Microsoft Sentinel Reviews

We use it for our security operations center. We have private and multi-cloud environments.

It enables data integration within our hybrid, multi-cloud environment, and it makes this data integration very easy for our security operations center.

Sentinel has helped improve our visibility into user and network behavior. It helps in identifying risky users, creating a watch list for specific users and their activities, which is very important.

It has also been saving us time. It's a complete cloud-based solution, so there is no time wasted on setting up servers, infrastructure, et cetera.

It also reduces the work involved in event investigation because it puts together detection logic through detection rules. That helps in automating incident identification.

The features that stand out are the 

• detection engine
• integration with multiple data sources.

And while it does not give the tools to detect and investigate, it provides
the ability to integrate multiple tools together on the platform. This is very important for us. Sentinel provides very good integration with Microsoft Power Apps and Power Automate. That is a very handy feature.

It provides a good user interface for an operations analyst and makes it easy for an ops analyst to do incident analysis and investigations.

One key area that can be improved is by building a strong integration with our XDR platform.

I have been using Microsoft Sentinel for over a year. I'm a product manager, and I do not do hands-on deployment, but I do product definition, platform selection, and product feature definition.

It is a stable product.

The technical support team is good. They have account managers aligned with our customers. It is a good, scalable model.

Neutral

We started with Sentinel only. We have had some experience with Splunk, but Sentinel is more mature, flexible, and scalable.

The install or setup time is very small. Without Sentinel, it would usually take 15 to 30 days to set up a SIEM solution in an environment. With Sentinel, it is very easy. A completely production-grade environment can be set up within a week.

Setting up Sentinel is straightforward. Because it is a cloud-based solution, there is no infrastructure deployment involved. Much of the implementation can be done in automated ways. We leverage that automation for implementation. It doesn't require much staff. It is very automated.

It requires maintenance, and that is part of what we cover by providing our customers with managed services.

Our team does the deployment.

We have seen ROI.

The licensing cost is available on the Microsoft Azure calculator. It depends on the size of the deployment, the size of the data ingestion. It is consumption-based pricing. It is an affordable solution.

I work for a security operation center. We use Microsoft Sentinel to monitor the tenants of our customers and provide automated investigations and feedback and alerting.

If something happens or if we get an alert, we also use it to investigate further. We do a deep analysis of the logs that we ingest from our customers. We also have many automation rules built into Microsoft Sentinel to reduce the noise and not-true positive alerts.

There is the ease of setup and ease of use. When we get new customers, we do not need to go onsite, build a system inside their on-premise network, and spend a lot of time setting up the systems. We can easily deploy a new Sentinel solution for a customer with automated templates, which benefits a lot in onboarding new customers. Because we have integrated it with many other security solutions from Microsoft, we can also perform many actions for which we otherwise would have needed VPN access or would have had to go to the customer site. So, the main benefit is that we can easily do anything from anywhere without having to spend much time setting up and onboarding.

We have combined it with other tools such as Microsoft 365 Defender Suite. With all tools combined and the customization that we have developed, we get pretty good insights into possible threats. It all depends on the logs you ingest. If you ingest the right logs, you can get very meaningful insights.

It helps us to prioritize threats across the enterprise. It does that in a very good way. It prioritizes the threats based on multiple factors. If multiple similar incidents happen or suspicious related activities happen at the same time, the incident gets a high priority because that's likely to be a real threat, but it also ingests the priorities that come from the other tools. You also have the ability to adapt priorities because each customer is different. Each business is different. We give our customers a standby for tickets that come in with priority two or higher. Microsoft Sentinel also gives us the chance to lower priority on some cases or upper the priority on some cases depending on the business use case of the customer.

We are a Microsoft security company, so we try to use as many Microsoft security tools as possible. We have Microsoft Defender for Cloud and Microsoft Defender for Office 365 as well. They are integrated into Defender 365 currently. We use the compliance portal. We use Microsoft Purview. We use Microsoft Sentinel. We use Microsoft Defender for Key Vault. We try to use as many security solutions as possible.

We have integrated these products with each other, and we have succeeded in it as well. Each product is at least integrated with Microsoft Sentinel by either using the way provided by Microsoft or a custom way to ingest data. We have integrated Defender 365 and other tools as well. We try to ingest alerts only from one place, if possible. We have integrated everything into one portal, and we ingest the data only from that portal. The integration for Microsoft solutions mostly works natively, but some of our customers have third-party solutions that we can integrate as well.

It's very important that Microsoft solutions work natively. When they work natively, you can have more built-in functionality for them. They are much more maintainable, and it does not take as much time to set up versus when you have to make a custom integration to something.

Microsoft Sentinel enables us to ingest data from the entire ecosystem. We can make custom integrations. If you have Linux machines or on-premises networks, you can set up a log forwarder inside the network and ingest the data that way into Microsoft Sentinel. There are many possibilities to ingest data from all locations, which is necessary for an XDR/SIEM solution. This ingestion of data is one of the most important things for our security operations because if we cannot ingest any data, we are partially blind on that side.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place. You do have to learn the KQL language, but it's similar to many other languages that are created by Microsoft or adopted by Microsoft. It's not that hard to learn. If you know it well, you can easily perform analysis on a whole bunch of data, whereas without Microsoft Sentinel, you would have to perform the analysis at many different places. Microsoft Sentinel gives you the possibility to do it just in one place.

