Microsoft Sentinel Reviews

When Exchange email is outside the domain, we have found sometimes that there are phishing emails. With the help of Microsoft Defender only, without Sentinel, we would not be able to track them. A couple of times data was compromised. With Sentinel, what we have done is integrate Microsoft Endpoint for Defender, M365 Defender, and our Exchange Online for all the email communications in and out.

With the investigation and threat-hunting services in Sentinel, we have been able to track and map our complete traffic: Where it started from, where it was intercepted, and where the files were downloaded and exchanged. We have been able to see how a phishing email was entering our domain. Accordingly, we understood that we needed to develop or modify some rules in Exchange and now, we do not have any phishing emails.

Sentinel enables us to investigate threats and respond holistically from one place to all of the attack techniques, such as MITRE ATT&CK, manual, DDoS, and brute force attacks. They are quickly identified by Sentinel. That is of high importance because we don't use any other product with Microsoft. Our SOC team continuously analyzes and monitors Sentinel, the activities and events that are happening. That team needs to be equipped with all of the real-time data we are getting from our ecosystem.

We have also integrated our SIEM with multiple firewalls and proxies. The traffic in and out, coming from the firewalls and proxies, is intercepted by Sentinel. We are now getting granular visibility into our traffic. We can see the hits we are getting from various regions, such as the hits that recently came from Russia. We have multiple such attacks on our firewall front end and we have been able to develop more granular rules on our firewalls.

And for DLP we have the help of protection from Microsoft Information Protection labels that we have defined for our data. Whenever this labeled data is shared, the data is limited to the recipients who were specified in the email. Similarly, our OneDrive data has been secured with the MIP Labels. All of this tracking is happening on Sentinel, which is giving us a broader view of where our data is traveling within and outside our organization as well.

People tend to go with Microsoft because it provides you with 360-degree protection, protecting your files, network, infra, and cloud environment. Each of its products is linked and interacts with the others. Microsoft Defender for Cloud will interact with Microsoft Defender for Cloud Apps, for example. And both of them can interact with Sentinel. Sentinel is the central SIEM in Microsoft and has the ability to take all the instructions from all of these Microsoft products and it gives you a central dashboard view in Azure. That helps manage infrastructure and identify threats. It's a single pane of glass. That's why Microsoft is gaining compared to other products.

Eliminating our multiple dashboards was a little tough in the beginning, but the Microsoft support team's expertise helped us create our own dashboard. Previously, when we started integrating all the products, it was very hard for us to give a broader review to management. It was only something the technical guys could do because they know what all those events mean. But when it came to a dashboard and presenting the data to the stakeholders, it was very tough. With the help of Microsoft's expert engineers, we were able to create dashboards into Sentinel, as well as with the help of Azure dashboards and Microsoft Power BI, and we were able to present the data.

We got Sentinel to send the data to Microsoft Power BI and that helped us create some very useful and easy dashboards so that our stakeholders and senior-level management, who are non-technical guys, could understand much better how we are utilizing this product. They can see how much we are making use of it to investigate, hunt, and track the incidents and events, and the unnecessary accessing of applications in the environment. As a result, we started to put granular controls in place and restrict unnecessary websites.

The watchlist is one of the features that we have found to be very helpful. We had some manual data in our Excels that we used to upload to Sentinel. It gives us more insightful information out of that Excel information, including user identities, IP addresses, hostnames, and more. We relate that data with the existing data in Sentinel and we understand more.

Another important feature is the user behavior analytics, UEBA. We can see how our users are behaving and if there is malicious behavior such as an atypical travel alert or a user is somewhere where he is not regularly found. Or, for example, if a user does not generally log in at night but we suddenly find him active at night, the user behavior analytics feature is very useful. It contains information from Azure Identity as well as Office 365.

With the E5 license, we have Microsoft Defender for Cloud Apps, Microsoft Information Protection, Defender for Cloud, and Defender for Office 365. All of these products are integrated with Sentinel because it has those connectors. With both Microsoft and non-Microsoft products it can be integrated easily. We also have ASA on-premises firewalls and we have created a connector and have been sending those syslogs to Sentinel to analyze the traffic. That is the reason we are able to reverse-investigate and hunt threats going on in our network, end to end.

Sentinel enables us to ingest data from our entire ecosystem. In addition to integrating our Cisco ASA Firewall logs, we get our Palo Alto proxy logs and some on-premises data coming from our hardware devices. We also get our Azure Firewall logs, and the logs from the Microsoft 360 bunch of products, like MIP and Defender for Cloud, Defender for Cloud Apps, et cetera.

When I think about the kinds of attack techniques that you are not able to understand at eye level, the AI/ML logic being used by Sentinel helps an administrator understand them in layman's language. It tells you that something has been identified as a malicious event or activity being performed by a user. All of those details are mentioned in an understandable manner. That is very important and is one way Sentinel is playing a wider role in our environment.

We use Microsoft Defender for Cloud and from that we get our regulatory compliance, recommendations, CSPM recommendations, cost recommendations, cost-optimizing strategies, and techniques for things like purchasing reserve instances. It helps us reduce the number of unused VMs or turn off VMs if they're not in production, as well as DevOp VMs in the early hours. We also use it for applying multi-factor authentications for users and reducing the number of owner or administrator roles that are assigned to subscriptions.

And the bi-directional sync capabilities of Defender for Cloud with other Microsoft products is near real-time, taking a couple of seconds. Within a minute, the information is updated, always, for all of the products that are integrated. Some products have a latency of around 4 to 12 hours of latency to update.

The following would be a challenge for any product in the market, but we have some in-house apps in our environment. We were thinking of getting the activities of those apps into Sentinel so that it could apply user behavior analytics to them. But our apps were built with different parameters and the APIs for them are not present in Sentinel. We are working with Microsoft to build those custom APIs that we require. That is currently in progress. 

We are happy with the product, but when it comes to integrating more things, it is a never-ending task. Wherever we have a new application, we wish that Sentinel could also monitor and investigate it. But that's not possible for everything.

I have used Microsoft Sentinel for around two years now.

It is scalable, with the help of the log retention facility in Sentinel in the Log Analytics workspace. We can limit the data that is being retained in it and that limits the cost.

We have it deployed across multiple sites.

