Microsoft Sentinel Reviews

I support Microsoft Sentinel as a Microsoft partner. We work on various scenarios, such as emails and data connectors. I support licenses by helping them enroll and advising them on the prerequisites they need to meet. I show them how to get started with Microsoft Sentinel. 

I'm the technical lead for Microsoft, so I've worked on several Microsoft security products, including Sentinel, Cloud App Security, Defender, Azure Information Protection, and Azure Key Vault. These are now my significant areas. It wasn't easy to integrate Sentinel with other products initially, but we had a smooth experience once the data connectors and everything were in place.

We are from the support team, so we operate in multiple environments depending on the use case. It works smoothly in every environment, including hybrid ones.

I've seen scenarios where the customer's security score was at 60, but we managed to increase it to 80 or 90 based on the recommendations from Sentinel. We use Sentinel to investigate the activity logs and address the issues. The security score increases once we fix those. 

The benefit Sentinel provides depends on the organization and how they have recruited engineering staff. If the engineers can maintain two or three products, then it's easy for them, but it hasn't reduced any difficulty from my perspective. 

Sentinel saved us time. When this product was introduced, many customers used other SIEM and SOAR technologies separately. Now that we have Sentinel in place, customers only need to learn how to use this product, so it's 50% to 60% more efficient. It's also more cost-effective because you aren't paying separately for those security components. Sentinel is all-inclusive. 

Sentinel integrates seamlessly with Azure platform services, making it more reliable and cost-effective. I can't say with certainty because it's outside my department, but my best guess is that Sentinel can reduce costs by about 30% to 40%. I would also estimate that it reduces our response time by roughly that amount. 

The bidirectional sync capabilities ingest the data and show us alerts that help us prioritize our policy settings and secure our environment. Once we ingest the IP address, we can monitor the network traffic. It ingests everything from the IP address to the applications we use at the cloud level. Having every event, alert, and output from Log Analytics integrated into one platform is essential. We can ingest everything using the syslogs and data connectors. For example, I'm using Windows Server 2016. It will send the data to the cloud, and Microsoft Sentinel pulls it from there. It removes the sysadmin logs and the other logs, so we can easily see the DDoS attacks and other threats.

It ingests the networking stuff and other things, too. It collects everything the company needs to secure the data from data engineers, Log Analytics engineers, information production engineers, etc. It ingests data from everywhere and stores it in one place. You can pull whatever data you need. 

A security product must be integrated with multiple other technologies like SIEM and SOAR to give you the best results and analyze user behavior. Sentinel uses connectors to integrate all Azure products and third-party security tools.

Sentinel provides excellent threat visibility, enabling us to dig deep. It directly connects to Azure Log Analytics, allowing us to do research and pull logs. It uses SOAR intelligence to detect and fix issues using AI and machine learning algorithms.

The ability of all these solutions to work together natively is essential. We have an Azure subscription, including Log Analytics. This feature automatically acts as one of the security baselines and detects recommendations because it also integrates with Defender. We can pull the sysadmin logs from Azure. It's all seamless and native. 

Everything shares a common database so that every product can be integrated depending on your enterprise licenses. Microsoft is effortless from a customer's perspective. You get a wide range of features with one license, including threat detection, information protection, infrastructure solutions, and endpoint protection. One or two enterprise licenses cover everything. 

Sentinel is an excellent product with multiple dashboards if you want to look at something specific. It also has a centralized dashboard for everything if you want to see the overview of what's essential. I use multiple dashboards because it's easier for us as support team members. 

Microsoft Defender has a built-in threat expert option that enables you to contact an expert. That feature isn't available in Sentinel because it's a huge product that integrates all the technologies. I would like Microsoft to add the threat expert option so we can contact them. There are a few other features, like threat assessment that the PG team is working on. I expect them to release this feature in the next quarter.

I have been using Microsoft Sentinel for two-and-a-half years

Sentinel is stable. 

I rate Microsoft technical nine out of 10. 

Positive

Setting up Microsoft Sentinel is straightforward because it's a cloud platform. You can install it with a few clicks. It isn't like the on-premises solutions we have used in the past, where you need to spend a couple of hours. You can deploy Sentinel with one person in around five minutes if you have all the resources, permissions, and rules.

Like all products, Sentinel requires some maintenance. There are planned and unplanned outages. Depending on when Microsoft releases the updates, it can be challenging, but they usually notify us ahead of time.

Microsoft offers the best value from a customer perspective.  With a small amount of money, customers can take advantage of an array of technologies because everything is connected from the Microsoft perspective. The return on investment is massive. You don't need to recruit multiple engineers. One engineer who is familiar with Microsoft products can manage the solution. 

I think Sentinel's pricing is reasonable. It's more reliable if it can integrate with other enterprise technologies, so you have to pay for that. We have to consider the size of the organization. We might shift to other security products for a smaller company. Given the reliability of Microsoft support, Sentinel is cost-effective.  

Sentinel is one of the best products compared to other SIEM solutions like CyberArk. Microsoft's market share is enormous, and they have surpassed AWS, so more companies are adopting Sentinel. A company can centralize everything with Sentinel, and that's great from a cost perspective. 

I rate Microsoft Sentinel nine out of 10. I see a few areas of improvement, but they are already working on implementing these features. If someone asked me whether I would recommend an a la carte approach using the best-in-breed solutions or an all-in-one integrated package from a single vendor, I would say that both approaches have advantages. However, I think it's good to hand everything over to the vendor. A vendor will take the sole responsibility and do the work for you. 

I also recommend becoming an expert in Microsoft Sentinel because it has a bright future. You can earn a decent salary once you have hands-on experience with this product. Sentinel is not well known, but I think it will have 60 to 70 percent of the market share.

We're a managed security service provider using Sentinel for its primary SIEM capability. Our company looks after multiple Sentinel instances for a variety of customers. However, we don't do anything through Lighthouse because every customer we monitor wants everything in their own tenant space. 

The company ensures suitable detections are created and loaded into the Sentinel side, and we provide them with KQL to help them with some in-house use cases with a security focus. We also made some dashboards so they could visualize their data and what their issues would look like. We adopt different deployment models depending on the customer. It's usually a public cloud or hybrid in some instances.

