Microsoft Sentinel Reviews

I'm currently using this solution for monitoring our SOC. I also implement Sentinel for clients.

We use Defender for Cloud, Defender for Endpoint, Defender for Office 365, and Defender for Identity. They were easy to integrate. It's necessary to understand the background of the data source to integrate the devices into Sentinel. If it is cloud-based, we can utilize the GeoLogic app or Azure function to integrate the log sources or use the slot method.

These solutions work natively together to deliver coordinated detection and response across our enterprise. We have different EDR solutions in our environment, and we have integrated them with Sentinel. We directly monitor all of the other security devices from Sentinel.

I haven't seen many issues with integrating different products. We can set a robust error detection mechanism. If there are some issues while integrating the logs, we can do automated alerting and easily troubleshoot any issues.

There are no issues with integrating multiple-location firewalls. We have Sentinel deployed in the US and other geolocations.

There are between 15 to 20 people using this solution in my team.

The solution is deployed on the cloud.

We mainly use this solution for monitoring purposes. We previously used on-premises data sources, but we wanted to integrate lots of log sources that weren't directly supported by other solutions. Sentinel provides the capability to integrate unsupported log sources. We have integrated lots of unsupported security devices with Sentinel as well.

Sentinel helps automate routine tasks and helps automate the finding of high-value alerts. Microsoft provides some very useful out-of-box automation playbooks that we can utilize in our day-to-day operations. This increases the efficiency of security analysts and our response time. We are using those solutions in our environment to do automation, increase productivity, and enhance the efficiency of our security analysts. Sentinel reduces our overall investigation time compared to other solutions.

Sentinel has helped eliminate the need to look at multiple dashboards. We can use the workbook for that. Correlating everything into a single workbook isn't available right now, but it's achievable in the future.

The solution's threat intelligence helps prepare us for potential threats before they hit and helps us take proactive steps. We have integrated one open-source solution for IOC monitoring, and Microsoft even provides the IOC data. To be proactive, we also rely on other solutions like Defender for Endpoint for detecting those threats before they actually happen.

We added IOCs into Sentinel from a monitoring perspective. If we can detect ransomware, we can prioritize that and work on mitigation.

Microsoft Sentinel saves us time. It has provided us with a very rich automation solution. We can see most of the details directly on the Sentinel site. We don't need to log in and check for different things, so it saves a lot of time for associates. It saves us about 30 to 40 minutes on average per incident.

The solution decreases our time to detect and respond. We can increase detection using dashboards. The automation and playbooks help us respond to threats if the user is compromised. We can directly reset the user's password or disable the user from the Sentinel portal by using the playbooks. We're saving about 15 to 20 minutes on our response times.

Sentinel is a Microsoft product, so they provide very robust use cases and analytic groups, which are very beneficial for the security team. I also like the ability to integrate data sources into the software for on-premise and cloud-based solutions. We can very easily integrate the devices with Sentinel. There are multiple ways that we can utilize the product. I also like how the solution processes data.

The solution helps prioritize threats across our enterprise. We can set the severity for the low and medium-priority severity incidents. Sentinel has machine learning and fusion rules, which help us effectively prioritize. Prioritization is very important for us in this security landscape because attacks are getting stronger.

Sentinel provides a lot of out-of-box analytic rules with Sentinel. It's very good at detecting threats compared to the different SIEM solutions in the market now.

Sentinel enables us to easily ingest data from our entire ecosystem. Attacks can happen from any of the devices. Even the IoT is vulnerable now. We can integrate different solutions for it. For instance, there is Microsoft Defender for IoT, which we can integrate into Sentinel. That provides a single pane of glass for security. In any SOC, we need to have multiple solutions. Sentinel is a great solution for managing and monitoring those products.

Sentinel enables us to investigate threats and respond holistically from one place. We can integrate other solutions like ServiceNow with Sentinel, and we can set the bidirectional sync.

Sentinel's security protection is comprehensive. In the area of UEBA, I use the entity behavior settings of Sentinel. It provides some enhancement in security monitoring, but it still needs some improvement regarding user and entity behavior.

There is room for improvement in entity behavior and the integration site. It's a new solution, so it can include different security products in the data connector section. I've also experienced some performance issues with the runbook. It takes a lot of time to load.

In the automation section, there are some limitations.

I have used this solution for two and a half years.

It is pretty stable. I haven't had any issues in the two and a half years that I've worked with Sentinel.

The price goes up whenever we integrate more log sources, but there aren't any issues with scalability. We can increase it very easily.

Technical support is good. They're very quick to respond when we raise a case.

I would rate technical support a nine out of ten.

Positive

Splunk is also the leader in this market. I prefer Sentinel because it's a Microsoft product that provides a lot of free and built-in use cases.

We switched to Sentinel because it's a cloud-native solution. On-premises solutions involve managing IT databases and doing some upgrade activities, but we don't need to manage any of that in Sentinel. We can focus directly on security monitoring and detection and response.

The setup was straightforward. I worked on multiple projects before the deployment of Sentinel.

The amount of time it takes to deploy the solution depends on the client's network area, the firewall, and log sources. We have deployed the solution for user bases of 4,000 to 5,000. Deployment was completed within one month by integrating all the required processes.

We had a team of three people for deployment. I took care of the integration of the log sources, and the other two people took care of the customization.

Sentinel doesn't require much maintenance.