In the beginning, it was not so good, but when we switched from standard support to premium support, the support improved.

I have been using QRadar and Splunk, but they both only gave me a centralized SIEM solution, a SOAR, and a VAPT solution. But I wanted to reduce the efforts required when jumping into different portals at different points in time. The way things stood, I had to hire different engineers to maintain those different portals and products. With the help of Sentinel, I could integrate all of my applications with Sentinel, as the APIs were ready and the support for them from Microsoft was good. That's why we thought of moving to Sentinel.

It was pretty hard to convince the stakeholders to invest so much in protecting the ecosystem through investigating and hunting, which is mainly what Sentinel is for. The integration part comes later. But convincing the stakeholders about the cost we would be incurring was a big challenge.

Slowly but surely, we started integrating many of our products into Sentinel and it started showing us things on the dashboard. And with the help of the Logic Apps, we were able to do multiple other things, like automatically creating tickets out of the incidents that are detected by Sentinel, and assigning them to the SOC team. It reduced the SOC team's workload because they used to manually investigate activities and events. Sentinel killed those manual tasks and started giving "ready-made" incidents to work on and mitigate. It has helped my SOC team because that team was facing a lot of issues with workload.

Then we also got visibility into different products, like Microsoft Defender, and Defender for Cloud Apps, whereas we used to have to jump into different portals to see and analyze the logs. Now, we don't have to go to any other product. All the integration is happening with Sentinel, and with the help of the AI/ML in Sentinel, investigating and threat-hunting have become easier.

It took around six months for us to realize these benefits because we were slowly integrating things, one by one, into it. We were a little late in identifying the awesome capabilities it has.

Most of our products are integrated but a few of our products are facing challenges getting connected. We are dealing with it with Microsoft and they are creating a few connectors for us.

We had to pay extra compared to what we would pay for other products in the market. But you have to lose something to gain something. Sentinel reduced the efforts we are putting into monitoring different products on different portals, and reduced the different kinds of expertise we needed for that process. Now, there are two to three people handling Sentinel.

The pricing was a big concern and it was very hard to explain to our stakeholders why they should bear the licensing cost and the Log Analytics cost. And the maintenance and use costs were on the higher side compared to other products. But the features and capabilities were going to ease things for my operations and SOC teams. Finally, the stakeholders had clarity.

Microsoft is costlier. Some organizations may not be able to afford the cost of Sentinel orchestration and the Log Analytics workspace. The transaction hosting cost is also a little bit on the high side, compared to AWS and GCP. But because it gives a 360-degree combination of security products that are linked with each other, Microsoft is getting more market share compared to Splunk, vScaler, or CrowdStrike.

But if I want to protect my files, to see where my files have been sent, or if the file I'm receiving is free of malware, or even if one of my users has tried to open it, Windows Defender would track it first. The ATP (Advanced Threat Protection) scans my emails and the attachments first. It determines if the attachment is safe and, if it is not safe, it will block it. I don't have to create any granular or manual settings. That connectivity across different products has a brighter future. That's the reason, even though we have a small budget, that we are shifting to Microsoft.

There are competitive applications in the market, like vScaler, Splunk, QRadar, and CrowdStrike. These are also good in terms of their features and capabilities. But these products only work as a SIEM or VAPT solution. They won't scan everything that we need to protect.

But if you are only considering SOAR, I prefer CrowdStrike because of cost and the features it provides. The AI/ML is also more developed compared to Sentinel.

But why Sentinel? Because it not only covers Microsoft products, but it also has API connectors to connect with any non-Microsoft products. It has inbound APIs for connectivity to QRadar, vScaler, or Splunk, so we can bring their data into Sentinel to be analyzed. Splunk is doing its job anyway, but Sentinel can filter the information and use it to investigate things. 

Those have great visibility and great potential over Sentinel. But for products that are out of the ecosystem, those competitive solutions might face issues in connecting or integrating with them.

We have created a logic app that creates tickets in our service desk. Whenever a ticket is raised, it is automatically assigned to one of the members of our SOC team. They investigate, or reverse-investigate, and track the incident.

Every solution requires continuous maintenance. We cannot rely on AI/ML for everything. Whenever there is a custom requirement or we want to do something differently, we do sit with the team to create the required analytic rules, et cetera. It doesn't involve more than three to four people.

In terms of the comprehensiveness of Sentinel when it comes to security, it plays a wide role in analysis, including geographical analysis, of our multiple sites. It is our centralized eye where we can have a complete analysis and view of our ecosystem.

Go with a single vendor security suite if you have the choice between that and a best-of-breed strategy. It is better to have a single vendor for security in such a complex environment of multiple vendors, a vendor who would understand all the requirements and give you a central contact. And the SLA for response should be on the low side in that situation, as Microsoft, with its premium support, gives an SLA of an immediate callback, within two to three minutes of creating a ticket.

We use Microsoft Sentinel to monitor many different environments for cybersecurity incidents, and we use it as our main alerting tool to let us know when this activity happens. It also interfaces with all of our other Defender products, such as Defender for Office 365, Defender for Endpoint, et cetera.

Almost all of our solutions are based in Azure. We use Defender for Endpoint, Defender for Office 365, Defender for cloud, Sentinel, and Azure Active Directory Identity Protection.

I use the latest version of Sentinel.

Sentinel is mostly used within our security operations center and our security team. We have about 50 endpoint users.

The backbone of our organization is built on Microsoft Sentinel, its abilities, and the abilities of our Defender stack. Ideally, we'd have more data, but a lot of data and functionality are in one place. The Lighthouse feature is outside Sentinel, but it allows us to have multiple environments integrated into one and to access lots of different Sentinel environments through that. It's very easy to manage a security workload with Sentinel. 

I would like to see better integration with CICD. It should be easier to use GitHub, Jenkins, or whatever our code management stack looks like. Whether or not you use Azure DevOps, being able to manage the code you have is fairly important.

Since using Sentinel, we've experienced a faster response time and easier development features. There aren't as many hurdles to moving a configuration.

I'm not sure how long it took to realize the benefits because it was deployed before my time here. It took me about three months to get familiar with what Sentinel has to offer and how we could leverage it, so it will be about three months before you start getting proper value from it.

