Juan Panas - PeerSpot reviewer
Director of Microsoft and Digital Transformation at Compucad
Real User
Top 5
Nov 6, 2025
Have faced challenges integrating with third-party tools but have improved reporting and threat detection
Pros and Cons
  • "The ability of Microsoft Sentinel to correlate data from multiple sources greatly helps our threat detection capabilities because correlation enables faster threat detection, even proactively."
  • "Microsoft Sentinel should continue adding support for several other security brands because sometimes you have a firewall from a different brand and if you cannot correlate or integrate that seamlessly, it creates multiple points of checking information, which diminishes efficiency."

What is our primary use case?

We are familiar with Microsoft Sentinel. We previously worked with McAfee and Check Point solutions, but since we specialized in Microsoft, we transitioned everything to Microsoft Sentinel.

What is most valuable?

Microsoft Sentinel allows you to manage all solutions as the base and integrate other brands, making reporting, event correlation, and data preparation easier to leverage AI for generating alarms or trend analysis.

The ability of Microsoft Sentinel to correlate data from multiple sources greatly helps our threat detection capabilities because correlation enables faster threat detection, even proactively. Previously, we had to check several sources, making it difficult for one person or even several people to monitor everything all day. With correlation, what initially appears simple may relate to other information, revealing that it is a situation worth addressing.

The best features of Microsoft Sentinel are its integration with all Microsoft products, which is the main aspect we value because all of our customers and ourselves primarily have Microsoft infrastructure, servers, applications, and systems, so it integrates seamlessly into the Microsoft environment.

What needs improvement?

Microsoft Sentinel should continue adding support for several other security brands because sometimes you have a firewall from a different brand and if you cannot correlate or integrate that seamlessly, it creates multiple points of checking information, which diminishes efficiency. Despite this, we believe Microsoft Sentinel has the best capabilities to work with.

For how long have I used the solution?

The main factor that led us to Microsoft Sentinel is that it is a well-rated and well-perceived product. However, the key reason is that our unit focused exclusively on Microsoft solutions, and we believe in the quality of the product, so that decision was straightforward.


How are customer service and support?

Microsoft Sentinel's support and customer service deserve at least a nine rating because if you have any issues, you can easily submit a ticket and they will help you. There are different priority levels if you purchase extended support, which we have not done. We have been working for over two years with standard support and have not encountered any problems, so we appreciate it greatly. Microsoft invests significantly in support, which is crucial for companies.

Which solution did I use previously and why did I switch?

We previously worked with McAfee and Check Point solutions before Microsoft Sentinel, but since we specialized in Microsoft, we transitioned everything around.

How was the initial setup?

Setting up Microsoft Sentinel requires a little expertise; there is substantial documentation available and while it is not extremely difficult, some configurations require know-how to truly make it work. Microsoft Sentinel rates at a seven or eight for how straightforward it is to set up on a scale where ten is the easiest.

What other advice do I have?

Over 80% of our log data have been moved to auxiliary logs since implementing Microsoft Sentinel, as we primarily use Microsoft solutions.

Microsoft Sentinel's pricing is competitive, especially when you have a Microsoft infrastructure, as you typically receive better deals. In the end, it is positive because integrating Microsoft Sentinel with the Microsoft solutions you are acquiring turns out to be much cheaper than purchasing everything needed from a different SIEM solution.

As an ISO-certified organization, we find it very important to have clear data for usage, and Microsoft Sentinel helps significantly because you can automate reporting for audits, making the process very efficient.

We typically work on a cloud deployment model for Microsoft Sentinel, but hybrid is an option if there is a significant on-premise footprint. Our infrastructure is approximately 95% in the cloud, so we are using the cloud solution. Microsoft Sentinel can also be deployed hybrid if there is a data center involved; I would not recommend working on it locally as cloud-first is ideal.

We primarily use Azure as our main cloud provider, but it is possible to use AWS; it will just work more easily and configure better in Azure, though it can also be utilized in AWS for checking servers and security equipment on VMs.

