I use the solution to ensure proper security analytics and threat intelligence across the enterprise. The tool helps me to know the type of attack detection that happens and the kind of visibility, proactive hunting, and threat response we have.
Senior Manager ICT & Innovations at Bangalore International Airport Limited
Provides a unified set of tools to detect, investigate, and respond to incidents and enables proactive threat hunting
Pros and Cons
- "The product can integrate with any device."
- "The AI capabilities must be improved."
What is our primary use case?
How has it helped my organization?
We use the tool because we want a solution that can quickly analyze large volumes of data across the enterprise. Microsoft Sentinel is a one-stop solution for all our security needs. It gives threat visibility, enables proactive hunting, and provides investigation reports.
What is most valuable?
The product can integrate with any device. It has connectors. So, we do not have big issues in building connectors. Microsoft Sentinel gives us a unified set of tools to detect, investigate, and respond to incidents. It also helps us recover things. It is very important to our organization. It centralizes our total threat collection and detection and generates investigation reports.
What needs improvement?
The AI capabilities must be improved. The product must efficiently leverage the AI capabilities for threat detection and response. The product does not provide auto-configuration features. So, we need to do configuration, policy changes, and group policies ourselves. If AI can do these functions, it will be easier for the customers.
Buyer's Guide
Microsoft Sentinel
October 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,649 professionals have used our research since 2012.
For how long have I used the solution?
I have been using the solution for three years.
What do I think about the stability of the solution?
The product is stable.
What do I think about the scalability of the solution?
We have around 1500 users. We have only one administrator. The product is easily scalable. As long as the enterprise grows, we will continue using Microsoft Sentinel.
How are customer service and support?
The technical support team is very good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We were using Splunk before. We decided to switch to Microsoft Sentinel because we were unable to work on large data using Splunk. Splunk did not have AI capabilities and was not user-friendly.
How was the initial setup?
The product is deployed on the cloud. It is a SaaS solution. The initial deployment was easy. We ensured that all the devices and the APIs were configured well. We needed two engineers from our team for the deployment. We have deployed the tool in a single location. The solution does not need any maintenance.
What about the implementation team?
We took help from an integrator to deploy the tool. It was a user-friendly experience.
What was our ROI?
The solution is efficient. We could see the returns on investment immediately. It doesn’t take much time.
What's my experience with pricing, setup cost, and licensing?
The product is costly compared to Splunk. When we pay for the product, we also have Azure Monitor Log Analytics as part of the package. It is economical for us.
What other advice do I have?
We use the tool to help secure our cloud-native security solutions. By enabling us to secure our cloud environments, it acts as a single solution for attack detection and threat visibility for proactive hunting. The solution gives us a library of customizable content that helps us address our unique needs. It also gives regular patch updates. It helps us to be updated with the latest threats happening across the world.
We use the Microsoft Sentinel Content hub. Integration with Active Directory is also helpful for us. The content hub enables us to see the latest features. We have Extended Detection and Response in SentinelOne. It provides effective protection for the platform. It provides more cybersecurity by providing more visibility and protects our enterprise.
The content hub helps us centralize out-of-the-box security information and event management content. It discovers and manages the built-in content. It provides an end-to-end security for us.
Microsoft Sentinel correlates signals from first and third-party sources into a single high-confidence incident. It can extract the information through the respective APIs of the third parties. It has increased our threat intelligence, monitoring, and incident analysis efficiency.
We use Microsoft Sentinel's AI in automation. The generative AI features enable real-time threat hunting and detection. The solution has helped improve our visibility into user and network behavior. The generative AI provides better detection and response capabilities and faster response times with actionable intelligence.
The product has saved us time. It helps us get various log files. When there’s an incident, it enables us to do investigations faster. The tool saves us three days in a week. It reduces the work involved in our event investigation by streamlining the processes and making automation effective. Event investigation is much faster.
If someone is looking for a comprehensive solution, Microsoft Sentinel is a good choice. It will fulfill all our needs, including attack detection, threat visibility, and response.
Overall, I rate the solution an eight out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
IT Senior Systems Administrator at Dubai Developments
Provides excellent log analysis but isn't the most user-friendly
Pros and Cons
- "The log analysis is excellent; it can predict what can or will happen regarding use patterns and vulnerabilities."
- "The solution could be more user-friendly; some query languages are required to operate it."
What is our primary use case?
We primarily use the solution for analyzing logs, such as those from Azure AD. We have it integrated with Microsoft 365 and plan to integrate it with our firewalls so we can analyze those logs too. So, our main uses are for log analysis and to check for vulnerabilities in our system.
We use more than one Microsoft security product; we also use Defender for Cloud.
How has it helped my organization?
Sentinel helps us to prioritize threats across our enterprise.
The solution reduced our time to detect and respond.
What is most valuable?
The log analysis is excellent; it can predict what can or will happen regarding use patterns and vulnerabilities.
Sentinel provides good visibility into threats.
The product enables us to investigate threats and respond holistically from one place, and that's important to us.
Given the solution's built-in SOAR, UEBA, and threat intelligence capabilities, it provides reasonably good comprehensive protection, and we are happy with it.
Sentinel helps us automate routine tasks and find high-value alerts; the playbooks are beneficial and allow us to optimize automation.
The tool helped eliminate multiple dashboards and gave us one XDR dashboard. Having one dashboard is the reason we purchased Sentinel.
Sentinel's threat intelligence helps us prepare for potential threats before they hit and to take proactive steps. It helps a lot, and that's another main reason we have the product.
What needs improvement?
The solution could be more user-friendly; some query languages are required to operate it.
A welcome improvement would be integrations with more products and connectors.
For how long have I used the solution?
We've been using the solution for over a year.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
Sentinel is a scalable product.
How are customer service and support?
Microsoft support is good, I rate them seven out of ten.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We didn't previously use another solution of this type; when we moved to Azure, Sentinel was one of the products Microsoft recommended, so we started using it.
How was the initial setup?
I was involved in the deployment of Sentinel, but my colleague did the majority. The setup was basic; some query language is required to implement it fully, and we could improve our configurations. Our implementation strategy was to cover the major products first, including Office 365 and Azure AD. We did that, and we're now adding the other tools we use in our environment.
Our setup is not particularly expansive, so we can deal with the maintenance requirements within our team; it only requires one team member. Our team consists of three or four admins; we manage the Azure AD logs, and Azure AD has 400 users.
What's my experience with pricing, setup cost, and licensing?
The pricing is reasonable, and we think Sentinel is worth what we pay for it.
One of the main reasons we switched from on-prem to Azure Cloud was to save money, but at the same time, we kept adding on features and spent a lot doing so. We're now looking at cost optimization and removing unnecessary elements, as one of our primary goals is to reduce costs. I'm unsure if we are, but we are trying to get there.
What other advice do I have?
I rate the solution seven out of ten.
Sentinel allows us to ingest data from our entire ecosystem, though we are attempting to integrate all our products. It can ingest and analyze all the data, but we aren't using this functionality to its fullest extent yet.
My advice to someone considering the product is to use it. Start by integrating your primary applications, then slowly move on to others in descending order of importance.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Buyer's Guide
Microsoft Sentinel
October 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,649 professionals have used our research since 2012.
IT Manager at a manufacturing company with 501-1,000 employees
Highly efficient and a time-saving solution with a single and easy dashboard in place
Pros and Cons
- "Previously, it was a little bit difficult to find where an incident came from, including which IP address and which country. So in Sentinel, it's very easy to find where the incident came from since we can easily get the information from the dashboard, after which we take action quickly."
- "Microsoft should improve Sentinel, considering that from the legacy systems, it cannot collect logs."
What is our primary use case?