There are still elements of Sentinel that I haven't used to their fullest potential, like the Jupyter Notebooks and internet hunting queries.

The solution is good at automating routine tasks and alleviating the burden for analysts.

Automation has moderately affected our security operations, although there is scope for it to significantly affect SecOps. There is definitely the capability for Sentinel to do pretty much all of your first-line response, which would be a significant improvement. It's a moderate effect because we only use automation in a few areas.

There are a few different dashboards for each of the Microsoft tools. We have a dashboard for Defender, one for Sentinel, and one for Active Directory Identity Protection. It consolidated alerts in some aspects, but a lot of information is still scattered.

It's fairly good for being reactive and responding to threats and looking for indicators of compromise. Overall, it helped us prepare for potential threats before they hit.

Sentinel saves us time. The automation feature especially saves us time because we can automate a lot of menial tasks. If other businesses could do that, it would eliminate a lot of their first-line response.

Sentinel saves us about 20 hours per week, which is the equivalent of a part-time staff member.

It saved us money. It's a very cost-efficient SIEM to use and still provides a good level of coverage despite that. 

Sentinel saved us about 50% of the cost of Splunk. It decreased our time to detect and respond by about 10-15%.

The automation rules and playbooks are the most useful that I've seen. A number of other places segregate the automation and playbook as separate tools, whereas Microsoft is a SIEM and SOAR tool in one.

It provides us with very high visibility. It allows us to see a lot holistically across our environment in Azure. It integrates very well with other products like Defender.

It helps us prioritize threats across our enterprise. There are many things we can do to deal with prioritizing threats, such as having automation rules that automatically raise the priority of certain incidents. We're also able to make changes to the rule sets themselves and say, "I believe this to be a higher priority than is listed in the tool."

Prioritization is probably the most important thing to us because as an organization, we have a number of threats coming in at any moment, and each of them has its own valid investigation path. We need to know which ones are business critical and which ones need to be investigated and either ruled out or remediated as soon as possible. Prioritizing what to work on first is the biggest thing for us.

If you have the right licenses and access to all the products, it's fairly easy to integrate these products into Sentinel. Sometimes they don't pull as much information as possible, and I've noticed that there is a cross-functional issue where these tools will flag and alert themselves.

We can have it configured to create an alert in Microsoft Sentinel, but sometimes it doesn't create a bridge between them. When we finish our investigation and close the ticket on Sentinel, it sometimes doesn't go back to the tool and update that. That's the only issue that I have found with the integration. Everything else is straightforward and works well.

The solutions work natively together to deliver coordinated detection responses across our environment. It's probably one of the better-engineered suites. In other places, I've experienced an endpoint detection and response system that's completely different: proprietary coupled with a proprietary and different SIEM tool or maybe a different sort of tool. They are individual tools, and it can sometimes feel like they're engineered differently, but at the same time, they integrate better than anything else on the market as a suite of tools.

These solutions provide pretty comprehensive threat protection. A lot of them are technology agnostic, so you can have endpoints on Linux and Mac OS. It's pretty comprehensive. There's always a little oversight in any security program where you have to balance the cost of monitoring everything with the risk of having some stuff unmonitored, but that's probably an issue outside of this tool.

It enables us to ingest data from our entire ecosystem. It's difficult to ingest non-native data. It's not as easy as in Splunk because Splunk is probably the leading SIEM tool. If you have a native tool that's out of the Microsoft security stack, you can bring it into Sentinel and have an alert on it.

This ingestion of data is vital for our security operations. It's the driver behind everything we do. We can do threat hunting, but if we don't have logs or data to run queries, then we're pretty much blind. I've worked in places where compliance and regulatory adherence are paramount and having logs, log retention, and evidence of these capabilities is extremely important. One of the more vital things that our organization needs to operate well, is good data.

A lot of the alerts come in from other tools, so sometimes we have to actually use that tool to get the proper information. For example, if we get an alert through Defender for Office 365, to actually see an offending email or attachment or something like that, we have to go into the Defender console and dig that out, which is inconvenient. As an aggregator, it's not bad compared to the other solutions on the market. In an ideal scenario, having more information pulled through in the alerts would be an improvement.

A lot of Sentinel's data is pretty comprehensive. The overarching theme with Sentinel is that it's trying to be a lot of things in one. For a UEBA tool, people will usually have separate tools in their SIEM to do this, or they'll have to build their own complete framework from scratch. Already having it in Sentinel is pretty good, but I think it's just a maturity thing. Over the next few years, as these features get more fleshed out, they will get better and more usable. At the moment, it's a bit difficult to justify dropping a Microsoft-trained UEBA algorithm in an environment where it doesn't have too much information. It's good for information purposes and alerting, but we can't do a lot of automation or remediation on it straight away.

Although the integrations are good, it can sometimes be information overload. A number of the technologies run proprietary Microsoft algorithms, like machine learning algorithms and detection algorithms, as well as having out-of-the-box SIEM content developed by Microsoft. As an engineer that focuses on threat detection, it can sometimes be hard to see where all of the detections are coming from. Although the integrations are good, it can sometimes be information overload.

Documentation is the main thing that could be improved. In terms of product usage, the documentation is pretty good, but I'd like a lot more documentation on Kusto Query Language. They could replicate what Splunk has in terms of their query language documentation. Every operator and sub-operator has its own page. It really explains a lot about how to use the operators, what they're good for, and what they're not good for in terms of optimizing CPU usage.

In Splunk, I would like to see some more advanced visualization. There are only some basic ones in Sentinel.

I've been using Microsoft Sentinel for about one year, but more heavily over the past five months.

It's pretty stable. We don't have any performance or capacity issues with it.

It's scalable when using solutions like Lighthouse.

I haven't needed to use technical support yet, but the documentation in the community is very good.

I previously used Splunk. The move to Sentinel was definitely cost-based. A lot of people are moving away from Splunk to a more cost-effective SIEM like Sentinel. We also chose Sentinel because of the ease of maintenance. Splunk's enterprise security has some good queries out of the box, but if I were a small organization, I would use Sentinel because it has more out-of-the-box features.

The log collection facilities must be maintained. Maintaining the solution requires a team of fewer than five people. It mainly involves ensuring that the rules are up to date, the connectors and log collection mechanisms are working correctly, and that they're up to date. It also involves ensuring that the right rules are deployed and the automation rules are in place.

