Microsoft Sentinel Reviews

We use Microsoft Sentinel for centralized log aggregation and security management. Our environment uses a variety of security products to strengthen its security. This has made it difficult for the SOC team to analyze logs from different consoles and products. To ease the team's workload and help them prioritize events and attacks, we decided to acquire a centralized console. We chose Sentinel because it provides a centralized console where we can ingest and analyze logs. The logs that Sentinel analyzes add value.

Sentinel's threat visibility is good. It has analytics and threat detection capabilities that we can add to our own playbooks. We can use the predefined log analytics to create our own custom rules. Using these custom rules with predefined logs further improves our environment's security posture.

Sentinel helps us prioritize threats across our enterprise. When we have a lot of alerts and incidents, it is better to understand if they are false positives, because the SOC team sometimes wastes time on false positives, which are not very relevant. We must prioritize positive alerts, which should be given the highest priority. In order to solve this problem.

The manufacturing environment I work in is not very critical, so a simple attack is unlikely to have a major impact on the business. However, data is important in any business, and a data breach can damage our reputation. Therefore, it is important to have a good security posture to avoid threats. Threats and attacks can happen even with the highest level of security. Therefore, we look for products that can give us visibility into our environment and help us to proactively solve problems. Microsoft proactively identifies threats and informs its peers and partners. This allows us to take action to assess the impact of these threats on our environment. By taking proactive measures, we can prevent threats from harming our environment.

We also use Microsoft Defender for Cloud and Microsoft Defender for Identity. We have integrated these solutions with Microsoft Sentinel, and their logs are ingested by Sentinel. We do not incur any costs for ingesting Office 365 logs because Microsoft provides a free login exchange for Microsoft Office 365 and, I believe, for Defender as well into our Sentinel for analysis.

Our Microsoft products work seamlessly together to provide coordinated detection and response in our environment. We use a lot of Microsoft products, and it is best to use them in the same environment. This makes integration and collaboration easier. We also have licensing agreements that give us discounts when we use multiple products together. For example, we use Microsoft 365, OneDrive, and security products. We are also migrating our workloads to Azure. We have already migrated many workloads to Azure, and we are in the process of migrating the remaining workloads. We are heavily dependent on Microsoft, so we believe it is best to use one cloud provider. This makes it easier to manage different services. Additionally, Microsoft provides us with a lot of help and benefits, which can save us money. Cost is one of the factors that businesses consider, and IT is a major investment for businesses. Even though our business is not in the IT industry, IT plays a vital role in driving the business forward. Therefore, our organization needs to ensure that their IT investments are having a positive impact.

The comprehensiveness of the threat protection provided by our Microsoft security products is good. They have a large number of predefined indicators of compromise and a comprehensive team that monitors threats around the world. We receive notifications and newsletters from Microsoft whenever a new threat emerges. When an organization does not have experts on its team, it is very difficult to identify zero-day vulnerabilities or attacks. This makes it difficult for them to identify and mitigate these threats. Microsoft, on the other hand, proactively identifies threats and informs its teams and partners so that they can mitigate or prevent them in their environments.

Sentinel allows us to ingest data from our entire IT ecosystem, including network devices, servers, endpoints, and firewalls. This is important because if we are not monitoring all of our devices, we cannot know what threats they are facing or what attacks they have already been subjected to. Sentinel scans every device in the environment because it is difficult to see how many devices are compromised by a threat when we have an inventory of thousands of devices. This is why we need a centralized console where we can ingest all of our important logs and correlate them to identify threats. We need to know when our environment has been attacked by zero-day vulnerabilities. If we see that two devices have been affected, we still do not know how many additional devices the attack has compromised. This can only be known if we have all of our logs in our console. Sentinel provides us with a valuable capability: we can simply identify the source, user, or affected machines, and Sentinel will tell us how many machines have already been compromised and how far the threat has spread. This information allows us to isolate or quarantine the affected machines so that they cannot access more of our environment or steal more data.

We can react and respond holistically from one place with Sentinel.

The best part of Sentinel is its built-in SOAR, user and entity behavior analytics, and threat intelligence capabilities, which collaborate with the SIEM. Other products typically sell these capabilities as separate products. When we automate tasks, we reduce the team's manual effort. Whenever we detect an attack or need to provide analytics, we generate a lot of events and alerts. If we don't correlate these events and automatically resolve them, repetitive tasks will have to be performed by team members. This is not an efficient use of resources. Repetitive tasks can be automated by writing scripts and putting them into the system. Sentinel correlates events and creates incidents for us. These incidents can be resolved by scripts, such as by informing users that their IDs have been compromised and they need to reset their passwords or their IDs will be blocked. This saves SOC time so that they can focus on more important tasks, such as detecting and responding to threats that are already impacting the environment. Sentinel's features help organizations reduce manual and repetitive effort.

Sentinel has helped our organization by providing seamless collection and correlation of all logs. It is important to correlate logs into alerts and then to incidents, as this prevents the team that receives the alerts from becoming overloaded. Sentinel's analytics capabilities are also beneficial, as they allow me to easily perform searches and analyses of incidents. I do not have to spend much effort to determine the source of an incident, its impact, or how far it has spread through our environment. Additionally, Sentinel's automation features, such as its playbooks, templates, and integrations, help us to reduce manual effort.

Automating routine tasks that help find high-value alerts reduces the cost and workload of our SOC team. We have created several automation use cases by discussing them with multiple stakeholders and analyzing how frequently we receive the same type of incident alerts. When we receive the same type of incident alerts, we can correlate them and create scripts or automate solutions to resolve them. This helps to reduce the team's workload and headaches. We have already incorporated this automation into our SOC processes. If an incident is created, it is automatically resolved without any user or machine interaction. If we receive an alert that the resolution failed, some team members investigate the cause, such as a missing or disabled user ID or a technical system issue.

Automation has reduced our manual tasks, saving us around 30 percent of our time so that we can focus on more important tasks.

Previously, when I joined the organization, they were using Splunk on-premises and other security tools, such as Trend Micro and Darktrace devices, to collect logs. The security operations center team had to log into each console to see the logs, investigate them, and determine how to mitigate the alerts. This process was slow and inefficient, especially in the event of a critical attack. Sentinel provides a centralized console for log collection and analysis which helps the SOC team respond to alerts more quickly and reduce the impact of threats.

Microsoft Sentinel helped us eliminate the need for multiple dashboards by providing a single XDR dashboard. They have data connectors that can integrate with different security tools because they partner with other security companies to provide us with the functionality we need to integrate into our environment. Microsoft is at its best when we can integrate with our peers and security companies that are bringing new features to improve our security posture. We can then integrate these features with Sentinel, benefit from them, and ingest our logs into Sentinel as well. We no longer need to log in to multiple security tools; we can simply go to Sentinel, view the incidents and alerts that are being generated, and take action.

The automation feature is valuable. There are many events that happen, and we require manual effort from our SOC team to mitigate each one. When we started automating tasks, it helped us to reduce the time it takes to react to attacks. Attacks may not be able to penetrate our environment as easily because of this. Therefore, I believe that Sentinel's automation is the best.

