Microsoft Sentinel Reviews

We require a comprehensive, scalable solution for cyber threat protection. 

The interface is simple. It was easy to click through and to refer back and assess things. 

We can do frequent training sessions so that people or end users are able to get used to the system.

Microsoft Defender is proven to be able to incorporate with this product. We also utilize the Power BI dashboard. We wanted to monitor the logins. It's helpful for threat investigations. We're able to use the session queue report to identify the frameworks having issues.

The workflow is quite smart. Incidents alerts can be generated automatically. It has good automation capabilities and that helps us respond to incidents quickly.

Sentinel provide our customers with a unified set of tools to detect, investigate, and respond to incidents. It's actually a part of Defender. It's unified within the operating platform. This allows for the mobility of the end user.

Our customers use Sentinel to help secure hybrid cloud and multi-cloud environments. We do have a limited amount of space. Out of ten or so clients, five or six have adopted a cloud protection system.

We can use it with Microsoft Athena and we can manage compliance and see logs for analytics. Sentinel can correlate signals from first and third party sources into a single high-confidence incident. Since the process is automated, it makes our response times faster. This saves the team's time.

We do make use of the solution's AI capabilities. The machine learning is very mature. Its machine learning has been very good overall. It's also something that enhances response times and threat analysis. 

It's provided us with improved visibility into user and network behavior.

Sentinel has reduced the work involved in the event investigation by quite a lot.

From a client perspective, they'd like to see more cost savings. I'm not sure if Sentinel gives a POC for free.

I've been using the solution for two years.

The solution is very stable. We haven't received any complaints and haven't had outages.

The solution is easily scalable. Of course, we do have to do due diligence with our Oracle system architecture.

We have an SLA that says there will be a receiving engineer that will respond if the system is down. Technical support is great. They might have different tiers of service.

Positive

I did not personally deploy the product. I just work with it.

There is some maintenance. We do have a resident engineer that's certified on troubleshooting.

We have a technical partner that helps with deployment. 

The solution is less expensive than an APM option. If the client wants to have a complete solution that covers the whole big organization, a good option will be going with Microsoft Sentinel. For the features it has, the price is justified.

We are an SSI system integrator.

I'd rate the solution nine out of ten.

For those interested in adopting the solution, I'd suggest looking at the costing and billing and ensuring you have the budget and maybe doing a POC for 45 days or two months so that they can really experience the product.

We use Microsoft Sentinel for centralized log aggregation and security management. Our environment uses a variety of security products to strengthen its security. This has made it difficult for the SOC team to analyze logs from different consoles and products. To ease the team's workload and help them prioritize events and attacks, we decided to acquire a centralized console. We chose Sentinel because it provides a centralized console where we can ingest and analyze logs. The logs that Sentinel analyzes add value.

Sentinel's threat visibility is good. It has analytics and threat detection capabilities that we can add to our own playbooks. We can use the predefined log analytics to create our own custom rules. Using these custom rules with predefined logs further improves our environment's security posture.

Sentinel helps us prioritize threats across our enterprise. When we have a lot of alerts and incidents, it is better to understand if they are false positives, because the SOC team sometimes wastes time on false positives, which are not very relevant. We must prioritize positive alerts, which should be given the highest priority. In order to solve this problem.

The manufacturing environment I work in is not very critical, so a simple attack is unlikely to have a major impact on the business. However, data is important in any business, and a data breach can damage our reputation. Therefore, it is important to have a good security posture to avoid threats. Threats and attacks can happen even with the highest level of security. Therefore, we look for products that can give us visibility into our environment and help us to proactively solve problems. Microsoft proactively identifies threats and informs its peers and partners. This allows us to take action to assess the impact of these threats on our environment. By taking proactive measures, we can prevent threats from harming our environment.

We also use Microsoft Defender for Cloud and Microsoft Defender for Identity. We have integrated these solutions with Microsoft Sentinel, and their logs are ingested by Sentinel. We do not incur any costs for ingesting Office 365 logs because Microsoft provides a free login exchange for Microsoft Office 365 and, I believe, for Defender as well into our Sentinel for analysis.

Our Microsoft products work seamlessly together to provide coordinated detection and response in our environment. We use a lot of Microsoft products, and it is best to use them in the same environment. This makes integration and collaboration easier. We also have licensing agreements that give us discounts when we use multiple products together. For example, we use Microsoft 365, OneDrive, and security products. We are also migrating our workloads to Azure. We have already migrated many workloads to Azure, and we are in the process of migrating the remaining workloads. We are heavily dependent on Microsoft, so we believe it is best to use one cloud provider. This makes it easier to manage different services. Additionally, Microsoft provides us with a lot of help and benefits, which can save us money. Cost is one of the factors that businesses consider, and IT is a major investment for businesses. Even though our business is not in the IT industry, IT plays a vital role in driving the business forward. Therefore, our organization needs to ensure that their IT investments are having a positive impact.

The comprehensiveness of the threat protection provided by our Microsoft security products is good. They have a large number of predefined indicators of compromise and a comprehensive team that monitors threats around the world. We receive notifications and newsletters from Microsoft whenever a new threat emerges. When an organization does not have experts on its team, it is very difficult to identify zero-day vulnerabilities or attacks. This makes it difficult for them to identify and mitigate these threats. Microsoft, on the other hand, proactively identifies threats and informs its teams and partners so that they can mitigate or prevent them in their environments.

Sentinel allows us to ingest data from our entire IT ecosystem, including network devices, servers, endpoints, and firewalls. This is important because if we are not monitoring all of our devices, we cannot know what threats they are facing or what attacks they have already been subjected to. Sentinel scans every device in the environment because it is difficult to see how many devices are compromised by a threat when we have an inventory of thousands of devices. This is why we need a centralized console where we can ingest all of our important logs and correlate them to identify threats. We need to know when our environment has been attacked by zero-day vulnerabilities. If we see that two devices have been affected, we still do not know how many additional devices the attack has compromised. This can only be known if we have all of our logs in our console. Sentinel provides us with a valuable capability: we can simply identify the source, user, or affected machines, and Sentinel will tell us how many machines have already been compromised and how far the threat has spread. This information allows us to isolate or quarantine the affected machines so that they cannot access more of our environment or steal more data.

We can react and respond holistically from one place with Sentinel.

The best part of Sentinel is its built-in SOAR, user and entity behavior analytics, and threat intelligence capabilities, which collaborate with the SIEM. Other products typically sell these capabilities as separate products. When we automate tasks, we reduce the team's manual effort. Whenever we detect an attack or need to provide analytics, we generate a lot of events and alerts. If we don't correlate these events and automatically resolve them, repetitive tasks will have to be performed by team members. This is not an efficient use of resources. Repetitive tasks can be automated by writing scripts and putting them into the system. Sentinel correlates events and creates incidents for us. These incidents can be resolved by scripts, such as by informing users that their IDs have been compromised and they need to reset their passwords or their IDs will be blocked. This saves SOC time so that they can focus on more important tasks, such as detecting and responding to threats that are already impacting the environment. Sentinel's features help organizations reduce manual and repetitive effort.

Sentinel has helped our organization by providing seamless collection and correlation of all logs. It is important to correlate logs into alerts and then to incidents, as this prevents the team that receives the alerts from becoming overloaded. Sentinel's analytics capabilities are also beneficial, as they allow me to easily perform searches and analyses of incidents. I do not have to spend much effort to determine the source of an incident, its impact, or how far it has spread through our environment. Additionally, Sentinel's automation features, such as its playbooks, templates, and integrations, help us to reduce manual effort.

Automating routine tasks that help find high-value alerts reduces the cost and workload of our SOC team. We have created several automation use cases by discussing them with multiple stakeholders and analyzing how frequently we receive the same type of incident alerts. When we receive the same type of incident alerts, we can correlate them and create scripts or automate solutions to resolve them. This helps to reduce the team's workload and headaches. We have already incorporated this automation into our SOC processes. If an incident is created, it is automatically resolved without any user or machine interaction. If we receive an alert that the resolution failed, some team members investigate the cause, such as a missing or disabled user ID or a technical system issue.

Automation has reduced our manual tasks, saving us around 30 percent of our time so that we can focus on more important tasks.

Previously, when I joined the organization, they were using Splunk on-premises and other security tools, such as Trend Micro and Darktrace devices, to collect logs. The security operations center team had to log into each console to see the logs, investigate them, and determine how to mitigate the alerts. This process was slow and inefficient, especially in the event of a critical attack. Sentinel provides a centralized console for log collection and analysis which helps the SOC team respond to alerts more quickly and reduce the impact of threats.

