Microsoft Sentinel Reviews

My customers mainly want to correlate logs so that they have a single point for their log information. In addition to correlating logs, they want to automate tasks.

Microsoft Sentinel is just a "watch tower" to get all the logs and manage threats. After that, you have the Microsoft Defender products that help to reduce threats. For example, Microsoft Defender for Endpoint is an anti-virus and EDR that helps to eliminate threats on devices such as laptops and smartphones. Microsoft Defender for Office 365 enables protection for Teams, Mail, or SharePoint, and Microsoft Defender for Identity helps to reduce risk on Active Directory or Azure AD. So Microsoft Defender products are the tools for reducing threats, and Microsoft Sentinel is the tool for analyzing incidents and threats.

Each time I deploy Sentinel, it helps the client get information about the overall security of their IT system. It brings together all the logs in a single place, so it's easy to track attacks and get information about breaches.

It also eliminates having to look at multiple dashboards. If you centralize the logs, you don't need to go to the firewall to get alerts or to the antivirus console or to a network device. You get everything in a single place, which means you have incidents in a single place, and then you can have a dashboard. You can check the built-in dashboard, or you can create one on your own, and these dashboards can be refreshed automatically or you can refresh them whenever you want.

The solution is well integrated with the Microsoft environment, so if a customer has a lot of Microsoft services, such as M365 or Azure, the solution fits well in their environment. Because I deploy solutions in general, I also use Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Defender for Cloud Apps, and Microsoft Defender for Office 365. It's really straightforward to integrate these products. You have just to check a box and all the logs from these products go to Sentinel. And if the customer has a Microsoft 365 E5 license, the Defender logs are free.

It also helps to prioritize threats across an enterprise. When you receive an alert of an incident, you can categorize it as a low, medium, or high priority. That's really important because sometimes low-priority incidents are just false positives. We need to categorize incidents to get to the high-risk incidents.

Sentinel also enables you to ingest data from your entire ecosystem and not just from the Microsoft ecosystem. It can receive data from third-party vendors' products such as firewalls, network devices, and antivirus solutions. It's not only a Microsoft solution, it's for everything. There are native connectors to get information from third-party vendors, but if you don't have a connector for something, you can get information from protocols such as syslog.

It's really important that Sentinel allows you to investigate threats and respond holistically from one place. It's important to know where an attacker went. For example, an attacker could go through a firewall and then to a specific application, and you need to know where the attacker started first.

When you enable this feature, Sentinel automatically gets information about the users and devices, and you can then search for specific entities. For example, if you know that a specific user is at risk, you can enter the username and get all the information about the user: on which device he's connected, to which servers he's connected, and what he did on these devices, among other things. This ability is important to a breach.

With Sentinel, you have some built-in rules to automate tasks. You can also create your own automation based on Logic Apps in Azure. You can do what you want with scripting with PowerShell or Python. The first time you have a given incident, you do some troubleshooting and when you write up this incident you can create a knowledge base. Once this knowledge base is done, you can try to automate the troubleshooting. If you do it via automation, you can close this incident because the incident will be managed automatically with Sentinel. And that helps you to save time.

Sentinel should be improved with more connectors. At the moment, it only covers a few vendors. If I remember correctly, only 100 products are supported natively in Sentinel, although you can connect them with syslog. But Microsoft should increase the number of native connectors to get logs into Sentinel. Each time we have a connector, it eases the configuration of Sentinel, and we don't need custom deployments to get the information from a specific vendor. 

The second thing they should do is create more built-in rules for the dashboard, automation, and hunting. The first time you use Sentinel, it's not easy to use the product because, beyond the dashboards, you need to know the Kusto Query Language (KQL) to create the right requests.

I have been using Microsoft Sentinel for two years. I implemented the solution for a customer a couple of months ago.

There is no problem with the stability of Sentinel. It's really stable. I have never experienced an issue with accessing the product.

It's a SaaS solution, so you don't need to scale it. It scales by itself. 

If you need a multi-tenant implementation, for example, if you have a SOC and you have several customers, you can get your own Sentinel, and you can ask the customers to deploy Sentinel in their environments. You can then gather logs from several Sentinels in a single point.

I haven't contacted Microsoft for support of Sentinel, but each time I contacted them for other products, it was a bad experience. The technical support of Microsoft is a negative point because, most of the time, they don't have the answer.

I used QRadar and a Symantec solution, but that was 10 years ago.

The first deployment was not complex. The first step, when you want to connect a solution to Sentinel, is pretty straightforward. When you want to use the built-in dashboard, it's also straightforward. But once you want to do some customization, like a custom dashboard, custom automation, or custom hunting rule, it can be complex because you have to know several languages, how Log Analytics works, and how Logic Apps works for automation.

Most of the time, I deploy a single Sentinel in a single location because it is a worldwide SaaS solution. And most of the time I deploy Sentinel to be used on-premises and in Azure, and I deploy Azure Sentinel for a SOC team. I have never deployed a multi-tenant Azure Sentinel setup, although it's possible to do.