The integration is not that difficult. The configuration is simple, but the data connector documentation is lacking in useful information. If Microsoft improves the documentation, we will be able to see how to complete the integration from start to finish. In the past, we have encountered problems during the integration process because the documentation was incomplete. For example, we recently deployed Microsoft Defender for Identity with the help of our Active Directory team. Initially, they told us that only a few ports were required, but later they said that more ports were needed. Our environment did not allow these additional ports, and we were not aware of this requirement. This delayed the project and caused frustration for our team members. The customer also expected the project to be completed sooner, but unexpected firewall rules and undocumented configuration requirements prevented us from doing so. We had to open a case with Microsoft for assistance, and we were eventually able to resolve the issue.

The playbook is a bit difficult and could be improved. For those who do not have a deep understanding of playbooks or programming languages, it would be better to have extensive documentation and information available online. When I started working with Sentinel, there were times when we had to refer to the documentation to get information about the configuration or implementation steps. If we encountered errors in the implementation, we had to rely on the internet to figure out how to fix them. The information available online is not that comprehensive and does not cover specific maintenance tasks. If the documentation were improved a bit, and the playbook and automation were made easier to use, it would be a great benefit for technical users.

The AI and Machine Learning can be improved.

I have been using Microsoft Sentinel for over one year.

I have not seen any downtime with Sentinel. Sentinel is stable.

Sentinel is highly scalable. We can easily integrate more devices without any effort. Microsoft has a large data center, and they are always ready to add our devices.

Microsoft technical support has declined in quality over the years. I have only been using Sentinel for a year, but I have experience with Microsoft technical support through Azure and other Microsoft products. In the past, we were able to resolve tickets quickly with minimal back-and-forth. However, recently, the quality of support has degraded. We had a few critical cases that directly impacted production, but Microsoft did not assign their senior engineers to these cases. This wasted a lot of our time, as we had to explain the problems to multiple support representatives.

Neutral

We previously used Splunk SOAR in conjunction with Trend Micro and Darktrace to ingest logs, but we switched to Sentinel because it is more seamless.

The initial setup was successful. The configuration is not difficult. There were some challenging areas. However, we had access to free tools and a Microsoft contact who was always available to help us if we encountered any knowledge gaps. When setting up Sentinel for the first time in our environment, we always have an expert with us to assist with the setup, as not everyone has extensive knowledge of implementing the product. The expert is there to help us with the implementation if we get stuck on a step.

We decided which devices and types of alerts or information we wanted to ingest. At that time, we were not using automation. Our environment was in poor condition, and we were not utilizing the automated features of Sentinel. We only required the basic features of Sentinel, which were to ingest logs from the devices we were interested in, correlate them, analyze them, and integrate them with our service tools and alerting. For alerting, we used ServiceNow as our ticketing system. We would receive a ticket from ServiceNow for the SOC team, and then the SOC team would investigate and mitigate the issue. However, as time went on, the number of events increased, and the time it took to investigate them also increased. If we did not automate our environment, we would have to keep increasing the size of our SOC team or the number of SOC members to handle the workload. We could not meet the priority requirements. That is when we proposed using some of the automation features to help with low-priority alerts.

The deployment required three to four people. I joined the team for the implementation phase. So, by the time I joined, a lot of decisions had already been made, and a low-level plan had been decided upon. This was a low-level design and plan that we had to follow.

We had help from our Microsoft representative for the implementation. This contact was provided to us by Microsoft from the initial trial period all the way through the implementation.

Currently, given our use case, the cost of Sentinel is justified, but it is expensive. It is not so cheap that any organization can afford it. However, if an organization has a requirement for good security posture and can invest in security tools, they should have at least a decent budget to afford Sentinel. Sentinel does offer good features, such as SIEM, SOAR, and automation. However, we need to monitor our budget because ingestion can increase at any time and exceed our budget. We can set alerts to notify us if our budget is increasing significantly on a monthly or yearly basis. We can then control our budget by adjusting what we ingest. We can ingest any amount of data because there is a lot of data flowing in. However, some data is not necessary to ingest because it is not valuable to our analytics. Therefore, being careful about what data we ingest through Sentinel will help us stay within our budget.

We evaluated IBM QRadar and Splunk. Splunk has been in the market for a long time and is trusted by many organizations. While it was once a leader in its field, it does not seem to be keeping up with new features and automation. However, I am not aware of their current state of development.

We saw good features in both Splunk and QRadar, but QRadar had more features that were relevant to us. However, we are moving more towards the cloud. Previously, we had on-premises infrastructure, but we migrated to Azure when a new management team came in.

When we evaluated Microsoft Sentinel, we found that it had good functionality and met our requirements. We also liked that it is a cloud-based solution, so we do not have to worry about underlying hardware, features, operating systems, or management. We simply need to configure the application, which is relatively straightforward. We also do not need to make any upfront capital expenditures.

However, we need to consider the cost of ingesting logs into our environment. Microsoft charges for the amount of data ingested per day, so we need to keep our costs within budget.

QRadar is more complex and difficult to configure than Sentinel. Sentinel is easy to expand. If we add new devices to our environment, we can simply connect them directly to Sentinel. We do not need to worry about additional hardware or configuration.

Overall, Sentinel is a good choice for us because it is cloud-based, easy to configure, and scalable.

I would rate Microsoft Sentinel an eight out of ten.

Whether to use separate SIEM and SOAR solutions or Microsoft Sentinel depends on each organization's specific needs. All SIEM and SOAR tools are expensive because they provide essential security features. Organizations with the resources to pay for these features may choose to purchase Sentinel or another SIEM or SOAR solution. However, small and medium-sized businesses may not be able to afford these tools. Instead, they may choose to use a third-party service provider that already has a license for an SIEM solution such as QRadar or Sentinel.

Sentinel ingests data from over 1,500 endpoints, including technical devices, Windows devices, and Linux devices in our environment.

There is no maintenance required on our end. Microsoft is doing everything for us. We only have to have our configurations in place.

Before using Sentinel, organizations should clearly understand their use cases and requirements. They can take a trial of Sentinel and collaborate with Microsoft to create use cases that demonstrate the value of the investment. Because there are thousands of SIEM and SOAR tools on the market, organizations should evaluate multiple solutions to see what benefits they offer. They can then create use cases for each solution in their environment and take trials to implement them. Organizations should compare the solutions based on visibility, budget, and additional features. Anyone who is considering using a SIEM or SOAR solution should evaluate multiple solutions. Budgeting is very important.

We utilize Microsoft Sentinel primarily to monitor our data storage software. Through the implementation of distinct connectors, we can accommodate multiple use cases for Sentinel. This solution also enables us to thwart failover attempts and prevent brute-force attacks. Moreover, we leverage the EDR tools to establish groups. For instance, if an unauthorized individual attempts to access a critical server from outside the designated group, we can promptly identify them by analyzing the event ID.

Using the Microsoft Sentinel Investigation tab, we can observe all activities related to access and unauthorized attempts taking place in our environment.

Sentinel assists us in prioritizing threats across our entire enterprise. When we receive high-priority alerts, we engage with the client to investigate whether they are conducting any testing first. If not, we identify the unknown activity and collaborate with them to resolve the issue as quickly as possible.

We also utilize Office 365. We have seamlessly integrated Office 365 with Sentinel, which is made easy through the provided connectors, especially when our API keys are associated with a cloud machine. All that is needed are the workspace ID, subscription ID, and API key.

The effectiveness of the protection offered by the integrated solutions is substantial. We are capable of preventing spam, tracking the complete trajectory of data transmitted by the end user, including its source, especially when originating from unauthorized URLs. Additionally, we can identify instances of unauthorized mail redirection. Furthermore, we can utilize SPF authentication to safeguard our domain against spoofing.

