Microsoft Sentinel Reviews

We are using Microsoft Office 365 E5 license right now, which means we are using Windows Defender ATP because of its cloud application security platform. We also have Exchange Online Protection. The main thing is we are replacing all of our on-prem solutions with Microsoft Office 365 and Azure solutions.

Our use case is for Azure Active Directory, Advanced Threat Protection, Windows Defender ATP, Microsoft cloud applications, Security as a Platform, Azure Firewall, and Azure Front Door. All of the Azure Front Doors logs are coming to Azure Sentinel and correlating. However, for our correlation rules that exist on the QRadar, we are still implementing these rules in Azure Sentinel because we have more than 300 different correlation rules that exist from the QRadar.  

It is always correlating to IOCs for normal attacks, using Azure-related resources. For example, if any illegitimate IP starts unusual activity on our Azure firewall, then it automatically generates an alarm for us. 

We do not get so many attacks, but if any attacks occur on our Azure Firewall site, then we are able to understand where the attack came from. Sentinel lets us know who introduced it.

It is perfect for Azure-native solutions. With just one click, integrations are complete. It also works great with some software platforms, such as Cloudflare and vScaler. 

The rule sets of Azure Sentinel work perfectly with our cloud resources. They have 200 to 300 rule sets, which is perfect for cloud resources.

They need to work with other security vendors. For example, we replaced our email gateway with Symantec, but we couldn't collect these logs with Azure Sentinel. Instead of collecting these logs with Azure Sentinel, we are collecting them on Qradar. We couldn't do it with Sentinel, which is a problem for us.

It is difficult right now because there are not so many consultants who exist for Azure Sentinel, like there are for QRadar. We are not able to find a Sentinel consultant right now.

In Turkey, we are the biggest energy generation company for the public sector. We head more than 20 power plants right now and have more than 1,000 people working in the energy sector. Two years ago, we started to work with Microsoft to shift our infrastructure and workloads to the Azure and Office 365 platforms. So, our story starts two years ago.

It is stable. We have had one or two issues, but those are related to QRadar. We are creating and pushing logs all the time to QRadar, because the Microsoft security API does not send these logs to QRadar.

One resource is enough for day-to-day maintenance of our environment, which has 1,000 clients and 200 or 300 servers. However, our servers are not integrated with Azure Sentinel, because most of our servers are still on-prem.

For Azure- and Office 365-related products, it is perfectly fine. It is scalable. However, if you want to integrate your on-prem sources with Azure Sentinel, then Azure will need to improve the solution. 

We are using Microsoft support for other Microsoft-related issues. They have been okay. They always respond to our issues on time. They know what to do. They solve our issues quickly, finding solutions for our problems.

Positive

Right now, we are using QRadar for on-prem devices. On the other hand, we have Azure Sentinel for log collecting in the cloud products. All of the Microsoft components give logs to Azure Sentinel, but all of the on-premises resources are being collected on IBM QRadar. So, Sentinel has been helping us because this is causing complications for us. While it is possible to collect logs from QRadar to Sentinel to QRadar, it is difficult to do. So, we are collecting incidents from our QRadar, then our associates monitor Azure Sentinel-related incidents from QRadar.

We have been starting to use Azure Kubernetes Service. However, our developers are afraid of shifting our production environment to the Azure Kubernetes so this whole process can continue. At the end of the day, our main goal is still completely replacing our on-premises sources with serverless architecture. 

We also started to use Azure Firewall and Azure Front Door as our web application firewall solutions. So, we are still replacing our on-prem sources. Azure Sentinel works perfectly in this case because we are using Microsoft resources. We have replaced half of our on-premises with Azure Firewalls. The other half exists in our physical data centers in Istanbul.

The initial setup is getting more complex since we are using two different solutions: One is located on-prem and the other one is Azure Sentinel. This means Azure Sentinel needs to inspect both SIEMs and correlate them. This increased our environment's complexity. So, our end goal is to have one SIEM solution and eliminate QRadar.

The initial setup process takes only one or two weeks. For the Azure-related and Office 365-related log sources, they were enabled for Azure Sentinel using drag and drop, which was easy. However, if you need to get some logs from Azure Sentinel to your on-prem or integrate your on-prem resources with Azure Sentinel, then it gets messy. 

This is still an ongoing process. We are still trying to improve our Azure Sentinel environment right now, but the initial process was so easy.

We had two three guys on our security team do the initial setup, which took one or two weeks. 

We are not seeing cost savings right now, because using Azure Sentinel tools has increased our costs.

Pricing and licensing are okay. On the E5 license, many components exist for this license, e.g., Azure Sentinel and Azure AD.

I am just paying for the log space with Azure Sentinel. It costs us about $2,000 a month. Most of the logs are free. We are only paying money for Azure Firewall logs because email logs or Azure AD logs are free to use for us.

In Turkey, Microsoft is more powerful than other vendors. There are not so many partners who exist for AWS or G Cloud. This is the reason why we have been proceeding with Microsoft.

QRadar rules are easier to create than on the Azure Sentinel. It is possible to create rules with Sentinel, but it is very difficult.

There have been no negative effects on our end users.

I would rate Azure Sentinel as seven out of 10.

I use Microsoft Sentinel in my work as an MSSP and as a threat detection engineer.