Our overall rating for Microsoft Sentinel is nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Nov 6, 2025
PeerSpot user
Sathiyan Harikrishnan Anusuya - PeerSpot reviewer
Security Analyst at Cognizant
Real User
Top 5
Nov 6, 2025
Has supported effective threat hunting and compliance while automation and integration need refinement
Pros and Cons
  • "Microsoft Sentinel helps us understand the areas that we have to improve and provides information on our current coverage."
  • "When compared to other industry standard SIEM solutions like Splunk or Palo Alto, Microsoft Sentinel can improve a lot."

What is our primary use case?

We generally used Microsoft Sentinel for identifying issues, threat hunting, log analysis, and incident triage. Logic App is one tool we use, along with Watchlist, Summary table, search job, and threat hunting. The search job feature allows us to check for archive logs through a search option.

What is most valuable?

Microsoft Sentinel helps us understand the areas that we have to improve and provides information on our current coverage. When we get an incident, we receive that information, but this also creates some noise around it because even simple things receive tags, though this noise actually makes more value for a real incident.

It has a positive impact. For example, we try to identify compliance issues and vulnerabilities and search across different custom applications. We are able to mitigate these, which helps improve the security score. Enriching all other information and making value out of it is important. Microsoft Sentinel is another SIEM tool, and any SIEM tool provides similar values. That is why we are going for the tool. Whatever SIEM we have, every SIEM has its own advantage and should have some value.

What needs improvement?

There is a lot of room for improvement. Because there are automations and logics, we use mostly Logic App, and that can be improved significantly with additional connectors for integration. The GUI can be enhanced. Palo Alto XSOAR and others were very good in SOAR, but when it comes to Microsoft Sentinel, they are not matured to that level.

When compared to other industry standard SIEM solutions like Splunk or Palo Alto, Microsoft Sentinel can improve a lot. It is acceptable as its own product, but compared to others, it can be improved substantially.

For how long have I used the solution?

I have been working with this solution since 2020.

What do I think about the stability of the solution?

Microsoft Sentinel is reliable and stable, but it is a little costlier.

How are customer service and support?

The support from Microsoft is not up to the standard because it takes a lot of time to analyze and get the right people and the right solution. It takes time, but we are able to resolve things, though the process is time-consuming.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I was using Splunk later, but not as extensively as Microsoft Sentinel.

What other advice do I have?

I am working on some Azure items, though I do not know if that qualifies as something relevant. I am working in Microsoft Sentinel and Defender XDR. We are a partner with Microsoft from our firm, and as an employee, I work on the solution for different customers. The version of Microsoft Sentinel is the latest version, and I do not see any version-specific limitations.

Microsoft Sentinel is good, but it is going to be deprecated and integrated with Defender XDR, so we will use that. It is a little expensive. There is a limitation in that not all Azure Data Explorer queries and KQL queries can be used in Microsoft Sentinel. However, now they are moving to Azure Data Lake, which could be one reason for this limitation. There are many functionalities that are available in Azure Data Explorer which we cannot use in Microsoft Sentinel. It would be more useful if more Azure Data Explorer queries and the syntax available in Data Explorer could be leveraged in Microsoft Sentinel.

I am not using that module as we use it in the organization, but I am not handling it. This review has an overall rating of five out of five.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. partner
Last updated: Nov 6, 2025
PeerSpot user
Director, Strategic Alliances at Armor Defense Inc.
Real User
Top 10
Apr 30, 2025
Empowers teams to triage security incidents faster and connect third-party log sources
Pros and Cons
  • "Microsoft Sentinel is cloud native, which is a significant advantage. The data connectors that provide the ability to connect third-party log sources are highly valuable."
  • "We have seen at least a 60% increase in efficiency with Microsoft Sentinel and the ability to reduce the MTTD down to under five minutes and MTTR down to under fifteen."
  • "Driving deeper integration with the Defender XDR portal within Microsoft Sentinel, which is being done, and continuing to increase the number of third-party data connectors available is important."
  • "Their support can be challenging at times, particularly around unique experiences or circumstances with Microsoft Sentinel."

