Microsoft Sentinel Reviews

On Azure, we have workloads on virtual machines, Kubernetes clusters, and SQL Servers. The way Sentinel works is that logs from our Kubernetes services, virtual machines, and database servers go into what is called Log Analytics on Azure. Log Analytics connects to Azure Sentinel, then all the logs move from the resources to Log Analytics down to Sentinel. Sentinel is configured to do some form of threat detection on these logs. For example, there is a firewall log connected to Log Analytics. Sentinel looks at those firewall logs for repeated IPs that are trying to either do an attack on our system or get access into our system. There is some form of machine learning and AI implemented in it to be able to tell us which particular IP address is trying to do this. 

It is mainly used for securing our platform. As the infrastructure person who works on it, I have some automated ways of seeing threats. We have seen a few possible issues that might come up. So, our customers are safe on some level when we are using Sentinel.

It improves our security posture by using automated threat detection.

Having your logs put all in one place with machine learning working on those logs is a good feature. I don't need to start thinking, "Where are my logs?" My logs are in a centralized repository, like Log Analytics, which is why you can't use Sentinel without Log Analytics. Having all those logs in one place is an advantage. 

We have not really had any major threats. We have had alarms about four times. In the end, they were false positive alarms. Over time, the machine learning feature understands that something is a false positive, then you don't see them anymore. So, it reduces the number of false positives.

The learning curve could be improved. I am still learning it. We were able to implement the basic features to get them up and running, but there are still so many things that I don't know about all its features. They have a lot of features that we have not been able to use or apply. If they could work on reducing the solution's learning curve, that would be good. While there is a training course held by Microsoft to learn more about this solution, there is a cost associated with it. 

We have been using it in our organization for six months.

It is quite stable. It is one of the most mature SIEM solutions that I know.

Currently, I am the person maintaining the solution since we are a startup. However, it probably needs a team of four people to work on it. It needs an infrastructure person to configure it, a security analyst to tell us what they want configured, and a business person to tell us what kind of security targets are needed.

Scalability is good. We are increasing usage for different use cases. For compliance reasons, we will probably expand usage in the future.

Also, there are a lot of features that we have still not tested.

I have not had to use the technical support yet.

We were starting from scratch with Azure Sentinel.

We started using it because we were trying to get PCI certified. The updated PCI requirements requested that we have a security information and event management tool. If it wasn't for PCI compliance, then we probably would not have used Sentinel.

The initial setup was complex, not straightforward. Connecting it is easy once you have an Azure resource on the cloud. We also have on-prem resources, but we have not been able to connect those. Trying to create your on-prem resource with Azure Sentinel is not straightforward. I have not seen many implementation videos that I can watch on YouTube to learn how to do it. 

It is not just Azure. Other SIEMs solutions are a bit complex when trying to connect them. 

Deployment took no more than 10 minutes. Configuring it in our workloads was the major issue, not the deployment. The configuration timeframe depends on the number of resources that you are connected to and your prior knowledge of Sentinel before starting your configuration. 

I did the deployment.

From a cost perspective, there are certain Azure resources that we don't need to additionally pay for when using Sentinel.

When we looked at other SIEM tools, they were quite expensive. Sentinel is also expensive for a startup, but we were able to configure it so there are some logs that Azure frees up, like your firewall, Office 365, or Kubernetes logs. From a cost perspective, this works well financially for us.

Sentinel is a bit expensive. If you can figure a way of configuring it to meet your needs, then you can find a way around the cost.

We looked at so many tools, like Elastic Search and IBM. We went with Sentinel because the majority of our workloads were on Azure already, so the integration was easier rather than going with something external and integrating it. 

If you are purely on Azure, Sentinel is the way to go. Also, it easily works with on-premise workloads from what I have been able to determine. When I look at connectors, it integrates with other cloud providers. I see it integrates with GCP. 

I would rate Sentinel as seven out of 10.