Microsoft Sentinel helped us eliminate the need for multiple dashboards by providing a single XDR dashboard. They have data connectors that can integrate with different security tools because they partner with other security companies to provide us with the functionality we need to integrate into our environment. Microsoft is at its best when we can integrate with our peers and security companies that are bringing new features to improve our security posture. We can then integrate these features with Sentinel, benefit from them, and ingest our logs into Sentinel as well. We no longer need to log in to multiple security tools; we can simply go to Sentinel, view the incidents and alerts that are being generated, and take action.

The automation feature is valuable. There are many events that happen, and we require manual effort from our SOC team to mitigate each one. When we started automating tasks, it helped us to reduce the time it takes to react to attacks. Attacks may not be able to penetrate our environment as easily because of this. Therefore, I believe that Sentinel's automation is the best.

The integration is not that difficult. The configuration is simple, but the data connector documentation is lacking in useful information. If Microsoft improves the documentation, we will be able to see how to complete the integration from start to finish. In the past, we have encountered problems during the integration process because the documentation was incomplete. For example, we recently deployed Microsoft Defender for Identity with the help of our Active Directory team. Initially, they told us that only a few ports were required, but later they said that more ports were needed. Our environment did not allow these additional ports, and we were not aware of this requirement. This delayed the project and caused frustration for our team members. The customer also expected the project to be completed sooner, but unexpected firewall rules and undocumented configuration requirements prevented us from doing so. We had to open a case with Microsoft for assistance, and we were eventually able to resolve the issue.

The playbook is a bit difficult and could be improved. For those who do not have a deep understanding of playbooks or programming languages, it would be better to have extensive documentation and information available online. When I started working with Sentinel, there were times when we had to refer to the documentation to get information about the configuration or implementation steps. If we encountered errors in the implementation, we had to rely on the internet to figure out how to fix them. The information available online is not that comprehensive and does not cover specific maintenance tasks. If the documentation were improved a bit, and the playbook and automation were made easier to use, it would be a great benefit for technical users.

The AI and Machine Learning can be improved.

I have been using Microsoft Sentinel for over one year.

I have not seen any downtime with Sentinel. Sentinel is stable.

Sentinel is highly scalable. We can easily integrate more devices without any effort. Microsoft has a large data center, and they are always ready to add our devices.

Microsoft technical support has declined in quality over the years. I have only been using Sentinel for a year, but I have experience with Microsoft technical support through Azure and other Microsoft products. In the past, we were able to resolve tickets quickly with minimal back-and-forth. However, recently, the quality of support has degraded. We had a few critical cases that directly impacted production, but Microsoft did not assign their senior engineers to these cases. This wasted a lot of our time, as we had to explain the problems to multiple support representatives.

Neutral

We previously used Splunk SOAR in conjunction with Trend Micro and Darktrace to ingest logs, but we switched to Sentinel because it is more seamless.

The initial setup was successful. The configuration is not difficult. There were some challenging areas. However, we had access to free tools and a Microsoft contact who was always available to help us if we encountered any knowledge gaps. When setting up Sentinel for the first time in our environment, we always have an expert with us to assist with the setup, as not everyone has extensive knowledge of implementing the product. The expert is there to help us with the implementation if we get stuck on a step.

We decided which devices and types of alerts or information we wanted to ingest. At that time, we were not using automation. Our environment was in poor condition, and we were not utilizing the automated features of Sentinel. We only required the basic features of Sentinel, which were to ingest logs from the devices we were interested in, correlate them, analyze them, and integrate them with our service tools and alerting. For alerting, we used ServiceNow as our ticketing system. We would receive a ticket from ServiceNow for the SOC team, and then the SOC team would investigate and mitigate the issue. However, as time went on, the number of events increased, and the time it took to investigate them also increased. If we did not automate our environment, we would have to keep increasing the size of our SOC team or the number of SOC members to handle the workload. We could not meet the priority requirements. That is when we proposed using some of the automation features to help with low-priority alerts.

The deployment required three to four people. I joined the team for the implementation phase. So, by the time I joined, a lot of decisions had already been made, and a low-level plan had been decided upon. This was a low-level design and plan that we had to follow.

We had help from our Microsoft representative for the implementation. This contact was provided to us by Microsoft from the initial trial period all the way through the implementation.

Currently, given our use case, the cost of Sentinel is justified, but it is expensive. It is not so cheap that any organization can afford it. However, if an organization has a requirement for good security posture and can invest in security tools, they should have at least a decent budget to afford Sentinel. Sentinel does offer good features, such as SIEM, SOAR, and automation. However, we need to monitor our budget because ingestion can increase at any time and exceed our budget. We can set alerts to notify us if our budget is increasing significantly on a monthly or yearly basis. We can then control our budget by adjusting what we ingest. We can ingest any amount of data because there is a lot of data flowing in. However, some data is not necessary to ingest because it is not valuable to our analytics. Therefore, being careful about what data we ingest through Sentinel will help us stay within our budget.

We evaluated IBM QRadar and Splunk. Splunk has been in the market for a long time and is trusted by many organizations. While it was once a leader in its field, it does not seem to be keeping up with new features and automation. However, I am not aware of their current state of development.

We saw good features in both Splunk and QRadar, but QRadar had more features that were relevant to us. However, we are moving more towards the cloud. Previously, we had on-premises infrastructure, but we migrated to Azure when a new management team came in.

When we evaluated Microsoft Sentinel, we found that it had good functionality and met our requirements. We also liked that it is a cloud-based solution, so we do not have to worry about underlying hardware, features, operating systems, or management. We simply need to configure the application, which is relatively straightforward. We also do not need to make any upfront capital expenditures.

However, we need to consider the cost of ingesting logs into our environment. Microsoft charges for the amount of data ingested per day, so we need to keep our costs within budget.

QRadar is more complex and difficult to configure than Sentinel. Sentinel is easy to expand. If we add new devices to our environment, we can simply connect them directly to Sentinel. We do not need to worry about additional hardware or configuration.

Overall, Sentinel is a good choice for us because it is cloud-based, easy to configure, and scalable.

I would rate Microsoft Sentinel an eight out of ten.

Whether to use separate SIEM and SOAR solutions or Microsoft Sentinel depends on each organization's specific needs. All SIEM and SOAR tools are expensive because they provide essential security features. Organizations with the resources to pay for these features may choose to purchase Sentinel or another SIEM or SOAR solution. However, small and medium-sized businesses may not be able to afford these tools. Instead, they may choose to use a third-party service provider that already has a license for an SIEM solution such as QRadar or Sentinel.

Sentinel ingests data from over 1,500 endpoints, including technical devices, Windows devices, and Linux devices in our environment.

There is no maintenance required on our end. Microsoft is doing everything for us. We only have to have our configurations in place.

Before using Sentinel, organizations should clearly understand their use cases and requirements. They can take a trial of Sentinel and collaborate with Microsoft to create use cases that demonstrate the value of the investment. Because there are thousands of SIEM and SOAR tools on the market, organizations should evaluate multiple solutions to see what benefits they offer. They can then create use cases for each solution in their environment and take trials to implement them. Organizations should compare the solutions based on visibility, budget, and additional features. Anyone who is considering using a SIEM or SOAR solution should evaluate multiple solutions. Budgeting is very important.

We utilize Microsoft Sentinel primarily to monitor our data storage software. Through the implementation of distinct connectors, we can accommodate multiple use cases for Sentinel. This solution also enables us to thwart failover attempts and prevent brute-force attacks. Moreover, we leverage the EDR tools to establish groups. For instance, if an unauthorized individual attempts to access a critical server from outside the designated group, we can promptly identify them by analyzing the event ID.

Using the Microsoft Sentinel Investigation tab, we can observe all activities related to access and unauthorized attempts taking place in our environment.

Sentinel assists us in prioritizing threats across our entire enterprise. When we receive high-priority alerts, we engage with the client to investigate whether they are conducting any testing first. If not, we identify the unknown activity and collaborate with them to resolve the issue as quickly as possible.

We also utilize Office 365. We have seamlessly integrated Office 365 with Sentinel, which is made easy through the provided connectors, especially when our API keys are associated with a cloud machine. All that is needed are the workspace ID, subscription ID, and API key.