In the beginning, when a customer uses Sentinel, they cannot use it on their own. They require some assistance. That is why, after deployment, a consultant is usually onsite two days per month to add some connectors and custom rules, and to end some incidents.

Sentinel is a pay-as-you-go solution. To use it, you need a Log Analytics workspace. This is where the logs are stored and the cost of Log Analytics is based on gigabytes. You can get a discount of 10 percent if you get to 100 terabytes of data. On top of that, there is the cost of Sentinel, which is about €2 per gigabyte.

If a customer has an M365 E5 license, the logs that come from Microsoft Defender are free.

The solution is really easy to deploy compared to other solutions such as Splunk.

Taking proactive steps to prevent breaches is a default. It's not like competitors on the market. Sentinel doesn't give you advice about how to set some settings on your device to protect them from a specific breach. But you can use Microsoft Defender for Endpoint for devices and it helps you to know if a device is breachable from a specific attack and how to be protected against it.

The cost and ease of use of Sentinel compared with other standalone SIEM and SOAR solutions depends on whether the customer has the whole stack, meaning an M365 E5 license. If so, they get a really good discount because all the logs from Microsoft Defender are free. But if they don't have an M365 E5 license, those logs are not free and the solution can be expensive.

We haven't evaluated other options recently because our customer wanted Sentinel. But one of the differences I see between Sentinel and competitors' solutions is in the normalization of logs. With Sentinel, normalization is done automatically, whereas with other solutions, you need time to do the normalization manually. By "normalization" I mean lining up the fields. For example, in some logs, the time is in the first field, while in other logs, the description is in the first field. You need to sort the fields, but this task is done automatically by Sentinel.

Before using Sentinel, I recommend reading the documentation and watching the YouTube Ninja Training channel. They go through all options for Sentinel. 

In addition, I recommend knowing KQL—it's a requirement—and how to automate tasks in Azure. Other than these points, Sentinel is easy to enter because if you have a native connector, it's just "next, next, next." But when you want to do customization, it can sometimes be hard to do what you want.

When you look at going with a best-of-breed strategy versus a single vendor's security stack, it depends on the strategy of the customer. Sometimes, the customer prefers to get all its security products from a single vendor because they get discounts when they do that. Other customers prefer to have several vendors for security reasons. From my point of view, there is no correct answer. If I were responsible for the security of a company, I think I would prefer to use an all-Microsoft security stack because it's easier to interconnect the solutions and you get more information as a result.

Sentinel ingests all the logs from various security products across on-premise and virtual servers. It has a lot of flexibility regarding different third parties that are not Microsoft, which I liked. We had some very, probably not as well-known systems from which it would ingest information. So it was nice to see that it was very flexible.

We have a hybrid setup with Sentinel deployed on the Azure cloud. We've got about 20 server endpoints, 400 desktop or laptop endpoints, and 1,520 network endpoints. The company has around 400 employees and a 10-person IT team operating out of one location in Alabama. 

Sentinel provides a single pane of glass for reviewing logs from disparate sources. Everything is on one XDR dashboard. We have a smaller IT team, so it's cumbersome to go to various places to get information and manage it. Having a clearinghouse of information makes it quicker to get to the critical items and resolve any problem.

Sentinel saved us time because we can find the information we need directly. It's hard to quantify that because we still need to look through lots of information. Without Sentinel, it would take about one to three hours each week to compile information from different sources.

It helps us proactively prevent threats. Sentinel is integrated with Defender and CloudApp. It gives us suggestions about best practices in security and recommends actions if it sees something within the network that seems out of line. The investigation part is thorough. We can figure out exactly what's wrong and what we need to check. Afterward, we have to go to a secondary product.

Sentinel's most important feature is the ability to centralize all the logs in one place. There's no need to search multiple systems for information. The automation capabilities are excellent and can be extended. We haven't tried to extend the automation features, but what is built in is great. 

The solution also has native integration with Microsoft Teams. It creates a Teams chat when there's an issue, so one of our analysts can look at it immediately. It can automatically flag something instead of sending an alert to an email that someone may not read until three weeks later.

Sentinel provides decent visibility, but it's sometimes a little cumbersome to get to the information I want because there is so much information. I would also like to see more seamless integration between Sentinel and third-party security products. 

When alerts appear in the Sentinel console, I can research them and see what to do, but I need to leave Sentinel and go to a second product to execute whatever I need to do. I would like to be able to fix everything within the Sentinel console.  

We used Sentinel for about six months.

We haven't had any issues with Sentinel so far. The uptime has been 100 percent. 

Sentinel is capable of handling all that we ingest. I think we've hit 80 to 100 Gigabytes so far, and it continues to scale upward. I'm pleased with it. It's a rolling scale, so it scales up as needed based on the number of logs you ingest. As long as you're willing to pay to house the data, they'll continue to scale upward with you.

We haven't had to contact Microsoft support for Sentinel yet. That worries me. Sometimes Microsoft support can be a little difficult to reach.

