I use Microsoft Sentinel in my work as an MSSP and as a threat detection engineer.
Director
Ability to scale virtually, but it is relatively expensive
Pros and Cons
- "One of the most valuable features of Microsoft Sentinel is that it's cloud-based."
- "Microsoft Sentinel is relatively expensive, and its cost should be improved."
What is our primary use case?
What is most valuable?
One of the most valuable features of Microsoft Sentinel is that it's cloud-based. I previously worked for a very long time with AXA since 2006, but Microsoft Sentinel's ability to scale virtually and budget-dependent is a huge advantage. Before that, everything was on-premise and required some forklift upgrades, and it was a bit of a nightmare.
What needs improvement?
Microsoft Sentinel is relatively expensive, and its cost should be improved. Although Microsoft has been working on providing additional discounts based on commitment tiers, it's still in the top three most expensive products out there. They are certainly trying to compete with the likes of Splunk.
For how long have I used the solution?
I have been using Microsoft Sentinel since April 2020.
Buyer's Guide
Microsoft Sentinel
November 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
817,354 professionals have used our research since 2012.
What do I think about the stability of the solution?
Since the time that I've been using Microsoft Sentinel, I've seen five or six serious outages. That's not uncommon with cloud providers. Generally, when it's a major outage, it's pretty catastrophic.
What do I think about the scalability of the solution?
The scalability of Microsoft Sentinel is pretty good.
How are customer service and support?
I have contacted Microsoft Sentinel's technical support a number of times, and my experience with them has been pretty good.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Before we started using Microsoft Sentinel, we previously used Splunk and ArcSight. Having a brand name like Microsoft was one of the reasons we decided to switch to Microsoft Sentinel. I was working for an MSSP at the time, and at the start of the service, they decided to run their MSSP based on Microsoft Sentinel. So it was more of an environmental thing than a conscious decision to switch to Microsoft Sentinel.
How was the initial setup?
The deployment of Microsoft Sentinel is relatively simple, but the data onboarding is the complicated part.
What about the implementation team?
Two people are required for the deployment of Microsoft Sentinel.
What was our ROI?
Microsoft Sentinel's evolution, use of CI/CD, and automation capabilities have helped us see a return on investment.
What's my experience with pricing, setup cost, and licensing?
Microsoft Sentinel's pricing is relatively expensive and extremely confusing. I have raised this issue with Microsoft directly. It's not an easy thing to do, especially when you consider commitment tiers, discounts, and several variables that go along with it. It would be very difficult for the uninitiated to get a true reflection because you'd need to know about the product to get a cost. Suppose I go with the online pricing calculator. In that case, I need to know the difference between analytics and basic logs. I also need to understand the implications and limitations of selecting a particular option. And that's not clear from the pricing tool. So I think from that perspective, they should democratize it and make it a lot simpler and easier to do.
What other advice do I have?
The visibility that Microsoft Sentinel provides into threats is great. They got a lot of content out of the box and have an active community. I absolutely love the cluster functionality and the cluster query language. I definitely wouldn't want to go back to anything else. It's an incredible query language.
Microsoft Sentinel helps us to prioritize threats across our entire enterprise. The out-of-the-box content and behavior-analytic functionality that Microsoft Sentinel provides certainly help a lot.
There's a whole cloud stack like Defender for Endpoint, Defender for Cloud, and Defender for Cloud Apps that we interface with. I am not directly responsible for configuring and managing those different products within my company. However, we interface with each of them because we take their log data.
It was very easy to integrate other Microsoft security products with Microsoft Sentinel. The other Microsoft products I mentioned have done a great job of making it very simple to integrate. It's probably easier than all the other services. Being Microsoft products, there's a very tight integration, which is great.
I don't have any direct involvement with configuring Defender for Cloud. However, we take the logs from all the Defender suites like Defender for Identity, Defender for Cloud, Defender for Cloud Apps, Defender for Endpoint, etc.
Microsoft Sentinel enables us to ingest data from our entire ecosystem. It is more challenging regarding the on-premise stuff and unsupported SaaS services. You could leverage the available functionality, but it's certainly not as easy as the native Microsoft Cloud products it integrates with. There's a lot more to it in terms of being able to ingest data from an on-premise data source. This data is very important to our security operations.
Microsoft Sentinel enables us to investigate threats and respond holistically from one place.
The comprehensiveness of Microsoft Sentinel security protection is good. It is constantly evolving. I would like to see Microsoft add more automation, but they're on a journey to expanding their capability. I expect to see a change in that space. Since I started using the product, it has evolved, and the evolution of the product from two years ago or three years ago has been huge.
The cost and ease of use of Microsoft Sentinel against standalone SIEM and SOAR solutions are on par with Splunk in terms of costs. It's on par with what Splunk costs or slightly cheaper. It depends on how you set it up, but it's not always evident. Microsoft would prefer you to pay more than less. Certainly, from their perspective, it could probably put out more guidance on the optimization of cost. In terms of its use and functionality, it's definitely on its way to becoming a market leader. I can see that through the evolution that occurred in the last three years. There's always more and more functionality being added. I would like to see more expansion in terms of the provision of functionality in the dashboarding and work booking component. They could spend more time on expanding our capabilities. Splunk can easily plug into D3 libraries to create really good visualizations. The visualization capability within Microsoft Sentinel at the moment is somewhat rudimentary. You can always plug Power BI into it, but it's not a native product feature, and you need to buy and pay for Power BI.
From an overall management capability, Microsoft Sentinel has certainly made life easier. The introduction and addition of the CRC process are great. Historically, many SIMS haven't had that capability or ability to be integrated with the CRC system. So the automation component of that has allowed the deployment of infrastructure's code to speed up the process of the actual deployment massively in the MSSP environment. Historically, when it was on-premise, it would take two weeks to two months to get that all done. Whereas now, you can spin up a new instance and onboard all the cloud stack within a few days, which is huge.
Microsoft Sentinel has the hunting functionality. From that perspective, you could run a whole number of queries at the same time.
Microsoft Sentinel has not helped eliminate having to look at multiple dashboards. They need to expand that functionality.
