Chief System Engineer
A straightforward setup that can simply integrate with other Microsoft solutions and is easily scalable
Pros and Cons
- "The most valuable features in my experience are the UEBA, LDAP, the threat scheduler, and integration with third-party straight perform like the MISP."
- "The product can be improved by reducing the cost to use AI machine learning."
What is our primary use case?
Our customers primarily use the solution to monitor their infrastructure locally. Some of our customers want to monitor logs to find abnormal instances, so they use Microsoft Sentinel to identify threats or identify what is happening in their infrastructure.
How has it helped my organization?
Microsoft Sentinel is easy to use compared to some third-party solutions. For example, if we want to get a log using a lot of the third-party solutions, it is very difficult because we have to configure it. But in Microsoft Sentinel, if you want to get a log, you just click next, next, next, and see the log. It's straightforward to use the solution. Microsoft Sentinel is on the cloud, so we don't need to maintain a lot of the OS issues we have with other products. Sometimes a SIEM has problems that require a lot of maintenance to resolve the OS issues, and that takes a lot of time to deal with, but the Microsoft Sentinel benefit is that you're on the cloud. We don't have to spend time dealing with OS issues. We can use that time to focus on critical incidents.
What is most valuable?
The most valuable features in my experience are the UEBA, LDAP, the threat scheduler, and integration with third-party straight perform like the MISP.
What needs improvement?
The product can be improved by reducing the cost to use AI machine learning. In my experience in Taiwan, if you want to use Microsoft machine learning for Microsoft Sentinel, the cost is high. The high cost keeps customers from using the feature.
Currently, I think that the customized log can be improved because I checked some documents, and Microsoft Sentinel can only customize some file logs. If some logs are in a database or some user Syslog, I want all the events to be supported in Microsoft Sentinel. I can't choose to parse the log. I hope Microsoft Sentinel can support more and more different event types for customization. The solution ends up passing a lot of the logs.
Buyer's Guide
Microsoft Sentinel
October 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
814,649 professionals have used our research since 2012.
For how long have I used the solution?
I have been using Microsoft Sentinel for 13 months.
What do I think about the stability of the solution?
The solution is very stable.
What do I think about the scalability of the solution?
The solution is easy to scale.
How are customer service and support?
Technical support uses a ticket system. We just use the portal, and I can open a ticket for them, and they will respond back to us. The technical support team is very good; they solve a lot of the issues for us, or help us solve a lot of issues, but sometimes the issues can be more complicated and they cannot help us. If I submit a complicated ticket to technical support and they still don't know how to resolve it, we are required to use premium support, and that option comes with an additional fee. If you have less complicated issues, free technical support can resolve the ticket, but with more complex tickets you need to use the premium service.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup is very easy; we just choose where to create, and then next, done, finished. Very easy. The deployment took less than five minutes and only required one person.
What about the implementation team?
The implementation was completed in-house on my own. I just studied Microsoft documents and trained myself. If I still don't know something, I open a ticket to Microsoft to get some help.
What's my experience with pricing, setup cost, and licensing?
The solution is expensive and there is a daily usage fee.
What other advice do I have?
I give the solution an eight out of ten.
I am a third-party user of the solution, but if I were an outside user of Microsoft Sentinel, I would really like it because they have a lot of the functions that others don't have, things like the UEBA and intelligence from Microsoft. Microsoft has already studied a lot of threat intelligence, and they have the capability to help us detect what kind of content will match Microsoft intelligence. I like this, and it also has a lot of AI machine learning. This will help me to review or learn easily. I hope this product will help me with a lot of things.
The solution states that it provides good visibility into threats by identifying vulnerabilities. I'm not clear on the vulnerability feature. I am not sure if most customers are familiar with the feature. I believe the feature is used to detect a lot of threats, but what kind of vulnerability? I am still not familiar with the feature.
I think, because our enterprise has a lot of different Standard Operating Procedures, it depends on the customer. For example, the solution helps detect ransomware, and that helps the organization prioritize dealing with the ransomware situation above other threats.
We have one customer that has implemented Microsoft Security E5. That means they also have Microsoft Defender 365. They use this to detect their infrastructure and their endpoints as well as if they have a SaaS platform they can monitor abnormal behavior.
I have integrated Microsoft Sentinel and Microsoft Defender 365, and they are very easy to integrate. They also have a correlate function and they have rules called Fusion. This Fusion function helps us investigate the correlation between the products.
Because my job is to help the customer integrate, I don't know how well the solutions work together to deliver detection and response for our customers. I am not involved once the solutions are deployed.
In Taiwan, we don't have customers that use Microsoft Defender for Cloud but I use it in my lab.
Some of our customers have additional solutions that are not Microsoft. I have some customers who have some data from the Microsoft device, from Windows and maybe events, and others that are not Microsoft products. The customers use their own on-premise, third-party products and buy their solutions. Hence, it is difficult to say if Microsoft Sentinel enables us to ingest data from the whole enterprise.
