Microsoft Sentinel Reviews

We primarily use the solution for security purposes, to record events, and generate alerts, so that our security team can review the items and take proper action.

We work jointly with an MSSP, we have about 14 people working on a 24/7 schedule, around 25 people might use our Sentinel workspace regularly, and more than 40 people benefit directly from the output of this solution.

With Microsoft Sentinel we have detected threats in early stages of an attack through custom detection rules, helping us prevent escalation and further compromise.

Sentinel has provided visibility of administration events, which allows us to audit security processes and discover misconfigurations and errors.

Using Sentinel we have definitely saved time in our detection and response efforts.

Microsoft Sentinel as a SIEM uses KQL (Kusto Query Language) in their detection rules, which is an optimized query language with some really powerful functions. Generally SIEM vendors use different query languages. KQL queries can use complex logic and be executed in a few seconds, which would not be possible or may take up several minutes in other SIEMs, and now some vendors are trying to implement their own version of KQL.

Sentinel provides us with good visibility of threats. The different kinds of logs it ingests are good as long as the log sources are correct. It can integrate some out-of-the-box log sources in a short time, and log data fields are usually very complete. We don't have experience integrating custom log sources, but it should be possible.

Out-of-the-box log sources have the same data structure in all Sentinel workspaces, which allows queries and detection rules to be shared easily between Sentinel customers. We could rapidly adapt to a new threat with public detection rules created by Microsoft or other security professionals.

We work with Microsoft Sentinel and other Microsoft security solutions like Defender. We've integrated all of them together easily from their web portals. As long as you have the right privileges, integrating these solutions might be as simple as a click. Microsoft security solutions work natively together to deliver coordinated detection and response, which is important to us.

Sentinel allows us to ingest data from our entire ecosystem, wether it might be an on-prem or cloud service. It allows us to correlate different data tables, to create complex threat detections, and to investigate holistically across our infrastructure.

I like the automation portion of the product, it helps us automate routine tasks. We have created some automation playbooks in Microsoft Sentinel, however, in our environment these are not specific to security tasks.

Microsoft Sentinel has a lot of out-of-the-box detection rules. Many of these rules have not been tested, they may execute but they have errors or do not work as expected. Due to this I've made more than 80 requests for modifications in Microsoft Sentinel public repository. If you want to ensure that Sentinel detection works, you need to review the logic of the detection rules one by one, and this shouldn't be the case.

Sentinel does not seem to have rules by default that check and notify of execution errors. I have had to create custom rules to detect when a log source or automation rule stops working as expected.

There can be discrepancies between Microsoft tools. Not all information appears in Sentinel. Sometimes there are items provided in Microsoft 365 Defender that you could search for in Sentinel and you would not find them and therefore assume they do not exist.

The solution is powerful but it can be expensive. Other solutions that are on-premises should be cheaper.

I've been using the solution for more than three years.

The solution is largely stable but not completely. I have had issues with some log sources that stop being ingested or are delayed, and also with automation rules not responding to incidents. Sometimes automation rules stop working intermittently, and this issue might happen during a month or two, and then they go back to working as expected without being notified of any issue by Microsoft.

The scalability is excellent, Sentinel has some limits regarding the amount of ingested data and enabled Sentinel resources, but these limits exist for extreme cases, which our workspace and organization are not even close to.

I'd rate it ten out of ten.

I've opened many support tickets. When you open a support ticket, it will typically be resolved within the first interaction. And they've solved all of my support tickets quite quickly. Even if I have made a mistake when opening support tickets, it's always been a positive experience.

Positive

I've used a few different solutions, including ArcSight, LogRhythm, and QRadar. 

I don't have much insight into ArcSight.

LogRhythm did not let me create complex detection rules.

With QRadar, when we are looking at queries, they can be slow. However, IBM is trying to create its own KQL implementation for QRadar in order to make them faster. 

But I don't have the same level of administration experience with these tools than with Sentinel.

We had some cloud engineers who created our instance on Azure. They enabled the connectors for some out-of-the-box log sources, and created other kinds of neccesary resources, specially to connect on-premises resources to Sentinel. We did not have issues that didn't depend directly on us.

At first we enabled all the detection rules we could, without deeply inspecting them, we assumed they would work. We would not take this approach again, detection rules should be reviewed and enabled one by one.

Maintenance is minimal. It's all on the cloud. If something does not work as expected, we open a support ticket. Since the tool is supported by Microsoft, you are paying them to also maintain it, basically.

Our implementation was handled in-house.