We do not use all the functionalities of Microsoft Sentinel. For example, hunting queries are something that we do not use often, but their threat intelligence is updated quite regularly. We have tried it in Purview, which is a separate threat intelligence license that you can buy from Microsoft, but Microsoft also provides basic rules that alert on multiple threat indicators they detected earlier. They are very useful at the beginning sometimes. You have to remove those rules yourself as soon as they get outdated. The alerting that we get out of the threat intelligence provided by Microsoft itself has been valuable many times for our use cases.

Microsoft Sentinel helps automate routine tasks and the finding of high-value alerts. If we see many recurring alerts that are always suspicious but not really malicious, we can build our own automation rules that auto-close these alerts or automatically lower the priority on those alerts so that we are not getting too many notifications from alerts that are not worth investigating. It's really easy to do that. You can do it in many ways. To do the automation, there is a user-friendly interface. There are just drag-and-drop steps. It helps a lot, and it's easy to implement as well.

It has helped to eliminate having to look at multiple dashboards and have one dashboard for the analysis part, but for the response actions, it hasn't eliminated that because we have to log on to the Microsoft Defender security portals to perform most of those actions. For the analysis part, the alerting part, and the automated investigation part, this is the solution.

Its threat intelligence helps prepare us for potential threats before they hit and take proactive steps. For example, as soon as the Log4j vulnerability was known to the public, we immediately got alerts. We were able to take immediate action and remediate the vulnerability. We immediately knew how to prioritize our customers because we knew which customers already had active exploitation. Most of the time, such attempts were blocked, and if they got through, then the machine was luckily not really vulnerable, but it has been very helpful at that point to immediately assess the criticality for our customers. The attempts were not successful for many reasons. It also blocked them immediately.

It has saved us time. Especially because of the automated investigation part, it saved us a lot of time. We also have automated reporting, which also saves a lot of time each month. We provide our customers with a monthly report. If we had to do it manually and gather data from many different places, it would take a lot of time. Even if we had to fill it in manually in Microsoft Sentinel, it would take a lot of time, but because Microsoft Sentinel already ingests all of the data we use in our reports, we were able to write an integration with Microsoft Sentinel, which takes care of 75% of our reporting, and then we only have to do our analysis part. The data is already filled in, which saves a lot of time each month. The time savings went from one day per customer to one hour or two hours. For nearly fifteen customers, it was fifteen days, and now, it's 30 hours, which is more or less four days. It saves a lot of time each month that can now be spent on improving our service or performing deeper investigations on newly known threats and proactively act on them.

It hasn't reduced our time to detect because we have been using Microsoft Sentinel from the beginning. So, we always had the same response time because we only used Microsoft Sentinel for our alerting. It integrates well with Atlassian tools and ServiceNow tools, which gives us the ability to be alerted very fast on something, and then we can act immediately.

It's easy to use. It's a very good product. It can easily ingest data from anywhere. It has an easily understandable language to perform actions. You can use the entire Azure cloud to perform automated actions and automate investigations. The possibilities are more or less limitless because you can integrate Microsoft Sentinel with many resources inside the Azure cloud. If you integrate the security tooling with it, you can also make use of the data that Microsoft gathers from all Windows operating systems about malware, for instance, or about possible attacks. They ingest that data from so many sources, and you can make use of it. It helps a lot in discovering new vulnerabilities. We can almost immediately investigate them because Microsoft is always on top of things.

Threat intelligence could be better because we have had some cases where we got alerted online for many things all of a sudden. It was because some updates happened in the background, and we didn't agree with the use cases or how they were built. That part of threat intelligence could be a little better.

We have also had incidents where other tooling got an update but Microsoft Sentinel didn't update.

Microsoft Sentinel is a simple and straightforward solution. It could have a better API to be able to automate many things more extensively and get more extensive data and more expensive deployment possibilities. It can gain some points on the automation part and the integration part. The API is very limited, and I would like to see it extended a bit more.

We have recently turned on the bi-directional sync capabilities of Microsoft Defender for Cloud. It works pretty well, but sometimes, it just syncs only the incidents and not the alerts behind them or the other way around. That was the only thing. That was a recent complaint we had. Other than that, it works well.

I've been using Microsoft Sentinel for nearly two years.

It's very stable. We have many different Microsoft Sentinel instances running. Apart from some cleanup and maintenance, they all are running without any issues.

It's very scalable. As long as you send the right logs, it can ingest them perfectly, but, of course, the more logs you ingest, the higher the price, so you have to be very careful and very concerned about the logs you are ingesting in Microsoft Sentinel. You have to make sure that the logs that you ingest provide value for your security and are not useless.

I have not contacted them regarding Microsoft Sentinel, but I have contacted them for other solutions. Sometimes, we can't figure something out ourselves or we have questions about the new features that are made public. If we have a question or need assistance in any way in providing support to our customers, we can count on support to help us. I have not had a bad experience with them. We are also a Microsoft partner, so we get quick replies and have direct contacts within Microsoft sometimes for some cases. If we need support, they always help us very well.

Overall, I would rate them a seven out of ten because sometimes, they take a long time or you get redirected many times to another colleague before the issue is resolved, but in the end, they always help us out, and everything is fixed.

Neutral

In my previous job, we worked with local or on-premise systems, but the security monitoring was not that strong at that time. This is my second job, and in this job, I've only worked with Microsoft Sentinel.

I worked on one of the deployment scripts we use for our customers, but I was not involved in its initial deployment. I deployed it once for a customer by using the Azure resource manager template that I built. It was rather complex because the documentation was not up to date or correct at that time. When working with Microsoft Sentinel, sometimes the documentation is not as up-to-date or complete as it should be in my opinion.

