Microsoft Sentinel Reviews

We primarily use the solution for the surrounding management. 

The correlation is very useful.

We like that it is an integrated platform. 

It's very much an agile product.

Everything works very well across the product.

The initial setup is very simple and straightforward. 

It is a scalable solution. 

The performance has been good.

We'd like to see more connectors.

The solution needs to offer a bit more advancement, enhancement, and scalability with other products as well, including the market competitors.

The solution is stable. The performance is good. There are no bugs or glitches. 

The server is scalable.

We haven't really used support all that much. That said, we haven't really had issues with them.

Positive

I've worked with other solutions, including, for example, Splunk. For me, each solution has a limitation when it comes to some use cases. It all depends upon the business strategies. 

The initial implementation is very easy. It's straightforward. It's not complex or difficult at all. A company shouldn't have any problems executing a setup.

The deployment process itself is very quick. It only takes maybe 30 to 40 minutes. 

We don't really need any maintenance on the solution. We're usually required to do maintenance when the agent determines it.

We did not require any third parties when it came to setting it up. We didn't use any integrators or consultants. The implementation was handled by in-house personnel. 

There is a community version. Whether or not the pricing is expensive depends on what a company needs and if it covers its requirements. I've been satisfied with the pricing so far. I don't find it overly expensive. 

You do pay a subscription fee for the service if you aren't using the community version. 

We're always happy to evaluate any other products on the market.

We are a gold customer.

I would recommend the product if it made sense for an individual company's use case. 

For the people who are on the cloud, I would suggest they go for Sentinel regardless of any other SIEM. It will do a good integration with other solutions, and with other cloud providers while providing a holistic view as well.

I'd rate the solution an eight out of ten.

We use the solution as more of a security management tool. It's a combination of monitoring and security management.

The most valuable features of this solution are the analysis and the automation. The security automation and orchestrations are great. Other tools, which I can't really name right now, don't have the potential automation this has. They do to a certain extent, however, we have to go ahead and integrate other different solutions on top. On the other hand, with Azure Sentinel, we have out-of-box solutions within Azure using Azure playbooks, where we can automate, filter, and complete tasks that reduce the manual effort. That comes under security automation and orchestration. An incident or an alert can be generated, a playbook can be triggered and completed. The manual effort can be reduced via automation.

The analysis is an important feature. It gives us a deep analysis of not just the alert, but also checks on the dependent resources or to ensure dependency matching is correctly done. We can see, with any issue, how deep it's affecting us, for example.

Sentinel has features that have helped improve our security poster. It helped us in going ahead and identifying the gaps via analysis and focusing on the key elements.

Sentinel has not affected the end-user experience in any way. These are basically integrated with solutions from Microsoft or vendor solutions. Therefore, the end-user experience doesn’t change.

The solution could improve the playbooks. As of now, we are customizing those playbooks for our needs. However, if there were out-of-box solutions available, which could automate a few tasks by default, that would really be of great help.

I've used the solution for over two years.

Performance is not something that we need to worry about as this is a service from Microsoft, and the underlying infrastructure of Sentinel is fully managed by Microsoft. All we need to do is go ahead and get started with the service. Once we have enabled Sentinel, it's all about integrating it with other logs. That's it. 

Scalability is something that's pretty easy in terms of integrating it with other log workspaces. I know there is a cost involved, however, in terms of scaling, it's pretty easy.

We have huge applications with a user base of about 10,000 to 25,000 users for this application. In terms of the end-users who have resources like VDI solutions or other solutions, there are about 5,000 to 7,000. Therefore, end-users and application users are different. 

Technical support is pretty straightforward. It's a no-brainer around that. They have standard SOPs they follow. There's nothing out-of-box that they provide as a solution as such as that is something that needs to be customized. If there is any customization, support, they would not be able to help us. It's all about going ahead and following the standard SOP.

They know what they're doing. However, when it comes to Sentinel, a lot of customizations are required, which support doesn't provide any assistance around.

I've worked with various other SIM solutions. There are only a few other competitors or SIM tools, which also have AI-based analysis.

With Microsoft, the advantage is that it can correlate with a lot of other solutions as Azure itself is a cloud provider and they have a lot of environments that they go ahead and manage in terms of the SIM. They can go ahead and have correlation on alerts. The AI can go and learn from other infrastructure and can also analyze everything in a better way. That's not the same case with other vendors or other competing SIM tools.