What is our primary use case?

We're an MDR provider, so we utilize Microsoft Sentinel in deployments into our customers' environments to protect their environments and detect any type of security threats. We offer 24/7 support.

How has it helped my organization?

Microsoft Sentinel helps our company generate revenue directly from supplying these security services and managing them for our customers on a monthly basis. Along with the SOC services that we provide on top, there is a holistic coverage for customers.

It has enabled our team to triage security incidents faster and remediate them to get back to business quicker after customer incidents. Because we're able to reduce the number of incidents and the time per incident with Microsoft Sentinel, we can handle more incidents. Additionally, through rule tuning within Microsoft Sentinel, we reduce the number of incidents that have to be reviewed.

Microsoft Sentinel has increased efficiency and allowed our team to do more proactive work. We have seen at least a 60% increase in efficiency with Microsoft Sentinel and the ability to reduce the MTTD down to under five minutes and MTTR down to under fifteen.

A part of what we do within Microsoft Sentinel for our customers, and for ourselves, is the rule tuning. We're able to only ingest the logs that are going to provide additional security value. With that, we're able to utilize the SOC automation features. We're able to reduce the amount of log ingestion that takes place and reduce the customers' costs.

The integration of security functionalities, such as SIEM, SOAR, TIP, and UEBA, in Microsoft Sentinel is definitely beneficial. It's definitely a benefit of Microsoft Sentinel to be able to have a holistic deployment and a best-of-breed tool set that can integrate with each other. We can utilize the components from each of the tools to gain additional insight, additional access, and additional steps.

Microsoft Sentinel has not directly affected our compliance reporting, but it has been utilized for audit evidence collection to be able to do SOX compliance from Microsoft Sentinel logs.

Microsoft Sentinel has the ability to enhance some of the features that we already have. It allows our team to see some additional threat vectors.

The MITRE ATT&CK-based recommendations within Microsoft Sentinel are paramount for helping our customers understand where they're seeing threats and the part of the framework. We are able to catch threats faster instead of waiting for breach notifications. Microsoft Sentinel drastically reduces the impact of any type of breach.

What is most valuable?

Microsoft Sentinel is cloud native, which is a significant advantage. The data connectors that provide the ability to connect third-party log sources are highly valuable. The overall visibility that Microsoft Sentinel provides into the environments across multiple clouds and platforms on the ground is beneficial. It's a comprehensive solution and ties back into the Defender XDR holistic security platform.

A great thing with Microsoft Sentinel is that we have the ability to pull in third-party log sources as well as the Microsoft native logs. With that, we can create a complete story for the customers. We can see, with full transparency, the attack path and the movements that the bad actors have made. We can see not only what was impacted, but what has the potential to be impacted at a later date, and create additional hardening steps.

What needs improvement?

Driving deeper integration with the Defender XDR portal within Microsoft Sentinel, which is being done, and continuing to increase the number of third-party data connectors available is important. Multi-tenancy is also a current focus.

They should continue to integrate the components of Microsoft Sentinel and work to make a holistic component. They should continue to improve log ingestion across multi-cloud platforms.

For how long have I used the solution?

We've been utilizing Microsoft Sentinel for a little over three years.

What do I think about the stability of the solution?

It has been working very smoothly irrespective of different uses.

What do I think about the scalability of the solution?

We have been able to scale Microsoft Sentinel as our needs grow.

How are customer service and support?

Their support can be challenging at times, particularly around unique experiences or circumstances with Microsoft Sentinel. The documentation requires specific knowledge to locate. Once familiar with the system, it becomes very straightforward, though the documentation could be streamlined and made easier to navigate.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

Before choosing Microsoft Sentinel, we had used QRadar. With Microsoft Sentinel, we're able to utilize multi-tenancy better. It's in a single instance within our environment, which doesn't necessarily correlate to transparency and data ownership for our customers. By allowing us to use Microsoft Sentinel within the customer's environments and utilize Lighthouse access to gain visibility into that, it allows our customers to have full transparency into what our team is doing, along with their existing staff, and it also retains data ownership for the customer.