We work with a few Microsoft products, but it's mostly the Defender for Cloud Suite, including Defender for Endpoint and Defender for Cloud. It's undergone a rebrand from the Cloud Application Security side. We also use Azure Active Directory, Microsoft Cloud Security, and several other Azure and Office 365 applications.

Sentinel made it easier to put everything into one place instead of checking multiple tools, especially when working with Microsoft shops. They focus a lot of the efforts on the Sentinel side, so the data is being correctly pushed across and easily integrated with third-party capabilities. Palo Alto and Cisco feeds can work almost side by side with the native Microsoft feeds seamlessly.

Sentinel helps us automate routine tasks and findings of high-value alerts from a detection perspective. Still, I haven't made much use of the SOAR capabilities with the Logic Apps side of things because of the cost associated with them, especially at volume from an enterprise environment. It was felt that using those features might push some of the usage costs up a bit. We thought it was more of a nice-to-have than something essential for the core services we wanted to leverage. We avoided using that again, but it was more of a cost issue than anything. 

Instead of having to look at dashboards from multiple parties, we have one place to go to find all the information we want to know. This consolidation has simplified our security operations. 

Usually, it isn't good to have all your eggs in one basket. However, with Azure replicating across the data center, it's better to have all your eggs in one basket to effectively leverage the raw data that would typically be going into multiple other tools. Having everything in one place allows a nice, clear, concise view if you want to see all your network data, which you can do easily with Sentinel.

Some of the UEBA features helped us identify abnormal behaviors and challenge users to ensure it's undertaking particular activities. You can isolate accounts that may have been compromised a bit quicker.

Sentinel reduced implementation time and sped up our response. I can't give a precise figure for how much time we've saved. Onboarding an Azure feed to a third-party SIEM system might take a couple of days or weeks to get the relevant accounts, etc., in place. Onboarding is a matter of minutes with Sentinel if it's a Microsoft feed. Having everything in one place makes our response a little quicker and easier. The KQL can be easily transferred to support the threat-hunting side because all the information is just there.

Our threat visibility also improved. Sentinel changed a lot since I started using it. It's like a whole new product, especially with the tighter integrations on the Defender for Cloud. For customers heavily reliant on Microsoft and Azure, it's much cleaner and more accessible than logging in to multiple tools. 

I think some of the two-way integrations started to come through for the Defender for Cloud suite as well, so whenever you closed off notifications and threats, et cetera, that were being flagged up in Sentinel, it replicated that information further back to the source products as well, which I thought was a very nifty feature.

It helps us prioritize threats, especially with the way that the various signatures and alerts are deployed. You can flag priority values, and we leveraged Sentinel's capabilities to dynamically read values coming through from other threat vendors. We could assign similar alerts and incidents being created off the back of that. It was good at enabling that customizability.

The ability to prioritize threats is crucial because every business wants to treat threats differently. One organization might want to prioritize specific threats or signatures more than another customer based on how they've structured and layered their defense. It's useful from that perspective.

The native integration of the Microsoft Security solution has been essential because it helps reduce some false positives, especially with some of the impossible travel rules that may be configured in Microsoft 365. For some organizations, that might be benign because they use VPNs, etc.

Sentinel lets you ingest data from your entire ecosystem. When I started using it, there wasn't a third-party ingestion capability. We could get around that using Logstash. It was straightforward. The integration with the event hub side allowed us to bring in some stuff from other places and export some logs from Sentinel into Azure Data Explorer when we had legal requirements to retain logs longer. 

I've used  UEBA and the threat intel, which are about what I expect from those sorts of products, especially the threat intel. I like how the UEBA natively links to some Active Directory servers. It's excellent. Integration with the broader Microsoft infrastructure is painless if your account has the correct permissions. It was just ticking a box. It's clear from the connector screen what you need to do to integrate it.

The integration of all these solutions helped because they all feed into the same place. We can customize and monitor some of the alert data from these various products to create other derivative detections. It's like an alert for our alerts.  

For example, we could look at a particular user IP or similar entity attribute and set an alert if they've met specific conditions. If there are more than a given number of alerts from different products, we treat that as a higher priority. It's beneficial for that.

Sentinel could improve its ticketing and management. A few customers I have worked with liked to take the data created in Sentinel. You can make some basic efforts around that, but the customers wanted to push it to a third-party system so they could set up a proper ticketing management system, like ServiceNow, Jira, etc.  

It would be helpful for incident responders to be able to assign tickets and have permissions assigned to them. Once you have escalated tickets from Level 1 to Level 2, there may be areas where you want to control who has access to the raw Sentinel tool. 

I started using Sentinel in July of last year.

Sentinel's stability is great. We only had one outage for a couple of hours, but that was a global Azure issue. 

I think I've not had to worry too much about the scaling. It seems to be able to handle whatever has been thrown at it. I assume that's part of the SaaS piece that Sentinel falls under. Microsoft will worry about what's happening behind the scenes and spin up whatever resources are needed to make sure it can do what it needs to do.

I rate Microsoft support a ten out of ten. We had a few issues with certain filters working with some connectors. There were problems with certain bits of data being truncated and potentially lost. I spoke to some people from the Israeli team. They responded quickly and tried to be as helpful as they could. 

Support made a solid effort to understand the problem and resolve it. They maintained regular communications and provided reassurance that they were sorting out the problems.

Positive

I used Elasticsearch, Kibana, and Splunk. We switched to Sentinel because of the ease of use and integration. Microsoft infrastructure forms the backbone of our environment. We use Azure for hosting, Active Directory for user accounts, and Office 365 for communications and data storage. 

Sentinel made a lot of sense, especially given our difficulties getting our data onboarded into the Elasticsearch stack. We saw similar challenges with Splunk. Sentinel works natively with Microsoft, but we've still had some pain points with some of the data sources and feeds. I think that's just more about how the data has been structured, and I believe some of those issues have been rectified since they've been flagged with Microsoft support.

At the same time, Sentinel is a little more costly than Splunk and the Elasticsearch stack. However, it's easier to manage Sentinel and get it up and running. That's where a cost-benefit analysis comes in. You're paying more because it's easier to integrate with your environment than some of the other providers, but I'd say it is a little on the costly side.

I've spun up my instance of Sentinel for development purposes at home, and it was quick and easy to get through. The documentation was thorough. From the Azure portal, you click Sentinel to ensure all the prerequisites and dependencies are up and running. On the connector side, it's just a matter of onboarding the data. It's straightforward as long as you have the correct permissions in place.