We evaluated Splunk and a few other solutions.

I would rate this solution as nine out of ten. 

My advice is that colleagues who have worked on different solutions, whether on-premises or cloud, should use the Ninja training. Microsoft provides this training directly. It is publicly available and provides a better understanding of how to utilize the solution more effectively.

I think it's ideal to go with different vendors across our environment rather than a single vendor for security purposes.

Our team uses Microsoft Sentinel to monitor all security incidents. Security analysts working the intake process configure rules that trigger alerts based on specific criteria and route them to the appropriate team based on the event ID. This unified view within Sentinel allows me to investigate each incident, tracing its origin, path, and endpoint. By analyzing the information gathered, I can then determine whether the alert is a true positive or a false positive.

The visibility into threats that Microsoft Sentinel provides is excellent.

Microsoft Sentinel prioritizes threats across our organization, with levels P1, P2, and P3. This helps me determine how to investigate since some alerts, especially P1s, might seem critical at first glance. However, further investigation may reveal non-critical situations, like a P1 triggered by an authorized user's access from an unfamiliar IP or location. Analyzing logs can help identify these scenarios and ensure appropriate responses.

Microsoft Sentinel and Defender seamlessly integrate to provide a unified system for detecting and responding to security threats across our entire environment. This is crucial for meeting compliance standards and informing client communication. By investigating all security events and summarizing key findings in reports, we can not only highlight critical incidents but also demonstrate the steps we're taking to reduce the overall number of high, medium, and low-severity threats for our clients.

I would rate the comprehensiveness of the threat-protection that Microsoft Sentinel provides an eight out of ten.

Once data is ingested, the process begins with reviewing the ticket information. This can then lead us to Sentinel, where we can view logs. The depth of our investigation determines the next step: a login to Defender, which provides the full range of investigation tools to pinpoint the root cause of the incident.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place.

I would rate the comprehensiveness of Microsoft Sentinel eight out of ten.

Microsoft Sentinel helps automate routine tasks and the finding of high-value alerts.

Microsoft Sentinel simplifies security management by offering a single, unified XDR dashboard, eliminating the need to switch between and monitor multiple disconnected security tools.

The threat intelligence gives us a proactive advantage by anticipating potential threats, allowing us to prioritize and swiftly address critical incidents before they cause harm.

Microsoft Sentinel has helped save us time.

The detection is in real-time with Microsoft Sentinel. 

While Microsoft Sentinel provides a log of security events, its true power lies in its integration with Microsoft Defender. Defender extends Sentinel's capabilities by allowing for in-depth investigation. Imagine investigating a phishing email: through Defender within Sentinel, we can view the email itself, block the malicious email address and its domain, and even take down its IP address – all within a unified platform.

I would like Microsoft Sentinel to enhance its SOAR capabilities. 

I have been using Microsoft Sentinel for two years.

I would rate the stability of Microsoft Sentinel ten out of ten.

I would rate the scalability of Microsoft Sentinel ten out of ten.

I evaluated a few other SIEM solutions but I prefer Microsoft Sentinel because it is straightforward and I can also use Defender to investigate.

I would rate Microsoft Sentinel nine out of ten.

While Microsoft Sentinel offers SIEM capabilities for security information and event management, it doesn't fully replace the need for a separate SOAR solution, which specializes in security orchestration, automation, and response.

In addition to Microsoft Sentinel, I've also used IBM Security QRadar, which I believe is a superior solution because it functions as both a SIEM and SOAR, offering a more comprehensive approach to handling complex security processes.

I advise taking the course before using Microsoft Sentinel to have a better understanding of the solution.

I recommend trying Microsoft Sentinel.

We're a cybersecurity company using Sentinel to provide SIEM services to our customers. 

Sentinel improved how we investigate incidents. We can create watchlists and update them to align with the latest threat intelligence. The information Microsoft provides enables us to understand thoroughly and improve as we go along. It allows us to provide monthly reports to our clients on their security posture. 

It helps us automate some tasks but not others. There are some things we missed because there aren't any rules. We're still working on integrating it. We know it can detect high-severity incidents if we utilize it correctly. We've been able to automate incident responses to some high-level threats we've encountered.

Microsoft's threat intelligence helped us prepare for attacks by developing rules before they hit. We know what behavior to expect because we have visibility into the threat and the actors. 

Sentinel's reporting features save us time. In the past, we created reports in Microsoft Word by dropping in screenshots. With Sentinel, we can create readymade reports from the dashboard. Our monthly report previously took about 16 to 24 hours to complete. We cut that in half. 

We have our own ticketing system for our soft team, and Sentinel's playbooks helped us automate many processes. 

Sentinel provides excellent visibility. Microsoft updates a lot of its security solutions via Sentinel. The content hub and connectors are available to integrate everything. Microsoft also created separate analytics groups, so we log behaviors and use a template. We often need to modify the template based on a customer's log behavior and our correlation and analysis. 

We can learn some new techniques for using KQL correctly by studying the latest templates that Microsoft releases and creating some KBs for our analysts. The MITRE ATT&CK framework is now integrated into Sentinel, so we can statistically identify which part of our microservices are vulnerable. We can assess the severity of threats and prioritize them accordingly. We also need to prioritize based on our SLAs. 

My company also provides managed service for Defender for Endpoint, previously called ATP. We also work with Defender for Cloud and Defender for Identity.