You can investigate the threats and respond from one place using Microsoft Sentinel. We should report correlation too. It's effortless to investigate responses in Microsoft Sentinel.
In Taiwan, we don't believe in automating routine tasks. There are a lot of things we still do manually and are not using the automated function of Microsoft Sentinel except to send mail.
With Microsoft Sentinel, we use one unified dashboard that is very easy.
We don't use the threat intelligence from Microsoft Sentinel because it is not public, so when a threat is detected that matches the Microsoft database threat intelligence, they only send us an alert, but they don't provide the content inside. Instead, we use open-source threat intelligence and integrated it into the solution.
Using Microsoft Sentinel has reduced the time spent per incident from three hours to one and a half to two hours.
The solution has not saved any money because it is still expensive. We have a large customer demand but all the vendors are as expensive as Microsoft Sentinel. I think they are very expensive. The solution has a daily usage charge.
Depending on the rule being used, the solution can save us time in detecting incidents or threats. I can say we just use the default; sometimes it's very long and doesn't really take a lot of time. We get the result to tell me, "Oh. You have an incident happen." But I still don't know why Microsoft usually misses the threats. I still don't know why they design it like this, because I have had some instances in my past experience where the rule is that if a threat is detected, we must immediately alert first. Perhaps the detection module for Microsoft Sentinel is old. It starts to already alert us, and that is a default rule. So, I still don't know why Microsoft Sentinel was created like this. I still don't understand. If you use UEBA to detect some threats in some abnormal behavior, it's very fast, but if you use the scheduler to detect a lot, sometimes it takes a long time.
In my experience, everything is working and the solution doesn't have any bugs.
The solution is only released on the cloud on Azure. You can't deploy the solution on-premise.
Currently, I only deploy in a single environment. I don't have another environment because almost all our customers use a single environment. Perhaps in the future, they will add another cloud that will use Microsoft Sentinel. That is a very long time in the future. In my experience, the solution is used only in a single environment. We have two people in our organization that use the solution and four to five large customers.
Since Microsoft Sentinel is cloud-based it updates automatically and requires no maintenance from our end.
I think I'm more likely to use a single vendor over using a best-of-breed strategy because a single vendor integrates all of the things together. I don't need to customize. Trend Micro doesn't understand Microsoft products, and Microsoft products don't know Trend Micro products. If I choose to use a single solution, that means they will handle all of those things. I don't need to use or take the time to customize some functions. I don't need to do that. I prefer to use a single vendor.
If a customer is already using a lot of Microsoft solutions I would recommend Microsoft Sentinel because it is very easy to integrate, but if a customer is using multiple different third-party security solutions I would not recommend Microsoft Sentinel because it will take more time to integrate it and check everything.
Which deployment model are you using for this solution?
Private Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
CS engineer at AYACOM
Comes with the SOAR capability, integrates with Azure AD and other Microsoft solutions, and is easy to deploy
Pros and Cons
- "The best functionality that you can get from Azure Sentinel is the SOAR capability. So, you can estimate any type of activity, such as when an alert was triggered or an incident was found."
- "It would be good to have some connectors for third-party SIEM solutions. Many customers are struggling with the integration of Azure Sentinel with their on-premise SIEM. Microsoft is changing the log structure many times a year, which can corrupt a custom integration. It would be good to have some connectors developed by Microsoft or supply vendors, but they are not providing such functionality or tools."
What is our primary use case?
We are using mixed solutions. We are currently working with IBM solutions and Azure system services. We are using two SIEM solutions: Azure Sentinel and QRadar. Azure Sentinel is covering our cloud-based solutions, and QRadar is covering our on-premise solutions.
What is most valuable?
The best functionality that you can get from Azure Sentinel is the SOAR capability. So, you can estimate any type of activity, such as when an alert was triggered or an incident was found.
It integrates with Azure AD, Power BI, and other Microsoft solutions. It is very good in our view.
What needs improvement?
It would be good to have some connectors for third-party SIEM solutions. Many customers are struggling with the integration of Azure Sentinel with their on-premise SIEM. Microsoft is changing the log structure many times a year, which can corrupt a custom integration. It would be good to have some connectors developed by Microsoft or supply vendors, but they are not providing such functionality or tools.
It can be expensive for customers. Currently, we are not using Sentinel to collect logs from on-premise devices. The main reason for that is the budget because you need to pay for the internet traffic. You also need to calculate how much you can upload to the Azure site.
For how long have I used the solution?
I have been using this solution for one year.
What do I think about the stability of the solution?
It is stable, but it is also related to your country. I'm working in Kazakhstan, and sometimes, we have some problems with the internet connection at the government level. Sometimes, for some reason, which could also be political, they disable the internet connection, and we lose the connection to the Azure environment. It might be good for our country to have a private link to the Azure cloud environment to avoid such cases.
