We primarily use the solution for the surrounding management.
Head of Security Operations at Edotco Group
Agile, integrates well with other solutions and offers fair pricing
Pros and Cons
- "The initial setup is very simple and straightforward."
- "We'd like to see more connectors."
What is our primary use case?
What is most valuable?
The correlation is very useful.
We like that it is an integrated platform.
It's very much an agile product.
Everything works very well across the product.
The initial setup is very simple and straightforward.
It is a scalable solution.
The performance has been good.
What needs improvement?
We'd like to see more connectors.
The solution needs to offer a bit more advancement, enhancement, and scalability with other products as well, including the market competitors.
What do I think about the stability of the solution?
The solution is stable. The performance is good. There are no bugs or glitches.
Buyer's Guide
Microsoft Sentinel
November 2024
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: November 2024.
817,354 professionals have used our research since 2012.
What do I think about the scalability of the solution?
The server is scalable.
How are customer service and support?
We haven't really used support all that much. That said, we haven't really had issues with them.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I've worked with other solutions, including, for example, Splunk. For me, each solution has a limitation when it comes to some use cases. It all depends upon the business strategies.
How was the initial setup?
The initial implementation is very easy. It's straightforward. It's not complex or difficult at all. A company shouldn't have any problems executing a setup.
The deployment process itself is very quick. It only takes maybe 30 to 40 minutes.
We don't really need any maintenance on the solution. We're usually required to do maintenance when the agent determines it.
What about the implementation team?
We did not require any third parties when it came to setting it up. We didn't use any integrators or consultants. The implementation was handled by in-house personnel.
What's my experience with pricing, setup cost, and licensing?
There is a community version. Whether or not the pricing is expensive depends on what a company needs and if it covers its requirements. I've been satisfied with the pricing so far. I don't find it overly expensive.
You do pay a subscription fee for the service if you aren't using the community version.
Which other solutions did I evaluate?
We're always happy to evaluate any other products on the market.
What other advice do I have?
We are a gold customer.
I would recommend the product if it made sense for an individual company's use case.
For the people who are on the cloud, I would suggest they go for Sentinel regardless of any other SIEM. It will do a good integration with other solutions, and with other cloud providers while providing a holistic view as well.
I'd rate the solution an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network & Security Manager at SNP Technologies, Inc.
Great security automation and orchestrations with the capability to do deep analysis
Pros and Cons
- "Sentinel has features that have helped improve our security posture. It helped us in going ahead and identifying the gaps via analysis and focusing on the key elements."
- "The solution could improve the playbooks."
What is our primary use case?
We use the solution as more of a security management tool. It's a combination of monitoring and security management.
What is most valuable?
The most valuable features of this solution are the analysis and the automation. The security automation and orchestrations are great. Other tools, which I can't really name right now, don't have the potential automation this has. They do to a certain extent, however, we have to go ahead and integrate other different solutions on top. On the other hand, with Azure Sentinel, we have out-of-box solutions within Azure using Azure playbooks, where we can automate, filter, and complete tasks that reduce the manual effort. That comes under security automation and orchestration. An incident or an alert can be generated, a playbook can be triggered and completed. The manual effort can be reduced via automation.
The analysis is an important feature. It gives us a deep analysis of not just the alert, but also checks on the dependent resources or to ensure dependency matching is correctly done. We can see, with any issue, how deep it's affecting us, for example.
Sentinel has features that have helped improve our security posture. It helped us in going ahead and identifying the gaps via analysis and focusing on the key elements.
Sentinel has not affected the end-user experience in any way. These are basically integrated with solutions from Microsoft or vendor solutions. Therefore, the end-user experience doesn’t change.
What needs improvement?
The solution could improve the playbooks. As of now, we are customizing those playbooks for our needs. However, if there were out-of-box solutions available, which could automate a few tasks by default, that would really be of great help.
For how long have I used the solution?
I've used the solution for over two years.
What do I think about the stability of the solution?
Performance is not something that we need to worry about as this is a service from Microsoft, and the underlying infrastructure of Sentinel is fully managed by Microsoft. All we need to do is go ahead and get started with the service. Once we have enabled Sentinel, it's all about integrating it with other logs. That's it.
What do I think about the scalability of the solution?
Scalability is something that's pretty easy in terms of integrating it with other log workspaces. I know there is a cost involved, however, in terms of scaling, it's pretty easy.
We have huge applications with a user base of about 10,000 to 25,000 users for this application. In terms of the end-users who have resources like VDI solutions or other solutions, there are about 5,000 to 7,000. Therefore, end-users and application users are different.
How are customer service and support?
Technical support is pretty straightforward. It's a no-brainer around that. They have standard SOPs they follow. There's nothing out-of-box that they provide as a solution as such as that is something that needs to be customized. If there is any customization, support, they would not be able to help us. It's all about going ahead and following the standard SOP.
They know what they're doing. However, when it comes to Sentinel, a lot of customizations are required, which support doesn't provide any assistance around.
Which solution did I use previously and why did I switch?
I've worked with various other SIEM solutions. There are only a few other competitors or SIEM tools which also have AI-based analysis.
With Microsoft, the advantage is that it can correlate with a lot of other solutions, as Azure itself is a cloud provider and they have a lot of environments that they go ahead and manage in terms of the SIEM. They can go ahead and have correlation on alerts. The AI can go and learn from other infrastructure and can also analyze everything in a better way. That's not the same case with other vendors or other competing SIEM tools.
In terms of the automation part, for other vendor SIEM tools, we'll have to go ahead and integrate it with a third-party provider and basically build a custom script for automation. With Sentinel, we have out-of-box solutions for automation, where Azure playbooks really come in handy.
How was the initial setup?
It's a service from Microsoft, so there is nothing else that needs to be deployed. We just go ahead and enable it. It hardly takes five minutes to get started by enabling Sentinel.
Sentinel is a pretty straightforward product. In terms of the advanced configurations, security automation and orchestration, that's a bit complex. That said, getting started with Sentinel is an easy process.
What was our ROI?
I would say that there's definitely a Return of Value. I can't really comment on Return on Investment yet.
We have seen a lot of manual codes being reduced and a focus on real issues, which are really impactful rather than going ahead and analyzing or monitoring each and every alert. With our Sentinel AI-based analysis, we can go ahead and focus on the critical issues rather than monitoring each and every alert or incident.
What's my experience with pricing, setup cost, and licensing?
Licenses won't work as this is a pay-as-you-go model. Companies pay in terms of the number of logs being integrated within Sentinel, and the price is quoted that way. Sentinel is pretty pricey compared to the other competitors where they have licenses. For Sentinel, it's a bit pricey when it comes to big environments.
What other advice do I have?
For those who want to adopt Sentinel, I'd advise that it's a really one-stop solution for all the security needs. It can be integrated with all solutions out there. It can be one single control where you can go ahead and manage the security from. You don't have to go ahead and log into different endpoint portals, or threat-protection portals, or any third-party vendor solutions as such.
I would rate the solution at about a nine out of ten. There is definitely a scope of improvement in terms of the feature sets or the possibilities that we could go ahead and unlock.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Cloud Security Analyst at a tech services company with 11-50 employees
Ingests data from anywhere, is easy to use, and saves a lot of time
Pros and Cons
- "It's easy to use. It's a very good product. It can easily ingest data from anywhere. It has an easily understandable language to perform actions."
- "It could have a better API to be able to automate many things more extensively and get more extensive data and more expensive deployment possibilities. It can gain some points on the automation part and the integration part. The API is very limited, and I would like to see it extended a bit more."
What is our primary use case?
I work for a security operation center. We use Microsoft Sentinel to monitor the tenants of our customers and provide automated investigations and feedback and alerting.
If something happens or if we get an alert, we also use it to investigate further. We do a deep analysis of the logs that we ingest from our customers. We also have many automation rules built into Microsoft Sentinel to reduce the noise and not-true positive alerts.
How has it helped my organization?
There is the ease of setup and ease of use. When we get new customers, we do not need to go onsite, build a system inside their on-premise network, and spend a lot of time setting up the systems. We can easily deploy a new Sentinel solution for a customer with automated templates, which benefits a lot in onboarding new customers. Because we have integrated it with many other security solutions from Microsoft, we can also perform many actions for which we otherwise would have needed VPN access or would have had to go to the customer site. So, the main benefit is that we can easily do anything from anywhere without having to spend much time setting up and onboarding.
We have combined it with other tools such as Microsoft 365 Defender Suite. With all tools combined and the customization that we have developed, we get pretty good insights into possible threats. It all depends on the logs you ingest. If you ingest the right logs, you can get very meaningful insights.
It helps us to prioritize threats across the enterprise. It does that in a very good way. It prioritizes the threats based on multiple factors. If multiple similar incidents happen or suspicious related activities happen at the same time, the incident gets a high priority because that's likely to be a real threat, but it also ingests the priorities that come from the other tools. You also have the ability to adapt priorities because each customer is different. Each business is different. We give our customers a standby for tickets that come in with priority two or higher. Microsoft Sentinel also gives us the chance to lower the priority on some cases or raise the priority on some cases depending on the business use case of the customer.
We are a Microsoft security company, so we try to use as many Microsoft security tools as possible. We have Microsoft Defender for Cloud and Microsoft Defender for Office 365 as well. They are integrated into Defender 365 currently. We use the compliance portal. We use Microsoft Purview. We use Microsoft Sentinel. We use Microsoft Defender for Key Vault. We try to use as many security solutions as possible.
We have integrated these products with each other, and we have succeeded in it as well. Each product is at least integrated with Microsoft Sentinel by either using the way provided by Microsoft or a custom way to ingest data. We have integrated Defender 365 and other tools as well. We try to ingest alerts only from one place, if possible. We have integrated everything into one portal, and we ingest the data only from that portal. The integration for Microsoft solutions mostly works natively, but some of our customers have third-party solutions that we can integrate as well.
It's very important that Microsoft solutions work natively. When they work natively, you can have more built-in functionality for them. They are much more maintainable, and it does not take as much time to set up versus when you have to make a custom integration to something.
Microsoft Sentinel enables us to ingest data from the entire ecosystem. We can make custom integrations. If you have Linux machines or on-premises networks, you can set up a log forwarder inside the network and ingest the data that way into Microsoft Sentinel. There are many possibilities to ingest data from all locations, which is necessary for an XDR/SIEM solution. This ingestion of data is one of the most important things for our security operations because if we cannot ingest any data, we are partially blind on that side.
Microsoft Sentinel enables us to investigate threats and respond holistically from one place. You do have to learn the KQL language, but it's similar to many other languages that are created by Microsoft or adopted by Microsoft. It's not that hard to learn. If you know it well, you can easily perform analysis on a whole bunch of data, whereas without Microsoft Sentinel, you would have to perform the analysis at many different places. Microsoft Sentinel gives you the possibility to do it just in one place.
We do not use all the functionalities of Microsoft Sentinel. For example, hunting queries are something that we do not use often, but their threat intelligence is updated quite regularly. We have tried it in Purview, which is a separate threat intelligence license that you can buy from Microsoft, but Microsoft also provides basic rules that alert on multiple threat indicators they detected earlier. They are very useful at the beginning sometimes. You have to remove those rules yourself as soon as they get outdated. The alerting that we get out of the threat intelligence provided by Microsoft itself has been valuable many times for our use cases.
Microsoft Sentinel helps automate routine tasks and the finding of high-value alerts. If we see many recurring alerts that are always suspicious but not really malicious, we can build our own automation rules that auto-close these alerts or automatically lower the priority on those alerts so that we are not getting too many notifications from alerts that are not worth investigating. It's really easy to do that. You can do it in many ways. To do the automation, there is a user-friendly interface. There are just drag-and-drop steps. It helps a lot, and it's easy to implement as well.
It has helped to eliminate having to look at multiple dashboards and have one dashboard for the analysis part, but for the response actions, it hasn't eliminated that because we have to log on to the Microsoft Defender security portals to perform most of those actions. For the analysis part, the alerting part, and the automated investigation part, this is the solution.
Its threat intelligence helps prepare us for potential threats before they hit and take proactive steps. For example, as soon as the Log4j vulnerability was known to the public, we immediately got alerts. We were able to take immediate action and remediate the vulnerability. We immediately knew how to prioritize our customers because we knew which customers already had active exploitation. Most of the time, such attempts were blocked, and if they got through, then the machine was luckily not really vulnerable, but it has been very helpful at that point to immediately assess the criticality for our customers. The attempts were not successful for many reasons. It also blocked them immediately.
It has saved us time. Especially because of the automated investigation part, it saved us a lot of time. We also have automated reporting, which also saves a lot of time each month. We provide our customers with a monthly report. If we had to do it manually and gather data from many different places, it would take a lot of time. Even if we had to fill it in manually in Microsoft Sentinel, it would take a lot of time, but because Microsoft Sentinel already ingests all of the data we use in our reports, we were able to write an integration with Microsoft Sentinel, which takes care of 75% of our reporting, and then we only have to do our analysis part. The data is already filled in, which saves a lot of time each month. The time savings went from one day per customer to one hour or two hours. For nearly fifteen customers, it was fifteen days, and now, it's 30 hours, which is more or less four days. It saves a lot of time each month that can now be spent on improving our service or performing deeper investigations on newly known threats and proactively act on them.
It hasn't reduced our time to detect because we have been using Microsoft Sentinel from the beginning. So, we always had the same response time because we only used Microsoft Sentinel for our alerting. It integrates well with Atlassian tools and ServiceNow tools, which gives us the ability to be alerted very fast on something, and then we can act immediately.
What is most valuable?
It's easy to use. It's a very good product. It can easily ingest data from anywhere. It has an easily understandable language to perform actions. You can use the entire Azure cloud to perform automated actions and automate investigations. The possibilities are more or less limitless because you can integrate Microsoft Sentinel with many resources inside the Azure cloud. If you integrate the security tooling with it, you can also make use of the data that Microsoft gathers from all Windows operating systems about malware, for instance, or about possible attacks. They ingest that data from so many sources, and you can make use of it. It helps a lot in discovering new vulnerabilities. We can almost immediately investigate them because Microsoft is always on top of things.
What needs improvement?
Threat intelligence could be better because we have had some cases where we got alerted online for many things all of a sudden. It was because some updates happened in the background, and we didn't agree with the use cases or how they were built. That part of threat intelligence could be a little better.
We have also had incidents where other tooling got an update but Microsoft Sentinel didn't update.
Microsoft Sentinel is a simple and straightforward solution. It could have a better API to be able to automate many things more extensively and get more extensive data and more expensive deployment possibilities. It can gain some points on the automation part and the integration part. The API is very limited, and I would like to see it extended a bit more.
We have recently turned on the bi-directional sync capabilities of Microsoft Defender for Cloud. It works pretty well, but sometimes, it just syncs only the incidents and not the alerts behind them or the other way around. That was the only thing. That was a recent complaint we had. Other than that, it works well.
For how long have I used the solution?
I've been using Microsoft Sentinel for nearly two years.
What do I think about the stability of the solution?
It's very stable. We have many different Microsoft Sentinel instances running. Apart from some cleanup and maintenance, they all are running without any issues.
What do I think about the scalability of the solution?
It's very scalable. As long as you send the right logs, it can ingest them perfectly, but, of course, the more logs you ingest, the higher the price, so you have to be very careful and very concerned about the logs you are ingesting in Microsoft Sentinel. You have to make sure that the logs that you ingest provide value for your security and are not useless.
How are customer service and support?
I have not contacted them regarding Microsoft Sentinel, but I have contacted them for other solutions. Sometimes, we can't figure something out ourselves or we have questions about the new features that are made public. If we have a question or need assistance in any way in providing support to our customers, we can count on support to help us. I have not had a bad experience with them. We are also a Microsoft partner, so we get quick replies and have direct contacts within Microsoft sometimes for some cases. If we need support, they always help us very well.
Overall, I would rate them a seven out of ten because sometimes, they take a long time or you get redirected many times to another colleague before the issue is resolved, but in the end, they always help us out, and everything is fixed.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
In my previous job, we worked with local or on-premise systems, but the security monitoring was not that strong at that time. This is my second job, and in this job, I've only worked with Microsoft Sentinel.
How was the initial setup?
I worked on one of the deployment scripts we use for our customers, but I was not involved in its initial deployment. I deployed it once for a customer by using the Azure resource manager template that I built. It was rather complex because the documentation was not up to date or correct at that time. When working with Microsoft Sentinel, sometimes the documentation is not as up-to-date or complete as it should be in my opinion.
The number of people involved in its deployment depends on the size of the customer, but usually, one or two people from the team do the deployment. One person works on the deployment of Microsoft Sentinel, and the other one usually works on the deployment of other components, such as analytics, automation, etc.
It does require maintenance. In order to stay up to date and keep evolving on the threat landscape, you have to keep looking for new analytic rules, new investigation techniques, and new automations. You have to constantly improve your Sentinel in order to stay on point and detect and have complete detection scenarios. Sometimes, the rules that are provided by Microsoft or the settings or conditions that are provided by Microsoft get deprecated or get a new update. You have to follow that up as well in order to stay up to date with the things Microsoft changes or recommends.
What other advice do I have?
If you want to use Microsoft Sentinel, you should start thinking about the logs that you want to ingest. You should identify the ones that are important and also think of the use cases and what you want to detect from those logs. If you make the right choices on these two things, the setup and the integration with other tools will be very easy because you know from where you want to ingest logs and you know how to create analytics rules, automation rules, and things like that to detect the things that are critical or important to the security of your business.
To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that with a single vendor, we can integrate everything like a single product. We use Azure Active Directory, so we can easily secure authentication across multiple products and manage access permissions. On top of that, we have a single pane of glass where we can investigate and perform analysis in a very easy and user-friendly way, which saves a lot of time. We don't have to click through many different portals and know where to look each time. We don't have to learn the configuration, the setup, and the actions we can perform in each system because everything has the same interface. We only have to learn the things that Microsoft provides and not different products. The single pane of glass saves time and makes it much easier to investigate and respond and secure the environment.
Overall, I would rate Microsoft Sentinel an eight out of ten. I'm very happy with it, but no product is perfect. It can improve on some points, but overall, it's very good.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
System Engineer at a tech vendor with 5,001-10,000 employees
Provides visibility into threats by creating alerts and enables us to ingest data from our entire system if we want
Pros and Cons
- "The data connectors that Microsoft Sentinel provides are easy to integrate when we work with a Microsoft agent."
- "The troubleshooting has room for improvement."
What is our primary use case?
Our organization is a service company; therefore, we are proposing Microsoft Sentinel as an MSSP solution to our clients. Additionally, we are offering other solutions with Microsoft Sentinel. We have integrated Microsoft Sentinel with MISP, an open-source threat intelligence sharing platform, to create a deluxe solution. Furthermore, we use the five-year tool in conjunction with Microsoft Sentinel.
We pitched the solution for BFSI, healthcare, and ONG sectors.
The solution can be deployed based on the client's requirements.
How has it helped my organization?
Microsoft Sentinel provides visibility into threats by creating alerts, which will generate an instance and notify us. We can also view files and prioritize alerts using Microsoft Sentinel. Additionally, there is a tool with Sentinel that allows us to check alerts, which will help us identify false positives and false negatives, which is very beneficial for analysts.
Microsoft Sentinel helps us prioritize threats across our enterprise.
Microsoft Sentinel's ability to help us prioritize threats is a very important must-have feature for our organization.
Integrating Microsoft Sentinel with additional Microsoft solutions such as Microsoft Security Center is easy because we use a Microsoft agent. There is a default integration available with multiple connectors and we can use the agent to install data into Microsoft Sentinel.
The integrated solutions work natively together to deliver a coordinated detection and response across our environment. We use a playbook for the response process. We also integrated ServiceNow tools and Sentinel for ITSM. We are also designing the playbooks to meet our requirements.
Having the ability to integrate solutions with Microsoft Sentinel is an important feature.
Microsoft Sentinel provides comprehensive protection.
Our organization has a strong partnership with Microsoft. Most of the services we receive are quite cost-effective. Microsoft provides market listings, allowing us to design our solution and place it on Microsoft's market listings, resulting in mutual benefits for both Microsoft and our organization.
We used Microsoft Defender for Cloud to get to the Azure security center for Sentinel. We wanted to work with a particular server but at the time the requirement was in order to use Defender we had to enable the solution across the subscription and not on one particular server.
Microsoft Sentinel enables us to ingest data from our entire system if we want.
Microsoft Sentinel enables us to investigate and respond to threats from one place. We can control everything from a single pane of glass.
Microsoft's built-in UEBA and threat intelligence capabilities play a major role in our security.
We can automate routine tasks, prioritize alerts using the playbook, and use the analytical rule's default settings when creating an alert. This helps to reduce false positives so that we only receive one alert for each issue.
Microsoft's XDR enabled us to avoid having to view multiple dashboards. We can integrate a variety of tools with Sentinel, allowing us to monitor all relevant information from a single screen.
The integration into one dashboard reduced our analytical work because it reduces the time required to review and respond to threats.
The solution helped us prepare for potential threats proactively. Microsoft Sentinel helped our organization save money by preventing attacks. The solution helped reduce the threat detection time by up to 40 percent.
What is most valuable?
The data connectors that Microsoft Sentinel provides are easy to integrate when we work with a Microsoft agent.
The UI design for the investigation portion of Microsoft Sentinel is great.
The alerting of the queries works great and it is easy to develop a query around our requirements using Microsoft Sentinel.
What needs improvement?
The GUI functionality has room for improvement.
The playbook can sometimes be hefty and has room for improvement.
The troubleshooting has room for improvement.
For how long have I used the solution?
I have been using the solution for three years.
What do I think about the stability of the solution?
The solution is stable.
What do I think about the scalability of the solution?
The solution is scalable.
How are customer service and support?
The technical support depends on if we have upgraded our support or not. The basic support has a wait time but the premium support is great.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We previously used IBM Security QRadar. The data connectors are more complicated and there are more configurations required with IBM Security QRadar compared to Microsoft Sentinel. The alerts are much better with Microsoft Sentinel.
How was the initial setup?
The initial setup is straightforward.
What about the implementation team?
The implementation is completed in-house with Microsoft documentation.
What's my experience with pricing, setup cost, and licensing?
In comparison to other security solutions, Microsoft Sentinel offers a reasonable price for the features included.
What other advice do I have?
I give the solution an eight out of ten.
The maintenance is completed by Microsoft.
I recommend Microsoft Sentinel to others.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
Security Architect at a tech services company with 10,001+ employees
Enables us to integrate multiple sources and provides results quickly
Pros and Cons
- "The analytics has a lot of advantages because there are 300 default use cases for rules and we can modify them per our environment. We can create other rules as well. Analytics is a useful feature."
- "Sentinel still has some anomalies. For example, sometimes when we write a query for log analysis with KQL, it doesn't give us the data in a proper way... Also, the fields or columns could be improved. Sometimes, it is not giving the desired results and there is a blank field."
What is our primary use case?
Log management is the primary purpose of Microsoft Sentinel to help us monitor the environment and detect threats. That way we can stop them at the first opportunity so that they do not impact the environment.
We take data from the data connectors. Some of the devices are default devices in Microsoft Sentinel, but we can easily add others. For some, we need to use an API or we need some extra help to add them into our security solution. At times, we need an agent.
How has it helped my organization?
It is a great tool for log management. It uses KQL (Kusto Query Language) which makes it very easy to find out anything in the environment by writing code.
If we have found some threat intel apart from Microsoft, we can add that to the watchlist category. We have a MITRE ATT&CK framework category and we can map the new threat methodology into our environment through Microsoft Sentinel. There are multiple features in Microsoft Sentinel that help us add threats into the environment and detect threats easily and quickly.
There are multiple things integrated with it, like CrowdStrike, Carbon Black, Windows and Linux devices, and Oracle. We can see threats from all the environments. If an attack happens on the AD side, we can see that things are signed off. All those sources are integrated and that's a good thing.
On a weekly basis, it is saving us 10 hours, because we get results from the solution very fast.
What is most valuable?
There are many features, including watchlists and analytics. We can also use it to find out multiple things related to log management and heartbeat. All the features have different importance in those processes.
The analytics have a lot of advantages because there are 300 default use cases for rules and we can modify them per our environment. We can create other rules as well. Analytics is a useful feature.
Another good feature is the data connectors, where we are collecting the logs from external devices and mapping them into the security solution. That feature is helpful.
The information Sentinel provides is of great use. Microsoft has its own threat intelligence team and they are mapping the threats per the IoCs. It lets us see multiple things that are happening. These things are a starting point for any type of attack and they are already in the solution's threat intelligence. Once something has been mapped, meaning whenever we get an alert from a threat actor, based on IoCs, we can analyze things and block them. There are multiple use cases and we can modify them for our environment.
We need to map things through the MITRE ATT&CK framework. Sentinel is a detection tool. Once it detects things, that is where human intervention comes in and we do an analysis. It is giving us ideas because it is generating events. We can see what events are happening, such as what packets are being analyzed, and what processes are being created. We can analyze all these aspects, including EDR cloud, because they are integrated with Microsoft Sentinel. It lets us see third-party sources. It is a very nice security monitoring tool.
The comprehensiveness of Sentinel's security protection is really great. I don't think it has SOAR capabilities, but it has UEBA.
What needs improvement?
Sentinel still has some anomalies. For example, sometimes when we write a query for log analysis with KQL, it doesn't give us the data in a proper way. We are trying to improve it and write the query in a manner that will give the desired results. We're trying to put in the conditions based on the events we want to look at, and for the log sources from which we are getting them. For that, we are working on modifications of our KQL queries. Sentinel could be improved by Microsoft because sometimes queries are not giving the desired results. This is something they should look into.
Also, the fields or columns could be improved. Sometimes, it is not giving the desired results and there is a blank field.
In addition, while the graphical user interface of Microsoft Sentinel is good, there is some lag in the user interface.
For how long have I used the solution?
I have been using Microsoft Sentinel for the last year. I have been more into the analysis part and the creation of use cases by using the analytics.
What do I think about the stability of the solution?
It's a stable solution.
What's my experience with pricing, setup cost, and licensing?
The combination of the ease of accessibility and the free cost of the service is great. But we buy storage based on our events per second and on how many sources are integrated into the solution. We have to store the data in our environment to do analysis on past events or to check past threats.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
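The watchlist and IoC matching the reviewer above describes, written out as an added KQL example (this is not code from the review or from Microsoft). It assumes a custom watchlist with the alias `ThreatIntelIPs` whose `SearchKey` is an IP address and which carries a `Source` column; `SigninLogs` and its columns are the standard Azure AD sign-in table in a Sentinel workspace.

```kql
// Added example (not from the review): flag Azure AD sign-ins coming from IPs
// held in a custom threat-intel watchlist, the kind of query a scheduled
// analytics rule runs. Assumes a watchlist aliased 'ThreatIntelIPs' whose
// SearchKey column holds the IP and which has a 'Source' column (both assumed).
let lookback = 1h;
let badIps = _GetWatchlist('ThreatIntelIPs')
    | project IPAddress = tostring(SearchKey), TiSource = tostring(Source);
SigninLogs
| where TimeGenerated > ago(lookback)
| join kind=inner badIps on IPAddress
| summarize
    Successes = countif(ResultType == "0"),
    Failures  = countif(ResultType != "0"),
    Users     = make_set(UserPrincipalName, 50),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated)
    by IPAddress, TiSource
// a single successful sign-in from a listed IP is worth an alert on its own;
// for failures only, require a burst so a lone mistyped password does not page anyone
| where Successes > 0 or Failures >= 5
| extend Severity = iff(Successes > 0, "High", "Medium")
| order by Severity asc, LastSeen desc
```

When this is saved as a scheduled analytics rule, the MITRE ATT&CK mapping the reviewer mentions is set on the rule itself (its tactics and techniques fields), not in the query; the query only decides which rows become alerts. Keep `lookback` aligned with the rule's query period so no sign-ins fall between consecutive runs.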
System Engineer at Metsys
Enables us to protect the entire environment because it's based on machine learning
Pros and Cons
- "The most valuable features are its threat handling and detection. It's a powerful tool because it's based on machine learning and on the behavior of malware."
What is our primary use case?
We use it to protect our Office 365 environment. We can also deploy it for the entire infrastructure, including on-premises, firewalls, and also users' devices.
I'm a partner with many customers using Sentinel. Some are small companies but I also have many banks that have implemented the solution.
How has it helped my organization?
It has helped to improve security posture because it's based on machine learning. You can protect the whole environment. While other solutions are based on rules, and you have to put rules in place to protect things, Sentinel is smarter because of the machine learning.
For example, one of my customers is a bank that was attacked by ransomware. They were using Symantec and it could not detect the attack. When we put in Sentinel, within 15 minutes it detected the malware and stopped the attack.
What is most valuable?
The most valuable features are its threat handling and detection. It's a powerful tool because it's based on machine learning and on the behavior of malware.
For how long have I used the solution?
I have been using Microsoft Sentinel for one and a half years.
What do I think about the stability of the solution?
It's a stable solution.
What do I think about the scalability of the solution?
It's a cloud solution so Microsoft handles the scaling. We haven't had a problem with performance because Microsoft is in charge. It's done automatically.
How are customer service and support?
It's definitely the best technical support. When you open a new ticket you get a response within a maximum of one hour. You can open a case with Microsoft 24/7.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I used QRadar. I switched because QRadar is not smart and there was too much manual work.
How was the initial setup?
It's easy to implement and not very hard to put it into production.
The deployment time depends on the customer's needs. It can be deployed in one hour. But if they have many end users and many servers, it can take one week. After that, you have to wait for the machine learning to learn the environment and start the detection.
The implementation strategy also depends on the environment. If it is an Office 365 environment, we can start by protecting email, the shares, and the docs. After that, we can move to the end-user machines. But it depends on the project.
Deployment and maintenance require a maximum of three people. One would be an admin, one would be a security leader to maintain the solution, and the third would be a project manager. It also depends on the project, but in general, there will be two or three people involved.
What's my experience with pricing, setup cost, and licensing?
It is certainly the most expensive solution. The cost is very high. We need to do an assessment using the one-month trial so that we can study the cost side. Before implementing it, we must do a careful calculation.
Something that could be improved is the documentation of the cost because there is none. All the other features are documented, but the pricing is not very clear.
The Office 365 connectors to Sentinel are free, as is the support.
Which other solutions did I evaluate?
Sentinel is generally the last option we go with because of the cost. Customers have their solutions but they contact us and say, "Okay, we have our solution but it's not smart. Can we move to Sentinel?"
What other advice do I have?
I recommend implementing Sentinel because it's certainly the most powerful SIEM tool. It detects all malware based on the behavior of many things, including the files and anomalies. It detects things automatically.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Senior Security Specialist at a healthcare company with 1,001-5,000 employees
Workbooks help us to monitor complete cloud data, but writing KQL queries takes time
Pros and Cons
- "The most valuable feature is the UEBA. It's very easy for a security operations analyst. It has a one-touch analysis where you can search for a particular entity, and you can get a complete overview of that entity or user."
- "If I see an alert and I want to drill down and get more details about the alert, it's not just one click. In other SIEM tools, you just have to click the IP address of the entity and they give you the complete picture. In Sentinel, you have to write queries or use saved queries to get details."
What is our primary use case?
We use it to monitor the cloud for any security issues. We are using it as a SIEM for our cloud workspace.
What is most valuable?
The most valuable feature is the UEBA. It's very easy for a security operations analyst. It has a one-touch analysis where you can search for a particular entity, and you can get a complete overview of that entity or user.
There is also something called workbooks in Sentinel that help us to monitor the complete cloud data and it gives knowledge about, and visibility into, our security posture.
It integrates seamlessly with Microsoft products, especially Office 365 and our Azure workspace, whether it's the Application Gateway or Azure DDoS or Azure Firewall. It has native integration that works very well.
You can also monitor Zero Trust security from Microsoft Sentinel.
What needs improvement?
There are a number of points they can improve. For example, if I see an alert and I want to drill down and get more details about the alert, it's not just one click. In other SIEM tools, you just have to click the IP address of the entity and they give you the complete picture. In Sentinel, you have to write queries or use saved queries to get details. For a security analyst, when there is an incident, it takes a lot of time to write queries, investigate, and then execute.
For example, if you want to search a particular entity or an IP address, or search the complete log instead of just the security alerts, it takes time to write a query for that. The MTTR is a little high, as is the mean time to investigate, compared to other SIEM tools.
I would also like to have more resources on KQL queries.
And using the data connectors is not straightforward when you want to create a use case that is not out-of-the-box. Creating a custom use case is a challenging process. You need to understand KQL queries and the support for regex is limited.
For how long have I used the solution?
I've been using Microsoft Sentinel for between six months and a year.
What do I think about the stability of the solution?
The availability is good. But when you compare the stability with Splunk or ELK or QRadar, it still needs to be more reliable and stable, not from an installation or administration perspective, but when it comes to security operations.
We collect data from between 3,000 and 4,000 users, and our cloud workspace is somewhere around 100 or 200 servers.
What do I think about the scalability of the solution?
The scalability is good because it has Azure in the back end.
Which solution did I use previously and why did I switch?
We are still deciding whether to migrate completely to Sentinel or not. We are using two SIEM solutions in parallel. The other solution is LogRhythm. From an analyst perspective, Sentinel has to evolve more. Once it does, we can think of migrating to it fully.
How was the initial setup?
The installation was straightforward and easy. With Azure Resource Manager, it was easy to deploy, and it was a straightforward integration, in terms of configuration, to connect the Log Analytics workspace with Sentinel and the solutions that Sentinel has.
Deploying the solution hardly took four hours, and the initial configuration took a single person one day, meaning eight hours.
We used to have an on-prem solution and we moved our workload to the cloud. Our users did not face any challenges or difficulties as a result.
What was our ROI?
We are still in the process of getting our ROI. We are waiting for the solution to improve and mature.
What's my experience with pricing, setup cost, and licensing?
Sentinel is pretty competitive. The pricing is at the level of other SIEM solutions.
Which other solutions did I evaluate?
I have experience with Splunk and QRadar and they are the best. They are equivalent, one with the other. Both the solutions are mature enough, having been in the market for quite some time. They know what they're doing and are easy to use from an analyst's perspective. Both are scalable solutions as well.
The drawback of these two solutions is that it takes a little bit of time to do integrations, especially for Azure workloads, as they're not in-built in Azure.
What other advice do I have?
Always record your KQL queries and stick to the basics.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
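The entity drill-down the reviewer above says requires a written or saved query, shown as one reusable saved query. This is an added KQL example, not code from the review or from Microsoft; the tables and columns are standard Sentinel tables (`SigninLogs`, `SecurityEvent`, `CommonSecurityLog`, `OfficeActivity`), and the IP address is a constructed placeholder.

```kql
// Added example (not from the review): one saved query that pulls the "complete
// picture" of an IP address across several tables, so an analyst changes one
// value instead of writing a fresh query per incident. The IP below is a
// constructed placeholder; replace it with the entity from the alert.
let target_ip = "203.0.113.45";
let window = 7d;
// isfuzzy=true lets the query run even in a workspace where one of these
// connectors is not enabled and the table therefore does not exist
union isfuzzy=true
    (SigninLogs
        | where TimeGenerated > ago(window) and IPAddress == target_ip
        | project TimeGenerated, Source = "SigninLogs",
                  Actor = UserPrincipalName,
                  Detail = strcat("result=", ResultType, " app=", AppDisplayName)),
    (SecurityEvent
        | where TimeGenerated > ago(window) and IpAddress == target_ip
        | project TimeGenerated, Source = "SecurityEvent",
                  Actor = Account,
                  Detail = strcat("EventID=", EventID, " host=", Computer)),
    (CommonSecurityLog
        | where TimeGenerated > ago(window)
            and (SourceIP == target_ip or DestinationIP == target_ip)
        | project TimeGenerated, Source = "CommonSecurityLog",
                  Actor = DeviceVendor,
                  Detail = strcat(SourceIP, " -> ", DestinationIP, ":", DestinationPort,
                                  " ", DeviceAction)),
    (OfficeActivity
        | where TimeGenerated > ago(window) and ClientIP == target_ip
        | project TimeGenerated, Source = "OfficeActivity",
                  Actor = UserId,
                  Detail = strcat(Operation, " ", OfficeWorkload))
// one row per table: how much, when, and who; drop the summarize to see raw rows
| summarize Events = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            Actors    = make_set(Actor, 20)
            by Source
| order by Events desc
```

Storing this under the workspace's saved queries is the practical form of the advice to record your KQL queries: the per-incident work shrinks to editing `target_ip` and, if needed, `window`. Each branch projects the same four columns so the `union` lines up regardless of how differently the source tables name their fields.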
Senior Microsoft 365 Consultant at The Collective Consulting
Quick to set up with good automation and integrates well with Microsoft products
Pros and Cons
- "Sentinel uses Azure Logic Apps for automation, which is really powerful. This allows us to easily automate responses to incidents."
- "The solution should allow for a streamlined CI/CD procedure."
What is our primary use case?
We are running an MDR service for our customers and use Azure Sentinel as the SIEM product to allow us to have an overview of all our customers, but also to easily push configurations to different customers.
We use Azure Sentinel as an alert aggregator to import all of the incidents/alerts from the different (Microsoft) security products in order to have a single pane of glass. On top of that, we create our own custom Analytics Rule that can be used to add our own added value. This enables us to create our own IP to protect customers.
How has it helped my organization?
It's really convenient for us to aggregate the logs/alerts from all our customers into a single pane of glass. By using the automation capabilities, it's relatively easy to sync all incidents to our ITSM tool which we can use to follow up on incidents. As it's based on the Microsoft stack, it's convenient for our engineers to learn the product. As Azure Sentinel is also a big focus for Microsoft, we have the ability to work with them on certain products. This creates visibility within the community and for new customers.
What is most valuable?
There are three valuable aspects of the solution: MSSP support, integration with Microsoft, and Automation. By using Azure Lighthouse, an MSSP can easily integrate their applications into their own baseline of policies/configurations.
Because Sentinel is built as an MS-first product, it integrates natively with other Microsoft products, which is really convenient as we are standardized on it. Without much work, you can connect any Microsoft product to it.
Last, but not least, Sentinel uses Azure Logic Apps for automation, which is really powerful. This allows us to easily automate responses to incidents.
What needs improvement?
Azure Sentinel is constantly growing. Throughout the two years we have been using it, we have seen it expand tremendously. A lot of the limitations we had originally seen have already been mitigated. A couple of potential improvements could be to allow for a streamlined CI/CD procedure; now it's a combination of using API/PowerShell and ARM, which is not ideal. Also, it should allow us to ingest on-prem logs by using a SaaS platform to ingest CEF/Syslog logs that also allows for prefiltering. This would allow us to minimize the cost of the solution.
For how long have I used the solution?
I've been using the solution for 1.5 years.
Which solution did I use previously and why did I switch?
We didn't use another SIEM product before Azure Sentinel.
What's my experience with pricing, setup cost, and licensing?
The cost can be a little confusing at first, but the Azure calculator is a great place to start. I would advise starting with integrating Microsoft products first, as this is the most convenient way forward and allows you to learn the product as you go.
In general, Azure Sentinel can be set up really quickly.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer: We are a Microsoft partner