All the Microsoft solutions are integrated with Sentinel, including 365 apps, Azure AD, and various cloud-based security solutions. It includes all the connectors you need to ingest logs from multiple Microsoft products, giving us near-total visibility. Some customers use on-prem security appliances, so we have to correlate logs. 

Sentinel comes with Azure Lighthouse. We can link the subscription to our customer's tenant and ask them to create a global admin account. We can report on the activities using each account and how secure the credentials are. The integration is seamless when we have that level of access. 

We offer ingestion for all Microsoft products and always recommend our clients get everything so we can get full threat visibility and effectiveness. Having all the products integrated into Sentinel helps us see the big picture. In addition to the analytics rules and everything, we're utilizing dashboards and workbooks. Some workbooks are templates that Microsoft provides, but we also develop our own. 

We can compile all this data, put it in a workbook, and create rules. The other part is communicating with the customer because the user is still reviewing logs. Is it an admin? Is it doing daily counts of logins, etc? 

Three of our customers use Defender for Cloud. If a company needs it, we can support it. We have Microsoft-certified engineers who can provide expert frontline support.

Initially, we were only ingesting incidents from Defender for Endpoint, but now we can ingest more data throughout the system. Previously, we could not see some things. We could do it, but we had to search through the portal to find what we needed. Using a connector, we can see everything our employees do on the endpoint, such as device info, location, logins, etc. It's especially useful when employees work remotely or outside their normal area. 

Sentinel lets us investigate threats and comprehensively respond from one console. We can have multiple tabs on one application. The capabilities are robust and marketable. All of these solutions are combined. 

We've seen delays in getting the logs from third-party solutions and sometimes Microsoft products as well. It would be helpful if Microsoft created a list of the delays. That would make things more transparent for customers. 

In some instances, the customer reports that they suspect malware on a computer, and one of their IT guys noticed it. There is a five to ten minute delay before we can see it and respond. As a security company, we don't want the customer to be the first one to identify the threat. However, we must deal with delays from the various products we're integrating. For example, Apex One has a 15-minute delay.

Sometimes it's an issue with the third-party product, but sometimes it isn't. If it isn't, we need to open a ticket with Microsoft. We would benefit from transparency around delays and communication about what Microsoft is doing to resolve the issue. 

Another issue is transparency around usage and associated costs. There are charges if you use playbooks and queries. If you query 100,000 times a day, your costs will go up. The usage only displays in gigabytes per day. A breakdown would help us make reports for our management. 

We have used Sentinel since 2020, so it has been about three years.

We also have experienced some performance problems in the UK. I'm not sure how that works, but something might be going on in the back-end. We transferred to a different region a while ago and lost some of our workspaces. We were shocked.

If Microsoft needs to failover to another region, the customer should be informed because it affects many things. Some of the products we ingest just suddenly stopped, and we have to redo the integration with Cisco Umbrella, AWS S3, and SendGrid. Azure was pulling those logs, and the connections were suddenly cut when this happened. 

I rate Microsoft's support a five out of ten. We had problems using Azure and getting the logs from event services for one of our customers. The date and time the log generated on our customer's device were wrong. It showed the event's location but not the time that the event was generated. 

We contacted Microsoft, who told us to expect a reply the following day, but they didn't respond until four days later. Then, they sent us to another department to speak with someone more knowledgeable about our issue. 

We described the problem, and they asked us for evidence. They wanted our support team to recreate it. Microsoft's support team can create a lab environment and recreate the scenario for themselves. We had to stop the call because we were too busy.

Neutral

We previously used an in-house SIEM solution. 

Deploying Sentinel was complex initially, but it has gotten easier. We documented how we did everything, so it's easy for someone to replicate the steps. If we have accepted the CSP invite, we can deploy it in two days, including configuring ingestion, creating rules, and Azure onboarding. We also must build dashboards and templates. Sometimes there are delays, and it might take three to five weeks.

Sentinel is costly compared to other solutions, but it's fair. SIEM solutions like CrowdStrike charge based on daily log volume. They generally process a set number of logs for free before they start charging. Microsoft's pricing is clearer. It's free under five gigabytes. Some of these logs we ingest have a cost, so they don't hide it. I believe the tenant pays the price, and Microsoft helps create awareness of the cost.

With other solutions, you don't know what you're being charged until you get the bill. You might find that you're using playbooks or queries too much. Microsoft gives you visibility into your expenses. 

We evaluated a few other solutions, including CrowdStrike, Splunk, and LogRhythm. We decided to go with Sentinel because we have Microsoft-certified staff, and many companies in the UK are adopting Defender and other Microsoft security solutions. Sentinel offers seamless integration with Microsoft security products, and we've also seen how flexible it can be.

We can leverage KQL queries. If you're trying to send logs to another SIEM, you'll probably need an API and a lot of other components to make it work. Sentinel makes our jobs easier by providing all of the connectors and out-of-the-box integration. 

I rate Microsoft Sentinel a nine out of ten. I think the industry is shifting toward a single-vendor strategy instead of best-of-breed. If you have a lot of tools from various vendors, it makes things more complicated. You need to hire employees who specialize in each device. It's better if your team understands a solution's features and capabilities. 

If you're considering a SIEM solution, you should compare each product's mean detection and response time. I'm unsure if that information will be publicly available for every solution, so you may need to test them. You should also think about other components besides cost. Sentinel might be more expensive than other solutions, but it's more comprehensive because it incorporates all the different security elements and keeps evolving.