How are customer service and support?
We have a lot of Microsoft partners who are helping us. Therefore, support is not a problem for us.
Which solution did I use previously and why did I switch?
We have QRadar for our on-premise solutions. QRadar has a lot of connectors out of the box. It has a lot of predefined and pre-deployed connectors that you can use.
QRadar also has a lot of good correlation rules. From a customer's point of view, it is one of the best solutions because you don't need to create correlation rules from scratch. You just review them and customize them as you want.
QRadar supports using SQL queries. Sentinel uses KQL, but you need to learn it from scratch.
QRadar doesn't have a SOAR system by default. You need to purchase it additionally, which is the main problem with QRadar.
How was the initial setup?
It was easy.
What about the implementation team?
We had some introduction to the system from a Microsoft Partner, but most of the analytics and playbooks were created by us.
What's my experience with pricing, setup cost, and licensing?
For us, it is not expensive at this time, but if we start to collect all logs from our on-premise SIEM solutions, it will cost more than QRadar. If we calculate its cost over the next five or ten years, it will cost more than what we paid for QRadar.
What other advice do I have?
Microsoft is proposing an identity management solution for Azure Active Directory systems and the Azure Cloud system, but we need an on-premise solution that can help us achieve the same with, for example, IBM. I know that Microsoft has a cloud-based solution, and previously, Microsoft provided an on-premise solution, but it is deprecated or no longer supported. It will be good to have such a service on-premises.
I would rate it an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: partner
Technical Lead at a tech services company with 11-50 employees
It provides excellent threat visibility, enabling us to dig deep
Pros and Cons
- "The ability of all these solutions to work together natively is essential. We have an Azure subscription, including Log Analytics. This feature automatically acts as one of the security baselines and detects recommendations because it also integrates with Defender. We can pull the sysadmin logs from Azure. It's all seamless and native."
- "Microsoft Defender has a built-in threat expert option that enables you to contact an expert. That feature isn't available in Sentinel because it's a huge product that integrates all the technologies. I would like Microsoft to add the threat expert option so we can contact them. There are a few other features, like threat assessment that the PG team is working on. I expect them to release this feature in the next quarter."
What is our primary use case?
I support Microsoft Sentinel as a Microsoft partner. We work on various scenarios, such as emails and data connectors. I support licenses by helping them enroll and advising them on the prerequisites they need to meet. I show them how to get started with Microsoft Sentinel.
I'm the technical lead for Microsoft, so I've worked on several Microsoft security products, including Sentinel, Cloud App Security, Defender, Azure Information Protection, and Azure Key Vault. These are now my significant areas. It wasn't easy to integrate Sentinel with other products initially, but we had a smooth experience once the data connectors and everything were in place.
We are from the support team, so we operate in multiple environments depending on the use case. It works smoothly in every environment, including hybrid ones.
How has it helped my organization?
I've seen scenarios where the customer's security score was at 60, but we managed to increase it to 80 or 90 based on the recommendations from Sentinel. We use Sentinel to investigate the activity logs and address the issues. The security score increases once we fix those.
The benefit Sentinel provides depends on the organization and how they have recruited engineering staff. If the engineers can maintain two or three products, then it's easy for them, but it hasn't reduced any difficulty from my perspective.
Sentinel saved us time. When this product was introduced, many customers used other SIEM and SOAR technologies separately. Now that we have Sentinel in place, customers only need to learn how to use this product, so it's 50% to 60% more efficient. It's also more cost-effective because you aren't paying separately for those security components. Sentinel is all-inclusive.
Sentinel integrates seamlessly with Azure platform services, making it more reliable and cost-effective. I can't say with certainty because it's outside my department, but my best guess is that Sentinel can reduce costs by about 30% to 40%. I would also estimate that it reduces our response time by roughly that amount.
The bidirectional sync capabilities ingest the data and show us alerts that help us prioritize our policy settings and secure our environment. Once we ingest the IP address, we can monitor the network traffic. It ingests everything from the IP address to the applications we use at the cloud level. Having every event, alert, and output from Log Analytics integrated into one platform is essential. We can ingest everything using the syslogs and data connectors. For example, I'm using Windows Server 2016. It will send the data to the cloud, and Microsoft Sentinel pulls it from there. It removes the sysadmin logs and the other logs, so we can easily see the DDoS attacks and other threats.
It ingests the networking stuff and other things, too. It collects everything the company needs to secure the data from data engineers, Log Analytics engineers, information production engineers, etc. It ingests data from everywhere and stores it in one place. You can pull whatever data you need.
What is most valuable?
A security product must be integrated with multiple other technologies like SIEM and SOAR to give you the best results and analyze user behavior. Sentinel uses connectors to integrate all Azure products and third-party security tools.