Microsoft Sentinel allows us to gather data from our entire ecosystem. We also have the capability to exclude non-suspicious or non-malicious data, such as daily reminders, from the daily logs in order to prevent system slowdown.

Sentinel allows us to investigate threats and respond promptly from a central location. We can gather all the necessary information for an investigation with a single click, which will provide us with a comprehensive overview of the actions taken by the suspicious user by reviewing the Event ID.

The built-in SOAR, UEBA, and threat intelligence capabilities of Sentinel are commendable. The UEBA can furnish a summary of all entities and discern unfamiliar ones that are not commonly associated with our system, subsequently tagging them for our review.

It aids in the automation of routine tasks and the identification of high-value alerts. For instance, if we need to compile a list of our administrative or high-profile users, we can establish rules based on high and medium security criteria, or any other specifications we might have. The entries will then correspond to the information aligned with our requirements. Furthermore, we have generated a watchlist of blacklisted users, which assists us in conveniently tracking activities originating from them. 

It provides the ability to create personalized dashboards that offer all the necessary information in a single location. It is important to mention that this feature comes with an extra cost, as is the case with all aspects of Sentinel.

Sentinel's threat intelligence helps prepare us for potential threats before they hit. By utilizing the event summary, we can proactively prepare for unauthorized entries and directly block IPs at the firewall level.

As a partner of Microsoft, they pay us for any POCs we create.

Sentinel has contributed to a reduction in our time for detecting and responding to incidents. As Sentinel operates in the cloud, it offers user-friendly accessibility, enabling us to swiftly access crucial information for responding to potential threats.

The automation rules that enable us to create playbooks for each individual are valuable.

The Identity Behavior tab furnishes us with the entire history linked to each IP or domain that has either accessed or attempted to access our system. By utilizing the data supplied by Sentinel, we can ascertain whether there are any attempts to breach our system. Numerous pre-defined queries are at our disposal, and we also have the option to craft custom queries as needed.

We are invoiced according to the amount of data generated within each log. For example, if I neglect to specify the time period in a search, Sentinel will retrieve all the logs, leading to charges for both pertinent and irrelevant data. This could potentially cause a substantial increase in costs. We incur lower charges for data under 100 GB, but anything surpassing that threshold becomes more expensive.

When setting up EDR for multiple endpoints, we need to create distinct rules for each one to monitor the devices effectively. 

I am currently using Microsoft Sentinel.

Microsoft Sentinel is stable. It is extremely rare that the solution is down.

Microsoft Sentinel is highly scalable. We can create any random custom playbooks. We can create any custom rules over there As per our requirements. We can enable and disable policies also as per our requirements. We can combine both policies accordingly.

The technical support is good.

Positive

Compared to IBM Security QRadar and Securonix, Microsoft Sentinel is more user-friendly. QRadar is quicker to respond but it has stability issues.

We are charged based on the amount of data used, which can become expensive.

I rate Microsoft Sentinel nine out of ten.

Maintenance is overseen by Microsoft. They announce periods of system downtime for maintenance. If we have anything critical that we require while the system is down, we can request it from Microsoft, and they promptly provide it to us.

Microsoft Sentinel offers us query update suggestions every three months. If we find a suggestion we like, we can simply click on it to automatically update our policy.

I believe it is better to choose a single-vendor security suite over a best-of-breed strategy.

When Exchange email is outside the domain, we have found sometimes that there are phishing emails. With the help of Microsoft Defender only, without Sentinel, we would not be able to track them. A couple of times data was compromised. With Sentinel, what we have done is integrate Microsoft Endpoint for Defender, M365 Defender, and our Exchange Online for all the email communications in and out.

With the investigation and threat-hunting services in Sentinel, we have been able to track and map our complete traffic: Where it started from, where it was intercepted, and where the files were downloaded and exchanged. We have been able to see how a phishing email was entering our domain. Accordingly, we understood that we needed to develop or modify some rules in Exchange and now, we do not have any phishing emails.

Sentinel enables us to investigate threats and respond holistically from one place to all of the attack techniques, such as MITRE ATT&CK, manual, DDoS, and brute force attacks. They are quickly identified by Sentinel. That is of high importance because we don't use any other product with Microsoft. Our SOC team continuously analyzes and monitors Sentinel, the activities and events that are happening. That team needs to be equipped with all of the real-time data we are getting from our ecosystem.

We have also integrated our SIEM with multiple firewalls and proxies. The traffic in and out, coming from the firewalls and proxies, is intercepted by Sentinel. We are now getting granular visibility into our traffic. We can see the hits we are getting from various regions, such as the hits that recently came from Russia. We have multiple such attacks on our firewall front end and we have been able to develop more granular rules on our firewalls.

And for DLP we have the help of protection from Microsoft Information Protection labels that we have defined for our data. Whenever this labeled data is shared, the data is limited to the recipients who were specified in the email. Similarly, our OneDrive data has been secured with the MIP Labels. All of this tracking is happening on Sentinel, which is giving us a broader view of where our data is traveling within and outside our organization as well.

People tend to go with Microsoft because it provides you with 360-degree protection, protecting your files, network, infra, and cloud environment. Each of its products is linked and interacts with the others. Microsoft Defender for Cloud will interact with Microsoft Defender for Cloud Apps, for example. And both of them can interact with Sentinel. Sentinel is the central SIEM in Microsoft and has the ability to take all the instructions from all of these Microsoft products and it gives you a central dashboard view in Azure. That helps manage infrastructure and identify threats. It's a single pane of glass. That's why Microsoft is gaining compared to other products.

Eliminating our multiple dashboards was a little tough in the beginning, but the Microsoft support team's expertise helped us create our own dashboard. Previously, when we started integrating all the products, it was very hard for us to give a broader review to management. It was only something the technical guys could do because they know what all those events mean. But when it came to a dashboard and presenting the data to the stakeholders, it was very tough. With the help of Microsoft's expert engineers, we were able to create dashboards into Sentinel, as well as with the help of Azure dashboards and Microsoft Power BI, and we were able to present the data.

We got Sentinel to send the data to Microsoft Power BI and that helped us create some very useful and easy dashboards so that our stakeholders and senior-level management, who are non-technical guys, could understand much better how we are utilizing this product. They can see how much we are making use of it to investigate, hunt, and track the incidents and events, and the unnecessary accessing of applications in the environment. As a result, we started to put granular controls in place and restrict unnecessary websites.

The watchlist is one of the features that we have found to be very helpful. We had some manual data in our Excels that we used to upload to Sentinel. It gives us more insightful information out of that Excel information, including user identities, IP addresses, hostnames, and more. We relate that data with the existing data in Sentinel and we understand more.

Another important feature is the user behavior analytics, UEBA. We can see how our users are behaving and if there is malicious behavior such as an atypical travel alert or a user is somewhere where he is not regularly found. Or, for example, if a user does not generally log in at night but we suddenly find him active at night, the user behavior analytics feature is very useful. It contains information from Azure Identity as well as Office 365.

With the E5 license, we have Microsoft Defender for Cloud Apps, Microsoft Information Protection, Defender for Cloud, and Defender for Office 365. All of these products are integrated with Sentinel because it has those connectors. With both Microsoft and non-Microsoft products it can be integrated easily. We also have ASA on-premises firewalls and we have created a connector and have been sending those syslogs to Sentinel to analyze the traffic. That is the reason we are able to reverse-investigate and hunt threats going on in our network, end to end.