In terms of the automation part, for other vendor SIM tools, we'll have to go ahead and integrate it with a third-party provider and basically build a custom script for automation. With Sentinel, we have out-of-box solutions for automation where Azure playbooks really come in handy.

It's a service from Microsoft, so there is nothing else that needs to be deployed. We just go ahead and enable it. It hardly takes five minutes to get started by enabling Sentinel.

Sentinel is a pretty straightforward product. In terms of the advanced configurations, security automation and orchestration, that's a bit complex. That said, getting started with Sentinel is an easy process.

I would say that there's definitely a Return of Value. I can't really comment on Return on Investment yet.

We have seen a lot of manual codes being reduced and a focus on real issues, which are really impactful rather than going ahead and analyzing or monitoring each and every alert. With our Sentinel AI-based analysis, we can go ahead and focus on the critical issues rather than monitoring each and every alert or incident.

Licenses won't work as this is a pay-as-you-go model. Companies pay in terms of the number of logs being integrated within Sentinel, and the price is quoted that way. Sentinel is pretty pricey compared to the other competitors where they have licenses. For Sentinel, it's a bit pricey when it comes to big environments.

For those who want to adopt Sentinel, I'd advise that it's a really one-stop solution for all the security needs. It can be integrated with all solutions out there. It can be one single control where you can go ahead and manage the security from. You don't have to go ahead and log into different endpoint portals, or threat-protection portals, or any third-party vendor solutions as such. 

I would rate the solution at about a nine out of ten. There is definitely a scope of improvement in terms of the feature sets or the possibilities that we could go ahead and unlock.

Our clients use it for just an overall health check and security check for their deployments, whether it's on-prem or in Azure. Azure Sentinel basically collects the data from any kind of endpoint or server that is enrolled in the service, irrespective of whether they are on-prem or in the cloud. It can be laptop servers, virtual machines. It is a cloud solution, but it does extend to on-prem deployment.

I have been using the most up-to-date version. 

One of the most valuable features is that it creates a kind of a single pane of glass for organizations that already use Microsoft software. So, when they have things like Microsoft 365, it is very easy for them to kind of plug in or enroll those endpoints into the Azure Sentinel service.

I can't think of anything other than just getting the name out there. I think a lot of customers don't fully understand the full capabilities of Azure Sentinel yet. It is kind of like when they're first starting to use Azure, it might not be something they first think about. So, they should just kind of get to the point where it is more widely used.

I have been using Azure Sentinel since it came out, so it has been at least a couple of years.

It is very stable. It has been around for a while, and it is a Microsoft product. So, it is pretty secure and pretty stable.

Like all Azure services, it is definitely very scalable. You can very easily and very quickly enroll devices and other data points into Azure. 

Microsoft tech support is pretty good when it comes to Azure. It is really easy to open a ticket because you can do that right through the Azure portal. In addition, my company and other companies that kind of resell Azure services, oftentimes have our own help desk included with the consumption of Azure services. So, we have a 24/7 help desk that works on top of that. There are many managed services partners, like my company, that provide additional services in tech support on top of what Microsoft already has.

It is very straightforward.

It is kind of like a sliding scale. There are different tiers of pricing that go from $100 per day up to $3,500 per day. So, it just kind of depends on how much data is being stored. There can be additional costs to the standard license other than the additional data. It just kind of depends on what other services you're spinning up in Azure, or if you're using something like Azure log analytics.

For any customers who are either looking at Azure or already have Azure or Microsoft 365, this is a great service to look at because it does provide an additional layer of protection and security for all of their data points, whether they are on-prem or in the cloud.

I would rate Azure Sentinel a nine out of 10.

I work for a security operation center. We use Microsoft Sentinel to monitor the tenants of our customers and provide automated investigations and feedback and alerting.

If something happens or if we get an alert, we also use it to investigate further. We do a deep analysis of the logs that we ingest from our customers. We also have many automation rules built into Microsoft Sentinel to reduce the noise and not-true positive alerts.

