, the user behavior analytics feature is very useful. It contains information from Azure Identity as well as Office 365.
With the E5 license, we have Microsoft Defender for Cloud Apps, Microsoft Information Protection, Defender for Cloud, and Defender for Office 365. All of these products are integrated with Sentinel because it has those connectors. With both Microsoft and non-Microsoft products it can be integrated easily. We also have ASA on-premises firewalls and we have created a connector and have been sending those syslogs to Sentinel to analyze the traffic. That is the reason we are able to reverse-investigate and hunt threats going on in our network, end to end.
Sentinel enables us to ingest data from our entire ecosystem. In addition to integrating our Cisco ASA Firewall logs, we get our Palo Alto proxy logs and some on-premises data coming from our hardware devices. We also get our Azure Firewall logs, and the logs from the Microsoft 360 bunch of products, like MIP and Defender for Cloud, Defender for Cloud Apps, et cetera.
When I think about the kinds of attack techniques that you are not able to understand at eye level, the AI/ML logic being used by Sentinel helps an administrator understand them in layman's language. It tells you that something has been identified as a malicious event or activity being performed by a user. All of those details are mentioned in an understandable manner. That is very important and is one way Sentinel is playing a wider role in our environment.
We use Microsoft Defender for Cloud and from that we get our regulatory compliance, recommendations, CSPM recommendations, cost recommendations, cost-optimizing strategies, and techniques for things like purchasing reserve instances. It helps us reduce the number of unused VMs or turn off VMs if they're not in production, as well as DevOp VMs in the early hours. We also use it for applying multi-factor authentications for users and reducing the number of owner or administrator roles that are assigned to subscriptions.
And the bi-directional sync capabilities of Defender for Cloud with other Microsoft products is near real-time, taking a couple of seconds. Within a minute, the information is updated, always, for all of the products that are integrated. Some products have a latency of around 4 to 12 hours of latency to update.
What needs improvement?
The following would be a challenge for any product in the market, but we have some in-house apps in our environment. We were thinking of getting the activities of those apps into Sentinel so that it could apply user behavior analytics to them. But our apps were built with different parameters and the APIs for them are not present in Sentinel. We are working with Microsoft to build those custom APIs that we require. That is currently in progress.
We are happy with the product, but when it comes to integrating more things, it is a never-ending task. Wherever we have a new application, we wish that Sentinel could also monitor and investigate it. But that's not possible for everything.
For how long have I used the solution?
I have used Microsoft Sentinel for around two years now.
What do I think about the scalability of the solution?
It is scalable, with the help of the log retention facility in Sentinel in the Log Analytics workspace. We can limit the data that is being retained in it and that limits the cost.
We have it deployed across multiple sites.
How are customer service and support?
In the beginning, it was not so good, but when we switched from standard support to premium support, the support improved.
Which solution did I use previously and why did I switch?
I have been using QRadar and Splunk, but they both only gave me a centralized SIEM solution, a SOAR, and a VAPT solution. But I wanted to reduce the efforts required when jumping into different portals at different points in time. The way things stood, I had to hire different engineers to maintain those different portals and products. With the help of Sentinel, I could integrate all of my applications with Sentinel, as the APIs were ready and the support for them from Microsoft was good. That's why we thought of moving to Sentinel.
What was our ROI?
It was pretty hard to convince the stakeholders to invest so much in protecting the ecosystem through investigating and hunting, which is mainly what Sentinel is for. The integration part comes later. But convincing the stakeholders about the cost we would be incurring was a big challenge.
Slowly but surely, we started integrating many of our products into Sentinel and it started showing us things on the dashboard. And with the help of the Logic Apps, we were able to do multiple other things, like automatically creating tickets out of the incidents that are detected by Sentinel, and assigning them to the SOC team. It reduced the SOC team's workload because they used to manually investigate activities and events. Sentinel killed those manual tasks and started giving "ready-made" incidents to work on and mitigate. It has helped my SOC team because that team was facing a lot of issues with workload.