The number of people involved in its deployment depends on the size of the customer, but usually, one or two people from the team do the deployment. One person works on the deployment of Microsoft Sentinel, and the other one usually works on the deployment of other components, such as analytics, automation, etc.

It does require maintenance. In order to stay up to date and keep evolving on the threat landscape, you have to keep looking for new analytic rules, new investigation techniques, and new automations. You have to constantly improve your Sentinel in order to stay on point and detect and have complete detection scenarios. Sometimes, the rules that are provided by Microsoft or the settings or conditions that are provided by Microsoft get deprecated or get a new update. You have to follow that up as well in order to stay up to date with the things Microsoft changes or recommends.

If you want to use Microsoft Sentinel, you should start thinking about the logs that you want to ingest. You should identify the ones that are important and also think of the use cases and what you want to detect from those logs. If you make the right choices on these two things, the setup and the integration with other tools will be very easy because you know from where you want to ingest logs and you know how to create analytics rules, automation rules, and things like that to detect the things that are critical or important to the security of your business.

To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that with a single vendor, we can integrate everything like a single product. We use Azure Active Directory, so we can easily secure authentication across multiple products and manage access permissions. On top of that, we have a single pane of glass where we can investigate and perform analysis in a very easy and user-friendly way, which saves a lot of time. We don't have to click through many different portals and know where to look each time. We don't have to learn the configuration, the setup, and the actions we can perform in each system because everything has the same interface. We only have to learn the things that Microsoft provides and not different products. The single pane of glass saves time and makes it much easier to investigate and respond and secure the environment.

Overall, I would rate Microsoft Sentinel an eight out of ten. I'm very happy with it, but no product is perfect. It can improve on some points, but overall, it's very good.

Microsoft Defender for Cloud's bi-directional sync capabilities are important in the following way. If you have an issue that shows in Defender for Cloud, an incident on your dashboard, and you look into Sentinel and see the same alert has been triggered, after someone on your team looks into it and fixes it, if bi-directional is not enabled, you will still have the alert showing. If someone is looking at the Defender for Cloud dashboard, that alert will still show as active. That's why it's important to have bi-directional sync. It helps make sure that people work on the right cases.

Sentinel enables you to investigate threats and respond holistically in one place. It gives you a central repository where you can have a historical view and see the access point where something started, where it went, and how things were accessed. For instance, if someone was anomalously accessing keywords, with everything in one place you can see where it started, where it went, who was involved in it, what kind of endpoints were involved, what IP address was involved, and what devices were involved. In this way, you have complete historical data to investigate the root cause.

Previously, I worked with a number of different tools to pull the data. But having one pane of glass has obviously helped. When you consider the time it takes to go into each and every dashboard and look into alerts, and take the necessary actions, Sentinel saves me a minimum of 15 minutes for each dashboard. If you have three to four dashboards altogether, it saves you around one hour.

And when it comes to automating routine tasks, if you want to notify the right people so that they can look into a P-1 incident, for example, Sentinel can automatically tag the respective SOC or security incident teams through a team chart and they can directly jump into a call.

Another point to consider is multi-stage attack detection. We have a granular view into the incident. We can investigate which IPs, user entities, and endpoints are involved in the alert. If you have to look at multiple, separate points, it could take one hour to see what happened at a particular point in time. With Sentinel, we can directly look into a certain person and points and that saves a lot of time. And then we can take action on the incident.

Among the valuable features of Sentinel are that it 

• has seamless integration with Azure native tools 
• has out-of-the-box data connectors available
• is user-friendly
• is being expanded with more updates.

The visibility into threats that the solution provides is pretty good. We can see a live attack if something is going wrong; we can see the live data in Sentinel.

I work on the complete Azure/Microsoft stack. With Azure native, we can integrate the various products in a few clicks. It doesn't require configuring a server, pulling of logs, or other heavy work. It's very easy, plug-and-play. The data collectors are available with Azure native so you can deploy policies or it will take care of everything in the backend. If various tools have different priorities for issues, monitoring everything is a hectic task. You have to go into each tool and look into the alerts that have been triggered. It's a big task. If you can integrate them into a single pane of glass, that helps you to find out everything you need to know.

And in terms of the comprehensiveness of the threat protection that these products provide, I would give it a 10 out of 10.

Microsoft Sentinel enables you to ingest data from the entire ecosystem and that connection of data helps you to monitor critical resources and to know what's happening in the environment. At a minimum, we should monitor the servers that are critical in the environment.

It also has hunting capabilities so that you can proactively hunt for things, but a different team looks after that in our organization.

In terms of features I would like to see in future releases, I'm interested in a few more use cases around automation. I do believe a lot of automation is available, and more is in progress, but that would be my area of interest.

I have been using Microsoft Sentinel for more than two and a half years.

It's a stable solution.

It's a scalable model but as you scale up you pay for it.

Microsoft technical support is responsive and helpful. And their technical documents are pretty detailed and well-explained.

Positive

The initial deployment was pretty straightforward.

The number of people involved in the deployment is completely dependent upon the environment and the access we have. If there's something to be done with a third-party application—for instance, Cisco Meraki or ASA—for those, we require support from the networking team to open up ports and forwarding of logs from the firewalls to Sentinel. If it is a native Azure environment, we don't need any support.