One of the most valuable features of Microsoft Sentinel is that it's cloud-based. I previously worked for a very long time with AXA since 2006, but Microsoft Sentinel's ability to scale virtually and budget-dependent is a huge advantage. Before that, everything was on-premise and required some forklift upgrades, and it was a bit of a nightmare.

Microsoft Sentinel is relatively expensive, and its cost should be improved. Although Microsoft has been working on providing additional discounts based on commitment tiers, it's still in the top three most expensive products out there. They are certainly trying to compete with the likes of Splunk.

I have been using Microsoft Sentinel since April 2020.

Since the time that I've been using Microsoft Sentinel, I've seen five or six serious outages. That's not uncommon with cloud providers. Generally, when it's a major outage, it's pretty catastrophic.

The scalability of Microsoft Sentinel is pretty good.

I have contacted Microsoft Sentinel's technical support a number of times, and my experience with them has been pretty good.

Neutral

Before we started using Microsoft Sentinel, we previously used Splunk and ArcSight. Having a brand name like Microsoft was one of the reasons we decided to switch to Microsoft Sentinel. I was working for an MSSP at the time, and at the start of the service, they decided to run their MSSP based on Microsoft Sentinel. So it was more of an environmental thing than a conscious decision to switch to Microsoft Sentinel.

The deployment of Microsoft Sentinel is relatively simple, but the data onboarding is the complicated part.

Two people are required for the deployment of Microsoft Sentinel.

Microsoft Sentinel's evolution, use of CI/CD, and automation capabilities have helped us see a return on investment.

Microsoft Sentinel's pricing is relatively expensive and extremely confusing. I have raised this issue with Microsoft directly. It's not an easy thing to do, especially when you consider commitment tiers, discounts, and several variables that go along with it. It would be very difficult for the uninitiated to get a true reflection because you'd need to know about the product to get a cost. Suppose I go with the online pricing calculator. In that case, I need to know the difference between analytics and basic logs. I also need to understand the implications and limitations of selecting a particular option. And that's not clear from the pricing tool. So I think from that perspective, they should democratize it and make it a lot simpler and easier to do.

The visibility that Microsoft Sentinel provides into threats is great. They got a lot of content out of the box and have an active community. I absolutely love the cluster functionality and the cluster query language. I definitely wouldn't want to go back to anything else. It's an incredible query language.

Microsoft Sentinel helps us to prioritize threats across our entire enterprise. The out-of-the-box content and behavior-analytic functionality that Microsoft Sentinel provides certainly help a lot.

There's a whole cloud stack like Defender for Endpoint, Defender for Cloud, and Defender for Cloud Apps that we interface with. I am not directly responsible for configuring and managing those different products within my company. However, we interface with each of them because we take their log data.

It was very easy to integrate other Microsoft security products with Microsoft Sentinel. The other Microsoft products I mentioned have done a great job of making it very simple to integrate. It's probably easier than all the other services. Being Microsoft products, there's a very tight integration, which is great.

I don't have any direct involvement with configuring Defender for Cloud. However, we take the logs from all the Defender suites like Defender for Identity, Defender for Cloud, Defender for Cloud Apps, Defender for Endpoint, etc.

Microsoft Sentinel enables us to ingest data from our entire ecosystem. It is more challenging regarding the on-premise stuff and unsupported SaaS services. You could leverage the available functionality, but it's certainly not as easy as the native Microsoft Cloud products it integrates with. There's a lot more to it in terms of being able to ingest data from an on-premise data source. This data is very important to our security operations.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place.

The comprehensiveness of Microsoft Sentinel security protection is good. It is constantly evolving. I would like to see Microsoft add more automation, but they're on a journey to expanding their capability. I expect to see a change in that space. Since I started using the product, it has evolved, and the evolution of the product from two years ago or three years ago has been huge.

The cost and ease of use of Microsoft Sentinel against standalone SIEM and SOAR solutions are on par with Splunk in terms of costs. It's on par with what Splunk costs or slightly cheaper. It depends on how you set it up, but it's not always evident. Microsoft would prefer you to pay more than less. Certainly, from their perspective, it could probably put out more guidance on the optimization of cost. In terms of its use and functionality, it's definitely on its way to becoming a market leader. I can see that through the evolution that occurred in the last three years. There's always more and more functionality being added. I would like to see more expansion in terms of the provision of functionality in the dashboarding and work booking component. They could spend more time on expanding our capabilities. Splunk can easily plug into D3 libraries to create really good visualizations. The visualization capability within Microsoft Sentinel at the moment is somewhat rudimentary. You can always plug Power BI into it, but it's not a native product feature, and you need to buy and pay for Power BI.

From an overall management capability, Microsoft Sentinel has certainly made life easier. The introduction and addition of the CRC process are great. Historically, many SIMS haven't had that capability or ability to be integrated with the CRC system. So the automation component of that has allowed the deployment of infrastructure's code to speed up the process of the actual deployment massively in the MSSP environment. Historically, when it was on-premise, it would take two weeks to two months to get that all done. Whereas now, you can spin up a new instance and onboard all the cloud stack within a few days, which is huge.

Microsoft Sentinel has the hunting functionality. From that perspective, you could run a whole number of queries at the same time.

Microsoft Sentinel has not helped eliminate having to look at multiple dashboards. They need to expand that functionality.