Our ROI is 50% over and above what we spend on it in terms of what we can get back from Microsoft Sentinel, everything we use it for, and the time we save.

Some of the licensing models can be a little bit difficult to understand and confusing at times, but overall it's a reasonable licensing model compared to some other SIEMs that charge you a lot per data.

There are additional fees for things like data usage and CPU cycles. When you're developing queries or working on queries, make sure that they're optimized so you don't use as much CPU when they run.

We spoke with Google about Chronicle Backstory. It looks pretty powerful, but it wasn't mature enough for what we were looking for at that time.

The only other real standalone solution I've had a good experience with is Splunk and Splunk Phantom. In terms of cost, it's astronomically different. Microsoft Sentinel can sometimes be expensive depending on how many logs you're taking, but it will never be in the same realm as Splunk. Sentinel is easy to use, but Splunk is so expensive because it's very easy to use.

Microsoft Sentinel is a better SOAR solution than Phantom. Phantom has good integrations, but it isn't really built for custom scripting. If you're going to be paying more, you would expect that to be better. Sentinel is better in that aspect. Sentinel's cost-effectiveness blows a lot of other solutions out of the water, especially if you're already in Azure and you can leverage some relationships to bring that cost down.

I would rate this solution eight out of ten. It's heading in the right direction, but it's already pretty good and mature.

If a security colleague said it's better to go with the best-of-breed strategy rather than a single vendor security suite, I would understand that completely. Some people see tying yourself into a single vendor as a vulnerability. It's not quite spread out, but I think you can manage a single vendor security solution if you have a good relationship with the vendor and you really leverage your connections within that business.

It's good to diversify your products and make sure that you have a suite of products available from different companies and that you use the best that's available. In terms of this technology stack, it's pretty good for what it does.

My advice is to really focus on what's possible and what you could do with the SIEM. There are a lot of features that don't get used and maximized for their purpose from day one. It takes a couple of months to properly deploy the solution to full maturity.

We are a security service provider, and we are using Microsoft Sentinel to provide managed security services to our customers.

The visibility that it provides is very good because Microsoft is a front runner in threat intelligence and cybersecurity operations. They have their own threat intel team that is very active. They are actively covering any new threats that are coming into the landscape. They are adding detections, queries, playbooks, and other things related to new threats. They have out-of-the-box integrations, and the coverage of new threats is very fast in Microsoft Sentinel.

It helps us to prioritize threats across our enterprise. Whenever we onboard new customers, after integrating all of their log sources, we actively check for any latest threats being present in their environment. Microsoft Sentinel is natively integrated with all the latest threat intel available, which makes it very valuable for us. It is a SaaS application. So, it is very easy to deploy this solution for new customers to cover their security needs.

In addition to Microsoft Sentinel, we use the EDR solution from Microsoft, which is Defender for Endpoint. We also use Office 365 for email purposes. We have integrated Microsoft Sentinel with these products. In Microsoft Sentinel, there are connectors specifically for this purpose. All the logs from these products are available in this SIEM tool, and it is easy to manage everything from a single pane of glass.

Even though Microsoft Sentinel is a cloud-native product, by using the connectors, you can easily integrate your on-prem and cloud resources with Microsoft Sentinel. Most of our tools including On-Prem are currently integrated with Microsoft Sentinel.

It is very helpful in automating tasks that otherwise require manual intervention. There are two ways to do automation. One is by using the automation rules, and the other one is through playbooks. Automation rules can be used to automate simple tasks, such as automatically assigning an incident to a particular analyst who should be monitoring the incident. By using automation rules, you can automate various tasks, such as setting the severity of the incident and automatically changing the status of the incident.

Playbooks can be used to automate high-value tasks, such as blocking a malicious IP in the firewall or blocking a particular user in Azure Active Directory. All such tasks can be automated through playbooks.

There are lots of things that we have found valuable in this solution. Mainly, this is a cloud-native product. So, there are zero concerns about managing the whole infrastructure on-premises.

Kusto Query Language that powers Microsoft Sentinel is another valuable feature. It is a very fast and powerful language.

The integration with different ticketing tools like Jira, ServiceNow, etc. is also a great plus point.

Besides that, the addition of new features to the product is very fast. The overall customer experience in terms of using their Cloud Security Private Community and being able to provide our feedback and suggestions is good. They take the feature requests on priority, and whenever possible, they add the new features in the next version of the product.

Currently, SPAN traffic monitoring is not available in Microsoft Sentinel. I have heard that it is available in Defender for Identity, which is a different product. It would be good if  SPAN traffic monitoring is available in Microsoft Sentinel. It would add a lot of value. It is available in some of the competitor products in the market.

Also Reporting feature is missing in Sentinel. Currently, we have to rely on PowerBI for reporting. It would be great if this feature is added. 

We have opted for the pay-as-you-go model, which doesn't come with free support. If some limited free support was available with the pay-as-you-go model, it would be good. 

I have been using this solution for about one year.

There is a great community for Microsoft Security, and we mostly rely on this Microsoft Security community and Microsoft Q&A forums for support. Currently, we are using the pay-as-you-go model which doesn't come with free on-call support. It would be good if some free support was available, even if in a limited way, with the pay-as-you-go model. So, we haven't used their on-call support yet, but their support from the community has been great. Because of that, I would rate their support an eight out of ten.

Positive

Before Microsoft Sentinel, we were not working with any other cloud-native SIEM solution. 

It's important to understand the daily data ingestion required for you or your customer (in case you're an MSSP). There are price tiers starting from 100 GB/day ingestion. But if your ingestion varies too much or your ingestion is lower than 100 GB, you may go for the pay-as-you-go (Per GB) Model. In the case of pay-as-you-go, it is about how closely you monitor the ingestion of each GB of data and how effectively you limit that ingestion. If you don't effectively monitor the ingestion, the price may be too much, and you may not be able to afford it. You should be very clear about your data usage. Sentinel provides great granular visibility into data ingestion. Some of the data might not be relevant to security. For example, basic metrics or other log data might not be very useful for monitoring the security of an enterprise. If you do the right things and limit the ingestion of data, its license plan is perfect, and you can save lots of money.