We are using Microsoft Sentinel for our traditional SOC. So previously, we had multiple products, like VM products, log analytics products, and analysts. We are making so much effort to analyze incidents and events in the security operation center., after which we decide whether it's an incident or an event, and we take action. After Sentinel's implementation, it would be much better and much simpler. For instance, we can now save much more time since in Sentinel, there is artificial intelligence, so the system will decide for you instead of a human. The system will learn what kind of thing you should take action on, and it will save some time since you do not need much human power. In traditional SOC systems, there were three or four people. But in Sentinel, it's much easier, and you do not need so many people in the SOC. So you will save time and keep it cost-effective.
How has it helped my organization?
Previously, we were incurring a huge cost being paid to a person. But in Sentinel, you do not hire anyone because the system provides system insights through the cloud applications. So you do not need to put effort, or you don't need to hire either of the senior people. So in, in your SOC team, would be mid-level people, and it would be fine. Also, you do not need so many people. So, one or two people left the organization after the central implementation. So we just have an agreement with one company at a professional level since they're also managing Sentinel. We do not need to pay for the maintenance of applications. So that's also a benefit for us. So, in this case, we are only paying Sentinel yearly or annual costs.
What is most valuable?
Previously, we could not do some automation. So in Sentinel, we create some playbooks, and with some features in the playbooks, we have some capabilities. For example, when a virus enters the system, we will take action to keep the system safe. So, the machine with the virus can be automatically isolated from the network, and this might be a pretty cool feature in the solution currently.
What needs improvement?
Microsoft Sentinel has improved our entire SOC, like our log system and incident response. So we are able to quickly respond to incidents and take action. Even though Microsoft Sentinel has already improved our system, it should further improve for on-premises systems or traditional systems, especially to get or collect logs from the legacy systems. Also, Microsoft should improve Sentinel, considering that from the legacy systems, it cannot collect logs.
For how long have I used the solution?
I have been using Microsoft Sentinel for about six months. My company has a partnership with Microsoft.
How are customer service and support?
I have not contacted technical support.
Which solution did I use previously and why did I switch?
We are using Microsoft Intune. From the mobile device management point of view, it makes work very easy. We are just planning that with Microsoft Intune, we can easily export some logs to Sentinel to analyze them. We are not using this feature right now, but we are planning. If you are using Microsoft applications, it's very easy to integrate them with other Microsoft products.
Defender is something that we are using as an antivirus for Android applications, but we are not using it on the cloud.
What's my experience with pricing, setup cost, and licensing?
From a cost point of view, it is not a cheap product. It's, like, an enterprise-level application. So if you compare it with a low-level application, it's expensive, but if you compare it with the same-level application, it's pretty much cost-effective, I think. Because for other products, you need to purchase them by paying thousands of dollars. In Sentinel, you pay for how much you use, or you just pay for how much you consume storage, log interface, or system. It will not be a one-time cost, but it will be like a continuous rental system, where you subscribe to an application, and then you use it. That's very easy. I think the company got the solution for a long time. If you purchase some products, you need to invest in something, and it increases your investment budgeting. Many enterprises do not like investments. But this is not a one-time cost, to be honest, since continuously, we will pay. This is maybe a negative point of view, but considering from company to company, it entirely depends on a company's strategy.
What other advice do I have?
Previously, it was a little bit difficult to find where an incident came from, including which IP address and which country. So in Sentinel, it's very easy to find where the incident came from since we can easily get the information from the dashboard, after which we take action quickly.
Sentinel does provide me with the ability to set priorities on all the threats across your entire enterprise. So, it is very important because we were previously getting the service from the outside. It would be yes. Sentinel is a next-generation SOC. So, Sentinel also still develops some applications on Sentinel's site, so maybe in the next release, they will introduce a much more effective version for the company. I'm not sure how many companies use it right now. Maybe in the future, more companies will use Sentinel because its features are such that compared to the traditional SOC systems, they are not affected since the system is a cloud-based system. So it's easy to manage. Also, you don't need to care about it from an infrastructure point of view. Additionally, we don't need to take care of products, and we don't need to take care of maintenance. From a product point of view, we do not need to manage since we just need to focus on the incident event.
Right now, we are using very traditional applications, so there is no use of native Microsoft applications right now.
Sentinel enables me to ingest or collect data from my entire ecosystem, but not all of them, because some traditional applications cannot provide some data needed for export. It cannot allow you to get reports or logs from outside. It's a challenging point, so this might be an opportunity for us to change the traditional application. In traditional applications, and sometimes in IT systems, it might be very difficult to get data insight. In some cases, we need to change the application since, in traditional applications, you cannot get support. To fix it, you need to decide something, or maybe you need to decide on the application change. It might be an opportunity for you. But in the next-generation application, there is no problem. With a new application, you can easily integrate with Sentinel. In Sentinel, the negative point is just related to cloud applications. With cloud applications, maybe sometimes you cannot get data from the on-prem application. So if you use a cloud system, like Sentinel, which is a cloud system, then it's very easy. If you are using an on-prem system, Microsoft Sentinel sometimes may not be easy to integrate.
Sentinel allows me to investigate threats and respond quickly and thoroughly from just one place. It accelerates our investigation, especially our event investigation and incident investigation. Using Sentinel, we take quick actions and get quick insights after its standard implementation. So it is time-efficient.
Previously, we had no SOAR applications. In Sentinel, if you want to take action quickly, you need to create playbooks so that if something happens, you can just develop an application like a playbook in Sentinel so that if something happens, you can tell Sentinel to take action. You can freely create your own playbooks since it's very easy. In my opinion, this is the best feature of one product. Normally, you need to purchase two applications or two products. But in Sentinel, they combine everything together. This is the most beautiful feature for me.
Sentinel helps automate routine tasks and help automate the finding of high-value alerts. We do not need to create manual operations like when our system engineers see the incident and they do a system analysis. So after Sentinel, the system analysis is not done by anyone since Sentinel can already make decisions and then take action by itself. So at this point, there's no human power. Sometimes human power is needed, but maybe eighty percent or ninety percent of the time, there is no human power needed. So, it has caused significant improvements in our entire company.
Sentinel has helped eliminate having to look at multiple dashboards and giving us just one XDR dashboard. Previously, we had to check multiple dashboards, especially in relation to whether logs were coming and other things, like incidents and events. In Sentinel, you do not need to check many dashboards. So you are just designing one dashboard, and then, on the entire dashboard, you will see everything. So, it now saves time since previously there were multiple dashboards causing our engineers and our analysts to get confused at times. So they used to ask our managers to understand better. Currently, it is very easy to understand since one needs to check in on one dashboard, and there's no confusion among the engineers. But they do not need to ask anyone to understand. Apart from better understanding, it has improved our systems.
From a security point of view, you need to go with multiple vendors, but this is a traditional system. But right now, if you want to create a good security system, you need to implement each product with one vendor. Because vendors currently state that, if you want to have a high-level security system. You need to implement each product on a security level from one vendor. Microsoft-level vendors offer many features, but people only just purchase or use one product, and that's all. It's not good for security infrastructure. So, you need to implement all security products from just one vendor. I think one vendor and the needed security products will be enough for a company. Sentinel is our next-generation SOC. Currently, I don't see any competitors at this level.
I rate the overall solution a nine out of ten.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Senior Cloud Infrastructure Consultant at a tech services company with 201-500 employees
Allows us to configure what we need and monitor multiple workspaces from one portal, and saves countless amounts of money
Pros and Cons
- "The part that was very unexpected was Sentinel's ability to integrate with Azure Lighthouse, which, as a managed services solution provider, gives us the ability to also manage our customers' Sentinel environments or Sentinel workspaces. It is a big plus for us. With its integration with Lighthouse, we get the ability to monitor multiple workspaces from one portal. A lot of the Microsoft Sentinel workbooks already integrate with that capability, and we save countless amounts of money by simply being able to almost immediately realize multitenant capabilities. That alone is a big plus for us."