Microsoft Sentinel’s threat intelligence helps us prepare for potential threats before they hit and to take proactive steps. They’ve recently introduced the Microsoft Defender Threat Intelligence feed, which is a good step forward. It’s come out of the RiskIQ acquisition, which is great. However, I would like to see more native integrations with threat intelligence feeds from financial services, local country threat intelligence feeds, and CSC feeds from government institutions. They work quite closely with the government in many places already, and it would be a huge advantage to have really simple and easy integrations. They could do more in that space in terms of providing alternative threat intelligence with the ability to integrate seamlessly and easily with threat intelligence from other sources. They do already provide connectors, but it isn’t easy. In my experience working in the industry, I’ve seen a company that effectively had a threat intelligence marketplace built into it. So you could very easily and quickly select threat intelligence providers through a number of clicks and then onboard that data very quickly.
Microsoft Sentinel has helped us save time as opposed to our previous solution. Microsoft needs to add even more automation. If you look at their competitors like Palo Alto Cortex, they already have a lot more capability out of the box. Microsoft needs to expand further that out-of-the-box automation capability.
Based on previous experience, Microsoft Sentinel has decreased our time to detection or our time to respond.
Microsoft Sentinel does not need any maintenance because Microsoft does that. However, I have monitoring rules set in place to watch what's going on. For example, we've seen outages in the past, which caused delays in incident creation. There's very little out-of-the-box content to help monitor Microsoft Sentinel.
I would always go with a best-of-breed strategy rather than a single vendor’s security suite. The evolution of Microsoft Sentinel itself has been quite amazing to see. The solution has become more feature-rich in the last two years. I hope this evolution continues and will likely leave the others behind.
I suggest to those evaluating Microsoft Sentinel to do a proof of concept.
Overall, I rate Microsoft Sentinel a seven out of ten.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Lead Consultant at Trustsec Inc.
Well-defined KQL queries help make threat-hunting more automated and routine
Pros and Cons
- "There are some very powerful features to Sentinel, such as the integration of various connectors. We have a lot of departments that use both IaaS and SaaS services, including M365 as well as Azure services. The ability to leverage connectors into these environments allows for large-scale data injection."
- "If you're looking to use canned queries, the interface could be a little more straightforward. It's not immediately intuitive regarding how you use it. You have to take a canned query and paste it into an operational box and then you hit a button... They could improve the ease of deploying these queries."
What is our primary use case?
Our use cases range from more complex configurations, looking at things like playbooks, workbooks, and threat-hunting, for which we rolled out architectures in some departments in the Government of Canada, to a more streamlined functionality and looking at things from a correlation perspective.
We work in tandem with a couple of departments that have products called cloud sensors and those sensors feed telemetry into Sentinel. In its simplest form, we're using it for the ingestion of all that telemetry and looking for anomalies.
The anomalous behavior can include anonymous IPs and geolocation that might indicate bad actors are trying to access a system. If I'm located in Ottawa, Ontario and somebody from Russia is trying to access our tenant, that's going to be pretty suspicious.
Just like the US government has FedRAMP, there is a similar approach, here, for the Government of Canada where the funding for projects takes a cloud-first approach. Most of the departments in the government are now on some kind of cloud journey. When I look at the various projects I've worked on, every single one, to some degree, has an IaaS in Azure environment, and most of those deployments incorporate Sentinel and the log analytics workspace into the solution.
How has it helped my organization?
Sentinel helps automate the finding of important alerts as well as routine tasks. When your KQL queries are well-defined, and your threat hunting becomes more routine for parsing through a volume of ingested information, it becomes more of an established process. There would likely be some kind of documentation or procedures for how Sentinel would be managed. The idea is to catch any threat before it actually impacts your organization. Using Sentinel workbooks and playbooks and doing threat-hunting to find things before they actually affect a particular system is the optimal approach. It may depend on the size of the team that is supporting the tool and the knowledge level required to appropriately configure the tool.
I have one department that has quite a mature and robust Sentinel implementation, and they are absolutely doing that. They're using threat-hunting and the ability to create rules to be proactive.
A fully functioning Sentinel system configured properly so that you're doing advanced threat-hunting and trying to catch malware and other kinds of attacks before they impact your systems, could result in enormous cost savings if you're able to identify threats before they actually impact you. I'm sure that Sentinel has saved money for most departments in terms of forensic, digital investigations. But it would be hard for me to put a dollar figure on that. As the Government of Canada is becoming more capable of managing this system, the ability to leverage all of the bells and whistles to help to create a better security posture, and to catch things in advance, will absolutely result in dollar savings.
Similarly, for time to detection, a fully deployed Sentinel system that is properly managed and has a good, robust configuration, would absolutely save time in terms of pinpointing systems where a problem may exist, and employing alternative tools to do scans and configure reviews. But specific savings would depend on the department, the size of the team, and the configuration of the tool.
What is most valuable?
There are some very powerful features in Sentinel, such as the integration of various connectors. We have a lot of departments that use both IaaS and SaaS services, including M365 as well as Azure services. The ability to leverage connectors into these environments allows for large-scale data injection. We can then use KQL (Kusto Query Language) queries. It queries the telemetry for anomalies. The ability to parse out that information and do specific queries on it, and look for very specific things, is quite a valuable function.
The large-scale data ingestion and the ability to use KQL queries to establish connectors into various data sources provide very expansive visibility. With playbooks into which you incorporate rules, you can be very granular or specific about what you're looking for. It provides a great deal of visibility into that telemetry coming in from various services across your tenant.
In terms of data ingestion from an entire ecosystem, there might be some services for which Microsoft has not built a connector yet for Sentinel. But for most of the major services within Azure, including M365, those connectors do exist. That's a critical piece. As a SIEM, the way that it identifies anything anomalous is by correlating all those sources and searching the telemetry for anomalies. It's critical to ensure that you can ingest all that information and correlate it accordingly.
