We started using Microsoft Sentinel one year ago. We are still piloting the environment because we are transitioning towards cloud solutions with Microsoft Intune. Until now, we have been using third-party products, but due to requirements to have stronger security in the cloud, not only on the client endpoint side, we are moving to Microsoft Sentinel. Our focus is on strengthening cloud security as well as client endpoints. Microsoft Sentinel is used to substitute our Splunk solution, covering the security of main Azure services such as Entra ID and automating threat protection for client sites and endpoints.
The primary use case of Microsoft Sentinel is for user and entity behaviors, detecting unauthorized access to services, identifying malicious IP addresses, and preventing brute force attacks on services. These are generic security use cases.
In our Security Operations Center, we rely on Microsoft Sentinel for continuous security monitoring. We collect logs from various customer environments and define security use cases with correlation rules to analyze activities. These rules leverage predefined criteria to identify potential malicious behavior. Microsoft Sentinel serves as our central platform for security monitoring, investigation, and remediation of security threats detected through alerts. The biggest challenge in security monitoring is managing the vast amount of logs generated daily from various devices like web servers and firewalls. Microsoft Sentinel tackles this by collecting all logs in a central location and allowing us to define rules. Using its query language, we can search across these logs for specific conditions, like malicious activity. If a suspicious event is identified, Sentinel generates an immediate security alert, enabling our team to investigate and take appropriate action to stop potential attacks.
Security Ops Management at a manufacturing company with 1,001-5,000 employees
Real User
Nov 10, 2023
My role thus far has been to integrate security log sources into the platform. This includes developing or troubleshooting some of the data connectors for different sources, such as web application firewall interfaces. Sentinel is a SOAR platform. It represents the next generation beyond traditional SIM and SIEM platforms. Its powerful SOAR functionality orchestrates and automates responses to security events, eliminating the need for manual intervention. Instead of relying on human analysts to monitor events and react, Microsoft Sentinel leverages pre-defined automation rules. These rules correlate relevant events, generating a holistic understanding of the situation. Based on this analysis, automated responses are triggered, expediting the resolution process and eliminating any delays associated with manual identification and decision-making.
I use the solution to ensure proper security analytics and threat intelligence across the enterprise. The tool helps me to know the type of attack detection that happens and the kind of visibility, proactive hunting, and threat response we have.
Cyber Security Engineer at a tech services company with 51-200 employees
Real User
Oct 31, 2023
Microsoft Sentinel serves as a centralized hub for collecting and analyzing logs from various Microsoft tools and other sources. It eliminates the need to develop custom toolsets for detecting malicious activities across different Microsoft tools. Instead, Microsoft Sentinel provides standardized rules and playbooks to streamline the process of identifying and responding to potential threats. For instance, consider a scenario where an employee clicks on a phishing link in an email, leading to the installation of malware on their system. While the endpoint detection and response tool on the endpoint might not detect malicious activity, Microsoft Sentinel, acting as a central log collector, receives the EDR logs and triggers an event based on pre-defined rules. Upon detecting the suspicious activity, Microsoft Sentinel automatically executes a playbook, which may involve actions such as killing the malicious process or isolating the affected endpoint. This automated response helps expedite threat containment and reduces the burden on security analysts.
Integrator, Microsoft Security Advisor at Hitachi Data Systems
Real User
Sep 15, 2023
The usual use cases would be starting from scratch, implementing Sentinel for clients, onboarding log sources, building analytical use case rules, and supporting the platform for operations.
I'm an IT consultant, and I use Sentinel with two of my clients to monitor all their security signals and get alerts when things are happening that might be suspicious.
Threat Detection Engineer at a healthcare company with 10,001+ employees
Real User
Aug 15, 2023
We primarily use the solution for security purposes, to record events, and generate alerts, so that our security team can review the items and take proper action. We work jointly with an MSSP, we have about 14 people working on a 24/7 schedule, around 25 people might use our Sentinel workspace regularly, and more than 40 people benefit directly from the output of this solution.
SOC Analyst at a tech services company with 501-1,000 employees
Real User
Aug 7, 2023
Our team uses Microsoft Sentinel to monitor all security incidents. Security analysts working the intake process configure rules that trigger alerts based on specific criteria and route them to the appropriate team based on the event ID. This unified view within Sentinel allows me to investigate each incident, tracing its origin, path, and endpoint. By analyzing the information gathered, I can then determine whether the alert is a true positive or a false positive.
We are using Microsoft Sentinel for our traditional SOC. So previously, we had multiple products, like VM products, log analytics products, and analysts. We are making so much effort to analyze incidents and events in the security operation center, after which we decide whether it's an incident or an event, and we take action. After Sentinel's implementation, it would be much better and much simpler. For instance, we can now save much more time since in Sentinel, there is artificial intelligence, so the system will decide for you instead of a human. The system will learn what kind of thing you should take action on, and it will save some time since you do not need much human power. In traditional SOC systems, there were three or four people. But in Sentinel, it's much easier, and you do not need so many people in the SOC. So you will save time and keep it cost-effective.
IT Senior Systems Administrator at Dubai Developments
Real User
May 17, 2023
We primarily use the solution for analyzing logs, such as those from Azure AD. We have it integrated with Microsoft 365 and plan to integrate it with our firewalls so we can analyze those logs too. So, our main uses are for log analysis and to check for vulnerabilities in our system. We use more than one Microsoft security product; we also use Defender for Cloud.
Senior Cyber Security Operations Analyst at a financial services firm with 5,001-10,000 employees
Real User
May 9, 2023
We use it for security. It's at the forefront of managing the security within our organization. We use the platform as our main SIEM for enterprise security whereby we have several tools that feed into Microsoft Sentinel and then from there, we have the use cases. It's a major tool for security monitoring within the enterprise.
Our organization is a service company, therefore, we are proposing Microsoft Sentinel as an MSSP solution to our clients. Additionally, we are offering other solutions with Microsoft Sentinel. We have integrated Microsoft Sentinel with MISP, an open source intelligence trading platform, to create a deluxe solution. Furthermore, we use the five-year tool in conjunction with Microsoft Sentinel. We pitched the solution for BFSI, healthcare, and ONG sectors. The solution can be deployed based on the client's requirements.
Our use cases range from more complex configurations, looking at things like playbooks, workbooks, and threat-hunting, for which we rolled out architectures in some departments in the Government of Canada, to a more streamlined functionality and looking at things from a correlation perspective. We work in tandem with a couple of departments that have products called cloud sensors and those sensors feed telemetry into Sentinel. In its simplest form, we're using it for the ingestion of all that telemetry and looking for anomalies. The anomalous behavior can include anonymous IPs and geolocation that might indicate bad actors are trying to access a system. If I'm located in Ottawa, Ontario and somebody from Russia is trying to access our tenant, that's going to be pretty suspicious. Just like the US government has FedRAMP, there is a similar approach, here, for the Government of Canada where the funding for projects takes a cloud-first approach. Most of the departments in the government are now on some kind of cloud journey. When I look at the various projects I've worked on, every single one, to some degree, has an IaaS in Azure environment, and most of those deployments incorporate Sentinel and the log analytics workspace into the solution.
When Exchange email is outside the domain, we have found sometimes that there are phishing emails. With the help of Microsoft Defender only, without Sentinel, we would not be able to track them. A couple of times data was compromised. With Sentinel, what we have done is integrate Microsoft Endpoint for Defender, M365 Defender, and our Exchange Online for all the email communications in and out.
Consultant Expert Microsoft at a tech services company with 1,001-5,000 employees
Real User
Nov 11, 2022
My customers mainly want to correlate logs so that they have a single point for their log information. In addition to correlating logs, they want to automate tasks. Microsoft Sentinel is just a "watch tower" to get all the logs and manage threats. After that, you have the Microsoft Defender products that help to reduce threats. For example, Microsoft Defender for Endpoint is an anti-virus and EDR that helps to eliminate threats on devices such as laptops and smartphones. Microsoft Defender for Office 365 enables protection for Teams, Mail, or SharePoint, and Microsoft Defender for Identity helps to reduce risk on Active Directory or Azure AD. So Microsoft Defender products are the tools for reducing threats, and Microsoft Sentinel is the tool for analyzing incidents and threats.
I'm using it as a SIEM solution. If I consider the leading clouds, especially Google and Amazon, so we don't have a dedicated SIEM solution available in either and we have to create a SIEM solution by using the native services of those clouds. But Microsoft Sentinel gives us an opportunity to use a direct SIEM solution. I have clients from different regions and they already have environments on the cloud with various vendors, as well as on-prem. The problem they came to me with was that they wanted to secure their environments. They wanted to monitor all the vulnerability management, patches, and vulnerability scans in a single place. They have third-party data sources that they wanted to monitor things in a single dashboard. I suggested they use Microsoft Sentinel because it can integrate many third-party vendors into a single picture. Those are the kinds of scenarios in which I suggest that my clients use Microsoft Sentinel.
Senior Cyber Security Consultant at a financial services firm with 10,001+ employees
Real User
Oct 8, 2022
I'm currently using this solution for monitoring our SOC. I also implement Sentinel for clients. We use Defender for Cloud, Defender for Endpoint, Defender for Office 365, and Defender for Identity. They were easy to integrate. It's necessary to understand the background of the data source to integrate the devices into Sentinel. If it is cloud-based, we can utilize the GeoLogic app or Azure function to integrate the log sources or use the slot method. These solutions work natively together to deliver coordinated detection and response across our enterprise. We have different EDR solutions in our environment, and we have integrated them with Sentinel. We directly monitor all of the other security devices from Sentinel. I haven't seen many issues with integrating different products. We can set a robust error detection mechanism. If there are some issues while integrating the logs, we can do automated alerting and easily troubleshoot any issues. There are no issues with integrating multiple-location firewalls. We have Sentinel deployed in the US and other geolocations. There are between 15 to 20 people using this solution in my team. The solution is deployed on the cloud.
Senior Cloud Infrastructure Consultant at a tech services company with 201-500 employees
Consultant
Sep 3, 2022
We needed a SIEM solution that could integrate with our Microsoft 365 stack. Being a Microsoft product, that was the first SIEM we looked at, and we haven't looked back. We're still growing with the product over the last couple of years. It is phenomenal. We're mainly focused on the cloud, but one of our selling points is that you can integrate with on-prem. We push to get the Azure Arc implementation done on top of Sentinel so that we can ingest data from your on-prem environment into Azure Monitor, which is then exposed to Sentinel. That's how we drive that integration, but we mainly have the cloud. We have 80% cloud and 20% on-prem.
Consultant at a tech services company with 11-50 employees
Real User
Aug 23, 2022
Microsoft Sentinel is basically a major log, on top of which you can build queries that can analyze the data you get. It's used to build up security operations centers. In addition, it is a SIEM and SOAR solution.
SIEM Engineer at a tech services company with 501-1,000 employees
Real User
Aug 8, 2022
We use Microsoft Sentinel to monitor many different environments for cybersecurity incidents, and we use it as our main alerting tool to let us know when this activity happens. It also interfaces with all of our other Defender products, such as Defender for Office 365, Defender for Endpoint, et cetera. Almost all of our solutions are based in Azure. We use Defender for Endpoint, Defender for Office 365, Defender for cloud, Sentinel, and Azure Active Directory Identity Protection. I use the latest version of Sentinel. Sentinel is mostly used within our security operations center and our security team. We have about 50 endpoint users.
We use it to protect our Office 365 environment. We can also deploy it for the entire infrastructure, including on-premises, firewalls, and also users' devices. I'm a partner with many customers using Sentinel. Some are small companies but I also have many banks that have implemented the solution.
We use Microsoft Sentinel for providing managed services and for security use cases, which include detecting anomalies or security events and collecting security events from various data sources.
Cyber Security Engineer at a performing arts with 1,001-5,000 employees
Real User
Feb 17, 2022
It is for tracking the logs. I'm working on automation. So, the use case basically includes logs, incidents, automation, UEBA, and endpoint integration with Office 365 Defender.
We actually use it for queuing logs and checking log systems that we have downloading from other devices to see if there are any issues. For example, if we get an alert, then we triage it and query the logs and the devices that we're looking for.
We work as a managed security services provider (MSSP). We have different clients who have their own security team. One company that I worked for recently had a security team of three people, then they hired us for 24/7 analysis and monitoring. For that, I solely worked on building this product, then there are the eight to nine people who do 24/7 monitoring and analysis. Sentinel is a full-fledged SIEM and SOAR solution. It is made to enhance your security posture and entirely centered around enhancing security. Every feature that is built into Azure Sentinel is for enhancing security posture.
Azure Sentinel is a SIEM solution. It offers security information on an event management solution and also security orchestration automation response. It actually looks into events coming into your environment and events from a lot of sources, or whatever you might have in your network. There are a lot of events and logs generated by all of these resources - sometimes in the thousands or millions. Azure Sentinel helps you investigate a lot of these logs faster. It uses artificial intelligence, called threat intelligence, to look into all the events that might be coming into your environment. For example, on a daily basis, you might be receiving two million events coming from all the resources you have, including your users. If you're a very big enterprise and you have thousands of users, there are logs coming in from each of these users. You also have some resources, such as your web application, virtual machine, and a lot of your resources that span across both Azure AWS, GCP, and other solution providers like Sophos, Fortinet, Cisco, and your on-premise environment. You can get all these logs together with this.
Cloud and DevOps Architect at a financial services firm with 11-50 employees
Real User
Oct 25, 2021
On Azure, we have workloads on virtual machines, Kubernetes clusters, and SQL Servers. The way Sentinel works is that logs from our Kubernetes services, virtual machines, and database servers go into what is called Log Analytics on Azure. Log Analytics connects to Azure Sentinel, then all the logs move from the resources to Log Analytics down to Sentinel. Sentinel is configured to do some form of threat detection on these logs. For example, there is a firewall log connected to Log Analytics. Sentinel looks at those firewall logs for repeated IPs that are trying to either do an attack on our system or get access into our system. There is some form of machine learning and AI implemented in it to be able to tell us which particular IP address is trying to do this.
It is a tool for compliance for us. Every department and agency in the government is trying to get to the cloud as fast as they can. Because of that, there's a lot of SA&A work, service authorization and accreditation. In that, you're assessing the environment against a set of controls. We use Sentinel to provide us with a core piece of evidence that ensures these environments are compliant.
Azure Sentinel is a next-generation SIEM, which is purely cloud-based. There is no on-premises deployment. We primarily use it to leverage the machine learning and AI capabilities that are embedded in the solution.
Director - Technology Risk & Cyber at a financial services firm with 10,001+ employees
Real User
Aug 23, 2021
We internally do not use this solution. We provide advisory for Azure Sentinel because we are Microsoft's partner. Our clients use it for Security Operations Centers. Some of the clients wish to build a Security Operation Center. They want to perform threat analysis and see that the environment is secure and monitor it. That's why we deploy SIEM solutions. In terms of deployment, what we see here in Asia, specifically in Malaysia, are hybrid and public cloud deployments.
Senior Microsoft 365 Consultant at The Collective Consulting
Real User
Jun 18, 2021
We are running an MDR service for our customers and use Azure Sentinel as the SIEM product to allow us to have an overview of all our customers, but also to easily push configurations to different customers. We use Azure Sentinel as an alert aggregator to import all of the incidents/alerts from the different (Microsoft) security products in order to have a single pane of glass. On top of that, we create our own custom Analytics Rule that can be used to add our own added value. This enables us to create our own IP to protect customers.
We use it on a public cloud. We have integrated Azure Lighthouse with Azure Sentinel Security. By integrating all of these, Azure Security Center and Azure Defender, we are providing an MSSP platform to our customers.
SOC Analyst at a wholesaler/distributor with 10,001+ employees
Real User
Feb 12, 2021
The primary use case is the same use case as Splunk. Requirements differ. We're still doing fine-tuning. However, lots of users are added to its security group to note activities.
We require a comprehensive, scalable solution for cyber threat protection.
We use it for our security operations center. We have private and multi-cloud environments.
We primarily use the solution for security operations.
We have possible use cases for the solution. We have ten or 12 different use cases under this solution.
We use Microsoft Sentinel for log aggregation, data connectors, and alerts.
We use it for security. It's at the forefront of managing the security within our organization. We use the platform as our main SIEM for enterprise security whereby we have several tools that feed into Microsoft Sentinel and then from there, we have the use cases. It's a major tool for security monitoring within the enterprise.
Our organization is a service company, therefore, we are proposing Microsoft Sentinel as an MSSP solution to our clients. Additionally, we are offering other solutions with Microsoft Sentinel. We have integrated Microsoft Sentinel with MISP, an open source intelligence trading platform, to create a deluxe solution. Furthermore, we use the five-year tool in conjunction with Microsoft Sentinel. We pitched the solution for BFSI, healthcare, and ONG sectors. The solution can be deployed based on the client's requirements.
Our use cases range from more complex configurations, looking at things like playbooks, workbooks, and threat-hunting, for which we rolled out architectures in some departments in the Government of Canada, to a more streamlined functionality and looking at things from a correlation perspective. We work in tandem with a couple of departments that have products called cloud sensors and those sensors feed telemetry into Sentinel. In its simplest form, we're using it for the ingestion of all that telemetry and looking for anomalies. The anomalous behavior can include anonymous IPs and geolocation that might indicate bad actors are trying to access a system. If I'm located in Ottawa, Ontario and somebody from Russia is trying to access our tenant, that's going to be pretty suspicious. Just like the US government has FedRAMP, there is a similar approach, here, for the Government of Canada where the funding for projects takes a cloud-first approach. Most of the departments in the government are now on some kind of cloud journey. When I look at the various projects I've worked on, every single one, to some degree, has an IaaS in Azure environment, and most of those deployments incorporate Sentinel and the log analytics workspace into the solution.
When Exchange email is outside the domain, we have found sometimes that there are phishing emails. With the help of Microsoft Defender only, without Sentinel, we would not be able to track them. A couple of times data was compromised. With Sentinel, what we have done is integrate Microsoft Endpoint for Defender, M365 Defender, and our Exchange Online for all the email communications in and out.
My customers mainly want to correlate logs so that they have a single point for their log information. In addition to correlating logs, they want to automate tasks. Microsoft Sentinel is just a "watch tower" to get all the logs and manage threats. After that, you have the Microsoft Defender products that help to reduce threats. For example, Microsoft Defender for Endpoint is an anti-virus and EDR that helps to eliminate threats on devices such as laptops and smartphones. Microsoft Defender for Office 365 enables protection for Teams, Mail, or SharePoint, and Microsoft Defender for Identity helps to reduce risk on Active Directory or Azure AD. So Microsoft Defender products are the tools for reducing threats, and Microsoft Sentinel is the tool for analyzing incidents and threats.
I'm using it as a SIEM solution. If I consider the leading clouds, especially Google and Amazon, so we don't have a dedicated SIEM solution available in either and we have to create a SIEM solution by using the native services of those clouds. But Microsoft Sentinel gives us an opportunity to use a direct SIEM solution. I have clients from different regions and they already have environments on the cloud with various vendors, as well as on-prem. The problem they came to me with was that they wanted to secure their environments. They wanted to monitor all the vulnerability management, patches, and vulnerability scans in a single place. They have third-party data sources that they wanted to monitor things in a single dashboard. I suggested they use Microsoft Sentinel because it can integrate many third-party vendors into a single picture. Those are the kinds of scenarios in which I suggest that my clients use Microsoft Sentinel.
I'm currently using this solution for monitoring our SOC. I also implement Sentinel for clients. We use Defender for Cloud, Defender for Endpoint, Defender for Office 365, and Defender for Identity. They were easy to integrate. It's necessary to understand the background of the data source to integrate the devices into Sentinel. If it is cloud-based, we can utilize the GeoLogic app or Azure function to integrate the log sources or use the slot method. These solutions work natively together to deliver coordinated detection and response across our enterprise. We have different EDR solutions in our environment, and we have integrated them with Sentinel. We directly monitor all of the other security devices from Sentinel. I haven't seen many issues with integrating different products. We can set up a robust error detection mechanism. If there are some issues while integrating the logs, we can do automated alerting and easily troubleshoot any issues. There are no issues with integrating multiple-location firewalls. We have Sentinel deployed in the US and other geolocations. There are between 15 and 20 people using this solution in my team. The solution is deployed on the cloud.
We needed a SIEM solution that could integrate with our Microsoft 365 stack. Being a Microsoft product, that was the first SIEM we looked at, and we haven't looked back. We're still growing with the product over the last couple of years. It is phenomenal. We're mainly focused on the cloud, but one of our selling points is that you can integrate with on-prem. We push to get the Azure Arc implementation done on top of Sentinel so that we can ingest data from your on-prem environment into Azure Monitor, which is then exposed to Sentinel. That's how we drive that integration, but we mainly have the cloud. We have 80% cloud and 20% on-prem.
Microsoft Sentinel is basically a major log, on top of which you can build queries that can analyze the data you get. It's used to build up security operations centers. In addition, it is a SIEM and SOAR solution.
We use Microsoft Sentinel to monitor many different environments for cybersecurity incidents, and we use it as our main alerting tool to let us know when this activity happens. It also interfaces with all of our other Defender products, such as Defender for Office 365, Defender for Endpoint, et cetera. Almost all of our solutions are based in Azure. We use Defender for Endpoint, Defender for Office 365, Defender for Cloud, Sentinel, and Azure Active Directory Identity Protection. I use the latest version of Sentinel. Sentinel is mostly used within our security operations center and our security team. We have about 50 endpoint users.
We use it to protect our Office 365 environment. We can also deploy it for the entire infrastructure, including on-premises, firewalls, and also users' devices. I'm a partner with many customers using Sentinel. Some are small companies but I also have many banks that have implemented the solution.
We use it to monitor the cloud for any security issues. We are using it as a SIEM for our cloud workspace.
We use Microsoft Sentinel for providing managed services and for security use cases, which include detecting anomalies or security events and collecting security events from various data sources.
We primarily use the solution for the surrounding management.
It is for tracking the logs. I'm working on automation. So, the use case basically includes logs, incidents, automation, UEBA, and endpoint integration with Office 365 Defender.
We actually use it for queuing logs and checking log systems that we have downloaded from other devices to see if there are any issues. For example, if we get an alert, then we triage it and query the logs and the devices that we're looking for.
We work as a managed security services provider (MSSP). We have different clients who have their own security team. One company that I worked for recently had a security team of three people, then they hired us for 24/7 analysis and monitoring. For that, I solely worked on building this product, then there are the eight to nine people who do 24/7 monitoring and analysis. Sentinel is a full-fledged SIEM and SOAR solution. It is made to enhance your security posture and entirely centered around enhancing security. Every feature that is built into Azure Sentinel is for enhancing security posture.
Azure Sentinel is a SIEM solution. It offers security information and event management and also security orchestration, automation, and response. It actually looks into events coming into your environment and events from a lot of sources, or whatever you might have in your network. There are a lot of events and logs generated by all of these resources, sometimes in the thousands or millions. Azure Sentinel helps you investigate a lot of these logs faster. It uses artificial intelligence, called threat intelligence, to look into all the events that might be coming into your environment. For example, on a daily basis, you might be receiving two million events coming from all the resources you have, including your users. If you're a very big enterprise and you have thousands of users, there are logs coming in from each of these users. You also have some resources, such as your web application, virtual machine, and a lot of your resources that span across Azure, AWS, GCP, and other solution providers like Sophos, Fortinet, Cisco, and your on-premise environment. You can get all these logs together with this.
On Azure, we have workloads on virtual machines, Kubernetes clusters, and SQL Servers. The way Sentinel works is that logs from our Kubernetes services, virtual machines, and database servers go into what is called Log Analytics on Azure. Log Analytics connects to Azure Sentinel, then all the logs move from the resources to Log Analytics down to Sentinel. Sentinel is configured to do some form of threat detection on these logs. For example, there is a firewall log connected to Log Analytics. Sentinel looks at those firewall logs for repeated IPs that are trying to either do an attack on our system or get access into our system. There is some form of machine learning and AI implemented in it to be able to tell us which particular IP address is trying to do this.
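The repeated-IP firewall detection this reviewer describes, written out as an added KQL analytics query (example code, not the reviewer's own rule). It assumes the firewall forwards CEF events into the standard Sentinel `CommonSecurityLog` table; the thresholds are illustrative and should be tuned to the environment's own baseline.

```kql
// Added example: flag source IPs that a firewall denied repeatedly in the last hour.
// Assumes CEF firewall logs land in CommonSecurityLog (standard Sentinel schema);
// lookback and thresholds are constructed values, not tuned for any real tenant.
let lookback = 1h;
let threshold = 50;      // denied connections per source IP before we raise an alert
let min_ports = 5;       // distinct destination ports hit, to separate scans from simple retries
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where DeviceAction in~ ("deny", "drop", "block", "reject")
| where isnotempty(SourceIP)
// Uncomment to focus on external sources only; internal scanning is often worth keeping.
// | where not(ipv4_is_private(SourceIP))
| summarize
    DeniedCount      = count(),
    DistinctDstHosts = dcount(DestinationIP),
    DistinctDstPorts = dcount(DestinationPort),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated),
    Vendors          = make_set(DeviceVendor, 5)
  by SourceIP
| where DeniedCount >= threshold and DistinctDstPorts >= min_ports
// Rough severity banding so the incident queue sorts the noisiest sources first.
| extend Severity = case(DeniedCount >= threshold * 10, "High",
                         DeniedCount >= threshold * 3,  "Medium",
                         "Low")
| project SourceIP, DeniedCount, DistinctDstHosts, DistinctDstPorts,
          FirstSeen, LastSeen, Vendors, Severity
| order by DeniedCount desc
```

Saved as a scheduled analytics rule with `SourceIP` mapped to the IP entity, each row becomes an incident that can be investigated or handed to a playbook.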
It is a tool for compliance for us. Every department and agency in the government is trying to get to the cloud as fast as they can. Because of that, there's a lot of SA&A work (service authorization and accreditation). In that, you're assessing the environment against a set of controls. We use Sentinel to provide us with a core piece of evidence that ensures these environments are compliant.
Azure Sentinel is a next-generation SIEM, which is purely cloud-based. There is no on-premises deployment. We primarily use it to leverage the machine learning and AI capabilities that are embedded in the solution.
We internally do not use this solution. We provide advisory for Azure Sentinel because we are Microsoft's partner. Our clients use it for Security Operations Centers. Some of the clients wish to build a Security Operation Center. They want to perform threat analysis and see that the environment is secure and monitor it. That's why we deploy SIEM solutions. In terms of deployment, what we see here in Asia, specifically in Malaysia, are hybrid and public cloud deployments.
We are running an MDR service for our customers and use Azure Sentinel as the SIEM product to allow us to have an overview of all our customers, but also to easily push configurations to different customers. We use Azure Sentinel as an alert aggregator to import all of the incidents/alerts from the different (Microsoft) security products in order to have a single pane of glass. On top of that, we create our own custom Analytics Rule that can be used to add our own added value. This enables us to create our own IP to protect customers.
Security incident and event management. Threat detection and automated response. It is a software as a service from Microsoft.
We use it on a public cloud. We have integrated Azure Lighthouse with Azure Sentinel Security. By integrating all of these, Azure Security Center and Azure Defender, we are providing an MSSP platform to our customers.
The primary use case is the same use case as Splunk. Requirements differ. We're still doing fine-tuning. However, lots of users are added to its security group to note activities.
We are security system integrators.