Microsoft Sentinel’s threat intelligence helps us prepare for potential threats before they hit and to take proactive steps. They’ve recently introduced the Microsoft Defender Threat Intelligence feed, which is a good step forward. It’s come out of the RiskIQ acquisition, which is great. However, I would like to see more native integrations with threat intelligence feeds from financial services, local country threat intelligence feeds, and CSC feeds from government institutions. They work quite closely with the government in many places already, and it would be a huge advantage to have really simple and easy integrations. They could do more in that space in terms of providing alternative threat intelligence with the ability to integrate seamlessly and easily with threat intelligence from other sources. They do already provide connectors, but it isn’t easy. In my experience working in the industry, I’ve seen a company that effectively had a threat intelligence marketplace built into it. So you could very easily and quickly select threat intelligence providers through a number of clicks and then onboard that data very quickly.

Microsoft Sentinel has helped us save time as opposed to our previous solution. Microsoft needs to add even more automation. If you look at their competitors like Palo Alto Cortex, they already have a lot more capability out of the box. Microsoft needs to expand further that out-of-the-box automation capability.

Based on previous experience, Microsoft Sentinel has decreased our time to detection or our time to respond.

Microsoft Sentinel does not need any maintenance because Microsoft does that. However, I have monitoring rules set in place to watch what's going on. For example, we've seen outages in the past, which caused delays in incident creation. There's very little out-of-the-box content to help monitor Microsoft Sentinel.

I would always go with a best-of-breed strategy rather than a single vendor’s security suite. The evolution of Microsoft Sentinel itself has been quite amazing to see. The solution has become more feature-rich in the last two years. I hope this evolution continues and will likely leave the others behind.

I suggest to those evaluating Microsoft Sentinel to do a proof of concept.

Overall, I rate Microsoft Sentinel a seven out of ten.

It's a SIEM tool. Our process right now is to put as much data as we possibly can from all of our network devices into it. We use it as a centralized logging mechanism and the feature that is nice there is that it's agnostic against the types of devices you're using. I have firewalls that can log onto it. I have Linux boxes that can log onto it. I have Windows boxes that can log to it and I can collect a variety of logs from around the organization into it. I can analyze those logs, I can get detections against those logs and use them to take a look at the security footprint of the organization.

All of the different security centers within Microsoft are alerting systems like Azure Defender ATP, the Security Centers, and Azure. All of those products, when they generate incidents and alerts, send feedback into this tool. With this product, you get a single dashboard for managing your security footprint, both from the 365 Azure environment, as well as your on-premise environment.

From a security perspective, it has clearly improved our alerting in our incident management processes. We've also been able to improve other processes for network monitoring and for trouble remediation within the environment. Our infrastructure team and some of our application team are now plugging into the data that's in that tool as they can use it to find issues within their applications rather quickly - a lot more easily than the other tools that they've got, which has been a huge boom. 

We also see that some of our help desk processes have now been informed by it. We have queries that run against the data set that's behind that same tool and they are built specifically for the help desk. For example, if a user's account has been locked out due to the fact that we have all of the data from all the different systems plugged into that tool, we can give the help desk a complete picture of authentication failures against that device so that they can quickly identify where the problem is and resolve the issue for the user.

This system has a list of data connectors and you choose what connects to it. By default, it has access to any of the core Azure data that you have access to, however, those are due to the fact that it lives in that environment. It would naturally have access to that data. Then, you choose which data sources you want to connect to it. Many of them are very easy to set up. They're within the 365 of the Azure portion and a point and click away with a lot of the third-party services. You click a button and do authentication and things connect right up. With some of the Linux, there are setups of Syslogs.

Microsoft has pretty good documentation. It doesn't take long. It's not hard to set up.

The biggest feature we've got out of it is visibility into our environment and what's going on across our estate. Being able to see, for example, anomalous RDP logins, to be able to see deviations from our standard traffic flows on the firewalls, things like that, give us insight into when we may have potential issues or a breach type situation.

The second thing you get is when you’re managing security within the Microsoft environment with Azure 365 you're on-premise you're bouncing between three or four or five, six different tools to do that. This centralizes the management of all of those. You get one pane of glass in all of those tools that give you a very easy way to see what's going on.

It also allows you to correlate between those tools. I can see if I have, for example, a low-priority incident in one tool. If I have another low-priority incident on the other tool made against the same user, that may force me to say, “Hey, maybe those things combined generate a higher level incident that I maybe need to put up for investigation.” That's the advantage of the tool.

The solution does not have specific features that have helped improve our security posture. Rather, the whole idea of making security a little bit easier while also being able to correlate data between multiple disparate systems has, as a whole, improved our security posture overall.

We’ve got process improvement that's happened across multiple different fronts within the organization and within our IT organization based on this tool being in place.

We were tracking in the neighborhood of 20 to 30 incidents a month coming out of one or two source systems within the environment. What Sentinel has given us the ability to do is move up. We're now evaluating somewhere in the neighborhood of 10 to 12 a day.

They're much more robust as a product. What we've been able to do is tune the alerts so that the things that are common, that are false positives that we see all the time, we've been able to filter those out and give ourselves this complete picture as things change and work but we're filtering out the standard data sets. There are things we’re going to look at and walk away from as we know they're false positives.

In terms of receiving false positives, it does take some work to tune the environment, to get it to get rid of all those false positives. It's not ridiculous work, however. I didn't find it to be the hardest problem. It took us a couple of months, doing an hour or so a day to clean them up. Going through that process offered a tremendous amount of learning about the environment. In looking at those false positives, you start to learn things about how people use the environment - things that we didn't realize before. That's extremely valuable for a security team to understand how your assets are used and what your users are doing.