There is the ease of setup and ease of use. When we get new customers, we do not need to go onsite, build a system inside their on-premise network, and spend a lot of time setting up the systems. We can easily deploy a new Sentinel solution for a customer with automated templates, which benefits a lot in onboarding new customers. Because we have integrated it with many other security solutions from Microsoft, we can also perform many actions for which we otherwise would have needed VPN access or would have had to go to the customer site. So, the main benefit is that we can easily do anything from anywhere without having to spend much time setting up and onboarding.

We have combined it with other tools such as Microsoft 365 Defender Suite. With all tools combined and the customization that we have developed, we get pretty good insights into possible threats. It all depends on the logs you ingest. If you ingest the right logs, you can get very meaningful insights.

It helps us to prioritize threats across the enterprise. It does that in a very good way. It prioritizes the threats based on multiple factors. If multiple similar incidents happen or suspicious related activities happen at the same time, the incident gets a high priority because that's likely to be a real threat, but it also ingests the priorities that come from the other tools. You also have the ability to adapt priorities because each customer is different. Each business is different. We give our customers a standby for tickets that come in with priority two or higher. Microsoft Sentinel also gives us the chance to lower priority on some cases or upper the priority on some cases depending on the business use case of the customer.

We are a Microsoft security company, so we try to use as many Microsoft security tools as possible. We have Microsoft Defender for Cloud and Microsoft Defender for Office 365 as well. They are integrated into Defender 365 currently. We use the compliance portal. We use Microsoft Purview. We use Microsoft Sentinel. We use Microsoft Defender for Key Vault. We try to use as many security solutions as possible.

We have integrated these products with each other, and we have succeeded in it as well. Each product is at least integrated with Microsoft Sentinel by either using the way provided by Microsoft or a custom way to ingest data. We have integrated Defender 365 and other tools as well. We try to ingest alerts only from one place, if possible. We have integrated everything into one portal, and we ingest the data only from that portal. The integration for Microsoft solutions mostly works natively, but some of our customers have third-party solutions that we can integrate as well.

It's very important that Microsoft solutions work natively. When they work natively, you can have more built-in functionality for them. They are much more maintainable, and it does not take as much time to set up versus when you have to make a custom integration to something.

Microsoft Sentinel enables us to ingest data from the entire ecosystem. We can make custom integrations. If you have Linux machines or on-premises networks, you can set up a log forwarder inside the network and ingest the data that way into Microsoft Sentinel. There are many possibilities to ingest data from all locations, which is necessary for an XDR/SIEM solution. This ingestion of data is one of the most important things for our security operations because if we cannot ingest any data, we are partially blind on that side.

Microsoft Sentinel enables us to investigate threats and respond holistically from one place. You do have to learn the KQL language, but it's similar to many other languages that are created by Microsoft or adopted by Microsoft. It's not that hard to learn. If you know it well, you can easily perform analysis on a whole bunch of data, whereas without Microsoft Sentinel, you would have to perform the analysis at many different places. Microsoft Sentinel gives you the possibility to do it just in one place.

We do not use all the functionalities of Microsoft Sentinel. For example, hunting queries are something that we do not use often, but their threat intelligence is updated quite regularly. We have tried it in Purview, which is a separate threat intelligence license that you can buy from Microsoft, but Microsoft also provides basic rules that alert on multiple threat indicators they detected earlier. They are very useful at the beginning sometimes. You have to remove those rules yourself as soon as they get outdated. The alerting that we get out of the threat intelligence provided by Microsoft itself has been valuable many times for our use cases.

Microsoft Sentinel helps automate routine tasks and the finding of high-value alerts. If we see many recurring alerts that are always suspicious but not really malicious, we can build our own automation rules that auto-close these alerts or automatically lower the priority on those alerts so that we are not getting too many notifications from alerts that are not worth investigating. It's really easy to do that. You can do it in many ways. To do the automation, there is a user-friendly interface. There are just drag-and-drop steps. It helps a lot, and it's easy to implement as well.

It has helped to eliminate having to look at multiple dashboards and have one dashboard for the analysis part, but for the response actions, it hasn't eliminated that because we have to log on to the Microsoft Defender security portals to perform most of those actions. For the analysis part, the alerting part, and the automated investigation part, this is the solution.

Its threat intelligence helps prepare us for potential threats before they hit and take proactive steps. For example, as soon as the Log4j vulnerability was known to the public, we immediately got alerts. We were able to take immediate action and remediate the vulnerability. We immediately knew how to prioritize our customers because we knew which customers already had active exploitation. Most of the time, such attempts were blocked, and if they got through, then the machine was luckily not really vulnerable, but it has been very helpful at that point to immediately assess the criticality for our customers. The attempts were not successful for many reasons. It also blocked them immediately.