As for maintenance, if there are any updates they will pop up in your alerts and you can then upgrade to the latest version. It doesn't take much effort and there is no downtime. You simply update and it takes a few seconds. If someone is experienced, that person can handle the maintenance. If the environment is very big and it requires injecting more logs, then it requires some helping hands.

The pricing is fair.

With a traditional SIEM, people are required for SOC operations and investigations and they require licenses. With Sentinel, people in SOC operations are still required to investigate, but we don't need any licenses for them. With a traditional SIEM, you pay a lump sum for licenses. But with Sentinel, it's pay-as-you-go according to the amount of data you inject.

I would recommend Microsoft Sentinel.

It's always good to compare against other tools when it comes to the value, to get an idea of what you are paying for. Compare the market strategies and the new capabilities that are coming out and whether you're able to unlock the full capabilities or not. Double-check that. As for best-of-breed versus one vendor, you should stick with one vendor only and take whatever they gave.

Our customers primarily use the solution to monitor their infrastructure locally.  Some of our customers want to monitor logs to find some abnormal instances, so, they use Microsoft Sentinel to identify threats or identify what is happening in their infrastructure.

Microsoft Sentinel is easy to use compared to some third-party solutions, for example, if we want to get a log using a lot of the third-party solutions it is very difficult because we have to configure it. But in Microsoft Sentinel, if you want to get a log, you just click next, next, next, and see the log. It's straightforward to use the solution. Microsoft Sentinel is on the cloud, so we don't need to maintain a lot of the OS issues we have with other products. Sometimes SIEM has problems that require a lot of maintenance to resolve the OS issues and that takes a lot of time to deal with, but the Microsoft Sentinel benefit is you're on the Cloud. We don't have to spend time dealing with OS issues. We can use that time to focus on critical incidents.

The most valuable features in my experience are the UEBA, LDAP, the threat scheduler, and integration with third-party straight perform like the MISP.

The product can be improved by reducing the cost to use AI machine learning. In my experience in Taiwan, if you want to use Microsoft machine learning for Microsoft Sentinel, the cost is high. The high cost keeps customers from using the feature.

Currently, I think that the customized log can be improved because I check some documents, and Microsoft Sentinel can only customize some file logs. If some logs can be in a database or some user Syslog for all the events in Microsoft Sentinel to be supported. I can't choose to parse the log. I hope Microsoft Sentinel can support more and more different event types for customization. The solution ends up passing a lot of the logs.

I have been using Microsoft Sentinel for 13 months.

The solution is very stable.

The solution is easy to scale.

Technical support uses a ticket system. We just use the portal and I can open a ticket for them, and they will respond back to us. The technical support team is very good they solve a lot of the issues for us, or help us solve a lot of issues, but sometimes the issues can be more complicated and they cannot help us. If I submit a complicated ticket to technical support and they still don't know how to resolve it we are required to use premium support and that option comes with an additional fee. If you have less complicated issues free technical support can resolve the ticket but with more complex tickets you need to use the premium service.

Positive

The initial setup is very easy we just choose where to create, and then next, done, finished. Very easy. The deployment took less than five minutes and only required one person.

The implementation was completed in-house on my own. I just studied Microsoft documents and trained myself. If I still don't know something, I open a ticket to Microsoft to get some help.

The solution is expensive and there is a daily usage fee.

I give the solution an eight out of ten.

I am a third-party user of the solution, but if I were an outside user of Microsoft Sentinel, I really like it because they have a lot of the functions that others don't have. Things like the UEBA and intelligence from Microsoft. Microsoft has already studied a lot of threat intelligence, and they have the capability to help us detect what kind of content will match Microsoft intelligence. I like this and also has a lot of AI machine learning. This will help me to review or, learn easily. I hope this product will help me with a lot of things.

The solution states that it provides good visibility into threats by identifying vulnerabilities. I'm not clear on the vulnerability feature. I am not sure if most customers are familiar with the feature. I believe the feature is used to detect a lot of threats, but what kind of vulnerability? I am still not familiar with the feature.

I think because our enterprise has a lot of different Standard Operating Procedures it depends on the customer, for example, the solution helps detect ransomware, and that helps the organization prioritize dealing with the ransomware situation above other threats.

We have one customer that has implemented Microsoft Security E5. That means they also have Microsoft Defender 365. They use this to detect their infrastructure and their endpoints as well as if they have a SaaS platform they can monitor abnormal behavior.

I have integrated Microsoft Sentinel and Microsoft Defender 365, and they are very easy to integrate. They also have a correlate function and they have rules called Fusion. This Fusion function helps us investigate the correlation between the products.

Because my job is to help the customer integrate, I don't know how well the solutions work together to deliver detection and response for our customers. I am not involved once the solutions are deployed.

In Taiwan, we don't have customers that use Microsoft Defender for Cloud but I use it in my lab.

Some of our customers have additional solutions that are not Mircosoft. I have some customers, who have some data from the Microsoft device, from Windows and maybe events, and others that are not Microsoft products. The customers use their own on-premise, third-party products and buy their solutions. Hence, it is difficult to say if Microsoft Sentinel enables us to ingest data from the whole enterprise.

You can investigate the threats and respond from one place using Microsoft Sentinel. We should report correlation too. It's effortless to investigate responses in Microsoft Sentinel.

In Taiwan, we don't believe in automating routine tasks. There are a lot of things we still do manually and are not using the automated function of Microsoft Sentinel except to send mail.

With Microsoft Sentinel, we use one unified dashboard that is very easy.