The end users are barely involved in the process. They see our security team more proactively reaching out to them when they may have a problem. For example, I may have a user who has got an excessive amount of login failures against their ID and it's coming from, say, a mobile phone. We'll see that in the SIEM and what we'll do is reach out to the user proactively. Maybe they've been seeing lockout events, or, most likely, they have been seeing lockout events but they haven't quite figured out what's going on and we'll be able to proactively go to them and say, “Hey, we're seeing this, here's the device it's coming from and here's the action you should take and see if we can fix the problem.” It's given us the ability to reach out to the user. In some cases, it's an incident where we want to reach out, get more information from the user to understand whether it was them or not. In other cases, we're reaching out to them proactively and helping solve problems for them that they may or may not even be aware they're having.

Microsoft has a number of detections that they bundle with the product and there's a number of detections that are out against GitHub that are available. We have more and more of those going out every day. Microsoft periodically is releasing more updates. I love the fact that they're giving it to us. They're giving us the queries so we can plug them right into Sentinel. 

We have to do very little editing of the plugins, however, I would love to see the ability to have those queries immediately, as Microsoft updates them. They need to have a streamlined process for updating them in the tool and knowing when things are updated and knowing when there are new detections available from Microsoft.

I've used the solution for two years.

The solution has been extremely stable. We haven't had any downtime that I can recall.

The scalability is great. It's all backed by the log analytics infrastructure. All of the data that we stuff in it is stuck with the log analytics retention times and data storage capabilities which scale wonderfully.

We are using it pretty heavily. At this point, we're plumbing pieces of data from all of our systems into it. We're actively in it every day.

We're constantly adding new data sets too.

I haven't used technical support yet.

In general, the Microsoft technical support unit is okay. There are times when you get help and it's wonderful and there are times when things are not as good. It's not what I would consider the best support I've ever received. That said, they're trying. They could work on their response times.

We did not previously use a different solution. We did a little bit of data consolidation, however, nothing at this level.

We adopted Sentinel as we were looking to mature our security footprint. We started looking at tools that could help us do that, and Sentinel was very easy to dig into, primarily due to the fact that you could bite little pieces off at a time. I didn't have to consume a massive cost. I could throw a little bit of data and consume at a pretty minor cost and prove its value before I started increasing my cost.

The initial setup is very easy.

It's a point-and-click Azure environment. You just click the button and say "yep, I want this."

The solution does not need a lot of maintenance. Once you have the log analytics infrastructure configured, as in your retention times, et cetera, there's your maintenance of the systems that becomes the analytics that you're using. There's a little bit of work that needs to be done there. That was the part that needed some streamlining, however, that's about it. It's managing your rules and your playbooks, et cetera, that needs to be handled.

It's hard to measure ROI on these types of processes. I can't give hard numbers on what the return is. What I can say is that the organization is much better off having this tool in place than not having it in place. The fact is we are improving processes around the organization and the visibility. We recently had some huge vulnerabilities in Exchange that were being breached, and knowing that we have tools like this in place that have detections to help us establish whether we were having an issue or not was useful. The product helps to make us aware of issues and we're not guessing and not spending too much time digging.

We did evaluate other options. Most had a larger acquisition cost associated with them. That was obviously a big factor. The other thing that helped the decision was that we live in a Microsoft-centric environment and most of the Microsoft tools were prebuilt and correctly connected very easily.

The product is part of the Azure platform - now the Microsoft platform. It's all fully managed by Microsoft at that level. We're using it as a SAFe solution.

I'd advise potential users to take a good look at your analytical rules and feed it with data. The more data you give it, the more valuable it becomes.

I'd rate the solution at an eight out of ten.

We provide managed security services to customers in Myanmar using Microsoft Sentinel as a cloud media SIEM. Most of the use cases involve retention, and we use all the features of Microsoft Sentinel. We also use other Microsoft security products like Defender for Endpoint, and most of them are integrated with Sentinel. 

Microsoft Sentinel is a cloud-native SIEM solution, so it helped us reduce our infrastructure costs and deliver better services to our customers. We don't need to pay upfront costs because it is in the cloud. We used an open-source SIEM solution before implementing Microsoft Sentinel, but that wasn't satisfactory for our customers. Sentinel helped us provide more robust managed security services to our customers.

It consolidated multiple dashboards into one and helped us be more proactive. However, our team is still trying to mature to a level that we can adopt a more preventative approach to security. Sentinel significantly reduced our detection time. Without Microsoft Sentinel, our SOC analyst might take 30 minutes to an hour to detect an issue, but now it's practically in real-time. 

The biggest advantage of Sentinel is scalability. In addition, we don't need to worry about paying for infrastructure costs upfront. It gives us the flexibility to choose the kind of infrastructure based on each client's needs. Sentinel is also much simpler than other SIEM solutions. The UI is smoother and easier to use.

Native integration with Microsoft security products or other Microsoft software is also crucial. For example, we can integrate Sentinel with Office 365 with one click. Other integrations aren't as easy. Sometimes, we have to do it manually. 

The bi-directional sync is helpful. For example, we have one client using our managed security service, but they don't want to use Microsoft Sentinel. If those products are not syncing or if the solution is not bi-directional, some alerts may be missed. It's essential for both portals and the two folders to be in the same channel it's pushing. The UEBA features are also perfect. We don't see the same caliber of user behavior analytics in other SIEM. Microsoft's UEBA is great for our SOC analysts. 