How was the initial setup?

We were able to deploy Microsoft Sentinel through infrastructure as code, and we do a Terraform deployment which allows us to deploy and configure the main components of Microsoft Sentinel, all of them managed for our customers.

What was our ROI?

The biggest return on investment when using Microsoft Sentinel is customer stickiness, customer engagement, and the ability to leverage existing Microsoft investments that the customer already owns to be able to deploy Microsoft Sentinel in their environments.

What's my experience with pricing, setup cost, and licensing?

Pricing for Microsoft Sentinel could always be lower, but it's workable. The ingestion costs for the data analytics are usually the highest cost, but the licensing per Microsoft Sentinel is fairly straightforward and transparent.

Which other solutions did I evaluate?

We did consider other solutions before choosing Microsoft Sentinel. We wanted to make sure that we chose a cloud-native solution, and we feel that with the hyperscale data, it provides the best value for price by far.

What other advice do I have?

I would rate Microsoft Sentinel an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partnership
PeerSpot user
senior cyber security at a tech services company with 201-500 employees
Real User
Top 10
Apr 9, 2025
Unified security operations streamline monitoring and incident management
Pros and Cons
  • "The best feature of Microsoft Sentinel is its ability to unify all dashboards or functions into one modern SecOps dashboard."
  • "The pricing tiers of Microsoft Sentinel should be improved. There are complexities in calculating the right pricing tier for different customers, which makes it difficult for me as a consultant during upfront pricing."

What is our primary use case?

I use Microsoft Sentinel for security incident management, monitoring, and incident tracking in the security environment. My clients use it to unify and monitor their entire ecosystem in the security sector using either Microsoft or other security products. This enables them to correlate all incidents and logs into Microsoft Sentinel.

What is most valuable?

The best feature of Microsoft Sentinel is its ability to unify all dashboards or functions into one modern SecOps dashboard. This integration means that I do not need to check multiple dashboards for security operations, offering seamless integration with the Microsoft ecosystem. The pre-built detection analytics and the ability to create custom detection rules more easily than some other solutions are also highly valuable. Additionally, the ability of Microsoft Sentinel to correlate data from multiple sources enhances threat detection capabilities.

What needs improvement?

The pricing tiers of Microsoft Sentinel should be improved. There are complexities in calculating the right pricing tier for different customers, which makes it difficult for me as a consultant during upfront pricing. Additionally, I would like to see more out-of-the-box data collectors to connect to proprietary systems in future versions.

For how long have I used the solution?

I have been working with Microsoft Sentinel for around two years.

What was my experience with deployment of the solution?

The cloud deployment of Microsoft Sentinel is very straightforward and one of the easiest I have worked with. It integrates quickly if all the requirements are prepared. This is different from other SIEM solutions, which require more complex processes like preparing hardware and finding the right server size. In 10 to 15 minutes, it can be set up with a proxy server, and logs are automatically integrated, allowing for fast deployment without additional software installation.

What do I think about the stability of the solution?

Microsoft Sentinel is quite stable. However, some of the data connectors can become deprecated, requiring reconnection. I need to be aware of deprecated connectors as they may disconnect, but the data continues to be sent with a need for quick adaptation.

What do I think about the scalability of the solution?

Being a SaaS solution, the scalability of Microsoft Sentinel is robust. I do not need to manage resources, and the open infrastructure allows for scalable usage.

How are customer service and support?

As a consultant, I rate the quality of service for technical support a seven out of ten. The response is usually quick, especially through live chat, and further support is provided through email or remote assistance if needed.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have experience with other SIEM solutions, including Azure and other major players in the security market. With Microsoft Sentinel, the ease of building detection rules and correlation queries is more straightforward than other tools like Splunk.

How was the initial setup?

The initial setup is very simple and fast with Microsoft Sentinel, requiring only a small virtual machine as a proxy server. There is no need for complex hardware setups, unlike other SIEM solutions.