The comprehensiveness of Sentinel's security protection is highly effective and it scales well. It has the ability to do automated responses that are based on rules and on Sentinel's ability to learn more about the environment. The AI piece allows for behavioral and learning processes to take place, but the underlying logic is in the rules that you create via playbooks and workbooks. That whole functionality is highly effective, as long as you have good KQL literacy, how your alerts are configured, and where your alerts are configured. Are they via email or SMS? There are a lot of variables for how you want or expect Sentinel to behave. It's quite a comprehensive architecture to make sure that you've got all those pieces in place. When configured properly, Sentinel is a very powerful tool, and it's very beneficial.
What needs improvement?
My only complaint about Sentinel has to do with how you leverage queries. If you have good knowledge of KQL, things are fine. But if you're looking to use canned queries, the interface could be a little more straightforward. It's not immediately intuitive regarding how you use it. You have to take a canned query and paste it into an operational box and then you hit a button. Then it does the analysis of the telemetry. If things could be improved anywhere, it might be there. They could improve the ease of deploying these queries.
For how long have I used the solution?
I have been using Sentinel since 2018.
How are customer service and support?
Sentinel is very good if you have the right support tier in place. If you don't have the right support tier, then it can become quite laborious to find a technician who is knowledgeable, because the tier-one support might be out-of-country. You have to pay for the ability to get to a senior guy who is quite knowledgeable. That's an area of cost that may be impactful to the proper operation of the tool itself. But when you do talk to somebody who's knowledgeable, it's great.
How would you rate customer service and support?
Positive
What's my experience with pricing, setup cost, and licensing?
It's expensive, but it's beneficial.
Because of the way that the Government of Canada allows access to the Azure marketplace, we don't typically employ other cloud SIEMs. However, many departments of the government use on-prem SIEMs. When I consider the licensing and the functionality for those on-prem SIEMs, Sentinel is fairly pricey. That being said, for an Azure tenant, it's really the only game in town, unless you're pulling in information or you're exporting information from Sentinel to a third-party source on-prem for further analysis or storage.
Cost-wise, Sentinel is based on the volume of information being ingested, so it can be quite pricey. The ability to use strategies to control what data is being ingested is important.
Because it's expensive, I've seen other departments that have on-prem SIEMs that reanalyze telemetry that is exported from the Azure cloud. It's not like-for-like, though.
What other advice do I have?
Many organizations leverage the MITRE ATT&CK framework. Within MITRE there are all kinds of tactics that could be brought to bear on any unsuspecting department or target. Or they align with something like OWASP. But with Sentinel, you're able to delineate what categories you want to prioritize. For anything web-based, because everything is based on APIs and is based on a web interface, you might want to prioritize OWASP-based threats. But if you look at things like APTs, advanced, persistent threats, and various bad actors that MITRE categorizes, that gives you a really good source of information in terms of what to prioritize.
There are a lot of Microsoft security products: Defender for Cloud, Security Center, Azure Monitor. On the SaaS side, we leverage Compliance Manager. And within the dashboards for M365, you've got the ability to leverage policies. For some clients I've worked on, we have things like DLP policies, to prevent unauthorized exfiltration of data. But for IaaS, where Azure typically resides, Defender for Cloud is a big one.
With the use of connectors, if you're looking to provide data telemetry from various services back into Sentinel to do threat-hunting, it is quite a straightforward process. If you're looking to look at things like logging and auditing and how storage accounts integrate, that's a bit more complex, but it's not rocket science. It's certainly quite feasible.
Because they're all services incorporated into Azure, and into IaaS from a broader perspective, there's fairly straightforward integration. Everything is API driven. As long as you can take advantage of that within your dashboard and your admin center, you can enable them very simply through that. If you're looking for historical data through login auditing, it's a matter of parsing through some of that information to get some of those key nuggets of information. But the broader ability to spin up a bunch of services through Azure and have them communicate and work together to build a better security posture is very straightforward.
Cloud platforms, whether Microsoft or AWS or Google, are always in flux. There are always services coming down the line, as well as updates or upgrades, and refinements to these services. Very rarely do you find a static service. When I look at the comprehensiveness of Sentinel from when I started to use it back in 2018 and through to early 2023, there have been a fair number of changes to the functionality of the tool. There are more connectors coming online all the time. It's evolving to make it more and more comprehensive in terms of what kind of information you can pull into Sentinel. It's more and more comprehensive as time goes on; the tool just improves.
Disclosure: My company has a business relationship with this vendor other than being a customer: Implementer
Buyer's Guide
Microsoft Sentinel
November 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
817,354 professionals have used our research since 2012.
Good documentation, helps with our security posture and has a straightforward setup
Pros and Cons
- "We’ve got process improvement that's happened across multiple different fronts within the organization, within our IT organization based on this tool being in place."
- "They're giving us the queries so we can plug them right into Sentinel. They need to have a streamlined process for updating them in the tool and knowing when things are updated and knowing when there are new detections available from Microsoft."
What is our primary use case?
It's a SIEM tool. Our process right now is to put as much data as we possibly can from all of our network devices into it. We use it as a centralized logging mechanism and the feature that is nice there is that it's agnostic against the types of devices you're using. I have firewalls that can log onto it. I have Linux boxes that can log onto it. I have Windows boxes that can log to it and I can collect a variety of logs from around the organization into it. I can analyze those logs, I can get detections against those logs and use them to take a look at the security footprint of the organization.
All of the different security centers within Microsoft are alerting systems like Azure Defender ATP, the Security Centers, and Azure. All of those products, when they generate incidents and alerts, send feedback into this tool. With this product, you get a single dashboard for managing your security footprint, both from the 365 Azure environment, as well as your on-premise environment.
How has it helped my organization?
From a security perspective, it has clearly improved our alerting in our incident management processes. We've also been able to improve other processes for network monitoring and for trouble remediation within the environment. Our infrastructure team and some of our application team are now plugging into the data that's in that tool as they can use it to find issues within their applications rather quickly - a lot more easily than the other tools that they've got, which has been a huge boom.
We also see that some of our help desk processes have now been informed by it. We have queries that run against the data set that's behind that same tool and they are built specifically for the help desk. For example, if a user's account has been locked out due to the fact that we have all of the data from all the different systems plugged into that tool, we can give the help desk a complete picture of authentication failures against that device so that they can quickly identify where the problem is and resolve the issue for the user.