Sentinel was our first foray into the SIEM world. That's one reason we went back and reviewed it again this summer. We wanted to be sure we picked a good product. They mostly gave demos, so we probably didn't get the full run of these secondary products, but it at least gave us a feel for what else was out there.

Setting up Sentinel was pretty straightforward. We set everything up through Azure, and they had excellent documentation as far as integrating modules. They had scripts we could run within other environments to ingest the logs. Getting information into the system was fairly smooth. 

We had to spin up a new virtual machine for Linux because it required a Linux virtual machine within our on-premises environment to send log files. That was the biggest step I had to do. Spinning up another virtual machine is no big deal. 

We didn't pay for any implementation help. Our IT team spent a day talking through the plan. We let the server person spin up our VM and our network person got all the network stuff in place. We came back together and made sure the logs were delivered. Overall, it was a roughly two-week process of setting up and reviewing everything to ensure everything is working correctly. After deployment, there's no maintenance. It's in Azure, so Microsoft handles all the updates and server roles. It's seamless from a maintenance standpoint.

Sentinel was deployed by a four-person in-house IT team consisting of a network admin, systems admin, and a junior engineer who floated between all of us, helping out where they could. I supervised the deployment as the director. 

The jury is still out on whether we see a return, but I am pleased with the investment. Sentinel provides us with some new insights. It helps us improve our security posture with proactive measures, like informing us of best practices. 

These features helped us evaluate things within our network and cloud environments that we needed to tweak. That was a pretty helpful bonus. 

Sentinel's price is comparable to pretty much everything out there. None of it is cheap, but we didn't think we could save money by going a different route. Sentinel was part of our Azure expenditures, so it was easier to add the expense instead of having a completely separate vendor.

The licensing is straightforward because it's within Azure. There are lots of features in Azure that they gave us as a package. It's nice to do this without having to carve out special budgetary items. The flexibility was helpful. 

We looked at a couple of different solutions, including Splunk and Arctic Wolf. We primarily chose Sentinel because we had already carved out a budget within Azure for Sentinel. We could keep it within Azure and roll that into our Azure expenses versus carving out a new budget item for these other products. That was the biggest motivation.

Sentinel kept pace with the other major players in the field. We considered whether there was a better product to ingest all data. We didn't find anything new or different. 

I rate Microsoft Sentinel eight out of ten. If you plan to implement Sentinel, I recommend spending time thinking about all the sources of data you want to ingest. It's flexible in terms of how much you can ingest, but you may not want to pay that much. It might be better to only connect your critical systems to it.

If you're hesitant to adopt Sentinel, you should do a demo. The single pane of glass is nice to have. You'd really have to talk me out of that.

Public Cloud

Microsoft Azure

We use Microsoft Sentinel as our main SIEM suite alerts and automation rules. It feeds everything into Sentinel Logs and Realities for security purposes.

Microsoft Sentinel has helped by streamlining our security. We have a nine-member network team, with three members managing security for the city, and Sentinel allows us to operate an unofficial SOC. 

It makes investigations easy. We were spending a lot of time manually investigating and resolving false positives. Once Sentinel was fully integrated and we suppressed those false positives, our SOC environment greatly improved. 

The most valuable feature of Sentinel is the automation. Creating automation rules helps eliminate false positives, which is crucial due to the high amount of noise in security. Sentinel integrates with Microsoft Defender XDR as a single security hub. Sending our alerts from XDR into Sentinel has made it a decent transition to one solution.

We can easily build reports based on Sentinel alerts and logs. Around 80 percent of our logs go into Sentinel. The solution has improved our threat-hunting by enabling us to run KQL queries. If we learn something through threat intelligence, we can run a query to see if our environment is affected.

Sentinel MITRE ATT&CK recommendations strengthen our security posture. For a small security team like ours, the automation and integrated technologies increase our service efficiency.

There is room for improvement in terms of integrations. We have some tools, such as our off-site Meraki firewalls, that have not fully integrated with Sentinel. We lack integration for Syslogs into Sentinel.

Sentinel's stability is great. I don't see us changing Sentinel as our SIEM in the near future.

Sentinel's scalability is excellent. As our organization uses Microsoft Azure and Defender, everything grows together, and we can integrate various features seamlessly.

Customer service and support for Sentinel have been very responsive. Working with a Sentinel engineer helped us tune settings effectively.

Positive

The initial setup process involved working with a Microsoft Expert, which helped in achieving an effective setup.

The implementation team was a Microsoft Expert, providing substantial support in tuning Sentinel post-deployment.

The management has expressed that the return on investment has been favorable, especially due to the reduction in security investigations. However, specific metrics were not shared with me.

We already had the necessary licensing for Sentinel, so we didn't need to to spend extra money. 

We considered Splunk and ano Splunk and another unnamed product, but Splunk was a notable option.

I Sentinel nine out of 10. Our licensing strategy and the positive impact on investigations indicate a good return on investment.

Hybrid Cloud

Microsoft Azure

The company I work for delivers SOC-as-a-Service, so I set up Sentinel in the customer's Azure environment and then connect it to our central Sentinel through Azure Lighthouse.