Microsoft is constantly updating all of its solutions. We mainly utilize Microsoft infrastructure, but some solutions are based on Unix or Linux. At the same time, threats on that side aren't as critical as those from Microsoft. They own the operating system, so they're positioned to understand the vulnerabilities and how to fix them. 

We primarily use the solution for security purposes, to record events, and generate alerts, so that our security team can review the items and take proper action.

We work jointly with an MSSP, we have about 14 people working on a 24/7 schedule, around 25 people might use our Sentinel workspace regularly, and more than 40 people benefit directly from the output of this solution.

With Microsoft Sentinel we have detected threats in early stages of an attack through custom detection rules, helping us prevent escalation and further compromise.

Sentinel has provided visibility of administration events, which allows us to audit security processes and discover misconfigurations and errors.

Using Sentinel we have definitely saved time in our detection and response efforts.

Microsoft Sentinel as a SIEM uses KQL (Kusto Query Language) in their detection rules, which is an optimized query language with some really powerful functions. Generally SIEM vendors use different query languages. KQL queries can use complex logic and be executed in a few seconds, which would not be possible or may take up several minutes in other SIEMs, and now some vendors are trying to implement their own version of KQL.

Sentinel provides us with good visibility of threats. The different kinds of logs it ingests are good as long as the log sources are correct. It can integrate some out-of-the-box log sources in a short time, and log data fields are usually very complete. We don't have experience integrating custom log sources, but it should be possible.

Out-of-the-box log sources have the same data structure in all Sentinel workspaces, which allows queries and detection rules to be shared easily between Sentinel customers. We could rapidly adapt to a new threat with public detection rules created by Microsoft or other security professionals.

We work with Microsoft Sentinel and other Microsoft security solutions like Defender. We've integrated all of them together easily from their web portals. As long as you have the right privileges, integrating these solutions might be as simple as a click. Microsoft security solutions work natively together to deliver coordinated detection and response, which is important to us.

Sentinel allows us to ingest data from our entire ecosystem, wether it might be an on-prem or cloud service. It allows us to correlate different data tables, to create complex threat detections, and to investigate holistically across our infrastructure.

I like the automation portion of the product, it helps us automate routine tasks. We have created some automation playbooks in Microsoft Sentinel, however, in our environment these are not specific to security tasks.

Microsoft Sentinel has a lot of out-of-the-box detection rules. Many of these rules have not been tested, they may execute but they have errors or do not work as expected. Due to this I've made more than 80 requests for modifications in Microsoft Sentinel public repository. If you want to ensure that Sentinel detection works, you need to review the logic of the detection rules one by one, and this shouldn't be the case.

Sentinel does not seem to have rules by default that check and notify of execution errors. I have had to create custom rules to detect when a log source or automation rule stops working as expected.

There can be discrepancies between Microsoft tools. Not all information appears in Sentinel. Sometimes there are items provided in Microsoft 365 Defender that you could search for in Sentinel and you would not find them and therefore assume they do not exist.

The solution is powerful but it can be expensive. Other solutions that are on-premises should be cheaper.

I've been using the solution for more than three years.

The solution is largely stable but not completely. I have had issues with some log sources that stop being ingested or are delayed, and also with automation rules not responding to incidents. Sometimes automation rules stop working intermittently, and this issue might happen during a month or two, and then they go back to working as expected without being notified of any issue by Microsoft.

The scalability is excellent, Sentinel has some limits regarding the amount of ingested data and enabled Sentinel resources, but these limits exist for extreme cases, which our workspace and organization are not even close to.

I'd rate it ten out of ten.

I've opened many support tickets. When you open a support ticket, it will typically be resolved within the first interaction. And they've solved all of my support tickets quite quickly. Even if I have made a mistake when opening support tickets, it's always been a positive experience.

Positive

I've used a few different solutions, including ArcSight, LogRhythm, and QRadar. 

I don't have much insight into ArcSight.

LogRhythm did not let me create complex detection rules.

With QRadar, when we are looking at queries, they can be slow. However, IBM is trying to create its own KQL implementation for QRadar in order to make them faster. 

But I don't have the same level of administration experience with these tools than with Sentinel.

We had some cloud engineers who created our instance on Azure. They enabled the connectors for some out-of-the-box log sources, and created other kinds of neccesary resources, specially to connect on-premises resources to Sentinel. We did not have issues that didn't depend directly on us.

At first we enabled all the detection rules we could, without deeply inspecting them, we assumed they would work. We would not take this approach again, detection rules should be reviewed and enabled one by one.

Maintenance is minimal. It's all on the cloud. If something does not work as expected, we open a support ticket. Since the tool is supported by Microsoft, you are paying them to also maintain it, basically.

Our implementation was handled in-house.

I would recommend to check regularly for deviations or unexpected surges of ingested events, which will affect the cost. I do not directly handle the pricing portion of the solution. There is a calculator in Azure that helps you estimate the cost. 

It's ideal to go with a best-in-breed strategy rather than a single vendor. You need to know what is available in the market. Companies should be free to use any security tool that they consider to fit their needs. 

For companies considering Sentinel, they need to ensure a threat detection engineer will be available to manage their detection rules, you shouldn't enable all of them blindly. You may get value from Microsoft Sentinel, however, you need to continuously invest time and ensure everything is set up and working as expected. 