I would recommend to check regularly for deviations or unexpected surges of ingested events, which will affect the cost. I do not directly handle the pricing portion of the solution. There is a calculator in Azure that helps you estimate the cost. 

It's ideal to go with a best-in-breed strategy rather than a single vendor. You need to know what is available in the market. Companies should be free to use any security tool that they consider to fit their needs. 

For companies considering Sentinel, they need to ensure a threat detection engineer will be available to manage their detection rules, you shouldn't enable all of them blindly. You may get value from Microsoft Sentinel, however, you need to continuously invest time and ensure everything is set up and working as expected. 

I'd rate the solution nine out of ten. 

My customers mainly want to correlate logs so that they have a single point for their log information. In addition to correlating logs, they want to automate tasks.

Microsoft Sentinel is just a "watch tower" to get all the logs and manage threats. After that, you have the Microsoft Defender products that help to reduce threats. For example, Microsoft Defender for Endpoint is an anti-virus and EDR that helps to eliminate threats on devices such as laptops and smartphones. Microsoft Defender for Office 365 enables protection for Teams, Mail, or SharePoint, and Microsoft Defender for Identity helps to reduce risk on Active Directory or Azure AD. So Microsoft Defender products are the tools for reducing threats, and Microsoft Sentinel is the tool for analyzing incidents and threats.

Each time I deploy Sentinel, it helps the client get information about the overall security of their IT system. It brings together all the logs in a single place, so it's easy to track attacks and get information about breaches.

It also eliminates having to look at multiple dashboards. If you centralize the logs, you don't need to go to the firewall to get alerts or to the antivirus console or to a network device. You get everything in a single place, which means you have incidents in a single place, and then you can have a dashboard. You can check the built-in dashboard, or you can create one on your own, and these dashboards can be refreshed automatically or you can refresh them whenever you want.

The solution is well integrated with the Microsoft environment, so if a customer has a lot of Microsoft services, such as M365 or Azure, the solution fits well in their environment. Because I deploy solutions in general, I also use Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Office 365. It's really straightforward to integrate these products. You have just to check a box and all the logs from these products go to Sentinel. And if the customer has a Microsoft 365 E5 license, the Defender logs are free.

It also helps to prioritize threats across an enterprise. When you receive an alert of an incident, you can categorize it as a low, medium, or high priority. That's really important because sometimes low-priority incidents are just false positives. We need to categorize incidents to get to the high-risk incidents.

Sentinel also enables you to ingest data from your entire ecosystem and not just from the Microsoft ecosystem. It can receive data from third-party vendors' products such as firewalls, network devices, and antivirus solutions. It's not only a Microsoft solution, it's for everything. There are native connectors to get information from third-party vendors, but if you don't have a connector for something, you can get information from protocols such as syslog.

It's really important that Sentinel allows you to investigate threats and respond holistically from one place. It's important to know where an attacker went. For example, an attacker could go through a firewall and then to a specific application, and you need to know where the attacker started first.

When you enable this feature, Sentinel automatically gets information about the users and devices, and you can then search for specific entities. For example, if you know that a specific user is at risk, you can enter the username and get all the information about the user: on which device he's connected, to which servers he's connected, and what he did on these devices, among other things. This ability is important to a breach.

With Sentinel, you have some built-in rules to automate tasks. You can also create your own automation based on Logic Apps in Azure. You can do what you want with scripting with PowerShell or Python. The first time you have a given incident, you do some troubleshooting and when you write up this incident you can create a knowledge base. Once this knowledge base is done, you can try to automate the troubleshooting. If you do it via automation, you can close this incident because the incident will be managed automatically with Sentinel. And that helps you to save time.

Sentinel should be improved with more connectors. At the moment, it only covers a few vendors. If I remember correctly, only 100 products are supported natively in Sentinel, although you can connect them with syslog. But Microsoft should increase the number of native connectors to get logs into Sentinel. Each time we have a connector, it eases the configuration of Sentinel, and we don't need custom deployments to get the information from a specific vendor. 

The second thing they should do is create more built-in rules for the dashboard, automation, and hunting. The first time you use Sentinel, it's not easy to use the product because, beyond the dashboards, you need to know the Kusto Query Language (KQL) to create the right requests.

I have been using Microsoft Sentinel for two years. I implemented the solution for a customer a couple of months ago.

There is no problem with the stability of Sentinel. It's really stable. I have never experienced an issue with accessing the product.

It's a SaaS solution, so you don't need to scale it. It scales by itself. 

If you need a multi-tenant implementation, for example, if you have a SOC and you have several customers, you can get your own Sentinel, and you can ask the customers to deploy Sentinel in their environments. You can then gather logs from several Sentinels in a single point.