Microsoft Sentinel has made it easier for us to sell SOC-as-a-Service to, more or less, any customer and not just the big ones.

A lot of our customers run Microsoft products, and integrating those with Sentinel is simple and easy. Sentinel can be quickly deployed as well.

As long as the customers are licensed correctly and have, for example, the E5 security package, then the insights into threats provided by Sentinel are pretty good.

Sentinel helps prioritize threats well. The option to dig deeper and go into the different portals is good as well.

Our customers are very happy with incidents being closed in Sentinel and across the tenant.

We are able to fetch data from almost any source with Sentinel. There are some customers who try to customize, but we try to keep it to the out-of-the-box preconfigured data connectors or to what we can find in the Microsoft content hub.

In terms of the importance of data ingestion to our customers' security operations, they only have access to what is in Sentinel. Therefore, it's pretty important for them to have all of their data stored in one location. If it's stored on-premises in Microsoft 365 Defender, then the SOC team won't be able to access that data. Giving a good analysis will then be harder.

It's very important to us to be able to investigate threats and respond holistically from one place. We don't create several accounts for each customer. We utilize one account and then get insight into the Sentinel environments of different customers. It's great that we can do all this in one place.

The comprehensiveness of Sentinel's security protection is pretty good. The effectiveness of the web part of this depends on how well the customer has configured their Azure AD and what information they have included for each user, such as the phone number and the part of the organization where the user works.

One of the big issues for our customers is the need to look at multiple dashboards. Sentinel has eliminated this and made it a lot easier by having everything in one place.

Sentinel has definitely saved us time. It has also decreased our time to detection and our time to respond. We try to have an analysis ready within 30 minutes of an incident coming in.

Some of the data connectors are outdated, at least the ones that utilize Linux machines for log forwarding. I believe that Microsoft is already working on improving this.

I would like Microsoft Sentinel to have out-of-the-box threat intelligence because right now, the only option is to add your own threat intelligence.

I've been using Microsoft Sentinel for approximately one and a half years.

Sentinel has only been down once, as far as I know, as a result of Microsoft doing something with Azure Kubernetes, which affected log analytics and Sentinel. It was down for about 10 hours. Other than that, it's always been up.

The scalability is great. You can put unlimited logs in, as long as you can pay for it. There are commitment tiers, up to six terabytes per day, which is nowhere close to what any one of our customers is running.

I might be more fortunate than others, given the fact that I have easy access to Microsoft support. The only downside is that the support staff are not that technical, but there is a big community around Sentinel. I can ask the question on the forums instead, and I usually get an answer there. All in all, I'd rate technical support at eight out of ten.

Positive

The initial deployment is straightforward. We try to utilize a baseline of analytics rules in addition to connecting any security products already owned by the customer.

We usually deploy one Sentinel per Azure tenant. Maintenance-wise, Microsoft updates the analytics rules and the engine behind Sentinel, and it may require some tuning if it creates a lot of noise. Other than that, it's pretty straightforward. Thus, in comparison to other SIEM solutions that you need to upgrade and then turn off for the functionality to be updated, Sentinel saves us time.

My colleague and I usually work with someone at the customer's location to deploy the solution.

Compared to standalone SIEM and SOAR solutions, it is easy to start off with Sentinel. For example, with QRadar there are minimum licensing requirements, EPS costs compared to how many logs are being ingested, etc.

It can become costly with Sentinel if you try to run all of the raw logs for an entire organization. If you prioritize, however, you can have a cheaper SIEM solution compared to the ones that have a starting price of 50,000 US dollars.

The pricing is based on how much you ingest, so it's pretty straightforward. There are no tiers, and you pay for what you use, unlike with other types of SIEM solutions that are usually based on tiers.

It's a great way to get insight into exactly how much you're using. If you connect a log source that utilizes too much, you could turn it off or tune it down. You could also buy tiers in Sentinel and can save money with tier commitments.

Overall, I'm satisfied with Sentinel and would give it a rating of eight out of ten.

As far as going with a best-of-breed strategy versus a single vendor's suite, Microsoft gives a pretty good solution, especially when you get the E5 security package. It gives you a good view of the security across the organization, so I don't mind going for a single vendor's suite and opting to go completely with Microsoft.

Public Cloud

Microsoft Azure

My security team has been using Microsoft Sentinel for around two years. We also have Bastion and SolarWinds as part of our monitoring tools. We use a three-way tool, alongside Microsoft Sentinel, in our environment.

The most valuable features for us include threat collection, threat detection, response, and the knowledge base for investigation. These are the three separations in the tool that we are currently using.

My team enjoys using Microsoft Sentinel. However, we are not using it for some features, mainly for cost-related reasons and our company policy. We choose other solutions for basic monitoring due to better cost opportunities. There could be improvements in those areas, but these are based on management decisions.

We have been using it for approximately two years.

In the past two years, our team hasn't encountered any issues with the stability of Microsoft Sentinel from an operations perspective. We rate it an eight, as no escalations have been made for Microsoft Sentinel.