The effectiveness of the protection offered by the integrated solutions is substantial. We are capable of preventing spam, tracking the complete trajectory of data transmitted by the end user, including its source, especially when originating from unauthorized URLs. Additionally, we can identify instances of unauthorized mail redirection. Furthermore, we can utilize SPF authentication to safeguard our domain against spoofing.

Microsoft Sentinel allows us to gather data from our entire ecosystem. We also have the capability to exclude non-suspicious or non-malicious data, such as daily reminders, from the daily logs in order to prevent system slowdown.

Sentinel allows us to investigate threats and respond promptly from a central location. We can gather all the necessary information for an investigation with a single click, which will provide us with a comprehensive overview of the actions taken by the suspicious user by reviewing the Event ID.

The built-in SOAR, UEBA, and threat intelligence capabilities of Sentinel are commendable. The UEBA can furnish a summary of all entities and discern unfamiliar ones that are not commonly associated with our system, subsequently tagging them for our review.

It aids in the automation of routine tasks and the identification of high-value alerts. For instance, if we need to compile a list of our administrative or high-profile users, we can establish rules based on high and medium security criteria, or any other specifications we might have. The entries will then correspond to the information aligned with our requirements. Furthermore, we have generated a watchlist of blacklisted users, which assists us in conveniently tracking activities originating from them. 

It provides the ability to create personalized dashboards that offer all the necessary information in a single location. It is important to mention that this feature comes with an extra cost, as is the case with all aspects of Sentinel.

Sentinel's threat intelligence helps prepare us for potential threats before they hit. By utilizing the event summary, we can proactively prepare for unauthorized entries and directly block IPs at the firewall level.

As a partner of Microsoft, they pay us for any POCs we create.

Sentinel has contributed to a reduction in our time for detecting and responding to incidents. As Sentinel operates in the cloud, it offers user-friendly accessibility, enabling us to swiftly access crucial information for responding to potential threats.

The automation rules that enable us to create playbooks for each individual are valuable.

The Identity Behavior tab furnishes us with the entire history linked to each IP or domain that has either accessed or attempted to access our system. By utilizing the data supplied by Sentinel, we can ascertain whether there are any attempts to breach our system. Numerous pre-defined queries are at our disposal, and we also have the option to craft custom queries as needed.

We are invoiced according to the amount of data generated within each log. For example, if I neglect to specify the time period in a search, Sentinel will retrieve all the logs, leading to charges for both pertinent and irrelevant data. This could potentially cause a substantial increase in costs. We incur lower charges for data under 100 GB, but anything surpassing that threshold becomes more expensive.

When setting up EDR for multiple endpoints, we need to create distinct rules for each one to monitor the devices effectively. 

I am currently using Microsoft Sentinel.

Microsoft Sentinel is stable. It is extremely rare that the solution is down.

Microsoft Sentinel is highly scalable. We can create any random custom playbooks. We can create any custom rules over there As per our requirements. We can enable and disable policies also as per our requirements. We can combine both policies accordingly.

The technical support is good.

Positive

Compared to IBM Security QRadar and Securonix, Microsoft Sentinel is more user-friendly. QRadar is quicker to respond but it has stability issues.

We are charged based on the amount of data used, which can become expensive.

I rate Microsoft Sentinel nine out of ten.

Maintenance is overseen by Microsoft. They announce periods of system downtime for maintenance. If we have anything critical that we require while the system is down, we can request it from Microsoft, and they promptly provide it to us.

Microsoft Sentinel offers us query update suggestions every three months. If we find a suggestion we like, we can simply click on it to automatically update our policy.

I believe it is better to choose a single-vendor security suite over a best-of-breed strategy.

I'm an IT consultant, and I use Sentinel with two of my clients to monitor all their security signals and get alerts when things are happening that might be suspicious.

The fact that the solution helps automate routine tasks and the finding of high-value alerts has made it possible for me to provide security operations. If I didn't have automation, I wouldn't be able to do that. Nobody is going to pay me to sit and stare at a screen for eight hours a day. But with the automation built in to let me know about and fix things, it becomes viable. The automations have an email option, and all the alerts show up as emails in my inbox. I'm busy with other things, and I'm not looking at Sentinel all day. And the automation in those emails is available to deal with things automatically. Automation is incredibly important.

Sentinel gives me one XDR dashboard. In terms of security operations, it's improved them and makes it easy for me to do my job.

It saves my clients time, on the order of 30 percent.

It also saves costs for me and my clients. If we didn't have Sentinel in place, and they were to get compromised, it could cost them tens of thousands of dollars due to ransomware, a BEC scam, or another type of attack. Without Sentinel in place, that could be a very big cost.

And it decreases the time it takes to detect and respond by days, if not weeks.

My clients are small businesses, and mine is also a small business. Traditionally, even the concept of using a SIEM in most small businesses was unheard of. It was an on-premises product, and you needed to install servers, and most normal IT consultants wouldn't even look at it because it would be very complex for them. The standout feature of Sentinel is that, because it's cloud-based and because it's from Microsoft, it integrates really well with all the other Microsoft products. It's really simple to set up and get going. You don't have to set up a server or do a lot of configuring and setting up storage. It just lives in the cloud, you turn it on, and connecting most things to it is really easy.

It's fantastic when it comes to integration with other Microsoft products. It's so easy. I've been in IT for 30 years, and integrating products was, up until a few years ago, something we would never want to do. It was so hard, we wouldn't want to touch it. We would have to write custom code and configure things. It was just horrible. Now, it's literally a couple of sliders in the interface, and you're done.

And once these solutions are integrated, they work natively together to deliver coordinated detection and response across my clients' environments. I follow this space very closely, but I am not an expert in any other solution. Still, at least for my clients, with the threats they are facing and the alerts we get from the real world, Sentinel's detection and response are very comprehensive.

Sentinel enables you to ingest data from the entire ecosystem. I have integrated some non-Microsoft products with Sentinel, and, predictably, it's not as simple as one click because these are third-party products. But it is definitely quite easy. For cloud products and services, it's still very simple. It might be three or four clicks. But for on-premises products, it's a bit more work.

My clients also use Defender for Cloud, and its bi-directional sync capabilities are very important. It makes things much easier.

Sentinel provides a clear view into the threats that are coming in, and, compared to what I had before, it is night and day. I heard somebody say on a podcast, "The solution we had prior to Sentinel was like a dark room and you had a torch, and you could shine the torch in different directions and see some things. Having Sentinel, combined with Microsoft 365 Defender, the XDR solution, is like turning on the lights and seeing everything." I completely agree. That's exactly what it feels like.

Another incredibly important factor is the solution's ability to investigate threats and respond holistically from one place. Again, as a small business, I wouldn't have the time and energy to look in several different places. I need one place where it all shows up, and that's what Sentinel provides.

And with built-in SOAR, UEBA, and threat intelligence, the comprehensiveness of Sentinel's security protection is good.

Given that I am in the small business space, I wish they would make it easier to operate Sentinel without being a Sentinel expert. Examples of things that could be easier are creating alerts and automations from scratch and designing workbooks. All of those are available as templates and community-produced content, but doing all that from scratch and keeping it up-to-date, is not easy. Because I have lots of other things on my plate, it would really improve things for me if they would make it more accessible for small businesses and non-experts.

I have been using Microsoft Sentinel since it was in public preview, so that's at least three and a half years.

It's a very stable solution—rock-solid.

It's also very scalable.

I have only ever contacted them about Sentinel once, but I have certainly dealt with Microsoft support in various ways. Their response time is pretty good. But they have a difficult time providing good support, at the level that would cause me to give them a higher score than six out of 10, because things change so fast. And it's so much wider than it used to be 10 years ago. There's so much to cover, and that's difficult for them.

Neutral

We used ESET for one client, but it wasn't a SIEM, it was just endpoint protection. We replaced that with Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, and Sentinel. It's not an apples-to-apples comparison.

The initial deployment is very straightforward. It took me four or five hours to set it up.

The product itself, obviously, does not require maintenance, but the alerts and rules require work.

Sentinel is fairly priced and pretty cost-effective. Compared to on-premises solutions, Sentinel is very cost-effective.

It's certainly possible, if you're not careful about what you connect, to shoot yourself in the foot by ending up with large data sources being ingested that cost you a fair bit of money. You do need to think about what data sources you actually need, which ones will lead to the detection of actual attackers, and how much of that data you need. You also have to consider how you're going to store it, because Sentinel has different levels. You don't have to store it all in the expensive "this will give me alerts" tiers. But, as I said, my clients are small businesses. They certainly don't have a budget for anything expensive, and they're very happy with the costs.