We considered AlienVault, QRadar, and other solutions, but we didn't try those solutions before opting for Microsoft Sentinel because Sentinel was having fantastic reviews and it was our perfect first choice for our Cloud-Native SIEM tool. So, we decided to first try Microsoft Sentinel. If we had not found it satisfactory, we would have tried other solutions. After doing the trial version for 30 days, we were very happy with Microsoft Sentinel. The addition of new features was also very fast. So, we decided to go ahead with the product.

Microsoft Sentinel is an awesome SIEM/SOAR tool for customers with active Cloud presence. Even for on-prem customers, it is providing great flexibility for integrations. 

I would rate Microsoft Sentinel a nine out of ten.

Sentinel is a solution called SIEM - security information event management. It's for monitoring an entire organization from a security point of view. Along with the monitoring, what happens in the SIEM is you have to raise incidents. If there are any kind of security issues or breaches or people are trying to get into the system, you have to raise an incident ticket. You collect the event information from the systems. You'll be able to see if it's, for example, a machine or account, or an active directory outage. You can process that information using machine learning AI, and then raise incidents. It's basically helping a security operations center team (SOC). With the help of Azure Sentinel, we can build a SOC.

There are plenty of use cases. You have to cover your entire security environment. For example, a brute force attack against your Azure Portal. If someone is trying to guess your password, you will see the incident. When somebody puts four, five wrong passwords, and then a correct password, it could mean someone is trying to guess your password and you would see that. Basically, there are a lot of use cases, however, all of them revolve around monitoring security. Whenever something happens, we should get alerted or we can proactively assess our environment.

With Sentinel, you can also do the hunting. It'll try to identify if your environment is compromised with any kind of attack. In most cases, it'll try to protect your organization before this attack can happen. If somebody is trying to snoop in your environment, we can track him. Or if somebody is trying to guess your password, we can protect the password. If somebody is injecting the malware, we can identify and protect the organization.

The solution has improved functionality as most of the organization will be in the cloud. If an organization is already on the Azure cloud, then they don't have to go for any other solution for the SIEM. They can easily integrate Sentinel. Most of us are on the Microsoft products, so it's very easy to deploy this with the Microsoft products as well as to the other products. 

In terms of Sentinel, it's a best-in-class solution. The SIEM solution is hosted in the cloud. When you compare it with the other tools, the on-premises tools may not be that great.

The best piece about it is when it comes to the traditional SIEM solutions, it's very hard to manage them. First of all, licensing will be there. Then you need to manage underlying infrastructure as well. You also need a big setup. All these things aren't necessary with Sentinel due to the fact that it's on the cloud. You just get a cloud subscription and do a pay-as-you-go model.

The machine learning and artificial intelligence on offer are great. These are the things that happen in the background that we do not see. Whenever you have an incident, it will provide you with all the options so that you can drill down. For example, I have identified one incident where somebody was trying to do a brute-force attack. When this incident was generated, I had a lot of data with which I could start to investigate things.

It provides the best-in-class hunting capabilities. It's very easy to write the hunting logic. You have to write some searching queries. It's very easy to write those all queries and identify the test.

It'll give you the capabilities of automation. Azure is not only about security or infrastructure. It has a lot of programming features, functions, logic apps, and automation. You can easily integrate. If you can do a little bit more programming, then you can integrate it with functions or automation, or anything else.

There is a different tool for security postures. That's called Azure Security Center. From November, it's going to be called Azure Defender. This tool does not do posture management, however, it can integrate with Azure Security Center. There is also this XDR tool, Microsoft Defender. It can easily integrate it. Once you set up the integration between these tools, then you will have the advantage of both the tools. You will have a unified ticketing system where you can view the alerts from XDR and you can view the alerts from the posture management and from the SIEM.

Every month there are new features in Sentinel and the tools are stable. All the features and functionality that those tools provide are slowly coming to the Azure Sentinel as well. So it's improving a lot day by day. 

Initially, we had the data connector that could bring the data from any of the platforms that we wanted to monitor. Now, Microsoft has improved the solutions and they're providing a lot of options. While you can (and now have) almost all the functionalities that are needed for SIEM capabilities, it's still adapting to new things as well. 

Azure Sentinel will be directly competing with tools such as Splunk or Qradar. These are very established kinds of a product that have been around for the last seven, eight years or more. They have a lot of good things going for them and are slightly ahead of Microsoft, which is new to the game. However, Microsoft is adapting. Microsoft keeps working on its solutions and offers feature request platforms as well. We have given them a lot of feedback in terms of some customizations - and they keep adding to it. There are a lot of new things that are in the pipeline. In the next four to six months, we will see more new features which will further enhance the existing tools.

For example, there were some custom fields that were missing. We wanted to do mapping of the custom fields and this capability wasn't there in the Sentinel. However, when we requested it they implemented it.

I have been on Sentinel for the last two to two and a half years. Initially, I was just doing it for my own self-interest, however, for the last one and a half years, it's been more of a professional relationship and I've been working with it for customers.

The solution is quite stable. I have not seen any downtime so far. It is working for customers as well. It's good. It's on a cloud and therefore we need not worry about maintaining the databases or maintaining the platforms, or wherever the data is stored. It's all Microsoft's responsibility.

The scalability is a unique selling proposition for Sentinel. Due to the fact that it's on the cloud, you can scale it up to any limit. Of course, you have to pay for whatever data you are storing. As compared to an on-premises tool the sometimes they may fail to scale, however, this is great. You don't have to bring up a lot of hardware with Sentinel. 

This solution is being used quite extensively right now.

Whether or not the usage will increase depends on the pricing that comes up the more you use it. We have to pay for whatever data, telemetry, that gets into the Sentinel. For example, let's say today I collected 1GB of data, tomorrow I'm going to collect 5GB of data. Microsoft can easily hold this, however, then they also provide you with some kind of plans. You can reserve the space. You can say "I will use 100GB of data per month." Microsoft will give you a discount and you have to pay for the reserved 100GB. It is a pay-as-you-go model.

The solution is used by the development team, which sets it up, and then by the SOC team, which takes over and starts monitoring for security incidents.