Deployment requires two or three people at most. You probably don't even need that many. Two of the three were just shadowing to get experience, so they could run with their deployments.

It doesn't require much maintenance. Microsoft does a great job of building a SaaS solution. Any problems in the region where Sentinel is hosted are visible on the Azure portal. Once the initial configuration and data sources are deployed, it takes minimal upkeep.

The deployment was done in-house.

It's hard to say whether Sentinel saved us money because you only know the cost of a breach after the fact. We'll probably spend more on Sentinel than other products, but hopefully, we'll see a return by identifying and remediating threats before they've become an actual cost for our clients. 

Sentinel has made it a little easier to get the initial Level 1 analysts onboarded because they don't need to know how to use, say, Palo Alto's Panorama. They can focus their efforts on one query language that enables them to go across multiple different vendors, products, and tools. It's quicker for a Level 1 analyst to get up to speed and become useful if they don't need to learn five or six different ways to query various technologies.

Sentinel's pricing is on the higher side, but you can get a discount if you can predict your usage. You have to pay ingestion and storage fees. There are also fees for Logic Apps and particular features. It seems heavily focused on microtransactions, but they may be slightly optional. By contrast, Splunk requires no additional fee for their equivalent of Logic. You have a little more flexibility, but Sentinel's costs add up. 

I rate Sentinel an eight out of ten. My only issue is the cost. I would recommend Sentinel, but it depends on what you want to get from your investment. I've seen Sentinel deployed in everything from nonprofits to global enterprises. With multiple vendors, you're more at risk of causing analyst fatigue.

Microsoft has done a great job of integrating everything into one place. The setup and configuration of Azure's general hosting environments reduce the risk. Most services are on the cloud, so Sentinel makes it much quicker and easier to get up and running. You don't need to worry about training and getting multiple certifications to have an effective SOC.

I recommend sticking with Sentinel and putting in as many data sources as you can afford. Put it through its paces based on a defense-in-depth model. Take advantage of all the information Microsoft and others have made available in places like GitHub, where there is a vast repository of valuable detections that can be tweaked depending on your environment.

It makes it a lot easier to get started. Many people approaching security with a blank canvas aren't sure where to go. There are a lot of valuable resources and information available.

I'm into monitoring and deploying. When an incident occurs in Sentinel, we try to triage it then investigate it, then we try to gather more details about it through other blades in Sentinel. We try to gather more information about the IP address, and user details from the Sentinel itself, as well as Active Directory. 

They have good playbooks or logic apps to take action on behalf of the user. They're automated actions that we configure for when a particular condition occurs. It reduces human effort a lot and performs tasks on its own. 

There is an option wherein we can add multiple usernames or any details in multiple numbers, and we can just use that instead of manually adding all the names.

When it comes to threats, every environment is different, and the data connectors are different. So it depends on what data connectors are configured to your environment. It could be specific to that. However, Sentinel is a pretty good product. It does threat detection very well. Depending on the user, and how he configures it, Sentinel will do a good job in delivering the output.

We already have priority-based use cases which we set during the creation of any use cases for any threat detection. It also allows us to change the priority whenever a threat occurs. Currently, in the environment in which I am working, we don't manually change the severity or the priority whenever the threat occurs. We will deal with it in its original form. However, it could be a good feature for us to use and also very helpful to set the priority level whenever it is necessary. 

There is a specific incident blade that we can respond from. Or we have log analytics in Sentinel in which we can do threat hunting. We have various ways to gain visibility.

Threat intelligence is under development. It's not completely ready, however, it is a very good feature and can find multiple threats. It's completely managed by Micorosft. So far, it's a very good feature. 

The UI of Sentinel is very good and easy to use, even for beginners. 

It's very easy to deploy a new use case. We can create them very easily. Adding connectors is simple. 

The preview mode is good. Sometimes it helps us pick up on malicious threats. It can sometimes provide false positives as well. For the most part, we can deal with it; it's good. That said, it's a work in progress. 

There are good guides that allow us to easily add new features to our environment. 

Workbooks allow us to display charts and help us provide very useful visuals. 

Automation is very good.

The solution has helped us to save time. 

I'm aware that we can have one centralized dashboard. We can view multiple dashboards in one central place. We can merge all tables and visualizations into one single pane of glass. It's easy to configure. However, we do not really work with a consolidated dashboard. We have a few for the reports. 

The solution has decreased the time to detection and time to respond via custom use cases. However, I cannot quantify the exact amount of time saved. On average, it saves 30 to 40 minutes a day. 

We're satisfied with the comprehensiveness of the security protection. That said, we do have issues sometimes where there have been global outages and we need to raise a ticket with Microsoft. Those have become repetitive and happen more often. Still, there are many choices and features, which is useful.

There are some false positives.

When an incident occurs, it will just be displayed on your screen. However, if they had some sort of sound or tone to alert the analyst, that would be ideal. It would help them notice when something is triggered. 

I've been using the solution for two years and five months. 

There are no issues or outages. It's 90% to 95% stable. 

Our environment is mostly in Europe and there are multiple end-users.

Since this is just monitoring and threat detection, it can scale well. We can add new servers and increase the amount of logs flowing into Sentinel easily. There's no issue with that. 

Microsoft is quick to respond depending on the severity of the ticket. It's usually fixed within two to three hours maximum. The tech support understands the product well. 

Positive

I have not used any other products.

The maintenance is minimal. If there is a global issue, we'd have to raise a ticket with Microsoft. 

I'm not aware of the exact costs involved. 

I did not evaluate other options before using this solution. 

We do not use more than one Microsoft security product. We don't work with Defender, for example. 

We do not yet use it to ingest data from the rest of our ecosystem. We have seven to ten people that work directly with the product.

This is a good tool with a lot of good features. 

I'd recommend the product. The UI is good which makes it simple for new users. It will make it easy to train new engineers.

It's important to go with a best-in-breed rather than a single vendor. If there is any issue with the monitoring with one solution, it's good to have a backup option that might pick up what the other could miss. Having more than one solution - and different vendor options - allows you to have an "option B".

I'd rate the solution seven out of ten. There are still a lot of improvements that can be done. 

We have possible use cases for the solution. We have ten or 12 different use cases under this solution.

The Log analytics are useful. You can review many details. 