Do a proof of concept. It's really easy to set up and get started. You don't have to turn everything on to start. Do a small proof of concept, get familiar with it, and you'll see how easy it is.

Does it help prioritize threats across the enterprise? The short answer is, "Yes, it does." The slightly longer answer is that it is not a set-and-forget solution. And no SIEM is. You do need to configure Sentinel and fine-tune it. I have a calendar reminder every two weeks to go back in and make sure the right analytics rules are in place and change the ones that need changing, et cetera. It does prioritize threats, but it's not an automatic process that you never have to worry about again.

Sentinel's threat intelligence doesn't really help with proactive steps. The threat intelligence has indicators of compromise, such as IP addresses, URLs, and file hashes. They get detected, but that's not really proactive. Perhaps it's "proactive" in the sense that somebody else has figured out that those things are bad and let the system know. But Microsoft 365 Defender does the proactive part because it has threat intelligence in it. It will tell you, "A new threat that we have a report on seems to be targeting your type of client." That's proactive, but Sentinel isn't proactive. Meaning, if you read about a threat and then protect yourself before that threat reaches you, Sentinel doesn't really do that.

In the debate about best-of-breed versus a single-vendor security solution, if you pick best-of-breed individual security solutions and you have to integrate them, now you're an integrator. And that is hard. It's not easy to integrate different security products. And that's why, at least for my clients, Sentinel and Microsoft 365 Defender have been a huge shift. They're so easy to integrate. My clients could license separate products and then try to integrate them to get the same level of integration, but that would never work.

When Exchange email is outside the domain, we have found sometimes that there are phishing emails. With the help of Microsoft Defender only, without Sentinel, we would not be able to track them. A couple of times data was compromised. With Sentinel, what we have done is integrate Microsoft Endpoint for Defender, M365 Defender, and our Exchange Online for all the email communications in and out.

With the investigation and threat-hunting services in Sentinel, we have been able to track and map our complete traffic: Where it started from, where it was intercepted, and where the files were downloaded and exchanged. We have been able to see how a phishing email was entering our domain. Accordingly, we understood that we needed to develop or modify some rules in Exchange and now, we do not have any phishing emails.

Sentinel enables us to investigate threats and respond holistically from one place to all of the attack techniques, such as MITRE ATT&CK, manual, DDoS, and brute force attacks. They are quickly identified by Sentinel. That is of high importance because we don't use any other product with Microsoft. Our SOC team continuously analyzes and monitors Sentinel, the activities and events that are happening. That team needs to be equipped with all of the real-time data we are getting from our ecosystem.

We have also integrated our SIEM with multiple firewalls and proxies. The traffic in and out, coming from the firewalls and proxies, is intercepted by Sentinel. We are now getting granular visibility into our traffic. We can see the hits we are getting from various regions, such as the hits that recently came from Russia. We have multiple such attacks on our firewall front end and we have been able to develop more granular rules on our firewalls.

And for DLP we have the help of protection from Microsoft Information Protection labels that we have defined for our data. Whenever this labeled data is shared, the data is limited to the recipients who were specified in the email. Similarly, our OneDrive data has been secured with the MIP Labels. All of this tracking is happening on Sentinel, which is giving us a broader view of where our data is traveling within and outside our organization as well.

People tend to go with Microsoft because it provides you with 360-degree protection, protecting your files, network, infra, and cloud environment. Each of its products is linked and interacts with the others. Microsoft Defender for Cloud will interact with Microsoft Defender for Cloud Apps, for example. And both of them can interact with Sentinel. Sentinel is the central SIEM in Microsoft and has the ability to take all the instructions from all of these Microsoft products and it gives you a central dashboard view in Azure. That helps manage infrastructure and identify threats. It's a single pane of glass. That's why Microsoft is gaining compared to other products.

Eliminating our multiple dashboards was a little tough in the beginning, but the Microsoft support team's expertise helped us create our own dashboard. Previously, when we started integrating all the products, it was very hard for us to give a broader review to management. It was only something the technical guys could do because they know what all those events mean. But when it came to a dashboard and presenting the data to the stakeholders, it was very tough. With the help of Microsoft's expert engineers, we were able to create dashboards into Sentinel, as well as with the help of Azure dashboards and Microsoft Power BI, and we were able to present the data.

We got Sentinel to send the data to Microsoft Power BI and that helped us create some very useful and easy dashboards so that our stakeholders and senior-level management, who are non-technical guys, could understand much better how we are utilizing this product. They can see how much we are making use of it to investigate, hunt, and track the incidents and events, and the unnecessary accessing of applications in the environment. As a result, we started to put granular controls in place and restrict unnecessary websites.

The watchlist is one of the features that we have found to be very helpful. We had some manual data in our Excels that we used to upload to Sentinel. It gives us more insightful information out of that Excel information, including user identities, IP addresses, hostnames, and more. We relate that data with the existing data in Sentinel and we understand more.

Another important feature is the user behavior analytics, UEBA. We can see how our users are behaving and if there is malicious behavior such as an atypical travel alert or a user is somewhere where he is not regularly found. Or, for example, if a user does not generally log in at night but we suddenly find him active at night, the user behavior analytics feature is very useful. It contains information from Azure Identity as well as Office 365.

With the E5 license, we have Microsoft Defender for Cloud Apps, Microsoft Information Protection, Defender for Cloud, and Defender for Office 365. All of these products are integrated with Sentinel because it has those connectors. With both Microsoft and non-Microsoft products it can be integrated easily. We also have ASA on-premises firewalls and we have created a connector and have been sending those syslogs to Sentinel to analyze the traffic. That is the reason we are able to reverse-investigate and hunt threats going on in our network, end to end.

Sentinel enables us to ingest data from our entire ecosystem. In addition to integrating our Cisco ASA Firewall logs, we get our Palo Alto proxy logs and some on-premises data coming from our hardware devices. We also get our Azure Firewall logs, and the logs from the Microsoft 360 bunch of products, like MIP and Defender for Cloud, Defender for Cloud Apps, et cetera.

When I think about the kinds of attack techniques that you are not able to understand at eye level, the AI/ML logic being used by Sentinel helps an administrator understand them in layman's language. It tells you that something has been identified as a malicious event or activity being performed by a user. All of those details are mentioned in an understandable manner. That is very important and is one way Sentinel is playing a wider role in our environment.

We use Microsoft Defender for Cloud and from that we get our regulatory compliance, recommendations, CSPM recommendations, cost recommendations, cost-optimizing strategies, and techniques for things like purchasing reserve instances. It helps us reduce the number of unused VMs or turn off VMs if they're not in production, as well as DevOp VMs in the early hours. We also use it for applying multi-factor authentications for users and reducing the number of owner or administrator roles that are assigned to subscriptions.

And the bi-directional sync capabilities of Defender for Cloud with other Microsoft products is near real-time, taking a couple of seconds. Within a minute, the information is updated, always, for all of the products that are integrated. Some products have a latency of around 4 to 12 hours of latency to update.

The following would be a challenge for any product in the market, but we have some in-house apps in our environment. We were thinking of getting the activities of those apps into Sentinel so that it could apply user behavior analytics to them. But our apps were built with different parameters and the APIs for them are not present in Sentinel. We are working with Microsoft to build those custom APIs that we require. That is currently in progress. 

We are happy with the product, but when it comes to integrating more things, it is a never-ending task. Wherever we have a new application, we wish that Sentinel could also monitor and investigate it. But that's not possible for everything.

I have used Microsoft Sentinel for around two years now.

It is scalable, with the help of the log retention facility in Sentinel in the Log Analytics workspace. We can limit the data that is being retained in it and that limits the cost.

We have it deployed across multiple sites.

In the beginning, it was not so good, but when we switched from standard support to premium support, the support improved.

I have been using QRadar and Splunk, but they both only gave me a centralized SIEM solution, a SOAR, and a VAPT solution. But I wanted to reduce the efforts required when jumping into different portals at different points in time. The way things stood, I had to hire different engineers to maintain those different portals and products. With the help of Sentinel, I could integrate all of my applications with Sentinel, as the APIs were ready and the support for them from Microsoft was good. That's why we thought of moving to Sentinel.

It was pretty hard to convince the stakeholders to invest so much in protecting the ecosystem through investigating and hunting, which is mainly what Sentinel is for. The integration part comes later. But convincing the stakeholders about the cost we would be incurring was a big challenge.