Then we also got visibility into different products, like Microsoft Defender, and Defender for Cloud Apps, whereas we used to have to jump into different portals to see and analyze the logs. Now, we don't have to go to any other product. All the integration is happening with Sentinel, and with the help of the AI/ML in Sentinel, investigating and threat-hunting have become easier.
It took around six months for us to realize these benefits because we were slowly integrating things, one by one, into it. We were a little late in identifying the awesome capabilities it has.
Most of our products are integrated but a few of our products are facing challenges getting connected. We are dealing with it with Microsoft and they are creating a few connectors for us.
We had to pay extra compared to what we would pay for other products in the market. But you have to lose something to gain something. Sentinel reduced the efforts we are putting into monitoring different products on different portals, and reduced the different kinds of expertise we needed for that process. Now, there are two to three people handling Sentinel.
What's my experience with pricing, setup cost, and licensing?
The pricing was a big concern and it was very hard to explain to our stakeholders why they should bear the licensing cost and the Log Analytics cost. And the maintenance and use costs were on the higher side compared to other products. But the features and capabilities were going to ease things for my operations and SOC teams. Finally, the stakeholders had clarity.
Which other solutions did I evaluate?
Microsoft is costlier. Some organizations may not be able to afford the cost of Sentinel orchestration and the Log Analytics workspace. The transaction hosting cost is also a little bit on the high side, compared to AWS and GCP. But because it gives a 360-degree combination of security products that are linked with each other, Microsoft is getting more market share compared to Splunk, vScaler, or CrowdStrike.
But if I want to protect my files, to see where my files have been sent, or if the file I'm receiving is free of malware, or even if one of my users has tried to open it, Windows Defender would track it first. The ATP (Advanced Threat Protection) scans my emails and the attachments first. It determines if the attachment is safe and, if it is not safe, it will block it. I don't have to create any granular or manual settings. That connectivity across different products has a brighter future. That's the reason, even though we have a small budget, that we are shifting to Microsoft.
There are competitive applications in the market, like vScaler, Splunk, QRadar, and CrowdStrike. These are also good in terms of their features and capabilities. But these products only work as a SIEM or VAPT solution. They won't scan everything that we need to protect.
But if you are only considering SOAR, I prefer CrowdStrike because of cost and the features it provides. The AI/ML is also more developed compared to Sentinel.
But why Sentinel? Because it not only covers Microsoft products, but it also has API connectors to connect with any non-Microsoft products. It has inbound APIs for connectivity to QRadar, vScaler, or Splunk, so we can bring their data into Sentinel to be analyzed. Splunk is doing its job anyway, but Sentinel can filter the information and use it to investigate things.
Those have great visibility and great potential over Sentinel. But for products that are out of the ecosystem, those competitive solutions might face issues in connecting or integrating with them.
What other advice do I have?
We have created a logic app that creates tickets in our service desk. Whenever a ticket is raised, it is automatically assigned to one of the members of our SOC team. They investigate, or reverse-investigate, and track the incident.
Every solution requires continuous maintenance. We cannot rely on AI/ML for everything. Whenever there is a custom requirement or we want to do something differently, we do sit with the team to create the required analytic rules, et cetera. It doesn't involve more than three to four people.
In terms of the comprehensiveness of Sentinel when it comes to security, it plays a wide role in analysis, including geographical analysis, of our multiple sites. It is our centralized eye where we can have a complete analysis and view of our ecosystem.
Go with a single vendor security suite if you have the choice between that and a best-of-breed strategy. It is better to have a single vendor for security in such a complex environment of multiple vendors, a vendor who would understand all the requirements and give you a central contact. And the SLA for response should be on the low side in that situation, as Microsoft, with its premium support, gives an SLA of an immediate callback, within two to three minutes of creating a ticket.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.