It has saved us time. Especially because of the automated investigation part, it saved us a lot of time. We also have automated reporting, which also saves a lot of time each month. We provide our customers with a monthly report. If we had to do it manually and gather data from many different places, it would take a lot of time. Even if we had to fill it in manually in Microsoft Sentinel, it would take a lot of time, but because Microsoft Sentinel already ingests all of the data we use in our reports, we were able to write an integration with Microsoft Sentinel, which takes care of 75% of our reporting, and then we only have to do our analysis part. The data is already filled in, which saves a lot of time each month. The time savings went from one day per customer to one hour or two hours. For nearly fifteen customers, it was fifteen days, and now, it's 30 hours, which is more or less four days. It saves a lot of time each month that can now be spent on improving our service or performing deeper investigations on newly known threats and proactively act on them.

It hasn't reduced our time to detect because we have been using Microsoft Sentinel from the beginning. So, we always had the same response time because we only used Microsoft Sentinel for our alerting. It integrates well with Atlassian tools and ServiceNow tools, which gives us the ability to be alerted very fast on something, and then we can act immediately.

It's easy to use. It's a very good product. It can easily ingest data from anywhere. It has an easily understandable language to perform actions. You can use the entire Azure cloud to perform automated actions and automate investigations. The possibilities are more or less limitless because you can integrate Microsoft Sentinel with many resources inside the Azure cloud. If you integrate the security tooling with it, you can also make use of the data that Microsoft gathers from all Windows operating systems about malware, for instance, or about possible attacks. They ingest that data from so many sources, and you can make use of it. It helps a lot in discovering new vulnerabilities. We can almost immediately investigate them because Microsoft is always on top of things.

Threat intelligence could be better because we have had some cases where we got alerted online for many things all of a sudden. It was because some updates happened in the background, and we didn't agree with the use cases or how they were built. That part of threat intelligence could be a little better.

We have also had incidents where other tooling got an update but Microsoft Sentinel didn't update.

Microsoft Sentinel is a simple and straightforward solution. It could have a better API to be able to automate many things more extensively and get more extensive data and more expensive deployment possibilities. It can gain some points on the automation part and the integration part. The API is very limited, and I would like to see it extended a bit more.

We have recently turned on the bi-directional sync capabilities of Microsoft Defender for Cloud. It works pretty well, but sometimes, it just syncs only the incidents and not the alerts behind them or the other way around. That was the only thing. That was a recent complaint we had. Other than that, it works well.

I've been using Microsoft Sentinel for nearly two years.

It's very stable. We have many different Microsoft Sentinel instances running. Apart from some cleanup and maintenance, they all are running without any issues.

It's very scalable. As long as you send the right logs, it can ingest them perfectly, but, of course, the more logs you ingest, the higher the price, so you have to be very careful and very concerned about the logs you are ingesting in Microsoft Sentinel. You have to make sure that the logs that you ingest provide value for your security and are not useless.

I have not contacted them regarding Microsoft Sentinel, but I have contacted them for other solutions. Sometimes, we can't figure something out ourselves or we have questions about the new features that are made public. If we have a question or need assistance in any way in providing support to our customers, we can count on support to help us. I have not had a bad experience with them. We are also a Microsoft partner, so we get quick replies and have direct contacts within Microsoft sometimes for some cases. If we need support, they always help us very well.

Overall, I would rate them a seven out of ten because sometimes, they take a long time or you get redirected many times to another colleague before the issue is resolved, but in the end, they always help us out, and everything is fixed.

Neutral

In my previous job, we worked with local or on-premise systems, but the security monitoring was not that strong at that time. This is my second job, and in this job, I've only worked with Microsoft Sentinel.

I worked on one of the deployment scripts we use for our customers, but I was not involved in its initial deployment. I deployed it once for a customer by using the Azure resource manager template that I built. It was rather complex because the documentation was not up to date or correct at that time. When working with Microsoft Sentinel, sometimes the documentation is not as up-to-date or complete as it should be in my opinion.

