Senior Cyber Security Operations Analyst at a financial services firm with 5,001-10,000 employees
Real User
Provides good visibility, integrates with different log sources, and supports automation with Playbooks
Pros and Cons
  • "Microsoft Sentinel provides the capability to integrate different log sources. On top of having several data connectors in place, you can also do integration with a threat intelligence platform to enhance and enrich the data that's available. You can collect as many logs and build all the use cases."
  • "We do have in-built or out-of-the-box metrics that are shown on the dashboard, but it doesn't give the kind of metrics that we need from our environment whereby we need to check the mean time to detect and mean time to resolve an incident. I have to do it manually. I have to pull all the logs or all the alerts that are fed into Sentinel over a certain period. We do this on a monthly basis, so I go into Microsoft Sentinel and pull all the alerts or incidents we closed over a period of thirty days."

What is our primary use case?

We use it for security. It's at the forefront of managing the security within our organization. We use the platform as our main SIEM for enterprise security whereby we have several tools that feed into Microsoft Sentinel and then from there, we have the use cases. It's a major tool for security monitoring within the enterprise.

How has it helped my organization?

Microsoft Sentinel provides the capability to integrate different log sources. On top of having several data connectors in place, you can also do integration with a threat intelligence platform to enhance and enrich the data that's available. You can collect as many logs and build all the use cases. 

Microsoft Sentinel helps to prioritize threats across the enterprise. We do threat categorization based on a risk-based approach. We categorize incidents as critical, high, and medium. The platform gives us the capability of categorizing the threats based on our assets' criticality and the type of data on our systems. At the end of the day, it does help in managing the threats within the organization. There are different levels of threats depending on the data that we have.

We also use Microsoft Defender for Endpoint. We have integrated Microsoft Defender for Endpoint with Microsoft Sentinel. Most of the alerts that come on our Microsoft Defender for Endpoint are fed into Microsoft Sentinel. We manage those alerts through Microsoft Sentinel, but when we are doing our investigations, we always leverage Microsoft Defender for Endpoint because we are able to do the investigation from the original source. Integrating a Microsoft product with other Microsoft products is not as difficult as compared to integrating Microsoft products with other vendor applications. With the inbuilt data connectors that already exist in Microsoft Sentinel, it's much easier to do the integrations with the Azure environment and other Microsoft products. If there's no data connector, it's somehow tricky. If we have a data connector in place, it's better. We also need to do some customization of the data that we ingest because we need to have the right size of the data that we feed into Microsoft Sentinel because of the cost aspect. At the end of the day, we managed to do an integration of on-prem AD with Microsoft Sentinel via a platform that acts as a bridge between them.

Microsoft Sentinel and Microsoft Defender for Endpoint work together natively. The alerts are fed into Microsoft Sentinel seamlessly, but when it comes to investigations, you need to leverage Microsoft Defender for Endpoint to isolate a device and to see some of the timelines or actions that were done with that machine. You can't do that with Microsoft Sentinel.

Microsoft Sentinel allows us to investigate threats from one place, but it doesn't let us respond from one place. For responding, we need to narrow down the source of the threat. If it has been flagged from a Cisco perimeter solution that we use, such as Cisco Meraki, we need to go back and check in that platform. If it's flagging an issue that's happening on an endpoint, we need to go back to Microsoft Defender for Endpoint and do further investigation to respond.

Microsoft Sentinel helps to automate routine tasks. We have playbooks and once we establish a baseline or a routine task that needs to be done, we can just automate it through the playbook.

We have the Sentinel dashboard, but we still need other dashboards for other logs, such as from email. We can't see email logs from Sentinel. We still need a network security monitoring platform. It has helped us to secure 90% of our cloud environment.

With the integrations we have, its threat intelligence helps prepare us for potential threats before they hit and to take proactive steps. We get visibility into what's happening on the AD on a real-time basis. If there's any issue going on with the AD, we are able to fix that within the minimum time possible. It also helps with the visibility of different resources across the cloud environment. However, it can't do all that by itself. We also need other tools. 

It has saved us time. It has helped in handling most of the issues within the cloud environments or any misconfigurations done on the cloud environment. We are able to handle any issues within the shortest time possible. In terms of threat detection, I can give it a nine out of ten. If we didn't have Microsoft Sentinel, it would have taken us three to four days to discover a security incident that is happening or any security misconfiguration in the cloud environment. Within a week, it saves me about three days.

It has saved us money from a security risk perspective, but from a technology perspective, it hasn't saved much. The main value that it's giving to the organization is from a security perspective.

It has saved our time to detect, but that also depends on the original platform. If the original platform, such as Microsoft Defender, fails to detect incidents, then Microsoft Sentinel will definitely not flag anything. The feed that Microsoft Sentinel gets comes from other platforms. With better fine-tuning across the other platforms and with good integrations, it can really help.

What is most valuable?

Playbooks are valuable. When it comes to automation, it helps in terms of managing the logs. It brings the SOAR capability or the SOAR perspective to the platform with the high usage of Microsoft products within our environment. We are utilizing most of the Azure resources. Our AD runs on Azure. We have on-prem and Azure AD, so we have the integrations. At the end of the day, when we are managing the security, we have the capability of initiating some options from Microsoft Sentinel and directly to AD. We also have automation with Cisco Meraki. We have configured playbooks where if there is a suspicious IP, it blocks the IP.

What needs improvement?

Microsoft Sentinel needs to be improved on the metrics part. I've had an issue in the recent past while trying to do my metrics from it. It gives me an initial report, but sometimes an incident is created on Microsoft Sentinel, but you realize that when a lot of information is being fed from Microsoft Defender to Microsoft Sentinel, instead of feeding the existing alert, Microsoft Sentinel creates a new alert. So, metrics-wise, it can do better. It can also do better in terms of managing the endpoint notifications.

We do have in-built or out-of-the-box metrics that are shown on the dashboard, but it doesn't give the kind of metrics that we need from our environment whereby we need to check the mean time to detect and mean time to resolve an incident. I have to do it manually. I have to pull all the logs or all the alerts that are fed into Sentinel over a certain period. We do this on a monthly basis, so I go into Microsoft Sentinel and pull all the alerts or incidents we closed over a period of thirty days. I then calculate the mean time to detect and the mean time to resolve. I have to check when all the tickets were created, when they were handled by the analysts, and when they were closed. I do a manual metrics calculation after pulling all the data. I believe Microsoft can do better on the metrics side of Sentinel. They can provide monthly reports. If I want to submit the reports to my senior management, it will be much easier for me to pull the data as a report. Currently, you can't pull any reports from Sentinel. It would be helpful if they can build a reporting tool within it and allow me to have my own customization. I should be able to customize the reports based on my needs. For example, I should be able to generate a report only for incidents with high and medium severity.

It should also provide information on trends within the platform. There should be reports on specific alerts or security incidents.

They should build more analytics rules to assess key security threats. I have had to build a lot of custom analytics rules. There should be more of them out of the box.

There should be more information about how to utilize the notebooks. They can have a better approach to enlightening the end-users about the straightforward use of notebooks. The data point analysis rules and automation are straightforward compared to the way you utilize the notebooks. They can do better in terms of sharing how we can utilize the notebooks. 

We are able to ingest data across all our tenants and on-prem solutions, but we have been chasing Microsoft for the longest time possible for ingesting some data from Microsoft Dynamics 365. The kind of logs that we need or the kind of security monitoring that we need to do on Microsoft Dynamics 365 versus what's available through data connector tools is different. The best advice that they have managed to give us is to monitor the database logs, but we can't go into monitoring database logs because that's a different platform. There are several things that we want to address across Microsoft Dynamics 365, but the kind of logs that we get from the data connector are not of any significance. It would be better if they could give us customization for that one. That's the worst application from Microsoft to add because we can't monitor any business processes in that application, and there's no capability to do even customization. We are so frustrated with that.

It's quite comprehensive in threat intelligence capabilities, but it takes some time to establish a baseline. They can also improve the UEBA module so that it can help us address and have an overview of the risk. It's not yet that complete. It can establish a baseline for a user, but it doesn't inform how I can leverage the capability to address risks.

We can also have more integrations within Microsoft Sentinel with TI feeds out of the box. Currently, we don't have something out of the box for other TI feeds. Microsoft has its own TI feed, but we aren't utilizing that.

Microsoft Sentinel should provide more capability to end-users for customization of the logs they feed into Microsoft Sentinel.

Buyer's Guide
Microsoft Sentinel
February 2025
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: February 2025.
838,713 professionals have used our research since 2012.

For how long have I used the solution?

It has been two years.

What do I think about the stability of the solution?

We haven't had any issues with it so far. It's very stable. 

What do I think about the scalability of the solution?

It's scalable. There are data connectors for different technologies and products.

How are customer service and support?

I've not contacted their support for Microsoft Sentinel.

Which solution did I use previously and why did I switch?

I've used QRadar.

How was the initial setup?

We are ingesting on-prem and cloud logs. The initial setup was a bit complex. It wasn't that straightforward because of the integrations.

What about the implementation team?

We had help from a Microsoft partner for visibility and integrations. We had about five engineers involved in its implementation.

In terms of maintenance, it doesn't require any maintenance from our side.

What was our ROI?

Microsoft Sentinel is costly, but it provides value in terms of managing security or managing the threats within our organization.

The return on investment is in terms of better security, visibility, and management. If you don't know what's going on in the cloud environment or the on-prem environment, you might need to pay a huge price in terms of compliance or ransomware to restore your data. We have seen value in investing in Microsoft Sentinel because we are building a better security capability within our environment.

What's my experience with pricing, setup cost, and licensing?

The current licensing is based on the logs that are being ingested on the platform. Most of the SIEM solutions utilize that pricing model, but Microsoft should give us a customization option for controlling the kind of logs that we feed into Microsoft Sentinel. That will be much better. Otherwise, the pricing is a bit higher.

Which other solutions did I evaluate?

We evaluated other solutions. The reason why we chose Microsoft Sentinel was because of the cloud visibility. We needed a lot of visibility across the cloud environment, and choosing another product that's not Microsoft native wouldn't have been easy in terms of integrations and shipping logs from Microsoft Sentinel to on-prem.

A good thing about Microsoft Sentinel as compared to the other platform is that most organizations run on Azure, and the integration of Microsoft Sentinel is much easier with other products, but when it comes to other SIEM solutions, integrating them with Microsoft sometimes becomes an issue.

What other advice do I have?

You need to customize the kind of logs that you feed to Microsoft Sentinel. If you just plug-in data connectors and don't do any customization and feed everything to Microsoft Sentinel, it will be very expensive in terms of cost. You only need the traffic that assists you in addressing security issues within your environment. You only need the information that gives you visibility to address security issues.

Overall, I would rate Microsoft Sentinel an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
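The monthly mean-time-to-detect and mean-time-to-resolve calculation the reviewer above describes doing by hand, as an added example that is not from the review, from PeerSpot or from Microsoft. It assumes the incidents were exported from the workspace with the SecurityIncident table's column names (CreatedTime, FirstActivityTime, FirstModifiedTime, ClosedTime, Severity, Status); the records embedded below are constructed, and the severity filter covers the "high and medium only" report the reviewer asks for.

```python
"""MTTD / MTTA / MTTR over a 30-day window of closed Sentinel incidents.

Added example, not part of the review. The sample rows are constructed;
their field names are assumed to mirror the SecurityIncident table columns
of a Log Analytics export.
"""
from datetime import datetime, timedelta, timezone
from statistics import mean
from typing import Dict, Iterable, List, Optional


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp; an unpopulated field stays None."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed sample export (not real incident data): one incident with no
# FirstActivityTime, one closed before the window, one still open.
SAMPLE_INCIDENTS: List[Dict[str, Optional[str]]] = [
    {"IncidentNumber": "101", "Severity": "High", "Status": "Closed",
     "FirstActivityTime": "2025-01-10T08:00:00Z", "CreatedTime": "2025-01-10T08:30:00Z",
     "FirstModifiedTime": "2025-01-10T09:00:00Z", "ClosedTime": "2025-01-10T12:30:00Z"},
    {"IncidentNumber": "102", "Severity": "Medium", "Status": "Closed",
     "FirstActivityTime": "2025-01-15T10:00:00Z", "CreatedTime": "2025-01-15T10:10:00Z",
     "FirstModifiedTime": "2025-01-15T11:10:00Z", "ClosedTime": "2025-01-16T10:10:00Z"},
    {"IncidentNumber": "103", "Severity": "High", "Status": "Closed",
     "FirstActivityTime": None, "CreatedTime": "2025-01-20T14:00:00Z",
     "FirstModifiedTime": "2025-01-20T14:20:00Z", "ClosedTime": "2025-01-20T15:00:00Z"},
    {"IncidentNumber": "104", "Severity": "Low", "Status": "Closed",
     "FirstActivityTime": "2024-12-19T09:00:00Z", "CreatedTime": "2024-12-19T09:05:00Z",
     "FirstModifiedTime": "2024-12-19T09:30:00Z", "ClosedTime": "2024-12-20T09:05:00Z"},
    {"IncidentNumber": "105", "Severity": "High", "Status": "Active",
     "FirstActivityTime": "2025-01-28T01:00:00Z", "CreatedTime": "2025-01-28T01:15:00Z",
     "FirstModifiedTime": None, "ClosedTime": None},
]

# End of the reporting period used by the example run below.
WINDOW_END = datetime(2025, 1, 31, tzinfo=timezone.utc)


def closed_in_window(incidents: Iterable[Dict], window_end: datetime,
                     days: int = 30) -> List[Dict]:
    """Keep incidents whose ClosedTime falls within the `days` before window_end.
    Open incidents have no ClosedTime and therefore no resolve time yet."""
    window_start = window_end - timedelta(days=days)
    picked = []
    for inc in incidents:
        closed = parse_ts(inc.get("ClosedTime"))
        if inc.get("Status") != "Closed" or closed is None:
            continue
        if window_start <= closed <= window_end:
            picked.append(inc)
    return picked


def _minutes(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60.0


def incident_metrics(incidents: Iterable[Dict], window_end: datetime,
                     days: int = 30, severities=None) -> Dict[str, Optional[float]]:
    """Mean time to detect (FirstActivityTime -> CreatedTime), to acknowledge
    (CreatedTime -> FirstModifiedTime) and to resolve (CreatedTime -> ClosedTime),
    in minutes, over closed incidents in the window, optionally limited to a
    set of severities. An incident missing the inputs of one metric is skipped
    for that metric only; a metric with no samples is reported as None."""
    ttd, tta, ttr = [], [], []
    for inc in closed_in_window(incidents, window_end, days):
        if severities and inc.get("Severity") not in severities:
            continue
        created = parse_ts(inc["CreatedTime"])
        first_activity = parse_ts(inc.get("FirstActivityTime"))
        first_modified = parse_ts(inc.get("FirstModifiedTime"))
        closed = parse_ts(inc["ClosedTime"])
        if first_activity is not None:
            ttd.append(_minutes(created, first_activity))
        if first_modified is not None:
            tta.append(_minutes(first_modified, created))
        ttr.append(_minutes(closed, created))
    return {
        "incidents": len(ttr),
        "mttd_minutes": mean(ttd) if ttd else None,
        "mtta_minutes": mean(tta) if tta else None,
        "mttr_minutes": mean(ttr) if ttr else None,
    }


if __name__ == "__main__":
    for label, sev in (("all severities", None), ("high and medium", {"High", "Medium"})):
        print(label, incident_metrics(SAMPLE_INCIDENTS, WINDOW_END, severities=sev))
```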
reviewer2264052 - PeerSpot reviewer
Cyber Security Analyst at a financial services firm with 1-10 employees
Real User
Includes preloaded templates, good visibility, and saves us time
Pros and Cons
  • "Microsoft Sentinel comes preloaded with templates for teaching and analytics rules."
  • "The KQL query does not function effectively with Windows 11 machines, and in the majority of machine-based investigations, KQL queries are essential for organizing the data during investigations."

What is our primary use case?

We utilize Microsoft Sentinel to monitor files for suspicious activities, such as unauthorized user login information, remote logins from outside the secure region, and primarily attachments.

How has it helped my organization?

Microsoft Sentinel offers good visibility into threats because we can integrate it with both Defender for Cloud and Defender for Endpoint. We conducted a test to determine the extent of visibility achievable through Sentinel integration, aiming to identify the primary sources of attacks.

We also use Microsoft Office 365, Defender for Cloud, and Defender for Endpoint.

When it concerns cybersecurity, particularly regarding zero-day attacks, Microsoft tends to promptly release TVEs. These updates enable us to patch systems that are susceptible to specific zero-day attacks.

Sentinel allows us to gather data from our entire ecosystem. We can install connectors or an agent on the user's system, or we can do it manually.

Sentinel enables us to investigate threats and respond promptly from a unified platform. Upon receiving alerts, we can navigate to the corresponding tab for analytics, where we can initiate an investigation to view comprehensive details about the threat's origin and its interactions.

It has assisted our organization in enhancing our preparedness and thwarting phishing emails and attacks. We encounter attacks on a daily basis from individuals attempting to execute scripts via websites. Every month, we can conduct simulations to train our personnel in recognizing and evading threats. Sentinel is particularly effective in mitigating risks posed by employees who click on dubious email attachments.

Sentinel assists in automating routine tasks and identifying high-value alerts. Although I haven't extensively used it, playbooks can be employed to create automated responses for alerts and to resolve them.

It assists in eliminating the need to utilize multiple dashboards. We configured one of our servers as a honeypot, enabling us to observe all access and related details from a unified dashboard.

The threat intelligence assists us in preparing for potential threats before they occur and taking any necessary proactive measures. When a potential threat is identified, we are also given recommendations on how to proceed.

Sentinel has helped decrease our time to detect and respond. The automation has reduced the time I spend on low-level threats, allowing me to focus on the priority threats.

What is most valuable?

Microsoft Sentinel comes preloaded with templates for teaching and analytics rules. We can also create our own.

What needs improvement?

We need to continually test and define analytics rules due to the possibility of triggering false positives if we simply use the preloaded templates and neglect them.

We attempted to integrate our Microsoft solutions, but we occasionally faced problems when connecting with other systems. While it functioned effectively with Linux and Unix systems, a Windows 11 update led to complications. Sentinel was unable to capture essential logs on certain computers. As a result, we were compelled to create two SIEMs using Splunk and QualysGuard. This was necessary because certain operating systems experienced issues, particularly after receiving updates.

Although Sentinel is a comprehensive security solution, it could be more user-friendly. When I started using it, it was a bit confusing. I think that certain features should be placed in separate tabs instead of being clustered together in one place.

The KQL query does not function effectively with Windows 11 machines, and in the majority of machine-based investigations, KQL queries are essential for organizing the data during investigations.

For how long have I used the solution?

I have been using Microsoft Sentinel for two years.

What do I think about the stability of the solution?

I have not experienced any stability issues with Microsoft Sentinel.

What do I think about the scalability of the solution?

Scaling is straightforward. For instance, if an organization opts to establish a new department and intends to add ten machines to that department, all that is required is to create a new Log Analytics workspace, incorporate the machines into that workspace, and subsequently link it to Sentinel.

What's my experience with pricing, setup cost, and licensing?

Microsoft Sentinel requires an E5 license. When considering this from the perspective of a large enterprise organization, the cost might be justified. However, for smaller organizations, it is comparatively expensive when compared to other SIEM and SOAR solutions. Open-source SIEMs like OSSEC are also available. These can be integrated with other open-source tools to address similar issues as Microsoft Sentinel, often at minimal or no cost.

What other advice do I have?

I would rate Microsoft Sentinel an eight out of ten.

Our Microsoft security solutions both cooperate and have limitations in working seamlessly together to provide coordinated detection and response across our environment. The individual who initially implemented these solutions did so in a manner that prevents us from accessing all the necessary information to effectively utilize Sentinel with a single administrative account, as intended.

Most of our servers are on-premises but we have two that are connected to Defender for Cloud. Those are mostly pickup servers.

Microsoft takes care of the maintenance for Sentinel.

Using a best-of-breed strategy is superior to relying on a single-vendor security suite. I have observed while working with Splunk and QualysGuard, that they are capable of detecting certain low-level threats more promptly than Sentinel. Occasionally, these threats manage to slip through when using Sentinel.

Microsoft Sentinel is a commendable solution, and its value justifies the cost. However, it should be noted that it comes with a significant price tag. Therefore, any organization considering implementing this solution should ensure they are financially prepared for it. I strongly advise obtaining certification and acquiring proficiency in using Sentinel. It is an excellent tool equipped with numerous features. Unfortunately, many users remain unaware of these features or lack the understanding of how to utilize them effectively. It's worth mentioning that Microsoft Defender and Intune serve to further enhance Sentinel's capabilities, elevating it into an even more powerful tool.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
reviewer2165436 - PeerSpot reviewer
POD Lead Security at a tech services company with 10,001+ employees
Real User
Allows us to investigate and respond to threats holistically from a single platform
Pros and Cons
  • "I believe one of the main advantages is Microsoft Sentinel's seamless integration with other Microsoft products."
  • "Currently, the watchlist feature is being utilized, and although there have been improvements, it is still not fully optimized."

What is our primary use case?

I work as a security team leader and consultant in the Netherlands. Additionally, I am the main architect for my organization. Our current focus is on building our own Security Operations Center for media entities, and we offer this service to our customers as well. Our solution ensures zero bypasses and integrates the XDR suite of our clients. Therefore, any customer looking for the same solution can benefit from our expertise.

How has it helped my organization?

Microsoft Sentinel has the potential to assist us in prioritizing threats across our entire enterprise. However, its effectiveness relies heavily on the quality of our analytics roles. If we have appropriate alerts in place, we can avoid unnecessary noise. If we can accurately prioritize incidents and assign the appropriate level, it will significantly aid us. Additionally, automation can help analysts make informed decisions by consolidating incidents and alerts.

I have completed many customer integrations. Currently, I am working with one of the largest healthcare retailers and a very large insurance company. They have a variety of other products, such as effective AI, Infoblocks, and Akamai as a last resort. Our goal is to consolidate all the alerts from these products into Sentinel, which sometimes requires processing or editing. We refer to this as social editing, which essentially means fixing issues. Ultimately, our objective is to have a comprehensive overview of everything in a single dashboard.

The effectiveness of the integrated solutions that work together natively varies. At times, a data connector may work well, while at other times, it may not. I have noticed that Sentinel has significant potential for the development of data connectors and passes. This observation is due to one of my customers requiring a considerable amount of additional processing for data connectors, which prompted us to make a request to Microsoft. Currently, we are pleased to see that Microsoft is integrating this functionality. On the other hand, we also have plans to work with a local collector that involves parsing logs and collecting log data using custom parsing services.

The effectiveness of integrated security products in providing comprehensive threat protection is improving. However, there is a risk of overlap in the functionalities of Microsoft's various products, leading to duplicate alerts or unwanted charges. Nonetheless, compliance is improving. Additionally, the endpoint portal is starting to function more like an application portal for multiple products. Using only the Defender portal instead of Sentinel would benefit many customers at present, though additional sources may provide added value. There are also many developments in this area worth exploring.

Microsoft Sentinel has the capability to collect data from our entire ecosystem, but it comes with a cost. As the head of IT, I would have the ability to obtain any sensitive data that I need. If there is a substantial amount of data, I can handle it. However, we need to establish a use case for the data before proceeding, as it could become too expensive for us to handle. Therefore, we will not be ingesting all the data available.

Microsoft Sentinel allows us to investigate and respond to threats holistically from a single platform. This capability is powerful because we can create our own queries, and the language used is user-friendly. However, we must ensure that the data in Sentinel is properly structured. This means ensuring that our timestamps are consistent and accurate and that the quality of our data is high. By doing so, querying becomes easy and effective.

If we have a background in Azure, then it's relatively easy to understand the SOAR capabilities since it's built on Azure foundations and logic apps. This makes it more powerful.

The cost of Microsoft Sentinel is reasonable when compared to other SIEM and SOAR solutions. While the cost of ingestion may be high, the platform offers numerous capabilities for automation, alerting, monitoring, and operations. Therefore, we are receiving good value for our investment, even though it may not be the cheapest option on the market. Microsoft Sentinel's ongoing development of new features justifies the price point. For example, I compared it to a customer who used Splunk last year, and Splunk was more expensive and had fewer features.

Sentinel assists in automating routine tasks and identifying high-value alerts. For instance, we can configure it to automatically detect risks on specific accounts and receive notifications through an automatic inbox. While we exercise caution in implementing automation, we can leverage it during hours when staffing is limited to ensure timely and appropriate actions.

Sentinel's threat intelligence helps us prepare for potential threats and take action before they can impact us. Obtaining threat intelligence feeds from Microsoft would also be beneficial. We may eventually need to acquire an Excel feed, either from Microsoft or another source, but we must ensure that these expenses provide tangible value. I believe that the machine learning used by Microsoft Infusionsoft provides valuable threat intelligence with reliable patterns.

I've noticed that some customers are using on-premises environments such as Oxite for this particular task. However, since we're on a cloud platform, we don't have to handle and operate the systems as much because they are cloud services. This allows us to focus on the platform, the content, and making it work. The integration with Microsoft works well, and we can use similar queries in Sentinel as we do in Defender for Endpoint, which saves us time.

If we compare the current situation to that of five years ago, we can see that every company was spending less on this type of product because the threat wasn't as significant. However, over time, we have witnessed a significant increase in cyberattacks. As a result, every budget has been increased to address this issue. Therefore, in my opinion, Sentinel is not merely saving money; rather, we are utilizing our resources more efficiently.

What is most valuable?

I believe one of the main advantages is Microsoft Sentinel's seamless integration with other Microsoft products. This means that if we need to work with customers who already use the entire defense suite, we can easily collaborate with them. Additionally, the KQL language created is very robust and has a manageable learning curve for those who already have some experience. Furthermore, we can use KQL in other Microsoft platforms, making it a versatile tool. The AI aspect is also noteworthy, as it utilizes existing resources in Azure. For instance, if we have previous experience building Azure functions or using wireless technology, we can incorporate these skills into our playbook development in Sentinel.

What needs improvement?

Microsoft Sentinel provides visibility into threats, and the incident alert display has improved. However, I don't believe it is efficient or pleasant to work with, especially for specialists who work with it all day. We are considering putting our incident alerts into ServiceNow first, which would improve instant handling, logging, and monitoring, and streamline the investigation process. This is a potential area for improvement, but currently, the system is workable and easy to use. I understand that improvements are in progress, and I expect the system to get even better with time.

When we look at external SOAR and orchestration platforms, we have a better overview of all the rules, their behavior, and the correlation between them. From a technical perspective, it works well, but from a functional overview, there's room for improvement. For example, we need a clear understanding of what playbooks we have in our SOAR capabilities. Currently, we have a long list, and we need to know what each playbook does. If we want to add some playbooks in Azure, we need to consider the playbooks that we have in Azure that are not related to any schedule. This can make the environment a bit messy. While building them ourselves, we can have a clear understanding of the why, what, and how, but it can be complicated to know which playbook does what at a given moment or what role it best fits.

Currently, the watchlist feature is being utilized, and although there have been improvements, it is still not fully optimized. When examining the watchlist, it appears that it is not adequately supported in Sentinel's repository feature. As a result, we are constantly having to find workarounds, which is functional but requires more effort. It is possible for Microsoft to improve efficiency, but they have not done so yet.

For how long have I used the solution?

I have been using Microsoft Sentinel for three years.

What do I think about the stability of the solution?

Last year, there were some issues with Azure Sentinel, which is a specific service within the Azure platform. These issues affected the performance of Sentinel and caused some concerns. While the situation has improved, there may be further challenges as the platform continues to grow. As a cloud service, there is a risk of outages, which can be difficult to address. Overall, there are currently no complaints about the stability of Azure Sentinel, but it is important to stay vigilant about potential issues that may arise.

What do I think about the scalability of the solution?

Sentinel's scalability is impressive. Currently, we have not encountered any limitations. While there may be a limit on the number of rules with a large amount of data, we have not reached that point. The system performs well, aided by the basic and archive log features. In the event that those features are insufficient, we still have additional options available. Overall, I believe that Sentinel is highly scalable.

Which solution did I use previously and why did I switch?

We used to utilize ArcSight Interset, an outdated on-premises product that wasn't suitable for our move to the cloud or offering services to our customers. Since we mainly use Microsoft products, we switched to Sentinel enthusiastically. Sentinel is a perfect fit for our organization.

How was the initial setup?

The initial setup was straightforward and adoption was fast. Currently, our approach within the organization is to begin with a simple implementation and ensure it is functional before incorporating more complex integrations. We started with basic tasks such as editing data files and integrating on-premises data responses. Once we have established a solid foundation, we will build upon it to create a more advanced version.

If we take all areas into account, we would need a considerable number of people for deployment. I believe we would need around 15 to 20 individuals, including engineering consultants, ServiceNow personnel, and others.

What other advice do I have?

I give Microsoft Sentinel an eight out of ten.

We use the entire range of security measures except for Defender for IP. This is similar to how we use Defender for servers. In Azure, these measures are used on the front-end point, server, and callbacks. As for our customer implementations, I am responsible for carrying them out. For our own laptops, we have a strategy where we use Carbon Black instead of Defender for Endpoint. However, we still use Defender AV, and for other cloud applications, we use Defender for Office 365. The reason we continue to use Carbon Black is due to its legacy status.

Sentinel is a cloud service platform that is particularly useful for those who require sizable, scalable, and high-performing solutions.

Sentinel always requires some maintenance, which includes examining the ingested data to determine if it is being used for a specific purpose. It is important to evaluate the amount of data being stored and ensure that we are paying the correct price. Additionally, any necessary updates should be made to patch up any queries. These actions will result in improved efficiency and effectiveness.

The choice of the best-of-breed solution depends on the company's specific needs, but given the shortage of skilled personnel in many organizations, managing multiple products can be challenging. If we opt for a best-of-breed solution, we may end up having to maintain expertise in several different areas. On the other hand, choosing a single vendor, such as Microsoft, can be advantageous in terms of discounts, support, and skill maintenance. Our experience suggests that when evaluating a solution, it's essential to know the requirements, risks, and desired outcomes beforehand, rather than trying to ingest all available data, which can be costly and inefficient.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
reviewer1342566 - PeerSpot reviewer
System Engineer at a tech vendor with 5,001-10,000 employees
MSP/MSSP
Top 20
Provides visibility into threats by creating alerts and enables us to ingest data from our entire system if we want
Pros and Cons
  • "The data connectors that Microsoft Sentinel provides are easy to integrate when we work with a Microsoft agent."
  • "The troubleshooting has room for improvement."

What is our primary use case?

Our organization is a service company, therefore, we are proposing Microsoft Sentinel as an MSSP solution to our clients. Additionally, we are offering other solutions with Microsoft Sentinel. We have integrated Microsoft Sentinel with MISP, an open source intelligence trading platform, to create a deluxe solution. Furthermore, we use the five-year tool in conjunction with Microsoft Sentinel.

We pitched the solution for BFSI, healthcare, and ONG sectors.

The solution can be deployed based on the client's requirements.

How has it helped my organization?

Microsoft Sentinel provides visibility into threats by creating alerts, which will generate an instance and notify us. We can also view files and prioritize alerts using Microsoft Sentinel. Additionally, there is a tool with Sentinel that allows us to check alerts, which will help us identify false positives and false negatives, which is very beneficial for analysts.

Microsoft Sentinel helps us prioritize threats across our enterprise.

Microsoft Sentinel's ability to help us prioritize threats is a very important must-have feature for our organization.

Integrating Microsoft Sentinel with additional Microsoft solutions such as Microsoft Security Center is easy because we use a Microsoft agent. There is a default integration available with multiple connectors and we can use the agent to install data into Microsoft Sentinel.

The integrated solutions work natively together to deliver a coordinated detection and response across our environment. We use a playbook for the response process. We also integrated ServiceNow tools and Sentinel for ITSM. We are also designing the playbooks to meet our requirements.

Having the ability to integrate solutions with Microsoft Sentinel is an important feature.

Microsoft Sentinel provides comprehensive protection. 

Our organization has a strong partnership with Microsoft. Most of the services we receive are quite cost-effective. Microsoft provides market listings, allowing us to design our solution and place it on Microsoft's market listings, resulting in mutual benefits for both Microsoft and our organization.

We used Microsoft Defender for Cloud to get to the Azure security center for Sentinel. We wanted to work with a particular server but at the time the requirement was in order to use Defender we had to enable the solution across the subscription and not on one particular server.

Microsoft Sentinel enables us to ingest data from our entire system if we want.

Microsoft Sentinel enables us to investigate and respond to threats from one place. We can control everything from a single pane of glass.

Microsoft's built-in UEBA and threat intelligence capabilities play a major role in our security.

We can automate routine tasks, prioritize alerts using the playbook, and use the analytical rule's default settings when creating an alert. This helps to reduce false positives so that we only receive one alert for each issue.

Microsoft's XDR enabled us to avoid having to view multiple dashboards. We can integrate a variety of tools with Sentinel, allowing us to monitor all relevant information from a single screen.

The integration into one dashboard reduced our analytical work because it reduces the time required to review and respond to threats. 

The solution helped us prepare for potential threats proactively. Microsoft Sentinel helped our organization save money by preventing attacks. The solution helped reduce the threat detection time by up to 40 percent.

What is most valuable?

The data connectors that Microsoft Sentinel provides are easy to integrate when we work with a Microsoft agent.

The UI design for the investigation portion of Microsoft Sentinel is great.

The alerting of the queries works great and it is easy to develop a query around our requirements using Microsoft Sentinel.

What needs improvement?

The GUI functionality has room for improvement.

The playbook can sometimes be hefty and has room for improvement.

The troubleshooting has room for improvement.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is scalable.

How are customer service and support?

The technical support depends on if we have upgraded our support or not. The basic support has a wait time but the premium support is great.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used IBM Security QRadar. The data connectors are more complicated and there are more configurations required with IBM Security QRadar compared to Microsoft Sentinel. The alerts are much better with Microsoft Sentinel.

How was the initial setup?

The initial setup is straightforward.

What about the implementation team?

The implementation is completed in-house with Microsoft documentation.

What's my experience with pricing, setup cost, and licensing?

In comparison to other security solutions, Microsoft Sentinel offers a reasonable price for the features included.

What other advice do I have?

I give the solution an eight out of ten.

The maintenance is completed by Microsoft.

I recommend Microsoft Sentinel to others.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
reviewer1984098 - PeerSpot reviewer
Technical Lead at a tech services company with 11-50 employees
Real User
It provides excellent threat visibility, enabling us to dig deep
Pros and Cons
  • "The ability of all these solutions to work together natively is essential. We have an Azure subscription, including Log Analytics. This feature automatically acts as one of the security baselines and detects recommendations because it also integrates with Defender. We can pull the sysadmin logs from Azure. It's all seamless and native."
  • "Microsoft Defender has a built-in threat expert option that enables you to contact an expert. That feature isn't available in Sentinel because it's a huge product that integrates all the technologies. I would like Microsoft to add the threat expert option so we can contact them. There are a few other features, like threat assessment that the PG team is working on. I expect them to release this feature in the next quarter."

What is our primary use case?

I support Microsoft Sentinel as a Microsoft partner. We work on various scenarios, such as emails and data connectors. I support licenses by helping them enroll and advising them on the prerequisites they need to meet. I show them how to get started with Microsoft Sentinel. 

I'm the technical lead for Microsoft, so I've worked on several Microsoft security products, including Sentinel, Cloud App Security, Defender, Azure Information Protection, and Azure Key Vault. These are now my significant areas. It wasn't easy to integrate Sentinel with other products initially, but we had a smooth experience once the data connectors and everything were in place.

We are from the support team, so we operate in multiple environments depending on the use case. It works smoothly in every environment, including hybrid ones.

How has it helped my organization?

I've seen scenarios where the customer's security score was at 60, but we managed to increase it to 80 or 90 based on the recommendations from Sentinel. We use Sentinel to investigate the activity logs and address the issues. The security score increases once we fix those. 

The benefit Sentinel provides depends on the organization and how they have recruited engineering staff. If the engineers can maintain two or three products, then it's easy for them, but it hasn't reduced any difficulty from my perspective. 

Sentinel saved us time. When this product was introduced, many customers used other SIEM and SOAR technologies separately. Now that we have Sentinel in place, customers only need to learn how to use this product, so it's 50% to 60% more efficient. It's also more cost-effective because you aren't paying separately for those security components. Sentinel is all-inclusive. 

Sentinel integrates seamlessly with Azure platform services, making it more reliable and cost-effective. I can't say with certainty because it's outside my department, but my best guess is that Sentinel can reduce costs by about 30% to 40%. I would also estimate that it reduces our response time by roughly that amount. 

The bidirectional sync capabilities ingest the data and show us alerts that help us prioritize our policy settings and secure our environment. Once we ingest the IP address, we can monitor the network traffic. It ingests everything from the IP address to the applications we use at the cloud level. Having every event, alert, and output from Log Analytics integrated into one platform is essential. We can ingest everything using the syslogs and data connectors. For example, I'm using Windows Server 2016. It will send the data to the cloud, and Microsoft Sentinel pulls it from there. It removes the sysadmin logs and the other logs, so we can easily see the DDoS attacks and other threats.

It ingests the networking stuff and other things, too. It collects everything the company needs to secure the data from data engineers, Log Analytics engineers, information production engineers, etc. It ingests data from everywhere and stores it in one place. You can pull whatever data you need. 

What is most valuable?

A security product must be integrated with multiple other technologies like SIEM and SOAR to give you the best results and analyze user behavior. Sentinel uses connectors to integrate all Azure products and third-party security tools.

Sentinel provides excellent threat visibility, enabling us to dig deep. It directly connects to Azure Log Analytics, allowing us to do research and pull logs. It uses SOAR intelligence to detect and fix issues using AI and machine learning algorithms.

The ability of all these solutions to work together natively is essential. We have an Azure subscription, including Log Analytics. This feature automatically acts as one of the security baselines and detects recommendations because it also integrates with Defender. We can pull the sysadmin logs from Azure. It's all seamless and native. 

Everything shares a common database so that every product can be integrated depending on your enterprise licenses. Microsoft is effortless from a customer's perspective. You get a wide range of features with one license, including threat detection, information protection, infrastructure solutions, and endpoint protection. One or two enterprise licenses cover everything. 

Sentinel is an excellent product with multiple dashboards if you want to look at something specific. It also has a centralized dashboard for everything if you want to see the overview of what's essential. I use multiple dashboards because it's easier for us as support team members. 

What needs improvement?

Microsoft Defender has a built-in threat expert option that enables you to contact an expert. That feature isn't available in Sentinel because it's a huge product that integrates all the technologies. I would like Microsoft to add the threat expert option so we can contact them. There are a few other features, like threat assessment that the PG team is working on. I expect them to release this feature in the next quarter.

For how long have I used the solution?

I have been using Microsoft Sentinel for two-and-a-half years.

What do I think about the stability of the solution?

Sentinel is stable. 

How are customer service and support?

I rate Microsoft technical support nine out of 10.

How would you rate customer service and support?

Positive

How was the initial setup?

Setting up Microsoft Sentinel is straightforward because it's a cloud platform. You can install it with a few clicks. It isn't like the on-premises solutions we have used in the past, where you need to spend a couple of hours. You can deploy Sentinel with one person in around five minutes if you have all the resources, permissions, and rules.

Like all products, Sentinel requires some maintenance. There are planned and unplanned outages. Depending on when Microsoft releases the updates, it can be challenging, but they usually notify us ahead of time.

What was our ROI?

Microsoft offers the best value from a customer perspective. With a small amount of money, customers can take advantage of an array of technologies because everything is connected from the Microsoft perspective. The return on investment is massive. You don't need to recruit multiple engineers. One engineer who is familiar with Microsoft products can manage the solution.

What's my experience with pricing, setup cost, and licensing?

I think Sentinel's pricing is reasonable. It's more reliable if it can integrate with other enterprise technologies, so you have to pay for that. We have to consider the size of the organization. We might shift to other security products for a smaller company. Given the reliability of Microsoft support, Sentinel is cost-effective.  

Sentinel is one of the best products compared to other SIEM solutions like CyberArk. Microsoft's market share is enormous, and they have surpassed AWS, so more companies are adopting Sentinel. A company can centralize everything with Sentinel, and that's great from a cost perspective. 

What other advice do I have?

I rate Microsoft Sentinel nine out of 10. I see a few areas of improvement, but they are already working on implementing these features. If someone asked me whether I would recommend an a la carte approach using the best-in-breed solutions or an all-in-one integrated package from a single vendor, I would say that both approaches have advantages. However, I think it's good to hand everything over to the vendor. A vendor will take the sole responsibility and do the work for you. 

I also recommend becoming an expert in Microsoft Sentinel because it has a bright future. You can earn a decent salary once you have hands-on experience with this product. Sentinel is not well known, but I think it will have 60 to 70 percent of the market share.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Lead Azure Sentinel Architect at a financial services firm with 10,001+ employees
Real User
Quick to deploy, good performance, and automatically scales with our requirements
Pros and Cons
  • "The most valuable feature is the performance because unlike legacy SIEMs that were on-premises, it does not require as much maintenance."
  • "If Azure Sentinel had the ability to ingest Azure services from different tenants into another tenant that was hosting Azure Sentinel, and not lose any metadata, that would be a huge benefit to a lot of companies."

What is our primary use case?

Azure Sentinel is a next-generation SIEM, which is purely cloud-based. There is no on-premises deployment. We primarily use it to leverage the machine learning and AI capabilities that are embedded in the solution.

How has it helped my organization?

This solution has helped to improve our security posture in several ways. It includes machine learning and AI capabilities, but it's also got the functionality to ingest threat intelligence into the platform. Doing so can further enrich the events and the data that's in the backend, stored in the Sentinel database. Not only does that improve your detection capability, but also when it comes to threat hunting, you can leverage that threat intelligence and it gives you a much wider scope to be able to threat hunt against.

The fact that this is a next-generation SIEM is important because everybody's going through a digital transformation at the moment, and there is actually only one true next-generation SIEM. That is Azure Sentinel. There are no competing products at the moment.

The main benefit is that as companies migrate their systems and services into the Cloud, especially if they're migrating into Azure, they've got a native SIEM available to them immediately. With the market being predominately Microsoft, where perhaps 90% of the market uses Microsoft products, there are a lot of Microsoft houses out there and migration to Azure is common.

Legacy SIEMs used to take time in planning and looking at the specifications that were required from the hardware. It could be the case that to get an on-premises SIEM in place could take a month, whereas, with Azure Sentinel, you can have that available within two minutes. 

This product improves our end-user experience because of the enhanced ability to detect problems. What you've got is Microsoft Defender installed on all of the Windows devices, for instance, and the telemetry from Defender is sent to the Azure Defender portal. All of that analysis in Defender, including the alerts and incidents, can be forwarded into Sentinel. This improves the detection methods for the security monitoring team to be able to detect where a user has got malicious software or files or whatever it may be on their laptop, for instance.

What is most valuable?

It gives you that single pane of glass view for all of your security incidents, whether they're coming from Azure, AWS, or even GCP. You can actually expand the toolset from Azure Sentinel out to other Azure services as well.

The most valuable feature is the performance because unlike legacy SIEMs that were on-premises, it does not require as much maintenance. With an on-premises SIEM, you needed to maintain the hardware and you needed to upgrade the hardware, whereas, with Azure Sentinel, it's auto-scaling. This means that there is no need to worry about any performance impact. You can send very large volumes of data to Azure Sentinel and still have the performance that you need.

What needs improvement?

When you ingest data into Azure Sentinel, not all of the events are received. The way it works is that they're written to a native Sentinel table, but some events haven't got a native table available to them. In this case, what happens is that anything Sentinel doesn't recognize, it puts it into a custom table. This is something that you need to create. What would be good is the extension of the Azure Sentinel schema to cover a lot more technologies, so that you don't have to have custom tables.

If Azure Sentinel had the ability to ingest Azure services from different tenants into another tenant that was hosting Azure Sentinel, and not lose any metadata, that would be a huge benefit to a lot of companies.

For how long have I used the solution?

I have been using Azure Sentinel for between 18 months and two years.

What do I think about the stability of the solution?

I work in the UK South region and it very rarely has not been available. I'd say its availability is probably 99.9%.

What do I think about the scalability of the solution?

This is an extremely scalable product and you don't have to worry about that because as a SaaS, it auto-scales.

We have between 20 and 30 people who use it. I lead the delivery team, who are the engineers, and we've got some KQL programmers for developing the use cases. Then, we hand that over to the security monitoring team, who actually use the tool and monitor it. They deal with the alerts and incidents, as well as doing threat hunting and related tasks.

We use this solution extensively and our usage will only increase.

How are customer service and support?

I would rate the Microsoft technical support a nine out of ten.

Support is very good but there is always room for improvement.

Which solution did I use previously and why did I switch?

I have personally used ArcSight, Splunk, and LogRhythm.

Comparing Azure Sentinel with these other solutions, the first thing to consider is scalability. That is something that you don't have to worry about anymore. It's excellent.

ArcSight was very good, although it had its problems the way all SIEMs do.

Azure Sentinel is very good but as it matures, I think it will probably be one of the best SIEMs that we've had available to us. There are too many pros and cons to adequately compare all of these products.

How was the initial setup?

The actual standard Azure Sentinel setup is very easy. It is just a case where you create a log analytics workspace and then you enable Azure Sentinel to sit over the top. It's very easy except the challenge is actually getting the events into Azure Sentinel. That's the tricky part.

If you are talking about the actual platform itself, the initial setup is really simple. Onboarding is where the challenge is. Then, once you've onboarded, the other challenge is that you need to develop your use cases using KQL as the query language. You need to have expertise in KQL, which is a very new language.

The actual platform will take approximately 10 minutes to deploy. The onboarding, however, is something that we're still doing now. It's use case development and it's an ongoing process that never ends. You are always onboarding.

It's a little bit like setting up a configuration management platform and you're only using one push-up configuration.

What was our ROI?

We are getting to the point where we see a return on our investment. We're not 100% yet but getting there.

What's my experience with pricing, setup cost, and licensing?

Azure Sentinel is very costly, or at least it appears to be very costly. The costs vary based on your ingestion and your retention charges. Although it's very costly to ingest and store data, what you've got to remember is that you don't have on-premises maintenance, you don't have hardware replacement, you don't have the software licensing that goes with that, you don't have the configuration management, and you don't have the licensing management. All of these costs that you incur with an on-premises deployment are taken away.

This is not to mention running data centers and the associated costs, including powering them and cooling them. All of those expenses are removed. So, when you consider those costs and you compare them to Azure Sentinel, you can see that it's comparative, or if not, Azure Sentinel offers better value for money.

All things considered, it really depends on how much you ingest into the solution and how much you retain.

Which other solutions did I evaluate?

There are no competitors. Azure Sentinel is the only next-generation SIEM.

What other advice do I have?

This is a product that I highly recommend, for all of the positives that I've mentioned. The transition from an on-premises to a cloud-based SIEM is something that I've actually done, and it's not overly complicated. It doesn't have to be a complex migration, which is something that a lot of companies may be reluctant about.

Overall, this is a good product but there are parts of Sentinel that need improvement. There are some things that need to be more adaptable and more versatile.

I would rate this solution a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Sachin Paul - PeerSpot reviewer
Product Manager, Cyber Security at Mactel
Real User
Top 10
Makes data integration very easy for our SOC
Pros and Cons
  • "The features that stand out are the detection engine and its integration with multiple data sources."
  • "One key area that can be improved is by building a strong integration with our XDR platform."

What is our primary use case?

We use it for our security operations center. We have private and multi-cloud environments.

How has it helped my organization?

It enables data integration within our hybrid, multi-cloud environment, and it makes this data integration very easy for our security operations center.

Sentinel has helped improve our visibility into user and network behavior. It helps in identifying risky users, creating a watch list for specific users and their activities, which is very important.

It has also been saving us time. It's a complete cloud-based solution, so there is no time wasted on setting up servers, infrastructure, et cetera.

It also reduces the work involved in event investigation because it puts together detection logic through detection rules. That helps in automating incident identification.

What is most valuable?

The features that stand out are the

  • detection engine
  • integration with multiple data sources.

And while it does not give the tools to detect and investigate, it provides the ability to integrate multiple tools together on the platform. This is very important for us. Sentinel provides very good integration with Microsoft Power Apps and Power Automate. That is a very handy feature.

It provides a good user interface for an operations analyst and makes it easy for an ops analyst to do incident analysis and investigations.

What needs improvement?

One key area that can be improved is by building a strong integration with our XDR platform.

For how long have I used the solution?

I have been using Microsoft Sentinel for over a year. I'm a product manager, and I do not do hands-on deployment, but I do product definition, platform selection, and product feature definition.

What do I think about the stability of the solution?

It is a stable product.

How are customer service and support?

The technical support team is good. They have account managers aligned with our customers. It is a good, scalable model.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We started with Sentinel only. We have had some experience with Splunk, but Sentinel is more mature, flexible, and scalable.

How was the initial setup?

The install or setup time is very small. Without Sentinel, it would usually take 15 to 30 days to set up a SIEM solution in an environment. With Sentinel, it is very easy. A completely production-grade environment can be set up within a week.

Setting up Sentinel is straightforward. Because it is a cloud-based solution, there is no infrastructure deployment involved. Much of the implementation can be done in automated ways. We leverage that automation for implementation. It doesn't require much staff. It is very automated.

It requires maintenance, and that is part of what we cover by providing our customers with managed services.

What about the implementation team?

Our team does the deployment.

What was our ROI?

We have seen ROI.

What's my experience with pricing, setup cost, and licensing?

The licensing cost is available on the Microsoft Azure calculator. It depends on the size of the deployment, the size of the data ingestion. It is consumption-based pricing. It is an affordable solution.

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Lowie Daniels - PeerSpot reviewer
Cloud Security Analyst l at a tech services company with 11-50 employees
Real User
Ingests data from anywhere, is easy to use, and saves a lot of time
Pros and Cons
  • "It's easy to use. It's a very good product. It can easily ingest data from anywhere. It has an easily understandable language to perform actions."
  • "It could have a better API to be able to automate many things more extensively and get more extensive data and more expensive deployment possibilities. It can gain some points on the automation part and the integration part. The API is very limited, and I would like to see it extended a bit more."

What is our primary use case?

I work for a security operation center. We use Microsoft Sentinel to monitor the tenants of our customers and provide automated investigations and feedback and alerting.

If something happens or if we get an alert, we also use it to investigate further. We do a deep analysis of the logs that we ingest from our customers. We also have many automation rules built into Microsoft Sentinel to reduce the noise and not-true positive alerts.

How has it helped my organization?

There is the ease of setup and ease of use. When we get new customers, we do not need to go onsite, build a system inside their on-premise network, and spend a lot of time setting up the systems. We can easily deploy a new Sentinel solution for a customer with automated templates, which benefits a lot in onboarding new customers. Because we have integrated it with many other security solutions from Microsoft, we can also perform many actions for which we otherwise would have needed VPN access or would have had to go to the customer site. So, the main benefit is that we can easily do anything from anywhere without having to spend much time setting up and onboarding.

We have combined it with other tools such as Microsoft 365 Defender Suite. With all tools combined and the customization that we have developed, we get pretty good insights into possible threats. It all depends on the logs you ingest. If you ingest the right logs, you can get very meaningful insights.

It helps us to prioritize threats across the enterprise. It does that in a very good way. It prioritizes the threats based on multiple factors. If multiple similar incidents happen or suspicious related activities happen at the same time, the incident gets a high priority because that's likely to be a real threat, but it also ingests the priorities that come from the other tools. You also have the ability to adapt priorities because each customer is different. Each business is different. We give our customers a standby for tickets that come in with priority two or higher. Microsoft Sentinel also gives us the chance to lower the priority on some cases or raise the priority on some cases depending on the business use case of the customer.

We are a Microsoft security company, so we try to use as many Microsoft security tools as possible. We have Microsoft Defender for Cloud and Microsoft Defender for Office 365 as well. They are integrated into Defender 365 currently. We use the compliance portal. We use Microsoft Purview. We use Microsoft Sentinel. We use Microsoft Defender for Key Vault. We try to use as many security solutions as possible.

We have integrated these products with each other, and we have succeeded in it as well. Each product is at least integrated with Microsoft Sentinel by either using the way provided by Microsoft or a custom way to ingest data. We have integrated Defender 365 and other tools as well. We try to ingest alerts only from one place, if possible. We have integrated everything into one portal, and we ingest the data only from that portal. The integration for Microsoft solutions mostly works natively, but some of our customers have third-party solutions that we can integrate as well.

It's very important that Microsoft solutions work natively. When they work natively, you can have more built-in functionality for them. They are much more maintainable, and it does not take as much time to set up versus when you have to make a custom integration to something.

Microsoft Sentinel enables us to ingest data from the entire ecosystem. We can make custom integrations. If you have Linux machines or on-premises networks, you can set up a log forwarder inside the network and ingest the data that way into Microsoft Sentinel. There are many possibilities to ingest data from all locations, which is necessary for an XDR/SIEM solution. This ingestion of data is one of the most important things for our security operations because if we cannot ingest any data, we are partially blind on that side.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place. You do have to learn the KQL language, but it's similar to many other languages that are created by Microsoft or adopted by Microsoft. It's not that hard to learn. If you know it well, you can easily perform analysis on a whole bunch of data, whereas without Microsoft Sentinel, you would have to perform the analysis at many different places. Microsoft Sentinel gives you the possibility to do it just in one place.

We do not use all the functionalities of Microsoft Sentinel. For example, hunting queries are something that we do not use often, but their threat intelligence is updated quite regularly. We have tried it in Purview, which is a separate threat intelligence license that you can buy from Microsoft, but Microsoft also provides basic rules that alert on multiple threat indicators they detected earlier. They are very useful at the beginning sometimes. You have to remove those rules yourself as soon as they get outdated. The alerting that we get out of the threat intelligence provided by Microsoft itself has been valuable many times for our use cases.

Microsoft Sentinel helps automate routine tasks and the finding of high-value alerts. If we see many recurring alerts that are always suspicious but not really malicious, we can build our own automation rules that auto-close these alerts or automatically lower the priority on those alerts so that we are not getting too many notifications from alerts that are not worth investigating. It's really easy to do that. You can do it in many ways. To do the automation, there is a user-friendly interface. There are just drag-and-drop steps. It helps a lot, and it's easy to implement as well.

It has helped to eliminate having to look at multiple dashboards and have one dashboard for the analysis part, but for the response actions, it hasn't eliminated that because we have to log on to the Microsoft Defender security portals to perform most of those actions. For the analysis part, the alerting part, and the automated investigation part, this is the solution.

Its threat intelligence helps prepare us for potential threats before they hit and take proactive steps. For example, as soon as the Log4j vulnerability was known to the public, we immediately got alerts. We were able to take immediate action and remediate the vulnerability. We immediately knew how to prioritize our customers because we knew which customers already had active exploitation. Most of the time, such attempts were blocked, and if they got through, then the machine was luckily not really vulnerable, but it has been very helpful at that point to immediately assess the criticality for our customers. The attempts were not successful for many reasons. It also blocked them immediately.

It has saved us time. Especially because of the automated investigation part, it saved us a lot of time. We also have automated reporting, which also saves a lot of time each month. We provide our customers with a monthly report. If we had to do it manually and gather data from many different places, it would take a lot of time. Even if we had to fill it in manually in Microsoft Sentinel, it would take a lot of time, but because Microsoft Sentinel already ingests all of the data we use in our reports, we were able to write an integration with Microsoft Sentinel, which takes care of 75% of our reporting, and then we only have to do our analysis part. The data is already filled in, which saves a lot of time each month. The time savings went from one day per customer to one hour or two hours. For nearly fifteen customers, it was fifteen days, and now, it's 30 hours, which is more or less four days. It saves a lot of time each month that can now be spent on improving our service or performing deeper investigations on newly known threats and proactively acting on them.

It hasn't reduced our time to detect because we have been using Microsoft Sentinel from the beginning. So, we always had the same response time because we only used Microsoft Sentinel for our alerting. It integrates well with Atlassian tools and ServiceNow tools, which gives us the ability to be alerted very fast on something, and then we can act immediately.

What is most valuable?

It's easy to use. It's a very good product. It can easily ingest data from anywhere. It has an easily understandable language to perform actions. You can use the entire Azure cloud to perform automated actions and automate investigations. The possibilities are more or less limitless because you can integrate Microsoft Sentinel with many resources inside the Azure cloud. If you integrate the security tooling with it, you can also make use of the data that Microsoft gathers from all Windows operating systems about malware, for instance, or about possible attacks. They ingest that data from so many sources, and you can make use of it. It helps a lot in discovering new vulnerabilities. We can almost immediately investigate them because Microsoft is always on top of things.

What needs improvement?

Threat intelligence could be better because we have had some cases where we got alerted online for many things all of a sudden. It was because some updates happened in the background, and we didn't agree with the use cases or how they were built. That part of threat intelligence could be a little better.

We have also had incidents where other tooling got an update but Microsoft Sentinel didn't update.

Microsoft Sentinel is a simple and straightforward solution. It could have a better API to be able to automate many things more extensively and get more extensive data and more expensive deployment possibilities. It can gain some points on the automation part and the integration part. The API is very limited, and I would like to see it extended a bit more.

We have recently turned on the bi-directional sync capabilities of Microsoft Defender for Cloud. It works pretty well, but sometimes, it just syncs only the incidents and not the alerts behind them or the other way around. That was the only thing. That was a recent complaint we had. Other than that, it works well.

For how long have I used the solution?

I've been using Microsoft Sentinel for nearly two years.

What do I think about the stability of the solution?

It's very stable. We have many different Microsoft Sentinel instances running. Apart from some cleanup and maintenance, they all are running without any issues.

What do I think about the scalability of the solution?

It's very scalable. As long as you send the right logs, it can ingest them perfectly, but, of course, the more logs you ingest, the higher the price, so you have to be very careful and very concerned about the logs you are ingesting in Microsoft Sentinel. You have to make sure that the logs that you ingest provide value for your security and are not useless.

How are customer service and support?

I have not contacted them regarding Microsoft Sentinel, but I have contacted them for other solutions. Sometimes, we can't figure something out ourselves or we have questions about the new features that are made public. If we have a question or need assistance in any way in providing support to our customers, we can count on support to help us. I have not had a bad experience with them. We are also a Microsoft partner, so we get quick replies and have direct contacts within Microsoft sometimes for some cases. If we need support, they always help us very well.

Overall, I would rate them a seven out of ten because sometimes, they take a long time or you get redirected many times to another colleague before the issue is resolved, but in the end, they always help us out, and everything is fixed.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

In my previous job, we worked with local or on-premise systems, but the security monitoring was not that strong at that time. This is my second job, and in this job, I've only worked with Microsoft Sentinel.

How was the initial setup?

I worked on one of the deployment scripts we use for our customers, but I was not involved in its initial deployment. I deployed it once for a customer by using the Azure Resource Manager template that I built. It was rather complex because the documentation was not up to date or correct at that time. When working with Microsoft Sentinel, sometimes the documentation is not as up-to-date or complete as it should be in my opinion.

The number of people involved in its deployment depends on the size of the customer, but usually, one or two people from the team do the deployment. One person works on the deployment of Microsoft Sentinel, and the other one usually works on the deployment of other components, such as analytics, automation, etc.

It does require maintenance. In order to stay up to date and keep evolving on the threat landscape, you have to keep looking for new analytic rules, new investigation techniques, and new automations. You have to constantly improve your Sentinel in order to stay on point and detect and have complete detection scenarios. Sometimes, the rules that are provided by Microsoft or the settings or conditions that are provided by Microsoft get deprecated or get a new update. You have to follow that up as well in order to stay up to date with the things Microsoft changes or recommends.

What other advice do I have?

If you want to use Microsoft Sentinel, you should start thinking about the logs that you want to ingest. You should identify the ones that are important and also think of the use cases and what you want to detect from those logs. If you make the right choices on these two things, the setup and the integration with other tools will be very easy because you know from where you want to ingest logs and you know how to create analytics rules, automation rules, and things like that to detect the things that are critical or important to the security of your business.

To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that with a single vendor, we can integrate everything like a single product. We use Azure Active Directory, so we can easily secure authentication across multiple products and manage access permissions. On top of that, we have a single pane of glass where we can investigate and perform analysis in a very easy and user-friendly way, which saves a lot of time. We don't have to click through many different portals and know where to look each time. We don't have to learn the configuration, the setup, and the actions we can perform in each system because everything has the same interface. We only have to learn the things that Microsoft provides and not different products. The single pane of glass saves time and makes it much easier to investigate and respond and secure the environment.

Overall, I would rate Microsoft Sentinel an eight out of ten. I'm very happy with it, but no product is perfect. It can improve on some points, but overall, it's very good.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
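Two points in the review above lend themselves to a concrete illustration: the automation rules that auto-close or deprioritize recurring alerts that are "always suspicious but not really malicious", and the monthly report that is built from data Sentinel already holds. The KQL below is an added example, not the reviewer's or Microsoft's code, and not the reporting integration the reviewer describes. It queries the standard SecurityIncident table of a Sentinel workspace; the 30-day and 90-day windows, the minimum volume of 20 incidents, and the 95% benign ratio used to flag auto-close candidates are assumed thresholds that a SOC would tune to its own customers.

```kql
// ---------------------------------------------------------------
// Query 1: monthly incident report per severity (added example).
// SecurityIncident holds one row per incident modification, so the
// arg_max() keeps only the latest state of each incident before
// aggregating. Time to detect is approximated as first observed
// activity -> incident creation; time to resolve as creation -> close.
// ---------------------------------------------------------------
SecurityIncident
| where CreatedTime > ago(30d)                       // assumed reporting window
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| extend
    MinutesToDetect  = datetime_diff("minute", CreatedTime, FirstActivityTime),
    MinutesToResolve = iff(Status == "Closed",
                           datetime_diff("minute", ClosedTime, CreatedTime),
                           long(null))               // open incidents excluded from MTTR
| summarize
    Incidents          = count(),
    StillOpen          = countif(Status != "Closed"),
    TruePositives      = countif(Classification == "TruePositive"),
    BenignOrFalse      = countif(Classification in ("BenignPositive", "FalsePositive")),
    MeanHoursToDetect  = round(avg(MinutesToDetect) / 60.0, 1),
    MeanHoursToResolve = round(avg(MinutesToResolve) / 60.0, 1)   // avg() ignores nulls
  by Severity
| order by Severity asc

// ---------------------------------------------------------------
// Query 2: candidates for a noise-reducing automation rule (added
// example). Incident titles that recur often and are almost always
// closed as benign or false positive are the ones worth handling with
// an automation rule that lowers severity or closes them on creation.
// The output is reviewed by an analyst; nothing here changes incidents.
// ---------------------------------------------------------------
SecurityIncident
| where CreatedTime > ago(90d)                       // assumed look-back for the baseline
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
| where Status == "Closed"
| summarize
    Total    = count(),
    Benign   = countif(Classification in ("BenignPositive", "FalsePositive")),
    Products = make_set(ProviderName),               // which connectors raise this title
    LastSeen = max(CreatedTime)
  by Title
| extend BenignRatio = round(todouble(Benign) / Total, 2)
| where Total >= 20 and BenignRatio >= 0.95          // assumed volume and ratio thresholds
| order by Total desc
```

Query 1 gives the per-severity numbers a monthly customer report needs (volume, open backlog, true-positive share, mean time to detect and to resolve) straight from the workspace, which is the kind of data the reviewer says no longer has to be gathered by hand. Query 2 produces a short list of incident titles to inspect before writing automation rules for them; keeping a title on that list only when its benign ratio stays high over a long window avoids auto-closing something that turned real once.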
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.
Updated: February 2025