Our clients use it for just an overall health check and security check for their deployments, whether it's on-prem or in Azure. Azure Sentinel basically collects the data from any kind of endpoint or server that is enrolled in the service, irrespective of whether they are on-prem or in the cloud. It can be laptop servers, virtual machines. It is a cloud solution, but it does extend to on-prem deployment.

I have been using the most up-to-date version. 

One of the most valuable features is that it creates a kind of a single pane of glass for organizations that already use Microsoft software. So, when they have things like Microsoft 365, it is very easy for them to kind of plug in or enroll those endpoints into the Azure Sentinel service.

I can't think of anything other than just getting the name out there. I think a lot of customers don't fully understand the full capabilities of Azure Sentinel yet. It is kind of like when they're first starting to use Azure, it might not be something they first think about. So, they should just kind of get to the point where it is more widely used.

I have been using Azure Sentinel since it came out, so it has been at least a couple of years.

It is very stable. It has been around for a while, and it is a Microsoft product. So, it is pretty secure and pretty stable.

Like all Azure services, it is definitely very scalable. You can very easily and very quickly enroll devices and other data points into Azure. 

Microsoft tech support is pretty good when it comes to Azure. It is really easy to open a ticket because you can do that right through the Azure portal. In addition, my company and other companies that kind of resell Azure services, oftentimes have our own help desk included with the consumption of Azure services. So, we have a 24/7 help desk that works on top of that. There are many managed services partners, like my company, that provide additional services in tech support on top of what Microsoft already has.

It is very straightforward.

It is kind of like a sliding scale. There are different tiers of pricing that go from $100 per day up to $3,500 per day. So, it just kind of depends on how much data is being stored. There can be additional costs to the standard license other than the additional data. It just kind of depends on what other services you're spinning up in Azure, or if you're using something like Azure log analytics.

For any customers who are either looking at Azure or already have Azure or Microsoft 365, this is a great service to look at because it does provide an additional layer of protection and security for all of their data points, whether they are on-prem or in the cloud.

I would rate Azure Sentinel a nine out of 10.

We internally do not use this solution. We provide advisory for Azure Sentinel because we are Microsoft's partner.

Our clients use it for Security Operations Centers. Some of the clients wish to build a Security Operation Center. They want to perform threat analysis and see that the environment is secure and monitor it. That's why we deploy SIEM solutions.

In terms of deployment, what we see here in Asia, specifically in Malaysia, are hybrid and public cloud deployments.

It helps our clients in enhancing their security. 

It is quite efficient. It helps our clients in identifying their security issues and respond quickly. Our clients want to automate incident response and all those things.

Its documentation is not so simple. It is easy for somebody who is Microsoft certified or more closely attached to Microsoft solutions. It is not easy for those who are working on open-source platforms. There isn't a central point where everything is documented, and there is no specific training or certification.

It has been almost three years.

It is stable. Those who have adopted it are okay with it.

It is a cloud solution, so it is scalable.

Most of us know how Microsoft operates. They are quite good at that.

Its setup is of moderate complexity for me, but I have heard it is complex for others because of the query language and other things.

There is documentation, but I don't think Microsoft is providing a central point where everything is documented. In fact, there is no specific training or certification. There is Microsoft Secure training, but it is not so dedicated. All these things make it moderate.

I have had mixed feedback. At one point, I heard a client say that it sometimes seems more expensive. Most of the clients are on Office 365 or M365, and they are forced to take Azure SIEM because of the integration.

We see that a lot of clients are trying to explore more apart from Azure. Some of the clients are interested in Splunk. Some of the clients are interested in seeing what's available from AWS. This year is quite different in Malaysia because the government has opened up the adoption of public cloud in all sectors, especially in the financial sector. So, we are seeing new requirements coming up. 

I would rate Azure Sentinel a seven out of 10.

We are running an MDR service for our customers and use Azure Sentinel as the SIEM product to allow us to have an overview of all our customers, but also to easily push configurations to different customers.