Slowly but surely, we started integrating many of our products into Sentinel and it started showing us things on the dashboard. And with the help of the Logic Apps, we were able to do multiple other things, like automatically creating tickets out of the incidents that are detected by Sentinel, and assigning them to the SOC team. It reduced the SOC team's workload because they used to manually investigate activities and events. Sentinel killed those manual tasks and started giving "ready-made" incidents to work on and mitigate. It has helped my SOC team because that team was facing a lot of issues with workload.

Then we also got visibility into different products, like Microsoft Defender, and Defender for Cloud Apps, whereas we used to have to jump into different portals to see and analyze the logs. Now, we don't have to go to any other product. All the integration is happening with Sentinel, and with the help of the AI/ML in Sentinel, investigating and threat-hunting have become easier.

It took around six months for us to realize these benefits because we were slowly integrating things, one by one, into it. We were a little late in identifying the awesome capabilities it has.

Most of our products are integrated but a few of our products are facing challenges getting connected. We are dealing with it with Microsoft and they are creating a few connectors for us.

We had to pay extra compared to what we would pay for other products in the market. But you have to lose something to gain something. Sentinel reduced the efforts we are putting into monitoring different products on different portals, and reduced the different kinds of expertise we needed for that process. Now, there are two to three people handling Sentinel.

The pricing was a big concern and it was very hard to explain to our stakeholders why they should bear the licensing cost and the Log Analytics cost. And the maintenance and use costs were on the higher side compared to other products. But the features and capabilities were going to ease things for my operations and SOC teams. Finally, the stakeholders had clarity.

Microsoft is costlier. Some organizations may not be able to afford the cost of Sentinel orchestration and the Log Analytics workspace. The transaction hosting cost is also a little bit on the high side, compared to AWS and GCP. But because it gives a 360-degree combination of security products that are linked with each other, Microsoft is getting more market share compared to Splunk, vScaler, or CrowdStrike.

But if I want to protect my files, to see where my files have been sent, or if the file I'm receiving is free of malware, or even if one of my users has tried to open it, Windows Defender would track it first. The ATP (Advanced Threat Protection) scans my emails and the attachments first. It determines if the attachment is safe and, if it is not safe, it will block it. I don't have to create any granular or manual settings. That connectivity across different products has a brighter future. That's the reason, even though we have a small budget, that we are shifting to Microsoft.

There are competitive applications in the market, like vScaler, Splunk, QRadar, and CrowdStrike. These are also good in terms of their features and capabilities. But these products only work as a SIEM or VAPT solution. They won't scan everything that we need to protect.

But if you are only considering SOAR, I prefer CrowdStrike because of cost and the features it provides. The AI/ML is also more developed compared to Sentinel.

But why Sentinel? Because it not only covers Microsoft products, but it also has API connectors to connect with any non-Microsoft products. It has inbound APIs for connectivity to QRadar, vScaler, or Splunk, so we can bring their data into Sentinel to be analyzed. Splunk is doing its job anyway, but Sentinel can filter the information and use it to investigate things. 

Those have great visibility and great potential over Sentinel. But for products that are out of the ecosystem, those competitive solutions might face issues in connecting or integrating with them.

We have created a logic app that creates tickets in our service desk. Whenever a ticket is raised, it is automatically assigned to one of the members of our SOC team. They investigate, or reverse-investigate, and track the incident.

Every solution requires continuous maintenance. We cannot rely on AI/ML for everything. Whenever there is a custom requirement or we want to do something differently, we do sit with the team to create the required analytic rules, et cetera. It doesn't involve more than three to four people.

In terms of the comprehensiveness of Sentinel when it comes to security, it plays a wide role in analysis, including geographical analysis, of our multiple sites. It is our centralized eye where we can have a complete analysis and view of our ecosystem.

Go with a single vendor security suite if you have the choice between that and a best-of-breed strategy. It is better to have a single vendor for security in such a complex environment of multiple vendors, a vendor who would understand all the requirements and give you a central contact. And the SLA for response should be on the low side in that situation, as Microsoft, with its premium support, gives an SLA of an immediate callback, within two to three minutes of creating a ticket.

We use Microsoft Sentinel to monitor many different environments for cybersecurity incidents, and we use it as our main alerting tool to let us know when this activity happens. It also interfaces with all of our other Defender products, such as Defender for Office 365, Defender for Endpoint, et cetera.

Almost all of our solutions are based in Azure. We use Defender for Endpoint, Defender for Office 365, Defender for cloud, Sentinel, and Azure Active Directory Identity Protection.

I use the latest version of Sentinel.

Sentinel is mostly used within our security operations center and our security team. We have about 50 endpoint users.

The backbone of our organization is built on Microsoft Sentinel, its abilities, and the abilities of our Defender stack. Ideally, we'd have more data, but a lot of data and functionality are in one place. The Lighthouse feature is outside Sentinel, but it allows us to have multiple environments integrated into one and to access lots of different Sentinel environments through that. It's very easy to manage a security workload with Sentinel. 

I would like to see better integration with CICD. It should be easier to use GitHub, Jenkins, or whatever our code management stack looks like. Whether or not you use Azure DevOps, being able to manage the code you have is fairly important.

Since using Sentinel, we've experienced a faster response time and easier development features. There aren't as many hurdles to moving a configuration.

I'm not sure how long it took to realize the benefits because it was deployed before my time here. It took me about three months to get familiar with what Sentinel has to offer and how we could leverage it, so it will be about three months before you start getting proper value from it.

There are still elements of Sentinel that I haven't used to their fullest potential, like the Jupyter Notebooks and internet hunting queries.

The solution is good at automating routine tasks and alleviating the burden for analysts.

Automation has moderately affected our security operations, although there is scope for it to significantly affect SecOps. There is definitely the capability for Sentinel to do pretty much all of your first-line response, which would be a significant improvement. It's a moderate effect because we only use automation in a few areas.

There are a few different dashboards for each of the Microsoft tools. We have a dashboard for Defender, one for Sentinel, and one for Active Directory Identity Protection. It consolidated alerts in some aspects, but a lot of information is still scattered.

It's fairly good for being reactive and responding to threats and looking for indicators of compromise. Overall, it helped us prepare for potential threats before they hit.

Sentinel saves us time. The automation feature especially saves us time because we can automate a lot of menial tasks. If other businesses could do that, it would eliminate a lot of their first-line response.

Sentinel saves us about 20 hours per week, which is the equivalent of a part-time staff member.

It saved us money. It's a very cost-efficient SIEM to use and still provides a good level of coverage despite that. 

Sentinel saved us about 50% of the cost of Splunk. It decreased our time to detect and respond by about 10-15%.

The automation rules and playbooks are the most useful that I've seen. A number of other places segregate the automation and playbook as separate tools, whereas Microsoft is a SIEM and SOAR tool in one.

It provides us with very high visibility. It allows us to see a lot holistically across our environment in Azure. It integrates very well with other products like Defender.

It helps us prioritize threats across our enterprise. There are many things we can do to deal with prioritizing threats, such as having automation rules that automatically raise the priority of certain incidents. We're also able to make changes to the rule sets themselves and say, "I believe this to be a higher priority than is listed in the tool."

Prioritization is probably the most important thing to us because as an organization, we have a number of threats coming in at any moment, and each of them has its own valid investigation path. We need to know which ones are business critical and which ones need to be investigated and either ruled out or remediated as soon as possible. Prioritizing what to work on first is the biggest thing for us.

If you have the right licenses and access to all the products, it's fairly easy to integrate these products into Sentinel. Sometimes they don't pull as much information as possible, and I've noticed that there is a cross-functional issue where these tools will flag and alert themselves.

We can have it configured to create an alert in Microsoft Sentinel, but sometimes it doesn't create a bridge between them. When we finish our investigation and close the ticket on Sentinel, it sometimes doesn't go back to the tool and update that. That's the only issue that I have found with the integration. Everything else is straightforward and works well.

The solutions work natively together to deliver coordinated detection responses across our environment. It's probably one of the better-engineered suites. In other places, I've experienced an endpoint detection and response system that's completely different: proprietary coupled with a proprietary and different SIEM tool or maybe a different sort of tool. They are individual tools, and it can sometimes feel like they're engineered differently, but at the same time, they integrate better than anything else on the market as a suite of tools.

These solutions provide pretty comprehensive threat protection. A lot of them are technology agnostic, so you can have endpoints on Linux and Mac OS. It's pretty comprehensive. There's always a little oversight in any security program where you have to balance the cost of monitoring everything with the risk of having some stuff unmonitored, but that's probably an issue outside of this tool.