- "Improvement-wise, I would like to see more integration with third-party solutions or old-school antivirus products that have some kind of logging capability. I wouldn't mind having that exposed within Sentinel. We do have situations where certain companies have bought licensing or have made an investment in a product, and that product will be there for the next two or three years. To be able to view information from those legacy products would be great. We can then better leverage the Sentinel solution and its capabilities."
What is our primary use case?
We needed a SIEM solution that could integrate with our Microsoft 365 stack. Being a Microsoft product, that was the first SIEM we looked at, and we haven't looked back. We're still growing with the product over the last couple of years. It is phenomenal.
We're mainly focused on the cloud, but one of our selling points is that you can integrate with on-prem. We push to get the Azure Arc implementation done on top of Sentinel so that we can ingest data from your on-prem environment into Azure Monitor, which is then exposed to Sentinel. That's how we drive that integration, but we mainly have the cloud. We have 80% cloud and 20% on-prem.
How has it helped my organization?
The specific focus on entity behavior is where the gold is within Sentinel. The machine learning and AI capabilities that Microsoft already provides within their toolset are exposed through entity behavior analytics. That really is magic. It is something we don't live without. We have specific key metrics we measure against, and this information is very relevant information to our security approach. That's because not everything is an alert and not everything is a threat. In some cases, the anomalous sign or the anomalous behavior is more important than the actual alert coming up and saying that something has been infected. It could be those sign-ins a week before or a month before into a database that you don't always look into that end up being the actual threat. The entity behavior or the overall feature that Sentinel has is absolute gold for us.
In terms of the visibility into threats, because I set up the product, I'm very much aware of the fact that you see what you configure. That's probably a plus in terms of if you have an appetite only for product one, you ingest and you consume only product one. In our company, we have the full E5 solution, and we tend to have a lot of endpoints or metrics that we can pull into one space. So, each and every sub-component, such as Defender for Endpoint, Defender for Identity, and all the incidents end up within Sentinel. It is one spot from where we can manage everything. That works very well for us. We do have small customers with one or two Microsoft solutions, and even third-party solutions, and we can still integrate or expose those product-specific incidents within Sentinel. For me, that's a big plus.
It definitely helps us to prioritize threats across our enterprise. There is not just a clear classification of severity but also the ability to team certain alerts together. It can chain events and bring you a bigger picture to tell you this is something that you need to take care of or look at because it is tied or chained to multiple events or alerts. That ability is again a big plus.
We probably use all of the Microsoft products. We use Azure Active Directory, and we use Defender for pretty much everything, such as Defender for Identity, Defender for Endpoint, Defender for Cloud, and Defender for Cloud Apps. As a senior cloud infrastructure consultant, it is a part of my role to provide or customize and configure these products on behalf of our customers. We have integrated these products for multiple customers. One of my favorite benefits of Sentinel is its integration with the entire stack. I am yet to find a Microsoft product with which it does not integrate well. All of the Microsoft products are fairly simple to integrate with it. Anyone can set up their own environment. It is only third-party products where you tend to have a bit of technicality to configure, but even that is not a difficult process. It is fairly straightforward and easy to follow.
All these solutions work natively together to deliver coordinated detection and response across our environment. Microsoft Defender stack does that quite well. One of the reasons why Microsoft personally favors the Microsoft Defender stack is because of the integration with the rest of the products.
I'm a big fan of the layered approach, and it should be in every environment. Microsoft does a good job of providing you with that layered approach without too much of an oversight or a combination of a bunch of products. They work well individually, and they stack together quite well based on the individual requirements or the needs of each.
We use Microsoft Defender for Cloud. Our footprint in the cloud is limited. We only have two or three customers that fully make use of the product, but it is something that I do make use of and will. We do make use of its bi-directional sync capabilities. Especially within the organization, we have a very small team dedicated to assisting in our cloud-managed servers. If one person has to run around and duplicate these efforts in multiple portals, that wouldn't be an effective use of their time. So, the simple ability to just be in one portal or one place and apply the remediation or the management of an item is a big plus for us.
It allows us to ingest data from our ecosystem. I have found only one or two third-party antivirus products that still don't integrate fully with Sentinel, but for my use case within my own environment, as well as the environments we manage through our inSOC offering, there hasn't been any case or instance I know of where we could not find a solution to ingest necessary logs.
I work with security, and I also work with compliance. On the compliance side, the ability to have an audit trail and all your logs in one central location is important. The data is queryable. The KQL language is not a difficult language to get under. So, for me, having it all in one place and being able to query it and slice the data to what I need to provide or expose is a key feature of a SIEM solution.
It enables us to investigate threats and respond holistically from one place. It is very important, and bidirectional ties into this. We have a small team. So, the following capabilities are critical to our managed solution:
- The ability to hunt from one location or one stream.
- The ability to integrate with multiple sources and data tables for ingestion.
- The ability to expose information from those tables from one stream or portal.
We probably would end up having to hire twice as many people to accomplish what we can do simply by integrating Sentinel with the rest of our product stack.
It helps automate routine tasks and the finding of high-value alerts. Being able to automate routine tasks or routine alerts is a big save for us because our analysts are not bogged down trying to just close alerts in a portal. This freeing up of time alone is a big save for us.
It helps eliminate having to look at multiple dashboards and gives us one XDR dashboard. The workbooks already integrate well with Azure Lighthouse. So, right out the bat, we had that multitenant capability from one dashboard or one screen. It is just absolutely brilliant.
It saves time on a daily basis. For example, as a desktop engineer, if I have to go through 20,000 devices, it would take a long time to go one device at a time. To make sure everything is fine, if I have to log in, upload some logs, do some metrics, log off, and go to the next office, it would take us a good part of a year to be able to work on each of these devices. With Sentinel, once your logs are configured and analytics rules are in place, a simple hunting query could accomplish exactly the same in a month.
Previously, four hours of my day were spent on just dashboards here and there, logging into tenants one time to the next, running the same view in the same portals, and looking through, for example, the alerts for the day or the threats for the day. With Sentinel, all that is in one place. I can just log on with my company-provided credentials, do MFA once, and through a portal with multiple links, seamlessly go through entity after entity. My whole exercise of four hours per day is now probably down to half an hour just because everything is in one place.
It has decreased our time to detection and time to respond. In the past, we would have to get someone to physically log onto a portal once there is an alert, and if that alert was in multiple places or multiple customers, it would mean multiple portals and multiple logins. The ability to manage from one screen and run an effective service has alone saved us 60% of our day.
What is most valuable?
I work with the Microsoft 365 products stack quite a bit, and I'm a big fan of the granularity that the products have. For example, the Defender stack is very focused on endpoints, identities, and so forth. With Sentinel, we have the ability to integrate with each of these components and enhance the view that we would have through the Defender portal. It also gives us the ability to customize our queries and workbooks to provide the solution that we have in mind on behalf of our team to our customers.
The part that was very unexpected was Sentinel's ability to integrate with Azure Lighthouse, which, as a managed services solution provider, gives us the ability to also manage our customers' Sentinel environments or Sentinel workspaces. It is a big plus for us. With its integration with Lighthouse, we get the ability to monitor multiple workspaces from one portal. A lot of the Microsoft Sentinel workbooks already integrate with that capability, and we save countless amounts of money by simply being able to almost immediately realize multitenant capabilities. That alone is a big plus for us. Never mind everything else, such as the security benefits, visibility, and the ability to query the data. They all are great, but the ability to see multiple workspaces is a big money saver and a big time saver for our team.