Microsoft threat intelligence and UEBA still have some room for improvement. There are currently only two connectors available for Microsoft threat intelligence. the threat intelligence platform and the FTIA commander.
Sentinel should offer another option for a third-party threat intelligence platform. There are lots of open-source threat intelligence solutions available. 

Threat handling could be great for our team and for our SOC analyst, but some are unusable depending on our SOC analytics.

Sentinel can ingest data from most of our ecosystem, but some data cannot be called up. For example, if an SAP product is hosted, it will do a specific version, but it cannot be called back to Sentinel. It cannot be directly connected to Sentinel.

Our team has been using Microsoft Sentinel for about two and a half years.

I rate Microsoft support a seven out of ten. They take too long to respond, but sometimes they are great. 

Neutral

We previously had an open-source SIEM, but it lacked the detection and automation capabilities of Sentinel.

The initial deployment was straightforward but configuring integration for some of our projects was challenging because there are few connectors for solutions like Cisco. I rate Sentinel a five out of ten for ease of setup. 

We performed our integration in-house, but sometimes we get support from Microsoft.

Sometimes, it is hard for us to estimate the costs of Microsoft Sentinel.

I rate Microsoft Sentinel a nine out of ten. I recommend it, but it takes time to evaluate because Sentinel is unlike other cloud solutions. 

Microsoft Sentinel is basically a major log, on top of which you can build queries that can analyze the data you get. It's used to build up security operations centers. In addition, it is a SIEM and SOAR solution.

The first benefit is that you have one place to close incidents. That's definitely an advantage. 

Another benefit is KQL, Kusto Query Language, and the analytic rules with which you can spot suspicious behavior of all kinds. It's definitely a step up when it comes to security. You see the benefits almost instantly.

In addition, automation helps prioritize what needs to be looked at, and what can just be closed and forgotten.

And when you combine the threat intelligence with Defender for Endpoint's recommendations, it's a really strong way to protect things or be proactive when it comes to security, with the CVEs, et cetera.

Overall, our Microsoft solution saves time. Without it, you might have to navigate six or seven portals, but with it, you only have to look at one place, and that saves some time. Most of the time, it eliminates having to look at multiple dashboards and gives you one XDR dashboard. Ideally, that should make working with IT security easier. It also decreases the time it takes to detect and respond.

As a consultant, none of the customers I work for has been hacked or has been close to being hacked. That would be the best way to judge if it saves money because just putting Sentinel on top of all these security products doesn't save you money. It's possible it saves you money. 

I like the unified security console. You can close incidents using Sentinel in all other Microsoft Security portals when it comes to incident response.

The solution helps prioritize threats across your enterprise and that is quite important. There is a concept called "alert fatigue," and Sentinel can also cause that because it detects so many false positives. But usually, the high and medium risks it identifies are things you need to take a look at. So prioritization is quite important.

We also use Defender for Cloud, Defender for Endpoint, and Defender for Cloud Apps. It's quite easy to integrate these Microsoft products because they can easily communicate with other Microsoft products. The tricky part is to integrate other vendors' products, like Cisco or Linux, with Microsoft Sentinel. The actual integration is easy, but they generate a lot of data. But with its entire Defender suite, Microsoft is trying to cover everything in Azure and that is a really strong point.

Sentinel enables you to ingest data from your entire ecosystem and that is vital, but sometimes it's a bit hard to figure out what data you actually need.

Also, the UEBA is a neat feature.

The built-in SOAR is not really good out-of-the-box. The SOAR relies on logic apps and you almost need to have some kind of developer background to be able to make these logic apps. Most security people cannot develop anything, but if you want to make full use of the SOAR part of Microsoft Sentinel, you need to be able to develop these logic apps. You can say, "Okay, that's simple," but it's not simple for someone who doesn't develop.

Also, the bi-directional sync in Microsoft Defender for Cloud should be enabled out-of-the-box. Otherwise, while you can close incidents in Sentinel, they will not be closed in all the other portals. That is really important.

In addition, the watch list could be improved. Microsoft could develop some analytic templates based on these watch lists, for example.

And if you don't have any KQL knowledge, Sentinel is actually quite hard to use or to get the most out of.

I have been working with Microsoft Sentinel for approximately one year.

It's a stable solution.

My clients are looking to increase their usage of Sentinel. Every time I look, there is a new data connector, so it seems like it's a product that is constantly in development.

I haven't used their technical support.

The initial deployment, for me, is not really complex. It takes one hour or less. But to be able to use Sentinel to its full capabilities, you must definitely know something.

In terms of an implementation strategy, you need to really think ahead about who should be able to do this, and who should be able to do that, and respond to that, et cetera. A proof of concept would include dealing with the architecture, gathering initial data sources and/or automation, and then learning how to navigate in Sentinel. One person can do it.

My clients are enterprise-level companies and the solution requires maintenance. It includes updating analytics, importing, and creating new analytics. It depends on the company. If you have 100 employees, one employee might be enough to maintain things, but if you have 10,000 employees and 10,000 devices, you might need more employees.

No license is required to make use of Sentinel, but you need to buy products to get the data. In general, the price of those products is comparable to similar products.