Sentinel provides excellent threat visibility, enabling us to dig deep. It directly connects to Azure Log Analytics, allowing us to do research and pull logs. It uses SOAR intelligence to detect and fix issues using AI and machine learning algorithms.
The ability of all these solutions to work together natively is essential. We have an Azure subscription, including Log Analytics. This feature automatically acts as one of the security baselines and detects recommendations because it also integrates with Defender. We can pull the sysadmin logs from Azure. It's all seamless and native.
Everything shares a common database so that every product can be integrated depending on your enterprise licenses. Microsoft is effortless from a customer's perspective. You get a wide range of features with one license, including threat detection, information protection, infrastructure solutions, and endpoint protection. One or two enterprise licenses cover everything.
Sentinel is an excellent product with multiple dashboards if you want to look at something specific. It also has a centralized dashboard for everything if you want to see the overview of what's essential. I use multiple dashboards because it's easier for us as support team members.
What needs improvement?
Microsoft Defender has a built-in threat expert option that enables you to contact an expert. That feature isn't available in Sentinel because it's a huge product that integrates all the technologies. I would like Microsoft to add the threat expert option so we can contact them. There are a few other features, like threat assessment that the PG team is working on. I expect them to release this feature in the next quarter.
For how long have I used the solution?
I have been using Microsoft Sentinel for two-and-a-half years.
What do I think about the stability of the solution?
Sentinel is stable.
How are customer service and support?
I rate Microsoft technical support nine out of 10.
How would you rate customer service and support?
Positive
How was the initial setup?
Setting up Microsoft Sentinel is straightforward because it's a cloud platform. You can install it with a few clicks. It isn't like the on-premises solutions we have used in the past, where you need to spend a couple of hours. You can deploy Sentinel with one person in around five minutes if you have all the resources, permissions, and rules.
Like all products, Sentinel requires some maintenance. There are planned and unplanned outages. Depending on when Microsoft releases the updates, it can be challenging, but they usually notify us ahead of time.
What was our ROI?
Microsoft offers the best value from a customer perspective. With a small amount of money, customers can take advantage of an array of technologies because everything is connected from the Microsoft perspective. The return on investment is massive. You don't need to recruit multiple engineers. One engineer who is familiar with Microsoft products can manage the solution.
What's my experience with pricing, setup cost, and licensing?
I think Sentinel's pricing is reasonable. It's more reliable if it can integrate with other enterprise technologies, so you have to pay for that. We have to consider the size of the organization. We might shift to other security products for a smaller company. Given the reliability of Microsoft support, Sentinel is cost-effective.
Sentinel is one of the best products compared to other SIEM solutions like CyberArk. Microsoft's market share is enormous, and they have surpassed AWS, so more companies are adopting Sentinel. A company can centralize everything with Sentinel, and that's great from a cost perspective.
What other advice do I have?
I rate Microsoft Sentinel nine out of 10. I see a few areas of improvement, but they are already working on implementing these features. If someone asked me whether I would recommend an a la carte approach using the best-in-breed solutions or an all-in-one integrated package from a single vendor, I would say that both approaches have advantages. However, I think it's good to hand everything over to the vendor. A vendor will take the sole responsibility and do the work for you.
I also recommend becoming an expert in Microsoft Sentinel because it has a bright future. You can earn a decent salary once you have hands-on experience with this product. Sentinel is not well known, but I think it will have 60 to 70 percent of the market share.
Which deployment model are you using for this solution?
Hybrid Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Integrator, Microsoft Security Advisor at a tech consulting company with 5,001-10,000 employees
Easy to integrate, offers good documentation, and the setup is simple
Pros and Cons
- "The main benefit is the ease of integration."
- "When it comes to ingesting Azure native log sources, some of the log sources are specific to the subscription, and it is not always very clear."
What is our primary use case?
The usual use cases would be starting from scratch, implementing Sentinel for clients, onboarding log sources, building analytical use case rules, and supporting the platform for operations.
How has it helped my organization?
The main benefit is the ease of integration. Having a cloud-based SIEM means scalability. We also received very good support and documentation from the vendor.
What is most valuable?
All of the features are great. In fact, when they add new features they are always valuable and interesting. There are so many features on offer.
I really appreciate that it is very well documented.
I also use Defender 365, including Defender for Endpoint. It's easy to integrate with Sentinel. In two clicks we can integrate them together.
I have experience with Defender for Cloud. I'm actually getting into the Center for Cloud right now, so I'm just learning about it.
Sentinel enables us to ingest data from our entire ecosystem.
It's important to have data visibility for our security operations. Sentinel enables us to investigate the threats and respond from one place. That is very important for operations. We need to be able to easily look and have visibility over what's happening.
Sentinel enabled us to automate routine tasks. It helps us automate the handling of trivial tasks related to alerts.
With the solution, we no longer have to look at multiple dashboards. I wouldn't say it has completely eliminated looking at different dashboards. As it stands right now, there are two dashboards that we will have to look at. One is Sentinel, and the other one is a ticketing system.