The portal and the full integration and collaboration between the cloud workloads and multi-tenants have been useful. We can use it with Sharepoint and Exchange.

The solution helps us prioritize all of our threats. It's one of the most important and critical systems we have here. 

We have a lot of Microsoft solutions. For example, we also use Defender for endpoints and Microsoft Cloud. We mostly use Microsoft products, although we also use Crowdstrike. 

It was easy to integrate Defender for Endpoint. Each of these solutions works natively together. It's very crucial that they work together. 

Microsoft is very comprehensive. It helps protect us and offers very clear information. It's easy to assess everything. It's a good user experience. 

We make use of Microsoft Defender for Cloud's bi-directional sync capabilities. We have different customers under our umbrella and multiple subsidiaries. Not all have access to the same license. We don't have the same security exposure everywhere. We can pick and choose who needs access.

Sentinel does enable us to ingest data from our entire ecosystem. This is crucial. That said, it can cost us a lot of money. We try to get feature visibility and enhance the collected logs to be able to identify only certain logs that would need to be uploaded. That said, it's very crucial we can ingest data from anywhere.  

We can investigate threats and respond holistically from one place, one dashboard. Having one dashboard is important as it saves the team from headaches. We can collect all the information we need in one view.

The comprehensiveness of Sentinel is good in that it helps us identify most of our gaps in security. In the last few years, we have been able to fill in most of the gaps.

Once we enabled the connectors and started getting incident reports to our dashboard we were able to realize the benefits of the solution. It took about one month to begin to get the value of this product.

Sentinel helps automate routine tasks and helps automate the findings via high-value alerts. We've been able to automate a lot of the cycle and leave the investigation to humans. Support is very crucial and we can take the right actions fast.

The product helps us prepare for potential threats before they hit and we can take proactive steps. We're very satisfied in terms of security operations.

Before implementing the solution, we didn't know we were wasting a lot of time. Once the solution was in place, we discovered a lot of gaps across the traditional way we were handling security. 

I can't say if we are saving money. However, we're investing in the right places. We're now utilizing services we actually need. From a business perspective, although it does have a cost, it's saving the business since it's protecting us from any security breach.

I'd like to see more integration with other technologies beyond the Microsoft OS. 

I would like to see more AI used in processes.

I've been using the solution for three or four years. 

The stability is not an issue. 

We do have plans to increase usage. The solution has the ability to scale. 

We have not opened a ticket for technical support yet. So far, we haven't had any issues. 

My understanding is Microsoft does not have good support and has done a lot of outsourcing. In general, they used to be brilliant as they were focused on customer satisfaction and engaged with experts, however, the quality is not as good.

Neutral

We also use Crowdstrike as our EDR solution. However, before Sentinel, I did not use anything else in this category.

I took part in the initial deployment. The process was very straightforward. It took about one week to onboard all that we needed. We did it in three phases. First, we did a demo and looked for items that needed to be addressed. We then onboarded the device and put the analytics and logs in place. 

We had a team of three on hand that handled the deployment. They also handle support and maintenance. 

We initially had the assistance of Microsoft partners. However, we failed to get all of the information we needed. We found it more valuable to get assistance from the vendor directly. 

I can't speak to the exact cost.

We are a customer of Microsoft. 

During implementation, it's helpful to get the vendor engaged in the implementation. 

I'd rate the solution nine out of ten.

It's good to go with a single-vendor strategy. I've recommended this product to others.

The user experience should be the number one priority. Microsoft is working on this every day. It's very important to us that the user experience is maintained and there's no conflict between the products or connectors. Having one dashboard makes it easier for admins and businesses to be in touch, engage, and share. For example, my manager can see my reports even if he's not knowledgeable in the technology.

I work as a security team leader and consultant in the Netherlands. Additionally, I am the main architect for my organization. Our current focus is on building our own Security Operations Center for media entities, and we offer this service to our customers as well. Our solution ensures zero bypasses and integrates the XDR suite of our clients. Therefore, any customer looking for the same solution can benefit from our expertise.

Microsoft Sentinel has the potential to assist us in prioritizing threats across our entire enterprise. However, its effectiveness relies heavily on the quality of our analytics roles. If we have appropriate alerts in place, we can avoid unnecessary noise. If we can accurately prioritize incidents and assign the appropriate level, it will significantly aid us. Additionally, automation can help analysts make informed decisions by consolidating incidents and alerts.

I have completed many customer integrations. Currently, I am working with one of the largest healthcare retailers and a very large insurance company. They have a variety of other products, such as effective AI, Infoblocks, and Akamai as a last resort. Our goal is to consolidate all the alerts from these products into Sentinel, which sometimes requires processing or editing. We refer to this as social editing, which essentially means fixing issues. Ultimately, our objective is to have a comprehensive overview of everything in a single dashboard.

The effectiveness of the integrated solutions that work together natively varies. At times, a data connector may work well, while at other times, it may not. I have noticed that Sentinel has significant potential for the development of data connectors and passes. This observation is due to one of my customers requiring a considerable amount of additional processing for data connectors, which prompted us to make a request to Microsoft. Currently, we are pleased to see that Microsoft is integrating this functionality. On the other hand, we also have plans to work with a local collector that involves parsing logs and collecting log data using custom parsing services.

The effectiveness of integrated security products in providing comprehensive threat protection is improving. However, there is a risk of overlap in the functionalities of Microsoft's various products, leading to duplicate alerts or unwanted charges. Nonetheless, compliance is improving. Additionally, the endpoint portal is starting to function more like an application portal for multiple products. Using only the Defender portal instead of Sentinel would benefit many customers at present, though additional sources may provide added value. There are also many developments in this area worth exploring.

Microsoft Sentinel has the capability to collect data from our entire ecosystem, but it comes with a cost. As the head of IT, I would have the ability to obtain any sensitive data that I need. If there is a substantial amount of data, I can handle it. However, we need to establish a use case for the data before proceeding, as it could become too expensive for us to handle. Therefore, we will not be ingesting all the data available.

Microsoft Sentinel allows us to investigate and respond to threats holistically from a single platform. This capability is powerful because we can create our own queries, and the language used is user-friendly. However, we must ensure that the data in Sentinel is properly structured. This means ensuring that our timestamps are consistent and accurate and that the quality of our data is high. By doing so, querying becomes easy and effective.