What was our ROI?

Calculating the ROI of Microsoft Sentinel can be challenging. If a customer is already using Microsoft’s ecosystem, the ROI can be positive due to seamless integration. For those without significant Microsoft usage, the cost may be high, leading to a lower ROI.

What's my experience with pricing, setup cost, and licensing?

The pricing tiers and associated complexities of Microsoft Sentinel can be cumbersome. Setting up the right cost model for customers is intricate, requiring careful consideration of various components and licensing tiers.

Which other solutions did I evaluate?

I have also worked with solutions like Splunk and other SIEMs in the security market.

What other advice do I have?

There are some issues with data connectors being deprecated and the lack of immediate replacements being available. However, the solution remains user-friendly and efficient for those within the Microsoft ecosystem. Overall, I rate Microsoft Sentinel an 8.5 out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Architect at a wholesaler/distributor with 201-500 employees
Real User
Top 20
May 5, 2025
Centralized logging and integrations enhance threat detection and cost efficiency
Pros and Cons
  • "Microsoft Sentinel's ability to correlate data from multiple sources has enhanced my threat detection capabilities beyond what simple data lake solutions offer."
  • "The integration between them is good and straightforward, the documentation is excellent, and we do not have any problems."
  • "In terms of improvements, pricing, licensing, and overall cost could be better."

What is our primary use case?

Our use cases for Microsoft Sentinel are SIEM and logging for any activity. We have been having some issues and we are using this logging for that purpose.

I am using Microsoft Sentinel for threat intelligence and threat hunting, and it is definitely helping us.

We did not have centralized logging in place, and Microsoft Sentinel has definitely helped us instead of having to spin up our own centralized logging, which is not scalable. Microsoft Sentinel has many integrations that help us with threat hunting and reduce the amount of effort needed from our end.

How has it helped my organization?

We're using it for threat intelligence and threat hunting and it's definitely been helping. 

What is most valuable?

The most valuable feature I have found in Microsoft Sentinel is logging. Microsoft Sentinel collects everything, and it is a centralized place for logging management.

It performs its functions in an efficient way for me.

Microsoft Sentinel's ability to correlate data from multiple sources has enhanced my threat detection capabilities beyond what simple data lake solutions offer. You can tie in with Defender intelligence and that really helps us. We want to see all activity going on.

I evaluate the integration of security functionalities such as SIEM, SOAR, TIP, UBA, and Microsoft Sentinel as good. The integration between them is good and straightforward, the documentation is excellent, and we do not have any problems. I foresee it having a positive impact.

With regards to MITRE ATT&CK, the recommendations from Microsoft Sentinel are really helpful for us to go back and remediate any recommendations.

The SOC optimization feature has impacted our organization's data management and cost efficiency significantly. It brings substantial savings compared to using different products, such as Splunk for SIEM and having another product for gathering intelligence. With the Microsoft platforms that we have, the integration is straightforward, which is definitely a cost savings for us instead of trying to get different product lines from different vendors.

The impact that Microsoft Sentinel has had on our organization's advanced hunting capabilities is significant. We depend on centralized logging for partnering with other providers, and we also use CrowdStrike. For threat hunting, we have seen issues where there were lateral movements, and for identifying those malicious sources and containing them, it has been definitely helpful.

What needs improvement?

In terms of improvements, pricing, licensing, and overall cost could be better.

For how long have I used the solution?

We've used the solution for one and a half months. 

What do I think about the stability of the solution?

I assess the stability and reliability of Microsoft Sentinel as good. We have not had any issues.

What do I think about the scalability of the solution?

Microsoft Sentinel scales as our needs grow without any problems. We are a very small organization, so it fits our needs.

How are customer service and support?

I would evaluate the customer support and technical support I received from Microsoft as very good. It is very responsive, and I really appreciate the documentation that is available online.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In the past, with a different organization, I used Splunk prior to using Microsoft Sentinel. The interface is not as simple as Microsoft Sentinel; it has its own query language, and Microsoft Sentinel is more straightforward. We also use CrowdStrike. 