It enables us to ingest data from our entire ecosystem. It's difficult to ingest non-native data. It's not as easy as in Splunk because Splunk is probably the leading SIEM tool. If you have a native tool that's out of the Microsoft security stack, you can bring it into Sentinel and have an alert on it.

This ingestion of data is vital for our security operations. It's the driver behind everything we do. We can do threat hunting, but if we don't have logs or data to run queries, then we're pretty much blind. I've worked in places where compliance and regulatory adherence are paramount and having logs, log retention, and evidence of these capabilities is extremely important. One of the more vital things that our organization needs to operate well, is good data.

A lot of the alerts come in from other tools, so sometimes we have to actually use that tool to get the proper information. For example, if we get an alert through Defender for Office 365, to actually see an offending email or attachment or something like that, we have to go into the Defender console and dig that out, which is inconvenient. As an aggregator, it's not bad compared to the other solutions on the market. In an ideal scenario, having more information pulled through in the alerts would be an improvement.

A lot of Sentinel's data is pretty comprehensive. The overarching theme with Sentinel is that it's trying to be a lot of things in one. For a UEBA tool, people will usually have separate tools in their SIEM to do this, or they'll have to build their own complete framework from scratch. Already having it in Sentinel is pretty good, but I think it's just a maturity thing. Over the next few years, as these features get more fleshed out, they will get better and more usable. At the moment, it's a bit difficult to justify dropping a Microsoft-trained UEBA algorithm in an environment where it doesn't have too much information. It's good for information purposes and alerting, but we can't do a lot of automation or remediation on it straight away.

Although the integrations are good, it can sometimes be information overload. A number of the technologies run proprietary Microsoft algorithms, like machine learning algorithms and detection algorithms, as well as having out-of-the-box SIEM content developed by Microsoft. As an engineer that focuses on threat detection, it can sometimes be hard to see where all of the detections are coming from. Although the integrations are good, it can sometimes be information overload.

Documentation is the main thing that could be improved. In terms of product usage, the documentation is pretty good, but I'd like a lot more documentation on Kusto Query Language. They could replicate what Splunk has in terms of their query language documentation. Every operator and sub-operator has its own page. It really explains a lot about how to use the operators, what they're good for, and what they're not good for in terms of optimizing CPU usage.

In Splunk, I would like to see some more advanced visualization. There are only some basic ones in Sentinel.

I've been using Microsoft Sentinel for about one year, but more heavily over the past five months.

It's pretty stable. We don't have any performance or capacity issues with it.

It's scalable when using solutions like Lighthouse.

I haven't needed to use technical support yet, but the documentation in the community is very good.

I previously used Splunk. The move to Sentinel was definitely cost-based. A lot of people are moving away from Splunk to a more cost-effective SIEM like Sentinel. We also chose Sentinel because of the ease of maintenance. Splunk's enterprise security has some good queries out of the box, but if I were a small organization, I would use Sentinel because it has more out-of-the-box features.

The log collection facilities must be maintained. Maintaining the solution requires a team of fewer than five people. It mainly involves ensuring that the rules are up to date, the connectors and log collection mechanisms are working correctly, and that they're up to date. It also involves ensuring that the right rules are deployed and the automation rules are in place.

Our ROI is 50% over and above what we spend on it in terms of what we can get back from Microsoft Sentinel, everything we use it for, and the time we save.

Some of the licensing models can be a little bit difficult to understand and confusing at times, but overall it's a reasonable licensing model compared to some other SIEMs that charge you a lot per data.

There are additional fees for things like data usage and CPU cycles. When you're developing queries or working on queries, make sure that they're optimized so you don't use as much CPU when they run.

We spoke with Google about Chronicle Backstory. It looks pretty powerful, but it wasn't mature enough for what we were looking for at that time.

The only other real standalone solution I've had a good experience with is Splunk and Splunk Phantom. In terms of cost, it's astronomically different. Microsoft Sentinel can sometimes be expensive depending on how many logs you're taking, but it will never be in the same realm as Splunk. Sentinel is easy to use, but Splunk is so expensive because it's very easy to use.

Microsoft Sentinel is a better SOAR solution than Phantom. Phantom has good integrations, but it isn't really built for custom scripting. If you're going to be paying more, you would expect that to be better. Sentinel is better in that aspect. Sentinel's cost-effectiveness blows a lot of other solutions out of the water, especially if you're already in Azure and you can leverage some relationships to bring that cost down.

I would rate this solution eight out of ten. It's heading in the right direction, but it's already pretty good and mature.

If a security colleague said it's better to go with the best-of-breed strategy rather than a single vendor security suite, I would understand that completely. Some people see tying yourself into a single vendor as a vulnerability. It's not quite spread out, but I think you can manage a single vendor security solution if you have a good relationship with the vendor and you really leverage your connections within that business.

It's good to diversify your products and make sure that you have a suite of products available from different companies and that you use the best that's available. In terms of this technology stack, it's pretty good for what it does.

My advice is to really focus on what's possible and what you could do with the SIEM. There are a lot of features that don't get used and maximized for their purpose from day one. It takes a couple of months to properly deploy the solution to full maturity.

We are a security service provider, and we are using Microsoft Sentinel to provide managed security services to our customers.

The visibility that it provides is very good because Microsoft is a front runner in threat intelligence and cybersecurity operations. They have their own threat intel team that is very active. They are actively covering any new threats that are coming into the landscape. They are adding detections, queries, playbooks, and other things related to new threats. They have out-of-the-box integrations, and the coverage of new threats is very fast in Microsoft Sentinel.

It helps us to prioritize threats across our enterprise. Whenever we onboard new customers, after integrating all of their log sources, we actively check for any latest threats being present in their environment. Microsoft Sentinel is natively integrated with all the latest threat intel available, which makes it very valuable for us. It is a SaaS application. So, it is very easy to deploy this solution for new customers to cover their security needs.

In addition to Microsoft Sentinel, we use the EDR solution from Microsoft, which is Defender for Endpoint. We also use Office 365 for email purposes. We have integrated Microsoft Sentinel with these products. In Microsoft Sentinel, there are connectors specifically for this purpose. All the logs from these products are available in this SIEM tool, and it is easy to manage everything from a single pane of glass.

Even though Microsoft Sentinel is a cloud-native product, by using the connectors, you can easily integrate your on-prem and cloud resources with Microsoft Sentinel. Most of our tools including On-Prem are currently integrated with Microsoft Sentinel.

It is very helpful in automating tasks that otherwise require manual intervention. There are two ways to do automation. One is by using the automation rules, and the other one is through playbooks. Automation rules can be used to automate simple tasks, such as automatically assigning an incident to a particular analyst who should be monitoring the incident. By using automation rules, you can automate various tasks, such as setting the severity of the incident and automatically changing the status of the incident.

Playbooks can be used to automate high-value tasks, such as blocking a malicious IP in the firewall or blocking a particular user in Azure Active Directory. All such tasks can be automated through playbooks.

There are lots of things that we have found valuable in this solution. Mainly, this is a cloud-native product. So, there are zero concerns about managing the whole infrastructure on-premises.

Kusto Query Language that powers Microsoft Sentinel is another valuable feature. It is a very fast and powerful language.

The integration with different ticketing tools like Jira, ServiceNow, etc. is also a great plus point.

Besides that, the addition of new features to the product is very fast. The overall customer experience in terms of using their Cloud Security Private Community and being able to provide our feedback and suggestions is good. They take the feature requests on priority, and whenever possible, they add the new features in the next version of the product.

Currently, SPAN traffic monitoring is not available in Microsoft Sentinel. I have heard that it is available in Defender for Identity, which is a different product. It would be good if  SPAN traffic monitoring is available in Microsoft Sentinel. It would add a lot of value. It is available in some of the competitor products in the market.

Also Reporting feature is missing in Sentinel. Currently, we have to rely on PowerBI for reporting. It would be great if this feature is added. 

We have opted for the pay-as-you-go model, which doesn't come with free support. If some limited free support was available with the pay-as-you-go model, it would be good. 

I have been using this solution for about one year.

There is a great community for Microsoft Security, and we mostly rely on this Microsoft Security community and Microsoft Q&A forums for support. Currently, we are using the pay-as-you-go model which doesn't come with free on-call support. It would be good if some free support was available, even if in a limited way, with the pay-as-you-go model. So, we haven't used their on-call support yet, but their support from the community has been great. Because of that, I would rate their support an eight out of ten.