We offer a managed service where we are geared toward a proactive approach rather than a reactive one. Sentinel obviously covers quite a lot of the proactive approach, but if you engage all of your Microsoft products, especially around the Microsoft endpoint stack, you also gain the ability to manage your vulnerability. For us, gaining the ability to realize a full managed service or managed solution in one product stack has been valuable.
Its threat intelligence helps us prepare for potential threats before they hit and take proactive steps. It highlights items that are not really an alert yet. They are items that are running around in the wild that Microsoft or other threat intelligence providers have picked up and would expose to you through Sentinel by running a query. This ability to integrate with those kinds of signals is a big plus. Security is not only about the alerts but also about what else is going on within your environment and what is going on unnoticed. Threat intelligence helps in highlighting that kind of information.
What needs improvement?
Improvement-wise, I would like to see more integration with third-party solutions or old-school antivirus products that have some kind of logging capability. I wouldn't mind having that exposed within Sentinel. We do have situations where certain companies have bought licensing or have made an investment in a product, and that product will be there for the next two or three years. To be able to view information from those legacy products would be great. We can then better leverage the Sentinel solution and its capabilities. It is being enhanced, and it has been growing day to day. It has gone a long way since it started, but I would like to see some more improvement on the integration with those third parties or old products that some companies still have an investment in.
In terms of additional features, one thing that I was hoping for is now being introduced through Microsoft Defender Threat Intelligence. I believe that is going to be integrated with Sentinel completely. That's what I've been waiting for.
For how long have I used the solution?
I have been working with this solution for close to two years.
What do I think about the stability of the solution?
It is very much stable. We've had one or two issues in the last two years where we had a Microsoft-reported incident, and there were data flow issues, but overall, they are 99.9999% available. We've not had an unrecoverable event across the solution. We've had incidents where users ended up not paying the subscription and the subscription got disabled. It simply required just turning it back on and paying your bill, and you were back up and running. It is quite robust.
What do I think about the scalability of the solution?
It definitely is scalable. It will adapt to your needs. It is really about how much you're willing to spend or what your investment is like. That's basically the only limitation. We've seen customers or deployed to customers with thousands of endpoints across the world, ingesting tons and tons of data. We're talking 200, 300 gigabytes per day, and the product is able to cope with that. It does a great job all the way up there at 200, 300 gigs per day to all the way down to the 10, 20 megs per day. It is really scalable. I am quite a fan of the product.
It is being used at multiple locations and multiple departments, and in our case, multiple companies as well. In terms of user entities, the number is probably close to 40,000 in total across our state. In terms of endpoints, we probably are looking at close to 30,000 endpoints.
How are customer service and support?
I've dealt with Microsoft technical support in the recent past, and I'm overall quite happy with it. Being a big company with big solutions and lots of moving parts, overall, their approach to troubleshooting or fault finding is great. I'm going to give them an eight out of ten. There is always some room for improvement, but they're doing well.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We didn't really use a full SIEM solution at the time. We hovered between dashboards and certain portals. We didn't have a SIEM in place. The first solution we looked at was Sentinel, and we fell in love. It does everything we want and everything we need, and we haven't looked back. We're not even looking at any other solutions right now. For us, it is unnecessary. We're very happy with Sentinel and what Sentinel can do.
How was the initial setup?
It is very straightforward. As a service provider, we'd love to be part of that integration or setup. That's where we make our bread and butter. It is simple enough for the average IT enthusiast to get going, but if you do want to get the best out of your product and if you want to start with some customization, reaching out to a service provider or to a specialist does make sense because they have learned a few things on your behalf. Other than that, it is easy enough to get going on your own. It is a very straightforward configuration, and it does make sense. It is easy to follow.
If you already have a subscription in place, you could be fully operational in less than one business day.
What about the implementation team?
For its deployment, it is a one consultant kind of approach. What is important is that everyone from within the company that is part of the decision-making chain is present as part of it. That's because the main pushback is not the implementation of Sentinel, but the connection to it for the data. So, you would have your firewall guys push back and say, "I don't want to give my data to you." You have your Defender guys saying, "No, I don't want to give my data to you." That's more important in terms of the deployment. One person can easily manage the deployment in terms of the workload.
There is some maintenance. There are some daily, monthly, and weekly tasks that we set out for ourselves. It is normally in the form of query updates, workbook updates, or playbook updates. If some schema update has happened to the underlying data, that needs to be deployed within your environment. Microsoft does a great job of alerting you, if you are within the portal, as to what element needs updating. We have 16 customers in total, and we have one person dedicated to maintenance.
What was our ROI?
We could realize its benefits very early from the time of deployment. Probably within the first three months, we realized that this tool was a lot more than just a simple SIEM, SOAR solution.
It has absolutely saved us money. Of course, there is an upfront investment in Sentinel, which has to be kept in mind, but overall, after two years, the return on investment has been absolutely staggering. In security, you don't always have people available 24/7. You don't have people awake at two o'clock in the morning. By deploying Sentinel, we pretty much have a 24/7 AI that's looking at signals, metrics, and alerts coming in, making decisions on those, and applying automated actions. It is like a 24-hour help desk service from a solution that is completely customizable. We have programmatic access to the likes of playbooks to be able to further enhance that capability. The savings on that alone have been astronomical. If we did not have Sentinel, we would have had to double the amount of staff that we have now. There is about a 40% reduction in costs.
What's my experience with pricing, setup cost, and licensing?
I'm not happy with the pricing on the integration with Defender for Endpoint. Defender for Endpoint is log-rich. There is a lot of information coming through, and it is needed information. The price point at which you ingest those logs has made a lot of my customers make the decision to leave that within the Defender stack. The big challenge for me right now is having to query data with the Microsoft Defender API and then querying a similar structure. That's a simple cost decision. If that cost can be brought down, I'm sure more of my clients would be interested in ingesting more of the Defender for Endpoint data, and that alone will obviously drive up ingestion. They are very willing to look at that, but right now, it is at such a price point that it is not cost-effective. Most of them are relying on us to recreate our solution, to integrate with two portals rather than having the data integrator Sentinel. If we can make a way there, it'll be a big one.
Which other solutions did I evaluate?
We have had some assessments where we were asked to do a comparison with the likes of Splunk and other similar tools. What I love about Sentinel is the granularity. You can configure what you need. Whether it just logs from a server or logs from any of the Microsoft solutions, you have the ability to limit data depending on your use or your need. You can couple that with the ability to archive data, as well as retain data, on a set schedule.
Its cost is comparable to the other products that we've had, but we get much more control. If you have a large appetite for security, you can ingest a lot of information right down to a server event type of log. That obviously would be costly, but for ingesting from the Microsoft stack itself, a lot of the key logs are free to use. So, you could get up and running for a very small amount per month or very small investment demand, and then grow your appetite over time, whereas with some of the other solutions, I believe you buy a commitment. So, you are in it for a certain price from the beginning. Whether you consume that, whether you have an appetite for that, or whether there are actual people in your company who can make use of that tool is separate from that commitment. That commitment is upfront, whereas Sentinel is much more granular. You have much more control, and you can grow into a fully-fledged product. You don't need to switch everything on from day one and then run and see what it will cost. You can grow based on your needs, appetite, and budget until you find that sweet spot between what you ingest and what you can afford.
What other advice do I have?
Having worked with the product and knowing the capabilities of the product, it is worth investing in a product that Microsoft has spent a great deal on integrating with the rest of its product stack. Now, we can argue how far along the third-party vendors are in terms of integration with the rest of the security landscape, but if you're a Microsoft house, there is literally no better solution right now in terms of integration and highlighting the best out of your investment. Of course, every use case is different, but I'm happy to look at any challenge in terms of what a third-party solution can bring and what they reckon Sentinel can't.