How was the initial setup?

The deployment was straightforward. 

What was our ROI?

We have seen an ROI. Essentially, we didn't have centralized logging before. This has helped us substantially. Spinning up your own centralized logging is not really scalable. It's helped with threat hunting and has reduced the amount of effort on our end. 

What's my experience with pricing, setup cost, and licensing?

The pricing is a bit high.

Which other solutions did I evaluate?

Splunk was the other solution I was evaluating prior to picking Microsoft Sentinel.

I decided to go with Microsoft Sentinel as opposed to Splunk. Splunk has gone through a change. It has just been acquired by Cisco, and we do not know how the experience is going to be. There could be a transformation in their product line.

What other advice do I have?

On a scale of one to ten, I would rate Microsoft Sentinel as a product overall as nine.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Chief Operating Officer at a tech services company with 51-200 employees
Real User
Top 20
May 5, 2025
Managed security service scales operations efficiently and saves costs through advanced integrations
Pros and Cons
  • "Microsoft Sentinel's ability to correlate data from multiple sources has improved our capability significantly."
  • "In New Zealand, there are customers that run dual stack, running Microsoft but also competitor products, EDR software, cloud security software, and other tooling. While it's improved over the last four or five years, there's still more work that can be done to integrate better outside of the Microsoft ecosystem."
  • "The three challenges we have are outside of the Microsoft ecosystem. In New Zealand, there are customers that run dual stack, running Microsoft but also competitor products, EDR software, cloud security software, and other tooling."

What is our primary use case?

As a managed security service provider, we have a managed security service that we provide to customers, and our managed services are often built on Microsoft Sentinel.

How has it helped my organization?

Our managed SOC is based on Microsoft Sentinel, and a key benefit is that we've been able to take customers' investments, especially in E5 licensing, and make that investment stretch further than they would have had they gone to a competitor's product. This helps organizations drive and uplift their cyber resilience in a cost-effective manner.

For us, customer retention is key, and we can articulate value about the services we provide because the backend services and Microsoft Sentinel itself do the job for us. The benefit lies in customer retention, keeping our costs down, and providing value to customers by making every dollar they invest go further.

What is most valuable?

Microsoft Sentinel was the first real cloud-native SIEM solution, and it integrates into an ecosystem around Microsoft and the entire stack with all of the other vendor products. I appreciate that we can get the free ingestion from the Microsoft ecosystem into Microsoft Sentinel, which works really well for us.

Microsoft Sentinel's ability to correlate data from multiple sources has improved our capability significantly. We have used other SIEM products and data lake products outside of Microsoft Sentinel, and it's evident that what you get out of Microsoft Sentinel and the ability to enrich the data with threat intelligence and correlate over various sources provides better detection capabilities, better response times, and more assurance of security. In the five years that we've had the product in market as a managed service offering, we've not missed anything, demonstrating a strong track record.

The automation feature in Microsoft Sentinel has been amazing and has significantly affected our team's efficiency in handling security incidents. As a managed security partner, we've effectively been able to triple our customer base but only had to increase headcount by 15% to 20%. The built-in integrations and automation allow us to scale and have more coverage and greater capabilities without the corresponding increase in headcount.

The integration of security functionalities such as SIEM, SOAR, TIP, and UEBA in Microsoft Sentinel is robust. The ecosystem is very integrated together within Microsoft.

Microsoft Sentinel's SOC automation and optimization feature has significantly impacted our company's data management and cost efficiency. We operate as a provider, using the product both ourselves and for our customers. We've completed substantial optimization work around ingestion and cost optimization, and some of our customers have saved up to 300% to 400% compared to their original budgets.

Microsoft Sentinel has had an exceptional impact on our company's and customers' advanced hunting abilities. The integrations and automations natively built into the system help us perform retrospective threat hunting. We now have the capability of utilizing threat intelligence provided by the government in New Zealand, allowing us to take indicators of compromise and pass them directly into Microsoft Sentinel and the Defender suite, which moves us from a reactive to a proactive security stance.