The number of people involved in its deployment depends on the size of the customer, but usually, one or two people from the team do the deployment. One person works on the deployment of Microsoft Sentinel, and the other one usually works on the deployment of other components, such as analytics, automation, etc.

It does require maintenance. In order to stay up to date and keep evolving on the threat landscape, you have to keep looking for new analytic rules, new investigation techniques, and new automations. You have to constantly improve your Sentinel in order to stay on point and detect and have complete detection scenarios. Sometimes, the rules that are provided by Microsoft or the settings or conditions that are provided by Microsoft get deprecated or get a new update. You have to follow that up as well in order to stay up to date with the things Microsoft changes or recommends.

If you want to use Microsoft Sentinel, you should start thinking about the logs that you want to ingest. You should identify the ones that are important and also think of the use cases and what you want to detect from those logs. If you make the right choices on these two things, the setup and the integration with other tools will be very easy because you know from where you want to ingest logs and you know how to create analytics rules, automation rules, and things like that to detect the things that are critical or important to the security of your business.

To a security colleague who says it’s better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that with a single vendor, we can integrate everything like a single product. We use Azure Active Directory, so we can easily secure authentication across multiple products and manage access permissions. On top of that, we have a single pane of glass where we can investigate and perform analysis in a very easy and user-friendly way, which saves a lot of time. We don't have to click through many different portals and know where to look each time. We don't have to learn the configuration, the setup, and the actions we can perform in each system because everything has the same interface. We only have to learn the things that Microsoft provides and not different products. The single pane of glass saves time and makes it much easier to investigate and respond and secure the environment.

Overall, I would rate Microsoft Sentinel an eight out of ten. I'm very happy with it, but no product is perfect. It can improve on some points, but overall, it's very good.

Our organization is a service company, therefore, we are proposing Microsoft Sentinel as an MSSP solution to our clients. Additionally, we are offering other solutions with Microsoft Sentinel. We have integrated Microsoft Sentinel with MISP, an open source intelligence trading platform, to create a deluxe solution. Furthermore, we use the five-year tool in conjunction with Microsoft Sentinel.

We pitched the solution for BFSI, healthcare, and ONG sectors.

The solution can be deployed based on the client's requirements.

Microsoft Sentinel provides visibility into threats by creating alerts, which will generate an instance and notify us. We can also view files and prioritize alerts using Microsoft Sentinel. Additionally, there is a tool with Sentinel that allows us to check alerts, which will help us identify false positives and false negatives, which is very beneficial for analysts.

Microsoft Sentinel helps us prioritize threats across our enterprise.

Microsoft Sentinel's ability to help us prioritize threats is a very important must-have feature for our organization.

Integrating Microsoft Sentinel with additional Microsoft solutions such as Microsoft Security Center is easy because we use a Microsoft agent. There is a default integration available with multiple connectors and we can use the agent to install data into Microsoft Sentinel.

The integrated solutions work natively together to deliver a coordinated detection and response across our environment. We use a playbook for the response process. We also integrated ServiceNow tools and Sentinel for ITSM. We are also designing the playbooks to meet our requirements.

Having the ability to integrate solutions with Microsoft Sentinel is an important feature.

Microsoft Sentinel provides comprehensive protection. 

Our organization has a strong partnership with Microsoft. Most of the services we receive are quite cost-effective. Microsoft provides market listings, allowing us to design our solution and place it on Microsoft's market listings, resulting in mutual benefits for both Microsoft and our organization.

We used Microsoft Defender for Cloud to get to the Azure security center for Sentinel. We wanted to work with a particular server but at the time the requirement was in order to use Defender we had to enable the solution across the subscription and not on one particular server.

Microsoft Sentinel enables us to ingest data from our entire system if we want.

Microsoft Sentinel enables us to investigate and respond to threats from one place. We can control everything from a single pane of glass.

Microsoft's built-in UEBA and threat intelligence capabilities play a major role in our security.

We can automate routine tasks, prioritize alerts using the playbook, and use the analytical rule's default settings when creating an alert. This helps to reduce false positives so that we only receive one alert for each issue.

Microsoft's XDR enabled us to avoid having to view multiple dashboards. We can integrate a variety of tools with Sentinel, allowing us to monitor all relevant information from a single screen.

The integration into one dashboard reduced our analytical work because it reduces the time required to review and respond to threats. 

