Security Engineer at a tech services company with 5,001-10,000 employees
The solution prioritizes threats, integrates easily with other Microsoft products, and can be deployed within half an hour
Pros and Cons
- "We are able to deploy within half an hour and we only require one person to complete the implementation."
- "The playbook development environment is not as rich as it should be. There are multiple occasions when we face problems while creating the playbook."
What is our primary use case?
Our organization is an SSP, a service provider for manual threat detection and hunting. We use Microsoft Sentinel for threat detection. We have a few clients using Microsoft Sentinel, and we provide SOAR services to them.
How has it helped my organization?
Having the ability to respond holistically from one place with Microsoft Sentinel is very useful. We don't need to log into different security consoles. It is less hectic and reduces our time to respond and resolve the issue.
The solution has helped improve our organization by detecting and hunting threats. The solution also correlates alerts from other solutions, such as Defender, Office 365, and other endpoint solutions. Microsoft Sentinel has automated responses that help us reduce the number of analysts required, for example, from ten to six, because most of the tasks are done automatically.
The solution's automation of routine tasks helps us automate the finding of high-value alerts by reducing the manual work from 30 minutes down to three. Ninety percent of the work is done by Sentinel, which runs the playbook and provides us with all the data required to make a decision quickly.
The solution has helped eliminate the need to use multiple dashboards by incorporating SIEM plus SOAR into one convenient location. We don't need to log into each of the solutions individually. We can directly correlate the alerts and incidents from our Sentinel console. Sentinel reduces our time because we don't need to check multiple tabs for multiple solutions. All the information required to investigate and make a decision can be found in the solution's panel view.
We don't have any out-of-the-box threat intelligence from Microsoft, but with the integration of some open-source solutions and premium sources, Microsoft Sentinel helps us take proactive steps before threats enter our environment.
We have custom rules created to check IPs or domains for potential threats. Whenever an IP or domain is visible in our logs, the solution will automatically correlate it with the threat intelligence feed and create an alert. If we skip the correlation portion and an alert has been created for a malicious IP or a malicious domain, the solution can check the reputation in different reputation sources, such as VirusTotal or Recorded Future, and it will auto-populate the information for the analyst, which helps us prepare for potential threats.
The solution has definitely saved us 90 percent of our time. Microsoft Sentinel reduces our time to detect, respond, and resolve incidents. Most of the incidents are detected automatically and we just need the data to make a decision. We don't have to go look for different clues or reputations over the internet or use other solutions.
Microsoft Sentinel has saved us from incurring costs related to a breach by protecting us.
The solution detects incidents and alerts us in real-time based on custom rules that we create or the out-of-the-box rules that are part of Sentinel. The information that auto-populates when we run the playbook reduces our response time in most cases because all the relevant data required for our investigation is provided on the incident details page.
What is most valuable?
Logic apps, playbooks, and dashboarding are all valuable features of this solution.
Microsoft Sentinel prioritizes threats across our organization because the solution allows us to correlate using multiple solutions including Defender.
Integrating Microsoft solutions with each other is very easy. The integrated solutions work together to deliver coordinated detection and response in our environment.
The solution enables us to investigate threats and respond holistically from one place. We can write KQL queries and also create rules to detect the alerts. In the event that we don't have rules, we can proactively hunt through KQL queries.
The workbooks are based on KQL queries, and the query language is very extensive compared to other solutions such as QRadar and Splunk.
The solution requires no in-house maintenance because it is all handled by Microsoft. We only need to monitor the updates.
What needs improvement?
The playbook development environment is not as rich as it should be. There are multiple occasions when we face problems while creating the playbook.
The cost is not straightforward and would benefit from a single charge model.
The UI is not impressive; we need to train our analysts to conduct the investigation. Unlike IBM QRadar, which has a different UI for searching, there is no UI where we can conduct searches with Sentinel. With Sentinel, all our searches require a KQL query, and if our analysts are not familiar with KQL queries, we have to train them.
The data ingestion can use improvement. There are a few scenarios where we have experienced a delay in data ingestion.
Buyer's Guide
Microsoft Sentinel
October 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,649 professionals have used our research since 2012.
For how long have I used the solution?
I have been using the solution for one and a half years.
What do I think about the stability of the solution?
Sentinel is quite stable because it's a SaaS-based offering, so we don't have to worry about our stability. The solution is available 99.99999 percent of the time. The only time we have an issue is if there is a problem with the Azure portal. Microsoft handles the stability well.
What do I think about the scalability of the solution?
We can scale the solution as much as we want, and with a few clicks, we can increase or decrease capacity.
We currently have four engineering teams that handle the deployments and use case development as well as a SOAR team that consists of ten technical people who all use the solution.
How are customer service and support?
Microsoft Sentinel support is really good. They respond quickly to our requests and they try to resolve our issues as soon as possible. From my experience, Microsoft has the best support.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
For SIEM, we previously used IBM QRadar and Splunk Enterprise Security. For SOAR, we have used IBM Resilient, Palo Alto XSOAR, and D3 SOAR, which is a new tool. D3 SOAR is a startup based in Canada and we used it for a POC, but we have not used it in production. Sentinel is a SaaS-based solution. There is less administration required and with a few clicks, we can deploy Microsoft Sentinel, whereas, with other solutions, we have to build everything from scratch. There are other SaaS-based solutions, but Sentinel is one of the most popular, and because a lot of organizations are already using Microsoft and Azure products, Sentinel is the best compatible solution.
How was the initial setup?
The initial setup for Sentinel is straightforward and the best I have worked with to date. We are able to deploy within half an hour and we only require one person to complete the implementation.
What about the implementation team?
The implementation was completed in-house.
What's my experience with pricing, setup cost, and licensing?
From a cost perspective, there are some additional charges in addition to the licensing. Initially, the cost appears expensive, but over time, the solution justifies that cost. The cost is not straightforward, but instead really complex. We are charged for data ingestion as well as data leaving the environment. We are also charged for running playbooks and for logic apps. Compared with SIEM solutions, whose cost is simply based on EPS or data storage, Microsoft Sentinel's cost is complex. Over time we can predict what the cost of using the solution will be. Other standalone SOAR tools have fixed licensing and their cost is simple. We don't need to pay for each command we run or each integration we have or each automation we do. With Microsoft Sentinel, there is a cost associated with each of the connectors that we use in our playbook. Every time we run that playbook, there will be charges, but the charges are minimal unless we run the playbook repeatedly, then over time the cost shoots up.
Which other solutions did I evaluate?
We occasionally test POC and we are still evaluating other solutions.
What other advice do I have?
I give the solution nine out of ten.
My impression of the visibility into threats that Microsoft Sentinel provides is that the solution is not perfect, but since it is part of Microsoft Workspace, Microsoft already provides so many services to clients, and Microsoft Sentinel is one of them. If we are already using Azure and other services from Microsoft, then Sentinel is easy to implement and use compared to other similar solutions. If I were not using Microsoft solutions, then I could use other solutions, such as IBM QRadar or Splunk, and when it comes to SOAR, Palo Alto XSOAR is a much better solution.
We use multiple solutions from Microsoft within our organization including Defender and Endpoint. We have integrated Endpoint with Defender and Microsoft Security Center to receive alerts.
Microsoft Sentinel has out-of-the-box support for up to 90 percent of solutions where we can find a connector to ingest the data directly, but for the remaining 10 percent, we need to write custom tables.
The ability to ingest data is the backbone of our security. If we don't ingest the data, we won't be able to perform anything at all in SIEM. SIEM is based on data ingestion. Once the data is ingested, then on top of that data, we can monitor and detect or hunt, whatever we want. We can create a reporting dashboard, but the data needs to be there.
Microsoft Sentinel's UEBA is quite capable. For SIEM, Splunk and IBM QRadar are slightly better than Sentinel, but Sentinel is catching up fast. The solution has only been in the market for two or three years and has already captured a large share with increasing popularity. For SOAR, Palo Alto XSOAR is much better than Microsoft Sentinel because Sentinel is a SIEM plus SOAR solution whereas Palo Alto XSOAR is a SOAR-focused solution only. What Microsoft Sentinel provides is one solution for SIEM plus SOAR, where we can detect and also respond in one place.
Currently, we have one environment based in a US data center, but we have the ability for multiple solutions in multiple regions within Azure, and we can integrate them using a master and slave configuration that will allow us to run all the queries from the master console.
Using a best-of-breed strategy rather than a single vendor suite is fine if we have a SIEM solution, a SOAR solution, or an Endpoint detection solution until a time when they are no longer compatible with each other and we can not integrate them. If we can not integrate the solutions it becomes difficult for our teams to log into and monitor multiple solutions separately.
I definitely recommend Microsoft Sentinel, but I suggest basing the decision on proof of concept by gathering the requirements, security solutions, and additional log source devices an organization has before using the solution. There are multiple solutions available that may be more suitable in some cases.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: MSP
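The reviewer above describes custom rules that match IPs and domains seen in logs against a threat intelligence feed and raise an alert. The following KQL is an added example of that pattern written as scheduled analytics rule logic; it is not the reviewer's own rule. It assumes the legacy ThreatIntelligenceIndicator table is populated by a TI data connector (TAXII, platform or upload API) and that firewall or proxy events arrive in CommonSecurityLog through a CEF/syslog connector; the 90-day indicator lookback, the 50 confidence threshold and the one-hour schedule are assumptions to tune per feed.

```kql
// Added example: TI match rule logic, not the reviewer's own rule.
// Assumes ThreatIntelligenceIndicator (TI connectors) and CommonSecurityLog (CEF).
// Intended schedule: run every 1h, query the last 1h of events.
let lookback = 1h;
// Indicators are re-ingested when updated, so keep only the latest copy of each
// IndicatorId and drop anything inactive or expired before matching.
let ioc_ip = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(90d)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkIP)
    | project IocValue = NetworkIP, ConfidenceScore, ThreatType, Description, IndicatorId;
let ioc_domain = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(90d)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(DomainName)
    | project IocValue = tolower(DomainName), ConfidenceScore, ThreatType, Description, IndicatorId;
let events = CommonSecurityLog
    | where TimeGenerated >= ago(lookback)
    | project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP,
              DestinationHostName = tolower(DestinationHostName), RequestURL;
union
  (events
    | where isnotempty(DestinationIP)
    | join kind=inner ioc_ip on $left.DestinationIP == $right.IocValue
    | extend MatchType = "ip"),
  (events
    | where isnotempty(DestinationHostName)
    | join kind=inner ioc_domain on $left.DestinationHostName == $right.IocValue
    | extend MatchType = "domain")
| where ConfidenceScore >= 50          // assumed floor: drop low-confidence feed entries
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated), Hits = count(),
            Products = make_set(DeviceProduct)
          by SourceIP, IocValue, MatchType, ThreatType, Description, ConfidenceScore, IndicatorId
| order by ConfidenceScore desc, Hits desc
```

When saving this as a scheduled rule, map SourceIP to an IP entity and IocValue to an IP or DNS entity so that the incident page carries the entities the reviewer's playbooks enrich. Note that the newer ThreatIntelIndicators table uses different column names; the query above targets the legacy table only.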
Cyber Security Engineer at a retailer with 10,001+ employees
It helps us automate routine tasks and findings of high-value alerts from a detection perspective
Pros and Cons
- "The native integration of the Microsoft security solution has been essential because it helps reduce some false positives, especially with some of the impossible travel rules that may be configured in Microsoft 365. For some organizations, that might be benign because they're using VPNs, etc."
- "Sentinel could improve its ticketing and management. A few customers I have worked with liked to take the data created in Sentinel. You can make some basic efforts around that, but the customers wanted to push it to a third-party system so they could set up a proper ticketing management system, like ServiceNow, Jira, etc."
What is our primary use case?
We're a managed security service provider using Sentinel for its primary SIEM capability. Our company looks after multiple Sentinel instances for a variety of customers. However, we don't do anything through Lighthouse because every customer we monitor wants everything in their own tenant space.
The company ensures suitable detections are created and loaded into the Sentinel side, and we provide them with KQL to help them with some in-house use cases with a security focus. We also made some dashboards so they could visualize their data and what their issues would look like. We adopt different deployment models depending on the customer. It's usually a public cloud or hybrid in some instances.
We work with a few Microsoft products, but it's mostly the Defender for Cloud Suite, including Defender for Endpoint and Defender for Cloud. It's undergone a rebrand from the Cloud Application Security side. We also use Azure Active Directory, Microsoft Cloud Security, and several other Azure and Office 365 applications.
How has it helped my organization?
Sentinel made it easier to put everything into one place instead of checking multiple tools, especially when working with Microsoft shops. They focus a lot of the efforts on the Sentinel side, so the data is being correctly pushed across and easily integrated with third-party capabilities. Palo Alto and Cisco feeds can work almost side by side with the native Microsoft feeds seamlessly.
Sentinel helps us automate routine tasks and findings of high-value alerts from a detection perspective. Still, I haven't made much use of the SOAR capabilities with the Logic Apps side of things because of the cost associated with them, especially at volume from an enterprise environment. It was felt that using those features might push some of the usage costs up a bit. We thought it was more of a nice-to-have than something essential for the core services we wanted to leverage. We avoided using that again, but it was more of a cost issue than anything.
Instead of having to look at dashboards from multiple parties, we have one place to go to find all the information we want to know. This consolidation has simplified our security operations.
Usually, it isn't good to have all your eggs in one basket. However, with Azure replicating across the data center, it's better to have all your eggs in one basket to effectively leverage the raw data that would typically be going into multiple other tools. Having everything in one place allows a nice, clear, concise view if you want to see all your network data, which you can do easily with Sentinel.
Some of the UEBA features helped us identify abnormal behaviors and challenge users to ensure they are undertaking particular activities. You can isolate accounts that may have been compromised a bit quicker.
Sentinel reduced implementation time and sped up our response. I can't give a precise figure for how much time we've saved. Onboarding an Azure feed to a third-party SIEM system might take a couple of days or weeks to get the relevant accounts, etc., in place. Onboarding is a matter of minutes with Sentinel if it's a Microsoft feed. Having everything in one place makes our response a little quicker and easier. The KQL can be easily transferred to support the threat-hunting side because all the information is just there.
Our threat visibility also improved. Sentinel changed a lot since I started using it. It's like a whole new product, especially with the tighter integrations on the Defender for Cloud. For customers heavily reliant on Microsoft and Azure, it's much cleaner and more accessible than logging in to multiple tools.
I think some of the two-way integrations started to come through for the Defender for Cloud suite as well, so whenever you closed off notifications and threats, et cetera, that were being flagged up in Sentinel, it replicated that information further back to the source products as well, which I thought was a very nifty feature.
It helps us prioritize threats, especially with the way that the various signatures and alerts are deployed. You can flag priority values, and we leveraged Sentinel's capabilities to dynamically read values coming through from other threat vendors. We could assign similar alerts and incidents being created off the back of that. It was good at enabling that customizability.
The ability to prioritize threats is crucial because every business wants to treat threats differently. One organization might want to prioritize specific threats or signatures more than another customer based on how they've structured and layered their defense. It's useful from that perspective.
The native integration of the Microsoft Security solution has been essential because it helps reduce some false positives, especially with some of the impossible travel rules that may be configured in Microsoft 365. For some organizations, that might be benign because they use VPNs, etc.
What is most valuable?
Sentinel lets you ingest data from your entire ecosystem. When I started using it, there wasn't a third-party ingestion capability. We could get around that using Logstash. It was straightforward. The integration with the event hub side allowed us to bring in some stuff from other places and export some logs from Sentinel into Azure Data Explorer when we had legal requirements to retain logs longer.
I've used UEBA and the threat intel, which are about what I expect from those sorts of products, especially the threat intel. I like how the UEBA natively links to some Active Directory servers. It's excellent. Integration with the broader Microsoft infrastructure is painless if your account has the correct permissions. It was just ticking a box. It's clear from the connector screen what you need to do to integrate it.
The integration of all these solutions helped because they all feed into the same place. We can customize and monitor some of the alert data from these various products to create other derivative detections. It's like an alert for our alerts.
For example, we could look at a particular user IP or similar entity attribute and set an alert if they've met specific conditions. If there are more than a given number of alerts from different products, we treat that as a higher priority. It's beneficial for that.
What needs improvement?
Sentinel could improve its ticketing and management. A few customers I have worked with liked to take the data created in Sentinel. You can make some basic efforts around that, but the customers wanted to push it to a third-party system so they could set up a proper ticketing management system, like ServiceNow, Jira, etc.
It would be helpful for incident responders to be able to assign tickets and have permissions assigned to them. Once you have escalated tickets from Level 1 to Level 2, there may be areas where you want to control who has access to the raw Sentinel tool.
For how long have I used the solution?
I started using Sentinel in July of last year.
What do I think about the stability of the solution?
Sentinel's stability is great. We only had one outage for a couple of hours, but that was a global Azure issue.
What do I think about the scalability of the solution?
I think I've not had to worry too much about the scaling. It seems to be able to handle whatever has been thrown at it. I assume that's part of the SaaS piece that Sentinel falls under. Microsoft will worry about what's happening behind the scenes and spin up whatever resources are needed to make sure it can do what it needs to do.
How are customer service and support?
I rate Microsoft support a ten out of ten. We had a few issues with certain filters working with some connectors. There were problems with certain bits of data being truncated and potentially lost. I spoke to some people from the Israeli team. They responded quickly and tried to be as helpful as they could.
Support made a solid effort to understand the problem and resolve it. They maintained regular communications and provided reassurance that they were sorting out the problems.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I used Elasticsearch, Kibana, and Splunk. We switched to Sentinel because of the ease of use and integration. Microsoft infrastructure forms the backbone of our environment. We use Azure for hosting, Active Directory for user accounts, and Office 365 for communications and data storage.
Sentinel made a lot of sense, especially given our difficulties getting our data onboarded into the Elasticsearch stack. We saw similar challenges with Splunk. Sentinel works natively with Microsoft, but we've still had some pain points with some of the data sources and feeds. I think that's just more about how the data has been structured, and I believe some of those issues have been rectified since they've been flagged with Microsoft support.
At the same time, Sentinel is a little more costly than Splunk and the Elasticsearch stack. However, it's easier to manage Sentinel and get it up and running. That's where a cost-benefit analysis comes in. You're paying more because it's easier to integrate with your environment than some of the other providers, but I'd say it is a little on the costly side.
How was the initial setup?
I've spun up my instance of Sentinel for development purposes at home, and it was quick and easy to get through. The documentation was thorough. From the Azure portal, you click Sentinel to ensure all the prerequisites and dependencies are up and running. On the connector side, it's just a matter of onboarding the data. It's straightforward as long as you have the correct permissions in place.
Deployment requires two or three people at most. You probably don't even need that many. Two of the three were just shadowing to get experience, so they could run with their deployments.
It doesn't require much maintenance. Microsoft does a great job of building a SaaS solution. Any problems in the region where Sentinel is hosted are visible on the Azure portal. Once the initial configuration and data sources are deployed, it takes minimal upkeep.
What about the implementation team?
The deployment was done in-house.
What was our ROI?
It's hard to say whether Sentinel saved us money because you only know the cost of a breach after the fact. We'll probably spend more on Sentinel than other products, but hopefully, we'll see a return by identifying and remediating threats before they've become an actual cost for our clients.
Sentinel has made it a little easier to get the initial Level 1 analysts onboarded because they don't need to know how to use, say, Palo Alto's Panorama. They can focus their efforts on one query language that enables them to go across multiple different vendors, products, and tools. It's quicker for a Level 1 analyst to get up to speed and become useful if they don't need to learn five or six different ways to query various technologies.
What's my experience with pricing, setup cost, and licensing?
Sentinel's pricing is on the higher side, but you can get a discount if you can predict your usage. You have to pay ingestion and storage fees. There are also fees for Logic Apps and particular features. It seems heavily focused on microtransactions, but they may be slightly optional. By contrast, Splunk requires no additional fee for their equivalent of Logic. You have a little more flexibility, but Sentinel's costs add up.
What other advice do I have?
I rate Sentinel an eight out of ten. My only issue is the cost. I would recommend Sentinel, but it depends on what you want to get from your investment. I've seen Sentinel deployed in everything from nonprofits to global enterprises. With multiple vendors, you're more at risk of causing analyst fatigue.
Microsoft has done a great job of integrating everything into one place. The setup and configuration of Azure's general hosting environments reduce the risk. Most services are on the cloud, so Sentinel makes it much quicker and easier to get up and running. You don't need to worry about training and getting multiple certifications to have an effective SOC.
I recommend sticking with Sentinel and putting in as many data sources as you can afford. Put it through its paces based on a defense-in-depth model. Take advantage of all the information Microsoft and others have made available in places like GitHub, where there is a vast repository of valuable detections that can be tweaked depending on your environment.
It makes it a lot easier to get started. Many people approaching security with a blank canvas aren't sure where to go. There are a lot of valuable resources and information available.
Disclosure: My company has a business relationship with this vendor other than being a customer: MSSP
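The reviewer above describes an "alert for our alerts": counting alerts from different products against one entity and raising the priority when a threshold is met. The KQL below is an added example of that correlation over the SecurityAlert table; it is not the reviewer's own query. It assumes the Defender and Microsoft 365 connectors write alerts to SecurityAlert with account entities in the Entities JSON, and the window, product count and alert count thresholds are assumed values.

```kql
// Added example: cross-product alert correlation per account, not the reviewer's rule.
// Assumes SecurityAlert is fed by the Microsoft security connectors.
let window = 24h;
let min_products = 2;   // assumed: distinct source products before escalating
let min_alerts = 3;     // assumed: alerts against one account before escalating
SecurityAlert
| where TimeGenerated >= ago(window)
// Exclude Sentinel's own scheduled-rule alerts so this rule does not feed on itself.
| where ProviderName != "ASI Scheduled Alerts"
| extend EntityList = parse_json(Entities)
| mv-expand Entity = EntityList
| where tostring(Entity.Type) == "account"
// Normalise to a UPN where the entity carries a suffix, otherwise keep the bare name.
| extend Account = tolower(iff(isnotempty(Entity.UPNSuffix),
                               strcat(tostring(Entity.Name), "@", tostring(Entity.UPNSuffix)),
                               tostring(Entity.Name)))
| where isnotempty(Account)
| summarize AlertCount = dcount(SystemAlertId),
            Products = make_set(ProductName),
            HighestSeverity = max(case(AlertSeverity == "High", 3,
                                       AlertSeverity == "Medium", 2,
                                       AlertSeverity == "Low", 1, 0)),
            AlertNames = make_set(AlertName, 10),
            FirstAlert = min(TimeGenerated), LastAlert = max(TimeGenerated)
          by Account
| where array_length(Products) >= min_products and AlertCount >= min_alerts
| extend Priority = case(HighestSeverity == 3 or array_length(Products) >= 3, "High", "Medium")
| order by Priority asc, AlertCount desc
```

The same shape works for IP or host entities by changing the Entity.Type filter and the key built from the entity fields; the ProviderName exclusion matters because a correlation rule that counts its own output will re-trigger on every run.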
Information Security Lead at Enerjisa Üretim
Its rule sets work perfectly with our cloud resources. They need to integrate better with other security vendors.
Pros and Cons
- "It is always correlating to IOCs for normal attacks, using Azure-related resources. For example, if any illegitimate IP starts unusual activity on our Azure firewall, then it automatically generates an alarm for us."
- "They need to work with other security vendors. For example, we replaced our email gateway with Symantec, but we couldn't collect these logs with Azure Sentinel. Instead of collecting these logs with Azure Sentinel, we are collecting them on QRadar. We couldn't do it with Sentinel, which is a problem for us."
What is our primary use case?
We are using Microsoft Office 365 E5 license right now, which means we are using Windows Defender ATP because of its cloud application security platform. We also have Exchange Online Protection. The main thing is we are replacing all of our on-prem solutions with Microsoft Office 365 and Azure solutions.
Our use case is for Azure Active Directory, Advanced Threat Protection, Windows Defender ATP, Microsoft Cloud App Security, Azure Firewall, and Azure Front Door. All of the Azure Front Door logs are coming to Azure Sentinel and being correlated. However, for our correlation rules that exist on QRadar, we are still implementing these rules in Azure Sentinel because we have more than 300 different correlation rules that exist on QRadar.
How has it helped my organization?
It is always correlating to IOCs for normal attacks, using Azure-related resources. For example, if any illegitimate IP starts unusual activity on our Azure firewall, then it automatically generates an alarm for us.
We do not get so many attacks, but if any attacks occur on our Azure Firewall site, then we are able to understand where the attack came from. Sentinel lets us know who introduced it.
What is most valuable?
It is perfect for Azure-native solutions. With just one click, integrations are complete. It also works great with some software platforms, such as Cloudflare and vScaler.
The rule sets of Azure Sentinel work perfectly with our cloud resources. They have 200 to 300 rule sets, which is perfect for cloud resources.
What needs improvement?
They need to work with other security vendors. For example, we replaced our email gateway with Symantec, but we couldn't collect these logs with Azure Sentinel. Instead of collecting these logs with Azure Sentinel, we are collecting them on QRadar. We couldn't do it with Sentinel, which is a problem for us.
It is difficult right now because there are not so many consultants who exist for Azure Sentinel, like there are for QRadar. We are not able to find a Sentinel consultant right now.
For how long have I used the solution?
In Turkey, we are the biggest energy generation company for the public sector. We head more than 20 power plants right now and have more than 1,000 people working in the energy sector. Two years ago, we started to work with Microsoft to shift our infrastructure and workloads to the Azure and Office 365 platforms. So, our story starts two years ago.
What do I think about the stability of the solution?
It is stable. We have had one or two issues, but those are related to QRadar. We are creating and pushing logs all the time to QRadar, because the Microsoft security API does not send these logs to QRadar.
One resource is enough for day-to-day maintenance of our environment, which has 1,000 clients and 200 or 300 servers. However, our servers are not integrated with Azure Sentinel, because most of our servers are still on-prem.
What do I think about the scalability of the solution?
For Azure- and Office 365-related products, it is perfectly fine. It is scalable. However, if you want to integrate your on-prem sources with Azure Sentinel, then Azure will need to improve the solution.
How are customer service and support?
We are using Microsoft support for other Microsoft-related issues. They have been okay. They always respond to our issues on time. They know what to do. They solve our issues quickly, finding solutions for our problems.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Right now, we are using QRadar for on-prem devices. On the other hand, we have Azure Sentinel for log collecting in the cloud products. All of the Microsoft components give logs to Azure Sentinel, but all of the on-premises resources are being collected on IBM QRadar. So, Sentinel has been helping us because this is causing complications for us. While it is possible to collect logs from QRadar to Sentinel to QRadar, it is difficult to do. So, we are collecting incidents from our QRadar, then our associates monitor Azure Sentinel-related incidents from QRadar.
We have been starting to use Azure Kubernetes Service. However, our developers are afraid of shifting our production environment to the Azure Kubernetes so this whole process can continue. At the end of the day, our main goal is still completely replacing our on-premises sources with serverless architecture.
We also started to use Azure Firewall and Azure Front Door as our web application firewall solutions. So, we are still replacing our on-prem sources. Azure Sentinel works perfectly in this case because we are using Microsoft resources. We have replaced half of our on-premises with Azure Firewalls. The other half exists in our physical data centers in Istanbul.
How was the initial setup?
The initial setup is getting more complex since we are using two different solutions: One is located on-prem and the other one is Azure Sentinel. This means Azure Sentinel needs to inspect both SIEMs and correlate them. This increased our environment's complexity. So, our end goal is to have one SIEM solution and eliminate QRadar.
The initial setup process takes only one or two weeks. For the Azure-related and Office 365-related log sources, they were enabled for Azure Sentinel using drag and drop, which was easy. However, if you need to get some logs from Azure Sentinel to your on-prem or integrate your on-prem resources with Azure Sentinel, then it gets messy.
This is still an ongoing process. We are still trying to improve our Azure Sentinel environment right now, but the initial process was so easy.
We had two or three guys on our security team do the initial setup, which took one or two weeks.
What was our ROI?
We are not seeing cost savings right now, because using Azure Sentinel tools has increased our costs.
What's my experience with pricing, setup cost, and licensing?
Pricing and licensing are okay. On the E5 license, many components exist for this license, e.g., Azure Sentinel and Azure AD.
I am just paying for the log space with Azure Sentinel. It costs us about $2,000 a month. Most of the logs are free. We are only paying money for Azure Firewall logs because email logs or Azure AD logs are free to use for us.
Which other solutions did I evaluate?
In Turkey, Microsoft is more powerful than other vendors. There are not so many partners who exist for AWS or G Cloud. This is the reason why we have been proceeding with Microsoft.
QRadar rules are easier to create than on the Azure Sentinel. It is possible to create rules with Sentinel, but it is very difficult.
What other advice do I have?
There have been no negative effects on our end users.
I would rate Azure Sentinel as seven out of 10.
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Real Time Operation Engineer at Eftech
Great interface, good automation capabilities, and nice workflows
Pros and Cons
- "Sentinel has reduced the work involved in the event investigation by quite a lot."
- "From a client perspective, they'd like to see more cost savings."
What is our primary use case?
We require a comprehensive, scalable solution for cyber threat protection.
What is most valuable?
The interface is simple. It was easy to click through and to refer back and assess things.
We can do frequent training sessions so that people or end users are able to get used to the system.
Microsoft Defender is proven to be able to incorporate with this product. We also utilize the Power BI dashboard. We wanted to monitor the logins. It's helpful for threat investigations. We're able to use the session queue report to identify the frameworks having issues.
The workflow is quite smart. Incident alerts can be generated automatically. It has good automation capabilities and that helps us respond to incidents quickly.
Sentinel provides our customers with a unified set of tools to detect, investigate, and respond to incidents. It's actually a part of Defender. It's unified within the operating platform. This allows for the mobility of the end user.
Our customers use Sentinel to help secure hybrid cloud and multi-cloud environments. We do have a limited amount of space. Out of ten or so clients, five or six have adopted a cloud protection system.
We can use it with Microsoft Athena and we can manage compliance and see logs for analytics. Sentinel can correlate signals from first- and third-party sources into a single high-confidence incident. Since the process is automated, it makes our response times faster. This saves the team's time.
We do make use of the solution's AI capabilities. The machine learning is very mature. Its machine learning has been very good overall. It's also something that enhances response times and threat analysis.
It's provided us with improved visibility into user and network behavior.
Sentinel has reduced the work involved in the event investigation by quite a lot.
What needs improvement?
From a client perspective, they'd like to see more cost savings. I'm not sure if Sentinel gives a POC for free.
For how long have I used the solution?
I've been using the solution for two years.
What do I think about the stability of the solution?
The solution is very stable. We haven't received any complaints and haven't had outages.
What do I think about the scalability of the solution?
The solution is easily scalable. Of course, we do have to do due diligence with our Oracle system architecture.
How are customer service and support?
We have an SLA that says there will be a receiving engineer that will respond if the system is down. Technical support is great. They might have different tiers of service.
How would you rate customer service and support?
Positive
How was the initial setup?
I did not personally deploy the product. I just work with it.
There is some maintenance. We do have a resident engineer that's certified on troubleshooting.
What about the implementation team?
We have a technical partner that helps with deployment.
What's my experience with pricing, setup cost, and licensing?
The solution is less expensive than an APM option. If the client wants to have a complete solution that covers the whole big organization, a good option will be going with Microsoft Sentinel. For the features it has, the price is justified.
What other advice do I have?
We are an SSI system integrator.
I'd rate the solution nine out of ten.
For those interested in adopting the solution, I'd suggest looking at the costing and billing and ensuring you have the budget and maybe doing a POC for 45 days or two months so that they can really experience the product.
Which deployment model are you using for this solution?
Hybrid Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: integrator
Last updated: Jul 14, 2024
Subject Matter Expert - Threat Management at a tech services company with 10,001+ employees
Helps prioritize threats and decreases time to detect and time to respond.
Pros and Cons
- "Sentinel pricing is good"
- "The reporting could be more structured."
What is our primary use case?
Sentinel is used to cover cloud-native customers for security monitoring. It includes UEBA, threat intelligence, behavioral analytics, etcetera. We also use it to automate incidents into tickets.
How has it helped my organization?
The solution improved our organization in a few ways. The key one is the cloud layer of integrations. When we were on-premises with SAP monitoring, we faced a few issues in the integration of cloud infrastructure logs. Once we moved into the Sentinel Cloud, the integration was pretty easy. Monitoring the cloud infrastructure and their respective applications and their cloud-native products became pretty easy in terms of integration with monitored areas.
Also, the cost of infrastructure is no longer an issue.
The detection layer has also been improved with analytics. Plus, it keeps on getting better in Sentinel. Since 2020, I've seen Sentinel has made a lot more changes in feature improvements and performance. They’re fine-tuning detection and analysis layers.
What is most valuable?
The analytics rules are excellent. It's pretty easy to create them. It’s all about SQL queries that we need to deploy at the back end.
The search of the logs is easy. Before, there were no archival logs. Now, in recent versions, it’s easy to bring back the logs from the archives. We can research and query the archive of logs very easily.
The visibility is great. It gives good alerts. The way an analyst can go and drill down into more details is simple. The ability to threat hunt has been useful.
Sentinel helps us prioritize threats across the enterprise. With it, we have a single pane for monitoring security logs. As an MSP, they just ingest all the logs into the system, and this actually leads to a hierarchy for our integrations. It’s easy to review the logs for auditing purposes.
We use more than one Microsoft security product. Other team members use Intune, Microsoft CASB, and Microsoft Defender as well. It’s easy to integrate everything. You just need to enable the connector in the back end. It takes one minute. These solutions work natively together to deliver coordinated detection responses across our environment. We just integrated the Microsoft Defender logs into Sentinel. It already has the prebuilt use cases in Sentinel, including threat-hunting playbooks, and automation playbooks. It's pretty easy and ready to use out of the box.
Sentinel enables us to ingest data from our entire ecosystem. That's really the high point for us. The coverage needs to be expanded. The threat landscape is getting wider and wider and so we need to monitor each and every ecosystem in our customer organization's endpoints, including the endpoints or applications for systems or on the servers or network level. It needs to be integrated on all levels, whether it’s on-premises or cloud. It is really important to have a single point of security monitoring, to have everything coordinated.
Sentinel enables us to investigate threats and respond holistically from one place. For that analyst team, the Sentinel page is like a single point of investigation layer for them. Whenever an incident is created, they can just come in and get deeper into a particular investigation incident. They are able to get more information, figure out the indicators, and make recommendations to customers or internal teams to help them take action.
Given its built-in UEBA and threat intelligence capabilities, the comprehensiveness of Sentinel's security protection is really nice. The UEBA can be integrated with only the AD logs. And, since they need to get integrated with the networks and the VPN layers as well, it’s useful to have comprehensive security. It can be integrated into other Microsoft security products as well.
Sentinel pricing is good. The customer doesn't want to worry about the enterprise infrastructure cost in the system. They worry about the enterprise cost and the management, and operation, CAPEX, et cetera. However, in general, the customer simply needs to worry only about the usage, for example, how much data is getting sent into the system. We can still refine the data ingestion layer as well and decide what needs to be monitored and whatnot. That way, we can pay only for what we are monitoring.
Our Microsoft security solution helps automate routine tasks and helps automate the finding of high-value alerts. By leveraging Sentinel's automation playbook, we have automated the integrations and triage as well. This has simplified the initial investigation triage, to the point where we do not need to do any initial investigations. It will directly go on into layer two or it directly goes to the customer status.
Our Microsoft security solution helped eliminate having to look at multiple dashboards and gave us one XDR dashboard. The dashboard is pretty cool. We now have a single pane of glass. A lot of customization needs to be done, however, there are predefined dashboards and a content hub. We still leverage those dashboards to get the single view into multiple days, including the log volumes or types of security monitoring or in the operation monitoring system.
Sentinel saves us time. Even just the deployment, it only takes ten minutes for the cloud. When you have on-premises tasks that are manual, it can take hours or a day to deploy the entire setup. Integrating the log sources used also takes time. By enabling out-of-the-box tools, we can save a lot of time here and there. Also, once you leverage automation, by simply leveraging logic apps in a local kind of environment, you don't need to know much coding. You just need knowledge of logic at the back end.
The solution has saved us money. While I’m not sure of the exact commercial price, it’s likely saved about 20% to 30%.
The solution decreased our time to detect and our time to respond. For time to detect, by leveraging analytic rules, we've been able to cut down on time. Everything is happening within minutes. We can begin remediation quickly instead of in hours.
What needs improvement?
The UEBA part needs improvement. They need to bring other log sources to UEBA.
The reporting could be more structured. There are no reporting modules or anything. It's only the dashboard. Therefore, when a customer requests a report, you need to manually pull the dashboard and send it to the customer for the reporting. However, if there was a report or template there, it would be easier to schedule and send the weekly reports or monthly executive reports.
The log ingestion could be improved on the connector layer.
For how long have I used the solution?
I've been using the solution since November of 2020.
What do I think about the stability of the solution?
The solution is stable. We had some issues with an automation component. There might have been outages on the back end, however, it's mostly fine.
What do I think about the scalability of the solution?
We have about 25 people using the solution in our organization, including analysts.
You only need to pay for what you are ingesting and monitoring. It scales well. There are no issues with it.
How are customer service and support?
Support is okay. We don't have many issues on the platform layers. We might reach out to support for integration questions. Largely, the engineering team would handle support cases.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We do use other solutions. We added this solution as we needed to support cloud-native customers.
We also use LogRhythm among other solutions.
Each solution has its own pros and cons. There isn't a direct contrast to each. Some have better reporting. However, Sentinel has very good analytical rules and automation. LogRhythm, however, requires more backend work.
How was the initial setup?
The deployment of the Microsoft bundle is pretty easy. It's fast and saves time. In ten minutes, we can deploy Sentinel to the customer and start monitoring data with the existing rules. You'll have dashboards in thirty minutes. One person can do the deployment. To manage the solution, one can manage the injections, and one can manage the detection layers.
The solution does not require any maintenance. You just have to make sure it's up to date.
We're using it in the automotive and energy industries.
What's my experience with pricing, setup cost, and licensing?
When we calculated the pricing, we thought it was 10% to 20% less, however, it depends on how much data is being collected. It's not overly expensive. It's fairly priced.
What other advice do I have?
Security vendors are chosen based on use cases. Those gaps are met by the respective solution. The benefit of a single vendor is that everything is on a single-layer stack. It helps you see everything in one single pane.
I'd rate the solution eight out of ten.
We are a Microsoft partner, an MSP.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: MSP
Technical Specialist at a tech services company with 10,001+ employees
Has built-in SOAR, user and entity behavior analytics, and threat intelligence capabilities
Pros and Cons
- "The automation feature is valuable."
- "The playbook is a bit difficult and could be improved."
What is our primary use case?
We use Microsoft Sentinel for centralized log aggregation and security management. Our environment uses a variety of security products to strengthen its security. This has made it difficult for the SOC team to analyze logs from different consoles and products. To ease the team's workload and help them prioritize events and attacks, we decided to acquire a centralized console. We chose Sentinel because it provides a centralized console where we can ingest and analyze logs. The logs that Sentinel analyzes add value.
How has it helped my organization?
Sentinel's threat visibility is good. It has analytics and threat detection capabilities that we can add to our own playbooks. We can use the predefined log analytics to create our own custom rules. Using these custom rules with predefined logs further improves our environment's security posture.
Sentinel helps us prioritize threats across our enterprise. When we have a lot of alerts and incidents, it is better to understand if they are false positives, because the SOC team sometimes wastes time on false positives, which are not very relevant. We must prioritize positive alerts, which should be given the highest priority. In order to solve this problem.
The manufacturing environment I work in is not very critical, so a simple attack is unlikely to have a major impact on the business. However, data is important in any business, and a data breach can damage our reputation. Therefore, it is important to have a good security posture to avoid threats. Threats and attacks can happen even with the highest level of security. Therefore, we look for products that can give us visibility into our environment and help us to proactively solve problems. Microsoft proactively identifies threats and informs its peers and partners. This allows us to take action to assess the impact of these threats on our environment. By taking proactive measures, we can prevent threats from harming our environment.
We also use Microsoft Defender for Cloud and Microsoft Defender for Identity. We have integrated these solutions with Microsoft Sentinel, and their logs are ingested by Sentinel. We do not incur any costs for ingesting Office 365 logs because Microsoft provides a free login exchange for Microsoft Office 365 and, I believe, for Defender as well into our Sentinel for analysis.
Our Microsoft products work seamlessly together to provide coordinated detection and response in our environment. We use a lot of Microsoft products, and it is best to use them in the same environment. This makes integration and collaboration easier. We also have licensing agreements that give us discounts when we use multiple products together. For example, we use Microsoft 365, OneDrive, and security products. We are also migrating our workloads to Azure. We have already migrated many workloads to Azure, and we are in the process of migrating the remaining workloads. We are heavily dependent on Microsoft, so we believe it is best to use one cloud provider. This makes it easier to manage different services. Additionally, Microsoft provides us with a lot of help and benefits, which can save us money. Cost is one of the factors that businesses consider, and IT is a major investment for businesses. Even though our business is not in the IT industry, IT plays a vital role in driving the business forward. Therefore, our organization needs to ensure that their IT investments are having a positive impact.
The comprehensiveness of the threat protection provided by our Microsoft security products is good. They have a large number of predefined indicators of compromise and a comprehensive team that monitors threats around the world. We receive notifications and newsletters from Microsoft whenever a new threat emerges. When an organization does not have experts on its team, it is very difficult to identify zero-day vulnerabilities or attacks. This makes it difficult for them to identify and mitigate these threats. Microsoft, on the other hand, proactively identifies threats and informs its teams and partners so that they can mitigate or prevent them in their environments.
Sentinel allows us to ingest data from our entire IT ecosystem, including network devices, servers, endpoints, and firewalls. This is important because if we are not monitoring all of our devices, we cannot know what threats they are facing or what attacks they have already been subjected to. Sentinel scans every device in the environment because it is difficult to see how many devices are compromised by a threat when we have an inventory of thousands of devices. This is why we need a centralized console where we can ingest all of our important logs and correlate them to identify threats. We need to know when our environment has been attacked by zero-day vulnerabilities. If we see that two devices have been affected, we still do not know how many additional devices the attack has compromised. This can only be known if we have all of our logs in our console. Sentinel provides us with a valuable capability: we can simply identify the source, user, or affected machines, and Sentinel will tell us how many machines have already been compromised and how far the threat has spread. This information allows us to isolate or quarantine the affected machines so that they cannot access more of our environment or steal more data.
We can react and respond holistically from one place with Sentinel.
The best part of Sentinel is its built-in SOAR, user and entity behavior analytics, and threat intelligence capabilities, which collaborate with the SIEM. Other products typically sell these capabilities as separate products. When we automate tasks, we reduce the team's manual effort. Whenever we detect an attack or need to provide analytics, we generate a lot of events and alerts. If we don't correlate these events and automatically resolve them, repetitive tasks will have to be performed by team members. This is not an efficient use of resources. Repetitive tasks can be automated by writing scripts and putting them into the system. Sentinel correlates events and creates incidents for us. These incidents can be resolved by scripts, such as by informing users that their IDs have been compromised and they need to reset their passwords or their IDs will be blocked. This saves SOC time so that they can focus on more important tasks, such as detecting and responding to threats that are already impacting the environment. Sentinel's features help organizations reduce manual and repetitive effort.
Sentinel has helped our organization by providing seamless collection and correlation of all logs. It is important to correlate logs into alerts and then to incidents, as this prevents the team that receives the alerts from becoming overloaded. Sentinel's analytics capabilities are also beneficial, as they allow me to easily perform searches and analyses of incidents. I do not have to spend much effort to determine the source of an incident, its impact, or how far it has spread through our environment. Additionally, Sentinel's automation features, such as its playbooks, templates, and integrations, help us to reduce manual effort.
Automating routine tasks that help find high-value alerts reduces the cost and workload of our SOC team. We have created several automation use cases by discussing them with multiple stakeholders and analyzing how frequently we receive the same type of incident alerts. When we receive the same type of incident alerts, we can correlate them and create scripts or automate solutions to resolve them. This helps to reduce the team's workload and headaches. We have already incorporated this automation into our SOC processes. If an incident is created, it is automatically resolved without any user or machine interaction. If we receive an alert that the resolution failed, some team members investigate the cause, such as a missing or disabled user ID or a technical system issue.
Automation has reduced our manual tasks, saving us around 30 percent of our time so that we can focus on more important tasks.
Previously, when I joined the organization, they were using Splunk on-premises and other security tools, such as Trend Micro and Darktrace devices, to collect logs. The security operations center team had to log into each console to see the logs, investigate them, and determine how to mitigate the alerts. This process was slow and inefficient, especially in the event of a critical attack. Sentinel provides a centralized console for log collection and analysis which helps the SOC team respond to alerts more quickly and reduce the impact of threats.
Microsoft Sentinel helped us eliminate the need for multiple dashboards by providing a single XDR dashboard. They have data connectors that can integrate with different security tools because they partner with other security companies to provide us with the functionality we need to integrate into our environment. Microsoft is at its best when we can integrate with our peers and security companies that are bringing new features to improve our security posture. We can then integrate these features with Sentinel, benefit from them, and ingest our logs into Sentinel as well. We no longer need to log in to multiple security tools; we can simply go to Sentinel, view the incidents and alerts that are being generated, and take action.
What is most valuable?
The automation feature is valuable. There are many events that happen, and we require manual effort from our SOC team to mitigate each one. When we started automating tasks, it helped us to reduce the time it takes to react to attacks. Attacks may not be able to penetrate our environment as easily because of this. Therefore, I believe that Sentinel's automation is the best.
What needs improvement?
The integration is not that difficult. The configuration is simple, but the data connector documentation is lacking in useful information. If Microsoft improves the documentation, we will be able to see how to complete the integration from start to finish. In the past, we have encountered problems during the integration process because the documentation was incomplete. For example, we recently deployed Microsoft Defender for Identity with the help of our Active Directory team. Initially, they told us that only a few ports were required, but later they said that more ports were needed. Our environment did not allow these additional ports, and we were not aware of this requirement. This delayed the project and caused frustration for our team members. The customer also expected the project to be completed sooner, but unexpected firewall rules and undocumented configuration requirements prevented us from doing so. We had to open a case with Microsoft for assistance, and we were eventually able to resolve the issue.
The playbook is a bit difficult and could be improved. For those who do not have a deep understanding of playbooks or programming languages, it would be better to have extensive documentation and information available online. When I started working with Sentinel, there were times when we had to refer to the documentation to get information about the configuration or implementation steps. If we encountered errors in the implementation, we had to rely on the internet to figure out how to fix them. The information available online is not that comprehensive and does not cover specific maintenance tasks. If the documentation were improved a bit, and the playbook and automation were made easier to use, it would be a great benefit for technical users.
The AI and Machine Learning can be improved.
For how long have I used the solution?
I have been using Microsoft Sentinel for over one year.
What do I think about the stability of the solution?
I have not seen any downtime with Sentinel. Sentinel is stable.
What do I think about the scalability of the solution?
Sentinel is highly scalable. We can easily integrate more devices without any effort. Microsoft has a large data center, and they are always ready to add our devices.
How are customer service and support?
Microsoft technical support has declined in quality over the years. I have only been using Sentinel for a year, but I have experience with Microsoft technical support through Azure and other Microsoft products. In the past, we were able to resolve tickets quickly with minimal back-and-forth. However, recently, the quality of support has degraded. We had a few critical cases that directly impacted production, but Microsoft did not assign their senior engineers to these cases. This wasted a lot of our time, as we had to explain the problems to multiple support representatives.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We previously used Splunk SOAR in conjunction with Trend Micro and Darktrace to ingest logs, but we switched to Sentinel because it is more seamless.
How was the initial setup?
The initial setup was successful. The configuration is not difficult. There were some challenging areas. However, we had access to free tools and a Microsoft contact who was always available to help us if we encountered any knowledge gaps. When setting up Sentinel for the first time in our environment, we always have an expert with us to assist with the setup, as not everyone has extensive knowledge of implementing the product. The expert is there to help us with the implementation if we get stuck on a step.
We decided which devices and types of alerts or information we wanted to ingest. At that time, we were not using automation. Our environment was in poor condition, and we were not utilizing the automated features of Sentinel. We only required the basic features of Sentinel, which were to ingest logs from the devices we were interested in, correlate them, analyze them, and integrate them with our service tools and alerting. For alerting, we used ServiceNow as our ticketing system. We would receive a ticket from ServiceNow for the SOC team, and then the SOC team would investigate and mitigate the issue. However, as time went on, the number of events increased, and the time it took to investigate them also increased. If we did not automate our environment, we would have to keep increasing the size of our SOC team or the number of SOC members to handle the workload. We could not meet the priority requirements. That is when we proposed using some of the automation features to help with low-priority alerts.
The deployment required three to four people. I joined the team for the implementation phase. So, by the time I joined, a lot of decisions had already been made, and a low-level plan had been decided upon. This was a low-level design and plan that we had to follow.
What about the implementation team?
We had help from our Microsoft representative for the implementation. This contact was provided to us by Microsoft from the initial trial period all the way through the implementation.
What's my experience with pricing, setup cost, and licensing?
Currently, given our use case, the cost of Sentinel is justified, but it is expensive. It is not so cheap that any organization can afford it. However, if an organization has a requirement for good security posture and can invest in security tools, they should have at least a decent budget to afford Sentinel. Sentinel does offer good features, such as SIEM, SOAR, and automation. However, we need to monitor our budget because ingestion can increase at any time and exceed our budget. We can set alerts to notify us if our budget is increasing significantly on a monthly or yearly basis. We can then control our budget by adjusting what we ingest. We can ingest any amount of data because there is a lot of data flowing in. However, some data is not necessary to ingest because it is not valuable to our analytics. Therefore, being careful about what data we ingest through Sentinel will help us stay within our budget.
Which other solutions did I evaluate?
We evaluated IBM QRadar and Splunk. Splunk has been in the market for a long time and is trusted by many organizations. While it was once a leader in its field, it does not seem to be keeping up with new features and automation. However, I am not aware of their current state of development.
We saw good features in both Splunk and QRadar, but QRadar had more features that were relevant to us. However, we are moving more towards the cloud. Previously, we had on-premises infrastructure, but we migrated to Azure when a new management team came in.
When we evaluated Microsoft Sentinel, we found that it had good functionality and met our requirements. We also liked that it is a cloud-based solution, so we do not have to worry about underlying hardware, features, operating systems, or management. We simply need to configure the application, which is relatively straightforward. We also do not need to make any upfront capital expenditures.
However, we need to consider the cost of ingesting logs into our environment. Microsoft charges for the amount of data ingested per day, so we need to keep our costs within budget.
QRadar is more complex and difficult to configure than Sentinel. Sentinel is easy to expand. If we add new devices to our environment, we can simply connect them directly to Sentinel. We do not need to worry about additional hardware or configuration.
Overall, Sentinel is a good choice for us because it is cloud-based, easy to configure, and scalable.
What other advice do I have?
I would rate Microsoft Sentinel an eight out of ten.
Whether to use separate SIEM and SOAR solutions or Microsoft Sentinel depends on each organization's specific needs. All SIEM and SOAR tools are expensive because they provide essential security features. Organizations with the resources to pay for these features may choose to purchase Sentinel or another SIEM or SOAR solution. However, small and medium-sized businesses may not be able to afford these tools. Instead, they may choose to use a third-party service provider that already has a license for a SIEM solution such as QRadar or Sentinel.
Sentinel ingests data from over 1,500 endpoints, including technical devices, Windows devices, and Linux devices in our environment.
There is no maintenance required on our end. Microsoft is doing everything for us. We only have to have our configurations in place.
Before using Sentinel, organizations should clearly understand their use cases and requirements. They can take a trial of Sentinel and collaborate with Microsoft to create use cases that demonstrate the value of the investment. Because there are thousands of SIEM and SOAR tools on the market, organizations should evaluate multiple solutions to see what benefits they offer. They can then create use cases for each solution in their environment and take trials to implement them. Organizations should compare the solutions based on visibility, budget, and additional features. Anyone who is considering using a SIEM or SOAR solution should evaluate multiple solutions. Budgeting is very important.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
SOC Analyst at Aujas Networks Pvt Ltd
We can easily automate rules that enable us to create playbooks; it provides good visibility into our environment and seamless integration capability
Pros and Cons
- "The Identity Behavior tab furnishes us with the entire history linked to each IP or domain that has either accessed or attempted to access our system."
- "We are invoiced according to the amount of data generated within each log."
What is our primary use case?
We utilize Microsoft Sentinel primarily to monitor our data storage software. Through the implementation of distinct connectors, we can accommodate multiple use cases for Sentinel. This solution also enables us to thwart failover attempts and prevent brute-force attacks. Moreover, we leverage the EDR tools to establish groups. For instance, if an unauthorized individual attempts to access a critical server from outside the designated group, we can promptly identify them by analyzing the event ID.
How has it helped my organization?
Using the Microsoft Sentinel Investigation tab, we can observe all activities related to access and unauthorized attempts taking place in our environment.
Sentinel assists us in prioritizing threats across our entire enterprise. When we receive high-priority alerts, we engage with the client to investigate whether they are conducting any testing first. If not, we identify the unknown activity and collaborate with them to resolve the issue as quickly as possible.
We also utilize Office 365. We have seamlessly integrated Office 365 with Sentinel, which is made easy through the provided connectors, especially when our API keys are associated with a cloud machine. All that is needed are the workspace ID, subscription ID, and API key.
The effectiveness of the protection offered by the integrated solutions is substantial. We are capable of preventing spam, tracking the complete trajectory of data transmitted by the end user, including its source, especially when originating from unauthorized URLs. Additionally, we can identify instances of unauthorized mail redirection. Furthermore, we can utilize SPF authentication to safeguard our domain against spoofing.
Microsoft Sentinel allows us to gather data from our entire ecosystem. We also have the capability to exclude non-suspicious or non-malicious data, such as daily reminders, from the daily logs in order to prevent system slowdown.
Sentinel allows us to investigate threats and respond promptly from a central location. We can gather all the necessary information for an investigation with a single click, which will provide us with a comprehensive overview of the actions taken by the suspicious user by reviewing the Event ID.
The built-in SOAR, UEBA, and threat intelligence capabilities of Sentinel are commendable. The UEBA can furnish a summary of all entities and discern unfamiliar ones that are not commonly associated with our system, subsequently tagging them for our review.
It aids in the automation of routine tasks and the identification of high-value alerts. For instance, if we need to compile a list of our administrative or high-profile users, we can establish rules based on high and medium security criteria, or any other specifications we might have. The entries will then correspond to the information aligned with our requirements. Furthermore, we have generated a watchlist of blacklisted users, which assists us in conveniently tracking activities originating from them.
It provides the ability to create personalized dashboards that offer all the necessary information in a single location. It is important to mention that this feature comes with an extra cost, as is the case with all aspects of Sentinel.
Sentinel's threat intelligence helps prepare us for potential threats before they hit. By utilizing the event summary, we can proactively prepare for unauthorized entries and directly block IPs at the firewall level.
As a Microsoft partner, we are paid by Microsoft for any POCs we create.
Sentinel has contributed to a reduction in our time for detecting and responding to incidents. As Sentinel operates in the cloud, it offers user-friendly accessibility, enabling us to swiftly access crucial information for responding to potential threats.
What is most valuable?
The automation rules that enable us to create playbooks for each individual are valuable.
The Identity Behavior tab furnishes us with the entire history linked to each IP or domain that has either accessed or attempted to access our system. By utilizing the data supplied by Sentinel, we can ascertain whether there are any attempts to breach our system. Numerous pre-defined queries are at our disposal, and we also have the option to craft custom queries as needed.
What needs improvement?
We are invoiced according to the amount of data generated within each log. For example, if I neglect to specify the time period in a search, Sentinel will retrieve all the logs, leading to charges for both pertinent and irrelevant data. This could potentially cause a substantial increase in costs. We incur lower charges for data under 100 GB, but anything surpassing that threshold becomes more expensive.
When setting up EDR for multiple endpoints, we need to create distinct rules for each one to monitor the devices effectively.
For how long have I used the solution?
I am currently using Microsoft Sentinel.
What do I think about the stability of the solution?
Microsoft Sentinel is stable. It is extremely rare that the solution is down.
What do I think about the scalability of the solution?
Microsoft Sentinel is highly scalable. We can create any random custom playbooks. We can create any custom rules over there as per our requirements. We can enable and disable policies also as per our requirements. We can combine both policies accordingly.
How are customer service and support?
The technical support is good.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
Compared to IBM Security QRadar and Securonix, Microsoft Sentinel is more user-friendly. QRadar is quicker to respond but it has stability issues.
What's my experience with pricing, setup cost, and licensing?
We are charged based on the amount of data used, which can become expensive.
What other advice do I have?
I rate Microsoft Sentinel nine out of ten.
Maintenance is overseen by Microsoft. They announce periods of system downtime for maintenance. If we have anything critical that we require while the system is down, we can request it from Microsoft, and they promptly provide it to us.
Microsoft Sentinel offers us query update suggestions every three months. If we find a suggestion we like, we can simply click on it to automatically update our policy.
I believe it is better to choose a single-vendor security suite over a best-of-breed strategy.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Owner at Expert IT Solutions
Automation enables me to provide security operations to my clients
Pros and Cons
- "The standout feature of Sentinel is that, because it's cloud-based and because it's from Microsoft, it integrates really well with all the other Microsoft products. It's really simple to set up and get going."
- "Given that I am in the small business space, I wish they would make it easier to operate Sentinel without being a Sentinel expert. Examples of things that could be easier are creating alerts and automations from scratch and designing workbooks."
What is our primary use case?
I'm an IT consultant, and I use Sentinel with two of my clients to monitor all their security signals and get alerts when things are happening that might be suspicious.
How has it helped my organization?
The fact that the solution helps automate routine tasks and the finding of high-value alerts has made it possible for me to provide security operations. If I didn't have automation, I wouldn't be able to do that. Nobody is going to pay me to sit and stare at a screen for eight hours a day. But with the automation built in to let me know about and fix things, it becomes viable. The automations have an email option, and all the alerts show up as emails in my inbox. I'm busy with other things, and I'm not looking at Sentinel all day. And the automation in those emails is available to deal with things automatically. Automation is incredibly important.
Sentinel gives me one XDR dashboard. In terms of security operations, it's improved them and makes it easy for me to do my job.
It saves my clients time, on the order of 30 percent.
It also saves costs for me and my clients. If we didn't have Sentinel in place, and they were to get compromised, it could cost them tens of thousands of dollars due to ransomware, a BEC scam, or another type of attack. Without Sentinel in place, that could be a very big cost.
And it decreases the time it takes to detect and respond by days, if not weeks.
What is most valuable?
My clients are small businesses, and mine is also a small business. Traditionally, even the concept of using a SIEM in most small businesses was unheard of. It was an on-premises product, and you needed to install servers, and most normal IT consultants wouldn't even look at it because it would be very complex for them. The standout feature of Sentinel is that, because it's cloud-based and because it's from Microsoft, it integrates really well with all the other Microsoft products. It's really simple to set up and get going. You don't have to set up a server or do a lot of configuring and setting up storage. It just lives in the cloud, you turn it on, and connecting most things to it is really easy.
It's fantastic when it comes to integration with other Microsoft products. It's so easy. I've been in IT for 30 years, and integrating products was, up until a few years ago, something we would never want to do. It was so hard, we wouldn't want to touch it. We would have to write custom code and configure things. It was just horrible. Now, it's literally a couple of sliders in the interface, and you're done.
And once these solutions are integrated, they work natively together to deliver coordinated detection and response across my clients' environments. I follow this space very closely, but I am not an expert in any other solution. Still, at least for my clients, with the threats they are facing and the alerts we get from the real world, Sentinel's detection and response are very comprehensive.
Sentinel enables you to ingest data from the entire ecosystem. I have integrated some non-Microsoft products with Sentinel, and, predictably, it's not as simple as one click because these are third-party products. But it is definitely quite easy. For cloud products and services, it's still very simple. It might be three or four clicks. But for on-premises products, it's a bit more work.
My clients also use Defender for Cloud, and its bi-directional sync capabilities are very important. It makes things much easier.
Sentinel provides a clear view into the threats that are coming in, and, compared to what I had before, it is night and day. I heard somebody say on a podcast, "The solution we had prior to Sentinel was like a dark room and you had a torch, and you could shine the torch in different directions and see some things. Having Sentinel, combined with Microsoft 365 Defender, the XDR solution, is like turning on the lights and seeing everything." I completely agree. That's exactly what it feels like.
Another incredibly important factor is the solution's ability to investigate threats and respond holistically from one place. Again, as a small business, I wouldn't have the time and energy to look in several different places. I need one place where it all shows up, and that's what Sentinel provides.
And with built-in SOAR, UEBA, and threat intelligence, the comprehensiveness of Sentinel's security protection is good.
What needs improvement?
Given that I am in the small business space, I wish they would make it easier to operate Sentinel without being a Sentinel expert. Examples of things that could be easier are creating alerts and automations from scratch and designing workbooks. All of those are available as templates and community-produced content, but doing all that from scratch and keeping it up-to-date, is not easy. Because I have lots of other things on my plate, it would really improve things for me if they would make it more accessible for small businesses and non-experts.
For how long have I used the solution?
I have been using Microsoft Sentinel since it was in public preview, so that's at least three and a half years.
What do I think about the stability of the solution?
It's a very stable solution—rock-solid.
What do I think about the scalability of the solution?
It's also very scalable.
How are customer service and support?
I have only ever contacted them about Sentinel once, but I have certainly dealt with Microsoft support in various ways. Their response time is pretty good. But they have a difficult time providing good support, at the level that would cause me to give them a higher score than six out of 10, because things change so fast. And it's so much wider than it used to be 10 years ago. There's so much to cover, and that's difficult for them.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
We used ESET for one client, but it wasn't a SIEM, it was just endpoint protection. We replaced that with Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, and Sentinel. It's not an apples-to-apples comparison.
How was the initial setup?
The initial deployment is very straightforward. It took me four or five hours to set it up.
The product itself, obviously, does not require maintenance, but the alerts and rules require work.
What's my experience with pricing, setup cost, and licensing?
Sentinel is fairly priced and pretty cost-effective. Compared to on-premises solutions, Sentinel is very cost-effective.
It's certainly possible, if you're not careful about what you connect, to shoot yourself in the foot by ending up with large data sources being ingested that cost you a fair bit of money. You do need to think about what data sources you actually need, which ones will lead to the detection of actual attackers, and how much of that data you need. You also have to consider how you're going to store it, because Sentinel has different levels. You don't have to store it all in the expensive "this will give me alerts" tiers. But, as I said, my clients are small businesses. They certainly don't have a budget for anything expensive, and they're very happy with the costs.
What other advice do I have?
Do a proof of concept. It's really easy to set up and get started. You don't have to turn everything on to start. Do a small proof of concept, get familiar with it, and you'll see how easy it is.
Does it help prioritize threats across the enterprise? The short answer is, "Yes, it does." The slightly longer answer is that it is not a set-and-forget solution. And no SIEM is. You do need to configure Sentinel and fine-tune it. I have a calendar reminder every two weeks to go back in and make sure the right analytics rules are in place and change the ones that need changing, et cetera. It does prioritize threats, but it's not an automatic process that you never have to worry about again.
Sentinel's threat intelligence doesn't really help with proactive steps. The threat intelligence has indicators of compromise, such as IP addresses, URLs, and file hashes. They get detected, but that's not really proactive. Perhaps it's "proactive" in the sense that somebody else has figured out that those things are bad and let the system know. But Microsoft 365 Defender does the proactive part because it has threat intelligence in it. It will tell you, "A new threat that we have a report on seems to be targeting your type of client." That's proactive, but Sentinel isn't proactive. Meaning, if you read about a threat and then protect yourself before that threat reaches you, Sentinel doesn't really do that.
In the debate about best-of-breed versus a single-vendor security solution, if you pick best-of-breed individual security solutions and you have to integrate them, now you're an integrator. And that is hard. It's not easy to integrate different security products. And that's why, at least for my clients, Sentinel and Microsoft 365 Defender have been a huge shift. They're so easy to integrate. My clients could license separate products and then try to integrate them to get the same level of integration, but that would never work.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
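All three reviewers above return to the same operational point: Sentinel is billed on data ingested, so the way to stay within budget is to know which tables are growing and to scope every search explicitly (the first review's "set alerts to notify us if our budget is increasing", the second review's remark about searches without a time period, and the third review's warning about connecting large data sources). The two KQL queries below are an added example and are not taken from any of the reviews or from Microsoft's own documentation; they assume only the standard Log Analytics Usage table that every Sentinel workspace has, and the 5 GB/day budget figure is a constructed placeholder to be replaced with your own.

```kusto
// Added example, not from the reviews above. Assumes the standard
// Log Analytics "Usage" table (Quantity is reported in MB).
// Run each query on its own in the Logs blade.

// Query 1: billable ingestion per table per day for the last 30 days.
// The explicit time bound keeps the scan to the window we care about
// instead of the whole workspace; sorting puts the biggest tables first
// so noisy data sources (the "not valuable to our analytics" kind) stand out.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType, bin(TimeGenerated, 1d)
| order by TimeGenerated desc, IngestedGB desc

// Query 2: yesterday's total against a daily budget. Returns a row only
// when the budget is exceeded, which is the shape a scheduled analytics
// rule or Log Analytics alert needs ("fire when results > 0").
// DailyBudgetGB is a constructed placeholder value.
let DailyBudgetGB = 5.0;
Usage
| where TimeGenerated > ago(1d)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2)
| extend BudgetGB = DailyBudgetGB
| where IngestedGB > DailyBudgetGB
```

Query 1 is the one to run when the bill climbs: it shows which connector or table is responsible, so the decision to filter or drop a data source is made on numbers rather than guesswork. Query 2 is the budget check the first reviewer describes, expressed as a query that can be attached to a scheduled alert; every search here carries a `TimeGenerated` filter, which is the habit the second reviewer's unbounded-search problem argues for.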
Updated: October 2024