We don't use the threat intelligence from Microsoft Sentinel because it is not public, so when a threat is detected that matches the Microsoft database threat intelligence, they only send us an alert, but they don't provide the content inside. Instead, we use open-source threat intelligence and integrated it into the solution.

Using Microsoft Sentinel has reduced the time spent per incident from three hours to one and a half to two hours.

The solution has not saved any money because it is still expensive. We have a large customer demand but all the vendors are as expensive as Microsoft Sentinel. I think they are very expensive. The solution has a daily usage charge.

Depending on the rule being used the solution can save us time in detecting incidents or threats. I can say we just use the default, sometimes it's very long and doesn't really take a lot of time. We get the result to tell me, "Oh. You have an incident happen." But I still don't know why Microsoft usually misses the threats. I still don't know why they design it like this, because I have had some instances in my past experience where the rule is if a threat is detected we must immediately alert first. Perhaps the detection module for Microsoft Sentinel is old. It starts to already alert us and that is a default rule. So, I still don't know why Microsoft Sentinel was created like this. I still don't understand. If you use a UEBA, to detect some threats in some abnormal behavior it's very fast, but if you use the scheduler to detect a lot, sometimes it takes a long time.

In my experience, everything is working and the solution doesn't have any bugs.

The solution is only released on the cloud on Azure. You can't deploy the solution on-premise.

Currently, I only deploy in a single environment. I don't have another environment because almost all our customers use a single environment. Perhaps in the future, they will add another cloud that will use Microsoft Sentinel. That is a very long time in the future. In my experience, the solution is used only in a single environment. We have two people in our organization that use the solution and four to five large customers.

Since Microsoft Sentinel is cloud-based it updates automatically and requires no maintenance from our end.

I think I'm more likely to use a single vendor over using a best-of-breed strategy because a single vendor, integrates together all of the things. I don't need to customize. Trend Micro doesn't understand Microsoft products, and Microsoft products, don't know Trend Micro products. If I choose to use a single solution that means they will handle all of those things. I don't need to use or take the time to customize some functions. I don't need to do that. I prefer to use a single vendor.

If a customer is already using a lot of Microsoft solutions I would recommend Microsoft Sentinel because it is very easy to integrate, but if a customer is using multiple different third-party security solutions I would not recommend Microsoft Sentinel because it will take more time to integrate it and check everything.

We're a managed security service provider using Sentinel for its primary SIEM capability. Our company looks after multiple Sentinel instances for a variety of customers. However, we don't do anything through Lighthouse because every customer we monitor wants everything in their own tenant space. 

The company ensures suitable detections are created and loaded into the Sentinel side, and we provide them with KQL to help them with some in-house use cases with a security focus. We also made some dashboards so they could visualize their data and what their issues would look like. We adopt different deployment models depending on the customer. It's usually a public cloud or hybrid in some instances.

We work with a few Microsoft products, but it's mostly the Defender for Cloud Suite, including Defender for Endpoint and Defender for Cloud. It's undergone a rebrand from the Cloud Application Security side. We also use Azure Active Directory, Microsoft Cloud Security, and several other Azure and Office 365 applications.

Sentinel made it easier to put everything into one place instead of checking multiple tools, especially when working with Microsoft shops. They focus a lot of the efforts on the Sentinel side, so the data is being correctly pushed across and easily integrated with third-party capabilities. Palo Alto and Cisco feeds can work almost side by side with the native Microsoft feeds seamlessly.

Sentinel helps us automate routine tasks and findings of high-value alerts from a detection perspective. Still, I haven't made much use of the SOAR capabilities with the Logic Apps side of things because of the cost associated with them, especially at volume from an enterprise environment. It was felt that using those features might push some of the usage costs up a bit. We thought it was more of a nice-to-have than something essential for the core services we wanted to leverage. We avoided using that again, but it was more of a cost issue than anything. 

Instead of having to look at dashboards from multiple parties, we have one place to go to find all the information we want to know. This consolidation has simplified our security operations. 

Usually, it isn't good to have all your eggs in one basket. However, with Azure replicating across the data center, it's better to have all your eggs in one basket to effectively leverage the raw data that would typically be going into multiple other tools. Having everything in one place allows a nice, clear, concise view if you want to see all your network data, which you can do easily with Sentinel.

Some of the UEBA features helped us identify abnormal behaviors and challenge users to ensure it's undertaking particular activities. You can isolate accounts that may have been compromised a bit quicker.

Sentinel reduced implementation time and sped up our response. I can't give a precise figure for how much time we've saved. Onboarding an Azure feed to a third-party SIEM system might take a couple of days or weeks to get the relevant accounts, etc., in place. Onboarding is a matter of minutes with Sentinel if it's a Microsoft feed. Having everything in one place makes our response a little quicker and easier. The KQL can be easily transferred to support the threat-hunting side because all the information is just there.

Our threat visibility also improved. Sentinel changed a lot since I started using it. It's like a whole new product, especially with the tighter integrations on the Defender for Cloud. For customers heavily reliant on Microsoft and Azure, it's much cleaner and more accessible than logging in to multiple tools. 

I think some of the two-way integrations started to come through for the Defender for Cloud suite as well, so whenever you closed off notifications and threats, et cetera, that were being flagged up in Sentinel, it replicated that information further back to the source products as well, which I thought was a very nifty feature.

It helps us prioritize threats, especially with the way that the various signatures and alerts are deployed. You can flag priority values, and we leveraged Sentinel's capabilities to dynamically read values coming through from other threat vendors. We could assign similar alerts and incidents being created off the back of that. It was good at enabling that customizability.