The time saved per incident in Microsoft Sentinel has reduced by more than half compared to five years ago. We're able to handle more customers and incidents simultaneously, with detection and remediation times decreasing. With the investments we're making around Microsoft Security Copilot and AI, that efficiency is expected to improve further.

Using the MITRE ATT&CK framework has enhanced our security posture by providing a way to align to a framework that helps contextualize and explain why security threats are relevant and how they can manifest in the environment. It offers a common language for our analysts to communicate across all of our customers on the service, focusing on the TTPs that threat actors would use to undertake an attack or compromise in the customer's environment.

What needs improvement?

The three challenges we have are outside of the Microsoft ecosystem. In New Zealand, there are customers that run dual stack, running Microsoft but also competitor products, EDR software, cloud security software, and other tooling. While it's improved over the last four or five years, there's still more work that can be done to integrate better outside of the Microsoft ecosystem.

Microsoft Sentinel is on the right track in terms of improvements. Being part of a Microsoft partner security association in New Zealand gives us access to information about product roadmaps and developments. The only recommendation, rather selfishly as an MSSP, is for a model where MSSPs can take Microsoft Sentinel and deliver it at scale to customers under a licensing construct.

To improve Microsoft Sentinel further, providing better options for long-term retention and storage of non-Microsoft logs is important for our customers. There is always a cost element there, and for us as an MSSP partner, being able to differentiate our service using the platform through a licensing construct specifically for MSSP partners would be beneficial.

For how long have I used the solution?

We've been using Microsoft Sentinel ever since it came out in Purview, approximately five years now.

What do I think about the stability of the solution?

Microsoft Sentinel has been amazing in terms of stability and reliability, as we haven't had any issues with it.

What do I think about the scalability of the solution?

While Microsoft Sentinel scales effectively from a technical standpoint, it could be improved in terms of being more suited for MSSP partners with regard to the licensing construct.

How are customer service and support?

I have never had to use Microsoft Sentinel's customer service or technical support officially; however, the teams I have reached out to have been excellent. I've never received any bad responses or feedback.

How would you rate customer service and support?

Positive

What was our ROI?

I have definitely seen a return on investment when using Microsoft Sentinel, though it's difficult to quantify in dollar terms, considering security cannot be given a precise value. 

From a risk perspective, it's about mitigating risk, and as mentioned earlier, we haven't missed many things since we've had the offering in market—only a couple of minor incidents.

What's my experience with pricing, setup cost, and licensing?

I was more familiar with Microsoft Sentinel's pricing, setup costs, and licensing many years ago, and in my current role, I'm not as involved with these aspects.

What other advice do I have?

On a scale of one to ten, this solution rates as a nine.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
reviewer2811336 - PeerSpot reviewer
Senior VP, Strategy at a tech vendor with 51-200 employees
Real User
Mar 24, 2026
External threat intel integration with Microsoft Sentinel
Pros and Cons
  • "The features of Microsoft Sentinel that I appreciate the most include the app integration."
  • "Microsoft Sentinel's ability to correlate data from multiple sources does not enhance our threat detection capabilities beyond what a simple data lake solution could offer, as we are a developer, so it is not necessarily applicable."

What is our primary use case?

My main use case for Microsoft Sentinel is being able to put external threat intel into Sentinel.

What is most valuable?

The features of Microsoft Sentinel that I appreciate the most include the app integration. I think it is straightforward; there were a couple of hiccups, but generally, it is very straightforward.

I do not consider it so much a benefit to our organization because it results in the use of our products. It is actually a benefit to Microsoft Sentinel customers, which we are a secondary beneficiary of.

What needs improvement?

For us, improving Microsoft Sentinel would involve tying its usage closer to email threat telemetry and making it easier for folks that either use Defender and email to use Sentinel.

For how long have I used the solution?

I have used Microsoft Sentinel for one year.

What do I think about the stability of the solution?

I do not have any experience with the stability and reliability of Microsoft Sentinel, other than technical support as a developer, and I have not experienced any downtime, crashes, or performance issues.