If we have a background in Azure, then it's relatively easy to understand the SOAR capabilities since it's built on Azure foundations and logic apps. This makes it more powerful.

The cost of Microsoft Sentinel is reasonable when compared to other SIEM and SOAR solutions. While the cost of ingestion may be high, the platform offers numerous capabilities for automation, alerting, monitoring, and operations. Therefore, we are receiving good value for our investment, even though it may not be the cheapest option on the market. Microsoft Sentinel's ongoing development of new features justifies the price point. For example, I compared it to a customer who used Splunk last year, and Splunk was more expensive and had fewer features.

Sentinel assists in automating routine tasks and identifying high-value alerts. For instance, we can configure it to automatically detect risks on specific accounts and receive notifications through an automatic inbox. While we exercise caution in implementing automation, we can leverage it during hours when staffing is limited to ensure timely and appropriate actions.

Sentinel's threat intelligence helps us prepare for potential threats and take action before they can impact us. Obtaining threat intelligence feeds from Microsoft would also be beneficial. We may eventually need to acquire an Excel feed, either from Microsoft or another source, but we must ensure that these expenses provide tangible value. I believe that the machine learning used by Microsoft Infusionsoft provides valuable threat intelligence with reliable patterns.

I've noticed that some customers are using on-premises environments such as Oxite for this particular task. However, since we're on a cloud platform, we don't have to handle and operate the systems as much because they are cloud services. This allows us to focus on the platform, the content, and making it work. The integration with Microsoft works well, and we can use similar queries in Sentinel as we do in Defender for Endpoint, which saves us time.

If we compare the current situation to that of five years ago, we can see that every company was spending less on this type of product because the threat wasn't as significant. However, over time, we have witnessed a significant increase in cyberattacks. As a result, every budget has been increased to address this issue. Therefore, in my opinion, Sentinel is not merely saving money; rather, we are utilizing our resources more efficiently.

I believe one of the main advantages is Microsoft Sentinel's seamless integration with other Microsoft products. This means that if we need to work with customers who already use the entire defense suite, we can easily collaborate with them. Additionally, the KQL language created is very robust and has a manageable learning curve for those who already have some experience. Furthermore, we can use KQL in other Microsoft platforms, making it a versatile tool. The AI aspect is also noteworthy, as it utilizes existing resources in Azure. For instance, if we have previous experience building Azure functions or using wireless technology, we can incorporate these skills into our playbook development in Sentinel.

Microsoft Sentinel provides visibility into threats, and the incident alert display has improved. However, I don't believe it is efficient or pleasant to work with, especially for specialists who work with it all day. We are considering putting our incident alerts into ServiceNow first, which would improve instant handling, logging, and monitoring, and streamline the investigation process. This is a potential area for improvement, but currently, the system is workable and easy to use. I understand that improvements are in progress, and I expect the system to get even better with time.

When we look at external SOAR and orchestration platforms, we have a better overview of all the rules, their behavior, and the correlation between them. From a technical perspective, it works well, but from a functional overview, there's room for improvement. For example, we need a clear understanding of what playbooks we have in our SOAR capabilities. Currently, we have a long list, and we need to know what each playbook does. If we want to add some playbooks in Azure, we need to consider the playbooks that we have in Azure that are not related to any schedule. This can make the environment a bit messy. While building them ourselves, we can have a clear understanding of the why, what, and how, but it can be complicated to know which playbook does what at a given moment or what role it best fits.

Currently, the watchlist feature is being utilized, and although there have been improvements, it is still not fully optimized. When examining the watchlist, it appears that it is not adequately supported in Sentinel's repository feature. As a result, we are constantly having to find workarounds, which is functional but require more effort. It is possible for Microsoft to improve efficiency, but they have not done so yet. 

I have been using Microsoft Sentinel for three years.

Last year, there were some issues with Azure Sentinel, which is a specific service within the Azure platform. These issues affected the performance of Sentinel and caused some concerns. While the situation has improved, there may be further challenges as the platform continues to grow. As a cloud service, there is a risk of outages, which can be difficult to address. Overall, there are currently no complaints about the stability of Azure Sentinel, but it is important to stay vigilant about potential issues that may arise.

Sentinel's scalability is impressive. Currently, we have not encountered any limitations. While there may be a limit on the number of rules with a large amount of data, we have not reached that point. The system performs well, aided by the basic and archive loss features. In the event that those features are insufficient, we still have additional options available. Overall, I believe that Sentinel is highly scalable.

We used to utilize ArcSight Interset, an outdated on-premises product that wasn't suitable for our move to the cloud or offering services to our customers. Since we mainly use Microsoft products, we switched to Sentinel enthusiastically. Sentinel is a perfect fit for our organization.

The initial setup was straightforward and adoption was fast. Currently, our approach within the organization is, to begin with a simple implementation and ensure it is functional before incorporating more complex integrations. We started with basic tasks such as editing data files and integrating on-premises data responses. Once we have established a solid foundation, we will build upon it to create a more advanced version.

If we take all areas into account, we would need a considerable number of people for deployment. I believe we would need around 15 to 20 individuals, including engineering consultants, ServiceNow personnel, and others.

I give Microsoft Sentinel an eight out of ten.

We use the entire range of security measures except for Defender for IP. This is similar to how we use Defender for servers. In Azure, these measures are used on the front-end point, server, and callbacks. As for our customer implementations, I am responsible for carrying them out. For our own laptops, we have a strategy where we use Carbon Black instead of Defender for Endpoint. However, we still use Defender AV, and for other cloud applications, we use Defender for Office 365. The reason we continue to use Carbon Black is due to its legacy status.

Sentinel is a cloud service platform that is particularly useful for those who require sizable, scalable, and high-performing solutions.

Sentinel always requires some maintenance, which includes examining the ingested data to determine if it is being used for a specific purpose. It is important to evaluate the amount of data being stored and ensure that we are paying the correct price. Additionally, any necessary updates should be made to patch up any queries. These actions will result in improved efficiency and effectiveness.

The choice of the best-of-breed solution depends on the company's specific needs, but given the shortage of skilled personnel in many organizations, managing multiple products can be challenging. If we opt for a best-of-breed solution, we may end up having to maintain expertise in several different areas. On the other hand, choosing a single vendor, such as Microsoft, can be advantageous in terms of discounts, support, and skill maintenance. Our experience suggests that when evaluating a solution, it's essential to know the requirements, risks, and desired outcomes beforehand, rather than trying to ingest all available data, which can be costly and inefficient.