The ability to prioritize threats is crucial because every business wants to treat threats differently. One organization might want to prioritize specific threats or signatures more than another customer based on how they've structured and layered their defense. It's useful from that perspective.

The native integration of the Microsoft Security solution has been essential because it helps reduce some false positives, especially with some of the impossible travel rules that may be configured in Microsoft 365. For some organizations, that might be benign because they use VPNs, etc.

Sentinel lets you ingest data from your entire ecosystem. When I started using it, there wasn't a third-party ingestion capability. We could get around that using Logstash. It was straightforward. The integration with the event hub side allowed us to bring in some stuff from other places and export some logs from Sentinel into Azure Data Explorer when we had legal requirements to retain logs longer. 

I've used  UEBA and the threat intel, which are about what I expect from those sorts of products, especially the threat intel. I like how the UEBA natively links to some Active Directory servers. It's excellent. Integration with the broader Microsoft infrastructure is painless if your account has the correct permissions. It was just ticking a box. It's clear from the connector screen what you need to do to integrate it.

The integration of all these solutions helped because they all feed into the same place. We can customize and monitor some of the alert data from these various products to create other derivative detections. It's like an alert for our alerts.  

For example, we could look at a particular user IP or similar entity attribute and set an alert if they've met specific conditions. If there are more than a given number of alerts from different products, we treat that as a higher priority. It's beneficial for that.

Sentinel could improve its ticketing and management. A few customers I have worked with liked to take the data created in Sentinel. You can make some basic efforts around that, but the customers wanted to push it to a third-party system so they could set up a proper ticketing management system, like ServiceNow, Jira, etc.  

It would be helpful for incident responders to be able to assign tickets and have permissions assigned to them. Once you have escalated tickets from Level 1 to Level 2, there may be areas where you want to control who has access to the raw Sentinel tool. 

I started using Sentinel in July of last year.

Sentinel's stability is great. We only had one outage for a couple of hours, but that was a global Azure issue. 

I think I've not had to worry too much about the scaling. It seems to be able to handle whatever has been thrown at it. I assume that's part of the SaaS piece that Sentinel falls under. Microsoft will worry about what's happening behind the scenes and spin up whatever resources are needed to make sure it can do what it needs to do.

I rate Microsoft support a ten out of ten. We had a few issues with certain filters working with some connectors. There were problems with certain bits of data being truncated and potentially lost. I spoke to some people from the Israeli team. They responded quickly and tried to be as helpful as they could. 

Support made a solid effort to understand the problem and resolve it. They maintained regular communications and provided reassurance that they were sorting out the problems.

Positive

I used Elasticsearch, Kibana, and Splunk. We switched to Sentinel because of the ease of use and integration. Microsoft infrastructure forms the backbone of our environment. We use Azure for hosting, Active Directory for user accounts, and Office 365 for communications and data storage. 

Sentinel made a lot of sense, especially given our difficulties getting our data onboarded into the Elasticsearch stack. We saw similar challenges with Splunk. Sentinel works natively with Microsoft, but we've still had some pain points with some of the data sources and feeds. I think that's just more about how the data has been structured, and I believe some of those issues have been rectified since they've been flagged with Microsoft support.

At the same time, Sentinel is a little more costly than Splunk and the Elasticsearch stack. However, it's easier to manage Sentinel and get it up and running. That's where a cost-benefit analysis comes in. You're paying more because it's easier to integrate with your environment than some of the other providers, but I'd say it is a little on the costly side.

I've spun up my instance of Sentinel for development purposes at home, and it was quick and easy to get through. The documentation was thorough. From the Azure portal, you click Sentinel to ensure all the prerequisites and dependencies are up and running. On the connector side, it's just a matter of onboarding the data. It's straightforward as long as you have the correct permissions in place.

Deployment requires two or three people at most. You probably don't even need that many. Two of the three were just shadowing to get experience, so they could run with their deployments.

It doesn't require much maintenance. Microsoft does a great job of building a SaaS solution. Any problems in the region where Sentinel is hosted are visible on the Azure portal. Once the initial configuration and data sources are deployed, it takes minimal upkeep.

The deployment was done in-house.

It's hard to say whether Sentinel saved us money because you only know the cost of a breach after the fact. We'll probably spend more on Sentinel than other products, but hopefully, we'll see a return by identifying and remediating threats before they've become an actual cost for our clients. 

Sentinel has made it a little easier to get the initial Level 1 analysts onboarded because they don't need to know how to use, say, Palo Alto's Panorama. They can focus their efforts on one query language that enables them to go across multiple different vendors, products, and tools. It's quicker for a Level 1 analyst to get up to speed and become useful if they don't need to learn five or six different ways to query various technologies.

Sentinel's pricing is on the higher side, but you can get a discount if you can predict your usage. You have to pay ingestion and storage fees. There are also fees for Logic Apps and particular features. It seems heavily focused on microtransactions, but they may be slightly optional. By contrast, Splunk requires no additional fee for their equivalent of Logic. You have a little more flexibility, but Sentinel's costs add up. 

I rate Sentinel an eight out of ten. My only issue is the cost. I would recommend Sentinel, but it depends on what you want to get from your investment. I've seen Sentinel deployed in everything from nonprofits to global enterprises. With multiple vendors, you're more at risk of causing analyst fatigue.

Microsoft has done a great job of integrating everything into one place. The setup and configuration of Azure's general hosting environments reduce the risk. Most services are on the cloud, so Sentinel makes it much quicker and easier to get up and running. You don't need to worry about training and getting multiple certifications to have an effective SOC.