I cannot provide a specific number for scalability, as I wasn't part of the scaling team. We did use an external vendor, I-Tracing, for assistance.

When my team needs to escalate issues to Microsoft, especially for Microsoft Sentinel, the response is fast through their French entity. We would rate technical support an eight.

Positive

We used Bastion before Microsoft Sentinel. We still use Bastion in some regions for end-to-end security and SolarWinds for monitoring. We switched to Microsoft Sentinel for specific security cases.

Initially, we had dedicated training from a UK trainer who worked with our team for three months. The cloud, DevOps, and security teams wrapped up training quickly, especially within the EMEA region. No major issues were encountered during the adoption.

We had a dedicated trainer from the UK who worked with our security level one and two teams during the initial setup. The DevOps team had some delays, but these were likely operational specifics.

I'm not on top of the full business case, but from a support and licensing perspective, it's fine. Microsoft Azure was not fitting for short-term cost savings but promised a better ROI over three to five years for medium to large companies.

I haven't seen the full business case, but the cost for support and licensing is justified with what we receive. Microsoft Sentinel offers more capabilities than Bastion, with a more intuitive experience.

We evaluated Bastion and SolarWinds.

My CISO wanted to get more with less money. Short-term, Microsoft Sentinel might not fit the budget, but long-term it makes sense, especially for medium to large companies. I rate Microsoft Sentinel an eight out of ten, offering a better experience than our previous solution.

Public Cloud

Microsoft Azure

We primarily use the solution for analyzing logs, such as those from Azure AD. We have it integrated with Microsoft 365 and plan to integrate it with our firewalls so we can analyze those logs too. So, our main uses are for log analysis and to check for vulnerabilities in our system.

We use more than one Microsoft security product; we also use Defender for Cloud. 

Sentinel helps us to prioritize threats across our enterprise. 

The solution reduced our time to detect and respond. 

The log analysis is excellent; it can predict what can or will happen regarding use patterns and vulnerabilities.

Sentinel provides good visibility into threats. 

The product enables us to investigate threats and respond holistically from one place, and that's important to us. 

Given the solution's built-in SOAR, UEBA, and threat intelligence capabilities, it provides reasonably good comprehensive protection, and we are happy with it. 

Sentinel helps us automate routine tasks and find high-value alerts; the playbooks are beneficial and allow us to optimize automation.

The tool helped eliminate multiple dashboards and gave us one XDR dashboard. Having one dashboard is the reason we purchased Sentinel.  

Sentinel's threat intelligence helps us prepare for potential threats before they hit and to take proactive steps. It helps a lot, and that's another main reason we have the product.  

The solution could be more user-friendly; some query languages are required to operate it.

A welcome improvement would be integrations with more products and connectors. 

We've been using the solution for over a year. 

The solution is stable.

Sentinel is a scalable product. 

Microsoft support is good, I rate them seven out of ten. 

Neutral

We didn't previously use another solution of this type; when we moved to Azure, Sentinel was one of the products Microsoft recommended, so we started using it.

I was involved in the deployment of Sentinel, but my colleague did the majority. The setup was basic; some query language is required to implement it fully, and we could improve our configurations. Our implementation strategy was to cover the major products first, including Office 365 and Azure AD. We did that, and we're now adding the other tools we use in our environment.

Our setup is not particularly expansive, so we can deal with the maintenance requirements within our team; it only requires one team member. Our team consists of three or four admins; we manage the Azure AD logs, and Azure AD has 400 users.

The pricing is reasonable, and we think Sentinel is worth what we pay for it.

One of the main reasons we switched from on-prem to Azure Cloud was to save money, but at the same time, we kept adding on features and spent a lot doing so. We're now looking at cost optimization and removing unnecessary elements, as one of our primary goals is to reduce costs. I'm unsure if we are, but we are trying to get there.

I rate the solution seven out of ten. 

Sentinel allows us to ingest data from our entire ecosystem, though we are attempting to integrate all our products. It can ingest and analyze all the data, but we aren't using this functionality to its fullest extent yet.

My advice to someone considering the product is to use it. Start by integrating your primary applications, then slowly move on to others in descending order of importance. 

Public Cloud

Microsoft Azure

When Exchange email is outside the domain, we have found sometimes that there are phishing emails. With the help of Microsoft Defender only, without Sentinel, we would not be able to track them. A couple of times data was compromised. With Sentinel, what we have done is integrate Microsoft Endpoint for Defender, M365 Defender, and our Exchange Online for all the email communications in and out.

With the investigation and threat-hunting services in Sentinel, we have been able to track and map our complete traffic: Where it started from, where it was intercepted, and where the files were downloaded and exchanged. We have been able to see how a phishing email was entering our domain. Accordingly, we understood that we needed to develop or modify some rules in Exchange and now, we do not have any phishing emails.

Sentinel enables us to investigate threats and respond holistically from one place to all of the attack techniques, such as MITRE ATT&CK, manual, DDoS, and brute force attacks. They are quickly identified by Sentinel. That is of high importance because we don't use any other product with Microsoft. Our SOC team continuously analyzes and monitors Sentinel, the activities and events that are happening. That team needs to be equipped with all of the real-time data we are getting from our ecosystem.