My advice to others evaluating the solution is that Sentinel isn't a silver bullet solution. It is not something you deploy and set up, and it is going to work 100% well and you're going to be happy. There is going to be some upfront investment. You're going to have to spend some time getting the product in place and getting it configured to your needs. To showcase in a PoC environment is quick and easy, but to realize real-world day-to-day benefits from this product, there is going to be some investment. Keep that in mind. If you're willing to spend that time upfront within the first couple of days or a couple of weeks of you deploying the solution, you'll immediately realize the benefit, but you have to have that mindset. It is not going to just be next, next, next, where it is deployed, and congratulations, you are now secure. That's never going to be the case, but after spending a bit of time on this product, there is nothing it can't do.
I want to give it a 10 out of 10 just because I'm very passionate about this product. I've seen it grow from a very basic SIEM solution to a fully-fledged SIEM, SOAR solution. Some of the capabilities that are built in right now make my day so much easier. Overall, it is a brilliant product, and I love what Microsoft is doing to it. It is a great product.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Sr. Security Engineer at Ebryx
Because it is a cloud-based deployment, we don't need to worry about hardware infrastructure
Pros and Cons
- "Azure Application Gateway makes things a lot easier. You can create dashboards, alert rules, hunting and custom queries, and functions with it."
- "There are certain delays. For example, if an alert has been rated on Microsoft Defender for Endpoint, it might take up to an hour for that alert to reach Sentinel. This should ideally take no more than one or two seconds."
What is our primary use case?
We work as a managed security services provider (MSSP). We have different clients who have their own security team.
One company that I worked for recently had a security team of three people, then they hired us for 24/7 analysis and monitoring. For that, I solely worked on building this product, then there are the eight to nine people who do 24/7 monitoring and analysis.
Sentinel is a full-fledged SIEM and SOAR solution. It is made to enhance your security posture and entirely centered around enhancing security. Every feature that is built into Azure Sentinel is for enhancing security posture.
How has it helped my organization?
It has increased our security posture a lot because there are a lot of services natively integrated to Azure Sentinel from Microsoft, e.g., Microsoft Defender for Endpoint and Defender for Office 365.
From an analyst's point of view, we have created a lot of automation. This has affected the productivity of analysts because we have automated a lot of tasks that we used to do manually. From an end user's perspective, they don't even notice most of the time because most of our end users are mostly non-technical. They don't feel the difference. It is all about the security and operations teams who have felt the difference after moving from LogRhythm to Azure Sentinel.
What is most valuable?
It is cloud-based, so there isn't an accessibility issue. You don't have to worry about dialing a VPN to access it. Azure does require that for an on-prem solution that the security part is entirely on Microsoft's and Azure's sign-in and login processes.
Because it is a cloud-based deployment, we don't need to worry about hardware infrastructure. That is taken care of by Microsoft.
Azure Application Gateway makes things a lot easier. You can create dashboards, alert rules, hunting and custom queries, and functions with it.
Its integration capabilities are great. We have integrated everything from on-prem to the cloud.
What needs improvement?
There are certain delays. For example, if an alert has been rated on Microsoft Defender for Endpoint, it might take up to an hour for that alert to reach Sentinel. This should ideally take no more than one or two seconds.
There are a couple of delays with the service-to-service integration with Azure Sentinel as well as the tracking point.
For how long have I used the solution?
I have been using it for 14 to 15 months.
What do I think about the stability of the solution?
Azure Sentinel is pretty stable. Sometimes, the agents installed on endpoints go down for a bit. Also, we have faced a lot of issues with its correctors in particular. However, the platform is highly stable, and there have been no issues with that.
For operations, one to two people are actively using the solution. For analysis, there are eight to 10 people who are actively using it.
What do I think about the scalability of the solution?
Sentinel is scalable. If you want, you can hook up a lower balance security corrector. So, there are no issues with scalability.
We have coverage for around 60% to 70% of our environment. While this is not an ideal state, it has the capability to go to an ideal state, if needed.
How are customer service and support?
I have worked with Azure Sentinel for four clients. With only one of those clients, the support was great. For the last three clients, there were a lot of delays. For example, the issues that could have been resolved within one or two hours did not get resolved for a month or two. So, it depends on your support plan. It depends on the networking connections that you have with Microsoft. If you are on your own with a lower priority plan, it will take a lot of time to resolve minor issues. Therefore, Microsoft support is not that great. They are highly understaffed. I would rate them as six or seven out of 10.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We had a full-fledged SIEM, LogRhythm, already working, but we wanted to migrate towards something that was cloud-based and more inclusive of all technologies. So, we shifted to Azure Sentinel and migrated all our log sources onto Azure Sentinel. We also added a lot of log sources besides those that were reporting to LogRhythm.
We have used a lot of SIEMs. We have used Wazuh, QRadar, Rapid7's SIEM, EventLog Analyzer (ELA), and Splunk. We used Wazuh with ELK Stack, then we shifted to Azure Sentinel because of client requirements.
How was the initial setup?
The initial setup was really straightforward because I had already worked with FireEye Security Orchestrator, so the automation parts were not that difficult. There were a couple of things that got me confused, but it was pretty straightforward overall.
Initially, the deployment took seven and a half months.
What about the implementation team?
We used a lot of forums. We used Microsoft support and online help. We used a lot of things to get everything into one picture. There is plenty of help available online for any log sources that you want to move to Azure Sentinel.
What's my experience with pricing, setup cost, and licensing?
I have worked with a lot of SIEMs. We are using Sentinel three to four times more than other SIEMs that we have used. Azure Sentinel's only limitation is its price point. Sentinel costs a lot if your ingestion goes up to a certain point.
Initially, you should create cost alerts in the cost management of Azure. With one of my clients, we deployed the solution. We estimated that the ingestion would be up to this particular mark, but that ingestion somehow got way beyond that. Within a month to a month and a half, they got charged 35,000 CAD, which was a huge turn off for us. So, at the very beginning, do your cost estimation, then apply a cost alert in the cost management of Azure. You will then get notified if anything goes out of bounds or unexpected happens. After that, start building your entire security operation center on Sentinel.
Which other solutions did I evaluate?
The SOAR capabilities of Azure Sentinel are great. FireEye Security Orchestrator looks like an infant in front of Azure Sentinel's SOAR capabilities, which is great.
What other advice do I have?
The solution is great. As far as the product itself is concerned, not the pricing, I would rate it as nine out of 10. Including pricing, I would rate the product as five to six out of 10.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Information Security Analyst at a tech vendor with 201-500 employees
Valuable threat hunting, user-friendly dashboard, and helps prioritize threats
Pros and Cons
- "The dashboard that allows me to view all the incidents is the most valuable feature."
- "I believe one of the challenges I encountered was the absence of live training sessions, even with the option to pay for them."
What is our primary use case?
Every day, I log into Microsoft Sentinel to check the logs. I start by checking the incidents and analyzing them. If I need to create an automatic rule, I do so. If the logic needs to be changed, I make the necessary adjustments. I am responsible for managing Microsoft Sentinel for our organization.
How has it helped my organization?
For our organization, Microsoft Sentinel helps us prioritize threats across most of our environment because we have not yet fully integrated the solution into all aspects of our operations. Currently, we are working on integrating mutual source AWS into Sentinel, which will provide us with more visibility. Apart from that, there is already a lot of visibility in case of any failures or anyone attempting large deployments across other companies or similar activities. Additionally, if someone attempts to use login information from a different location, it becomes apparent, as it is impossible to travel that quickly. Sentinel covers almost everything.