I haven't contacted Microsoft for support of Sentinel, but each time I contacted them for other products, it was a bad experience. The technical support of Microsoft is a negative point because, most of the time, they don't have the answer.

I used QRadar and a Symantec solution, but that was 10 years ago.

The first deployment was not complex. The first step, when you want to connect a solution to Sentinel, is pretty straightforward. When you want to use the built-in dashboard, it's also straightforward. But once you want to do some customization, like a custom dashboard, custom automation, or custom hunting rule, it can be complex because you have to know several languages, how Log Analytics works, and how Logic Apps works for automation.

Most of the time, I deploy a single Sentinel in a single location because it is a worldwide SaaS solution. And most of the time I deploy Sentinel to be used on-premises and in Azure, and I deploy Azure Sentinel for a SOC team. I have never deployed a multi-tenant Azure Sentinel setup, although it's possible to do.

In the beginning, when a customer uses Sentinel, they cannot use it on their own. They require some assistance. That is why, after deployment, a consultant is usually onsite two days per month to add some connectors and custom rules, and to end some incidents.

Sentinel is a pay-as-you-go solution. To use it, you need a Log Analytics workspace. This is where the logs are stored and the cost of Log Analytics is based on gigabytes. You can get a discount of 10 percent if you get to 100 terabytes of data. On top of that, there is the cost of Sentinel, which is about €2 per gigabyte.

If a customer has an M365 E5 license, the logs that come from Microsoft Defender are free.

The solution is really easy to deploy compared to other solutions such as Splunk.

Taking proactive steps to prevent breaches is a default. It's not like competitors on the market. Sentinel doesn't give you advice about how to set some settings on your device to protect them from a specific breach. But you can use Microsoft Defender for Endpoint for devices and it helps you to know if a device is breachable from a specific attack and how to be protected against it.

The cost and ease of use of Sentinel compared with other standalone SIEM and SOAR solutions depends on whether the customer has the whole stack, meaning an M365 E5 license. If so, they get a really good discount because all the logs from Microsoft Defender are free. But if they don't have an M365 E5 license, those logs are not free and the solution can be expensive.

We haven't evaluated other options recently because our customer wanted Sentinel. But one of the differences I see between Sentinel and competitors' solutions is in the normalization of logs. With Sentinel, normalization is done automatically, whereas with other solutions, you need time to do the normalization manually. By "normalization" I mean lining up the fields. For example, in some logs, the time is in the first field, while in other logs, the description is in the first field. You need to sort the fields, but this task is done automatically by Sentinel.

Before using Sentinel, I recommend reading the documentation and watching the YouTube Ninja Training channel. They go through all options for Sentinel. 

In addition, I recommend knowing KQL—it's a requirement—and how to automate tasks in Azure. Other than these points, Sentinel is easy to enter because if you have a native connector, it's just "next, next, next." But when you want to do customization, it can sometimes be hard to do what you want.

When you look at going with a best-of-breed strategy versus a single vendor's security stack, it depends on the strategy of the customer. Sometimes, the customer prefers to get all its security products from a single vendor because they get discounts when they do that. Other customers prefer to have several vendors for security reasons. From my point of view, there is no correct answer. If I were responsible for the security of a company, I think I would prefer to use an all-Microsoft security stack because it's easier to interconnect the solutions and you get more information as a result.

Sentinel ingests all the logs from various security products across on-premise and virtual servers. It has a lot of flexibility regarding different third parties that are not Microsoft, which I liked. We had some very, probably not as well-known systems from which it would ingest information. So it was nice to see that it was very flexible.

We have a hybrid setup with Sentinel deployed on the Azure cloud. We've got about 20 server endpoints, 400 desktop or laptop endpoints, and 1,520 network endpoints. The company has around 400 employees and a 10-person IT team operating out of one location in Alabama. 

Sentinel provides a single pane of glass for reviewing logs from disparate sources. Everything is on one XDR dashboard. We have a smaller IT team, so it's cumbersome to go to various places to get information and manage it. Having a clearinghouse of information makes it quicker to get to the critical items and resolve any problem.

Sentinel saved us time because we can find the information we need directly. It's hard to quantify that because we still need to look through lots of information. Without Sentinel, it would take about one to three hours each week to compile information from different sources.

It helps us proactively prevent threats. Sentinel is integrated with Defender and CloudApp. It gives us suggestions about best practices in security and recommends actions if it sees something within the network that seems out of line. The investigation part is thorough. We can figure out exactly what's wrong and what we need to check. Afterward, we have to go to a secondary product.