I'd rate the solution nine out of ten. 

I'm an IT consultant, and I use Sentinel with two of my clients to monitor all their security signals and get alerts when things are happening that might be suspicious.

The fact that the solution helps automate routine tasks and the finding of high-value alerts has made it possible for me to provide security operations. If I didn't have automation, I wouldn't be able to do that. Nobody is going to pay me to sit and stare at a screen for eight hours a day. But with the automation built in to let me know about and fix things, it becomes viable. The automations have an email option, and all the alerts show up as emails in my inbox. I'm busy with other things, and I'm not looking at Sentinel all day. And the automation in those emails is available to deal with things automatically. Automation is incredibly important.

Sentinel gives me one XDR dashboard. In terms of security operations, it's improved them and makes it easy for me to do my job.

It saves my clients time, on the order of 30 percent.

It also saves costs for me and my clients. If we didn't have Sentinel in place, and they were to get compromised, it could cost them tens of thousands of dollars due to ransomware, a BEC scam, or another type of attack. Without Sentinel in place, that could be a very big cost.

And it decreases the time it takes to detect and respond by days, if not weeks.

My clients are small businesses, and mine is also a small business. Traditionally, even the concept of using a SIEM in most small businesses was unheard of. It was an on-premises product, and you needed to install servers, and most normal IT consultants wouldn't even look at it because it would be very complex for them. The standout feature of Sentinel is that, because it's cloud-based and because it's from Microsoft, it integrates really well with all the other Microsoft products. It's really simple to set up and get going. You don't have to set up a server or do a lot of configuring and setting up storage. It just lives in the cloud, you turn it on, and connecting most things to it is really easy.

It's fantastic when it comes to integration with other Microsoft products. It's so easy. I've been in IT for 30 years, and integrating products was, up until a few years ago, something we would never want to do. It was so hard, we wouldn't want to touch it. We would have to write custom code and configure things. It was just horrible. Now, it's literally a couple of sliders in the interface, and you're done.

And once these solutions are integrated, they work natively together to deliver coordinated detection and response across my clients' environments. I follow this space very closely, but I am not an expert in any other solution. Still, at least for my clients, with the threats they are facing and the alerts we get from the real world, Sentinel's detection and response are very comprehensive.

Sentinel enables you to ingest data from the entire ecosystem. I have integrated some non-Microsoft products with Sentinel, and, predictably, it's not as simple as one click because these are third-party products. But it is definitely quite easy. For cloud products and services, it's still very simple. It might be three or four clicks. But for on-premises products, it's a bit more work.

My clients also use Defender for Cloud, and its bi-directional sync capabilities are very important. It makes things much easier.

Sentinel provides a clear view into the threats that are coming in, and, compared to what I had before, it is night and day. I heard somebody say on a podcast, "The solution we had prior to Sentinel was like a dark room and you had a torch, and you could shine the torch in different directions and see some things. Having Sentinel, combined with Microsoft 365 Defender, the XDR solution, is like turning on the lights and seeing everything." I completely agree. That's exactly what it feels like.

Another incredibly important factor is the solution's ability to investigate threats and respond holistically from one place. Again, as a small business, I wouldn't have the time and energy to look in several different places. I need one place where it all shows up, and that's what Sentinel provides.

And with built-in SOAR, UEBA, and threat intelligence, the comprehensiveness of Sentinel's security protection is good.

Given that I am in the small business space, I wish they would make it easier to operate Sentinel without being a Sentinel expert. Examples of things that could be easier are creating alerts and automations from scratch and designing workbooks. All of those are available as templates and community-produced content, but doing all that from scratch and keeping it up-to-date, is not easy. Because I have lots of other things on my plate, it would really improve things for me if they would make it more accessible for small businesses and non-experts.

I have been using Microsoft Sentinel since it was in public preview, so that's at least three and a half years.

It's a very stable solution—rock-solid.

It's also very scalable.

I have only ever contacted them about Sentinel once, but I have certainly dealt with Microsoft support in various ways. Their response time is pretty good. But they have a difficult time providing good support, at the level that would cause me to give them a higher score than six out of 10, because things change so fast. And it's so much wider than it used to be 10 years ago. There's so much to cover, and that's difficult for them.

Neutral

We used ESET for one client, but it wasn't a SIEM, it was just endpoint protection. We replaced that with Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, and Sentinel. It's not an apples-to-apples comparison.

The initial deployment is very straightforward. It took me four or five hours to set it up.

The product itself, obviously, does not require maintenance, but the alerts and rules require work.

Sentinel is fairly priced and pretty cost-effective. Compared to on-premises solutions, Sentinel is very cost-effective.

It's certainly possible, if you're not careful about what you connect, to shoot yourself in the foot by ending up with large data sources being ingested that cost you a fair bit of money. You do need to think about what data sources you actually need, which ones will lead to the detection of actual attackers, and how much of that data you need. You also have to consider how you're going to store it, because Sentinel has different levels. You don't have to store it all in the expensive "this will give me alerts" tiers. But, as I said, my clients are small businesses. They certainly don't have a budget for anything expensive, and they're very happy with the costs.

Do a proof of concept. It's really easy to set up and get started. You don't have to turn everything on to start. Do a small proof of concept, get familiar with it, and you'll see how easy it is.