We use Azure Sentinel as an alert aggregator to import all of the incidents/alerts from the different (Microsoft) security products in order to have a single pane of glass. On top of that, we create our own custom Analytics Rule that can be used to add our own added value. This enables us to create our own IP to protect customers. 

It's really convenient for us to aggregate the logs/alerts from all our customers into a single pane of glass. By using the automation capabilities, it's relatively easy to sync all incidents to our ITSM tool which we can use to follow up on incidents. As it's based on the Microsoft stack, it's convenient for our engineers to learn the product. As Azure Sentinel is also a big focus for Microsoft, we have the ability to work with them on certain products. This creates visibility within the community and for new customers.

There are three valuable aspects of the solution: MSSP support, integration with Microsoft, and Automation. By using Azure Lighthouse, an MSSP can easily integrate their applications into their own baseline of policies/configurations.

Because Sentinel is built as an MS-first product, it integrates natively with other Microsoft products, which is really convenient as we are standardized on it. Without much work, you can connect any Microsoft product to it. 

Last, but not least, Sentinel uses Azure Logic Apps for automation, which is really powerful. This allows us to easily automate responses to incidents.

Azure Sentinel is constantly growing. Throughout the two years we have been using it, we have seen it expand tremendously. A lot of the limitations we had originally seen have already been mitigated. A couple of potential improvements could be: allow for a streamlined CI/CD procedure. Now it's a combination of using API/Powershell and ARM which is not ideal. Also, it should allow us to ingest on-prem logs by using a SaaS platform to ingest CEF/Syslog logs that also allow for prefiltering. This would allow us to minimize the cost of the solution.

I've been using the solution for 1.5 years.

We didn't use another SIEM product before Azure Sentinel. 

The cost can be a little confusing at first, but the Azure calculator is a great place to start. I would advise to start with integrating Microsoft products first, as this is the most convenient way forward and allows you to learn the product as you go.

In general, Azure Sentinel can be set up really quickly.

We use this solution for analyzing Microsoft cloud-based log services and for security data. The services include Microsoft 365, Azure Security Center logs and Microsoft cache logs. We are gold security partners with Azure. 

The UI-based analytics are excellent, it's something I haven't seen with any other SIEM products. Microsoft has excellent tools for cleaning data, sorting out irrelevant log data and even fixing log data.

There's not much that needs improvement but the on-prem log sources still require a lot of development. It's clear that there are limitations there. I also think that the implementation and on-prem data sources could be done in a better way. We've used some functions with Python and whole scripting on FortiSIEM, which is something that Microsoft could easily provide, but so far hasn't.

The product has been very reliable. I don't know that there have been any service outbreaks. We haven't had any problems. 

We have 700 users and from our perspective, it has unlimited processing power, but this is quite common for cloud services. I think the scalability has to be some kind of ABM and feeding all of the log stats, which could possibly have limits, but Azure has huge computing power behind it.

The support is good, the only issue is getting past the level one people who ask if you've tried rebooting. If you have Microsoft's Unified Support, the most expensive support, then you'll be very happy. It's not the best support in the industry, but it's pretty good and they also support Sentinel. 

The initial setup was extremely straightforward. It was the easiest I have seen because it's an SaaS service. I think anybody can do it by just clicking and clicking and saying yes. Straight out of the box and that's the strength of the SaaS service because there's no installation, you just use it. 

We compared Azure to Splunk and to our current mainstream implementation, FortiSIEM. If you have a lot of security data, then you feel that Azure is quite expensive but it's nowhere near as costly as Splunk which is four or five times more expensive. FortiSIEM wasn't good enough and Splunk was way to expensive. 

I would definitely recommend this solution. If you have cloud-based workloads and different cloud or cloud lookalike services that require security data, or if you are looking for SOAR functionalities, then it's a no brainer. It's the best in that market. On the other hand, if you are mainly working and operating with on-prem stuff then there's no advantage over FortiSIEM or other solutions. 

I rate this solution a nine out of 10. 