Compared to what's being used, it's saved us some time overall. The ease of use and the clear documentation are helpful in that regard. Someone who doesn't know how to use it can easily go in and find out.
What needs improvement?
When it comes to ingesting Azure native log sources, some of the log sources are specific to the subscription, and it is not always very clear. Sometimes, if the individual doesn't know what they are doing, they might enable it only on one subscription and not on everything that they need to monitor.
For how long have I used the solution?
I've used the solution for two and a half years.
What do I think about the stability of the solution?
I haven't experienced any stability issues. I've experienced 100% uptime.
What do I think about the scalability of the solution?
I've never seen it scale up or down. If necessary, it likely happens in the background. It's not visible to clients, however, I haven't noticed any issues.
How are customer service and support?
My experience with technical support is good. It was an excellent experience. They were very, very responsive to the questions that we had. If they were not able to answer on the spot, during the call, they took it back and discussed the issue with their team. Getting an answer was fairly fast. Overall, I've had a good experience with support and I can't complain.
I'd like them even more if I was able to request support on behalf of clients without having to actually access the client's Azure or having to identify the client's tenants.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I've used Splunk, ArcSight, and QRadar. Sentinel is excellent compared to those solutions. It could always be easier, however, it's pretty much there.
How was the initial setup?
I was involved in the solution's deployment. The cloud deployment takes five minutes and is very easy. The on-premise portion on the other hand, when I first did it a year and a half ago, was a little bit more complex since it involved a lot of customization. However, now it's more streamlined.
There is no maintenance necessary. It's a managed service. There's no patching of any sort. The on-premises components may require a little bit of maintenance every now and then if they need a patch or upgrade. If there are any changes in the environment they would have to be reflected in the configurations.
What about the implementation team?
I handled the implementation myself.
What's my experience with pricing, setup cost, and licensing?
I know the price, however, I don't know how it compares with other SIEM solutions. I don't have that visibility. I overheard not too long ago that Sentinel is on the expensive side. However, there are some capabilities that are fairly new that Sentinel offers to lower the cost.
What other advice do I have?
I'd rate the solution a nine out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
Technical Lead at a manufacturing company with 10,001+ employees
Powerful, with great performance and a seamless user experience
Pros and Cons
- "It's pretty powerful and its performance is pretty good."
- "If their UI was a bit more streamlined and easy to find when I need it, then that would be a great improvement."
What is our primary use case?
We primarily use many Microsoft products, including Microsoft 365 with a focus on the security aspect. We have Defender for endpoints and Defender for servers. We also use Azure Sentinel with these.
How has it helped my organization?
This product has improved the way our organization functions. I won't be able to provide exact metrics as I don't directly work with metrics, however, from an improvement perspective, it is just a more streamlined deployment.
We also use Intune as part of the MDM. If there are any agents that need to be deployed, then we can use that or we can just configure Windows from MDM directly. A lot of things can be just set up out-of-the-box and are ready to go and it sends logs right to Azure Sentinel. Therefore, while I don't have hard numbers, it's definitely made deployments easier and is much less time-intensive for our organization.
What is most valuable?
Coming from other SIEM solutions, Sentinel seems to be pretty good.
It's pretty powerful and its performance is good.
The most powerful aspect is the whole integration with the Microsoft ecosystem. If you have the Microsoft 365 subscription, E5, then it integrates pretty seamlessly with everything you're trying to do.
You obviously have connectors with other third-party, non-Microsoft stuff as well. They have pretty good integration with those.
Azure Sentinel has a lot of built-in analytics rules, that help us get started in terms of triggering anomalous activity. In terms of performance, they're pretty fast. I've used QRadar and Splunk. Compared to Azure Sentinel those are pretty slow. Some searches in Sentinel are pretty instantaneous. For bigger searches, it's a very noticeable and impressive turnaround.
There are a lot of features that I don't touch just because I'm in the SOC. That said, I know customers have deployed different items that are quite useful.
The end-user experience is good. It's just pretty seamless. When I was onboarded, it was just a simple download and then a sign-in to my account. It'll basically configure everything for you and download the necessary stuff that the company has defined - including Defender, et cetera.
What needs improvement?
Microsoft needs to stop renaming their stuff. A lot of their products are very confusing due to the names they choose. The first time I heard of Defender I assumed it's just their antivirus, anti-malware, or a package that covers those things. However, there's Defender, Windows Defender, and then there's Defender for Endpoint, and there's also Defender for servers, et cetera. That really needs to be streamlined. As far as Defender's concerned, they want just a protective device. The differences are confusing.
Maybe it's a transitional choice, however, they've been doing a lot of migrations to a new portal in the security center or office privacy center. There's a bunch of portals where some things are repeated or duplicated. You have the same features in the portals, yet, in some cases, there are some things that you have to go to one portal and not the other, as it hasn't been migrated or the feature is just not there.