The solution helped us prepare for potential threats proactively. Microsoft Sentinel helped our organization save money by preventing attacks. The solution helped reduce the threat detection time by up to 40 percent.

The data connectors that Microsoft Sentinel provides are easy to integrate when we work with a Microsoft agent.

The UI design for the investigation portion of Microsoft Sentinel is great.

The alerting of the queries works great and it is easy to develop a query around our requirements using Microsoft Sentinel.

The GUI functionality has room for improvement.

The playbook can sometimes be hefty and has room for improvement.

The troubleshooting has room for improvement.

I have been using the solution for three years.

The solution is stable.

The solution is scalable.

The technical support depends on if we have upgraded our support or not. The basic support has a wait time but the premium support is great.

Positive

We previously used IBM Security QRadar. The data connectors are more complicated and there are more configurations required with IBM Security QRadar compared to Microsoft Sentinel. The alerts are much better with Microsoft Sentinel.

The initial setup is straightforward.

The implementation is completed in-house with Microsoft documentation.

In comparison to other security solutions, Microsoft Sentinel offers a reasonable price for the features included.

I give the solution an eight out of ten.

The maintenance is completed by Microsoft.

I recommend Microsoft Sentinel to others.

We use it to protect our Office 365 environment. We can also deploy it for the entire infrastructure, including on-premises, firewalls, and also users' devices.

I'm a partner with many customers using Sentinel. Some are small companies but I also have many banks that have implemented the solution.

It has helped to improve security posture because it's based on machine learning. You can protect the whole environment. While other solutions are based on rules, and you have to put rules in place to protect things, Sentinel is smarter because of the machine learning.

For example, one of my customers is a bank that was attacked by ransomware. They were using Symantec and it could not detect the attack. When we put in Sentinel, within 15 minutes it detected the malware and stopped the attack.

The most valuable features are its threat handling and detection. It's a powerful tool because it's based on machine learning and on the behavior of malware.

I have been using Microsoft Sentinel for one and a half years.

It's a stable solution.

It's a cloud solution so Microsoft handles the scaling. We haven't had a problem with performance because Microsoft is in charge. It's done automatically.

It's definitely the best technical support. When you open a new ticket you get a response within a maximum of one hour. You can open a case with Microsoft 24/7.

Positive

I used QRadar. I switched because QRadar is not smart and there was too much manual work.

It's easy to implement and not very hard to put it into production.

The deployment time depends on the customer's needs. It can be deployed in one hour. But if they have many end users and many servers, it can take one week. After that, you have to wait for the machine learning to learn the environment and start the detection.

The implementation strategy also depends on the environment. If it is an Office 365 environment, we can start by protecting email, the shares, and the docs. After that, we can move to the end-user machines. But it depends on the project.

Deployment and maintenance requires a maximum of three people. One would be an admin, one would be a security leader to maintain the solution, and the third would be a project manager. It also depends on the project, but in general, there will be two or three people involved.

It is certainly the most expensive solution. The cost is very high. We need to do an assessment using the one-month trial so that we can study the cost side. Before implementing it, we must do a careful calculation.

Something that could be improved is the documentation of the cost because there is none. All the other features are documented, but the pricing is not very clear.

The Office 365 connectors to Sentinel are free, as is the support.

Sentinel is generally the last option we go with because of the cost. Customers have their solutions but they contact us and say, "Okay, we have our solution but it's not smart. Can we move to Sentinel?"

I recommend implementing Sentinel because it's certainly the most powerful SIEM tool. It detects all malware based on the behavior of many things, including the files and anomalies. It detects things automatically.

We use it to monitor the cloud for any security issues. We are using it as a SIEM for our cloud workspace.

The most valuable feature is the UEBA. It's very easy for a security operations analyst. It has a one-touch analysis where you can search for a particular entity, and you can get a complete overview of that entity or user.

There is also something called workbooks in Sentinel that help us to monitor the complete cloud data and it gives knowledge about, and visibility into, our security posture.

It integrates seamlessly with Microsoft products, especially Office 365 and our Azure workspace, whether it's the Application Gateway or Azure DDoS or Azure Firewall. It has native integration that works very well.

You can also monitor Zero Trust security from Microsoft Sentinel.