Which solution did I use previously and why did I switch?

Before adopting Microsoft Sentinel, we were supporting other solutions.

Which other solutions did I evaluate?

The other solutions we considered before selecting Microsoft Sentinel were based on market reach, feature set, and go-to-market opportunities, as we are a developer.

What other advice do I have?

Microsoft Sentinel does not give us a unified set of tools to detect, investigate, and respond to incidents, as we do not make use of those at this moment.

I do not know specifically about Microsoft Sentinel, but in general, I am a big supporter and believer in the effectiveness of AI and machine learning in enhancing threat detection and response.

Microsoft Sentinel's ability to correlate data from multiple sources does not enhance our threat detection capabilities beyond what a simple data lake solution could offer, as we are a developer, so it is not necessarily applicable.

The SOC optimization feature's impact on our organization's data management and cost efficiency is not applicable.

My advice to other organizations considering Microsoft Sentinel is that they ought to consider all solutions based on their needs. I do not have a particularly strong feeling one way or the other about Microsoft Sentinel, with a rating of zero out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 24, 2026
PeerSpot user
Chief Commercial Officer at defend
Real User
Top 20
May 5, 2025
Managing operations with a unified security pane while benefiting from cost efficiency
Pros and Cons
  • "Microsoft Sentinel has improved cost efficiency, which is one of the key areas we're able to win business against the ability to have threat intelligence."
  • "It's a great product."
  • "It would be nice to be able to leverage more AI to handle more data and recovery aspects in the future."

What is our primary use case?

Our use case for Microsoft Sentinel is having a more holistic view by having all security events in one place.

How has it helped my organization?

We were likely the first partner in New Zealand. We've been able to manage the path forward early on and have helped small businesses adopt a really scalable solution.

It's one of the key areas we've focused on. We love the ability of having reliable threat intelligence.

What is most valuable?

Microsoft Sentinel's ability to integrate with other Microsoft products has been beneficial to our team's operations. We like the best of ecosystem versus the best of breed approach. We can have everyone have the same skillsets and not have individuals specialized. It's much more holistic. 

The threat detection has been useful. We like having everything managed by one solution. It simplifies everything. 

The automation feature helps with efficiency, specifically around security. 

It has good integration with other security features. It's a great product. The ease of use and ease of management are great. 

It's allowing us to have one Microsoft security pane of glass.

Microsoft Sentinel has improved cost efficiency, which is one of the key areas we're able to win business against the ability to have threat intelligence.

What needs improvement?

To improve Microsoft Sentinel specifically, giving us different functionality to handle tasks would be really amazing. I don't have any issues with what's currently available.

It would be nice to be able to leverage more AI to handle more data and recovery aspects in the future. 

For how long have I used the solution?

I've used the solution for the last five years. 

What do I think about the stability of the solution?

Regarding the stability of Microsoft Sentinel, there haven't been any significant issues. There may have been one or two minor incidents over time, yet nothing substantial.

What do I think about the scalability of the solution?

The scalability is very good. Our largest customer has 55,000 seats. Others have 100 to 200 seats. 

How are customer service and support?

We've had a good experience with Microsoft support.

Which solution did I use previously and why did I switch?

We decided early on we weren't going to partner with a lot of vendors. We liked what Microsoft was going to do with a best-of-ecosystem approach instead of best of breed. 

How was the initial setup?

The initial setup is pretty easy. 

What was our ROI?

I have definitely seen a return on investment in the past five years. We attribute our growth to Sentinel. It became a product that everyone suddenly wanted. 

What's my experience with pricing, setup cost, and licensing?

My experience with the pricing setup has been positive.

Which other solutions did I evaluate?

There were a couple of other products available; however, we were quite certain we were going to go with Microsoft Sentinel.

What other advice do I have?

The reason why having a best-of-ecosystem is crucial for our customers is that it eliminates the need to set up multiple different products, so it was really attractive to have everything in one place.

I'd rate the solution ten out of ten. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.
Updated: March 2026