I work for a security operation center. We use Microsoft Sentinel to monitor the tenants of our customers and provide automated investigations and feedback and alerting.

If something happens or if we get an alert, we also use it to investigate further. We do a deep analysis of the logs that we ingest from our customers. We also have many automation rules built into Microsoft Sentinel to reduce the noise and not-true positive alerts.

There is the ease of setup and ease of use. When we get new customers, we do not need to go onsite, build a system inside their on-premise network, and spend a lot of time setting up the systems. We can easily deploy a new Sentinel solution for a customer with automated templates, which benefits a lot in onboarding new customers. Because we have integrated it with many other security solutions from Microsoft, we can also perform many actions for which we otherwise would have needed VPN access or would have had to go to the customer site. So, the main benefit is that we can easily do anything from anywhere without having to spend much time setting up and onboarding.

We have combined it with other tools such as Microsoft 365 Defender Suite. With all tools combined and the customization that we have developed, we get pretty good insights into possible threats. It all depends on the logs you ingest. If you ingest the right logs, you can get very meaningful insights.

It helps us to prioritize threats across the enterprise. It does that in a very good way. It prioritizes the threats based on multiple factors. If multiple similar incidents happen or suspicious related activities happen at the same time, the incident gets a high priority because that's likely to be a real threat, but it also ingests the priorities that come from the other tools. You also have the ability to adapt priorities because each customer is different. Each business is different. We give our customers a standby for tickets that come in with priority two or higher. Microsoft Sentinel also gives us the chance to lower priority on some cases or upper the priority on some cases depending on the business use case of the customer.

We are a Microsoft security company, so we try to use as many Microsoft security tools as possible. We have Microsoft Defender for Cloud and Microsoft Defender for Office 365 as well. They are integrated into Defender 365 currently. We use the compliance portal. We use Microsoft Purview. We use Microsoft Sentinel. We use Microsoft Defender for Key Vault. We try to use as many security solutions as possible.

We have integrated these products with each other, and we have succeeded in it as well. Each product is at least integrated with Microsoft Sentinel by either using the way provided by Microsoft or a custom way to ingest data. We have integrated Defender 365 and other tools as well. We try to ingest alerts only from one place, if possible. We have integrated everything into one portal, and we ingest the data only from that portal. The integration for Microsoft solutions mostly works natively, but some of our customers have third-party solutions that we can integrate as well.

It's very important that Microsoft solutions work natively. When they work natively, you can have more built-in functionality for them. They are much more maintainable, and it does not take as much time to set up versus when you have to make a custom integration to something.

Microsoft Sentinel enables us to ingest data from the entire ecosystem. We can make custom integrations. If you have Linux machines or on-premises networks, you can set up a log forwarder inside the network and ingest the data that way into Microsoft Sentinel. There are many possibilities to ingest data from all locations, which is necessary for an XDR/SIEM solution. This ingestion of data is one of the most important things for our security operations because if we cannot ingest any data, we are partially blind on that side.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place. You do have to learn the KQL language, but it's similar to many other languages that are created by Microsoft or adopted by Microsoft. It's not that hard to learn. If you know it well, you can easily perform analysis on a whole bunch of data, whereas without Microsoft Sentinel, you would have to perform the analysis at many different places. Microsoft Sentinel gives you the possibility to do it just in one place.

We do not use all the functionalities of Microsoft Sentinel. For example, hunting queries are something that we do not use often, but their threat intelligence is updated quite regularly. We have tried it in Purview, which is a separate threat intelligence license that you can buy from Microsoft, but Microsoft also provides basic rules that alert on multiple threat indicators they detected earlier. They are very useful at the beginning sometimes. You have to remove those rules yourself as soon as they get outdated. The alerting that we get out of the threat intelligence provided by Microsoft itself has been valuable many times for our use cases.

Microsoft Sentinel helps automate routine tasks and the finding of high-value alerts. If we see many recurring alerts that are always suspicious but not really malicious, we can build our own automation rules that auto-close these alerts or automatically lower the priority on those alerts so that we are not getting too many notifications from alerts that are not worth investigating. It's really easy to do that. You can do it in many ways. To do the automation, there is a user-friendly interface. There are just drag-and-drop steps. It helps a lot, and it's easy to implement as well.

It has helped to eliminate having to look at multiple dashboards and have one dashboard for the analysis part, but for the response actions, it hasn't eliminated that because we have to log on to the Microsoft Defender security portals to perform most of those actions. For the analysis part, the alerting part, and the automated investigation part, this is the solution.

Its threat intelligence helps prepare us for potential threats before they hit and take proactive steps. For example, as soon as the Log4j vulnerability was known to the public, we immediately got alerts. We were able to take immediate action and remediate the vulnerability. We immediately knew how to prioritize our customers because we knew which customers already had active exploitation. Most of the time, such attempts were blocked, and if they got through, then the machine was luckily not really vulnerable, but it has been very helpful at that point to immediately assess the criticality for our customers. The attempts were not successful for many reasons. It also blocked them immediately.

It has saved us time. Especially because of the automated investigation part, it saved us a lot of time. We also have automated reporting, which also saves a lot of time each month. We provide our customers with a monthly report. If we had to do it manually and gather data from many different places, it would take a lot of time. Even if we had to fill it in manually in Microsoft Sentinel, it would take a lot of time, but because Microsoft Sentinel already ingests all of the data we use in our reports, we were able to write an integration with Microsoft Sentinel, which takes care of 75% of our reporting, and then we only have to do our analysis part. The data is already filled in, which saves a lot of time each month. The time savings went from one day per customer to one hour or two hours. For nearly fifteen customers, it was fifteen days, and now, it's 30 hours, which is more or less four days. It saves a lot of time each month that can now be spent on improving our service or performing deeper investigations on newly known threats and proactively act on them.

It hasn't reduced our time to detect because we have been using Microsoft Sentinel from the beginning. So, we always had the same response time because we only used Microsoft Sentinel for our alerting. It integrates well with Atlassian tools and ServiceNow tools, which gives us the ability to be alerted very fast on something, and then we can act immediately.