Sentinel's most important feature is the ability to centralize all the logs in one place. There's no need to search multiple systems for information. The automation capabilities are excellent and can be extended. We haven't tried to extend the automation features, but what is built in is great. 

The solution also has native integration with Microsoft Teams. It creates a Teams chat when there's an issue, so one of our analysts can look at it immediately. It can automatically flag something instead of sending an alert to an email that someone may not read until three weeks later.

Sentinel provides decent visibility, but it's sometimes a little cumbersome to get to the information I want because there is so much information. I would also like to see more seamless integration between Sentinel and third-party security products. 

When alerts appear in the Sentinel console, I can research them and see what to do, but I need to leave Sentinel and go to a second product to execute whatever I need to do. I would like to be able to fix everything within the Sentinel console.  

We used Sentinel for about six months.

We haven't had any issues with Sentinel so far. The uptime has been 100 percent. 

Sentinel is capable of handling all that we ingest. I think we've hit 80 to 100 Gigabytes so far, and it continues to scale upward. I'm pleased with it. It's a rolling scale, so it scales up as needed based on the number of logs you ingest. As long as you're willing to pay to house the data, they'll continue to scale upward with you.

We haven't had to contact Microsoft support for Sentinel yet. That worries me. Sometimes Microsoft support can be a little difficult to reach.

Sentinel was our first foray into the SIEM world. That's one reason we went back and reviewed it again this summer. We wanted to be sure we picked a good product. They mostly gave demos, so we probably didn't get the full run of these secondary products, but it at least gave us a feel for what else was out there.

Setting up Sentinel was pretty straightforward. We set everything up through Azure, and they had excellent documentation as far as integrating modules. They had scripts we could run within other environments to ingest the logs. Getting information into the system was fairly smooth. 

We had to spin up a new virtual machine for Linux because it required a Linux virtual machine within our on-premises environment to send log files. That was the biggest step I had to do. Spinning up another virtual machine is no big deal. 

We didn't pay for any implementation help. Our IT team spent a day talking through the plan. We let the server person spin up our VM and our network person got all the network stuff in place. We came back together and made sure the logs were delivered. Overall, it was a roughly two-week process of setting up and reviewing everything to ensure everything is working correctly. After deployment, there's no maintenance. It's in Azure, so Microsoft handles all the updates and server roles. It's seamless from a maintenance standpoint.

Sentinel was deployed by a four-person in-house IT team consisting of a network admin, systems admin, and a junior engineer who floated between all of us, helping out where they could. I supervised the deployment as the director. 

The jury is still out on whether we see a return, but I am pleased with the investment. Sentinel provides us with some new insights. It helps us improve our security posture with proactive measures, like informing us of best practices. 

These features helped us evaluate things within our network and cloud environments that we needed to tweak. That was a pretty helpful bonus. 

Sentinel's price is comparable to pretty much everything out there. None of it is cheap, but we didn't think we could save money by going a different route. Sentinel was part of our Azure expenditures, so it was easier to add the expense instead of having a completely separate vendor.

The licensing is straightforward because it's within Azure. There are lots of features in Azure that they gave us as a package. It's nice to do this without having to carve out special budgetary items. The flexibility was helpful. 

We looked at a couple of different solutions, including Splunk and Arctic Wolf. We primarily chose Sentinel because we had already carved out a budget within Azure for Sentinel. We could keep it within Azure and roll that into our Azure expenses versus carving out a new budget item for these other products. That was the biggest motivation.

Sentinel kept pace with the other major players in the field. We considered whether there was a better product to ingest all data. We didn't find anything new or different. 

I rate Microsoft Sentinel eight out of ten. If you plan to implement Sentinel, I recommend spending time thinking about all the sources of data you want to ingest. It's flexible in terms of how much you can ingest, but you may not want to pay that much. It might be better to only connect your critical systems to it.

If you're hesitant to adopt Sentinel, you should do a demo. The single pane of glass is nice to have. You'd really have to talk me out of that.

We use Microsoft Sentinel as our main SIEM suite alerts and automation rules. It feeds everything into Sentinel Logs and Realities for security purposes.

Microsoft Sentinel has helped by streamlining our security. We have a nine-member network team, with three members managing security for the city, and Sentinel allows us to operate an unofficial SOC. 

It makes investigations easy. We were spending a lot of time manually investigating and resolving false positives. Once Sentinel was fully integrated and we suppressed those false positives, our SOC environment greatly improved. 