If their UI was a bit more streamlined and easy to find when I need it, then that would be a great improvement.
For how long have I used the solution?
I've been using the solution for one year.
What do I think about the stability of the solution?
The stability is pretty good. However, there is one flaw. We did have an issue where Microsoft had some issues with some components that caused issues with their cloud. It might have been an authentication issue or something like that, however, it basically took down everything. We weren't able to work. While integration is good if something comes from one vendor and if that vendor goes down, then everyone is pretty unhappy.
What do I think about the scalability of the solution?
While at my previous organization we had about 50 or 60 users, as a small company, we had customers that could have users in the thousands.
I didn't notice any scalability issues, and therefore I assume it's quite good. With respect to Azure Sentinel, I've never had an issue.
As far as I know, we're using pretty much everything that Microsoft has from a security perspective. I don't know how we can expand anymore.
How are customer service and support?
I've never had to call technical support or reach out to technical support; therefore, I can't speak to how they operate.
Which solution did I use previously and why did I switch?
I've previously used SentinelOne for endpoints and antimalware, et cetera, and Splunk for the SIEM.
How was the initial setup?
I was specifically working in SOC; I was more responsible for the day-to-day operations. Unfortunately, I cannot speak to the deployment so much. I would not have information on the implementation strategy, for example.
What about the implementation team?
We handled the deployment internally.
What's my experience with pricing, setup cost, and licensing?
I was in the SOC. I don't deal directly with that pricing. They do have multiple licensing levels. It's just about knowing what you need. One good thing about Microsoft is that they do have quite a few options depending on your needs. That said, sometimes it could be hard to pick because there are so many.
As an organization, you need to understand the company's needs. For example, if you don't have a security team to look at your alerts or to set up all the stuff, then you probably don't need some of their most expensive services. You need to purchase the subscriptions accordingly if you're able to leverage them.
They have premium and enterprise subscription levels. I don't know what the standard would be. They have E3 and E5 level licensing. I don't know off the top of my head the differences, however, E5 likely has more security features. Companies need to be aware of all the differences.
Which other solutions did I evaluate?
I was not part of any evaluation process. I came to the company afterward.
What other advice do I have?
I'm not sure which version of the solution we're on. We have another team that does the deployment and they would take care of the versioning, et cetera, however, we usually run the latest.
Microsoft makes Windows. They know their stuff. Having everything streamlined can be time-saving. It's good to have an integrated system rather than using something else. You don't need to jump through a lot of hoops or install additional software in order to get everything up and running.
I'd rate the solution at an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Cloud and Security Transformation Specialist at Comtact
Offers advanced threat-hunting, improves security posture, and is very scalable
Pros and Cons
- "The solution has features that helped improve the security posture of our clients. It provides the ability to correlate a large variety of log sources very cost-effectively, especially for Microsoft sources."
- "We do see continuous improvement all the time, however, I haven't got a specific feature that is lacking or not well designed."
What is our primary use case?
I work with Azure Sentinel from a commercial perspective. We use Azure Sentinel to provide services to our customers. We use it as a security analytics platform for our customer base.
How has it helped my organization?
About half of our customers that are using it have migrated from an alternative solution, and half of them are using it for the first time or using something like this for the first time. It enabled customers that previously found it difficult to justify the cost of a security-analytics platform to actually deploy one without enormous upfront costs. It’s been cost-effective and it's pay-as-you-go.
What is most valuable?
Its capability in the advanced threat-hunting area is its most valuable aspect.
The solution has features that helped improve the security posture of our clients. It provides the ability to correlate a large variety of log sources very cost-effectively, especially for Microsoft sources.
While the solution has affected our client’s security posture, it’s difficult to give a concise answer to how. All customers that have deployed our Azure-Sentinel-based services have quickly found situations that they weren't already aware of and therefore have been able to take appropriate action. They feel much more confident that potential threats will be discovered in a more timely fashion.
Sentinel affected the end-user experience, in that we get visibility of much more useful data in an easy-to-digest format that provides easy-to-understand value.
What needs improvement?
It is difficult for me to give a straight answer as to what needs improvement, being that I'm not one of the hands-on users. What we do find is that Microsoft is continuously introducing improvements to the platform. We do see continuous improvement all the time, however, I haven't got a specific feature that is lacking or not well designed.
For how long have I used the solution?
I've been using the solution for about one year.
What do I think about the stability of the solution?
I've not been aware of any issues or outages that we've experienced with it. We've been very pleased in that respect. There is nothing negative to report in that area.
What do I think about the scalability of the solution?