Positive

Before Microsoft Sentinel, we were not working with any other cloud-native SIEM solution. 

It's important to understand the daily data ingestion required for you or your customer (in case you're an MSSP). There are price tiers starting from 100 GB/day ingestion. But if your ingestion varies too much or your ingestion is lower than 100 GB, you may go for the pay-as-you-go (Per GB) Model. In the case of pay-as-you-go, it is about how closely you monitor the ingestion of each GB of data and how effectively you limit that ingestion. If you don't effectively monitor the ingestion, the price may be too much, and you may not be able to afford it. You should be very clear about your data usage. Sentinel provides great granular visibility into data ingestion. Some of the data might not be relevant to security. For example, basic metrics or other log data might not be very useful for monitoring the security of an enterprise. If you do the right things and limit the ingestion of data, its license plan is perfect, and you can save lots of money.

We considered AlienVault, QRadar, and other solutions, but we didn't try those solutions before opting for Microsoft Sentinel because Sentinel was having fantastic reviews and it was our perfect first choice for our Cloud-Native SIEM tool. So, we decided to first try Microsoft Sentinel. If we had not found it satisfactory, we would have tried other solutions. After doing the trial version for 30 days, we were very happy with Microsoft Sentinel. The addition of new features was also very fast. So, we decided to go ahead with the product.

Microsoft Sentinel is an awesome SIEM/SOAR tool for customers with active Cloud presence. Even for on-prem customers, it is providing great flexibility for integrations. 

I would rate Microsoft Sentinel a nine out of ten.

We needed a SIEM solution that could integrate with our Microsoft 365 stack. Being a Microsoft product, that was the first SIEM we looked at, and we haven't looked back. We're still growing with the product over the last couple of years. It is phenomenal.

We're mainly focused on the cloud, but one of our selling points is that you can integrate with on-prem. We push to get the Azure Arc implementation done on top of Sentinel so that we can ingest data from your on-prem environment into Azure Monitor, which is then exposed to Sentinel. That's how we drive that integration, but we mainly have the cloud. We have 80% cloud and 20% on-prem.

The specific focus on entity behavior is where the gold is within Sentinel. The machine learning and AI capabilities that Microsoft already provides within their toolset are exposed through entity behavior analytics. That really is magic. It is something we don't live without. We have specific key metrics we measure against, and this information is very relevant information to our security approach. That's because not everything is an alert and not everything is a threat. In some cases, the anomalous sign or the anomalous behavior is more important than the actual alert coming up and saying that something has been infected. It could be those sign-ins a week before or a month before into a database that you don't always look into that end up being the actual threat. The entity behavior or the overall feature that Sentinel has is absolute gold for us.

In terms of the visibility into threats, because I set up the product, I'm very much aware of the fact that you see what you configure. That's probably a plus in terms of if you have an appetite only for product one, you ingest and you consume only product one. In our company, we have the full E5 solution, and we tend to have a lot of endpoints or metrics that we can pull into one space. So, each and every sub-component, such as Defender for Endpoint, Defender for Identity, and all the incidents end up within Sentinel. It is one spot from where we can manage everything. That works very well for us. We do have small customers with one or two Microsoft solutions, and even third-party solutions, and we can still integrate or expose those product-specific incidents within Sentinel. For me, that's a big plus.

It definitely helps us to prioritize threats across our enterprise. There is not just a clear classification of severity but also the ability to team certain alerts together. It can chain events and bring you a bigger picture to tell you this is something that you need to take care of or look at because it is tied or chained to multiple events or alerts. That ability is again a big plus.

We probably use all of the Microsoft products. We use Azure Active Directory, and we use Defender for pretty much everything, such as Defender for Identity, Defender for Endpoint, Defender for Cloud, and Defender for Cloud Apps. As a senior cloud infrastructure consultant, it is a part of my role to provide or customize and configure these products on behalf of our customers. We have integrated these products for multiple customers. One of my favorite benefits of Sentinel is its integration with the entire stack. I am yet to find a Microsoft product with which it does not integrate well. All of the Microsoft products are fairly simple to integrate with it. Anyone can set up their own environment. It is only third-party products where you tend to have a bit of technicality to configure, but even that is not a difficult process. It is fairly straightforward and easy to follow.

All these solutions work natively together to deliver coordinated detection and response across our environment. Microsoft Defender stack does that quite well. One of the reasons why Microsoft personally favors the Microsoft Defender stack is because of the integration with the rest of the products.

I'm a big fan of the layered approach, and it should be in every environment. Microsoft does a good job of providing you with that layered approach without too much of an oversight or a combination of a bunch of products. They work well individually, and they stack together quite well based on the individual requirements or the needs of each.

We use Microsoft Defender for Cloud. Our footprint in the cloud is limited. We only have two or three customers that fully make use of the product, but it is something that I do make use of and will. We do make use of its bi-directional sync capabilities. Especially within the organization, we have a very small team dedicated to assisting in our cloud-managed servers. If one person has to run around and duplicate these efforts in multiple portals, that wouldn't be an effective use of their time. So, the simple ability to just be in one portal or one place and apply the remediation or the management of an item is a big plus for us.

It allows us to ingest data from our ecosystem. I have found only one or two third-party antivirus products that still don't integrate fully with Sentinel, but for my use case within my own environment, as well as the environments we manage through our inSOC offering, there hasn't been any case or instance I know of where we could not find a solution to ingest necessary logs.

I work with security, and I also work with compliance. On the compliance side, the ability to have an audit trail and all your logs in one central location is important. The data is queryable. The KQL language is not a difficult language to get under. So, for me, having it all in one place and being able to query it and slice the data to what I need to provide or expose is a key feature of a SIEM solution.

It enables us to investigate threats and respond holistically from one place. It is very important, and bidirectional ties into this. We have a small team. So, the following capabilities are critical to our managed solution:

• The ability to hunt from one location or one stream.
• The ability to integrate with multiple sources and data tables for ingestion.
• The ability to expose information from those tables from one stream or portal.

We probably would end up having to hire twice as many people to accomplish what we can do simply by integrating Sentinel with the rest of our product stack.

It helps automate routine tasks and the finding of high-value alerts. Being able to automate routine tasks or routine alerts is a big save for us because our analysts are not bogged down trying to just close alerts in a portal. This freeing up of time alone is a big save for us.

It helps eliminate having to look at multiple dashboards and gives us one XDR dashboard. The workbooks already integrate well with Azure Lighthouse. So, right out the bat, we had that multitenant capability from one dashboard or one screen. It is just absolutely brilliant.

It saves time on a daily basis. For example, as a desktop engineer, if I have to go through 20,000 devices, it would take a long time to go one device at a time. To make sure everything is fine, if I have to log in, upload some logs, do some metrics, log off, and go to the next office, it would take us a good part of a year to be able to work on each of these devices. With Sentinel, once your logs are configured and analytics rules are in place, a simple hunting query could accomplish exactly the same in a month.

Previously, four hours of my day were spent on just dashboards here and there, logging into tenants one time to the next, running the same view in the same portals, and looking through, for example, the alerts for the day or the threats for the day. With Sentinel, all that is in one place. I can just log on with my company-provided credentials, do MFA once, and through a portal with multiple links, seamlessly go through entity after entity. My whole exercise of four hours per day is now probably down to half an hour just because everything is in one place.

It has decreased our time to detection and time to respond. In the past, we would have to get someone to physically log onto a portal once there is an alert, and if that alert was in multiple places or multiple customers, it would mean multiple portals and multiple logins. The ability to manage from one screen and run an effective service has alone saved us 60% of our day.

I work with the Microsoft 365 products stack quite a bit, and I'm a big fan of the granularity that the products have. For example, the Defender stack is very focused on endpoints, identities, and so forth. With Sentinel, we have the ability to integrate with each of these components and enhance the view that we would have through the Defender portal. It also gives us the ability to customize our queries and workbooks to provide the solution that we have in mind on behalf of our team to our customers.

The part that was very unexpected was Sentinel's ability to integrate with Azure Lighthouse, which, as a managed services solution provider, gives us the ability to also manage our customers' Sentinel environments or Sentinel workspaces. It is a big plus for us. With its integration with Lighthouse, we get the ability to monitor multiple workspaces from one portal. A lot of the Microsoft Sentinel workbooks already integrate with that capability, and we save countless amounts of money by simply being able to almost immediately realize multitenant capabilities. That alone is a big plus for us. Never mind everything else, such as the security benefits, visibility, and the ability to query the data. They all are great, but the ability to see multiple workspaces is a big money saver and a big time saver for our team.