The most valuable feature of Sentinel is the automation. Creating automation rules helps eliminate false positives, which is crucial due to the high amount of noise in security. Sentinel integrates with Microsoft Defender XDR as a single security hub. Sending our alerts from XDR into Sentinel has made it a decent transition to one solution.

We can easily build reports based on Sentinel alerts and logs. Around 80 percent of our logs go into Sentinel. The solution has improved our threat-hunting by enabling us to run KQL queries. If we learn something through threat intelligence, we can run a query to see if our environment is affected.

Sentinel MITRE ATT&CK recommendations strengthen our security posture. For a small security team like ours, the automation and integrated technologies increase our service efficiency.

There is room for improvement in terms of integrations. We have some tools, such as our off-site Meraki firewalls, that have not fully integrated with Sentinel. We lack integration for Syslogs into Sentinel.

Sentinel's stability is great. I don't see us changing Sentinel as our SIEM in the near future.

Sentinel's scalability is excellent. As our organization uses Microsoft Azure and Defender, everything grows together, and we can integrate various features seamlessly.

Customer service and support for Sentinel have been very responsive. Working with a Sentinel engineer helped us tune settings effectively.

Positive

The initial setup process involved working with a Microsoft Expert, which helped in achieving an effective setup.

The implementation team was a Microsoft Expert, providing substantial support in tuning Sentinel post-deployment.

The management has expressed that the return on investment has been favorable, especially due to the reduction in security investigations. However, specific metrics were not shared with me.

We already had the necessary licensing for Sentinel, so we didn't need to to spend extra money. 

We considered Splunk and ano Splunk and another unnamed product, but Splunk was a notable option.

I Sentinel nine out of 10. Our licensing strategy and the positive impact on investigations indicate a good return on investment.

The company I work for delivers SOC-as-a-Service, so I set up Sentinel in the customer's Azure environment and then connect it to our central Sentinel through Azure Lighthouse.

Microsoft Sentinel has made it easier for us to sell SOC-as-a-Service to, more or less, any customer and not just the big ones.

A lot of our customers run Microsoft products, and integrating those with Sentinel is simple and easy. Sentinel can be quickly deployed as well.

As long as the customers are licensed correctly and have, for example, the E5 security package, then the insights into threats provided by Sentinel are pretty good.

Sentinel helps prioritize threats well. The option to dig deeper and go into the different portals is good as well.

Our customers are very happy with incidents being closed in Sentinel and across the tenant.

We are able to fetch data from almost any source with Sentinel. There are some customers who try to customize, but we try to keep it to the out-of-the-box preconfigured data connectors or to what we can find in the Microsoft content hub.

In terms of the importance of data ingestion to our customers' security operations, they only have access to what is in Sentinel. Therefore, it's pretty important for them to have all of their data stored in one location. If it's stored on-premises in Microsoft 365 Defender, then the SOC team won't be able to access that data. Giving a good analysis will then be harder.

It's very important to us to be able to investigate threats and respond holistically from one place. We don't create several accounts for each customer. We utilize one account and then get insight into the Sentinel environments of different customers. It's great that we can do all this in one place.

The comprehensiveness of Sentinel's security protection is pretty good. The effectiveness of the web part of this depends on how well the customer has configured their Azure AD and what information they have included for each user, such as the phone number and the part of the organization where the user works.

One of the big issues for our customers is the need to look at multiple dashboards. Sentinel has eliminated this and made it a lot easier by having everything in one place.

Sentinel has definitely saved us time. It has also decreased our time to detection and our time to respond. We try to have an analysis ready within 30 minutes of an incident coming in.

Some of the data connectors are outdated, at least the ones that utilize Linux machines for log forwarding. I believe that Microsoft is already working on improving this.

I would like Microsoft Sentinel to have out-of-the-box threat intelligence because right now, the only option is to add your own threat intelligence.

I've been using Microsoft Sentinel for approximately one and a half years.

Sentinel has only been down once, as far as I know, as a result of Microsoft doing something with Azure Kubernetes, which affected log analytics and Sentinel. It was down for about 10 hours. Other than that, it's always been up.

The scalability is great. You can put unlimited logs in, as long as you can pay for it. There are commitment tiers, up to six terabytes per day, which is nowhere close to what any one of our customers is running.

I might be more fortunate than others, given the fact that I have easy access to Microsoft support. The only downside is that the support staff are not that technical, but there is a big community around Sentinel. I can ask the question on the forums instead, and I usually get an answer there. All in all, I'd rate technical support at eight out of ten.