What is most valuable?
This system has a list of data connectors and you choose what connects to it. By default, it has access to any of the core Azure data that you have access to, however, those are due to the fact that it lives in that environment. It would naturally have access to that data. Then, you choose which data sources you want to connect to it. Many of them are very easy to set up. They're within the 365 of the Azure portion and a point and click away with a lot of the third-party services. You click a button and do authentication and things connect right up. With some of the Linux, there are setups of Syslogs.
Microsoft has pretty good documentation. It doesn't take long. It's not hard to set up.
The biggest feature we've got out of it is visibility into our environment and what's going on across our estate. Being able to see, for example, anomalous RDP logins, to be able to see deviations from our standard traffic flows on the firewalls, things like that, give us insight into when we may have potential issues or a breach type situation.
The second thing you get is when you’re managing security within the Microsoft environment with Azure 365 you're on-premise you're bouncing between three or four or five, six different tools to do that. This centralizes the management of all of those. You get one pane of glass in all of those tools that give you a very easy way to see what's going on.
It also allows you to correlate between those tools. I can see if I have, for example, a low-priority incident in one tool. If I have another low-priority incident on the other tool made against the same user, that may force me to say, “Hey, maybe those things combined generate a higher level incident that I maybe need to put up for investigation.” That's the advantage of the tool.
The solution does not have specific features that have helped improve our security posture. Rather, the whole idea of making security a little bit easier while also being able to correlate data between multiple disparate systems has, as a whole, improved our security posture overall.
We’ve got process improvement that's happened across multiple different fronts within the organization and within our IT organization based on this tool being in place.
We were tracking in the neighborhood of 20 to 30 incidents a month coming out of one or two source systems within the environment. What Sentinel has given us the ability to do is move up. We're now evaluating somewhere in the neighborhood of 10 to 12 a day.
They're much more robust as a product. What we've been able to do is tune the alerts so that the things that are common, that are false positives that we see all the time, we've been able to filter those out and give ourselves this complete picture as things change and work but we're filtering out the standard data sets. There are things we’re going to look at and walk away from as we know they're false positives.
In terms of receiving false positives, it does take some work to tune the environment, to get it to get rid of all those false positives. It's not ridiculous work, however. I didn't find it to be the hardest problem. It took us a couple of months, doing an hour or so a day to clean them up. Going through that process offered a tremendous amount of learning about the environment. In looking at those false positives, you start to learn things about how people use the environment - things that we didn't realize before. That's extremely valuable for a security team to understand how your assets are used and what your users are doing.
The end users are barely involved in the process. They see our security team more proactively reaching out to them when they may have a problem. For example, I may have a user who has got an excessive amount of login failures against their ID and it's coming from, say, a mobile phone. We'll see that in the SIEM and what we'll do is reach out to the user proactively. Maybe they've been seeing lockout events, or, most likely, they have been seeing lockout events but they haven't quite figured out what's going on and we'll be able to proactively go to them and say, “Hey, we're seeing this, here's the device it's coming from and here's the action you should take and see if we can fix the problem.” It's given us the ability to reach out to the user. In some cases, it's an incident where we want to reach out, get more information from the user to understand whether it was them or not. In other cases, we're reaching out to them proactively and helping solve problems for them that they may or may not even be aware they're having.
What needs improvement?
Microsoft has a number of detections that they bundle with the product and there's a number of detections that are out against GitHub that are available. We have more and more of those going out every day. Microsoft periodically is releasing more updates. I love the fact that they're giving it to us. They're giving us the queries so we can plug them right into Sentinel.
We have to do very little editing of the plugins, however, I would love to see the ability to have those queries immediately, as Microsoft updates them. They need to have a streamlined process for updating them in the tool and knowing when things are updated and knowing when there are new detections available from Microsoft.
For how long have I used the solution?
I've used the solution for two years.
What do I think about the stability of the solution?
The solution has been extremely stable. We haven't had any downtime that I can recall.
What do I think about the scalability of the solution?
The scalability is great. It's all backed by the log analytics infrastructure. All of the data that we stuff in it is stuck with the log analytics retention times and data storage capabilities which scale wonderfully.
We are using it pretty heavily. At this point, we're plumbing pieces of data from all of our systems into it. We're actively in it every day.
We're constantly adding new data sets too.
How are customer service and support?
I haven't used technical support yet.
In general, the Microsoft technical support unit is okay. There are times when you get help and it's wonderful and there are times when things are not as good. It's not what I would consider the best support I've ever received. That said, they're trying. They could work on their response times.
Which solution did I use previously and why did I switch?
We did not previously use a different solution. We did a little bit of data consolidation, however, nothing at this level.
We adopted Sentinel as we were looking to mature our security footprint. We started looking at tools that could help us do that, and Sentinel was very easy to dig into, primarily due to the fact that you could bite little pieces off at a time. I didn't have to consume a massive cost. I could throw a little bit of data and consume at a pretty minor cost and prove its value before I started increasing my cost.
How was the initial setup?
The initial setup is very easy.
It's a point-and-click Azure environment. You just click the button and say "yep, I want this."
The solution does not need a lot of maintenance. Once you have the log analytics infrastructure configured, as in your retention times, et cetera, there's your maintenance of the systems that becomes the analytics that you're using. There's a little bit of work that needs to be done there. That was the part that needed some streamlining, however, that's about it. It's managing your rules and your playbooks, et cetera, that needs to be handled.
What was our ROI?
It's hard to measure ROI on these types of processes. I can't give hard numbers on what the return is. What I can say is that the organization is much better off having this tool in place than not having it in place. The fact is we are improving processes around the organization and the visibility. We recently had some huge vulnerabilities in Exchange that were being breached, and knowing that we have tools like this in place that have detections to help us establish whether we were having an issue or not was useful. The product helps to make us aware of issues and we're not guessing and not spending too much time digging.
Which other solutions did I evaluate?