Does it help prioritize threats across the enterprise? The short answer is, "Yes, it does." The slightly longer answer is that it is not a set-and-forget solution. And no SIEM is. You do need to configure Sentinel and fine-tune it. I have a calendar reminder every two weeks to go back in and make sure the right analytics rules are in place and change the ones that need changing, et cetera. It does prioritize threats, but it's not an automatic process that you never have to worry about again.

Sentinel's threat intelligence doesn't really help with proactive steps. The threat intelligence has indicators of compromise, such as IP addresses, URLs, and file hashes. They get detected, but that's not really proactive. Perhaps it's "proactive" in the sense that somebody else has figured out that those things are bad and let the system know. But Microsoft 365 Defender does the proactive part because it has threat intelligence in it. It will tell you, "A new threat that we have a report on seems to be targeting your type of client." That's proactive, but Sentinel isn't proactive. Meaning, if you read about a threat and then protect yourself before that threat reaches you, Sentinel doesn't really do that.

In the debate about best-of-breed versus a single-vendor security solution, if you pick best-of-breed individual security solutions and you have to integrate them, now you're an integrator. And that is hard. It's not easy to integrate different security products. And that's why, at least for my clients, Sentinel and Microsoft 365 Defender have been a huge shift. They're so easy to integrate. My clients could license separate products and then try to integrate them to get the same level of integration, but that would never work.

Every day, I log into Microsoft Sentinel to check the logs. I start by checking the incidents and analyzing them. If I need to create an automatic rule, I do so. If the logic needs to be changed, I make the necessary adjustments. I am responsible for managing Microsoft Sentinel for our organization.

For our organization, Microsoft Sentinel helps us prioritize threats across most of our environment because we have not yet fully integrated the solution into all aspects of our operations. Currently, we are working on integrating mutual source AWS into Sentinel, which will provide us with more visibility. Apart from that, there is already a lot of visibility in case of any failures or anyone attempting large deployments across other companies or similar activities. Additionally, if someone attempts to use login information from a different location, it becomes apparent, as it is impossible to travel that quickly. Sentinel covers almost everything.

We are using Microsoft Office 365 for email security in our environment. Our infrastructure engineers have integrated Microsoft Office 365 with Sentinel. When we view the old connectors in the application, it mentions Microsoft Office 365. Currently, it also indicates this in terms of firmware.

Microsoft Sentinel can enable us to ingest data from our entire ecosystem. However, since we are currently receiving services from an external source, we are not integrating the tool right now. That's why we are looking for another tool that we can integrate with Microsoft Sentinel. Once we do that, I believe we will be able to see everything, including any malware-related issues, as well as other security and licensing concerns.

The ingestion of data into our security operations is of utmost importance. If we are not monitoring whether people are sending large documents to other companies, how will we realize it? We don't have any other tool for that. Of course, we have email security and EDR, which cover some aspects, but some of them are not effective or are too basic. Unlike them, Microsoft Sentinel is comprehensive. It records everything: every click, download, login, and search. Therefore, it is a necessary tool for our operations.

Microsoft Sentinel allows us to investigate threats and respond quickly from a unified dashboard. A couple of months ago, there was a concern with the AWS environment, and our director asked us to identify any relevant code-related alerts originating from the environment. Since we didn't have the rules at that time, I looked into the recommended analytics section, which turned out to be quite straightforward. When we write Python or work with any logs, cells, or Java-related elements, Microsoft Sentinel provides us with insights and a logical approach to integrating our environment. During my investigation, I discovered some configurations related to the Python code, and it appears to be functioning well now.

Microsoft Sentinel's built-in SOAR, UEBA, and threat intelligence capabilities work well and are further enhanced with the addition of a firewall for added protection.

Before our organization implemented Microsoft Sentinel, we only had an email security DLP solution and some other tools. While we could see the logs on our computer, they were often presented in a confusing manner, appearing like gibberish to us. However, with the introduction of Sentinel, we can now interpret and make sense of that information.

When I joined the organization, they were already in the process of implementing Microsoft Sentinel. However, I am familiar with other integrations with Sentinel, such as AWS, and the integration is not difficult. We simply create the necessary resources, and everything is well-documented, which is a huge plus. We can access all the information online, both in the AWS part and in Microsoft Sentinel. So, I believe it's not rocket science.

It helps automate routine tasks and aids in identifying high-value alerts. We have automated the tool to receive critical or high alerts and send us messages accordingly. This automation is currently active. Whenever a high alert is generated, it comes through direct messages. Even during non-working hours, I receive these alerts on my phone immediately. If it's an important alert, I can respond promptly. We had an incident where I had to work on weekends due to such an alert. However, if I'm not using the tool or haven't activated it, I generally don't turn on the computer after work hours. So, this feature has been beneficial for us. Some months ago, there was a Microsoft bug that created false positive alerts for every clean link, including company links. We made modifications to the alerts, and now we no longer receive those unnecessary alerts.

It helps eliminate the need to look at multiple dashboards by providing us with just one XDR dashboard. We no longer have to go to other places. However, there are instances when we receive alerts about failing servers, and we can't check them using Sentinel; instead, we have to use Azure Active Directory. It's not Sentinel's fault, and checking through Azure Active Directory is not difficult, but we still have to go somewhere else.