Technical support depends on what kind of agreement you have with Microsoft. If you are a premier customer, under the top 100, then they can provide you with some direct connection with the Microsoft program managers. You can have a conversation with them once every two weeks. If you are not in the premier tier, if you are just directly buying it from Azure, then technical support, again, depends. There are two types of technical service. One is the professional and the second one is the premier. Premier support is good. Obviously, you will be paying extra for it. Professional support is not that great. Often, I'd rather not involve them. They will simply mess up things. It's better to just post your questions on the forums and try to get some answers from the experts.

I use all kinds of support. If you are working for a customer who has a very good rapport with Microsoft and they are their top Azure consumer, then they can do things for you. If you give them feedback and you are potentially a big customer for Sentinel, then they will try to adjust things according to your environment. However, if you are not, you are just using Sentinel, then it's okay. It all depends on how much money you are paying and how much business you are doing with Microsoft. 

If a customer is planning to buy Sentinel, then they should initially negotiate with Microsoft for premier support. They can ask for 100 hours of premier support or the fast-track service. You can initially negotiate for a situation where, if some technical issues arise, then you will only work with premier support, and you can reserve your 100 or so hours for that. 

Initially, it's better to agree in advance with Microsoft that you will be needing X number of technical support or the fast-track service or engagement with the Sentinel development team.

I did not use a different solution. I'm from the Azure Log Analytics Monitoring part. I came from that side.

We directly jumped into Sentinel. I've heard that people are doing migrations from Splunk. That's the number one tool that's available for SIEM. However, I directly started from Sentinel.

The initial setup is very easy. You just need some basic knowledge of the monitoring platform called Azure Log Analytics. If you have the knowledge of Azure Log Analytics, then you can easily set up this.

If you just want to set up over the Azure Portal, then it will hardly take 15 to 20 minutes to deploy. Of course, this is not the final setup. The final setup is when you will be connecting it with different sources. For example, if you have 100 machines, you will have 100 Linux machines, you will have routers and switches too. Everything you want to monitor needs to be there. You have to implement these all solutions one by one as per your requirement. If your requirement is you will want Linux machine monitoring, you want firewall monitor, then it can take time, however, it is pretty easy to accomplish.

The pricing model is good. Microsoft does the reservations as well. Perfect planning is needed, as, once you reserve the space, you can save up to 30% or 40% of the cost. If you are not doing good planning, then it'll cost you a lot. However, from a costing point of view, it's fair and comparatively low. It's not a costly service.

I'm not the decision-maker. I was mostly from the Azure Log Analytics Monitoring background, however, when this was released, even the Microsoft CEO and CTO were touting its abilities. Initially, I looked at it for self-interest, and then we thought of implementing it for our labs, and then we found it fruitful. Then we started getting Sentinel projects. 

I'm a consultant and service provider.

It's hosted on a cloud. There is nothing like versioning or anything. It's just software as a service.

I would rate the solution at around eight out of ten. When we do the migration, there are still few people who are used to it. Not many have hands-on experience. Sometimes we struggle in maintaining gaps.

Microsoft Sentinel serves as a centralized hub for collecting and analyzing logs from various Microsoft tools and other sources. It eliminates the need to develop custom toolsets for detecting malicious activities across different Microsoft tools. Instead, Microsoft Sentinel provides standardized rules and playbooks to streamline the process of identifying and responding to potential threats.

For instance, consider a scenario where an employee clicks on a phishing link in an email, leading to the installation of malware on their system. While the endpoint detection and response tool on the endpoint might not detect malicious activity, Microsoft Sentinel, acting as a central log collector, receives the EDR logs and triggers an event based on pre-defined rules.

Upon detecting the suspicious activity, Microsoft Sentinel automatically executes a playbook, which may involve actions such as killing the malicious process or isolating the affected endpoint. This automated response helps expedite threat containment and reduces the burden on security analysts.

It is crucial that Sentinel empowers us to safeguard our hybrid, cloud, and multi-cloud environments. We employ a hybrid cloud setup, and securing our environment using Sentinel is significantly simpler than manual methods. We can gather events in the Central Point and develop playbooks and scripts to automate responses. This streamlines the process and enhances our overall security posture. Additionally, if an alert is triggered, we receive an incident notification via email, prompting us to take action and resolve the issue.

Sentinel provides a library of customizable content to address our company's needs.

Microsoft Sentinel has helped our organization with alerts. We'll receive alerts from Sentinel indicating that we're at risk. It's important to address these alerts promptly. We first need to review the information in the email, and then work on the issue in the office. After that, we'll contact the team members on the relevant shift. There's nothing particularly difficult about this process. It's based on our access privileges, which are determined by our role in the company. If we have a high-level role, we'll have access to all the necessary tools and resources. We'll even be able to receive alerts at home if there's a security issue. The company that provides this technology grants work-from-home access based on security considerations. If someone has a critical role, they'll also be equipped with the tools they need to work remotely and connect with their team members. So, the company that provided the technology can resolve the issue first, and then we can address it. Once we've taken care of the issue, everything will be much easier.

By leveraging Sentinel's AI in conjunction with our playbooks for automation, we can enhance the effectiveness of our security team, subject to the specific rules and policies we implement.

The logs provided by Sentinel have helped improve our visibility into our user's network behavior.

Sentinel has helped us save 60 percent of our time by prioritizing the severity of the alerts we receive. When we receive an alert with a high-risk level, we immediately address it to mitigate the potential security threat. Additionally, we have configured our anti-ransomware software, to further protect our systems from cyberattacks. In the event of a ransomware attack, our Halcyon system will generate an encryption key that can be used to unlock our system. This key is securely stored by Halcyon.

Sentinel has helped reduce our investigation times by enabling us to review an alert, generate a ticket, and resolve the issue simultaneously upon receiving the alert.

The most valuable feature is the alert notifications, which are categorized by severity levels: informational, low, medium, and high. This allows us to prioritize and address alerts based on their urgency. For instance, we would immediately address high-severity alerts. This feature, along with the ability to create playbooks, significantly enhances our workflow.

I would like Microsoft to add more connectors for Sentinel.

Microsoft Sentinel should provide an alternative query language to KQL for users who lack KQL expertise. 

I have been using Microsoft Sentinel for one and a half years.

Microsoft Sentinel is a stable solution. 

Microsoft Sentinel is scalable.

We have to write playbooks to resolve our issues.