There are a number of points they can improve. For example, if I see an alert and I want to drill down and get more details about the alert, it's not just one click. In other SIEM tools, you just have to click the IP address of the entity and they give you the complete picture. In Sentinel, you have to write queries or use saved queries to get details. For a security analyst, when there is an incident, it takes a lot of time to write queries, investigate, and then execute.

For example, if you want to search a particular entity or an IP address, or search the complete log instead of just the security alerts, it takes time to write a query for that. The MTTR is a little high, as is the mean time to investigate, compared to other SIEM tools.

I would also like to have more resources on KQL queries.

And using the data connectors is not straightforward when you want to create a use case that is not out-of-the-box. Creating a custom use case is a challenging process. You need to understand KQL queries and the support for regex is limited.

I've been using Microsoft Sentinel for between six months and a year.

The availability is good. But when you compare the stability with Splunk or ELK or QRadar, it still needs to be more reliable and stable, not from an installation or administration perspective, but when it comes to security operations.

We collect data from between 3,000 and 4,000 users, and our cloud workspace is somewhere around 100 or 200 servers.

The scalability is good because it has Azure in the back end.

We are still deciding whether to migrate completely to Sentinel or not. We are using two SIEM solutions in parallel. The other solution is LogRhythm. From an analyst perspective, Sentinel has to evolve more. Once it does, we can think of migrating to it fully.

The installation was straightforward and easy. With Azure Resource Manager, it was easy to deploy, and it was a straightforward integration, in terms of configuration, to connect the Log Analytics workspace with Sentinel and the solutions that Sentinel has.

Deploying the solution hardly took four hours, and the initial configuration took a single person one day, meaning eight hours.

We used to have an on-prem solution and we moved our workload to the cloud. Our users did not face any challenges or difficulties as a result.

We are still in the process of getting our ROI. We are waiting for the solution to improve and mature.

Sentinel is pretty competitive. The pricing is at the level of other SIEM solutions.

I have experience with Splunk and QRadar and they are the best. They are equivalent, one with the other. Both the solutions are mature enough, having been in the market for quite some time. They know what they're doing and are easy to use from an analyst's perspective. Both are scalable solutions as well.

The drawback of these two solutions is that it takes a little bit of time to do integrations, especially for Azure workloads, as they're not in-built in Azure.

Always record your KQL queries and stick to the basics.

We are running an MDR service for our customers and use Azure Sentinel as the SIEM product to allow us to have an overview of all our customers, but also to easily push configurations to different customers.

We use Azure Sentinel as an alert aggregator to import all of the incidents/alerts from the different (Microsoft) security products in order to have a single pane of glass. On top of that, we create our own custom Analytics Rule that can be used to add our own added value. This enables us to create our own IP to protect customers. 

It's really convenient for us to aggregate the logs/alerts from all our customers into a single pane of glass. By using the automation capabilities, it's relatively easy to sync all incidents to our ITSM tool which we can use to follow up on incidents. As it's based on the Microsoft stack, it's convenient for our engineers to learn the product. As Azure Sentinel is also a big focus for Microsoft, we have the ability to work with them on certain products. This creates visibility within the community and for new customers.

There are three valuable aspects of the solution: MSSP support, integration with Microsoft, and Automation. By using Azure Lighthouse, an MSSP can easily integrate their applications into their own baseline of policies/configurations.

Because Sentinel is built as an MS-first product, it integrates natively with other Microsoft products, which is really convenient as we are standardized on it. Without much work, you can connect any Microsoft product to it. 

Last, but not least, Sentinel uses Azure Logic Apps for automation, which is really powerful. This allows us to easily automate responses to incidents.

Azure Sentinel is constantly growing. Throughout the two years we have been using it, we have seen it expand tremendously. A lot of the limitations we had originally seen have already been mitigated. A couple of potential improvements could be: allow for a streamlined CI/CD procedure. Now it's a combination of using API/Powershell and ARM which is not ideal. Also, it should allow us to ingest on-prem logs by using a SaaS platform to ingest CEF/Syslog logs that also allow for prefiltering. This would allow us to minimize the cost of the solution.

I've been using the solution for 1.5 years.

We didn't use another SIEM product before Azure Sentinel. 

The cost can be a little confusing at first, but the Azure calculator is a great place to start. I would advise to start with integrating Microsoft products first, as this is the most convenient way forward and allows you to learn the product as you go.

In general, Azure Sentinel can be set up really quickly.