My advice is to start out with a little bit of data and build on top of that. Don't enable too many data connectors in the beginning. Get familiar with the product, and remember to work with Sentinel every day. That's the only way the product gets better.

It comes with some out-of-the-box analytics, but to get the full and best usage out of it, you have to really keep developing it with hunting queries, analytics, et cetera. The visibility provided by the built-in analytics rules, what they detect, is rather good, but Microsoft Sentinel requires ongoing work. It helps automate routine tasks as well, but that's not something that comes "for free." It also requires ongoing work.

Threat intelligence is something that you must be more than just a novice in Sentinel to make use of.

Overall, I find Sentinel to be a really strong solution. Sentinel is where you can see the overall security status of your company. I really enjoy working with Microsoft Defender and the entire suite, combined with Microsoft Sentinel.

We use it to monitor the cloud for any security issues. We are using it as a SIEM for our cloud workspace.

The most valuable feature is the UEBA. It's very easy for a security operations analyst. It has a one-touch analysis where you can search for a particular entity, and you can get a complete overview of that entity or user.

There is also something called workbooks in Sentinel that help us to monitor the complete cloud data and it gives knowledge about, and visibility into, our security posture.

It integrates seamlessly with Microsoft products, especially Office 365 and our Azure workspace, whether it's the Application Gateway or Azure DDoS or Azure Firewall. It has native integration that works very well.

You can also monitor Zero Trust security from Microsoft Sentinel.

There are a number of points they can improve. For example, if I see an alert and I want to drill down and get more details about the alert, it's not just one click. In other SIEM tools, you just have to click the IP address of the entity and they give you the complete picture. In Sentinel, you have to write queries or use saved queries to get details. For a security analyst, when there is an incident, it takes a lot of time to write queries, investigate, and then execute.

For example, if you want to search a particular entity or an IP address, or search the complete log instead of just the security alerts, it takes time to write a query for that. The MTTR is a little high, as is the mean time to investigate, compared to other SIEM tools.

I would also like to have more resources on KQL queries.

And using the data connectors is not straightforward when you want to create a use case that is not out-of-the-box. Creating a custom use case is a challenging process. You need to understand KQL queries and the support for regex is limited.

I've been using Microsoft Sentinel for between six months and a year.

The availability is good. But when you compare the stability with Splunk or ELK or QRadar, it still needs to be more reliable and stable, not from an installation or administration perspective, but when it comes to security operations.

We collect data from between 3,000 and 4,000 users, and our cloud workspace is somewhere around 100 or 200 servers.

The scalability is good because it has Azure in the back end.

We are still deciding whether to migrate completely to Sentinel or not. We are using two SIEM solutions in parallel. The other solution is LogRhythm. From an analyst perspective, Sentinel has to evolve more. Once it does, we can think of migrating to it fully.

The installation was straightforward and easy. With Azure Resource Manager, it was easy to deploy, and it was a straightforward integration, in terms of configuration, to connect the Log Analytics workspace with Sentinel and the solutions that Sentinel has.

Deploying the solution hardly took four hours, and the initial configuration took a single person one day, meaning eight hours.

We used to have an on-prem solution and we moved our workload to the cloud. Our users did not face any challenges or difficulties as a result.

We are still in the process of getting our ROI. We are waiting for the solution to improve and mature.

Sentinel is pretty competitive. The pricing is at the level of other SIEM solutions.

I have experience with Splunk and QRadar and they are the best. They are equivalent, one with the other. Both the solutions are mature enough, having been in the market for quite some time. They know what they're doing and are easy to use from an analyst's perspective. Both are scalable solutions as well.

The drawback of these two solutions is that it takes a little bit of time to do integrations, especially for Azure workloads, as they're not in-built in Azure.

Always record your KQL queries and stick to the basics.

Sentinel is a solution called SIEM - security information event management. It's for monitoring an entire organization from a security point of view. Along with the monitoring, what happens in the SIEM is you have to raise incidents. If there are any kind of security issues or breaches or people are trying to get into the system, you have to raise an incident ticket. You collect the event information from the systems. You'll be able to see if it's, for example, a machine or account, or an active directory outage. You can process that information using machine learning AI, and then raise incidents. It's basically helping a security operations center team (SOC). With the help of Azure Sentinel, we can build a SOC.

There are plenty of use cases. You have to cover your entire security environment. For example, a brute force attack against your Azure Portal. If someone is trying to guess your password, you will see the incident. When somebody puts four, five wrong passwords, and then a correct password, it could mean someone is trying to guess your password and you would see that. Basically, there are a lot of use cases, however, all of them revolve around monitoring security. Whenever something happens, we should get alerted or we can proactively assess our environment.

With Sentinel, you can also do the hunting. It'll try to identify if your environment is compromised with any kind of attack. In most cases, it'll try to protect your organization before this attack can happen. If somebody is trying to snoop in your environment, we can track him. Or if somebody is trying to guess your password, we can protect the password. If somebody is injecting the malware, we can identify and protect the organization.

The solution has improved functionality as most of the organization will be in the cloud. If an organization is already on the Azure cloud, then they don't have to go for any other solution for the SIEM. They can easily integrate Sentinel. Most of us are on the Microsoft products, so it's very easy to deploy this with the Microsoft products as well as to the other products. 

In terms of Sentinel, it's a best-in-class solution. The SIEM solution is hosted in the cloud. When you compare it with the other tools, the on-premises tools may not be that great.