We did evaluate other options. Most had a larger acquisition cost associated with them. That was obviously a big factor. The other thing that helped the decision was that we live in a Microsoft-centric environment and most of the Microsoft tools were prebuilt and correctly connected very easily.
What other advice do I have?
The product is part of the Azure platform - now the Microsoft platform. It's all fully managed by Microsoft at that level. We're using it as a SAFe solution.
I'd advise potential users to take a good look at your analytical rules and feed it with data. The more data you give it, the more valuable it becomes.
I'd rate the solution at an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Delivery Analyst at a consultancy with 10,001+ employees
It has an intuitive, user-friendly way to visualize the data
Pros and Cons
- "Sentinel has an intuitive, user-friendly way to visualize the data properly. It gives me a solid overview of all the logs. We get a more detailed view that I can't get from the other SIEM tools. It has some IP and URL-specific allow listing"
- "Sentinel can be used in two ways. With other tools like QRadar, I don't need to run queries. Using Sentinel requires users to learn KQL to run technical queries and check things. If they don't know KQL, they can't fully utilize the solution."
How has it helped my organization?
Sentinel gathers data from the organization's entire ecosystem, not just the local network. I like having the ability to investigate and respond quickly to threats from one place. It's fun to use. Sentinel has an intuitive, user-friendly way to visualize the data properly. It gives me a solid overview of all the logs. We get a more detailed view that I can't get from the other SIEM tools. It has some IP and URL-specific allow listing
Sentinel comes with multiple good playbooks for automation and other valuable things that we use. It automatically gives us alerts in our ticketing platform, ServiceNow.
If you're using other Microsoft security tools, it's better to use Sentinel instead of other SIEM solutions. It reduces the time spent on threat hunting because it uses an SQL database and SQL custom query language. It helps me analyze the data properly because I can view all the events. Sentinel has helped me multitask.
What is most valuable?
The most valuable feature is the integration with other Microsoft security tools. It's an Azure product, so it integrates seamlessly with tools like Microsoft Defender for Endpoint, Defender for Cloud Apps Security, and Defender for Identity.
It collects all the logs from these solutions and correlates the data well. If I need to check a particular event or log, I can easily review this from one portal, which is something I can't do in another SIEM tool. Sentinel has a graphical view that shows every team the information they need.
It will easily give us the entities, events, or accounts that are directly involved in any particular security alerts. It has good usability. Sentinel comes with multiple different connectors. We only need to select the log sources, and the connectors automatically load.
We can customize the visibility based on the organization's rules and policies. We establish the desired rules and log sources. Most of them are from Azure-based products, not firewalls or point system-based accounts. Initially, most of the security alerts are false positives, and we need to do some fine-tuning.
What needs improvement?
Sentinel can be used in two ways. With other tools like QRadar, I don't need to run queries. Using Sentinel requires users to learn KQL to run technical queries and check things. If they don't know KQL, they can't fully utilize the solution.
When we're dealing with freelancers and new employees, they often have problems analyzing some things. An expert can realize all of Sentinel's advantages, but most organizations are constantly hiring new staff, who need to learn KQL before they can use this.
For how long have I used the solution?
I have used Sentinel for the last two years.
What do I think about the stability of the solution?
I've never experienced lag, but it crashes sometimes. One disadvantage is that it collects tons of logs, so when we create reports, it isn't easy to download a month of reports in one day. We have to spread it out across 15 days.
What do I think about the scalability of the solution?
The scalability is good. You can scale it out by adding other tools.
How are customer service and support?
We haven't needed to contact Microsoft support about Sentinel because we haven't had any significant downtime. Our other SIEM tools sometimes went down and we had to contact support multiple times. Sentinel always provides solid availability, and it's ready to take our logs.
Which solution did I use previously and why did I switch?
I have used IBM QRadar and Splunk. I prefer Sentinel for threat hunting because the process is more visual. QRadar and Splunk are better for user interaction.
What other advice do I have?
I rate Microsoft Sentinel eight out of 10. I think a single-vendor strategy makes sense if you're primarily using Microsoft tools. It simplifies things because you only have one support portal, and engineers are easily accessible. If I'm working with security tools from multiple vendors, it can be hectic because the tools are made differently and have different architectures.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Cyber Security Analyst at a financial services firm with 1-10 employees
Includes preloaded templates, good visibility, and saves us time
Pros and Cons
- "Microsoft Sentinel comes preloaded with templates for teaching and analytics rules."
- "The KQL query does not function effectively with Windows 11 machines, and in the majority of machine-based investigations, KQL queries are essential for organizing the data during investigations."
What is our primary use case?
We utilize Microsoft Sentinel to monitor files for suspicious activities, such as unauthorized user login information, remote logins from outside the secure region, and primarily attachments.
How has it helped my organization?
Microsoft Sentinel offers good visibility into threats because we can integrate it with both Defender for Cloud and Defender for Endpoint. We conducted a test to determine the extent of visibility achievable through Sentinel integration, aiming to identify the primary sources of attacks.
We also use Microsoft Office 365, Defender for Cloud, and Defender for Endpoint.
When it concerns cybersecurity, particularly regarding zero-day attacks, Microsoft tends to promptly release TVEs. These updates enable us to patch systems that are susceptible to specific zero-day attacks.
Sentinel allows us to gather data from our entire ecosystem. We can install connectors or an agent on the user's system, or we can do it manually.
Sentinel enables us to investigate threats and respond promptly from a unified platform. Upon receiving alerts, we can navigate to the corresponding tab for analytics, where we can initiate an investigation to view comprehensive details about the threat's origin and its interactions.
It has assisted our organization in enhancing our preparedness and thwarting phishing emails and attacks. We encounter attacks on a daily basis from individuals attempting to execute scripts via websites. Every month, we can conduct simulations to train our personnel in recognizing and evading threats. Sentinel is particularly effective in mitigating risks posed by employees who click on dubious email attachments.
Sentinel assists in automating routine tasks and identifying high-value alerts. Although I haven't extensively used it, playbooks can be employed to create automated responses for alerts and to resolve them.