We have also integrated our SIEM with multiple firewalls and proxies. The traffic in and out, coming from the firewalls and proxies, is intercepted by Sentinel. We are now getting granular visibility into our traffic. We can see the hits we are getting from various regions, such as the hits that recently came from Russia. We have multiple such attacks on our firewall front end and we have been able to develop more granular rules on our firewalls.

And for DLP we have the help of protection from Microsoft Information Protection labels that we have defined for our data. Whenever this labeled data is shared, the data is limited to the recipients who were specified in the email. Similarly, our OneDrive data has been secured with the MIP Labels. All of this tracking is happening on Sentinel, which is giving us a broader view of where our data is traveling within and outside our organization as well.

People tend to go with Microsoft because it provides you with 360-degree protection, protecting your files, network, infra, and cloud environment. Each of its products is linked and interacts with the others. Microsoft Defender for Cloud will interact with Microsoft Defender for Cloud Apps, for example. And both of them can interact with Sentinel. Sentinel is the central SIEM in Microsoft and has the ability to take all the instructions from all of these Microsoft products and it gives you a central dashboard view in Azure. That helps manage infrastructure and identify threats. It's a single pane of glass. That's why Microsoft is gaining compared to other products.

Eliminating our multiple dashboards was a little tough in the beginning, but the Microsoft support team's expertise helped us create our own dashboard. Previously, when we started integrating all the products, it was very hard for us to give a broader review to management. It was only something the technical guys could do because they know what all those events mean. But when it came to a dashboard and presenting the data to the stakeholders, it was very tough. With the help of Microsoft's expert engineers, we were able to create dashboards into Sentinel, as well as with the help of Azure dashboards and Microsoft Power BI, and we were able to present the data.

We got Sentinel to send the data to Microsoft Power BI and that helped us create some very useful and easy dashboards so that our stakeholders and senior-level management, who are non-technical guys, could understand much better how we are utilizing this product. They can see how much we are making use of it to investigate, hunt, and track the incidents and events, and the unnecessary accessing of applications in the environment. As a result, we started to put granular controls in place and restrict unnecessary websites.

The watchlist is one of the features that we have found to be very helpful. We had some manual data in our Excels that we used to upload to Sentinel. It gives us more insightful information out of that Excel information, including user identities, IP addresses, hostnames, and more. We relate that data with the existing data in Sentinel and we understand more.

Another important feature is the user behavior analytics, UEBA. We can see how our users are behaving and if there is malicious behavior such as an atypical travel alert or a user is somewhere where he is not regularly found. Or, for example, if a user does not generally log in at night but we suddenly find him active at night, the user behavior analytics feature is very useful. It contains information from Azure Identity as well as Office 365.

With the E5 license, we have Microsoft Defender for Cloud Apps, Microsoft Information Protection, Defender for Cloud, and Defender for Office 365. All of these products are integrated with Sentinel because it has those connectors. With both Microsoft and non-Microsoft products it can be integrated easily. We also have ASA on-premises firewalls and we have created a connector and have been sending those syslogs to Sentinel to analyze the traffic. That is the reason we are able to reverse-investigate and hunt threats going on in our network, end to end.

Sentinel enables us to ingest data from our entire ecosystem. In addition to integrating our Cisco ASA Firewall logs, we get our Palo Alto proxy logs and some on-premises data coming from our hardware devices. We also get our Azure Firewall logs, and the logs from the Microsoft 360 bunch of products, like MIP and Defender for Cloud, Defender for Cloud Apps, et cetera.

When I think about the kinds of attack techniques that you are not able to understand at eye level, the AI/ML logic being used by Sentinel helps an administrator understand them in layman's language. It tells you that something has been identified as a malicious event or activity being performed by a user. All of those details are mentioned in an understandable manner. That is very important and is one way Sentinel is playing a wider role in our environment.

We use Microsoft Defender for Cloud and from that we get our regulatory compliance, recommendations, CSPM recommendations, cost recommendations, cost-optimizing strategies, and techniques for things like purchasing reserve instances. It helps us reduce the number of unused VMs or turn off VMs if they're not in production, as well as DevOp VMs in the early hours. We also use it for applying multi-factor authentications for users and reducing the number of owner or administrator roles that are assigned to subscriptions.

And the bi-directional sync capabilities of Defender for Cloud with other Microsoft products is near real-time, taking a couple of seconds. Within a minute, the information is updated, always, for all of the products that are integrated. Some products have a latency of around 4 to 12 hours of latency to update.

The following would be a challenge for any product in the market, but we have some in-house apps in our environment. We were thinking of getting the activities of those apps into Sentinel so that it could apply user behavior analytics to them. But our apps were built with different parameters and the APIs for them are not present in Sentinel. We are working with Microsoft to build those custom APIs that we require. That is currently in progress. 

We are happy with the product, but when it comes to integrating more things, it is a never-ending task. Wherever we have a new application, we wish that Sentinel could also monitor and investigate it. But that's not possible for everything.