The best piece about it is when it comes to the traditional SIEM solutions, it's very hard to manage them. First of all, licensing will be there. Then you need to manage underlying infrastructure as well. You also need a big setup. All these things aren't necessary with Sentinel due to the fact that it's on the cloud. You just get a cloud subscription and do a pay-as-you-go model.

The machine learning and artificial intelligence on offer are great. These are the things that happen in the background that we do not see. Whenever you have an incident, it will provide you with all the options so that you can drill down. For example, I have identified one incident where somebody was trying to do a brute-force attack. When this incident was generated, I had a lot of data with which I could start to investigate things.

It provides the best-in-class hunting capabilities. It's very easy to write the hunting logic. You have to write some searching queries. It's very easy to write those all queries and identify the test.

It'll give you the capabilities of automation. Azure is not only about security or infrastructure. It has a lot of programming features, functions, logic apps, and automation. You can easily integrate. If you can do a little bit more programming, then you can integrate it with functions or automation, or anything else.

There is a different tool for security postures. That's called Azure Security Center. From November, it's going to be called Azure Defender. This tool does not do posture management, however, it can integrate with Azure Security Center. There is also this XDR tool, Microsoft Defender. It can easily integrate it. Once you set up the integration between these tools, then you will have the advantage of both the tools. You will have a unified ticketing system where you can view the alerts from XDR and you can view the alerts from the posture management and from the SIEM.

Every month there are new features in Sentinel and the tools are stable. All the features and functionality that those tools provide are slowly coming to the Azure Sentinel as well. So it's improving a lot day by day. 

Initially, we had the data connector that could bring the data from any of the platforms that we wanted to monitor. Now, Microsoft has improved the solutions and they're providing a lot of options. While you can (and now have) almost all the functionalities that are needed for SIEM capabilities, it's still adapting to new things as well. 

Azure Sentinel will be directly competing with tools such as Splunk or Qradar. These are very established kinds of a product that have been around for the last seven, eight years or more. They have a lot of good things going for them and are slightly ahead of Microsoft, which is new to the game. However, Microsoft is adapting. Microsoft keeps working on its solutions and offers feature request platforms as well. We have given them a lot of feedback in terms of some customizations - and they keep adding to it. There are a lot of new things that are in the pipeline. In the next four to six months, we will see more new features which will further enhance the existing tools.

For example, there were some custom fields that were missing. We wanted to do mapping of the custom fields and this capability wasn't there in the Sentinel. However, when we requested it they implemented it.

I have been on Sentinel for the last two to two and a half years. Initially, I was just doing it for my own self-interest, however, for the last one and a half years, it's been more of a professional relationship and I've been working with it for customers.

The solution is quite stable. I have not seen any downtime so far. It is working for customers as well. It's good. It's on a cloud and therefore we need not worry about maintaining the databases or maintaining the platforms, or wherever the data is stored. It's all Microsoft's responsibility.

The scalability is a unique selling proposition for Sentinel. Due to the fact that it's on the cloud, you can scale it up to any limit. Of course, you have to pay for whatever data you are storing. As compared to an on-premises tool the sometimes they may fail to scale, however, this is great. You don't have to bring up a lot of hardware with Sentinel. 

This solution is being used quite extensively right now.

Whether or not the usage will increase depends on the pricing that comes up the more you use it. We have to pay for whatever data, telemetry, that gets into the Sentinel. For example, let's say today I collected 1GB of data, tomorrow I'm going to collect 5GB of data. Microsoft can easily hold this, however, then they also provide you with some kind of plans. You can reserve the space. You can say "I will use 100GB of data per month." Microsoft will give you a discount and you have to pay for the reserved 100GB. It is a pay-as-you-go model.

The solution is used by the development team, which sets it up, and then by the SOC team, which takes over and starts monitoring for security incidents.

Technical support depends on what kind of agreement you have with Microsoft. If you are a premier customer, under the top 100, then they can provide you with some direct connection with the Microsoft program managers. You can have a conversation with them once every two weeks. If you are not in the premier tier, if you are just directly buying it from Azure, then technical support, again, depends. There are two types of technical service. One is the professional and the second one is the premier. Premier support is good. Obviously, you will be paying extra for it. Professional support is not that great. Often, I'd rather not involve them. They will simply mess up things. It's better to just post your questions on the forums and try to get some answers from the experts.

I use all kinds of support. If you are working for a customer who has a very good rapport with Microsoft and they are their top Azure consumer, then they can do things for you. If you give them feedback and you are potentially a big customer for Sentinel, then they will try to adjust things according to your environment. However, if you are not, you are just using Sentinel, then it's okay. It all depends on how much money you are paying and how much business you are doing with Microsoft. 

If a customer is planning to buy Sentinel, then they should initially negotiate with Microsoft for premier support. They can ask for 100 hours of premier support or the fast-track service. You can initially negotiate for a situation where, if some technical issues arise, then you will only work with premier support, and you can reserve your 100 or so hours for that. 

Initially, it's better to agree in advance with Microsoft that you will be needing X number of technical support or the fast-track service or engagement with the Sentinel development team.

I did not use a different solution. I'm from the Azure Log Analytics Monitoring part. I came from that side.

We directly jumped into Sentinel. I've heard that people are doing migrations from Splunk. That's the number one tool that's available for SIEM. However, I directly started from Sentinel.