It assists in eliminating the need to utilize multiple dashboards. We configured one of our servers as a honeypot, enabling us to observe all access and related details from a unified dashboard.
The threat intelligence assists us in preparing for potential threats before they occur and taking any necessary proactive measures. When a potential threat is identified, we are also given recommendations on how to proceed.
Sentinel has helped decrease our time to detect and respond. The automation has reduced the time I spend on low-level threats, allowing me to focus on the priority threats.
What is most valuable?
Microsoft Sentinel comes preloaded with templates for teaching and analytics rules. we can also create our own.
What needs improvement?
We need to continually test and define analytics rules due to the possibility of triggering false positives if we simply use the preloaded templates and neglect them.
We attempted to integrate our Microsoft solutions, but we occasionally faced problems when connecting with other systems. While it functioned effectively with Linux and Unix systems, a Windows 11 update led to complications. Sentinel was unable to capture essential logs on certain computers. As a result, we were compelled to create two SIEMs using Splunk and QualysGuard. This was necessary because certain operating systems experienced issues, particularly after receiving updates.
Although Sentinel is a comprehensive security solution, it could be more user-friendly. When I started using it, it was a bit confusing. I think that certain features should be placed in separate tabs instead of being clustered together in one place.
The KQL query does not function effectively with Windows 11 machines, and in the majority of machine-based investigations, KQL queries are essential for organizing the data during investigations.
For how long have I used the solution?
I have been using Microsoft Sentinel for two years.
What do I think about the stability of the solution?
I have not experienced any stability issues with Microsoft Sentinel.
What do I think about the scalability of the solution?
Scaling is straightforward. For instance, if an organization opts to establish a new department and intends to add ten machines to that department, all that is required is to create a new load analysis workspace, incorporate the machines into that workspace, and subsequently link it to Sentinel.
What's my experience with pricing, setup cost, and licensing?
Microsoft Sentinel requires an E5 license. When considering this from the perspective of a large enterprise organization, the cost might be justified. However, for smaller organizations, it is comparatively expensive when compared to other SIEM and SOAR solutions. Open-source SIEMs like OSSEC are also available. These can be integrated with other open-source tools to address similar issues as Microsoft Sentinel, often at minimal or no cost.
What other advice do I have?
I would rate Microsoft Sentinel an eight out of ten.
Our Microsoft security solutions both cooperate and have limitations in working seamlessly together to provide coordinated detection and response across our environment. The individual who initially implemented these solutions did so in a manner that prevents us from accessing all the necessary information to effectively utilize Sentinel with a single administrative account, as intended.
Most of our servers are on-premises but we have two that are connected to Defender for Cloud. Those are mostly pickup servers.
Microsoft takes care of the maintenance for Sentinel.
Using a best-of-breed strategy is superior to relying on a single-vendor security suite. I have observed while working with Splunk and QualysGuard, that they are capable of detecting certain low-level threats more promptly than Sentinel. Occasionally, these threats manage to slip through when using Sentinel.
Microsoft Sentinel is a commendable solution, and its value justifies the cost. However, it should be noted that it comes with a significant price tag. Therefore, any organization considering implementing this solution should ensure they are financially prepared for it. I strongly advise obtaining certification and acquiring proficiency in using Sentinel. It is an excellent tool equipped with numerous features. Unfortunately, many users remain unaware of these features or lack the understanding of how to utilize them effectively. It's worth mentioning that Microsoft Defender and Intune serve to further enhance Sentinel's capabilities, elevating it into an even more powerful tool.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Security delivery analyst at a consultancy with 10,001+ employees
Good playbooks and threat detection but sometimes has false positives
Pros and Cons
- "The UI of Sentinel is very good and easy to use, even for beginners."
- "We're satisfied with the comprehensiveness of the security protection. That said, we do have issues sometimes where there have been global outages and we need to raise a ticket with Microsoft."
What is our primary use case?
I'm into monitoring and deploying. When an incident occurs in Sentinel, we try to triage it then investigate it, then we try to gather more details about it through other blades in Sentinel. We try to gather more information about the IP address, and user details from the Sentinel itself, as well as Active Directory.
What is most valuable?
They have good playbooks or logic apps to take action on behalf of the user. They're automated actions that we configure for when a particular condition occurs. It reduces human effort a lot and performs tasks on its own.
There is an option wherein we can add multiple usernames or any details in multiple numbers, and we can just use that instead of manually adding all the names.
When it comes to threats, every environment is different, and the data connectors are different. So it depends on what data connectors are configured to your environment. It could be specific to that. However, Sentinel is a pretty good product. It does threat detection very well. Depending on the user, and how he configures it, Sentinel will do a good job in delivering the output.
We already have priority-based use cases which we set during the creation of any use cases for any threat detection. It also allows us to change the priority whenever a threat occurs. Currently, in the environment in which I am working, we don't manually change the severity or the priority whenever the threat occurs. We will deal with it in its original form. However, it could be a good feature for us to use and also very helpful to set the priority level whenever it is necessary.
There is a specific incident blade that we can respond from. Or we have log analytics in Sentinel in which we can do threat hunting. We have various ways to gain visibility.
Threat intelligence is under development. It's not completely ready, however, it is a very good feature and can find multiple threats. It's completely managed by Micorosft. So far, it's a very good feature.
The UI of Sentinel is very good and easy to use, even for beginners.
It's very easy to deploy a new use case. We can create them very easily. Adding connectors is simple.
The preview mode is good. Sometimes it helps us pick up on malicious threats. It can sometimes provide false positives as well. For the most part, we can deal with it; it's good. That said, it's a work in progress.
There are good guides that allow us to easily add new features to our environment.
Workbooks allow us to display charts and help us provide very useful visuals.
Automation is very good.
The solution has helped us to save time.
I'm aware that we can have one centralized dashboard. We can view multiple dashboards in one central place. We can merge all tables and visualizations into one single pane of glass. It's easy to configure. However, we do not really work with a consolidated dashboard. We have a few for the reports.
The solution has decreased the time to detection and time to respond via custom use cases. However, I cannot quantify the exact amount of time saved. On average, it saves 30 to 40 minutes a day.