Sentinel's threat intelligence assists us in preparing for potential threats before they strike, allowing us to take necessary precautions. My weekly routine includes dedicating at least two hours to the accounting part. I am constantly searching for any threats in our environment that may have gone unnoticed. So far, I haven't found anything, but I'm always vigilant because we can never be entirely certain that there are no threats.

We have been enabled to save a significant amount of time. The log files consist of hundreds of pages, and to review them, we need to possess networking knowledge to identify the specific case. Without knowing what we are searching for, it's like trying to find a needle in a haystack. Sentinel migrates the logs and presents the visual information in a user-friendly manner, which has proven to be a time-saving solution for us.

Sentinel saves money by reducing the number of people required to monitor the alerts. For example, if there are normally 50 alerts per week, fine-tuning reduces them to just one.

Microsoft Sentinel helps decrease our time to detect and time to resolve. Sentinel provides a brief introduction to the events occurring in the environment when someone is causing instability in the AWS environment. Sentinel precisely identifies the issue and offers a link for accessing more information about the situation.

The dashboard that allows me to view all the incidents is the most valuable feature. Threat hunting is also valuable. Sentinel has a Microsoft framework, so we can experiment with numerous queries. There are almost 500 queries available that we can utilize based on our environment.

I believe one of the challenges I encountered was the absence of live training sessions, even with the option to pay for them. Microsoft insists that all information is available in the documentation, which I must admit is quite comprehensive and helpful. However, for someone without a coding background, learning solely from the documents can be challenging at times. It would be much easier to learn if there were practical exercises and instructional videos available. This aspect bothered me significantly. While I did come across a course, my preference was to access it through Sentinel since they are already providing us with their services. Having the team trained up would undoubtedly streamline my job and save a considerable amount of time.

I have been using Microsoft Sentinel for one year.

We have not had any scalability issues with Microsoft Sentinel.

Microsoft Sentinel is scalable. We can add as many services as we want, and Microsoft automatically increases the capacity by adding memory and storage.

I have used technical support many times. Sometimes, I have a really hard time understanding them. I am not sure if they are calling from India, but there was background noise at times. However, they are really helpful, even though they seem a bit indifferent. They frequently inquire whether we have addressed the issue and if it has been resolved—quite a lot, actually.

In a company, we are often very busy. They expect us to address the issues immediately, but sometimes it can take months. So, I inform them that I will follow up. They can be a little pushy, which is understandable from their perspective, but for us, it can be challenging because we have many other tasks to handle. Sentinel is just one of my priorities, and there are a lot of other things I need to take care of. That's why sometimes we need time, but to their credit, they are always responsive. Whenever we ask them a question, they promptly provide a response.

Positive

I had previously used Kibana, which is quite different from Microsoft Sentinel. When I used Microsoft Sentinel for the first time, I realized that this was the ideal solution. Microsoft Sentinel is user-friendly, unlike Kibana, which I found difficult to install and not very user-friendly. Microsoft Sentinel, on the other hand, is incredibly user-friendly, making it easy for everyone to understand and learn how to use it. It is a straightforward solution to comprehend.

I give Microsoft Sentinel a nine out of ten.

We are currently evaluating Microsoft Defender and CrowdStrike in our environment to determine which one is a better fit. As for Defender, I cannot claim to have a complete understanding of it since it's in a testing environment. I can monitor people's devices, but I have not yet received any alerts generated by the devices. It has only been around ten days.

I am responsible for creating documentation for all of our implementations, while other teams handle the infrastructure portion.

Maintenance is minimal for Microsoft Sentinel. There is a check button in the house. Sometimes I go there because we occasionally find that some things are not working properly. So we have to go there and address the issue, but it is not a common occurrence. Maybe it happens, like, three times a year which is not bad.

We primarily use the solution for analyzing logs, such as those from Azure AD. We have it integrated with Microsoft 365 and plan to integrate it with our firewalls so we can analyze those logs too. So, our main uses are for log analysis and to check for vulnerabilities in our system.

We use more than one Microsoft security product; we also use Defender for Cloud. 

Sentinel helps us to prioritize threats across our enterprise. 

The solution reduced our time to detect and respond. 

The log analysis is excellent; it can predict what can or will happen regarding use patterns and vulnerabilities.

Sentinel provides good visibility into threats. 

The product enables us to investigate threats and respond holistically from one place, and that's important to us. 

Given the solution's built-in SOAR, UEBA, and threat intelligence capabilities, it provides reasonably good comprehensive protection, and we are happy with it. 

Sentinel helps us automate routine tasks and find high-value alerts; the playbooks are beneficial and allow us to optimize automation.

The tool helped eliminate multiple dashboards and gave us one XDR dashboard. Having one dashboard is the reason we purchased Sentinel.  

Sentinel's threat intelligence helps us prepare for potential threats before they hit and to take proactive steps. It helps a lot, and that's another main reason we have the product.  

The solution could be more user-friendly; some query languages are required to operate it.

A welcome improvement would be integrations with more products and connectors. 

We've been using the solution for over a year. 

The solution is stable.

Sentinel is a scalable product. 

Microsoft support is good, I rate them seven out of ten. 

Neutral

We didn't previously use another solution of this type; when we moved to Azure, Sentinel was one of the products Microsoft recommended, so we started using it.

I was involved in the deployment of Sentinel, but my colleague did the majority. The setup was basic; some query language is required to implement it fully, and we could improve our configurations. Our implementation strategy was to cover the major products first, including Office 365 and Azure AD. We did that, and we're now adding the other tools we use in our environment.