The initial setup is very easy. You just need some basic knowledge of the monitoring platform called Azure Log Analytics. If you have the knowledge of Azure Log Analytics, then you can easily set up this.

If you just want to set up over the Azure Portal, then it will hardly take 15 to 20 minutes to deploy. Of course, this is not the final setup. The final setup is when you will be connecting it with different sources. For example, if you have 100 machines, you will have 100 Linux machines, you will have routers and switches too. Everything you want to monitor needs to be there. You have to implement these all solutions one by one as per your requirement. If your requirement is you will want Linux machine monitoring, you want firewall monitor, then it can take time, however, it is pretty easy to accomplish.

The pricing model is good. Microsoft does the reservations as well. Perfect planning is needed, as, once you reserve the space, you can save up to 30% or 40% of the cost. If you are not doing good planning, then it'll cost you a lot. However, from a costing point of view, it's fair and comparatively low. It's not a costly service.

I'm not the decision-maker. I was mostly from the Azure Log Analytics Monitoring background, however, when this was released, even the Microsoft CEO and CTO were touting its abilities. Initially, I looked at it for self-interest, and then we thought of implementing it for our labs, and then we found it fruitful. Then we started getting Sentinel projects. 

I'm a consultant and service provider.

It's hosted on a cloud. There is nothing like versioning or anything. It's just software as a service.

I would rate the solution at around eight out of ten. When we do the migration, there are still few people who are used to it. Not many have hands-on experience. Sometimes we struggle in maintaining gaps.

I'm into monitoring and deploying. When an incident occurs in Sentinel, we try to triage it then investigate it, then we try to gather more details about it through other blades in Sentinel. We try to gather more information about the IP address, and user details from the Sentinel itself, as well as Active Directory. 

They have good playbooks or logic apps to take action on behalf of the user. They're automated actions that we configure for when a particular condition occurs. It reduces human effort a lot and performs tasks on its own. 

There is an option wherein we can add multiple usernames or any details in multiple numbers, and we can just use that instead of manually adding all the names.

When it comes to threats, every environment is different, and the data connectors are different. So it depends on what data connectors are configured to your environment. It could be specific to that. However, Sentinel is a pretty good product. It does threat detection very well. Depending on the user, and how he configures it, Sentinel will do a good job in delivering the output.

We already have priority-based use cases which we set during the creation of any use cases for any threat detection. It also allows us to change the priority whenever a threat occurs. Currently, in the environment in which I am working, we don't manually change the severity or the priority whenever the threat occurs. We will deal with it in its original form. However, it could be a good feature for us to use and also very helpful to set the priority level whenever it is necessary. 

There is a specific incident blade that we can respond from. Or we have log analytics in Sentinel in which we can do threat hunting. We have various ways to gain visibility.

Threat intelligence is under development. It's not completely ready, however, it is a very good feature and can find multiple threats. It's completely managed by Micorosft. So far, it's a very good feature. 

The UI of Sentinel is very good and easy to use, even for beginners. 

It's very easy to deploy a new use case. We can create them very easily. Adding connectors is simple. 

The preview mode is good. Sometimes it helps us pick up on malicious threats. It can sometimes provide false positives as well. For the most part, we can deal with it; it's good. That said, it's a work in progress. 

There are good guides that allow us to easily add new features to our environment. 

Workbooks allow us to display charts and help us provide very useful visuals. 

Automation is very good.

The solution has helped us to save time. 

I'm aware that we can have one centralized dashboard. We can view multiple dashboards in one central place. We can merge all tables and visualizations into one single pane of glass. It's easy to configure. However, we do not really work with a consolidated dashboard. We have a few for the reports. 

The solution has decreased the time to detection and time to respond via custom use cases. However, I cannot quantify the exact amount of time saved. On average, it saves 30 to 40 minutes a day. 

We're satisfied with the comprehensiveness of the security protection. That said, we do have issues sometimes where there have been global outages and we need to raise a ticket with Microsoft. Those have become repetitive and happen more often. Still, there are many choices and features, which is useful.

There are some false positives.

When an incident occurs, it will just be displayed on your screen. However, if they had some sort of sound or tone to alert the analyst, that would be ideal. It would help them notice when something is triggered. 

I've been using the solution for two years and five months. 

There are no issues or outages. It's 90% to 95% stable. 

Our environment is mostly in Europe and there are multiple end-users.

Since this is just monitoring and threat detection, it can scale well. We can add new servers and increase the amount of logs flowing into Sentinel easily. There's no issue with that. 

Microsoft is quick to respond depending on the severity of the ticket. It's usually fixed within two to three hours maximum. The tech support understands the product well. 

Positive

I have not used any other products.

The maintenance is minimal. If there is a global issue, we'd have to raise a ticket with Microsoft. 

I'm not aware of the exact costs involved. 

I did not evaluate other options before using this solution. 

We do not use more than one Microsoft security product. We don't work with Defender, for example. 

We do not yet use it to ingest data from the rest of our ecosystem. We have seven to ten people that work directly with the product.

This is a good tool with a lot of good features. 

I'd recommend the product. The UI is good which makes it simple for new users. It will make it easy to train new engineers.

It's important to go with a best-in-breed rather than a single vendor. If there is any issue with the monitoring with one solution, it's good to have a backup option that might pick up what the other could miss. Having more than one solution - and different vendor options - allows you to have an "option B".

I'd rate the solution seven out of ten. There are still a lot of improvements that can be done.