Neutral

The configuration of Microsoft Sentinel involved a complex process that required thorough familiarity with the available connectors and the policies to be implemented.

We have seen a 30 percent return on investment.

Sentinel is costly.

I would rate Microsoft Sentinel seven out of ten.

We have five people in our organization who utilize Sentinel.

No maintenance is required from our end.

We internally do not use this solution. We provide advisory for Azure Sentinel because we are Microsoft's partner.

Our clients use it for Security Operations Centers. Some of the clients wish to build a Security Operation Center. They want to perform threat analysis and see that the environment is secure and monitor it. That's why we deploy SIEM solutions.

In terms of deployment, what we see here in Asia, specifically in Malaysia, are hybrid and public cloud deployments.

It helps our clients in enhancing their security. 

It is quite efficient. It helps our clients in identifying their security issues and respond quickly. Our clients want to automate incident response and all those things.

Its documentation is not so simple. It is easy for somebody who is Microsoft certified or more closely attached to Microsoft solutions. It is not easy for those who are working on open-source platforms. There isn't a central point where everything is documented, and there is no specific training or certification.

It has been almost three years.

It is stable. Those who have adopted it are okay with it.

It is a cloud solution, so it is scalable.

Most of us know how Microsoft operates. They are quite good at that.

Its setup is of moderate complexity for me, but I have heard it is complex for others because of the query language and other things.

There is documentation, but I don't think Microsoft is providing a central point where everything is documented. In fact, there is no specific training or certification. There is Microsoft Secure training, but it is not so dedicated. All these things make it moderate.

I have had mixed feedback. At one point, I heard a client say that it sometimes seems more expensive. Most of the clients are on Office 365 or M365, and they are forced to take Azure SIEM because of the integration.

We see that a lot of clients are trying to explore more apart from Azure. Some of the clients are interested in Splunk. Some of the clients are interested in seeing what's available from AWS. This year is quite different in Malaysia because the government has opened up the adoption of public cloud in all sectors, especially in the financial sector. So, we are seeing new requirements coming up. 

I would rate Azure Sentinel a seven out of 10.

Our team uses Microsoft Sentinel to monitor all security incidents. Security analysts working the intake process configure rules that trigger alerts based on specific criteria and route them to the appropriate team based on the event ID. This unified view within Sentinel allows me to investigate each incident, tracing its origin, path, and endpoint. By analyzing the information gathered, I can then determine whether the alert is a true positive or a false positive.

The visibility into threats that Microsoft Sentinel provides is excellent.

Microsoft Sentinel prioritizes threats across our organization, with levels P1, P2, and P3. This helps me determine how to investigate since some alerts, especially P1s, might seem critical at first glance. However, further investigation may reveal non-critical situations, like a P1 triggered by an authorized user's access from an unfamiliar IP or location. Analyzing logs can help identify these scenarios and ensure appropriate responses.

Microsoft Sentinel and Defender seamlessly integrate to provide a unified system for detecting and responding to security threats across our entire environment. This is crucial for meeting compliance standards and informing client communication. By investigating all security events and summarizing key findings in reports, we can not only highlight critical incidents but also demonstrate the steps we're taking to reduce the overall number of high, medium, and low-severity threats for our clients.

I would rate the comprehensiveness of the threat-protection that Microsoft Sentinel provides an eight out of ten.

Once data is ingested, the process begins with reviewing the ticket information. This can then lead us to Sentinel, where we can view logs. The depth of our investigation determines the next step: a login to Defender, which provides the full range of investigation tools to pinpoint the root cause of the incident.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place.

I would rate the comprehensiveness of Microsoft Sentinel eight out of ten.

Microsoft Sentinel helps automate routine tasks and the finding of high-value alerts.

Microsoft Sentinel simplifies security management by offering a single, unified XDR dashboard, eliminating the need to switch between and monitor multiple disconnected security tools.

The threat intelligence gives us a proactive advantage by anticipating potential threats, allowing us to prioritize and swiftly address critical incidents before they cause harm.

Microsoft Sentinel has helped save us time.

The detection is in real-time with Microsoft Sentinel. 

While Microsoft Sentinel provides a log of security events, its true power lies in its integration with Microsoft Defender. Defender extends Sentinel's capabilities by allowing for in-depth investigation. Imagine investigating a phishing email: through Defender within Sentinel, we can view the email itself, block the malicious email address and its domain, and even take down its IP address – all within a unified platform.

I would like Microsoft Sentinel to enhance its SOAR capabilities. 

I have been using Microsoft Sentinel for two years.

I would rate the stability of Microsoft Sentinel ten out of ten.

I would rate the scalability of Microsoft Sentinel ten out of ten.

I evaluated a few other SIEM solutions but I prefer Microsoft Sentinel because it is straightforward and I can also use Defender to investigate.

I would rate Microsoft Sentinel nine out of ten.

While Microsoft Sentinel offers SIEM capabilities for security information and event management, it doesn't fully replace the need for a separate SOAR solution, which specializes in security orchestration, automation, and response.

In addition to Microsoft Sentinel, I've also used IBM Security QRadar, which I believe is a superior solution because it functions as both a SIEM and SOAR, offering a more comprehensive approach to handling complex security processes.

I advise taking the course before using Microsoft Sentinel to have a better understanding of the solution.

I recommend trying Microsoft Sentinel.

I use Microsoft Sentinel in my work as an MSSP and as a threat detection engineer.

One of the most valuable features of Microsoft Sentinel is that it's cloud-based. I previously worked for a very long time with AXA since 2006, but Microsoft Sentinel's ability to scale virtually and budget-dependent is a huge advantage. Before that, everything was on-premise and required some forklift upgrades, and it was a bit of a nightmare.

Microsoft Sentinel is relatively expensive, and its cost should be improved. Although Microsoft has been working on providing additional discounts based on commitment tiers, it's still in the top three most expensive products out there. They are certainly trying to compete with the likes of Splunk.

I have been using Microsoft Sentinel since April 2020.

Since the time that I've been using Microsoft Sentinel, I've seen five or six serious outages. That's not uncommon with cloud providers. Generally, when it's a major outage, it's pretty catastrophic.

The scalability of Microsoft Sentinel is pretty good.

I have contacted Microsoft Sentinel's technical support a number of times, and my experience with them has been pretty good.