Sentinel enables us to ingest data from our entire ecosystem. In addition to integrating our Cisco ASA Firewall logs, we get our Palo Alto proxy logs and some on-premises data coming from our hardware devices. We also get our Azure Firewall logs, and the logs from the Microsoft 360 bunch of products, like MIP and Defender for Cloud, Defender for Cloud Apps, et cetera.

When I think about the kinds of attack techniques that you are not able to understand at eye level, the AI/ML logic being used by Sentinel helps an administrator understand them in layman's language. It tells you that something has been identified as a malicious event or activity being performed by a user. All of those details are mentioned in an understandable manner. That is very important and is one way Sentinel is playing a wider role in our environment.

We use Microsoft Defender for Cloud and from that we get our regulatory compliance, recommendations, CSPM recommendations, cost recommendations, cost-optimizing strategies, and techniques for things like purchasing reserve instances. It helps us reduce the number of unused VMs or turn off VMs if they're not in production, as well as DevOp VMs in the early hours. We also use it for applying multi-factor authentications for users and reducing the number of owner or administrator roles that are assigned to subscriptions.

And the bi-directional sync capabilities of Defender for Cloud with other Microsoft products is near real-time, taking a couple of seconds. Within a minute, the information is updated, always, for all of the products that are integrated. Some products have a latency of around 4 to 12 hours of latency to update.

The following would be a challenge for any product in the market, but we have some in-house apps in our environment. We were thinking of getting the activities of those apps into Sentinel so that it could apply user behavior analytics to them. But our apps were built with different parameters and the APIs for them are not present in Sentinel. We are working with Microsoft to build those custom APIs that we require. That is currently in progress. 

We are happy with the product, but when it comes to integrating more things, it is a never-ending task. Wherever we have a new application, we wish that Sentinel could also monitor and investigate it. But that's not possible for everything.

I have used Microsoft Sentinel for around two years now.

It is scalable, with the help of the log retention facility in Sentinel in the Log Analytics workspace. We can limit the data that is being retained in it and that limits the cost.

We have it deployed across multiple sites.

In the beginning, it was not so good, but when we switched from standard support to premium support, the support improved.

I have been using QRadar and Splunk, but they both only gave me a centralized SIEM solution, a SOAR, and a VAPT solution. But I wanted to reduce the efforts required when jumping into different portals at different points in time. The way things stood, I had to hire different engineers to maintain those different portals and products. With the help of Sentinel, I could integrate all of my applications with Sentinel, as the APIs were ready and the support for them from Microsoft was good. That's why we thought of moving to Sentinel.

It was pretty hard to convince the stakeholders to invest so much in protecting the ecosystem through investigating and hunting, which is mainly what Sentinel is for. The integration part comes later. But convincing the stakeholders about the cost we would be incurring was a big challenge.

Slowly but surely, we started integrating many of our products into Sentinel and it started showing us things on the dashboard. And with the help of the Logic Apps, we were able to do multiple other things, like automatically creating tickets out of the incidents that are detected by Sentinel, and assigning them to the SOC team. It reduced the SOC team's workload because they used to manually investigate activities and events. Sentinel killed those manual tasks and started giving "ready-made" incidents to work on and mitigate. It has helped my SOC team because that team was facing a lot of issues with workload.

Then we also got visibility into different products, like Microsoft Defender, and Defender for Cloud Apps, whereas we used to have to jump into different portals to see and analyze the logs. Now, we don't have to go to any other product. All the integration is happening with Sentinel, and with the help of the AI/ML in Sentinel, investigating and threat-hunting have become easier.

It took around six months for us to realize these benefits because we were slowly integrating things, one by one, into it. We were a little late in identifying the awesome capabilities it has.

Most of our products are integrated but a few of our products are facing challenges getting connected. We are dealing with it with Microsoft and they are creating a few connectors for us.

We had to pay extra compared to what we would pay for other products in the market. But you have to lose something to gain something. Sentinel reduced the efforts we are putting into monitoring different products on different portals, and reduced the different kinds of expertise we needed for that process. Now, there are two to three people handling Sentinel.

The pricing was a big concern and it was very hard to explain to our stakeholders why they should bear the licensing cost and the Log Analytics cost. And the maintenance and use costs were on the higher side compared to other products. But the features and capabilities were going to ease things for my operations and SOC teams. Finally, the stakeholders had clarity.

Microsoft is costlier. Some organizations may not be able to afford the cost of Sentinel orchestration and the Log Analytics workspace. The transaction hosting cost is also a little bit on the high side, compared to AWS and GCP. But because it gives a 360-degree combination of security products that are linked with each other, Microsoft is getting more market share compared to Splunk, vScaler, or CrowdStrike.

But if I want to protect my files, to see where my files have been sent, or if the file I'm receiving is free of malware, or even if one of my users has tried to open it, Windows Defender would track it first. The ATP (Advanced Threat Protection) scans my emails and the attachments first. It determines if the attachment is safe and, if it is not safe, it will block it. I don't have to create any granular or manual settings. That connectivity across different products has a brighter future. That's the reason, even though we have a small budget, that we are shifting to Microsoft.

There are competitive applications in the market, like vScaler, Splunk, QRadar, and CrowdStrike. These are also good in terms of their features and capabilities. But these products only work as a SIEM or VAPT solution. They won't scan everything that we need to protect.

But if you are only considering SOAR, I prefer CrowdStrike because of cost and the features it provides. The AI/ML is also more developed compared to Sentinel.

But why Sentinel? Because it not only covers Microsoft products, but it also has API connectors to connect with any non-Microsoft products. It has inbound APIs for connectivity to QRadar, vScaler, or Splunk, so we can bring their data into Sentinel to be analyzed. Splunk is doing its job anyway, but Sentinel can filter the information and use it to investigate things. 

Those have great visibility and great potential over Sentinel. But for products that are out of the ecosystem, those competitive solutions might face issues in connecting or integrating with them.

We have created a logic app that creates tickets in our service desk. Whenever a ticket is raised, it is automatically assigned to one of the members of our SOC team. They investigate, or reverse-investigate, and track the incident.

Every solution requires continuous maintenance. We cannot rely on AI/ML for everything. Whenever there is a custom requirement or we want to do something differently, we do sit with the team to create the required analytic rules, et cetera. It doesn't involve more than three to four people.

In terms of the comprehensiveness of Sentinel when it comes to security, it plays a wide role in analysis, including geographical analysis, of our multiple sites. It is our centralized eye where we can have a complete analysis and view of our ecosystem.

Go with a single vendor security suite if you have the choice between that and a best-of-breed strategy. It is better to have a single vendor for security in such a complex environment of multiple vendors, a vendor who would understand all the requirements and give you a central contact. And the SLA for response should be on the low side in that situation, as Microsoft, with its premium support, gives an SLA of an immediate callback, within two to three minutes of creating a ticket.

Our team uses Microsoft Sentinel to monitor all security incidents. Security analysts working the intake process configure rules that trigger alerts based on specific criteria and route them to the appropriate team based on the event ID. This unified view within Sentinel allows me to investigate each incident, tracing its origin, path, and endpoint. By analyzing the information gathered, I can then determine whether the alert is a true positive or a false positive.