I recommend sticking with Sentinel and putting in as many data sources as you can afford. Put it through its paces based on a defense-in-depth model. Take advantage of all the information Microsoft and others have made available in places like GitHub, where there is a vast repository of valuable detections that can be tweaked depending on your environment.

It makes it a lot easier to get started. Many people approaching security with a blank canvas aren't sure where to go. There are a lot of valuable resources and information available.

Our team uses Microsoft Sentinel to monitor all security incidents. Security analysts working the intake process configure rules that trigger alerts based on specific criteria and route them to the appropriate team based on the event ID. This unified view within Sentinel allows me to investigate each incident, tracing its origin, path, and endpoint. By analyzing the information gathered, I can then determine whether the alert is a true positive or a false positive.

The visibility into threats that Microsoft Sentinel provides is excellent.

Microsoft Sentinel prioritizes threats across our organization, with levels P1, P2, and P3. This helps me determine how to investigate since some alerts, especially P1s, might seem critical at first glance. However, further investigation may reveal non-critical situations, like a P1 triggered by an authorized user's access from an unfamiliar IP or location. Analyzing logs can help identify these scenarios and ensure appropriate responses.

Microsoft Sentinel and Defender seamlessly integrate to provide a unified system for detecting and responding to security threats across our entire environment. This is crucial for meeting compliance standards and informing client communication. By investigating all security events and summarizing key findings in reports, we can not only highlight critical incidents but also demonstrate the steps we're taking to reduce the overall number of high, medium, and low-severity threats for our clients.

I would rate the comprehensiveness of the threat-protection that Microsoft Sentinel provides an eight out of ten.

Once data is ingested, the process begins with reviewing the ticket information. This can then lead us to Sentinel, where we can view logs. The depth of our investigation determines the next step: a login to Defender, which provides the full range of investigation tools to pinpoint the root cause of the incident.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place.

I would rate the comprehensiveness of Microsoft Sentinel eight out of ten.

Microsoft Sentinel helps automate routine tasks and the finding of high-value alerts.

Microsoft Sentinel simplifies security management by offering a single, unified XDR dashboard, eliminating the need to switch between and monitor multiple disconnected security tools.

The threat intelligence gives us a proactive advantage by anticipating potential threats, allowing us to prioritize and swiftly address critical incidents before they cause harm.

Microsoft Sentinel has helped save us time.

The detection is in real-time with Microsoft Sentinel. 

While Microsoft Sentinel provides a log of security events, its true power lies in its integration with Microsoft Defender. Defender extends Sentinel's capabilities by allowing for in-depth investigation. Imagine investigating a phishing email: through Defender within Sentinel, we can view the email itself, block the malicious email address and its domain, and even take down its IP address – all within a unified platform.

I would like Microsoft Sentinel to enhance its SOAR capabilities. 

I have been using Microsoft Sentinel for two years.

I would rate the stability of Microsoft Sentinel ten out of ten.

I would rate the scalability of Microsoft Sentinel ten out of ten.

I evaluated a few other SIEM solutions but I prefer Microsoft Sentinel because it is straightforward and I can also use Defender to investigate.

I would rate Microsoft Sentinel nine out of ten.

While Microsoft Sentinel offers SIEM capabilities for security information and event management, it doesn't fully replace the need for a separate SOAR solution, which specializes in security orchestration, automation, and response.

In addition to Microsoft Sentinel, I've also used IBM Security QRadar, which I believe is a superior solution because it functions as both a SIEM and SOAR, offering a more comprehensive approach to handling complex security processes.

I advise taking the course before using Microsoft Sentinel to have a better understanding of the solution.

I recommend trying Microsoft Sentinel.

We are a security service provider, and we are using Microsoft Sentinel to provide managed security services to our customers.

The visibility that it provides is very good because Microsoft is a front runner in threat intelligence and cybersecurity operations. They have their own threat intel team that is very active. They are actively covering any new threats that are coming into the landscape. They are adding detections, queries, playbooks, and other things related to new threats. They have out-of-the-box integrations, and the coverage of new threats is very fast in Microsoft Sentinel.

It helps us to prioritize threats across our enterprise. Whenever we onboard new customers, after integrating all of their log sources, we actively check for any latest threats being present in their environment. Microsoft Sentinel is natively integrated with all the latest threat intel available, which makes it very valuable for us. It is a SaaS application. So, it is very easy to deploy this solution for new customers to cover their security needs.

In addition to Microsoft Sentinel, we use the EDR solution from Microsoft, which is Defender for Endpoint. We also use Office 365 for email purposes. We have integrated Microsoft Sentinel with these products. In Microsoft Sentinel, there are connectors specifically for this purpose. All the logs from these products are available in this SIEM tool, and it is easy to manage everything from a single pane of glass.

Even though Microsoft Sentinel is a cloud-native product, by using the connectors, you can easily integrate your on-prem and cloud resources with Microsoft Sentinel. Most of our tools including On-Prem are currently integrated with Microsoft Sentinel.

It is very helpful in automating tasks that otherwise require manual intervention. There are two ways to do automation. One is by using the automation rules, and the other one is through playbooks. Automation rules can be used to automate simple tasks, such as automatically assigning an incident to a particular analyst who should be monitoring the incident. By using automation rules, you can automate various tasks, such as setting the severity of the incident and automatically changing the status of the incident.