Scalability is one of the product's big strengths and one of the reasons that we are migrating. One of the issues with traditional platforms is that generally speaking, you have to be very careful sizing them, otherwise, if you undersize it, you're going to have expensive upgrade requirements, particularly if it's an on-premise solution. On the other hand, if you oversize it, you'll be paying too much. Whereas, with Azure Sentinel, it's pay-as-you-go. You don't really concern yourself too much with sizing, apart from budgeting for it. If you just size it for what you need today, and tomorrow, if you need more, it scales at cloud scale. It's one of its big strengths.
How are customer service and support?
Dealing with technical support is not something I do directly. I don't know specifically anything about it, although it's likely that our team has dealt with them in the past.
Which solution did I use previously and why did I switch?
The solutions that I've had personal experience with are AlienVault, Splunk, LogRhythm, and QRadar. I'm sure there's at least one other main one, however, they're the main ones I'm familiar with. We've seen migrations from quite a lot of different traditional platforms.
How was the initial setup?
The initial setup is reasonably straightforward, however, previous experience is very useful, which is why we offer to assist with setup. If customers are looking to do it themselves, it would probably be sensible to work with a partner who has previous experience to be able to deliver the value quickly and not waste time going down a dead end. That said, it's reasonably easy. I don't consider it a difficult platform to deploy.
We usually follow a specific implementation or deployment strategy. The first steps would include a thorough analysis of the clients' environment, understanding from them where the valuable log sources are, and making sure that we fine-tune the system to, again, only be including valuable, relevant information, not a whole load of noise.
There isn't really much maintenance required. Microsoft maintains the platform. What we do, or what a customer will do if they're managing it themselves, is just manage it for their requirements. Maintenance is not an issue, as Microsoft provides that as part of the platform.
What about the implementation team?
We offer a range of services around Azure Sentinel. There are two main ones. Either we help a customer deploy and configure Azure Sentinel, which they then might manage themselves. However, for most of our customers, we actually provide a complete 24/7 managed service for it. This is due to the fact that the market that we target, which is typically medium-size organizations, would find it difficult to be able to justify the cost of setting up a 24/7 operation for this. We do the 24/7 bit and work as a partner providing the security services.
What was our ROI?
I don't have any specific numbers; however, we've seen that customers who have switched from previous solutions have said that the ROI on this has been much quicker, within a couple of months, basically, due to the fact that there is no massive upfront investment. It's pay-as-you-go. We've seen a quick and impressive ROI.
Which other solutions did I evaluate?
I haven't personally evaluated any other solution, although chances are members of my team have.
What other advice do I have?
We are independent, however, we are a Microsoft gold partner. They supply us with the technology and we help customers use it. There's a relationship. That said, our company is not part of Microsoft or anything like that.
I would not necessarily call Azure Sentinel a SaaS solution, however, I suppose it is in a way as it's all provided as a service by Microsoft. PaaS might be the best way of describing it.
The one thing I would advise new users is to make sure that Azure Sentinel is on the list of platforms to evaluate, particularly if they are heavy Microsoft users. By that, I mean Azure and Microsoft 365. Obviously, pretty much everyone's on Microsoft 365; however, particularly if a user is a heavy Azure user, then they should find the proposition pretty compelling.
I'd rate the solution at a nine out of ten. We've been very impressed with it, and customers that have gone in this direction have been as well.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Cyber Security Specialist at TechForce Cyber
Cloud-based solution streamlines incident response with powerful query language
Pros and Cons
- "The query language of Microsoft Sentinel is easy to understand and use."
- "The pricing could be improved."
What is our primary use case?
The primary use case of Microsoft Sentinel is for user and entity behaviors, detecting unauthorized access to services, identifying malicious IP addresses, and preventing brute force attacks on services. These are generic security use cases.
How has it helped my organization?
The AI-driven analytics of Microsoft Sentinel have significantly improved our customers' incident detection and response. It reduces the workload and decreases the number of tickets and incidents to triage.
What is most valuable?
The query language of Microsoft Sentinel is easy to understand and use. It allows querying across numerous agents quickly and efficiently. Being cloud-based, it does not require much hardware to utilize.
What needs improvement?
While I have not used Microsoft Sentinel extensively to suggest specific improvements, there is always room for improvement. The pricing could be improved, as it is considered quite expensive, especially considering the costs for workspace, Sentinel, and storage.
For how long have I used the solution?
I have been working with Microsoft Sentinel for a good three years.
What do I think about the stability of the solution?
The stability of Microsoft Sentinel is rated ten out of ten. It is considered highly stable.
What do I think about the scalability of the solution?
Microsoft Sentinel is very scalable because it is a cloud service and does not rely on our own resources. It depends on the payment capacity, however, it is considered very scalable overall.
How are customer service and support?
The customer service and support for Microsoft Sentinel are quite good. They provide numerous articles and training materials and are quick to respond, usually within an SLA of two to three hours.
How would you rate customer service and support?
Neutral
How was the initial setup?
The initial setup of Microsoft Sentinel can be challenging, with a learning curve. Configuring a workspace and adding connectors can be complex, especially for those not familiar with Azure or Microsoft. I would rate the setup around five or six out of ten.