We are using Microsoft Office 365 for email security in our environment. Our infrastructure engineers have integrated Microsoft Office 365 with Sentinel. When we view the old connectors in the application, it mentions Microsoft Office 365. Currently, it also indicates this in terms of firmware.
Microsoft Sentinel can enable us to ingest data from our entire ecosystem. However, since we are currently receiving services from an external source, we are not integrating the tool right now. That's why we are looking for another tool that we can integrate with Microsoft Sentinel. Once we do that, I believe we will be able to see everything, including any malware-related issues, as well as other security and licensing concerns.
The ingestion of data into our security operations is of utmost importance. If we are not monitoring whether people are sending large documents to other companies, how will we realize it? We don't have any other tool for that. Of course, we have email security and EDR, which cover some aspects, but some of them are not effective or are too basic. Unlike them, Microsoft Sentinel is comprehensive. It records everything: every click, download, login, and search. Therefore, it is a necessary tool for our operations.
Microsoft Sentinel allows us to investigate threats and respond quickly from a unified dashboard. A couple of months ago, there was a concern with the AWS environment, and our director asked us to identify any relevant code-related alerts originating from the environment. Since we didn't have the rules at that time, I looked into the recommended analytics section, which turned out to be quite straightforward. When we write Python or work with any logs, cells, or Java-related elements, Microsoft Sentinel provides us with insights and a logical approach to integrating our environment. During my investigation, I discovered some configurations related to the Python code, and it appears to be functioning well now.
Microsoft Sentinel's built-in SOAR, UEBA, and threat intelligence capabilities work well and are further enhanced with the addition of a firewall for added protection.
Before our organization implemented Microsoft Sentinel, we only had an email security DLP solution and some other tools. While we could see the logs on our computer, they were often presented in a confusing manner, appearing like gibberish to us. However, with the introduction of Sentinel, we can now interpret and make sense of that information.
When I joined the organization, they were already in the process of implementing Microsoft Sentinel. However, I am familiar with other integrations with Sentinel, such as AWS, and the integration is not difficult. We simply create the necessary resources, and everything is well-documented, which is a huge plus. We can access all the information online, both in the AWS part and in Microsoft Sentinel. So, I believe it's not rocket science.
It helps automate routine tasks and aids in identifying high-value alerts. We have automated the tool to receive critical or high alerts and send us messages accordingly. This automation is currently active. Whenever a high alert is generated, it comes through direct messages. Even during non-working hours, I receive these alerts on my phone immediately. If it's an important alert, I can respond promptly. We had an incident where I had to work on weekends due to such an alert. However, if I'm not using the tool or haven't activated it, I generally don't turn on the computer after work hours. So, this feature has been beneficial for us. Some months ago, there was a Microsoft bug that created false positive alerts for every clean link, including company links. We made modifications to the alerts, and now we no longer receive those unnecessary alerts.
It helps eliminate the need to look at multiple dashboards by providing us with just one XDR dashboard. We no longer have to go to other places. However, there are instances when we receive alerts about failing servers, and we can't check them using Sentinel; instead, we have to use Azure Active Directory. It's not Sentinel's fault, and checking through Azure Active Directory is not difficult, but we still have to go somewhere else.
Sentinel's threat intelligence assists us in preparing for potential threats before they strike, allowing us to take necessary precautions. My weekly routine includes dedicating at least two hours to the accounting part. I am constantly searching for any threats in our environment that may have gone unnoticed. So far, I haven't found anything, but I'm always vigilant because we can never be entirely certain that there are no threats.
We have been enabled to save a significant amount of time. The log files consist of hundreds of pages, and to review them, we need to possess networking knowledge to identify the specific case. Without knowing what we are searching for, it's like trying to find a needle in a haystack. Sentinel migrates the logs and presents the visual information in a user-friendly manner, which has proven to be a time-saving solution for us.
Sentinel saves money by reducing the number of people required to monitor the alerts. For example, if there are normally 50 alerts per week, fine-tuning reduces them to just one.
Microsoft Sentinel helps decrease our time to detect and time to resolve. Sentinel provides a brief introduction to the events occurring in the environment when someone is causing instability in the AWS environment. Sentinel precisely identifies the issue and offers a link for accessing more information about the situation.
What is most valuable?
The dashboard that allows me to view all the incidents is the most valuable feature. Threat hunting is also valuable. Sentinel has a Microsoft framework, so we can experiment with numerous queries. There are almost 500 queries available that we can utilize based on our environment.
What needs improvement?
I believe one of the challenges I encountered was the absence of live training sessions, even with the option to pay for them. Microsoft insists that all information is available in the documentation, which I must admit is quite comprehensive and helpful. However, for someone without a coding background, learning solely from the documents can be challenging at times. It would be much easier to learn if there were practical exercises and instructional videos available. This aspect bothered me significantly. While I did come across a course, my preference was to access it through Sentinel since they are already providing us with their services. Having the team trained up would undoubtedly streamline my job and save a considerable amount of time.
For how long have I used the solution?
I have been using Microsoft Sentinel for one year.
What do I think about the stability of the solution?
We have not had any scalability issues with Microsoft Sentinel.
What do I think about the scalability of the solution?
Microsoft Sentinel is scalable. We can add as many services as we want, and Microsoft automatically increases the capacity by adding memory and storage.
How are customer service and support?
I have used technical support many times. Sometimes, I have a really hard time understanding them. I am not sure if they are calling from India, but there was background noise at times. However, they are really helpful, even though they seem a bit indifferent. They frequently inquire whether we have addressed the issue and if it has been resolved—quite a lot, actually.
In a company, we are often very busy. They expect us to address the issues immediately, but sometimes it can take months. So, I inform them that I will follow up. They can be a little pushy, which is understandable from their perspective, but for us, it can be challenging because we have many other tasks to handle. Sentinel is just one of my priorities, and there are a lot of other things I need to take care of. That's why sometimes we need time, but to their credit, they are always responsive. Whenever we ask them a question, they promptly provide a response.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I had previously used Kibana, which is quite different from Microsoft Sentinel. When I used Microsoft Sentinel for the first time, I realized that this was the ideal solution. Microsoft Sentinel is user-friendly, unlike Kibana, which I found difficult to install and not very user-friendly. Microsoft Sentinel, on the other hand, is incredibly user-friendly, making it easy for everyone to understand and learn how to use it. It is a straightforward solution to comprehend.
What other advice do I have?
I give Microsoft Sentinel a nine out of ten.
We are currently evaluating Microsoft Defender and CrowdStrike in our environment to determine which one is a better fit. As for Defender, I cannot claim to have a complete understanding of it since it's in a testing environment. I can monitor people's devices, but I have not yet received any alerts generated by the devices. It has only been around ten days.
I am responsible for creating documentation for all of our implementations, while other teams handle the infrastructure portion.
Maintenance is minimal for Microsoft Sentinel. There is a check button in the house. Sometimes I go there because we occasionally find that some things are not working properly. So we have to go there and address the issue, but it is not a common occurrence. Maybe it happens, like, three times a year which is not bad.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Amazon Web Services (AWS)
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
IT Operation Manager at Orascom Construction Industries
Comprehensive with good automation and prioritizing of threats
Pros and Cons
- "The Log analytics are useful."
- "I would like to see more AI used in processes."
What is our primary use case?
We have possible use cases for the solution. We have ten or 12 different use cases under this solution.
What is most valuable?
The Log analytics are useful. You can review many details.
The portal and the full integration and collaboration between the cloud workloads and multi-tenants have been useful. We can use it with Sharepoint and Exchange.
The solution helps us prioritize all of our threats. It's one of the most important and critical systems we have here.
We have a lot of Microsoft solutions. For example, we also use Defender for endpoints and Microsoft Cloud. We mostly use Microsoft products, although we also use Crowdstrike.