It's easy to use. It's a very good product. It can easily ingest data from anywhere. It has an easily understandable language to perform actions. You can use the entire Azure cloud to perform automated actions and automate investigations. The possibilities are more or less limitless because you can integrate Microsoft Sentinel with many resources inside the Azure cloud. If you integrate the security tooling with it, you can also make use of the data that Microsoft gathers from all Windows operating systems about malware, for instance, or about possible attacks. They ingest that data from so many sources, and you can make use of it. It helps a lot in discovering new vulnerabilities. We can almost immediately investigate them because Microsoft is always on top of things.

Threat intelligence could be better because we have had some cases where we got alerted online for many things all of a sudden. It was because some updates happened in the background, and we didn't agree with the use cases or how they were built. That part of threat intelligence could be a little better.

We have also had incidents where other tooling got an update but Microsoft Sentinel didn't update.

Microsoft Sentinel is a simple and straightforward solution. It could have a better API to be able to automate many things more extensively and get more extensive data and more expensive deployment possibilities. It can gain some points on the automation part and the integration part. The API is very limited, and I would like to see it extended a bit more.

We have recently turned on the bi-directional sync capabilities of Microsoft Defender for Cloud. It works pretty well, but sometimes, it just syncs only the incidents and not the alerts behind them or the other way around. That was the only thing. That was a recent complaint we had. Other than that, it works well.

I've been using Microsoft Sentinel for nearly two years.

It's very stable. We have many different Microsoft Sentinel instances running. Apart from some cleanup and maintenance, they all are running without any issues.

It's very scalable. As long as you send the right logs, it can ingest them perfectly, but, of course, the more logs you ingest, the higher the price, so you have to be very careful and very concerned about the logs you are ingesting in Microsoft Sentinel. You have to make sure that the logs that you ingest provide value for your security and are not useless.

I have not contacted them regarding Microsoft Sentinel, but I have contacted them for other solutions. Sometimes, we can't figure something out ourselves or we have questions about the new features that are made public. If we have a question or need assistance in any way in providing support to our customers, we can count on support to help us. I have not had a bad experience with them. We are also a Microsoft partner, so we get quick replies and have direct contacts within Microsoft sometimes for some cases. If we need support, they always help us very well.

Overall, I would rate them a seven out of ten because sometimes, they take a long time or you get redirected many times to another colleague before the issue is resolved, but in the end, they always help us out, and everything is fixed.

Neutral

In my previous job, we worked with local or on-premise systems, but the security monitoring was not that strong at that time. This is my second job, and in this job, I've only worked with Microsoft Sentinel.

I worked on one of the deployment scripts we use for our customers, but I was not involved in its initial deployment. I deployed it once for a customer by using the Azure resource manager template that I built. It was rather complex because the documentation was not up to date or correct at that time. When working with Microsoft Sentinel, sometimes the documentation is not as up-to-date or complete as it should be in my opinion.

The number of people involved in its deployment depends on the size of the customer, but usually, one or two people from the team do the deployment. One person works on the deployment of Microsoft Sentinel, and the other one usually works on the deployment of other components, such as analytics, automation, etc.

It does require maintenance. In order to stay up to date and keep evolving on the threat landscape, you have to keep looking for new analytic rules, new investigation techniques, and new automations. You have to constantly improve your Sentinel in order to stay on point and detect and have complete detection scenarios. Sometimes, the rules that are provided by Microsoft or the settings or conditions that are provided by Microsoft get deprecated or get a new update. You have to follow that up as well in order to stay up to date with the things Microsoft changes or recommends.

If you want to use Microsoft Sentinel, you should start thinking about the logs that you want to ingest. You should identify the ones that are important and also think of the use cases and what you want to detect from those logs. If you make the right choices on these two things, the setup and the integration with other tools will be very easy because you know from where you want to ingest logs and you know how to create analytics rules, automation rules, and things like that to detect the things that are critical or important to the security of your business.

To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that with a single vendor, we can integrate everything like a single product. We use Azure Active Directory, so we can easily secure authentication across multiple products and manage access permissions. On top of that, we have a single pane of glass where we can investigate and perform analysis in a very easy and user-friendly way, which saves a lot of time. We don't have to click through many different portals and know where to look each time. We don't have to learn the configuration, the setup, and the actions we can perform in each system because everything has the same interface. We only have to learn the things that Microsoft provides and not different products. The single pane of glass saves time and makes it much easier to investigate and respond and secure the environment.

Overall, I would rate Microsoft Sentinel an eight out of ten. I'm very happy with it, but no product is perfect. It can improve on some points, but overall, it's very good.

Our organization is a service company, therefore, we are proposing Microsoft Sentinel as an MSSP solution to our clients. Additionally, we are offering other solutions with Microsoft Sentinel. We have integrated Microsoft Sentinel with MISP, an open source intelligence trading platform, to create a deluxe solution. Furthermore, we use the five-year tool in conjunction with Microsoft Sentinel.

We pitched the solution for BFSI, healthcare, and ONG sectors.

The solution can be deployed based on the client's requirements.

Microsoft Sentinel provides visibility into threats by creating alerts, which will generate an instance and notify us. We can also view files and prioritize alerts using Microsoft Sentinel. Additionally, there is a tool with Sentinel that allows us to check alerts, which will help us identify false positives and false negatives, which is very beneficial for analysts.

Microsoft Sentinel helps us prioritize threats across our enterprise.

Microsoft Sentinel's ability to help us prioritize threats is a very important must-have feature for our organization.

Integrating Microsoft Sentinel with additional Microsoft solutions such as Microsoft Security Center is easy because we use a Microsoft agent. There is a default integration available with multiple connectors and we can use the agent to install data into Microsoft Sentinel.

The integrated solutions work natively together to deliver a coordinated detection and response across our environment. We use a playbook for the response process. We also integrated ServiceNow tools and Sentinel for ITSM. We are also designing the playbooks to meet our requirements.

Having the ability to integrate solutions with Microsoft Sentinel is an important feature.

Microsoft Sentinel provides comprehensive protection. 

Our organization has a strong partnership with Microsoft. Most of the services we receive are quite cost-effective. Microsoft provides market listings, allowing us to design our solution and place it on Microsoft's market listings, resulting in mutual benefits for both Microsoft and our organization.

We used Microsoft Defender for Cloud to get to the Azure security center for Sentinel. We wanted to work with a particular server but at the time the requirement was in order to use Defender we had to enable the solution across the subscription and not on one particular server.