The visibility into threats that Microsoft Sentinel provides is excellent.

Microsoft Sentinel prioritizes threats across our organization, with levels P1, P2, and P3. This helps me determine how to investigate since some alerts, especially P1s, might seem critical at first glance. However, further investigation may reveal non-critical situations, like a P1 triggered by an authorized user's access from an unfamiliar IP or location. Analyzing logs can help identify these scenarios and ensure appropriate responses.

Microsoft Sentinel and Defender seamlessly integrate to provide a unified system for detecting and responding to security threats across our entire environment. This is crucial for meeting compliance standards and informing client communication. By investigating all security events and summarizing key findings in reports, we can not only highlight critical incidents but also demonstrate the steps we're taking to reduce the overall number of high, medium, and low-severity threats for our clients.

I would rate the comprehensiveness of the threat-protection that Microsoft Sentinel provides an eight out of ten.

Once data is ingested, the process begins with reviewing the ticket information. This can then lead us to Sentinel, where we can view logs. The depth of our investigation determines the next step: a login to Defender, which provides the full range of investigation tools to pinpoint the root cause of the incident.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place.

I would rate the comprehensiveness of Microsoft Sentinel eight out of ten.

Microsoft Sentinel helps automate routine tasks and the finding of high-value alerts.

Microsoft Sentinel simplifies security management by offering a single, unified XDR dashboard, eliminating the need to switch between and monitor multiple disconnected security tools.

The threat intelligence gives us a proactive advantage by anticipating potential threats, allowing us to prioritize and swiftly address critical incidents before they cause harm.

Microsoft Sentinel has helped save us time.

The detection is in real-time with Microsoft Sentinel. 

While Microsoft Sentinel provides a log of security events, its true power lies in its integration with Microsoft Defender. Defender extends Sentinel's capabilities by allowing for in-depth investigation. Imagine investigating a phishing email: through Defender within Sentinel, we can view the email itself, block the malicious email address and its domain, and even take down its IP address – all within a unified platform.

I would like Microsoft Sentinel to enhance its SOAR capabilities. 

I have been using Microsoft Sentinel for two years.

I would rate the stability of Microsoft Sentinel ten out of ten.

I would rate the scalability of Microsoft Sentinel ten out of ten.

I evaluated a few other SIEM solutions but I prefer Microsoft Sentinel because it is straightforward and I can also use Defender to investigate.

I would rate Microsoft Sentinel nine out of ten.

While Microsoft Sentinel offers SIEM capabilities for security information and event management, it doesn't fully replace the need for a separate SOAR solution, which specializes in security orchestration, automation, and response.

In addition to Microsoft Sentinel, I've also used IBM Security QRadar, which I believe is a superior solution because it functions as both a SIEM and SOAR, offering a more comprehensive approach to handling complex security processes.

I advise taking the course before using Microsoft Sentinel to have a better understanding of the solution.

I recommend trying Microsoft Sentinel.

We're a cybersecurity company using Sentinel to provide SIEM services to our customers. 

Sentinel improved how we investigate incidents. We can create watchlists and update them to align with the latest threat intelligence. The information Microsoft provides enables us to understand thoroughly and improve as we go along. It allows us to provide monthly reports to our clients on their security posture. 

It helps us automate some tasks but not others. There are some things we missed because there aren't any rules. We're still working on integrating it. We know it can detect high-severity incidents if we utilize it correctly. We've been able to automate incident responses to some high-level threats we've encountered.

Microsoft's threat intelligence helped us prepare for attacks by developing rules before they hit. We know what behavior to expect because we have visibility into the threat and the actors. 

Sentinel's reporting features save us time. In the past, we created reports in Microsoft Word by dropping in screenshots. With Sentinel, we can create readymade reports from the dashboard. Our monthly report previously took about 16 to 24 hours to complete. We cut that in half. 

We have our own ticketing system for our soft team, and Sentinel's playbooks helped us automate many processes. 

Sentinel provides excellent visibility. Microsoft updates a lot of its security solutions via Sentinel. The content hub and connectors are available to integrate everything. Microsoft also created separate analytics groups, so we log behaviors and use a template. We often need to modify the template based on a customer's log behavior and our correlation and analysis. 

We can learn some new techniques for using KQL correctly by studying the latest templates that Microsoft releases and creating some KBs for our analysts. The MITRE ATT&CK framework is now integrated into Sentinel, so we can statistically identify which part of our microservices are vulnerable. We can assess the severity of threats and prioritize them accordingly. We also need to prioritize based on our SLAs. 

My company also provides managed service for Defender for Endpoint, previously called ATP. We also work with Defender for Cloud and Defender for Identity.

All the Microsoft solutions are integrated with Sentinel, including 365 apps, Azure AD, and various cloud-based security solutions. It includes all the connectors you need to ingest logs from multiple Microsoft products, giving us near-total visibility. Some customers use on-prem security appliances, so we have to correlate logs. 

Sentinel comes with Azure Lighthouse. We can link the subscription to our customer's tenant and ask them to create a global admin account. We can report on the activities using each account and how secure the credentials are. The integration is seamless when we have that level of access. 

We offer ingestion for all Microsoft products and always recommend our clients get everything so we can get full threat visibility and effectiveness. Having all the products integrated into Sentinel helps us see the big picture. In addition to the analytics rules and everything, we're utilizing dashboards and workbooks. Some workbooks are templates that Microsoft provides, but we also develop our own. 

We can compile all this data, put it in a workbook, and create rules. The other part is communicating with the customer because the user is still reviewing logs. Is it an admin? Is it doing daily counts of logins, etc? 

Three of our customers use Defender for Cloud. If a company needs it, we can support it. We have Microsoft-certified engineers who can provide expert frontline support.

Initially, we were only ingesting incidents from Defender for Endpoint, but now we can ingest more data throughout the system. Previously, we could not see some things. We could do it, but we had to search through the portal to find what we needed. Using a connector, we can see everything our employees do on the endpoint, such as device info, location, logins, etc. It's especially useful when employees work remotely or outside their normal area. 

Sentinel lets us investigate threats and comprehensively respond from one console. We can have multiple tabs on one application. The capabilities are robust and marketable. All of these solutions are combined. 

We've seen delays in getting the logs from third-party solutions and sometimes Microsoft products as well. It would be helpful if Microsoft created a list of the delays. That would make things more transparent for customers. 

In some instances, the customer reports that they suspect malware on a computer, and one of their IT guys noticed it. There is a five to ten minute delay before we can see it and respond. As a security company, we don't want the customer to be the first one to identify the threat. However, we must deal with delays from the various products we're integrating. For example, Apex One has a 15-minute delay.

Sometimes it's an issue with the third-party product, but sometimes it isn't. If it isn't, we need to open a ticket with Microsoft. We would benefit from transparency around delays and communication about what Microsoft is doing to resolve the issue. 

Another issue is transparency around usage and associated costs. There are charges if you use playbooks and queries. If you query 100,000 times a day, your costs will go up. The usage only displays in gigabytes per day. A breakdown would help us make reports for our management. 

We have used Sentinel since 2020, so it has been about three years.

We also have experienced some performance problems in the UK. I'm not sure how that works, but something might be going on in the back-end. We transferred to a different region a while ago and lost some of our workspaces. We were shocked.