What needs improvement?
We're satisfied with the comprehensiveness of the security protection. That said, we do have issues sometimes where there have been global outages and we need to raise a ticket with Microsoft. Those have become repetitive and happen more often. Still, there are many choices and features, which is useful.
There are some false positives.
When an incident occurs, it will just be displayed on your screen. However, if they had some sort of sound or tone to alert the analyst, that would be ideal. It would help them notice when something is triggered.
For how long have I used the solution?
I've been using the solution for two years and five months.
What do I think about the stability of the solution?
There are no issues or outages. It's 90% to 95% stable.
What do I think about the scalability of the solution?
Our environment is mostly in Europe and there are multiple end-users.
Since this is just monitoring and threat detection, it can scale well. We can add new servers and increase the amount of logs flowing into Sentinel easily. There's no issue with that.
How are customer service and support?
Microsoft is quick to respond depending on the severity of the ticket. It's usually fixed within two to three hours maximum. The tech support understands the product well.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have not used any other products.
How was the initial setup?
The maintenance is minimal. If there is a global issue, we'd have to raise a ticket with Microsoft.
What's my experience with pricing, setup cost, and licensing?
I'm not aware of the exact costs involved.
Which other solutions did I evaluate?
I did not evaluate other options before using this solution.
What other advice do I have?
We do not use more than one Microsoft security product. We don't work with Defender, for example.
We do not yet use it to ingest data from the rest of our ecosystem. We have seven to ten people that work directly with the product.
This is a good tool with a lot of good features.
I'd recommend the product. The UI is good which makes it simple for new users. It will make it easy to train new engineers.
It's important to go with a best-in-breed rather than a single vendor. If there is any issue with the monitoring with one solution, it's good to have a backup option that might pick up what the other could miss. Having more than one solution - and different vendor options - allows you to have an "option B".
I'd rate the solution seven out of ten. There are still a lot of improvements that can be done.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Security Engineer at a tech services company with 51-200 employees
Great connectivity, integration capabilities, and analytics
Pros and Cons
- "The connectivity and analytics are great."
- "They only classify alerts into three categories: high, medium, and low. So, from the user's point of view, having another critical category would be awesome."
What is our primary use case?
As a security engineer, I help onboard with Sentinel. I enable all the connectors and tune the analytics to minimize the number of false positives.
How has it helped my organization?
We're a Microsoft house and it provides very good visibility into all the threats a company might be facing.
What is most valuable?
The connectivity and analytics are great.
It allows people to connect to different data sources under a single pane of glass.
The visibility is great in terms of having the notebook features. By using the notebook features, people can generate different graphs, which helps create greater visibility on the front end.
We've been able to integrate other products, including Defender. It's super easy to integrate them. All Microsoft products easily connect with each other. They coordinate together to help with detection and response across our network. This is critical.
This allows me to have better visibility to understand what is happening on each endpoint.
The threat protection is pretty comprehensive across Microsoft products. Having dependable endpoints and other security tools ensures good security overall. In terms of compliance, you have a lot of data that can help ensure comprehensive information is available and transparent.
We like that it's on the cloud.
Sentinel does allow us to ingest data from our entire ecosystem. This plays an important security role.
We can investigate threats holistically from one place. Having everything centralized makes security easier and helps us better understand what is happening.
Sentinel's security protection helps us to better identify anomalies or erratic user behavior. It helps me minimize false positives.
There is good automation. They do an okay job.
Consolidating into one dashboard has made it possible to have a holistic view of security. I can investigate issues and have better visibility.
Overall, the solution has saved me time. I'm not sure if I can quantify it, as I'm on the engineering side.
The product has helped save the organization money.
It has decreased our time to detect and time to respond.
What needs improvement?
They only classify alerts into three categories: high, medium, and low. So, from the user's point of view, having another critical category would be awesome. That would minimize the level of high alerts and break them down so we understand which are truly critical. We should be able to prioritize more effectively. Right now, this doesn't necessarily help users to prioritize when it comes to the alert or triage.
The bi-directional capabilities are okay. However, sometimes I need to fall back on Defender for cloud.
For how long have I used the solution?
I've been using the solution for two or three years now.
What do I think about the stability of the solution?
The stability is okay. I've only experienced one outage.
What do I think about the scalability of the solution?
We have about 200 staff on the solution.
The scalability is very good. All I have to do is enable data sources in order to expand.
How are customer service and support?
I haven't had much contact with technical support. My one experience was okay.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I did not previously use a different solution.
How was the initial setup?
The initial deployment is straightforward. The entire process was as simple as following clear steps. We basically create a workspace and push the pipeline.
As long as a person has relevant access to Azure, one person would be enough in terms of handling the deployment.
We did a deployment in a single location, not across multiple locations.
There is a bit of maintenance, in terms of ensuring logs are being digested. The number of people involved depends on the situation. We have two to three people who may check logs or connectors.
What about the implementation team?
We are consultants for clients. We help SMEs deploy the solution.
What was our ROI?
We have witnessed an ROI while using the solution, however, I cannot quantify the amount exactly.
What's my experience with pricing, setup cost, and licensing?
Sentinel charges based on ingestion. If Microsoft would allow us to view the logs before ingesting something we don't want, that would make the pricing better. Sometimes we don't want to pass illegitimate data into Sentinel, yet I don't have a choice.
It's not cheap. However, it's okay pricing.
Which other solutions did I evaluate?
I did not evaluate any other options previously.
What other advice do I have?
I'd rate the solution eight out of ten.
I'd tend to go with a single vendor over best of breed. A company like Microsoft allows everything to easily link various products together.
If you are using Microsoft Sentinel, go for the XDR solutions as well.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer:
Sr. Cloud Security Analyst at SNP
With Bi-directional sync, people work on active issues; resolved issues are updated across the board
Pros and Cons
- "Microsoft Sentinel enables you to ingest data from the entire ecosystem and that connection of data helps you to monitor critical resources and to know what's happening in the environment."
- "In terms of features I would like to see in future releases, I'm interested in a few more use cases around automation. I do believe a lot of automation is available, and more is in progress, but that would be my area of interest."