Security incident and event management. Threat detection and automated response.

It is a software as a service from Microsoft.

Reduced mean time to detect and resolve

Quickly able to cover a majority of mitre att&ck techniques

Free to ingest Azure logs with E5 license

Free ingestion for Azure logs (with E5 licence)

It is easy to implement (turn on) - does need a skilled analyst to develop queries and playbooks.

It has basic out-of-the-box integrations with multiple log sources.

Add more out-of-the-box connectors with other SaaS platforms/applications.

12 months

No stability issues encountered.

It is scalable as a SaaS offering, but there is a consumption cost to consider.

Cybersecurity team uses this on a daily basis.

We work together very well with local MS Team.

The initial setup was simple. All that was needed was to put agents onto our infrastructure.

Integration more complex for non-MS SaaS and OS, but do-able using middleware.

It was done in-house.

It is an evergreen service.

What is the cost of lack of visibility?  Average cost of breach = $$$

It is a consumption-based license model. bands at 100, 200, 400 GB per day etc. Azure Sentinel Pricing | Microsoft Azure

Good monthly operational cost model for the detection and response outcomes delivered, M365 logs don't count toward the limits which is a good benefit.

Others were considered however being an E5 M365 and Azure user this was by far the preferred solution.

It is fairly new but making a charge up the market anayses.  Should be considered if you have E5 licence due to native and 'free' ingestion of M365 logs.

We haven't used all of its capability yet because we haven't had the time yet to implement it all, and it appears that the MS roadmap for Sentinel is being actively invested in.

The primary use case is the same use case as Splunk.

Requirements differ. We're still doing fine-tuning. However, lots of users are added to its security group to note activities.

So far, the solution has been perfect. 

The pricing of the product is excellent.

So far, we have found the stability to be very good.

The solution, as a SIEM tool, has very good integration capabilities, at least, according to our needs.

We have just recently migrated to this product. We haven't used it long enough to note all of the features. Therefore, it would be impossible to note what is lacking just yet.

The interface could be more user-friendly. It''s a small improvement that they could make if they wanted to.

We've recently migrated to this solution. We've only been using it for a month.

The stability of the product is very good. It doesn't have bugs. It's not glitchy. It doesn't crash or freeze. It's been reliable so far.

As a Microsoft product, customers get scalability and elasticity. We have policies in place, and, based on them, we can upgrade if we need to. A company shouldn't have issues scaling should they have the need to expand. 

Only the security team uses this product. It's not accessible for every user. We have a team of about 20.

We have just invested in the solution, and therefore we have plans to use it for the foreseeable future.

We do have access to support, and if we need them, we can call on them. However, the solution is so new, we have yet to need their services. Therefore, I can't speak to their level of responsiveness or knowledgeability just yet.

The installation is very straightforward and easy. It's not complex. It's a cloud deployment, and therefore, it is very quick. You just connect the APIs to the data center.

The product is extremely cost-effective and affordable for customers.

I'm more on the technical side. Therefore, I don't have any insights into the actual cost or the structure of the license.

We looked at Splunk as well and compared to that solution, this one is less expensive.

We're using the latest version of the solution.

Choosing this solution was a management decision. Due to cost-effectiveness, they opted for Azure Sentinel.

Whether this product would work for another organization or not depends on the company's requirements.

As it is still very early in terms of our experience with the solution, I would rate the product at a six out of ten.

We primarily use the solution for security operations. 

It has a lot of great features. 

The integrations on offer are very good. They have a lot of frequent updates on the integrations as well. 

We also use other Microsoft products with it, such as Active Directory and Defender for Endpoint and Identity. Everything is well integrated together. The integration itself is seamless.

Its connectors are helpful.

We get good logs from the solution.

Threat visibility is good so far. We are able to prioritize threats based on many factors.

The comprehensiveness of the solution is good. 

The alert response could be better. We'd also like a better ticketing system, which is older.

I've been using the solution for two years.

I'd rate the solution nine out of ten.