Playbooks can be used to automate high-value tasks, such as blocking a malicious IP in the firewall or blocking a particular user in Azure Active Directory. All such tasks can be automated through playbooks.

There are lots of things that we have found valuable in this solution. Mainly, this is a cloud-native product. So, there are zero concerns about managing the whole infrastructure on-premises.

Kusto Query Language that powers Microsoft Sentinel is another valuable feature. It is a very fast and powerful language.

The integration with different ticketing tools like Jira, ServiceNow, etc. is also a great plus point.

Besides that, the addition of new features to the product is very fast. The overall customer experience in terms of using their Cloud Security Private Community and being able to provide our feedback and suggestions is good. They take the feature requests on priority, and whenever possible, they add the new features in the next version of the product.

Currently, SPAN traffic monitoring is not available in Microsoft Sentinel. I have heard that it is available in Defender for Identity, which is a different product. It would be good if  SPAN traffic monitoring is available in Microsoft Sentinel. It would add a lot of value. It is available in some of the competitor products in the market.

Also Reporting feature is missing in Sentinel. Currently, we have to rely on PowerBI for reporting. It would be great if this feature is added. 

We have opted for the pay-as-you-go model, which doesn't come with free support. If some limited free support was available with the pay-as-you-go model, it would be good. 

I have been using this solution for about one year.

There is a great community for Microsoft Security, and we mostly rely on this Microsoft Security community and Microsoft Q&A forums for support. Currently, we are using the pay-as-you-go model which doesn't come with free on-call support. It would be good if some free support was available, even if in a limited way, with the pay-as-you-go model. So, we haven't used their on-call support yet, but their support from the community has been great. Because of that, I would rate their support an eight out of ten.

Positive

Before Microsoft Sentinel, we were not working with any other cloud-native SIEM solution. 

It's important to understand the daily data ingestion required for you or your customer (in case you're an MSSP). There are price tiers starting from 100 GB/day ingestion. But if your ingestion varies too much or your ingestion is lower than 100 GB, you may go for the pay-as-you-go (Per GB) Model. In the case of pay-as-you-go, it is about how closely you monitor the ingestion of each GB of data and how effectively you limit that ingestion. If you don't effectively monitor the ingestion, the price may be too much, and you may not be able to afford it. You should be very clear about your data usage. Sentinel provides great granular visibility into data ingestion. Some of the data might not be relevant to security. For example, basic metrics or other log data might not be very useful for monitoring the security of an enterprise. If you do the right things and limit the ingestion of data, its license plan is perfect, and you can save lots of money.

We considered AlienVault, QRadar, and other solutions, but we didn't try those solutions before opting for Microsoft Sentinel because Sentinel was having fantastic reviews and it was our perfect first choice for our Cloud-Native SIEM tool. So, we decided to first try Microsoft Sentinel. If we had not found it satisfactory, we would have tried other solutions. After doing the trial version for 30 days, we were very happy with Microsoft Sentinel. The addition of new features was also very fast. So, we decided to go ahead with the product.

Microsoft Sentinel is an awesome SIEM/SOAR tool for customers with active Cloud presence. Even for on-prem customers, it is providing great flexibility for integrations. 

I would rate Microsoft Sentinel a nine out of ten.

We require a comprehensive, scalable solution for cyber threat protection. 

The interface is simple. It was easy to click through and to refer back and assess things. 

We can do frequent training sessions so that people or end users are able to get used to the system.

Microsoft Defender is proven to be able to incorporate with this product. We also utilize the Power BI dashboard. We wanted to monitor the logins. It's helpful for threat investigations. We're able to use the session queue report to identify the frameworks having issues.

The workflow is quite smart. Incidents alerts can be generated automatically. It has good automation capabilities and that helps us respond to incidents quickly.

Sentinel provide our customers with a unified set of tools to detect, investigate, and respond to incidents. It's actually a part of Defender. It's unified within the operating platform. This allows for the mobility of the end user.

Our customers use Sentinel to help secure hybrid cloud and multi-cloud environments. We do have a limited amount of space. Out of ten or so clients, five or six have adopted a cloud protection system.

We can use it with Microsoft Athena and we can manage compliance and see logs for analytics. Sentinel can correlate signals from first and third party sources into a single high-confidence incident. Since the process is automated, it makes our response times faster. This saves the team's time.

We do make use of the solution's AI capabilities. The machine learning is very mature. Its machine learning has been very good overall. It's also something that enhances response times and threat analysis. 

It's provided us with improved visibility into user and network behavior.

Sentinel has reduced the work involved in the event investigation by quite a lot.

From a client perspective, they'd like to see more cost savings. I'm not sure if Sentinel gives a POC for free.

I've been using the solution for two years.

The solution is very stable. We haven't received any complaints and haven't had outages.

The solution is easily scalable. Of course, we do have to do due diligence with our Oracle system architecture.

We have an SLA that says there will be a receiving engineer that will respond if the system is down. Technical support is great. They might have different tiers of service.

Positive

I did not personally deploy the product. I just work with it.

There is some maintenance. We do have a resident engineer that's certified on troubleshooting.

We have a technical partner that helps with deployment. 

The solution is less expensive than an APM option. If the client wants to have a complete solution that covers the whole big organization, a good option will be going with Microsoft Sentinel. For the features it has, the price is justified.

We are an SSI system integrator.

I'd rate the solution nine out of ten.

For those interested in adopting the solution, I'd suggest looking at the costing and billing and ensuring you have the budget and maybe doing a POC for 45 days or two months so that they can really experience the product.