Microsoft Sentinel enables us to ingest data from our entire system if we want.

Microsoft Sentinel enables us to investigate and respond to threats from one place. We can control everything from a single pane of glass.

Microsoft's built-in UEBA and threat intelligence capabilities play a major role in our security.

We can automate routine tasks, prioritize alerts using the playbook, and use the analytical rule's default settings when creating an alert. This helps to reduce false positives so that we only receive one alert for each issue.

Microsoft's XDR enabled us to avoid having to view multiple dashboards. We can integrate a variety of tools with Sentinel, allowing us to monitor all relevant information from a single screen.

The integration into one dashboard reduced our analytical work because it reduces the time required to review and respond to threats. 

The solution helped us prepare for potential threats proactively. Microsoft Sentinel helped our organization save money by preventing attacks. The solution helped reduce the threat detection time by up to 40 percent.

The data connectors that Microsoft Sentinel provides are easy to integrate when we work with a Microsoft agent.

The UI design for the investigation portion of Microsoft Sentinel is great.

The alerting of the queries works great and it is easy to develop a query around our requirements using Microsoft Sentinel.

The GUI functionality has room for improvement.

The playbook can sometimes be hefty and has room for improvement.

The troubleshooting has room for improvement.

I have been using the solution for three years.

The solution is stable.

The solution is scalable.

The technical support depends on if we have upgraded our support or not. The basic support has a wait time but the premium support is great.

Positive

We previously used IBM Security QRadar. The data connectors are more complicated and there are more configurations required with IBM Security QRadar compared to Microsoft Sentinel. The alerts are much better with Microsoft Sentinel.

The initial setup is straightforward.

The implementation is completed in-house with Microsoft documentation.

In comparison to other security solutions, Microsoft Sentinel offers a reasonable price for the features included.

I give the solution an eight out of ten.

The maintenance is completed by Microsoft.

I recommend Microsoft Sentinel to others.

Microsoft Defender for Cloud's bi-directional sync capabilities are important in the following way. If you have an issue that shows in Defender for Cloud, an incident on your dashboard, and you look into Sentinel and see the same alert has been triggered, after someone on your team looks into it and fixes it, if bi-directional is not enabled, you will still have the alert showing. If someone is looking at the Defender for Cloud dashboard, that alert will still show as active. That's why it's important to have bi-directional sync. It helps make sure that people work on the right cases.

Sentinel enables you to investigate threats and respond holistically in one place. It gives you a central repository where you can have a historical view and see the access point where something started, where it went, and how things were accessed. For instance, if someone was anomalously accessing keywords, with everything in one place you can see where it started, where it went, who was involved in it, what kind of endpoints were involved, what IP address was involved, and what devices were involved. In this way, you have complete historical data to investigate the root cause.

Previously, I worked with a number of different tools to pull the data. But having one pane of glass has obviously helped. When you consider the time it takes to go into each and every dashboard and look into alerts, and take the necessary actions, Sentinel saves me a minimum of 15 minutes for each dashboard. If you have three to four dashboards altogether, it saves you around one hour.

And when it comes to automating routine tasks, if you want to notify the right people so that they can look into a P-1 incident, for example, Sentinel can automatically tag the respective SOC or security incident teams through a team chart and they can directly jump into a call.

Another point to consider is multi-stage attack detection. We have a granular view into the incident. We can investigate which IPs, user entities, and endpoints are involved in the alert. If you have to look at multiple, separate points, it could take one hour to see what happened at a particular point in time. With Sentinel, we can directly look into a certain person and points and that saves a lot of time. And then we can take action on the incident.

Among the valuable features of Sentinel are that it 

• has seamless integration with Azure native tools 
• has out-of-the-box data connectors available
• is user-friendly
• is being expanded with more updates.

The visibility into threats that the solution provides is pretty good. We can see a live attack if something is going wrong; we can see the live data in Sentinel.

I work on the complete Azure/Microsoft stack. With Azure native, we can integrate the various products in a few clicks. It doesn't require configuring a server, pulling of logs, or other heavy work. It's very easy, plug-and-play. The data collectors are available with Azure native so you can deploy policies or it will take care of everything in the backend. If various tools have different priorities for issues, monitoring everything is a hectic task. You have to go into each tool and look into the alerts that have been triggered. It's a big task. If you can integrate them into a single pane of glass, that helps you to find out everything you need to know.

And in terms of the comprehensiveness of the threat protection that these products provide, I would give it a 10 out of 10.

Microsoft Sentinel enables you to ingest data from the entire ecosystem and that connection of data helps you to monitor critical resources and to know what's happening in the environment. At a minimum, we should monitor the servers that are critical in the environment.

It also has hunting capabilities so that you can proactively hunt for things, but a different team looks after that in our organization.

In terms of features I would like to see in future releases, I'm interested in a few more use cases around automation. I do believe a lot of automation is available, and more is in progress, but that would be my area of interest.

I have been using Microsoft Sentinel for more than two and a half years.

It's a stable solution.

It's a scalable model but as you scale up you pay for it.

Microsoft technical support is responsive and helpful. And their technical documents are pretty detailed and well-explained.

Positive

The initial deployment was pretty straightforward.

The number of people involved in the deployment is completely dependent upon the environment and the access we have. If there's something to be done with a third-party application—for instance, Cisco Meraki or ASA—for those, we require support from the networking team to open up ports and forwarding of logs from the firewalls to Sentinel. If it is a native Azure environment, we don't need any support.

As for maintenance, if there are any updates they will pop up in your alerts and you can then upgrade to the latest version. It doesn't take much effort and there is no downtime. You simply update and it takes a few seconds. If someone is experienced, that person can handle the maintenance. If the environment is very big and it requires injecting more logs, then it requires some helping hands.

The pricing is fair.

With a traditional SIEM, people are required for SOC operations and investigations and they require licenses. With Sentinel, people in SOC operations are still required to investigate, but we don't need any licenses for them. With a traditional SIEM, you pay a lump sum for licenses. But with Sentinel, it's pay-as-you-go according to the amount of data you inject.

I would recommend Microsoft Sentinel.

It's always good to compare against other tools when it comes to the value, to get an idea of what you are paying for. Compare the market strategies and the new capabilities that are coming out and whether you're able to unlock the full capabilities or not. Double-check that. As for best-of-breed versus one vendor, you should stick with one vendor only and take whatever they gave.