Positive

The initial deployment is straightforward. We try to utilize a baseline of analytics rules in addition to connecting any security products already owned by the customer.

We usually deploy one Sentinel per Azure tenant. Maintenance-wise, Microsoft updates the analytics rules and the engine behind Sentinel, and it may require some tuning if it creates a lot of noise. Other than that, it's pretty straightforward. Thus, in comparison to other SIEM solutions that you need to upgrade and then turn off for the functionality to be updated, Sentinel saves us time.

My colleague and I usually work with someone at the customer's location to deploy the solution.

Compared to standalone SIEM and SOAR solutions, it is easy to start off with Sentinel. For example, with QRadar there are minimum licensing requirements, EPS costs compared to how many logs are being ingested, etc.

It can become costly with Sentinel if you try to run all of the raw logs for an entire organization. If you prioritize, however, you can have a cheaper SIEM solution compared to the ones that have a starting price of 50,000 US dollars.

The pricing is based on how much you ingest, so it's pretty straightforward. There are no tiers, and you pay for what you use, unlike with other types of SIEM solutions that are usually based on tiers.

It's a great way to get insight into exactly how much you're using. If you connect a log source that utilizes too much, you could turn it off or tune it down. You could also buy tiers in Sentinel and can save money with tier commitments.

Overall, I'm satisfied with Sentinel and would give it a rating of eight out of ten.

As far as going with a best-of-breed strategy versus a single vendor's suite, Microsoft gives a pretty good solution, especially when you get the E5 security package. It gives you a good view of the security across the organization, so I don't mind going for a single vendor's suite and opting to go completely with Microsoft.

We primarily use the solution for analyzing logs, such as those from Azure AD. We have it integrated with Microsoft 365 and plan to integrate it with our firewalls so we can analyze those logs too. So, our main uses are for log analysis and to check for vulnerabilities in our system.

We use more than one Microsoft security product; we also use Defender for Cloud. 

Sentinel helps us to prioritize threats across our enterprise. 

The solution reduced our time to detect and respond. 

The log analysis is excellent; it can predict what can or will happen regarding use patterns and vulnerabilities.

Sentinel provides good visibility into threats. 

The product enables us to investigate threats and respond holistically from one place, and that's important to us. 

Given the solution's built-in SOAR, UEBA, and threat intelligence capabilities, it provides reasonably good comprehensive protection, and we are happy with it. 

Sentinel helps us automate routine tasks and find high-value alerts; the playbooks are beneficial and allow us to optimize automation.

The tool helped eliminate multiple dashboards and gave us one XDR dashboard. Having one dashboard is the reason we purchased Sentinel.  

Sentinel's threat intelligence helps us prepare for potential threats before they hit and to take proactive steps. It helps a lot, and that's another main reason we have the product.  

The solution could be more user-friendly; some query languages are required to operate it.

A welcome improvement would be integrations with more products and connectors. 

We've been using the solution for over a year. 

The solution is stable.

Sentinel is a scalable product. 

Microsoft support is good, I rate them seven out of ten. 

Neutral

We didn't previously use another solution of this type; when we moved to Azure, Sentinel was one of the products Microsoft recommended, so we started using it.

I was involved in the deployment of Sentinel, but my colleague did the majority. The setup was basic; some query language is required to implement it fully, and we could improve our configurations. Our implementation strategy was to cover the major products first, including Office 365 and Azure AD. We did that, and we're now adding the other tools we use in our environment.

Our setup is not particularly expansive, so we can deal with the maintenance requirements within our team; it only requires one team member. Our team consists of three or four admins; we manage the Azure AD logs, and Azure AD has 400 users.

The pricing is reasonable, and we think Sentinel is worth what we pay for it.

One of the main reasons we switched from on-prem to Azure Cloud was to save money, but at the same time, we kept adding on features and spent a lot doing so. We're now looking at cost optimization and removing unnecessary elements, as one of our primary goals is to reduce costs. I'm unsure if we are, but we are trying to get there.

I rate the solution seven out of ten. 

Sentinel allows us to ingest data from our entire ecosystem, though we are attempting to integrate all our products. It can ingest and analyze all the data, but we aren't using this functionality to its fullest extent yet.

My advice to someone considering the product is to use it. Start by integrating your primary applications, then slowly move on to others in descending order of importance. 

We have had various use cases depending on the needs of our customers.

It is a SaaS-based solution. It does not have any versions.