Neutral

Before we started using Microsoft Sentinel, we previously used Splunk and ArcSight. Having a brand name like Microsoft was one of the reasons we decided to switch to Microsoft Sentinel. I was working for an MSSP at the time, and at the start of the service, they decided to run their MSSP based on Microsoft Sentinel. So it was more of an environmental thing than a conscious decision to switch to Microsoft Sentinel.

The deployment of Microsoft Sentinel is relatively simple, but the data onboarding is the complicated part.

Two people are required for the deployment of Microsoft Sentinel.

Microsoft Sentinel's evolution, use of CI/CD, and automation capabilities have helped us see a return on investment.

Microsoft Sentinel's pricing is relatively expensive and extremely confusing. I have raised this issue with Microsoft directly. It's not an easy thing to do, especially when you consider commitment tiers, discounts, and several variables that go along with it. It would be very difficult for the uninitiated to get a true reflection because you'd need to know about the product to get a cost. Suppose I go with the online pricing calculator. In that case, I need to know the difference between analytics and basic logs. I also need to understand the implications and limitations of selecting a particular option. And that's not clear from the pricing tool. So I think from that perspective, they should democratize it and make it a lot simpler and easier to do.

The visibility that Microsoft Sentinel provides into threats is great. They got a lot of content out of the box and have an active community. I absolutely love the cluster functionality and the cluster query language. I definitely wouldn't want to go back to anything else. It's an incredible query language.

Microsoft Sentinel helps us to prioritize threats across our entire enterprise. The out-of-the-box content and behavior-analytic functionality that Microsoft Sentinel provides certainly help a lot.

There's a whole cloud stack like Defender for Endpoint, Defender for Cloud, and Defender for Cloud Apps that we interface with. I am not directly responsible for configuring and managing those different products within my company. However, we interface with each of them because we take their log data.

It was very easy to integrate other Microsoft security products with Microsoft Sentinel. The other Microsoft products I mentioned have done a great job of making it very simple to integrate. It's probably easier than all the other services. Being Microsoft products, there's a very tight integration, which is great.

I don't have any direct involvement with configuring Defender for Cloud. However, we take the logs from all the Defender suites like Defender for Identity, Defender for Cloud, Defender for Cloud Apps, Defender for Endpoint, etc.

Microsoft Sentinel enables us to ingest data from our entire ecosystem. It is more challenging regarding the on-premise stuff and unsupported SaaS services. You could leverage the available functionality, but it's certainly not as easy as the native Microsoft Cloud products it integrates with. There's a lot more to it in terms of being able to ingest data from an on-premise data source. This data is very important to our security operations.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place.

The comprehensiveness of Microsoft Sentinel security protection is good. It is constantly evolving. I would like to see Microsoft add more automation, but they're on a journey to expanding their capability. I expect to see a change in that space. Since I started using the product, it has evolved, and the evolution of the product from two years ago or three years ago has been huge.

The cost and ease of use of Microsoft Sentinel against standalone SIEM and SOAR solutions are on par with Splunk in terms of costs. It's on par with what Splunk costs or slightly cheaper. It depends on how you set it up, but it's not always evident. Microsoft would prefer you to pay more than less. Certainly, from their perspective, it could probably put out more guidance on the optimization of cost. In terms of its use and functionality, it's definitely on its way to becoming a market leader. I can see that through the evolution that occurred in the last three years. There's always more and more functionality being added. I would like to see more expansion in terms of the provision of functionality in the dashboarding and work booking component. They could spend more time on expanding our capabilities. Splunk can easily plug into D3 libraries to create really good visualizations. The visualization capability within Microsoft Sentinel at the moment is somewhat rudimentary. You can always plug Power BI into it, but it's not a native product feature, and you need to buy and pay for Power BI.

From an overall management capability, Microsoft Sentinel has certainly made life easier. The introduction and addition of the CRC process are great. Historically, many SIMS haven't had that capability or ability to be integrated with the CRC system. So the automation component of that has allowed the deployment of infrastructure's code to speed up the process of the actual deployment massively in the MSSP environment. Historically, when it was on-premise, it would take two weeks to two months to get that all done. Whereas now, you can spin up a new instance and onboard all the cloud stack within a few days, which is huge.

Microsoft Sentinel has the hunting functionality. From that perspective, you could run a whole number of queries at the same time.

Microsoft Sentinel has not helped eliminate having to look at multiple dashboards. They need to expand that functionality.

Microsoft Sentinel’s threat intelligence helps us prepare for potential threats before they hit and to take proactive steps. They’ve recently introduced the Microsoft Defender Threat Intelligence feed, which is a good step forward. It’s come out of the RiskIQ acquisition, which is great. However, I would like to see more native integrations with threat intelligence feeds from financial services, local country threat intelligence feeds, and CSC feeds from government institutions. They work quite closely with the government in many places already, and it would be a huge advantage to have really simple and easy integrations. They could do more in that space in terms of providing alternative threat intelligence with the ability to integrate seamlessly and easily with threat intelligence from other sources. They do already provide connectors, but it isn’t easy. In my experience working in the industry, I’ve seen a company that effectively had a threat intelligence marketplace built into it. So you could very easily and quickly select threat intelligence providers through a number of clicks and then onboard that data very quickly.

Microsoft Sentinel has helped us save time as opposed to our previous solution. Microsoft needs to add even more automation. If you look at their competitors like Palo Alto Cortex, they already have a lot more capability out of the box. Microsoft needs to expand further that out-of-the-box automation capability.

Based on previous experience, Microsoft Sentinel has decreased our time to detection or our time to respond.

Microsoft Sentinel does not need any maintenance because Microsoft does that. However, I have monitoring rules set in place to watch what's going on. For example, we've seen outages in the past, which caused delays in incident creation. There's very little out-of-the-box content to help monitor Microsoft Sentinel.

I would always go with a best-of-breed strategy rather than a single vendor’s security suite. The evolution of Microsoft Sentinel itself has been quite amazing to see. The solution has become more feature-rich in the last two years. I hope this evolution continues and will likely leave the others behind.

I suggest to those evaluating Microsoft Sentinel to do a proof of concept.

Overall, I rate Microsoft Sentinel a seven out of ten.