Our setup is not particularly expansive, so we can deal with the maintenance requirements within our team; it only requires one team member. Our team consists of three or four admins; we manage the Azure AD logs, and Azure AD has 400 users.

The pricing is reasonable, and we think Sentinel is worth what we pay for it.

One of the main reasons we switched from on-prem to Azure Cloud was to save money, but at the same time, we kept adding on features and spent a lot doing so. We're now looking at cost optimization and removing unnecessary elements, as one of our primary goals is to reduce costs. I'm unsure if we are, but we are trying to get there.

I rate the solution seven out of ten. 

Sentinel allows us to ingest data from our entire ecosystem, though we are attempting to integrate all our products. It can ingest and analyze all the data, but we aren't using this functionality to its fullest extent yet.

My advice to someone considering the product is to use it. Start by integrating your primary applications, then slowly move on to others in descending order of importance. 

The company I work for delivers SOC-as-a-Service, so I set up Sentinel in the customer's Azure environment and then connect it to our central Sentinel through Azure Lighthouse.

Microsoft Sentinel has made it easier for us to sell SOC-as-a-Service to, more or less, any customer and not just the big ones.

A lot of our customers run Microsoft products, and integrating those with Sentinel is simple and easy. Sentinel can be quickly deployed as well.

As long as the customers are licensed correctly and have, for example, the E5 security package, then the insights into threats provided by Sentinel are pretty good.

Sentinel helps prioritize threats well. The option to dig deeper and go into the different portals is good as well.

Our customers are very happy with incidents being closed in Sentinel and across the tenant.

We are able to fetch data from almost any source with Sentinel. There are some customers who try to customize, but we try to keep it to the out-of-the-box preconfigured data connectors or to what we can find in the Microsoft content hub.

In terms of the importance of data ingestion to our customers' security operations, they only have access to what is in Sentinel. Therefore, it's pretty important for them to have all of their data stored in one location. If it's stored on-premises in Microsoft 365 Defender, then the SOC team won't be able to access that data. Giving a good analysis will then be harder.

It's very important to us to be able to investigate threats and respond holistically from one place. We don't create several accounts for each customer. We utilize one account and then get insight into the Sentinel environments of different customers. It's great that we can do all this in one place.

The comprehensiveness of Sentinel's security protection is pretty good. The effectiveness of the web part of this depends on how well the customer has configured their Azure AD and what information they have included for each user, such as the phone number and the part of the organization where the user works.

One of the big issues for our customers is the need to look at multiple dashboards. Sentinel has eliminated this and made it a lot easier by having everything in one place.

Sentinel has definitely saved us time. It has also decreased our time to detection and our time to respond. We try to have an analysis ready within 30 minutes of an incident coming in.

Some of the data connectors are outdated, at least the ones that utilize Linux machines for log forwarding. I believe that Microsoft is already working on improving this.

I would like Microsoft Sentinel to have out-of-the-box threat intelligence because right now, the only option is to add your own threat intelligence.

I've been using Microsoft Sentinel for approximately one and a half years.

Sentinel has only been down once, as far as I know, as a result of Microsoft doing something with Azure Kubernetes, which affected log analytics and Sentinel. It was down for about 10 hours. Other than that, it's always been up.

The scalability is great. You can put unlimited logs in, as long as you can pay for it. There are commitment tiers, up to six terabytes per day, which is nowhere close to what any one of our customers is running.

I might be more fortunate than others, given the fact that I have easy access to Microsoft support. The only downside is that the support staff are not that technical, but there is a big community around Sentinel. I can ask the question on the forums instead, and I usually get an answer there. All in all, I'd rate technical support at eight out of ten.

Positive

The initial deployment is straightforward. We try to utilize a baseline of analytics rules in addition to connecting any security products already owned by the customer.

We usually deploy one Sentinel per Azure tenant. Maintenance-wise, Microsoft updates the analytics rules and the engine behind Sentinel, and it may require some tuning if it creates a lot of noise. Other than that, it's pretty straightforward. Thus, in comparison to other SIEM solutions that you need to upgrade and then turn off for the functionality to be updated, Sentinel saves us time.

My colleague and I usually work with someone at the customer's location to deploy the solution.

Compared to standalone SIEM and SOAR solutions, it is easy to start off with Sentinel. For example, with QRadar there are minimum licensing requirements, EPS costs compared to how many logs are being ingested, etc.

It can become costly with Sentinel if you try to run all of the raw logs for an entire organization. If you prioritize, however, you can have a cheaper SIEM solution compared to the ones that have a starting price of 50,000 US dollars.

The pricing is based on how much you ingest, so it's pretty straightforward. There are no tiers, and you pay for what you use, unlike with other types of SIEM solutions that are usually based on tiers.

It's a great way to get insight into exactly how much you're using. If you connect a log source that utilizes too much, you could turn it off or tune it down. You could also buy tiers in Sentinel and can save money with tier commitments.

Overall, I'm satisfied with Sentinel and would give it a rating of eight out of ten.

As far as going with a best-of-breed strategy versus a single vendor's suite, Microsoft gives a pretty good solution, especially when you get the E5 security package. It gives you a good view of the security across the organization, so I don't mind going for a single vendor's suite and opting to go completely with Microsoft.