We offer a managed service where we are geared toward a proactive approach rather than a reactive one. Sentinel obviously covers quite a lot of the proactive approach, but if you engage all of your Microsoft products, especially around the Microsoft endpoint stack, you also gain the ability to manage your vulnerability. For us, gaining the ability to realize a full managed service or managed solution in one product stack has been valuable.

Its threat intelligence helps us prepare for potential threats before they hit and take proactive steps. It highlights items that are not really an alert yet. They are items that are running around in the wild that Microsoft or other threat intelligence providers have picked up and would expose to you through Sentinel by running a query. This ability to integrate with those kinds of signals is a big plus. Security is not only about the alerts but also about what else is going on within your environment and what is going on unnoticed. Threat intelligence helps in highlighting that kind of information.

Improvement-wise, I would like to see more integration with third-party solutions or old-school antivirus products that have some kind of logging capability. I wouldn't mind having that exposed within Sentinel. We do have situations where certain companies have bought licensing or have made an investment in a product, and that product will be there for the next two or three years. To be able to view information from those legacy products would be great. We can then better leverage the Sentinel solution and its capabilities. It is being enhanced, and it has been growing day to day. It has gone a long way since it started, but I would like to see some more improvement on the integration with those third parties or old products that some companies still have an investment in.

In terms of additional features, one thing that I was hoping for is now being introduced through Microsoft Defender Threat Intelligence. I believe that is going to be integrated with Sentinel completely. That's what I've been waiting for.

I have been working with this solution for close to two years.

It is very much stable. We've had one or two issues in the last two years where we had a Microsoft-reported incident, and there were data flow issues, but overall, they are 99.9999% available. We've not had an unrecoverable event across the solution. We've had incidents where users ended up not paying the subscription and the subscription got disabled. It simply required just turning it back on and paying your bill, and you were back up and running. It is quite robust.

It definitely is scalable. It will adapt to your needs. It is really about how much you're willing to spend or what your investment is like. That's basically the only limitation. We've seen customers or deployed to customers with thousands of endpoints across the world, ingesting tons and tons of data. We're talking 200, 300 gigabytes per day, and the product is able to cope with that. It does a great job all the way up there at 200, 300 gigs per day to all the way down to the 10, 20 megs per day. It is really scalable. I am quite a fan of the product.

It is being used at multiple locations and multiple departments, and in our case, multiple companies as well. In terms of user entities, the number is probably close to 40,000 in total across our state. In terms of endpoints, we probably are looking at close to 30,000 endpoints.

I've dealt with Microsoft technical support in the recent past, and I'm overall quite happy with it. Being a big company with big solutions and lots of moving parts, overall, their approach to troubleshooting or fault finding is great. I'm going to give them an eight out of ten. There is always some room for improvement, but they're doing well.

Positive

We didn't really use a full SIEM solution at the time. We hovered between dashboards and certain portals. We didn't have a SIEM in place. The first solution we looked at was Sentinel, and we fell in love. It does everything we want and everything we need, and we haven't looked back. We're not even looking at any other solutions right now. For us, it is unnecessary. We're very happy with Sentinel and what Sentinel can do.

It is very straightforward. As a service provider, we'd love to be part of that integration or setup. That's where we make our bread and butter. It is simple enough for the average IT enthusiast to get going, but if you do want to get the best out of your product and if you want to start with some customization, reaching out to a service provider or to a specialist does make sense because they have learned a few things on your behalf. Other than that, it is easy enough to get going on your own. It is a very straightforward configuration, and it does make sense. It is easy to follow.

If you already have a subscription in place, you could be fully operational in less than one business day.

For its deployment, it is a one consultant kind of approach. What is important is that everyone from within the company that is part of the decision-making chain is present as part of it. That's because the main pushback is not the implementation of Sentinel, but the connection to it for the data. So, you would have your firewall guys push back and say, "I don't want to give my data to you." You have your Defender guys saying, "No, I don't want to give my data to you." That's more important in terms of the deployment. One person can easily manage the deployment in terms of the workload.

There is some maintenance. There are some daily, monthly, and weekly tasks that we set out for ourselves. It is normally in the form of query updates, workbook updates, or playbook updates. If some schema update has happened to the underlying data, that needs to be deployed within your environment. Microsoft does a great job of alerting you, if you are within the portal, as to what element needs updating. We have 16 customers in total, and we have one person dedicated to maintenance.

We could realize its benefits very early from the time of deployment. Probably within the first three months, we realized that this tool was a lot more than just a simple SIEM, SOAR solution.

It has absolutely saved us money. Of course, there is an upfront investment in Sentinel, which has to be kept in mind, but overall, after two years, the return on investment has been absolutely staggering. In security, you don't always have people available 24/7. You don't have people awake at two o'clock in the morning. By deploying Sentinel, we pretty much have a 24/7 AI that's looking at signals, metrics, and alerts coming in, making decisions on those, and applying automated actions. It is like a 24-hour help desk service from a solution that is completely customizable. We have programmatic access to the likes of playbooks to be able to further enhance that capability. The savings on that alone have been astronomical. If we did not have Sentinel, we would have had to double the amount of staff that we have now. There is about a 40% reduction in costs.

I'm not happy with the pricing on the integration with Defender for Endpoint. Defender for Endpoint is log-rich. There is a lot of information coming through, and it is needed information. The price point at which you ingest those logs has made a lot of my customers make the decision to leave that within the Defender stack. The big challenge for me right now is having to query data with the Microsoft Defender API and then querying a similar structure. That's a simple cost decision. If that cost can be brought down, I'm sure more of my clients would be interested in ingesting more of the Defender for Endpoint data, and that alone will obviously drive up ingestion. They are very willing to look at that, but right now, it is at such a price point that it is not cost-effective. Most of them are relying on us to recreate our solution, to integrate with two portals rather than having the data integrator Sentinel. If we can make a way there, it'll be a big one.

We have had some assessments where we were asked to do a comparison with the likes of Splunk and other similar tools. What I love about Sentinel is the granularity. You can configure what you need. Whether it just logs from a server or logs from any of the Microsoft solutions, you have the ability to limit data depending on your use or your need. You can couple that with the ability to archive data, as well as retain data, on a set schedule.

Its cost is comparable to the other products that we've had, but we get much more control. If you have a large appetite for security, you can ingest a lot of information right down to a server event type of log. That obviously would be costly, but for ingesting from the Microsoft stack itself, a lot of the key logs are free to use. So, you could get up and running for a very small amount per month or very small investment demand, and then grow your appetite over time, whereas with some of the other solutions, I believe you buy a commitment. So, you are in it for a certain price from the beginning. Whether you consume that, whether you have an appetite for that, or whether there are actual people in your company who can make use of that tool is separate from that commitment. That commitment is upfront, whereas Sentinel is much more granular. You have much more control, and you can grow into a fully-fledged product. You don't need to switch everything on from day one and then run and see what it will cost. You can grow based on your needs, appetite, and budget until you find that sweet spot between what you ingest and what you can afford.

Having worked with the product and knowing the capabilities of the product, it is worth investing in a product that Microsoft has spent a great deal on integrating with the rest of its product stack. Now, we can argue how far along the third-party vendors are in terms of integration with the rest of the security landscape, but if you're a Microsoft house, there is literally no better solution right now in terms of integration and highlighting the best out of your investment. Of course, every use case is different, but I'm happy to look at any challenge in terms of what a third-party solution can bring and what they reckon Sentinel can't.

My advice to others evaluating the solution is that Sentinel isn't a silver bullet solution. It is not something you deploy and set up, and it is going to work 100% well and you're going to be happy. There is going to be some upfront investment. You're going to have to spend some time getting the product in place and getting it configured to your needs. To showcase in a PoC environment is quick and easy, but to realize real-world day-to-day benefits from this product, there is going to be some investment. Keep that in mind. If you're willing to spend that time upfront within the first couple of days or a couple of weeks of you deploying the solution, you'll immediately realize the benefit, but you have to have that mindset. It is not going to just be next, next, next, where it is deployed, and congratulations, you are now secure. That's never going to be the case, but after spending a bit of time on this product, there is nothing it can't do.

I want to give it a 10 out of 10 just because I'm very passionate about this product. I've seen it grow from a very basic SIEM solution to a fully-fledged SIEM, SOAR solution. Some of the capabilities that are built in right now make my day so much easier. Overall, it is a brilliant product, and I love what Microsoft is doing to it. It is a great product.