If Microsoft needs to failover to another region, the customer should be informed because it affects many things. Some of the products we ingest just suddenly stopped, and we have to redo the integration with Cisco Umbrella, AWS S3, and SendGrid. Azure was pulling those logs, and the connections were suddenly cut when this happened. 

I rate Microsoft's support a five out of ten. We had problems using Azure and getting the logs from event services for one of our customers. The date and time the log generated on our customer's device were wrong. It showed the event's location but not the time that the event was generated. 

We contacted Microsoft, who told us to expect a reply the following day, but they didn't respond until four days later. Then, they sent us to another department to speak with someone more knowledgeable about our issue. 

We described the problem, and they asked us for evidence. They wanted our support team to recreate it. Microsoft's support team can create a lab environment and recreate the scenario for themselves. We had to stop the call because we were too busy.

Neutral

We previously used an in-house SIEM solution. 

Deploying Sentinel was complex initially, but it has gotten easier. We documented how we did everything, so it's easy for someone to replicate the steps. If we have accepted the CSP invite, we can deploy it in two days, including configuring ingestion, creating rules, and Azure onboarding. We also must build dashboards and templates. Sometimes there are delays, and it might take three to five weeks.

Sentinel is costly compared to other solutions, but it's fair. SIEM solutions like CrowdStrike charge based on daily log volume. They generally process a set number of logs for free before they start charging. Microsoft's pricing is clearer. It's free under five gigabytes. Some of these logs we ingest have a cost, so they don't hide it. I believe the tenant pays the price, and Microsoft helps create awareness of the cost.

With other solutions, you don't know what you're being charged until you get the bill. You might find that you're using playbooks or queries too much. Microsoft gives you visibility into your expenses. 

We evaluated a few other solutions, including CrowdStrike, Splunk, and LogRhythm. We decided to go with Sentinel because we have Microsoft-certified staff, and many companies in the UK are adopting Defender and other Microsoft security solutions. Sentinel offers seamless integration with Microsoft security products, and we've also seen how flexible it can be.

We can leverage KQL queries. If you're trying to send logs to another SIEM, you'll probably need an API and a lot of other components to make it work. Sentinel makes our jobs easier by providing all of the connectors and out-of-the-box integration. 

I rate Microsoft Sentinel a nine out of ten. I think the industry is shifting toward a single-vendor strategy instead of best-of-breed. If you have a lot of tools from various vendors, it makes things more complicated. You need to hire employees who specialize in each device. It's better if your team understands a solution's features and capabilities. 

If you're considering a SIEM solution, you should compare each product's mean detection and response time. I'm unsure if that information will be publicly available for every solution, so you may need to test them. You should also think about other components besides cost. Sentinel might be more expensive than other solutions, but it's more comprehensive because it incorporates all the different security elements and keeps evolving.

Microsoft is constantly updating all of its solutions. We mainly utilize Microsoft infrastructure, but some solutions are based on Unix or Linux. At the same time, threats on that side aren't as critical as those from Microsoft. They own the operating system, so they're positioned to understand the vulnerabilities and how to fix them. 

We primarily use the solution for security purposes, to record events, and generate alerts, so that our security team can review the items and take proper action.

We work jointly with an MSSP, we have about 14 people working on a 24/7 schedule, around 25 people might use our Sentinel workspace regularly, and more than 40 people benefit directly from the output of this solution.

With Microsoft Sentinel we have detected threats in early stages of an attack through custom detection rules, helping us prevent escalation and further compromise.

Sentinel has provided visibility of administration events, which allows us to audit security processes and discover misconfigurations and errors.

Using Sentinel we have definitely saved time in our detection and response efforts.

Microsoft Sentinel as a SIEM uses KQL (Kusto Query Language) in their detection rules, which is an optimized query language with some really powerful functions. Generally SIEM vendors use different query languages. KQL queries can use complex logic and be executed in a few seconds, which would not be possible or may take up several minutes in other SIEMs, and now some vendors are trying to implement their own version of KQL.

Sentinel provides us with good visibility of threats. The different kinds of logs it ingests are good as long as the log sources are correct. It can integrate some out-of-the-box log sources in a short time, and log data fields are usually very complete. We don't have experience integrating custom log sources, but it should be possible.

Out-of-the-box log sources have the same data structure in all Sentinel workspaces, which allows queries and detection rules to be shared easily between Sentinel customers. We could rapidly adapt to a new threat with public detection rules created by Microsoft or other security professionals.

We work with Microsoft Sentinel and other Microsoft security solutions like Defender. We've integrated all of them together easily from their web portals. As long as you have the right privileges, integrating these solutions might be as simple as a click. Microsoft security solutions work natively together to deliver coordinated detection and response, which is important to us.

Sentinel allows us to ingest data from our entire ecosystem, wether it might be an on-prem or cloud service. It allows us to correlate different data tables, to create complex threat detections, and to investigate holistically across our infrastructure.

I like the automation portion of the product, it helps us automate routine tasks. We have created some automation playbooks in Microsoft Sentinel, however, in our environment these are not specific to security tasks.

Microsoft Sentinel has a lot of out-of-the-box detection rules. Many of these rules have not been tested, they may execute but they have errors or do not work as expected. Due to this I've made more than 80 requests for modifications in Microsoft Sentinel public repository. If you want to ensure that Sentinel detection works, you need to review the logic of the detection rules one by one, and this shouldn't be the case.

Sentinel does not seem to have rules by default that check and notify of execution errors. I have had to create custom rules to detect when a log source or automation rule stops working as expected.

There can be discrepancies between Microsoft tools. Not all information appears in Sentinel. Sometimes there are items provided in Microsoft 365 Defender that you could search for in Sentinel and you would not find them and therefore assume they do not exist.

The solution is powerful but it can be expensive. Other solutions that are on-premises should be cheaper.

I've been using the solution for more than three years.

The solution is largely stable but not completely. I have had issues with some log sources that stop being ingested or are delayed, and also with automation rules not responding to incidents. Sometimes automation rules stop working intermittently, and this issue might happen during a month or two, and then they go back to working as expected without being notified of any issue by Microsoft.

The scalability is excellent, Sentinel has some limits regarding the amount of ingested data and enabled Sentinel resources, but these limits exist for extreme cases, which our workspace and organization are not even close to.

I'd rate it ten out of ten.

I've opened many support tickets. When you open a support ticket, it will typically be resolved within the first interaction. And they've solved all of my support tickets quite quickly. Even if I have made a mistake when opening support tickets, it's always been a positive experience.

Positive

I've used a few different solutions, including ArcSight, LogRhythm, and QRadar. 

I don't have much insight into ArcSight.

LogRhythm did not let me create complex detection rules.

With QRadar, when we are looking at queries, they can be slow. However, IBM is trying to create its own KQL implementation for QRadar in order to make them faster. 

But I don't have the same level of administration experience with these tools than with Sentinel.

We had some cloud engineers who created our instance on Azure. They enabled the connectors for some out-of-the-box log sources, and created other kinds of neccesary resources, specially to connect on-premises resources to Sentinel. We did not have issues that didn't depend directly on us.

At first we enabled all the detection rules we could, without deeply inspecting them, we assumed they would work. We would not take this approach again, detection rules should be reviewed and enabled one by one.

Maintenance is minimal. It's all on the cloud. If something does not work as expected, we open a support ticket. Since the tool is supported by Microsoft, you are paying them to also maintain it, basically.

Our implementation was handled in-house.

