Be aware of the risks and requirements before implementing the solution. Every related feature needs to have the necessary configuration to prevent any disruptions. Microsoft Sentinel covers everything needed. We have not yet moved our logs to Microsoft Sentinel. They are still being collected inside Splunk. We are trying to move all these log files to Microsoft Sentinel. I am not sure how many systems are connected yet, but all the integrated services inside the Entra ID are completely coherent. I am not a direct user, so I do not have the exact inner comparison to other solutions. It covers everything we need. I would rate Microsoft Sentinel a ten out of ten.
I am still quite new to Microsoft Sentinel, so I can't provide specific advice or recommendations. It is a good product with capabilities that might not be found in other SIEM solutions. I'd rate the solution eight out of ten.
We are an SSI system integrator. I'd rate the solution nine out of ten. For those interested in adopting the solution, I'd suggest looking at the costing and billing, ensuring you have the budget, and maybe doing a POC for 45 days or two months so that you can really experience the product.
I would rate Microsoft Sentinel eight out of ten. I've tried Splunk, QRadar, and Azure Sentinel. While Splunk requires knowledge of SPL for deeper exploration and QRadar's query language isn't powerful, Azure Sentinel strikes a great balance. It offers a user-friendly interface for basic investigations without needing a query language but also allows for custom queries and visualizations for advanced users. This makes it the most versatile of the three. Splunk requires users to learn SPL for full functionality, making it less accessible for basic investigations. Conversely, Microsoft Sentinel's intuitive UI allows even those without KQL knowledge to conduct basic security analysis through its built-in features and informative interface. Because our service is hosted on Microsoft's cloud, they completely manage all maintenance tasks, freeing us from infrastructure management responsibilities.
Security Ops Management at a manufacturing company with 1,001-5,000 employees
Real User
Nov 10, 2023
I would rate Microsoft Sentinel eight out of ten. We've got a user base globally of about 5,000 people. Microsoft Sentinel does require maintenance, which includes monitoring the incoming data and ensuring that everything is functioning as expected. While automation simplifies many tasks, it doesn't eliminate the need for oversight. We still need to verify that everything is working correctly. Part of the maintenance cycle involves ensuring that the automation agents are operational and performing their intended tasks and that events are being collected and evaluated properly. Users need to have a clear understanding of their goals before selecting a solution. I have encountered too many people who believe that simply choosing a solution will resolve all of their problems. It is crucial to understand the desired outcome and the specific requirements of the use case to determine whether or not Sentinel is the appropriate fit.
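The maintenance check this reviewer describes (confirming that agents are still reporting and that events are still being collected) can be written as a KQL query against the Log Analytics workspace behind Sentinel. This is an added example, not code from the reviewer or from Microsoft; the `Heartbeat` table with its `Computer`, `OSType` and `TimeGenerated` columns is the standard Azure Monitor agent table, while the one-hour silence threshold is an assumed value.

```kql
// Added example: list monitored machines whose agent has gone quiet.
// The Heartbeat table is written by the Azure Monitor / Log Analytics agent
// roughly once a minute per host. A host that stops heartbeating usually
// means a stopped agent, a broken connector or a decommissioned machine,
// and each of those leaves a gap in detection coverage until noticed.
let silence_threshold = 1h;   // assumed value; tune to your environment
Heartbeat
| summarize LastHeartbeat = max(TimeGenerated) by Computer, OSType
| where LastHeartbeat < ago(silence_threshold)
| extend MinutesSilent = datetime_diff('minute', now(), LastHeartbeat)
| order by MinutesSilent desc
```

Run it on the review cadence the reviewer mentions, or save it as a scheduled analytics rule so that silent hosts raise an incident instead of waiting for someone to look; a host that is missing from the output because it never sent a heartbeat at all is a coverage gap this query cannot see, so compare the result against your asset inventory as well.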
We use the tool to help secure our cloud-native security solutions. By enabling us to secure our cloud environments, it acts as a single solution for attack detection and threat visibility for proactive hunting. The solution gives us a library of customizable content that helps us address our unique needs. It also gives regular patch updates. It helps us to be updated with the latest threats happening across the world. We use the Microsoft Sentinel Content hub. Integration with Active Directory is also helpful for us. The content hub enables us to see the latest features. We have Extended Detection and Response in SentinelOne. It provides effective protection for the platform. It provides more cybersecurity by providing more visibility and protects our enterprise. The content hub helps us centralize out-of-the-box security information and event management content. It discovers and manages the built-in content. It provides an end-to-end security for us. Microsoft Sentinel correlates signals from first and third-party sources into a single high-confidence incident. It can extract the information through the respective APIs of the third parties. It has increased our threat intelligence, monitoring, and incident analysis efficiency. We use Microsoft Sentinel's AI in automation. The generative AI features enable real-time threat hunting and detection. The solution has helped improve our visibility into user and network behavior. The generative AI provides better detection and response capabilities and faster response times with actionable intelligence. The product has saved us time. It helps us get various log files. When there’s an incident, it enables us to do investigations faster. The tool saves us three days in a week. It reduces the work involved in our event investigation by streamlining the processes and making automation effective. Event investigation is much faster. If someone is looking for a comprehensive solution, Microsoft Sentinel is a good choice. 
It will fulfill all our needs, including attack detection, threat visibility, and response. Overall, I rate the solution an eight out of ten.
Cyber Security Engineer at a tech services company with 51-200 employees
Real User
Oct 31, 2023
I would rate Microsoft Sentinel seven out of ten. We have five people in our organization who utilize Sentinel. No maintenance is required from our end.
IT Operation Manager at Orascom Construction Industries
Real User
Aug 17, 2023
We are a customer of Microsoft. During implementation, it's helpful to get the vendor engaged in the implementation. I'd rate the solution nine out of ten. It's good to go with a single-vendor strategy. I've recommended this product to others. The user experience should be the number one priority. Microsoft is working on this every day. It's very important to us that the user experience is maintained and there's no conflict between the products or connectors. Having one dashboard makes it easier for admins and businesses to be in touch, engage, and share. For example, my manager can see my reports even if he's not knowledgeable in the technology.
Do a proof of concept. It's really easy to set up and get started. You don't have to turn everything on to start. Do a small proof of concept, get familiar with it, and you'll see how easy it is. Does it help prioritize threats across the enterprise? The short answer is, "Yes, it does." The slightly longer answer is that it is not a set-and-forget solution. And no SIEM is. You do need to configure Sentinel and fine-tune it. I have a calendar reminder every two weeks to go back in and make sure the right analytics rules are in place and change the ones that need changing, et cetera. It does prioritize threats, but it's not an automatic process that you never have to worry about again. Sentinel's threat intelligence doesn't really help with proactive steps. The threat intelligence has indicators of compromise, such as IP addresses, URLs, and file hashes. They get detected, but that's not really proactive. Perhaps it's "proactive" in the sense that somebody else has figured out that those things are bad and let the system know. But Microsoft 365 Defender does the proactive part because it has threat intelligence in it. It will tell you, "A new threat that we have a report on seems to be targeting your type of client." That's proactive, but Sentinel isn't proactive. Meaning, if you read about a threat and then protect yourself before that threat reaches you, Sentinel doesn't really do that. In the debate about best-of-breed versus a single-vendor security solution, if you pick best-of-breed individual security solutions and you have to integrate them, now you're an integrator. And that is hard. It's not easy to integrate different security products. And that's why, at least for my clients, Sentinel and Microsoft 365 Defender have been a huge shift. They're so easy to integrate. My clients could license separate products and then try to integrate them to get the same level of integration, but that would never work.
Threat Detection Engineer at a healthcare company with 10,001+ employees
Real User
Aug 15, 2023
It's ideal to go with a best-in-breed strategy rather than a single vendor. You need to know what is available in the market. Companies should be free to use any security tool that they consider to fit their needs. For companies considering Sentinel, they need to ensure a threat detection engineer will be available to manage their detection rules; you shouldn't enable all of them blindly. You may get value from Microsoft Sentinel; however, you need to continuously invest time and ensure everything is set up and working as expected. I'd rate the solution nine out of ten.
SOC Analyst at a tech services company with 501-1,000 employees
Real User
Aug 7, 2023
I would rate Microsoft Sentinel nine out of ten. While Microsoft Sentinel offers SIEM capabilities for security information and event management, it doesn't fully replace the need for a separate SOAR solution, which specializes in security orchestration, automation, and response. In addition to Microsoft Sentinel, I've also used IBM Security QRadar, which I believe is a superior solution because it functions as both a SIEM and SOAR, offering a more comprehensive approach to handling complex security processes. I advise taking the course before using Microsoft Sentinel to have a better understanding of the solution. I recommend trying Microsoft Sentinel.
Previously, it was a little bit difficult to find where an incident came from, including which IP address and which country. So in Sentinel, it's very easy to find where the incident came from since we can easily get the information from the dashboard, after which we take action quickly. Sentinel does provide me with the ability to set priorities on all the threats across your entire enterprise. So, it is very important because we were previously getting the service from the outside. It would be yes. Sentinel is a next-generation SOC. So, Sentinel also still develops some applications on Sentinel's site, so maybe in the next release, they will introduce a much more effective version for the company. I'm not sure how many companies use it right now. Maybe in the future, more companies will use Sentinel because its features are such that compared to the traditional SOC systems, they are not affected since the system is a cloud-based system. So it's easy to manage. Also, you don't need to care about it from an infrastructure point of view. Additionally, we don't need to take care of products, and we don't need to take care of maintenance. From a product point of view, we do not need to manage since we just need to focus on the incident event. Right now, we are using very traditional applications, so there is no use of native Microsoft applications right now. Sentinel enables me to ingest or collect data from my entire ecosystem, but not all of them, because some traditional applications cannot provide some data needed for export. It cannot allow you to get reports or logs from outside. It's a challenging point, so this might be an opportunity for us to change the traditional application. In traditional applications, and sometimes in IT systems, it might be very difficult to get data insight. In some cases, we need to change the application since, in traditional applications, you cannot get support. 
To fix it, you need to decide something, or maybe you need to decide on the application change. It might be an opportunity for you. But in the next-generation application, there is no problem. With a new application, you can easily integrate with Sentinel. In Sentinel, the negative point is just related to cloud applications. With cloud applications, maybe sometimes you cannot get data from the on-prem application. So if you use a cloud system, like Sentinel, which is a cloud system, then it's very easy. If you are using an on-prem system, Microsoft Sentinel sometimes may not be easy to integrate. Sentinel allows me to investigate threats and respond quickly and thoroughly from just one place. It accelerates our investigation, especially our event investigation and incident investigation. Using Sentinel, we take quick actions and get quick insights after its standard implementation. So it is time-efficient. Previously, we had no SOAR applications. In Sentinel, if you want to take action quickly, you need to create playbooks so that if something happens, you can just develop an application like a playbook in Sentinel so that if something happens, you can tell Sentinel to take action. You can freely create your own playbooks since it's very easy. In my opinion, this is the best feature of one product. Normally, you need to purchase two applications or two products. But in Sentinel, they combine everything together. This is the most beautiful feature for me. Sentinel helps automate routine tasks and helps automate the finding of high-value alerts. We do not need to create manual operations like when our system engineers see the incident and they do a system analysis. So after Sentinel, the system analysis is not done by anyone since Sentinel can already make decisions and then take action by itself. So at this point, there's no human power. Sometimes human power is needed, but maybe eighty percent or ninety percent of the time, there is no human power needed.
So, it has caused significant improvements in our entire company. Sentinel has helped eliminate having to look at multiple dashboards and giving us just one XDR dashboard. Previously, we had to check multiple dashboards, especially in relation to whether logs were coming and other things, like incidents and events. In Sentinel, you do not need to check many dashboards. So you are just designing one dashboard, and then, on the entire dashboard, you will see everything. So, it now saves time since previously there were multiple dashboards causing our engineers and our analysts to get confused at times. So they used to ask our managers to understand better. Currently, it is very easy to understand since one needs to check in on one dashboard, and there's no confusion among the engineers. But they do not need to ask anyone to understand. Apart from better understanding, it has improved our systems. From a security point of view, you need to go with multiple vendors, but this is a traditional system. But right now, if you want to create a good security system, you need to implement each product with one vendor, because vendors currently state that, if you want to have a high-level security system, you need to implement each product on a security level from one vendor. Microsoft-level vendors offer many features, but people only just purchase or use one product, and that's all. It's not good for security infrastructure. So, you need to implement all security products from just one vendor. I think one vendor and the needed security products will be enough for a company. Sentinel is our next-generation SOC. Currently, I don't see any competitors at this level. I rate the overall solution a nine out of ten.
IT Senior Systems Administrator at Dubai Developments
Real User
May 17, 2023
I rate the solution seven out of ten. Sentinel allows us to ingest data from our entire ecosystem, though we are attempting to integrate all our products. It can ingest and analyze all the data, but we aren't using this functionality to its fullest extent yet. My advice to someone considering the product is to use it. Start by integrating your primary applications, then slowly move on to others in descending order of importance.
I give Microsoft Sentinel a seven out of ten. It has good capabilities, including a large number of native connectors. It is a well-known brand, so it is likely that many third-party vendors will integrate with it in the future. This will give Sentinel a wider range of data sources to collect from. In terms of data connectors, I think Microsoft Sentinel is one of the better options available. However, some of its competitors, such as Splunk and SentinelOne, have better interfaces and support. They may also have some proprietary capabilities that Microsoft Sentinel does not offer. I believe that duplicating security measures is a good thing. It is also important to have redundancy in tools. If we have multiple tools that cover the same thing, we will have more eyes and visibility, and we will be able to remediate issues as they arise. Therefore, using multiple vendors, platforms, and consoles is the way to go. If we use only one tool for everything, it will be like a Swiss Army knife. We will definitely run into problems. I believe that we should avoid single points of failure at all costs. We should have redundancy in tools, but not just in tools. It is also beneficial for our team to all know the same tool or a specific suite.
Senior Cyber Security Operations Analyst at a financial services firm with 5,001-10,000 employees
Real User
May 9, 2023
You need to customize the kind of logs that you feed to Microsoft Sentinel. If you just plug in data connectors and don't do any customization and feed everything to Microsoft Sentinel, it will be very expensive in terms of cost. You only need the traffic that assists you in addressing security issues within your environment. You only need the information that gives you visibility to address security issues. Overall, I would rate Microsoft Sentinel an eight out of ten.
Many organizations leverage the MITRE ATT&CK framework. Within MITRE there are all kinds of tactics that could be brought to bear on any unsuspecting department or target. Or they align with something like OWASP. But with Sentinel, you're able to delineate what categories you want to prioritize. For anything web-based, because everything is based on APIs and is based on a web interface, you might want to prioritize OWASP-based threats. But if you look at things like APTs, advanced, persistent threats, and various bad actors that MITRE categorizes, that gives you a really good source of information in terms of what to prioritize. There are a lot of Microsoft security products: Defender for Cloud, Security Center, Azure Monitor. On the SaaS side, we leverage Compliance Manager. And within the dashboards for M365, you've got the ability to leverage policies. For some clients I've worked on, we have things like DLP policies, to prevent unauthorized exfiltration of data. But for IaaS, where Azure typically resides, Defender for Cloud is a big one. With the use of connectors, if you're looking to provide data telemetry from various services back into Sentinel to do threat-hunting, it is quite a straightforward process. If you're looking to look at things like logging and auditing and how storage accounts integrate, that's a bit more complex, but it's not rocket science. It's certainly quite feasible. Because they're all services incorporated into Azure, and into IaaS from a broader perspective, there's fairly straightforward integration. Everything is API driven. As long as you can take advantage of that within your dashboard and your admin center, you can enable them very simply through that. If you're looking for historical data through login auditing, it's a matter of parsing through some of that information to get some of those key nuggets of information. 
But the broader ability to spin up a bunch of services through Azure and have them communicate and work together to build a better security posture is very straightforward. Cloud platforms, whether Microsoft or AWS or Google, are always in flux. There are always services coming down the line, as well as updates or upgrades, and refinements to these services. Very rarely do you find a static service. When I look at the comprehensiveness of Sentinel from when I started to use it back in 2018 and through to early 2023, there have been a fair number of changes to the functionality of the tool. There are more connectors coming online all the time. It's evolving to make it more and more comprehensive in terms of what kind of information you can pull into Sentinel. It's more and more comprehensive as time goes on; the tool just improves.
I would recommend Microsoft Sentinel. It's always good to compare against other tools when it comes to the value, to get an idea of what you are paying for. Compare the market strategies and the new capabilities that are coming out and whether you're able to unlock the full capabilities or not. Double-check that. As for best-of-breed versus one vendor, you should stick with one vendor only and take whatever they gave.
We have created a logic app that creates tickets in our service desk. Whenever a ticket is raised, it is automatically assigned to one of the members of our SOC team. They investigate, or reverse-investigate, and track the incident. Every solution requires continuous maintenance. We cannot rely on AI/ML for everything. Whenever there is a custom requirement or we want to do something differently, we do sit with the team to create the required analytic rules, et cetera. It doesn't involve more than three to four people. In terms of the comprehensiveness of Sentinel when it comes to security, it plays a wide role in analysis, including geographical analysis, of our multiple sites. It is our centralized eye where we can have a complete analysis and view of our ecosystem. Go with a single vendor security suite if you have the choice between that and a best-of-breed strategy. It is better to have a single vendor for security in such a complex environment of multiple vendors, a vendor who would understand all the requirements and give you a central contact. And the SLA for response should be on the low side in that situation, as Microsoft, with its premium support, gives an SLA of an immediate callback, within two to three minutes of creating a ticket.
Consultant Expert Microsoft at a tech services company with 1,001-5,000 employees
Real User
Nov 11, 2022
Before using Sentinel, I recommend reading the documentation and watching the YouTube Ninja Training channel. They go through all options for Sentinel. In addition, I recommend knowing KQL—it's a requirement—and how to automate tasks in Azure. Other than these points, Sentinel is easy to enter because if you have a native connector, it's just "next, next, next." But when you want to do customization, it can sometimes be hard to do what you want. When you look at going with a best-of-breed strategy versus a single vendor's security stack, it depends on the strategy of the customer. Sometimes, the customer prefers to get all its security products from a single vendor because they get discounts when they do that. Other customers prefer to have several vendors for security reasons. From my point of view, there is no correct answer. If I were responsible for the security of a company, I think I would prefer to use an all-Microsoft security stack because it's easier to interconnect the solutions and you get more information as a result.
Microsoft is proactive in helping you be ready for potential threats, but I'm not involved in that part. It's something my counterpart takes care of. But I have heard from them that it is proactive. We also use Microsoft's CASB solution, Microsoft Defender for Cloud, and Defender for Endpoint. There is some complexity when it comes to integration of Defender for Endpoint. This is the feedback I have submitted to Microsoft. When we do the integration of Defender for Endpoint, we have more than 12,000 machines, with different OSs. Onboarding all those machines into the environment is a challenge because of the large number of machines. Although it's not creating any kind of mess, compared with Sentinel or the CASB product, Defender for Endpoint is something Microsoft can work on to create an option where we don't need to onboard all these machines into Intune and then into Defender for Endpoint. If that step can be omitted, Defender for Endpoint will also be a good solution because it is also working on an AI basis. These Microsoft products do work together to deliver coordinated detection and response. We simultaneously get the benefits of all these products. We are also using Microsoft Defender for Cloud to see the security posture of our environment and it also has some great features. It helps us understand vulnerability issues and, on top of that, we get recommendations for resolving those issues. The security posture is based on the policies it has, as well as third-party CIS benchmarks that people are using in the backend to provide the recommendations. It's good. We have created an automation rule, but not directly using Defender for Cloud's bi-directional feature. The automation we have created is logic using a bidirectional aspect for Sentinel incidents. When we get incidents in Sentinel, we can trigger those same incidents in ServiceNow as well. We have a SOC team that manages our incident response plan and ServiceNow.
Once they take an action in ServiceNow, they don't need to go to Microsoft Sentinel again and take action on the incident. It will automatically reflect the action they have taken. Between best-of-breed versus a single vendor for security, Microsoft is on top. They are continuously enhancing their product and other cloud platforms don't have a direct SIEM solution. We need to customize other solutions every time if we want to opt for another cloud vendor. This is the advantage of Microsoft Sentinel at this point in time. I would recommend Microsoft Sentinel to anybody. My colleagues and I feel that Microsoft Sentinel is the number-one product for anyone considering something similar. We have other tools as well, but none compare with Sentinel.
Senior Cyber Security Consultant at a financial services firm with 10,001+ employees
Real User
Oct 8, 2022
I would rate this solution as nine out of ten. My advice is that colleagues who have worked on different solutions, whether on-premises or cloud, should use the Ninja training. Microsoft provides this training directly. It is publicly available and provides a better understanding of how to utilize the solution more effectively. I think it's ideal to go with different vendors across our environment rather than a single vendor for security purposes.
Senior Cloud Infrastructure Consultant at a tech services company with 201-500 employees
Consultant
Sep 3, 2022
Having worked with the product and knowing the capabilities of the product, it is worth investing in a product that Microsoft has spent a great deal on integrating with the rest of its product stack. Now, we can argue how far along the third-party vendors are in terms of integration with the rest of the security landscape, but if you're a Microsoft house, there is literally no better solution right now in terms of integration and highlighting the best out of your investment. Of course, every use case is different, but I'm happy to look at any challenge in terms of what a third-party solution can bring and what they reckon Sentinel can't. My advice to others evaluating the solution is that Sentinel isn't a silver bullet solution. It is not something you deploy and set up, and it is going to work 100% well and you're going to be happy. There is going to be some upfront investment. You're going to have to spend some time getting the product in place and getting it configured to your needs. To showcase in a PoC environment is quick and easy, but to realize real-world day-to-day benefits from this product, there is going to be some investment. Keep that in mind. If you're willing to spend that time upfront within the first couple of days or a couple of weeks of you deploying the solution, you'll immediately realize the benefit, but you have to have that mindset. It is not going to just be next, next, next, where it is deployed, and congratulations, you are now secure. That's never going to be the case, but after spending a bit of time on this product, there is nothing it can't do. I want to give it a 10 out of 10 just because I'm very passionate about this product. I've seen it grow from a very basic SIEM solution to a fully-fledged SIEM, SOAR solution. Some of the capabilities that are built in right now make my day so much easier. Overall, it is a brilliant product, and I love what Microsoft is doing to it. It is a great product.
Consultant at a tech services company with 11-50 employees
Real User
Aug 23, 2022
My advice is to start out with a little bit of data and build on top of that. Don't enable too many data connectors in the beginning. Get familiar with the product, and remember to work with Sentinel every day. That's the only way the product gets better. It comes with some out-of-the-box analytics, but to get the full and best usage out of it, you have to really keep developing it with hunting queries, analytics, et cetera. The visibility provided by the built-in analytics rules, what they detect, is rather good, but Microsoft Sentinel requires ongoing work. It helps automate routine tasks as well, but that's not something that comes "for free." It also requires ongoing work. Threat intelligence is something that you must be more than just a novice in Sentinel to make use of. Overall, I find Sentinel to be a really strong solution. Sentinel is where you can see the overall security status of your company. I really enjoy working with Microsoft Defender and the entire suite, combined with Microsoft Sentinel.
SIEM Engineer at a tech services company with 501-1,000 employees
Real User
Aug 8, 2022
I would rate this solution eight out of ten. It's heading in the right direction, but it's already pretty good and mature. If a security colleague said it's better to go with the best-of-breed strategy rather than a single vendor security suite, I would understand that completely. Some people see tying yourself into a single vendor as a vulnerability. It's not quite spread out, but I think you can manage a single vendor security solution if you have a good relationship with the vendor and you really leverage your connections within that business. It's good to diversify your products and make sure that you have a suite of products available from different companies and that you use the best that's available. In terms of this technology stack, it's pretty good for what it does. My advice is to really focus on what's possible and what you could do with the SIEM. There are a lot of features that don't get used and maximized for their purpose from day one. It takes a couple of months to properly deploy the solution to full maturity.
I recommend implementing Sentinel because it's certainly the most powerful SIEM tool. It detects all malware based on the behavior of many things, including the files and anomalies. It detects things automatically.
If you have the funds, I would recommend it. I think the pricing is important; it's quite expensive, but if you have that, I think I would recommend it. The advice is to think carefully about what data you send to the platform because it is costly. The price is data-driven, so make sure you know how much data you will send and that you only send what is required. That, I believe, is the key point. We are Microsoft partners. I would rate Microsoft Sentinel a seven out of ten.
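Two reviews on this page make the same point: Sentinel's price is driven by ingested data, so you should know what each connector sends and send only what you need. A first step is to measure where the volume comes from. The query below is an added example, not code from either reviewer or from Microsoft; it uses the standard `Usage` table of a Log Analytics workspace, whose `Quantity` column is in MB and whose `IsBillable` flag separates billed from free data, and the 30-day window is an assumed value.

```kql
// Added example: rank data types by billable ingestion over a window.
// Each Usage row records, per hour and per data type, how many MB arrived
// and whether that data is billable. Sorting by volume shows which
// connectors drive the bill and are therefore candidates for filtering at
// the source, or in a data collection rule transformation, before the data
// lands in the workspace and becomes chargeable.
let lookback = 30d;           // assumed window; adjust as needed
let billable = Usage
    | where TimeGenerated > ago(lookback) and IsBillable == true;
// Total billable volume in GB, used to express each table as a share.
let totalGB = toscalar(billable | summarize sum(Quantity) / 1024);
billable
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType
| extend ShareOfTotal = round(100.0 * IngestedGB / totalGB, 1)
| order by IngestedGB desc
```

The top few rows are where customization pays off: a verbose table that contributes little to detection is the one to trim with a transformation or a narrower source configuration, whereas a table that feeds your analytics rules should be left whole even if it is large. Re-run the query after each change so that a filter that silently dropped a useful source shows up as a volume drop you did not intend.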
We are a gold customer. I would recommend the product if it made sense for an individual company's use case. For the people who are on the cloud, I would suggest they go for Sentinel regardless of any other SIEM. It will do a good integration with other solutions, and with other cloud providers while providing a holistic view as well. I'd rate the solution an eight out of ten.
Cyber Security Engineer at a performing arts with 1,001-5,000 employees (Real User), Feb 17, 2022
Because it is mainly artificial intelligence and machine learning, you would need some time to learn it. It is a good solution, and it is straightforward. I would rate it a six out of 10. I haven't really dealt with other ones.
If you're using the cloud and Azure, I would really recommend Sentinel as it will keep making sure that the devices that you have in your environment are safe. Sentinel is very smart at detecting what type of attack is occurring and is actually able to detect and tell us the type of hash file. It is able to go on the internet, look at VirusTotal, and see if this is a virus, scam, or phishing. I like how it's able to detect it and how we can make it learn what type of spam or email issue query it is. So, it's a very adaptive type of tool. I would rate Microsoft Sentinel at ten on a scale from one to ten.
The solution is great. As far as the product itself is concerned, not the pricing, I would rate it as nine out of 10. Including pricing, I would rate the product as five to six out of 10.
The company I work with now is a Microsoft partner. It's a very, very powerful tool that I recommend to my customers. I work as a consultant. I advise customers. I do not sell it directly. It's something that organizations should use. I would advise people to use it. It doesn't look into only your Azure environment. It spans other cloud solution providers. I'd rate the solution at a ten out of ten.
Cloud and DevOps Architect at a financial services firm with 11-50 employees (Real User), Oct 25, 2021
If you are purely on Azure, Sentinel is the way to go. Also, it easily works with on-premise workloads from what I have been able to determine. When I look at connectors, it integrates with other cloud providers. I see it integrates with GCP. I would rate Sentinel as seven out of 10.
Personally, I like the tool. From a SOC perspective, the visibility into government operations in particular is key, and I'm seeing a lot of advanced usage of it for some of my clients. The federal government, here in Canada, has primarily centralized on Azure as opposed to AWS. That's because most of these departments also have SaaS environments that are M365-centric. As a result, because they are already Microsoft on the SaaS side, a lot of departments maintain that Microsoft synergy, even if, in my opinion, AWS is a better platform. As a cloud SIEM, I would rate Sentinel at an eight out of 10. The only reason I'm not ranking it higher is that, as I said, there is some complexity with it. You have to tweak the service to get the outputs you want, by doing things like creating workbooks or rules for Sentinel, doing the threat-hunting, setting up the connectors, the log analytics, and workspaces. There's a lot of "heavy lifting" done to get Sentinel into a state where you can effectively use it. But as far as the actual outputs are concerned, if you know what you're doing with the queries, Sentinel is a great tool. Microsoft offers training around Sentinel. In our region, among the support guys that deal with the government departments and agencies, there are some Sentinel subject matter experts available. And when more advanced knowledge is needed, Microsoft can provide what are called "support ninjas." They have more advanced knowledge and can be flown in from wherever. There are a lot of opportunities to learn how to properly use Sentinel's tools. Once you get that familiarity, Sentinel is a valuable tool for your cloud security posture.
This is a product that I highly recommend, for all of the positives that I've mentioned. The transition from an on-premises to a cloud-based SIEM is something that I've actually done, and it's not overly complicated. It doesn't have to be a complex migration, which is something that a lot of companies may be reluctant about. Overall, this is a good product but there are parts of Sentinel that need improvement. There are some things that need to be more adaptable and more versatile. I would rate this solution a nine out of ten.
Director - Technology Risk & Cyber at a financial services firm with 10,001+ employees (Real User), Aug 23, 2021
We see that a lot of clients are trying to explore more apart from Azure. Some of the clients are interested in Splunk. Some of the clients are interested in seeing what's available from AWS. This year is quite different in Malaysia because the government has opened up the adoption of public cloud in all sectors, especially in the financial sector. So, we are seeing new requirements coming up. I would rate Azure Sentinel a seven out of 10.
Domain Architect at a government with 5,001-10,000 employees (Real User), Apr 8, 2021
It is fairly new but making a charge up the market analyses. Should be considered if you have E5 licence due to native and 'free' ingestion of M365 logs. We haven't used all of its capability yet because we haven't had the time yet to implement it all, and it appears that the MS roadmap for Sentinel is being actively invested in.
Azure Sentinel is actually quite handy, and very adaptive to the market trends. Anyone who is looking for the same store, creating their complete security solution for their enterprise, for the effective security solution, and for data integration, they must go with the Azure Sentinel as they are going to get everything in one place. I would rate Azure Sentinel at an eight on a scale of ten.
SOC Analyst at a wholesaler/distributor with 10,001+ employees (Real User), Feb 12, 2021
We're using the latest version of the solution. Choosing this solution was a management decision. Due to cost-effectiveness, they opted for Azure Sentinel. Whether this product would work for another organization or not depends on the company's requirements. As it is still very early in terms of our experience with the solution, I would rate the product at a six out of ten.
If it's a security integrator like us, quite often people push the client into buying different vendors' products and the client already has the tool in-house. Microsoft is one of those tools that most clients already have. Many vendors, or integrators, that we know of, are not familiar with Microsoft Sentinel product classification security. So that's one thing I would encourage both potential customers, and users, to look into: what suite of products they have with their existing Microsoft accounts. Also, the integrators should be quite familiar with all the things that are available to their clients, so they don't have to invest tons of money in other tools. Based on having no complaints, I would rate Azure Sentinel an eight out of ten.
I would rate Microsoft Sentinel eight out of ten. We've got a user base globally of about 5,000 people. Microsoft Sentinel does require maintenance, which includes monitoring the incoming data and ensuring that everything is functioning as expected. While automation simplifies many tasks, it doesn't eliminate the need for oversight. We still need to verify that everything is working correctly. Part of the maintenance cycle involves ensuring that the automation agents are operational and performing their intended tasks and that events are being collected and evaluated properly. Users need to have a clear understanding of their goals before selecting a solution. I have encountered too many people who believe that simply choosing a solution will resolve all of their problems. It is crucial to understand the desired outcome and the specific requirements of the use case to determine whether or not Sentinel is the appropriate fit.
We use the tool to help secure our cloud-native security solutions. By enabling us to secure our cloud environments, it acts as a single solution for attack detection and threat visibility for proactive hunting. The solution gives us a library of customizable content that helps us address our unique needs. It also gives regular patch updates. It helps us to be updated with the latest threats happening across the world. We use the Microsoft Sentinel Content hub. Integration with Active Directory is also helpful for us. The content hub enables us to see the latest features. We have Extended Detection and Response in SentinelOne. It provides effective protection for the platform. It provides more cybersecurity by providing more visibility and protects our enterprise. The content hub helps us centralize out-of-the-box security information and event management content. It discovers and manages the built-in content. It provides an end-to-end security for us. Microsoft Sentinel correlates signals from first and third-party sources into a single high-confidence incident. It can extract the information through the respective APIs of the third parties. It has increased our threat intelligence, monitoring, and incident analysis efficiency. We use Microsoft Sentinel's AI in automation. The generative AI features enable real-time threat hunting and detection. The solution has helped improve our visibility into user and network behavior. The generative AI provides better detection and response capabilities and faster response times with actionable intelligence. The product has saved us time. It helps us get various log files. When there’s an incident, it enables us to do investigations faster. The tool saves us three days in a week. It reduces the work involved in our event investigation by streamlining the processes and making automation effective. Event investigation is much faster. If someone is looking for a comprehensive solution, Microsoft Sentinel is a good choice. 
It will fulfill all our needs, including attack detection, threat visibility, and response. Overall, I rate the solution an eight out of ten.
I would rate Microsoft Sentinel seven out of ten. We have five people in our organization who utilize Sentinel. No maintenance is required from our end.
I'd rate the solution nine out of ten.
I'd rate the solution a nine out of ten.
We are a customer of Microsoft. During implementation, it's helpful to get the vendor engaged in the implementation. I'd rate the solution nine out of ten. It's good to go with a single-vendor strategy. I've recommended this product to others. The user experience should be the number one priority. Microsoft is working on this every day. It's very important to us that the user experience is maintained and there's no conflict between the products or connectors. Having one dashboard makes it easier for admins and businesses to be in touch, engage, and share. For example, my manager can see my reports even if he's not knowledgeable in the technology.
Do a proof of concept. It's really easy to set up and get started. You don't have to turn everything on to start. Do a small proof of concept, get familiar with it, and you'll see how easy it is. Does it help prioritize threats across the enterprise? The short answer is, "Yes, it does." The slightly longer answer is that it is not a set-and-forget solution. And no SIEM is. You do need to configure Sentinel and fine-tune it. I have a calendar reminder every two weeks to go back in and make sure the right analytics rules are in place and change the ones that need changing, et cetera. It does prioritize threats, but it's not an automatic process that you never have to worry about again. Sentinel's threat intelligence doesn't really help with proactive steps. The threat intelligence has indicators of compromise, such as IP addresses, URLs, and file hashes. They get detected, but that's not really proactive. Perhaps it's "proactive" in the sense that somebody else has figured out that those things are bad and let the system know. But Microsoft 365 Defender does the proactive part because it has threat intelligence in it. It will tell you, "A new threat that we have a report on seems to be targeting your type of client." That's proactive, but Sentinel isn't proactive. Meaning, if you read about a threat and then protect yourself before that threat reaches you, Sentinel doesn't really do that. In the debate about best-of-breed versus a single-vendor security solution, if you pick best-of-breed individual security solutions and you have to integrate them, now you're an integrator. And that is hard. It's not easy to integrate different security products. And that's why, at least for my clients, Sentinel and Microsoft 365 Defender have been a huge shift. They're so easy to integrate. My clients could license separate products and then try to integrate them to get the same level of integration, but that would never work.
It's ideal to go with a best-in-breed strategy rather than a single vendor. You need to know what is available in the market. Companies should be free to use any security tool that they consider to fit their needs. For companies considering Sentinel, they need to ensure a threat detection engineer will be available to manage their detection rules; you shouldn't enable all of them blindly. You may get value from Microsoft Sentinel, however, you need to continuously invest time and ensure everything is set up and working as expected. I'd rate the solution nine out of ten.
I would rate Microsoft Sentinel nine out of ten. While Microsoft Sentinel offers SIEM capabilities for security information and event management, it doesn't fully replace the need for a separate SOAR solution, which specializes in security orchestration, automation, and response. In addition to Microsoft Sentinel, I've also used IBM Security QRadar, which I believe is a superior solution because it functions as both a SIEM and SOAR, offering a more comprehensive approach to handling complex security processes. I advise taking the course before using Microsoft Sentinel to have a better understanding of the solution. I recommend trying Microsoft Sentinel.
Previously, it was a little bit difficult to find where an incident came from, including which IP address and which country. So in Sentinel, it's very easy to find where the incident came from since we can easily get the information from the dashboard, after which we take action quickly. Sentinel does provide me with the ability to set priorities on all the threats across your entire enterprise. So, it is very important because we were previously getting the service from the outside. It would be yes. Sentinel is a next-generation SOC. So, Sentinel also still develops some applications on Sentinel's site, so maybe in the next release, they will introduce a much more effective version for the company. I'm not sure how many companies use it right now. Maybe in the future, more companies will use Sentinel because its features are such that compared to the traditional SOC systems, they are not affected since the system is a cloud-based system. So it's easy to manage. Also, you don't need to care about it from an infrastructure point of view. Additionally, we don't need to take care of products, and we don't need to take care of maintenance. From a product point of view, we do not need to manage since we just need to focus on the incident event. Right now, we are using very traditional applications, so there is no use of native Microsoft applications right now. Sentinel enables me to ingest or collect data from my entire ecosystem, but not all of them, because some traditional applications cannot provide some data needed for export. It cannot allow you to get reports or logs from outside. It's a challenging point, so this might be an opportunity for us to change the traditional application. In traditional applications, and sometimes in IT systems, it might be very difficult to get data insight. In some cases, we need to change the application since, in traditional applications, you cannot get support. 
To fix it, you need to decide something, or maybe you need to decide on the application change. It might be an opportunity for you. But in the next-generation application, there is no problem. With a new application, you can easily integrate with Sentinel. In Sentinel, the negative point is just related to cloud applications. With cloud applications, maybe sometimes you cannot get data from the on-prem application. So if you use a cloud system, like Sentinel, which is a cloud system, then it's very easy. If you are using an on-prem system, Microsoft Sentinel sometimes may not be easy to integrate. Sentinel allows me to investigate threats and respond quickly and thoroughly from just one place. It accelerates our investigation, especially our event investigation and incident investigation. Using Sentinel, we take quick actions and get quick insights after its standard implementation. So it is time-efficient. Previously, we had no SOAR applications. In Sentinel, if you want to take action quickly, you need to create playbooks so that if something happens, you can just develop an application like a playbook in Sentinel so that if something happens, you can tell Sentinel to take action. You can freely create your own playbooks since it's very easy. In my opinion, this is the best feature of one product. Normally, you need to purchase two applications or two products. But in Sentinel, they combine everything together. This is the most beautiful feature for me. Sentinel helps automate routine tasks and helps automate the finding of high-value alerts. We do not need to create manual operations like when our system engineers see the incident and they do a system analysis. So after Sentinel, the system analysis is not done by anyone since Sentinel can already make decisions and then take action by itself. So at this point, there's no human power. Sometimes human power is needed, but maybe eighty percent or ninety percent of the time, there is no human power needed.
So, it has caused significant improvements in our entire company. Sentinel has helped eliminate having to look at multiple dashboards and giving us just one XDR dashboard. Previously, we had to check multiple dashboards, especially in relation to whether logs were coming and other things, like incidents and events. In Sentinel, you do not need to check many dashboards. So you are just designing one dashboard, and then, on the entire dashboard, you will see everything. So, it now saves time since previously there were multiple dashboards causing our engineers and our analysts to get confused at times. So they used to ask our managers to understand better. Currently, it is very easy to understand since one needs to check in on one dashboard, and there's no confusion among the engineers. But they do not need to ask anyone to understand. Apart from better understanding, it has improved our systems. From a security point of view, you need to go with multiple vendors, but this is a traditional system. But right now, if you want to create a good security system, you need to implement each product with one vendor. Because vendors currently state that, if you want to have a high-level security system, you need to implement each product on a security level from one vendor. Microsoft-level vendors offer many features, but people only just purchase or use one product, and that's all. It's not good for security infrastructure. So, you need to implement all security products from just one vendor. I think one vendor and the needed security products will be enough for a company. Sentinel is our next-generation SOC. Currently, I don't see any competitors at this level. I rate the overall solution a nine out of ten.
I rate the solution seven out of ten. Sentinel allows us to ingest data from our entire ecosystem, though we are attempting to integrate all our products. It can ingest and analyze all the data, but we aren't using this functionality to its fullest extent yet. My advice to someone considering the product is to use it. Start by integrating your primary applications, then slowly move on to others in descending order of importance.
I give Microsoft Sentinel a seven out of ten. It has good capabilities, including a large number of native connectors. It is a well-known brand, so it is likely that many third-party vendors will integrate with it in the future. This will give Sentinel a wider range of data sources to collect from. In terms of data connectors, I think Microsoft Sentinel is one of the better options available. However, some of its competitors, such as Splunk and SentinelOne, have better interfaces and support. They may also have some proprietary capabilities that Microsoft Sentinel does not offer. I believe that duplicating security measures is a good thing. It is also important to have redundancy in tools. If we have multiple tools that cover the same thing, we will have more eyes and visibility, and we will be able to remediate issues as they arise. Therefore, using multiple vendors, platforms, and consoles is the way to go. If we use only one tool for everything, it will be like a Swiss Army knife. We will definitely run into problems. I believe that we should avoid single points of failure at all costs. We should have redundancy in tools, but not just in tools. It is also beneficial for our team to all know the same tool or a specific suite.
You need to customize the kind of logs that you feed to Microsoft Sentinel. If you just plug in data connectors and don't do any customization and feed everything to Microsoft Sentinel, it will be very expensive in terms of cost. You only need the traffic that assists you in addressing security issues within your environment. You only need the information that gives you visibility to address security issues. Overall, I would rate Microsoft Sentinel an eight out of ten.
I give the solution an eight out of ten. The maintenance is completed by Microsoft. I recommend Microsoft Sentinel to others.
Many organizations leverage the MITRE ATT&CK framework. Within MITRE there are all kinds of tactics that could be brought to bear on any unsuspecting department or target. Or they align with something like OWASP. But with Sentinel, you're able to delineate what categories you want to prioritize. For anything web-based, because everything is based on APIs and is based on a web interface, you might want to prioritize OWASP-based threats. But if you look at things like APTs, advanced, persistent threats, and various bad actors that MITRE categorizes, that gives you a really good source of information in terms of what to prioritize. There are a lot of Microsoft security products: Defender for Cloud, Security Center, Azure Monitor. On the SaaS side, we leverage Compliance Manager. And within the dashboards for M365, you've got the ability to leverage policies. For some clients I've worked on, we have things like DLP policies, to prevent unauthorized exfiltration of data. But for IaaS, where Azure typically resides, Defender for Cloud is a big one. With the use of connectors, if you're looking to provide data telemetry from various services back into Sentinel to do threat-hunting, it is quite a straightforward process. If you're looking to look at things like logging and auditing and how storage accounts integrate, that's a bit more complex, but it's not rocket science. It's certainly quite feasible. Because they're all services incorporated into Azure, and into IaaS from a broader perspective, there's fairly straightforward integration. Everything is API driven. As long as you can take advantage of that within your dashboard and your admin center, you can enable them very simply through that. If you're looking for historical data through login auditing, it's a matter of parsing through some of that information to get some of those key nuggets of information. 
But the broader ability to spin up a bunch of services through Azure and have them communicate and work together to build a better security posture is very straightforward. Cloud platforms, whether Microsoft or AWS or Google, are always in flux. There are always services coming down the line, as well as updates or upgrades, and refinements to these services. Very rarely do you find a static service. When I look at the comprehensiveness of Sentinel from when I started to use it back in 2018 and through to early 2023, there have been a fair number of changes to the functionality of the tool. There are more connectors coming online all the time. It's evolving to make it more and more comprehensive in terms of what kind of information you can pull into Sentinel. It's more and more comprehensive as time goes on; the tool just improves.
I would recommend Microsoft Sentinel. It's always good to compare against other tools when it comes to the value, to get an idea of what you are paying for. Compare the market strategies and the new capabilities that are coming out and whether you're able to unlock the full capabilities or not. Double-check that. As for best-of-breed versus one vendor, you should stick with one vendor only and take whatever they gave.
We have created a logic app that creates tickets in our service desk. Whenever a ticket is raised, it is automatically assigned to one of the members of our SOC team. They investigate, or reverse-investigate, and track the incident. Every solution requires continuous maintenance. We cannot rely on AI/ML for everything. Whenever there is a custom requirement or we want to do something differently, we do sit with the team to create the required analytic rules, et cetera. It doesn't involve more than three to four people. In terms of the comprehensiveness of Sentinel when it comes to security, it plays a wide role in analysis, including geographical analysis, of our multiple sites. It is our centralized eye where we can have a complete analysis and view of our ecosystem. Go with a single vendor security suite if you have the choice between that and a best-of-breed strategy. It is better to have a single vendor for security in such a complex environment of multiple vendors, a vendor who would understand all the requirements and give you a central contact. And the SLA for response should be on the low side in that situation, as Microsoft, with its premium support, gives an SLA of an immediate callback, within two to three minutes of creating a ticket.
Before using Sentinel, I recommend reading the documentation and watching the YouTube Ninja Training channel. They go through all options for Sentinel. In addition, I recommend knowing KQL—it's a requirement—and how to automate tasks in Azure. Other than these points, Sentinel is easy to enter because if you have a native connector, it's just "next, next, next." But when you want to do customization, it can sometimes be hard to do what you want. When you look at going with a best-of-breed strategy versus a single vendor's security stack, it depends on the strategy of the customer. Sometimes, the customer prefers to get all its security products from a single vendor because they get discounts when they do that. Other customers prefer to have several vendors for security reasons. From my point of view, there is no correct answer. If I were responsible for the security of a company, I think I would prefer to use an all-Microsoft security stack because it's easier to interconnect the solutions and you get more information as a result.
Microsoft is proactive in helping you be ready for potential threats, but I'm not involved in that part. It's something my counterpart takes care of. But I have heard from them that it is proactive. We also use Microsoft's CASB solution, Microsoft Defender for Cloud, and Defender for Endpoint. There is some complexity when it comes to integration of Defender for Endpoint. This is the feedback I have submitted to Microsoft. When we do the integration of Defender for Endpoint, we have more than 12,000 machines, with different OSs. Onboarding all those machines into the environment is a challenge because of the large number of machines. Although it's not creating any kind of mess, compared with Sentinel or the CASB product, Defender for Endpoint is something Microsoft can work on to create an option where we don't need to onboard all these machines into Intune and then into Defender for Endpoint. If that step can be omitted, Defender for Endpoint will also be a good solution because it is also working on an AI basis. These Microsoft products do work together to deliver coordinated detection and response. We simultaneously get the benefits of all these products. We are also using Microsoft Defender for Cloud to see the security posture of our environment and it also has some great features. It helps us understand vulnerability issues and, on top of that, we get recommendations for resolving those issues. The security posture is based on the policies it has, as well as third-party CIS benchmarks that people are using in the backend to provide the recommendations. It's good. We have created an automation rule, but not directly using Defender for Cloud's bi-directional feature. The automation we have created is logic using a bidirectional aspect for Sentinel incidents. When we get incidents in Sentinel, we can trigger those same incidents in ServiceNow as well. We have a SOC team that manages our incident response plan and ServiceNow.
Once they take an action in ServiceNow, they don't need to go to Microsoft Sentinel again and take action on the incident. It will automatically reflect the action they have taken. Between best-of-breed versus a single vendor for security, Microsoft is on top. They are continuously enhancing their product and other cloud platforms don't have a direct SIEM solution. We need to customize other solutions every time if we want to opt for another cloud vendor. This is the advantage of Microsoft Sentinel at this point in time. I would recommend Microsoft Sentinel to anybody. I and my colleagues feel that Microsoft Sentinel is the number-one product for anyone considering something similar. We have other tools as well, but none compare with Sentinel.
I would rate this solution as nine out of ten. My advice is that colleagues who have worked on different solutions, whether on-premises or cloud, should use the Ninja training. Microsoft provides this training directly. It is publicly available and provides a better understanding of how to utilize the solution more effectively. I think it's ideal to go with different vendors across our environment rather than a single vendor for security purposes.
Having worked with the product and knowing the capabilities of the product, it is worth investing in a product that Microsoft has spent a great deal on integrating with the rest of its product stack. Now, we can argue how far along the third-party vendors are in terms of integration with the rest of the security landscape, but if you're a Microsoft house, there is literally no better solution right now in terms of integration and highlighting the best out of your investment. Of course, every use case is different, but I'm happy to look at any challenge in terms of what a third-party solution can bring and what they reckon Sentinel can't. My advice to others evaluating the solution is that Sentinel isn't a silver bullet solution. It is not something you deploy and set up, and it is going to work 100% well and you're going to be happy. There is going to be some upfront investment. You're going to have to spend some time getting the product in place and getting it configured to your needs. To showcase in a PoC environment is quick and easy, but to realize real-world day-to-day benefits from this product, there is going to be some investment. Keep that in mind. If you're willing to spend that time upfront within the first couple of days or a couple of weeks of you deploying the solution, you'll immediately realize the benefit, but you have to have that mindset. It is not going to just be next, next, next, where it is deployed, and congratulations, you are now secure. That's never going to be the case, but after spending a bit of time on this product, there is nothing it can't do. I want to give it a 10 out of 10 just because I'm very passionate about this product. I've seen it grow from a very basic SIEM solution to a fully fledged SIEM/SOAR solution. Some of the capabilities that are built in right now make my day so much easier. Overall, it is a brilliant product, and I love what Microsoft is doing to it. It is a great product.
My advice is to start out with a little bit of data and build on top of that. Don't enable too many data connectors in the beginning. Get familiar with the product, and remember to work with Sentinel every day. That's the only way the product gets better. It comes with some out-of-the-box analytics, but to get the full and best usage out of it, you have to really keep developing it with hunting queries, analytics, et cetera. The visibility provided by the built-in analytics rules, what they detect, is rather good, but Microsoft Sentinel requires ongoing work. It helps automate routine tasks as well, but that's not something that comes "for free." It also requires ongoing work. Threat intelligence is something that you must be more than just a novice in Sentinel to make use of. Overall, I find Sentinel to be a really strong solution. Sentinel is where you can see the overall security status of your company. I really enjoy working with Microsoft Defender and the entire suite, combined with Microsoft Sentinel.
I would rate this solution eight out of ten. It's heading in the right direction, but it's already pretty good and mature. If a security colleague said it's better to go with the best-of-breed strategy rather than a single vendor security suite, I would understand that completely. Some people see tying yourself into a single vendor as a vulnerability. It's not quite spread out, but I think you can manage a single vendor security solution if you have a good relationship with the vendor and you really leverage your connections within that business. It's good to diversify your products and make sure that you have a suite of products available from different companies and that you use the best that's available. In terms of this technology stack, it's pretty good for what it does. My advice is to really focus on what's possible and what you could do with the SIEM. There are a lot of features that don't get used and maximized for their purpose from day one. It takes a couple of months to properly deploy the solution to full maturity.
I recommend implementing Sentinel because it's certainly the most powerful SIEM tool. It detects all malware based on the behavior of many things, including the files and anomalies. It detects things automatically.
Always record your KQL queries and stick to the basics.
If you have the funds, I would recommend it. I think the pricing is important; it's quite expensive, but if you have that, I think I would recommend it. The advice is to think carefully about what data you send to the platform because it is costly. The price is data-driven, so make sure you know how much data you will send and that you only send what is required. That, I believe, is the key point. We are Microsoft partners. I would rate Microsoft Sentinel a seven out of ten.
We are a gold customer. I would recommend the product if it made sense for an individual company's use case. For the people who are on the cloud, I would suggest they go for Sentinel regardless of any other SIEM. It will do a good integration with other solutions, and with other cloud providers while providing a holistic view as well. I'd rate the solution an eight out of ten.
Because it is mainly artificial intelligence and machine learning, you would need some time to learn it. It is a good solution, and it is straightforward. I would rate it a six out of 10. I haven't really dealt with other ones.
If you're using the cloud and Azure, I would really recommend Sentinel as it will keep making sure that the devices that you have in your environment are safe. Sentinel is very smart at detecting what type of attack is occurring and is actually able to detect and tell us the type of hash file. It is able to go on the internet, look at VirusTotal, and see if this is a virus, scam, or phishing. I like how it's able to detect it and how we can make it learn what type of spam or email issue query it is. So, it's a very adaptive type of tool. I would rate Microsoft Sentinel at ten on a scale from one to ten.
The solution is great. As far as the product itself is concerned, not the pricing, I would rate it as nine out of 10. Including pricing, I would rate the product as five to six out of 10.
The company I work with now is a Microsoft partner. It's a very, very powerful tool that I recommend to my customers. I work as a consultant. I advise customers. I do not sell it directly. It's something that organizations should use. I would advise people to use it. It doesn't look into only your Azure environment. It spans other cloud solution providers. I'd rate the solution at a ten out of ten.
If you are purely on Azure, Sentinel is the way to go. Also, it easily works with on-premise workloads from what I have been able to determine. When I look at connectors, it integrates with other cloud providers. I see it integrates with GCP. I would rate Sentinel as seven out of 10.
Personally, I like the tool. From a SOC perspective, the visibility into government operations in particular is key, and I'm seeing a lot of advanced usage of it for some of my clients. The federal government, here in Canada, has primarily centralized on Azure as opposed to AWS. That's because most of these departments also have SaaS environments that are M365-centric. As a result, because they are already Microsoft on the SaaS side, a lot of departments maintain that Microsoft synergy, even if, in my opinion, AWS is a better platform. As a cloud SIEM, I would rate Sentinel at an eight out of 10. The only reason I'm not ranking it higher is that, as I said, there is some complexity with it. You have to tweak the service to get the outputs you want, by doing things like creating workbooks or rules for Sentinel, doing the threat-hunting, setting up the connectors, the log analytics, and workspaces. There's a lot of "heavy lifting" done to get Sentinel into a state where you can effectively use it. But as far as the actual outputs are concerned, if you know what you're doing with the queries, Sentinel is a great tool. Microsoft offers training around Sentinel. In our region, among the support guys that deal with the government departments and agencies, there are some Sentinel subject matter experts available. And when more advanced knowledge is needed, Microsoft can provide what are called "support ninjas." They have more advanced knowledge and can be flown in from wherever. There are a lot of opportunities to learn how to properly use Sentinel's tools. Once you get that familiarity, Sentinel is a valuable tool for your cloud security posture.
This is a product that I highly recommend, for all of the positives that I've mentioned. The transition from an on-premises to a cloud-based SIEM is something that I've actually done, and it's not overly complicated. It doesn't have to be a complex migration, which is something that a lot of companies may be reluctant about. Overall, this is a good product but there are parts of Sentinel that need improvement. There are some things that need to be more adaptable and more versatile. I would rate this solution a nine out of ten.
We see that a lot of clients are trying to explore more apart from Azure. Some of the clients are interested in Splunk. Some of the clients are interested in seeing what's available from AWS. This year is quite different in Malaysia because the government has opened up the adoption of public cloud in all sectors, especially in the financial sector. So, we are seeing new requirements coming up. I would rate Azure Sentinel a seven out of 10.
It is fairly new but making a charge up the market analyses. It should be considered if you have an E5 licence due to native and 'free' ingestion of M365 logs. We haven't used all of its capability yet because we haven't had the time yet to implement it all, and it appears that the MS roadmap for Sentinel is being actively invested in.
Azure Sentinel is actually quite handy, and very adaptive to the market trends. Anyone who is looking for the same store, creating their complete security solution for their enterprise, for the effective security solution, and for data integration, must go with Azure Sentinel as they are going to get everything in one place. I would rate Azure Sentinel at an eight on a scale of ten.
We're using the latest version of the solution. Choosing this solution was a management decision. Due to cost-effectiveness, they opted for Azure Sentinel. Whether this product would work for another organization or not depends on the company's requirements. As it is still very early in terms of our experience with the solution, I would rate the product at a six out of ten.
If it's a security integrator like us, quite often people push the client into buying different vendors' products when the client already has the tool in-house. Microsoft is one of those tools that most clients already have. Many vendors, or integrators, that we know of are not familiar with Microsoft Sentinel product classification security. So that's one thing I would encourage both potential customers and users to do: look into what suite of products they have with their existing Microsoft accounts. Also, the integrators should be quite familiar with all the things that are available to their clients, so they don't have to invest tons of money in other tools. Based on having no complaints, I would rate Azure Sentinel an eight out of ten.