In traditional SIEM solutions, there is a lot of hardware, and there is a lot of maintenance around it. We require a lot of resources for administrative tasks, whereas with Microsoft Sentinel, we don't have to get into all those details straight away. We can concentrate on the use cases such as detection and start ingesting our logs, and right away, get insights from those logs. In addition, traditional SIEM solutions, such as Splunk, QRadar, LogRhythm, or ArcSight, do not support cloud-based logs much. This is where Microsoft Sentinel comes into the picture. Nowadays, everyone is moving to the cloud, and we need solutions like Sentinel to easily ingest logs and then get insights from those logs.

It has definitely helped to improve the security posture.

The in-built SOAR of Sentinel is valuable. Kusto Query Language is also valuable for the ease of writing queries and ease of getting insights from the logs. Schedule-based queries within Sentinel are also valuable. I found these three features most useful for my projects.

Microsoft Sentinel has many native connectors, which are plug-and-play connectors. You don't have to do any kind of analysis before starting. Taking Azure Cloud logs as an example, once you enable Sentinel and the connector, you start getting the logs straight away. You get a visualization within Sentinel through dashboards, which are called workbooks. So, right from day one, you can have security for Azure Cloud. If you have other clouds, such as AWS and GCP, even they can be included right away.

There is not much guidance on the in-built SOAR solution that uses Azure Logic Apps as a service. For people coming from traditional SIEM solutions, it is difficult to understand how SOAR works. Because the security teams are not from a programming or coding background, they cannot directly jump into SOAR. For Kusto Query Language within Sentinel, Microsoft provides a lot of documents and articles, and they also have a community, but when it comes to SOAR, other than a few open articles, there isn't much information. The documentation part of SOAR should be improved.

The dashboards can be improved. Creating dashboards is very easy, but the visualizations are not as good as Microsoft Power BI. People who are using Microsoft Power BI do not like Sentinel's dashboards.

I have been using this solution since October of 2019.

It is stable.

It is a SaaS-based solution. So, as end-users or customers, we don't have to think about scalability. 

Sentinel Contributor and Sentinel Responder are the primary roles of its users. Users with the Sentinel Contributor role can perform anything on Sentinel. The Sentinel Responder role is allocated to L1 and L2 monitoring teams. They actively monitor the Sentinel console for any triggered incidents and remediate those tickets.

In terms of the number of users, it is a typical SOC team, which depends on the number of incidents. We calculate the full-time employees based on how many alerts are being triggered per month. If 1,000 alerts are being triggered per month, we would need eight FTE to run 24/7 operations.

We definitely have plans to increase its usage. Microsoft is continuously improving this product, and we also have private access where we can see what features are being launched and provide input to them.

Microsoft Sentinel is a SaaS-based solution. They are improving it all the time. You can see new features every month and week. They are bringing more and more features based on customer feedback. That's one of the things that I liked the most about Microsoft Sentinel, which I did not see in other products.

I like their support. When you raise a ticket with Microsoft, you'll get a response within four hours or so. A support person is assigned who then directly reaches out to you on Teams to troubleshoot.

They send the ticket to the right team. They reach out and guide appropriately. They inform me that they are taking care of the issue, and if a meeting is required, they ask about a suitable time so that they can block the calendar. I have never encountered any issues with the support team where I had to escalate anything to someone else. I would rate them a nine out of ten.

Positive

I have worked with QRadar and NetIQ Sentinel. These traditional SIEM solutions are not equipped to effectively handle API integrations on the cloud. Nowadays, most organizations are on the cloud. For Microsoft-heavy or cloud-heavy environments, it is very easy to manage and very easy to ingest logs with Microsoft Sentinel.

It was straightforward. Deploying Sentinel doesn't take much time, but the initial design required for any solution takes time. Once you have planned the design, deployment involves using toggle buttons or bars.

In terms of the implementation strategy, being a cloud solution, not all customers are there in a single subscription. There could be various tenants and various subscriptions. We have to consider all the tenants and subscriptions and accordingly design and place Sentinel.

Ideally, it takes two to three months to onboard log sources, and for implementation, three to four resources are required.

We have definitely seen an ROI. In traditional SIEM solutions, we need to have people to maintain those servers and work on the upgrades, whereas when it comes to the SaaS-based solution, we don't need resources for these activities. We can leverage the same resources for Sentinel monitoring and building effective detection rules for threat hunting.

There are no additional costs other than the initial costs of Sentinel.

We didn't evaluate other solutions.

I would recommend this solution. Before implementing it, I will also suggest carefully designing it based on your requirements.

You have two options when it comes to ingesting the logs. If you aren’t bothered about the cost and you need the features, you can ingest all logs into Sentinel. If you are cost-conscious, you can ingest only the required logs into Sentinel.