What's my experience with pricing, setup cost, and licensing?
The pricing of Microsoft Sentinel is considered expensive, particularly due to the cloud-related costs for workspace, Sentinel, and storage.
What other advice do I have?
I am still quite new to Microsoft Sentinel, so I can't provide specific advice or recommendations. It is a good product with capabilities that might not be found in other SIEM solutions.
I'd rate the solution eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer: consultant
Last updated: Oct 22, 2024
Cyber Security Analyst at a tech services company with 11-50 employees
It creates a focal point for incidents, so it's much easier to get a comprehensive view of our security posture
Pros and Cons
- "I like the ability to run custom KQL queries. I don't know if that feature is specific to Sentinel. As far as I know, they are using technology built into Azure's Log Analytics app. Sentinel integrates with that, and we use this functionality heavily."
- "When we pass KPIs to the governance department, there's no option to provide rights to the data or dashboard to colleagues. We can use Power BI for this, but it isn't easy or convenient. They should just come up with a way to provide limited role-based access to auditing personnel."
What is our primary use case?
We use Sentinel to monitor logs, build alarms, correlate events, and fire up specific automation boards in the event of a security incident.
How has it helped my organization?
Sentinel creates a focal point for cybersecurity incidents, so it's much easier to correlate logs and incidents to get a more comprehensive view of our security posture. Microsoft provides many educational resources, so onboarding new people is easy.
It took us about a month to realize the benefits of Sentinel. Integrating all the Microsoft security products into the solution was straightforward. It seamlessly integrates with Microsoft Logic Apps, so it's easy to develop custom playbooks and automate many manual tasks.
Automation has made us more efficient and effective because we're free to focus on priority alerts. Sentinel has reduced the time spent on menial security tasks by 30-40 percent. Sentinel consolidates our dashboards into a single XDR console, one of our strategic goals. We're moving all of the data into Microsoft Sentinel to create a single point of truth for security incidents.
Microsoft provides some threat intelligence for significant incidents. They provide us with remediation and mitigation controls we can implement to react to these potential threats much faster.
What is most valuable?
I like the ability to run custom KQL queries. I don't know if that feature is specific to Sentinel. As far as I know, they use technology built into Azure's Log Analytics app. Sentinel integrates with that, and we use this functionality heavily.
Threat prioritization is a crucial feature. It already has them in order, so we know we should investigate high alerts first and move down the line to the less urgent ones.
We use all of the other Microsoft security solutions in addition to Sentinel. They all can be integrated together seamlessly to deliver comprehensive threat detection and response.
What needs improvement?
I would like to see additional artificial intelligence capabilities. They're already working on this with new features like Microsoft Security Copilot. This will help us investigate incidents much faster.
When we pass KPIs to the governance department, there's no option to provide rights to the data or dashboard to colleagues. We can use Power BI for this, but it isn't easy or convenient. They should just come up with a way to provide limited role-based access to auditing personnel.
For how long have I used the solution?
I have used Sentinel for two years.
What do I think about the stability of the solution?
We haven't experienced any downtime, so I think Sentinel is highly stable.
What do I think about the scalability of the solution?
Sentinel runs on the cloud, so it scales automatically.
How are customer service and support?
I rate Microsoft's support a 10 out of 10. They can connect you with the developers, and you get answers quickly.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I also worked with RSA enVision at my previous company. Sentinel has advantages because of its tight integration with the Microsoft ecosystem. It's effortless to set up because you don't need specific connectors. Sentinel works out of the box. It makes sense for a company that primarily works with Microsoft products to use Sentinel for security monitoring.
How was the initial setup?
Sentinel runs on the Microsoft Azure Cloud, so it was easy to set up. It took about two days to set it up. You start by integrating the Microsoft security solutions using the available connectors and move on to the firewall, SysTalk databases, and application-specific logs.
It's a bit more complicated to come up with custom rules and alarms, so that's the last part of our implementation strategy. We completed the deployment with two or three people and the help of Microsoft support. Because Sentinel is deployed in the cloud, it doesn't require any maintenance.
What was our ROI?
Our ROI comes from automating lots of tasks.
What's my experience with pricing, setup cost, and licensing?
Microsoft Sentinel is pretty expensive, and they recently announced that they will increase the price of all Microsoft services running in Azure by 11 percent. Luckily, I'm not responsible for the financial side. For one of my clients, the estimated cost is 880,000 euros for one year. There are additional costs for the service agreement.
What other advice do I have?
I rate Microsoft Sentinel an eight out of ten. I recommend taking advantage of the virtual training before you implement Sentinel. Familiarize yourself with the product, dashboards, features, integration, etc., before you decide to use it.
A single-vendor strategy is preferable because it's easier to integrate them. Otherwise, it can get complicated.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: I am a real user, and this review is based on my own experience and opinions.