It was easy to integrate Defender for Endpoint. Each of these solutions works natively together. It's very crucial that they work together.
Microsoft is very comprehensive. It helps protect us and offers very clear information. It's easy to assess everything. It's a good user experience.
We make use of Microsoft Defender for Cloud's bi-directional sync capabilities. We have different customers under our umbrella and multiple subsidiaries. Not all have access to the same license. We don't have the same security exposure everywhere. We can pick and choose who needs access.
Sentinel does enable us to ingest data from our entire ecosystem. This is crucial. That said, it can cost us a lot of money. We try to get feature visibility and enhance the collected logs to be able to identify only certain logs that would need to be uploaded. That said, it's very crucial we can ingest data from anywhere.
We can investigate threats and respond holistically from one place, one dashboard. Having one dashboard is important as it saves the team from headaches. We can collect all the information we need in one view.
The comprehensiveness of Sentinel is good in that it helps us identify most of our gaps in security. In the last few years, we have been able to fill in most of the gaps.
Once we enabled the connectors and started getting incident reports to our dashboard we were able to realize the benefits of the solution. It took about one month to begin to get the value of this product.
Sentinel helps automate routine tasks and helps automate the findings via high-value alerts. We've been able to automate a lot of the cycle and leave the investigation to humans. Support is very crucial and we can take the right actions fast.
The product helps us prepare for potential threats before they hit and we can take proactive steps. We're very satisfied in terms of security operations.
Before implementing the solution, we didn't know we were wasting a lot of time. Once the solution was in place, we discovered a lot of gaps across the traditional way we were handling security.
I can't say if we are saving money. However, we're investing in the right places. We're now utilizing services we actually need. From a business perspective, although it does have a cost, it's saving the business since it's protecting us from any security breach.
What needs improvement?
I'd like to see more integration with other technologies beyond the Microsoft OS.
I would like to see more AI used in processes.
For how long have I used the solution?
I've been using the solution for three or four years.
What do I think about the stability of the solution?
The stability is not an issue.
What do I think about the scalability of the solution?
We do have plans to increase usage. The solution has the ability to scale.
How are customer service and support?
We have not opened a ticket for technical support yet. So far, we haven't had any issues.
My understanding is Microsoft does not have good support and has done a lot of outsourcing. In general, they used to be brilliant as they were focused on customer satisfaction and engaged with experts, however, the quality is not as good.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We also use Crowdstrike as our EDR solution. However, before Sentinel, I did not use anything else in this category.
How was the initial setup?
I took part in the initial deployment. The process was very straightforward. It took about one week to onboard all that we needed. We did it in three phases. First, we did a demo and looked for items that needed to be addressed. We then onboarded the device and put the analytics and logs in place.
We had a team of three on hand that handled the deployment. They also handle support and maintenance.
What about the implementation team?
We initially had the assistance of Microsoft partners. However, we failed to get all of the information we needed. We found it more valuable to get assistance from the vendor directly.
What's my experience with pricing, setup cost, and licensing?
I can't speak to the exact cost.
What other advice do I have?
We are a customer of Microsoft.
During implementation, it's helpful to get the vendor engaged in the implementation.
I'd rate the solution nine out of ten.
It's good to go with a single-vendor strategy. I've recommended this product to others.
The user experience should be the number one priority. Microsoft is working on this every day. It's very important to us that the user experience is maintained and there's no conflict between the products or connectors. Having one dashboard makes it easier for admins and businesses to be in touch, engage, and share. For example, my manager can see my reports even if he's not knowledgeable in the technology.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Cyber Security Operations Analyst at a financial services firm with 5,001-10,000 employees
Provides good visibility, integrates with different log sources, and supports automation with Playbooks
Pros and Cons
- "Microsoft Sentinel provides the capability to integrate different log sources. On top of having several data connectors in place, you can also do integration with a threat intelligence platform to enhance and enrich the data that's available. You can collect as many logs and build all the use cases."
- "We do have in-built or out-of-the-box metrics that are shown on the dashboard, but it doesn't give the kind of metrics that we need from our environment whereby we need to check the meantime to detect and meantime to resolve an incident. I have to do it manually. I have to pull all the logs or all the alerts that are fed into Sentinel over a certain period. We do this on a monthly basis, so I go into Microsoft Sentinel and pull all the alerts or incidents we closed over a period of thirty days."
What is our primary use case?
We use it for security. It's at the forefront of managing the security within our organization. We use the platform as our main SIEM for enterprise security whereby we have several tools that feed into Microsoft Sentinel and then from there, we have the use cases. It's a major tool for security monitoring within the enterprise.
How has it helped my organization?
Microsoft Sentinel provides the capability to integrate different log sources. On top of having several data connectors in place, you can also do integration with a threat intelligence platform to enhance and enrich the data that's available. You can collect as many logs and build all the use cases.
Microsoft Sentinel helps to prioritize threats across the enterprise. We do threat categorization based on a risk-based approach. We categorize incidents as critical, high, and medium. The platform gives us the capability of categorizing the threats based on our assets' criticality and the type of data on our systems. At the end of the day, it does help in managing the threats within the organization. There are different levels of threats depending on the data that we have.
We also use Microsoft Defender for Endpoint. We have integrated Microsoft Defender for Endpoint with Microsoft Sentinel. Most of the alerts that come on our Microsoft Defender for Endpoint are fed into Microsoft Sentinel. We manage those alerts through Microsoft Sentinel, but when we are doing our investigations, we always leverage Microsoft Defender for Endpoint because we are able to do the investigation from the original source. Integrating a Microsoft product with other Microsoft products is not as difficult as compared to integrating Microsoft products with other vendor applications. With the inbuilt data connectors that already exist in Microsoft Sentinel, it's much easier to do the integrations with the Azure environment and other Microsoft products. If there's no data connector, it's somehow tricky. If we have a data connector in place, it's better. We also need to do some customization of the data that we ingest because we need to have the right size of the data that we feed into Microsoft Sentinel because of the cost aspect. At the end of the day, we managed to do an integration of on-prem AD with Microsoft Sentinel via a platform that acts as a bridge between them
Microsoft Sentinel and Microsoft Defender for Endpoint work together natively. The alerts are fed into Microsoft Sentinel seamlessly, but when it comes to investigations, you need to leverage Microsoft Defender for Endpoint to isolate a device and to see some of the timelines or actions that were done with that machine. You can't do that with Microsoft Sentinel.
Microsoft Sentinel allows us to investigate threats from one place, but it doesn't let us respond from one place. For responding, we need to narrow down the source of the threat. If it has been flagged from a Cisco perimeter solution that we use, such as Cisco Meraki, we need to go back and check in that platform. If it's flagging an issue that's happening on an endpoint, we need to go back to Microsoft Defender for Endpoint and do further investigation to respond.
Microsoft Sentinel helps to automate routine tasks. We have playbooks and once we establish a baseline or a routine task that needs to be done, we can just automate it through the playbook.
We have the Sentinel dashboard, but we still need other dashboards for other logs, such as from email. We can't see email logs from Sentinel. We still need a network security monitoring platform. It has helped us to secure 90% of our cloud environment.
With the integrations we have, its threat intelligence helps prepare us for potential threats before they hit and to take proactive steps. We get visibility into what's happening on the AD on a real-time basis. If there's any issue going on with the AD, we are able to fix that within the minimum time possible. It also helps with the visibility of different resources across the cloud environment. However, it can't do all that by itself. We also need other tools.
It has saved us time. It has helped in handling most of the issues within the cloud environments or any misconfigurations done on the cloud environment. We are able to handle any issues within the shortest time possible. In terms of threat detection, I can give it a nine out of ten. If we didn't have Microsoft Sentinel, it would have taken us three to four days to discover a security incident that is happening or any security misconfiguration in the cloud environment. Within a week, it saves me about three days.