I would rate it a seven out of ten.

Microsoft Defender for Cloud's bi-directional sync capabilities are important in the following way. If you have an issue that shows in Defender for Cloud, an incident on your dashboard, and you look into Sentinel and see the same alert has been triggered, after someone on your team looks into it and fixes it, if bi-directional is not enabled, you will still have the alert showing. If someone is looking at the Defender for Cloud dashboard, that alert will still show as active. That's why it's important to have bi-directional sync. It helps make sure that people work on the right cases.

Sentinel enables you to investigate threats and respond holistically in one place. It gives you a central repository where you can have a historical view and see the access point where something started, where it went, and how things were accessed. For instance, if someone was anomalously accessing keywords, with everything in one place you can see where it started, where it went, who was involved in it, what kind of endpoints were involved, what IP address was involved, and what devices were involved. In this way, you have complete historical data to investigate the root cause.

Previously, I worked with a number of different tools to pull the data. But having one pane of glass has obviously helped. When you consider the time it takes to go into each and every dashboard and look into alerts, and take the necessary actions, Sentinel saves me a minimum of 15 minutes for each dashboard. If you have three to four dashboards altogether, it saves you around one hour.

And when it comes to automating routine tasks, if you want to notify the right people so that they can look into a P-1 incident, for example, Sentinel can automatically tag the respective SOC or security incident teams through a team chart and they can directly jump into a call.

Another point to consider is multi-stage attack detection. We have a granular view into the incident. We can investigate which IPs, user entities, and endpoints are involved in the alert. If you have to look at multiple, separate points, it could take one hour to see what happened at a particular point in time. With Sentinel, we can directly look into a certain person and points and that saves a lot of time. And then we can take action on the incident.

Among the valuable features of Sentinel are that it 

• has seamless integration with Azure native tools 
• has out-of-the-box data connectors available
• is user-friendly
• is being expanded with more updates.

The visibility into threats that the solution provides is pretty good. We can see a live attack if something is going wrong; we can see the live data in Sentinel.

I work on the complete Azure/Microsoft stack. With Azure native, we can integrate the various products in a few clicks. It doesn't require configuring a server, pulling of logs, or other heavy work. It's very easy, plug-and-play. The data collectors are available with Azure native so you can deploy policies or it will take care of everything in the backend. If various tools have different priorities for issues, monitoring everything is a hectic task. You have to go into each tool and look into the alerts that have been triggered. It's a big task. If you can integrate them into a single pane of glass, that helps you to find out everything you need to know.

And in terms of the comprehensiveness of the threat protection that these products provide, I would give it a 10 out of 10.

Microsoft Sentinel enables you to ingest data from the entire ecosystem and that connection of data helps you to monitor critical resources and to know what's happening in the environment. At a minimum, we should monitor the servers that are critical in the environment.

It also has hunting capabilities so that you can proactively hunt for things, but a different team looks after that in our organization.

In terms of features I would like to see in future releases, I'm interested in a few more use cases around automation. I do believe a lot of automation is available, and more is in progress, but that would be my area of interest.

I have been using Microsoft Sentinel for more than two and a half years.

It's a stable solution.

It's a scalable model but as you scale up you pay for it.

Microsoft technical support is responsive and helpful. And their technical documents are pretty detailed and well-explained.

Positive

The initial deployment was pretty straightforward.

The number of people involved in the deployment is completely dependent upon the environment and the access we have. If there's something to be done with a third-party application—for instance, Cisco Meraki or ASA—for those, we require support from the networking team to open up ports and forwarding of logs from the firewalls to Sentinel. If it is a native Azure environment, we don't need any support.

As for maintenance, if there are any updates they will pop up in your alerts and you can then upgrade to the latest version. It doesn't take much effort and there is no downtime. You simply update and it takes a few seconds. If someone is experienced, that person can handle the maintenance. If the environment is very big and it requires injecting more logs, then it requires some helping hands.

The pricing is fair.

With a traditional SIEM, people are required for SOC operations and investigations and they require licenses. With Sentinel, people in SOC operations are still required to investigate, but we don't need any licenses for them. With a traditional SIEM, you pay a lump sum for licenses. But with Sentinel, it's pay-as-you-go according to the amount of data you inject.

I would recommend Microsoft Sentinel.

It's always good to compare against other tools when it comes to the value, to get an idea of what you are paying for. Compare the market strategies and the new capabilities that are coming out and whether you're able to unlock the full capabilities or not. Double-check that. As for best-of-breed versus one vendor, you should stick with one vendor only and take whatever they gave.