I would recommend to check regularly for deviations or unexpected surges of ingested events, which will affect the cost. I do not directly handle the pricing portion of the solution. There is a calculator in Azure that helps you estimate the cost. 

It's ideal to go with a best-in-breed strategy rather than a single vendor. You need to know what is available in the market. Companies should be free to use any security tool that they consider to fit their needs. 

For companies considering Sentinel, they need to ensure a threat detection engineer will be available to manage their detection rules, you shouldn't enable all of them blindly. You may get value from Microsoft Sentinel, however, you need to continuously invest time and ensure everything is set up and working as expected. 

I'd rate the solution nine out of ten. 

I'm an IT consultant, and I use Sentinel with two of my clients to monitor all their security signals and get alerts when things are happening that might be suspicious.

The fact that the solution helps automate routine tasks and the finding of high-value alerts has made it possible for me to provide security operations. If I didn't have automation, I wouldn't be able to do that. Nobody is going to pay me to sit and stare at a screen for eight hours a day. But with the automation built in to let me know about and fix things, it becomes viable. The automations have an email option, and all the alerts show up as emails in my inbox. I'm busy with other things, and I'm not looking at Sentinel all day. And the automation in those emails is available to deal with things automatically. Automation is incredibly important.

Sentinel gives me one XDR dashboard. In terms of security operations, it's improved them and makes it easy for me to do my job.

It saves my clients time, on the order of 30 percent.

It also saves costs for me and my clients. If we didn't have Sentinel in place, and they were to get compromised, it could cost them tens of thousands of dollars due to ransomware, a BEC scam, or another type of attack. Without Sentinel in place, that could be a very big cost.

And it decreases the time it takes to detect and respond by days, if not weeks.

My clients are small businesses, and mine is also a small business. Traditionally, even the concept of using a SIEM in most small businesses was unheard of. It was an on-premises product, and you needed to install servers, and most normal IT consultants wouldn't even look at it because it would be very complex for them. The standout feature of Sentinel is that, because it's cloud-based and because it's from Microsoft, it integrates really well with all the other Microsoft products. It's really simple to set up and get going. You don't have to set up a server or do a lot of configuring and setting up storage. It just lives in the cloud, you turn it on, and connecting most things to it is really easy.

It's fantastic when it comes to integration with other Microsoft products. It's so easy. I've been in IT for 30 years, and integrating products was, up until a few years ago, something we would never want to do. It was so hard, we wouldn't want to touch it. We would have to write custom code and configure things. It was just horrible. Now, it's literally a couple of sliders in the interface, and you're done.

And once these solutions are integrated, they work natively together to deliver coordinated detection and response across my clients' environments. I follow this space very closely, but I am not an expert in any other solution. Still, at least for my clients, with the threats they are facing and the alerts we get from the real world, Sentinel's detection and response are very comprehensive.

Sentinel enables you to ingest data from the entire ecosystem. I have integrated some non-Microsoft products with Sentinel, and, predictably, it's not as simple as one click because these are third-party products. But it is definitely quite easy. For cloud products and services, it's still very simple. It might be three or four clicks. But for on-premises products, it's a bit more work.

My clients also use Defender for Cloud, and its bi-directional sync capabilities are very important. It makes things much easier.

Sentinel provides a clear view into the threats that are coming in, and, compared to what I had before, it is night and day. I heard somebody say on a podcast, "The solution we had prior to Sentinel was like a dark room and you had a torch, and you could shine the torch in different directions and see some things. Having Sentinel, combined with Microsoft 365 Defender, the XDR solution, is like turning on the lights and seeing everything." I completely agree. That's exactly what it feels like.

Another incredibly important factor is the solution's ability to investigate threats and respond holistically from one place. Again, as a small business, I wouldn't have the time and energy to look in several different places. I need one place where it all shows up, and that's what Sentinel provides.

And with built-in SOAR, UEBA, and threat intelligence, the comprehensiveness of Sentinel's security protection is good.

Given that I am in the small business space, I wish they would make it easier to operate Sentinel without being a Sentinel expert. Examples of things that could be easier are creating alerts and automations from scratch and designing workbooks. All of those are available as templates and community-produced content, but doing all that from scratch and keeping it up-to-date, is not easy. Because I have lots of other things on my plate, it would really improve things for me if they would make it more accessible for small businesses and non-experts.

I have been using Microsoft Sentinel since it was in public preview, so that's at least three and a half years.

It's a very stable solution—rock-solid.

It's also very scalable.

I have only ever contacted them about Sentinel once, but I have certainly dealt with Microsoft support in various ways. Their response time is pretty good. But they have a difficult time providing good support, at the level that would cause me to give them a higher score than six out of 10, because things change so fast. And it's so much wider than it used to be 10 years ago. There's so much to cover, and that's difficult for them.

Neutral

We used ESET for one client, but it wasn't a SIEM, it was just endpoint protection. We replaced that with Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, and Sentinel. It's not an apples-to-apples comparison.

The initial deployment is very straightforward. It took me four or five hours to set it up.

The product itself, obviously, does not require maintenance, but the alerts and rules require work.

Sentinel is fairly priced and pretty cost-effective. Compared to on-premises solutions, Sentinel is very cost-effective.

It's certainly possible, if you're not careful about what you connect, to shoot yourself in the foot by ending up with large data sources being ingested that cost you a fair bit of money. You do need to think about what data sources you actually need, which ones will lead to the detection of actual attackers, and how much of that data you need. You also have to consider how you're going to store it, because Sentinel has different levels. You don't have to store it all in the expensive "this will give me alerts" tiers. But, as I said, my clients are small businesses. They certainly don't have a budget for anything expensive, and they're very happy with the costs.

Do a proof of concept. It's really easy to set up and get started. You don't have to turn everything on to start. Do a small proof of concept, get familiar with it, and you'll see how easy it is.

Does it help prioritize threats across the enterprise? The short answer is, "Yes, it does." The slightly longer answer is that it is not a set-and-forget solution. And no SIEM is. You do need to configure Sentinel and fine-tune it. I have a calendar reminder every two weeks to go back in and make sure the right analytics rules are in place and change the ones that need changing, et cetera. It does prioritize threats, but it's not an automatic process that you never have to worry about again.

Sentinel's threat intelligence doesn't really help with proactive steps. The threat intelligence has indicators of compromise, such as IP addresses, URLs, and file hashes. They get detected, but that's not really proactive. Perhaps it's "proactive" in the sense that somebody else has figured out that those things are bad and let the system know. But Microsoft 365 Defender does the proactive part because it has threat intelligence in it. It will tell you, "A new threat that we have a report on seems to be targeting your type of client." That's proactive, but Sentinel isn't proactive. Meaning, if you read about a threat and then protect yourself before that threat reaches you, Sentinel doesn't really do that.

In the debate about best-of-breed versus a single-vendor security solution, if you pick best-of-breed individual security solutions and you have to integrate them, now you're an integrator. And that is hard. It's not easy to integrate different security products. And that's why, at least for my clients, Sentinel and Microsoft 365 Defender have been a huge shift. They're so easy to integrate. My clients could license separate products and then try to integrate them to get the same level of integration, but that would never work.

Every day, I log into Microsoft Sentinel to check the logs. I start by checking the incidents and analyzing them. If I need to create an automatic rule, I do so. If the logic needs to be changed, I make the necessary adjustments. I am responsible for managing Microsoft Sentinel for our organization.