I have used Microsoft Sentinel for around two years now.

It is scalable, with the help of the log retention facility in Sentinel in the Log Analytics workspace. We can limit the data that is being retained in it and that limits the cost.

We have it deployed across multiple sites.

In the beginning, it was not so good, but when we switched from standard support to premium support, the support improved.

I have been using QRadar and Splunk, but they both only gave me a centralized SIEM solution, a SOAR, and a VAPT solution. But I wanted to reduce the efforts required when jumping into different portals at different points in time. The way things stood, I had to hire different engineers to maintain those different portals and products. With the help of Sentinel, I could integrate all of my applications with Sentinel, as the APIs were ready and the support for them from Microsoft was good. That's why we thought of moving to Sentinel.

It was pretty hard to convince the stakeholders to invest so much in protecting the ecosystem through investigating and hunting, which is mainly what Sentinel is for. The integration part comes later. But convincing the stakeholders about the cost we would be incurring was a big challenge.

Slowly but surely, we started integrating many of our products into Sentinel and it started showing us things on the dashboard. And with the help of the Logic Apps, we were able to do multiple other things, like automatically creating tickets out of the incidents that are detected by Sentinel, and assigning them to the SOC team. It reduced the SOC team's workload because they used to manually investigate activities and events. Sentinel killed those manual tasks and started giving "ready-made" incidents to work on and mitigate. It has helped my SOC team because that team was facing a lot of issues with workload.

Then we also got visibility into different products, like Microsoft Defender, and Defender for Cloud Apps, whereas we used to have to jump into different portals to see and analyze the logs. Now, we don't have to go to any other product. All the integration is happening with Sentinel, and with the help of the AI/ML in Sentinel, investigating and threat-hunting have become easier.

It took around six months for us to realize these benefits because we were slowly integrating things, one by one, into it. We were a little late in identifying the awesome capabilities it has.

Most of our products are integrated but a few of our products are facing challenges getting connected. We are dealing with it with Microsoft and they are creating a few connectors for us.

We had to pay extra compared to what we would pay for other products in the market. But you have to lose something to gain something. Sentinel reduced the efforts we are putting into monitoring different products on different portals, and reduced the different kinds of expertise we needed for that process. Now, there are two to three people handling Sentinel.

The pricing was a big concern and it was very hard to explain to our stakeholders why they should bear the licensing cost and the Log Analytics cost. And the maintenance and use costs were on the higher side compared to other products. But the features and capabilities were going to ease things for my operations and SOC teams. Finally, the stakeholders had clarity.

Microsoft is costlier. Some organizations may not be able to afford the cost of Sentinel orchestration and the Log Analytics workspace. The transaction hosting cost is also a little bit on the high side, compared to AWS and GCP. But because it gives a 360-degree combination of security products that are linked with each other, Microsoft is getting more market share compared to Splunk, vScaler, or CrowdStrike.

But if I want to protect my files, to see where my files have been sent, or if the file I'm receiving is free of malware, or even if one of my users has tried to open it, Windows Defender would track it first. The ATP (Advanced Threat Protection) scans my emails and the attachments first. It determines if the attachment is safe and, if it is not safe, it will block it. I don't have to create any granular or manual settings. That connectivity across different products has a brighter future. That's the reason, even though we have a small budget, that we are shifting to Microsoft.

There are competitive applications in the market, like vScaler, Splunk, QRadar, and CrowdStrike. These are also good in terms of their features and capabilities. But these products only work as a SIEM or VAPT solution. They won't scan everything that we need to protect.

But if you are only considering SOAR, I prefer CrowdStrike because of cost and the features it provides. The AI/ML is also more developed compared to Sentinel.

But why Sentinel? Because it not only covers Microsoft products, but it also has API connectors to connect with any non-Microsoft products. It has inbound APIs for connectivity to QRadar, vScaler, or Splunk, so we can bring their data into Sentinel to be analyzed. Splunk is doing its job anyway, but Sentinel can filter the information and use it to investigate things. 

Those have great visibility and great potential over Sentinel. But for products that are out of the ecosystem, those competitive solutions might face issues in connecting or integrating with them.

We have created a logic app that creates tickets in our service desk. Whenever a ticket is raised, it is automatically assigned to one of the members of our SOC team. They investigate, or reverse-investigate, and track the incident.

Every solution requires continuous maintenance. We cannot rely on AI/ML for everything. Whenever there is a custom requirement or we want to do something differently, we do sit with the team to create the required analytic rules, et cetera. It doesn't involve more than three to four people.

In terms of the comprehensiveness of Sentinel when it comes to security, it plays a wide role in analysis, including geographical analysis, of our multiple sites. It is our centralized eye where we can have a complete analysis and view of our ecosystem.

Go with a single vendor security suite if you have the choice between that and a best-of-breed strategy. It is better to have a single vendor for security in such a complex environment of multiple vendors, a vendor who would understand all the requirements and give you a central contact. And the SLA for response should be on the low side in that situation, as Microsoft, with its premium support, gives an SLA of an immediate callback, within two to three minutes of creating a ticket.