It has saved us money from a security risk perspective, but from a technology perspective, it hasn't saved much. The main value that it's giving to the organization is from a security perspective.
It has saved our time to detect, but that also depends on the original platform. If the original platform, such as Microsoft Defender, fails to detect incidents, then Microsoft Sentinel will definitely not flag anything. The feed that Microsoft Sentinel gets comes from other platforms. With better fine-tuning across the other platforms and with good integrations, it can really help.
What is most valuable?
Playbooks are valuable. When it comes to automation, it helps in terms of managing the logs. It brings the SOAR capability or the SOAR perspective to the platform with the high usage of Microsoft products within our environment. We are utilizing most of the Azure resources. Our AD runs on Azure. We have on-prem and Azure AD, so we have the integrations. At the end of the day, when we are managing the security, we have the capability of initiating some options from Microsoft Sentinel and directly to AD. We also have automation with Cisco Meraki. We have configured playbooks where if there is a suspicious IP, it blocks the IP.
What needs improvement?
Microsoft Sentinel needs to be improved on the metrics part. I've had an issue in the recent past while trying to do my metrics from it. It gives me an initial report, but sometimes an incident is created on Microsoft Sentinel, but you realize that when a lot of information is being fed from Microsoft Defender to Microsoft Sentinel, instead of feeding the existing alert, Microsoft Sentinel creates a new alert. So, metrics-wise, it can do better. It can also do better in terms of managing the endpoint notifications.
We do have in-built or out-of-the-box metrics that are shown on the dashboard, but it doesn't give the kind of metrics that we need from our environment whereby we need to check the meantime to detect and meantime to resolve an incident. I have to do it manually. I have to pull all the logs or all the alerts that are fed into Sentinel over a certain period. We do this on a monthly basis, so I go into Microsoft Sentinel and pull all the alerts or incidents we closed over a period of thirty days. I then calculate the meantime to detect and the mean time to resolve. I have to check when all the tickets were created, when they were handled by the analysts, and when they were closed. I do a manual metrics calculation after pulling all the data. I believe Microsoft can do better on the metrics side of Sentinel. They can provide monthly reports. If I want to submit the reports to my senior management, it will be much easier for me to pull the data as a report. Currently, you can't pull any reports from Sentinel. It would be helpful if they can build a reporting tool within it and allow me to have my own customization. I should be able to customize the reports based on my needs. For example, I should be able to generate a report only for incidents with high and medium severity.
It should also provide information on trends within the platform. There should be reports on specific alerts or security incidents.
They should build more analytics rules to assess key security threats. I have had to build a lot of custom analytics rules. There should be more of them out of the box.
There should be more information about how to utilize the notebooks. They can have a better approach to enlightening the end-users about the straightforward use of notebooks. The data point analysis rules and automation are straightforward compared to the way you utilize the notebooks. They can do better in terms of sharing how we can utilize the notebooks.
We are able to ingest data across all our tenants and on-prem solutions, but we have been chasing Microsoft for the longest time possible for ingesting some data from Microsoft Dynamics 365. The kind of logs that we need or the kind of security monitoring that we need to do on Microsoft Dynamics 365 versus what's available through data connector tools is different. The best advice that they have managed to give us is to monitor the database logs, but we can't go into monitoring database logs because that's a different platform. There are several things that we want to address across Microsoft Dynamics 365, but the kind of logs that we get from the data connector are not of any significance. It would be better if they could give us customization for that one. That's the worst application from Microsoft to add because we can't monitor any business processes in that application, and there's no capability to do even customization. We are so frustrated with that.
It's quite comprehensive in threat intelligence capabilities, but it takes some time to establish a baseline. They can also improve the UEBA module so that it can help us address and have an overview of the risk. It's not yet that complete. It can establish a baseline for a user, but it doesn't inform how I can leverage the capability to address risks.
We can also have more integrations within Microsoft Sentinel with TI feeds out of the box. Currently, we don't have something out of the box for other TI feeds. Microsoft has its own TI feed, but we aren't utilizing that.
Microsoft Sentinel should provide more capability to end-users for customization of the logs they feed into Microsoft Sentinel.
For how long have I used the solution?
It has been two years.
What do I think about the stability of the solution?
We haven't had any issues with it so far. It's very stable.
What do I think about the scalability of the solution?
It's scalable. There are data connectors for different technologies and products.
How are customer service and support?
I've not contacted their support for Microsoft Sentinel.
Which solution did I use previously and why did I switch?
I've used QRadar.
How was the initial setup?
We are ingesting on-prem and cloud logs. The initial setup was a bit complex. It wasn't that straightforward because of the integrations.
What about the implementation team?
We had help from a Microsoft partner for visibility and integrations. We had about five engineers involved in its implementation.
In terms of maintenance, it doesn't require any maintenance from our side.
What was our ROI?
Microsoft Sentinel is costly, but it provides value in terms of managing security or managing the threats within our organization.
The return on investment is in terms of better security, visibility, and management. If you don't know what's going on in the cloud environment or the on-prem environment, you might need to pay a huge price in terms of compliance or ransomware to restore your data. We have seen value in investing in Microsoft Sentinel because we are building a better security capability within our environment.
What's my experience with pricing, setup cost, and licensing?
The current licensing is based on the logs that are being ingested on the platform. Most of the SIEM solutions utilize that pricing model, but Microsoft should give us a customization option for controlling the kind of logs that we feed into Microsoft Sentinel. That will be much better. Otherwise, the pricing is a bit higher.
Which other solutions did I evaluate?
We evaluated other solutions. The reason why we chose Microsoft Sentinel was because of the cloud visibility. We needed a lot of visibility across the cloud environment, and choosing another product that's not Microsoft native wouldn't have been easy in terms of integrations and shipping logs from Microsoft Sentinel to on-prem.
A good thing about Microsoft Sentinel as compared to the other platform is that most organizations run on Azure, and the integration of Microsoft Sentinel is much easier with other products, but when it comes to other SIEM solutions, integrating them with Microsoft sometimes becomes an issue.
What other advice do I have?
You need to customize the kind of logs that you feed to Microsoft Sentinel. If you just plug-in data connectors and don't do any customization and feed everything to Microsoft Sentinel, it will be very expensive in terms of cost. You only need the traffic that assists you in addressing security issues within your environment. You only need the information that gives you visibility to address security issues.
Overall, I would rate Microsoft Sentinel an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros
sharing their opinions.
Updated: October 2024
Product Categories
Security Information and Event Management (SIEM) Security Orchestration Automation and Response (SOAR) Microsoft Security SuitePopular Comparisons
Microsoft Intune
Microsoft Defender for Endpoint
Microsoft Entra ID
Splunk Enterprise Security
Microsoft Defender for Cloud
Microsoft Defender XDR
Azure Key Vault
Microsoft Purview Data Governance
IBM Security QRadar
Azure Firewall
Elastic Security
Azure Front Door
Microsoft Defender for Cloud Apps
Palo Alto Networks Cortex XSOAR
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What are your approaches on Azure Sentinel content deployment automation?
- Which is better - Azure Sentinel or AWS Security Hub?
- What is a better choice, Splunk or Azure Sentinel?
- Which solution do you prefer: Microsoft Sentinel or Palo Alto Networks Cortex XSOAR?
- What Solution for SIEM is Best To Be NIST 800-171 Compliant?
- When evaluating Security Information and Event Management (SIEM), what aspect do you think is the most important feature to look for?
- What are the main differences between Nessus and Arcsight?
- Which is the best SIEM solution for a government organization?
- What is the difference between IT event correlation and aggregation?
- What Is SIEM Used For?