For our organization, Microsoft Sentinel helps us prioritize threats across most of our environment because we have not yet fully integrated the solution into all aspects of our operations. Currently, we are working on integrating mutual source AWS into Sentinel, which will provide us with more visibility. Apart from that, there is already a lot of visibility in case of any failures or anyone attempting large deployments across other companies or similar activities. Additionally, if someone attempts to use login information from a different location, it becomes apparent, as it is impossible to travel that quickly. Sentinel covers almost everything.

We are using Microsoft Office 365 for email security in our environment. Our infrastructure engineers have integrated Microsoft Office 365 with Sentinel. When we view the old connectors in the application, it mentions Microsoft Office 365. Currently, it also indicates this in terms of firmware.

Microsoft Sentinel can enable us to ingest data from our entire ecosystem. However, since we are currently receiving services from an external source, we are not integrating the tool right now. That's why we are looking for another tool that we can integrate with Microsoft Sentinel. Once we do that, I believe we will be able to see everything, including any malware-related issues, as well as other security and licensing concerns.

The ingestion of data into our security operations is of utmost importance. If we are not monitoring whether people are sending large documents to other companies, how will we realize it? We don't have any other tool for that. Of course, we have email security and EDR, which cover some aspects, but some of them are not effective or are too basic. Unlike them, Microsoft Sentinel is comprehensive. It records everything: every click, download, login, and search. Therefore, it is a necessary tool for our operations.

Microsoft Sentinel allows us to investigate threats and respond quickly from a unified dashboard. A couple of months ago, there was a concern with the AWS environment, and our director asked us to identify any relevant code-related alerts originating from the environment. Since we didn't have the rules at that time, I looked into the recommended analytics section, which turned out to be quite straightforward. When we write Python or work with any logs, cells, or Java-related elements, Microsoft Sentinel provides us with insights and a logical approach to integrating our environment. During my investigation, I discovered some configurations related to the Python code, and it appears to be functioning well now.

Microsoft Sentinel's built-in SOAR, UEBA, and threat intelligence capabilities work well and are further enhanced with the addition of a firewall for added protection.

Before our organization implemented Microsoft Sentinel, we only had an email security DLP solution and some other tools. While we could see the logs on our computer, they were often presented in a confusing manner, appearing like gibberish to us. However, with the introduction of Sentinel, we can now interpret and make sense of that information.

When I joined the organization, they were already in the process of implementing Microsoft Sentinel. However, I am familiar with other integrations with Sentinel, such as AWS, and the integration is not difficult. We simply create the necessary resources, and everything is well-documented, which is a huge plus. We can access all the information online, both in the AWS part and in Microsoft Sentinel. So, I believe it's not rocket science.

It helps automate routine tasks and aids in identifying high-value alerts. We have automated the tool to receive critical or high alerts and send us messages accordingly. This automation is currently active. Whenever a high alert is generated, it comes through direct messages. Even during non-working hours, I receive these alerts on my phone immediately. If it's an important alert, I can respond promptly. We had an incident where I had to work on weekends due to such an alert. However, if I'm not using the tool or haven't activated it, I generally don't turn on the computer after work hours. So, this feature has been beneficial for us. Some months ago, there was a Microsoft bug that created false positive alerts for every clean link, including company links. We made modifications to the alerts, and now we no longer receive those unnecessary alerts.

It helps eliminate the need to look at multiple dashboards by providing us with just one XDR dashboard. We no longer have to go to other places. However, there are instances when we receive alerts about failing servers, and we can't check them using Sentinel; instead, we have to use Azure Active Directory. It's not Sentinel's fault, and checking through Azure Active Directory is not difficult, but we still have to go somewhere else.

Sentinel's threat intelligence assists us in preparing for potential threats before they strike, allowing us to take necessary precautions. My weekly routine includes dedicating at least two hours to the accounting part. I am constantly searching for any threats in our environment that may have gone unnoticed. So far, I haven't found anything, but I'm always vigilant because we can never be entirely certain that there are no threats.

We have been enabled to save a significant amount of time. The log files consist of hundreds of pages, and to review them, we need to possess networking knowledge to identify the specific case. Without knowing what we are searching for, it's like trying to find a needle in a haystack. Sentinel migrates the logs and presents the visual information in a user-friendly manner, which has proven to be a time-saving solution for us.

Sentinel saves money by reducing the number of people required to monitor the alerts. For example, if there are normally 50 alerts per week, fine-tuning reduces them to just one.

Microsoft Sentinel helps decrease our time to detect and time to resolve. Sentinel provides a brief introduction to the events occurring in the environment when someone is causing instability in the AWS environment. Sentinel precisely identifies the issue and offers a link for accessing more information about the situation.

The dashboard that allows me to view all the incidents is the most valuable feature. Threat hunting is also valuable. Sentinel has a Microsoft framework, so we can experiment with numerous queries. There are almost 500 queries available that we can utilize based on our environment.

I believe one of the challenges I encountered was the absence of live training sessions, even with the option to pay for them. Microsoft insists that all information is available in the documentation, which I must admit is quite comprehensive and helpful. However, for someone without a coding background, learning solely from the documents can be challenging at times. It would be much easier to learn if there were practical exercises and instructional videos available. This aspect bothered me significantly. While I did come across a course, my preference was to access it through Sentinel since they are already providing us with their services. Having the team trained up would undoubtedly streamline my job and save a considerable amount of time.

I have been using Microsoft Sentinel for one year.

We have not had any scalability issues with Microsoft Sentinel.

Microsoft Sentinel is scalable. We can add as many services as we want, and Microsoft automatically increases the capacity by adding memory and storage.

I have used technical support many times. Sometimes, I have a really hard time understanding them. I am not sure if they are calling from India, but there was background noise at times. However, they are really helpful, even though they seem a bit indifferent. They frequently inquire whether we have addressed the issue and if it has been resolved—quite a lot, actually.

In a company, we are often very busy. They expect us to address the issues immediately, but sometimes it can take months. So, I inform them that I will follow up. They can be a little pushy, which is understandable from their perspective, but for us, it can be challenging because we have many other tasks to handle. Sentinel is just one of my priorities, and there are a lot of other things I need to take care of. That's why sometimes we need time, but to their credit, they are always responsive. Whenever we ask them a question, they promptly provide a response.

Positive

I had previously used Kibana, which is quite different from Microsoft Sentinel. When I used Microsoft Sentinel for the first time, I realized that this was the ideal solution. Microsoft Sentinel is user-friendly, unlike Kibana, which I found difficult to install and not very user-friendly. Microsoft Sentinel, on the other hand, is incredibly user-friendly, making it easy for everyone to understand and learn how to use it. It is a straightforward solution to comprehend.

I give Microsoft Sentinel a nine out of ten.

We are currently evaluating Microsoft Defender and CrowdStrike in our environment to determine which one is a better fit. As for Defender, I cannot claim to have a complete understanding of it since it's in a testing environment. I can monitor people's devices, but I have not yet received any alerts generated by the devices. It has only been around ten days.

I am responsible for creating documentation for all of our implementations, while other teams handle the infrastructure portion.

Maintenance is minimal for Microsoft Sentinel. There is a check button in the house. Sometimes I go there because we occasionally find that some things are not working properly. So we have to go there and address the issue, but it is not a common occurrence. Maybe it happens, like, three times a year which is not bad.