How has it helped my organization?
Microsoft Defender for Cloud's bi-directional sync capabilities are important in the following way. If you have an issue that shows in Defender for Cloud, an incident on your dashboard, and you look into Sentinel and see the same alert has been triggered, after someone on your team looks into it and fixes it, if bi-directional is not enabled, you will still have the alert showing. If someone is looking at the Defender for Cloud dashboard, that alert will still show as active. That's why it's important to have bi-directional sync. It helps make sure that people work on the right cases.
Sentinel enables you to investigate threats and respond holistically in one place. It gives you a central repository where you can have a historical view and see the access point where something started, where it went, and how things were accessed. For instance, if someone was anomalously accessing keywords, with everything in one place you can see where it started, where it went, who was involved in it, what kind of endpoints were involved, what IP address was involved, and what devices were involved. In this way, you have complete historical data to investigate the root cause.
Previously, I worked with a number of different tools to pull the data. But having one pane of glass has obviously helped. When you consider the time it takes to go into each and every dashboard and look into alerts, and take the necessary actions, Sentinel saves me a minimum of 15 minutes for each dashboard. If you have three to four dashboards altogether, it saves you around one hour.
And when it comes to automating routine tasks, if you want to notify the right people so that they can look into a P-1 incident, for example, Sentinel can automatically tag the respective SOC or security incident teams through a team chart and they can directly jump into a call.
Another point to consider is multi-stage attack detection. We have a granular view into the incident. We can investigate which IPs, user entities, and endpoints are involved in the alert. If you have to look at multiple, separate points, it could take one hour to see what happened at a particular point in time. With Sentinel, we can directly look into a certain person and points and that saves a lot of time. And then we can take action on the incident.
What is most valuable?
Among the valuable features of Sentinel are that it
- has seamless integration with Azure native tools
- has out-of-the-box data connectors available
- is user-friendly
- is being expanded with more updates.
The visibility into threats that the solution provides is pretty good. We can see a live attack if something is going wrong; we can see the live data in Sentinel.
I work on the complete Azure/Microsoft stack. With Azure native, we can integrate the various products in a few clicks. It doesn't require configuring a server, pulling of logs, or other heavy work. It's very easy, plug-and-play. The data collectors are available with Azure native so you can deploy policies or it will take care of everything in the backend. If various tools have different priorities for issues, monitoring everything is a hectic task. You have to go into each tool and look into the alerts that have been triggered. It's a big task. If you can integrate them into a single pane of glass, that helps you to find out everything you need to know.
And in terms of the comprehensiveness of the threat protection that these products provide, I would give it a 10 out of 10.
Microsoft Sentinel enables you to ingest data from the entire ecosystem and that connection of data helps you to monitor critical resources and to know what's happening in the environment. At a minimum, we should monitor the servers that are critical in the environment.
It also has hunting capabilities so that you can proactively hunt for things, but a different team looks after that in our organization.
What needs improvement?
In terms of features I would like to see in future releases, I'm interested in a few more use cases around automation. I do believe a lot of automation is available, and more is in progress, but that would be my area of interest.
For how long have I used the solution?
I have been using Microsoft Sentinel for more than two and a half years.
What do I think about the stability of the solution?
It's a stable solution.
What do I think about the scalability of the solution?
It's a scalable model but as you scale up you pay for it.
How are customer service and support?
Microsoft technical support is responsive and helpful. And their technical documents are pretty detailed and well-explained.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial deployment was pretty straightforward.
The number of people involved in the deployment is completely dependent upon the environment and the access we have. If there's something to be done with a third-party application—for instance, Cisco Meraki or ASA—for those, we require support from the networking team to open up ports and forwarding of logs from the firewalls to Sentinel. If it is a native Azure environment, we don't need any support.
As for maintenance, if there are any updates they will pop up in your alerts and you can then upgrade to the latest version. It doesn't take much effort and there is no downtime. You simply update and it takes a few seconds. If someone is experienced, that person can handle the maintenance. If the environment is very big and it requires injecting more logs, then it requires some helping hands.
What's my experience with pricing, setup cost, and licensing?
The pricing is fair.
With a traditional SIEM, people are required for SOC operations and investigations and they require licenses. With Sentinel, people in SOC operations are still required to investigate, but we don't need any licenses for them. With a traditional SIEM, you pay a lump sum for licenses. But with Sentinel, it's pay-as-you-go according to the amount of data you inject.
What other advice do I have?
I would recommend Microsoft Sentinel.
It's always good to compare against other tools when it comes to the value, to get an idea of what you are paying for. Compare the market strategies and the new capabilities that are coming out and whether you're able to unlock the full capabilities or not. Double-check that. As for best-of-breed versus one vendor, you should stick with one vendor only and take whatever they gave.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros
sharing their opinions.
Updated: November 2024
Product Categories
Security Information and Event Management (SIEM) Security Orchestration Automation and Response (SOAR) Microsoft Security Suite AI-Powered Cybersecurity PlatformsPopular Comparisons
Splunk Enterprise Security
IBM Security QRadar
Elastic Security
LogRhythm SIEM
Sumo Logic Security
Rapid7 InsightIDR
Fortinet FortiSIEM
AlienVault OSSIM
Cortex XSIAM
Securonix Next-Gen SIEM
USM Anywhere
ManageEngine Log360
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros
sharing their opinions.
Quick Links
Learn More: Questions:
- What are your approaches on Azure Sentinel content deployment automation?
- Which is better - Azure Sentinel or AWS Security Hub?
- What is a better choice, Splunk or Azure Sentinel?
- Which solution do you prefer: Microsoft Sentinel or Palo Alto Networks Cortex XSOAR?
- What Solution for SIEM is Best To Be NIST 800-171 Compliant?
- When evaluating Security Information and Event Management (SIEM), what aspect do you think is the most important feature to look for?
- What are the main differences between Nessus and Arcsight?
- Which is the best SIEM solution for a government organization?
- What is the difference between IT event correlation and aggregation?
- What Is SIEM Used For?