Public Cloud

Microsoft Azure

We have had various use cases depending on the needs of our customers.

It is a SaaS-based solution. It does not have any versions.

In traditional SIEM solutions, there is a lot of hardware, and there is a lot of maintenance around it. We require a lot of resources for administrative tasks, whereas with Microsoft Sentinel, we don't have to get into all those details straight away. We can concentrate on the use cases such as detection and start ingesting our logs, and right away, get insights from those logs. In addition, traditional SIEM solutions, such as Splunk, QRadar, LogRhythm, or ArcSight, do not support cloud-based logs much. This is where Microsoft Sentinel comes into the picture. Nowadays, everyone is moving to the cloud, and we need solutions like Sentinel to easily ingest logs and then get insights from those logs.

It has definitely helped to improve the security posture.

The in-built SOAR of Sentinel is valuable. Kusto Query Language is also valuable for the ease of writing queries and ease of getting insights from the logs. Schedule-based queries within Sentinel are also valuable. I found these three features most useful for my projects.

Microsoft Sentinel has many native connectors, which are plug-and-play connectors. You don't have to do any kind of analysis before starting. Taking Azure Cloud logs as an example, once you enable Sentinel and the connector, you start getting the logs straight away. You get a visualization within Sentinel through dashboards, which are called workbooks. So, right from day one, you can have security for Azure Cloud. If you have other clouds, such as AWS and GCP, even they can be included right away.

There is not much guidance on the in-built SOAR solution that uses Azure Logic Apps as a service. For people coming from traditional SIEM solutions, it is difficult to understand how SOAR works. Because the security teams are not from a programming or coding background, they cannot directly jump into SOAR. For Kusto Query Language within Sentinel, Microsoft provides a lot of documents and articles, and they also have a community, but when it comes to SOAR, other than a few open articles, there isn't much information. The documentation part of SOAR should be improved.

The dashboards can be improved. Creating dashboards is very easy, but the visualizations are not as good as Microsoft Power BI. People who are using Microsoft Power BI do not like Sentinel's dashboards.

I have been using this solution since October of 2019.

It is stable.

It is a SaaS-based solution. So, as end-users or customers, we don't have to think about scalability. 

Sentinel Contributor and Sentinel Responder are the primary roles of its users. Users with the Sentinel Contributor role can perform anything on Sentinel. The Sentinel Responder role is allocated to L1 and L2 monitoring teams. They actively monitor the Sentinel console for any triggered incidents and remediate those tickets.

In terms of the number of users, it is a typical SOC team, which depends on the number of incidents. We calculate the full-time employees based on how many alerts are being triggered per month. If 1,000 alerts are being triggered per month, we would need eight FTE to run 24/7 operations.

We definitely have plans to increase its usage. Microsoft is continuously improving this product, and we also have private access where we can see what features are being launched and provide input to them.

Microsoft Sentinel is a SaaS-based solution. They are improving it all the time. You can see new features every month and week. They are bringing more and more features based on customer feedback. That's one of the things that I liked the most about Microsoft Sentinel, which I did not see in other products.

I like their support. When you raise a ticket with Microsoft, you'll get a response within four hours or so. A support person is assigned who then directly reaches out to you on Teams to troubleshoot.

They send the ticket to the right team. They reach out and guide appropriately. They inform me that they are taking care of the issue, and if a meeting is required, they ask about a suitable time so that they can block the calendar. I have never encountered any issues with the support team where I had to escalate anything to someone else. I would rate them a nine out of ten.

Positive

I have worked with QRadar and NetIQ Sentinel. These traditional SIEM solutions are not equipped to effectively handle API integrations on the cloud. Nowadays, most organizations are on the cloud. For Microsoft-heavy or cloud-heavy environments, it is very easy to manage and very easy to ingest logs with Microsoft Sentinel.

It was straightforward. Deploying Sentinel doesn't take much time, but the initial design required for any solution takes time. Once you have planned the design, deployment involves using toggle buttons or bars.

In terms of the implementation strategy, being a cloud solution, not all customers are there in a single subscription. There could be various tenants and various subscriptions. We have to consider all the tenants and subscriptions and accordingly design and place Sentinel.

Ideally, it takes two to three months to onboard log sources, and for implementation, three to four resources are required.

We have definitely seen an ROI. In traditional SIEM solutions, we need to have people to maintain those servers and work on the upgrades, whereas when it comes to the SaaS-based solution, we don't need resources for these activities. We can leverage the same resources for Sentinel monitoring and building effective detection rules for threat hunting.

There are no additional costs other than the initial costs of Sentinel.

We didn't evaluate other solutions.

I would recommend this solution. Before implementing it, I will also suggest carefully designing it based on your requirements.

You have two options when it comes to ingesting the logs. If you aren’t bothered about the cost and you need the features, you can ingest all logs into Sentinel. If you are cost-conscious, you can ingest only the required logs into Sentinel.

I would rate it a seven out of ten.

Public Cloud