Creates value with advanced investigation capabilities while seeking improved integration with varied platforms
Pros and Cons
- "A lot of the automation inside Sentinel comes in when actually rolling out brand new Sentinel environments. We utilize that a lot, and it might go beyond just Sentinel, for example, utilizing templates in Azure and templates elsewhere to actually deploy out."
- "Microsoft Sentinel stands out mainly for its signal-to-noise reduction; LogRhythm required numerous AI rules to reach a similar level of noise reduction."
- "My primary improvement request would be for auxiliary logs, as they represent our biggest need."
- "The integration challenges arise from both sides; Google tends to be noisy, and we find only ten analytic rules out of the box, necessitating the use of Defender for Cloud for alerts, which indicates a need for better documentation during deployment."
What is our primary use case?
Our use cases include working with clients by installing it for them, deploying it within our own organization, and I personally utilize it as a Solutions Architect for demo purposes, etc.
What is most valuable?
The features that I or my customers consider most valuable within Microsoft Sentinel include the ability to query, the integration with the rest of the Defender and the Microsoft suites, and the workbooks and dashboards.
The ability to query is valuable to us because it allows you to drill down to specific information that you need and even drill down further from there. It really helps you get at the information you need, especially from an investigative perspective. The workbook dashboards, once you find a good information set or data set, let you flip that around and turn it into a dashboard so it can be repeatable and visible to other folks in the organization.
Microsoft Sentinel's ability to correlate data from multiple sources enhances our threat detection capabilities beyond what a simple data lake solution offers, by filtering out the noise and consolidating the signal down to a meaningful level that is easier to investigate and see. It allows us to truly see what is going on and gives us that focused visibility.
It does provide actionable data, not just visibility, as it can provide insights beyond what a normal data stream could give you.
The integration of security functionalities such as SIEM, SOAR, TIP, and UEBA in Microsoft Sentinel is well-executed, particularly the seamless integration of UEBA. However, there is confusion between UEBA and Defender for Identity that needs to be explored further. Microsoft has defined the XDR level, but from an MSSP perspective, the SOAR capability is integrated adequately, while customers might not fully utilize it yet due to marketing factors.
Creating an awareness campaign for these integrations would be beneficial.
The impact of Microsoft Sentinel on our advanced hunting abilities has been significant because it allows us to really hone in from an investigative perspective and dive deeper into investigations. Even without access to a customer's environment, we capture a lot of data and can drill down on specifics like when and from where emails were sent, what their content was, and so on. It provides us with a complete attack story and history.
Up until recently, the MITRE ATT&CK integration in Microsoft Sentinel was based on an older version, rendering it less meaningful, but now with the upgrade to the latest version, it allows us to map our threat intelligence efficiently to the MITRE framework, which has been beneficial.
I would highlight the new case management feature as great. Its presence gives Microsoft Sentinel an edge as many other SIEMs have had mature case management capabilities. Additionally, as it becomes part of the Defender portal, the journey and integration narrative between Sentinel and the complete Defender XDR should be better defined, especially since more customers opt for Sentinel only.
Having a great CX team within Microsoft enhances the experience, although having a distracted account manager lessens focus on critical details for customer needs.
A lot of the automation inside Sentinel comes in when actually rolling out brand new Sentinel environments. We utilize that a lot, and it might go beyond just Sentinel, for example, utilizing templates in Azure and templates elsewhere to actually deploy out. A good scenario is when customer environments have multi-tenancy. Being able to roll out those additional tenants with the automation has been huge. We went from it taking 20 hours to build a tenant to a matter of two to four hours. That's a 75% savings.
The SOC optimization is a big part of what we do. We have to manage our own costs; however, we have built in automations for reporting to trigger when data is exposed. I have one customer that had 225 GB a day when onboarded, and now we're down to 110 GB. As far as our reporting, it does help everything become more efficient.
What needs improvement?
My primary improvement request would be for auxiliary logs, as they represent our biggest need.
While we have automated deployments now, Microsoft Sentinel is fairly easy to deploy, although we face challenges with integrations related to AWS and GCP, particularly with Google.
The integration challenges arise from both sides; Google tends to be noisy, and we find only ten analytic rules out of the box, necessitating the use of Defender for Cloud for alerts, which indicates a need for better documentation during deployment.
The story between UEBA, Defender for Identity, and Entra needs to be further explored and defined. There's some confusion on what is happening from a user and entity behavior perspective.
For how long have I used the solution?
I have been using Microsoft Sentinel on and off for two years.
Buyer's Guide
Microsoft Sentinel
June 2026
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: June 2026.
900,747 professionals have used our research since 2012.
What do I think about the stability of the solution?
Overall, I find Microsoft Sentinel to be pretty stable; in contrast, LogRhythm was less reliable and required consistent support for various components. We don't experience as many issues with the MMA agents and sensors in Sentinel.
What do I think about the scalability of the solution?
Microsoft Sentinel does possess scalability from smaller to larger organizations and has been improving in terms of multi-tenancy, particularly as we had built our own multi-tenant platform ahead of Microsoft's documentation release.
Larger organizations experience more complexity, often requiring more advanced support, and we occasionally find ourselves ahead in technology knowledge compared to the Microsoft team, leading to challenges with support response.
How are customer service and support?
From a partner perspective, our support experience with Microsoft has been decent. It can improve once we are fully validated as a named partner. Customer support has been adequate overall.
Support is more streamlined at the smaller end.
There's a need for higher-level knowledge in the support provided.
Which solution did I use previously and why did I switch?
Before Microsoft Sentinel, we used LogRhythm internally, and we also supported LogRhythm, AlienVault, and Splunk.
Microsoft Sentinel stands out mainly for its signal-to-noise reduction; LogRhythm required numerous AI rules to reach a similar level of noise reduction. Additionally, Microsoft is cloud-first compared to LogRhythm's on-prem setup, which required resources to navigate the cloud successfully. While AlienVault is simpler and good for small to medium clients, it lacks the deep automation and analytics Microsoft offers.
How was the initial setup?
I have deployed Microsoft Sentinel in various cloud environments and on-premises. Our focus typically lies with SMB, deploying it to organizations ranging from 50 users to about 2,000 users.
While we have automated deployments now, Microsoft Sentinel is fairly easy to deploy, although we face challenges with integrations related to AWS and GCP, particularly with Google.
What was our ROI?
I see ROI from using Microsoft Sentinel, particularly when transitioning from Splunk, yielding cost savings of about 100%. The reduction in billable events or messages per second can be between 25% to 45% with Sentinel, leading directly to cost reductions and enhanced time savings during investigations compared to the depth offered by tools like LogRhythm.
Which other solutions did I evaluate?
Specific SIEMs noted for their strong out-of-the-box reporting include LogRhythm, Splunk, Exabeam, and Securonix. Microsoft is actively working on improving out-of-the-box content and reports, while the ability to utilize KQL for reports, workbooks, and analytic rules is quite beneficial.
What other advice do I have?
For one customer, SOC optimization reduced their daily usage from about 225 gigs a day down to about 110 gigs a day.
Microsoft Sentinel doesn't impact our reporting directly. That said, it makes the end customer's compliance reporting process more efficient. I cannot provide a specific time saved number, but it does improve efficiency.
Technically, we expect to move about 45% of our log data to auxiliary logs since implementing Microsoft Sentinel. This expectation exists since auxiliary is still in preview and not fully functional yet. We would love to do it, however, in most environments we manage, the feature is still grayed out, making it unavailable. It is currently one of our biggest needs.
Microsoft Sentinel is perfect for mid-sized companies, however, it can also scale for smaller clients up to large enterprises due to its adaptability. Smaller customers may increasingly turn to the Defender Unified Security Operations platform for correlation instead of adopting Sentinel as a full SIEM.
On a scale of one to ten, the overall solution rating is nine.
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
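The mail drill-down the reviewer describes (when and from where messages were sent, and what else the same sender touched), written out as an added KQL hunting query. This is an added example, not code from the review or from Microsoft; it assumes the Defender XDR connector is populating the EmailEvents table in the workspace, and the mailbox address and lookback are constructed placeholder values.

```kql
// Added hunting example (not from the review). Start from one mailbox, collect the
// senders whose mail was blocked/quarantined or flagged with a threat type, then pivot
// to every other recipient that the same sender address + source IP reached.
let target = "user@example.com";   // constructed placeholder mailbox
let lookback = 7d;                 // illustrative window
let suspectSenders =
    EmailEvents
    | where Timestamp > ago(lookback)
    | where RecipientEmailAddress =~ target
    | where DeliveryAction != "Delivered" or isnotempty(ThreatTypes)
    | distinct SenderFromAddress, SenderIPv4;
EmailEvents
| where Timestamp > ago(lookback)
| join kind=inner suspectSenders on SenderFromAddress, SenderIPv4
| summarize
    Messages   = count(),
    Recipients = dcount(RecipientEmailAddress),
    FirstSeen  = min(Timestamp),
    LastSeen   = max(Timestamp),
    Subjects   = make_set(Subject, 5),
    Actions    = make_set(DeliveryAction, 5)
    by SenderFromAddress, SenderIPv4
| order by Messages desc
```

Run it in Logs (or the Advanced hunting blade of the Defender portal); the per-sender rows give the "when and from where" timeline, and the Recipients count shows how far the same campaign spread beyond the first mailbox.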
Senior VP, Strategy at a tech vendor with 51-200 employees
External threat intel integration with Microsoft Sentinel
Pros and Cons
- "The features of Microsoft Sentinel that I appreciate the most include the app integration."
- "Microsoft Sentinel's ability to correlate data from multiple sources does not enhance our threat detection capabilities beyond what a simple data lake solution could offer, as we are a developer, so it is not necessarily applicable."
What is our primary use case?
My main use case for Microsoft Sentinel is being able to put external threat intel into Sentinel.
What is most valuable?
The features of Microsoft Sentinel that I appreciate the most include the app integration. I think it is straightforward; there were a couple of hiccups, but generally, it is very straightforward.
I do not consider it so much a benefit to our organization because it results in the use of our products. It is actually a benefit to Microsoft Sentinel customers, which we are a secondary beneficiary of.
What needs improvement?
For us, improving Microsoft Sentinel would involve tying its usage closer to email threat telemetry and making it easier for folks that either use Defender and email to use Sentinel.
For how long have I used the solution?
I have used Microsoft Sentinel for one year.
What do I think about the stability of the solution?
I do not have any experience with the stability and reliability of Microsoft Sentinel, other than technical support as a developer, and I have not experienced any downtime, crashes, or performance issues.
Which solution did I use previously and why did I switch?
Before adopting Microsoft Sentinel, we were supporting other solutions.
Which other solutions did I evaluate?
The other solutions we considered before selecting Microsoft Sentinel were based on market reach, feature set, and go-to-market opportunities, as we are a developer.
What other advice do I have?
Microsoft Sentinel does not give us a unified set of tools to detect, investigate, and respond to incidents, as we do not make use of those at this moment.
I do not know specifically about Microsoft Sentinel, but in general, I am a big supporter and believer in the effectiveness of AI and machine learning in enhancing threat detection and response.
Microsoft Sentinel's ability to correlate data from multiple sources does not enhance our threat detection capabilities beyond what a simple data lake solution could offer, as we are a developer, so it is not necessarily applicable.
The SOC optimization feature's impact on our organization's data management and cost efficiency is not applicable.
My advice to other organizations considering Microsoft Sentinel is that they ought to consider all solutions based on their needs. I do not have a particularly strong feeling one way or the other about Microsoft Sentinel, with a rating of zero out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 24, 2026
Director, Strategic Alliances at Armor Defense Inc.
Empowers teams to triage security incidents faster and connect third-party log sources
Pros and Cons
- "Microsoft Sentinel is cloud native, which is a significant advantage. The data connectors that provide the ability to connect third-party log sources are highly valuable."
- "We have seen at least a 60% increase in efficiency with Microsoft Sentinel and the ability to reduce the MTTD down to under five minutes and MTTR down to under fifteen."
- "Driving deeper integration with the Defender XDR portal within Microsoft Sentinel, which is being done, and continuing to increase the number of third-party data connectors available is important."
- "Their support can be challenging at times, particularly around unique experiences or circumstances with Microsoft Sentinel."
What is our primary use case?
We're an MDR provider, so we utilize Microsoft Sentinel in deployments into our customers' environments to protect their environments and detect any type of security threats. We offer 24/7 support.
How has it helped my organization?
Microsoft Sentinel helps our company generate revenue directly from supplying these security services and managing them for our customers on a monthly basis. Along with the SOC services that we provide on top, there is a holistic coverage for customers.
It has enabled our team to triage security incidents faster and remediate them to get back to business quicker after customer incidents. Because we're able to reduce the number of incidents and the time per incident with Microsoft Sentinel, we can handle more incidents. Additionally, through rule tuning within Microsoft Sentinel, we reduce the number of incidents that have to be reviewed.
Microsoft Sentinel has increased efficiency and allowed our team to do more proactive work. We have seen at least a 60% increase in efficiency with Microsoft Sentinel and the ability to reduce the MTTD down to under five minutes and MTTR down to under fifteen.
A part of what we do within Microsoft Sentinel for our customers, and for ourselves, is the rule tuning. We're able to only ingest the logs that are going to provide additional security value. With that, we're able to utilize the SOC automation features. We're able to reduce the amount of log ingestion that takes place and reduce the customers' costs.
The integration of security functionalities, such as SIEM, SOAR, TIP, and UEBA, in Microsoft Sentinel is definitely beneficial. It's definitely a benefit of Microsoft Sentinel to be able to have a holistic deployment and a best-of-breed tool set that can integrate with each other. We can utilize the components from each of the tools to gain additional insight, additional access, and additional steps.
Microsoft Sentinel has not directly affected our compliance reporting, but it has been utilized for audit evidence collection to be able to do SOX compliance from Microsoft Sentinel logs.
Microsoft Sentinel has the ability to enhance some of the features that we already have. It allows our team to see some additional threat vectors.
The MITRE ATT&CK-based recommendations within Microsoft Sentinel are paramount for helping our customers understand where they're seeing threats and the part of the framework. We are able to catch threats faster instead of waiting for breach notifications. Microsoft Sentinel drastically reduces the impact of any type of breach.
What is most valuable?
Microsoft Sentinel is cloud native, which is a significant advantage. The data connectors that provide the ability to connect third-party log sources are highly valuable. The overall visibility that Microsoft Sentinel provides into the environments across multiple clouds and platforms on the ground is beneficial. It's a comprehensive solution and ties back into the Defender XDR holistic security platform.
A great thing with Microsoft Sentinel is that we have the ability to pull in third-party log sources as well as the Microsoft native logs. With that, we can create a complete story for the customers. We can see, with full transparency, the attack path and the movements that the bad actors have made. We can see not only what was impacted, but what has the potential to be impacted at a later date, and create additional hardening steps.
What needs improvement?
Driving deeper integration with the Defender XDR portal within Microsoft Sentinel, which is being done, and continuing to increase the number of third-party data connectors available is important. Multi-tenancy is also a current focus.
They should continue to integrate the components of Microsoft Sentinel and work to make a holistic component. They should continue to improve log ingestion across multi-cloud platforms.
For how long have I used the solution?
We've been utilizing Microsoft Sentinel for a little over three years.
What do I think about the stability of the solution?
It has been working very smoothly irrespective of different uses.
What do I think about the scalability of the solution?
We have been able to scale Microsoft Sentinel as our needs grow.
How are customer service and support?
Their support can be challenging at times, particularly around unique experiences or circumstances with Microsoft Sentinel. The documentation requires specific knowledge to locate. Once familiar with the system, it becomes very straightforward, though the documentation could be streamlined and made easier to navigate.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
Before choosing Microsoft Sentinel, we had used QRadar. With Microsoft Sentinel, we're able to utilize multi-tenancy better. It's in a single instance within our environment, which doesn't necessarily correlate to transparency and data ownership for our customers. By allowing us to use Microsoft Sentinel within the customer's environments and utilize Lighthouse access to gain visibility into that, it allows our customers to have full transparency into what our team is doing, along with their existing staff, and it also retains data ownership for the customer.
How was the initial setup?
We were able to deploy Microsoft Sentinel through infrastructure as code, and we do a Terraform deployment which allows us to deploy and configure the main components of Microsoft Sentinel, all of them managed for our customers.
What was our ROI?
The biggest return on investment when using Microsoft Sentinel is customer stickiness, customer engagement, and the ability to leverage existing Microsoft investments that the customer already owns to be able to deploy Microsoft Sentinel in their environments.
What's my experience with pricing, setup cost, and licensing?
Pricing for Microsoft Sentinel could always be lower, but it's workable. The ingestion costs for the data analytics are usually the highest cost, but the licensing per Microsoft Sentinel is fairly straightforward and transparent.
Which other solutions did I evaluate?
We did consider other solutions before choosing Microsoft Sentinel. We wanted to make sure that we chose a cloud-native solution, and we feel that with the hyperscale data, it provides the best value for price by far.
What other advice do I have?
I would rate Microsoft Sentinel an eight out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partnership
senior cyber security at a tech services company with 201-500 employees
Unified security operations streamline monitoring and incident management
Pros and Cons
- "The best feature of Microsoft Sentinel is its ability to unify all dashboards or functions into one modern SecOps dashboard."
- "The pricing tiers of Microsoft Sentinel should be improved. There are complexities in calculating the right pricing tier for different customers, which makes it difficult for me as a consultant during upfront pricing."
What is our primary use case?
I use Microsoft Sentinel for security incident management, monitoring, and incident tracking in the security environment. My clients use it to unify and monitor their entire ecosystem in the security sector using either Microsoft or other security products. This enables them to correlate all incidents and logs into Microsoft Sentinel.
What is most valuable?
The best feature of Microsoft Sentinel is its ability to unify all dashboards or functions into one modern SecOps dashboard. This integration means that I do not need to check multiple dashboards for security operations, offering seamless integration with the Microsoft ecosystem. The pre-built detection analytics and the ability to create custom detection rules more easily than some other solutions are also highly valuable. Additionally, the ability of Microsoft Sentinel to correlate data from multiple sources enhances threat detection capabilities.
What needs improvement?
The pricing tiers of Microsoft Sentinel should be improved. There are complexities in calculating the right pricing tier for different customers, which makes it difficult for me as a consultant during upfront pricing. Additionally, I would like to see more out-of-the-box data collectors to connect to proprietary systems in future versions.
For how long have I used the solution?
I have been working with Microsoft Sentinel for around two years.
What was my experience with deployment of the solution?
The cloud deployment of Microsoft Sentinel is very straightforward and one of the easiest I have worked with. It integrates quickly if all the requirements are prepared. This is different from other SIEM solutions, which require more complex processes like preparing hardware and finding the right server size. In 10 to 15 minutes, it can be set up with a proxy server, and logs are automatically integrated, allowing for fast deployment without additional software installation.
What do I think about the stability of the solution?
Microsoft Sentinel is quite stable. However, some of the data connectors can become deprecated, requiring reconnection. I need to be aware of deprecated connectors as they may disconnect, but the data continues to be sent with a need for quick adaptation.
What do I think about the scalability of the solution?
Being a SaaS solution, the scalability of Microsoft Sentinel is robust. I do not need to manage resources, and the open infrastructure allows for scalable usage.
How are customer service and support?
As a consultant, I rate the quality of service for technical support a seven out of ten. The response is usually quick, especially through live chat, and further support is provided through email or remote assistance if needed.
How would you rate customer service and support?
Neutral
Which solution did I use previously and why did I switch?
I have experience with other SIEM solutions, including Azure and other major players in the security market. With Microsoft Sentinel, the ease of building detection rules and correlation queries is more straightforward than other tools like Splunk.
How was the initial setup?
The initial setup is very simple and fast with Microsoft Sentinel, requiring only a small virtual machine as a proxy server. There is no need for complex hardware setups, unlike other SIEM solutions.
What was our ROI?
Calculating the ROI of Microsoft Sentinel can be challenging. If a customer is already using Microsoft’s ecosystem, the ROI can be positive due to seamless integration. For those without significant Microsoft usage, the cost may be high, leading to a lower ROI.
What's my experience with pricing, setup cost, and licensing?
The pricing tiers and associated complexities of Microsoft Sentinel can be cumbersome. Setting up the right cost model for customers is intricate, requiring careful consideration of various components and licensing tiers.
Which other solutions did I evaluate?
I have also worked with solutions like Splunk and other SIEMs in the security market.
What other advice do I have?
There are some issues with data connectors being deprecated and the lack of immediate replacements being available. However, the solution remains user-friendly and efficient for those within the Microsoft ecosystem. Overall, I rate Microsoft Sentinel an 8.5 out of ten.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
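An added example of the kind of custom detection rule this reviewer refers to building in Sentinel (it is not the reviewer's code or a Microsoft-supplied rule): a scheduled analytic rule query that flags an account with many failed sign-ins followed by a success inside the same window. It assumes Microsoft Entra ID sign-in logs are flowing into the SigninLogs table; the threshold and window are illustrative values to be tuned per tenant.

```kql
// Added example (not from the review): scheduled analytic rule query for
// "burst of failures, then a success" on a single account within one hour.
// Assumes Entra ID sign-in logs are ingested into SigninLogs.
let failureThreshold = 10;   // illustrative; tune per tenant
let window = 1h;             // keep equal to the rule's lookback period
SigninLogs
| where TimeGenerated > ago(window)
| extend Success = (ResultType == "0")          // "0" is a successful sign-in
| summarize
    Failures     = countif(not(Success)),
    Successes    = countif(Success),
    FirstFailure = minif(TimeGenerated, not(Success)),
    FirstSuccess = minif(TimeGenerated, Success),
    SourceIPs    = make_set(IPAddress, 10),
    Apps         = make_set(AppDisplayName, 5)
    by UserPrincipalName
| where Failures >= failureThreshold and Successes > 0
| where FirstSuccess > FirstFailure              // success came after the failures
| extend AccountEntity = UserPrincipalName,
         IPEntity      = tostring(SourceIPs[0])
| project UserPrincipalName, Failures, Successes, FirstFailure, FirstSuccess,
          SourceIPs, Apps, AccountEntity, IPEntity
```

When saving this as a scheduled rule, set the run frequency and lookback both to one hour so they match `window`, map AccountEntity to the Account entity and IPEntity to the IP entity so incidents are enriched for investigation, and tag the MITRE tactic as Credential Access. Grouping incidents by UserPrincipalName keeps a single noisy account from producing one incident per run.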
President at Trustsec Inc.
Leverage cloud capabilities and automate security tasks while exploring data quality improvements
Pros and Cons
- "Some of the best features of Microsoft Sentinel are that it is cloud-based, which from a CapEx perspective saves clients money in procuring on-premises infrastructure."
What is our primary use case?
My recent experience with Microsoft Sentinel involves my current work at another Government of Canada client where we are rolling out Microsoft Sentinel as their SIEM product of choice. In doing so, we are looking at connectors and data sources that we are going to be ingesting into Microsoft Sentinel. We are also examining the determination of whether it makes sense to look at a LAW or a Log Analytics Workspace on a per-subscription basis versus an aggregated approach where it is one subscription, but we are ingesting data from many different sources. It comes down to how much data has to be parsed by Microsoft Sentinel and what the volume is because you are paying essentially for Microsoft Sentinel to ingest the data. These are the analytical discussions taking place right now.
What is most valuable?
Some of the best features of Microsoft Sentinel are that it is cloud-based, which from a CapEx perspective saves clients money in procuring on-premises infrastructure. It proves to be a dynamic tool because we use it for not just IaaS related resources, but also for SaaS related resources. Additionally, we have some on-premises infrastructure that will be feeding Microsoft Sentinel log data as well. Looking at it as a SaaS tool makes it easier to leverage, procure, and configure without the need to be concerned about buying hundreds of thousands of dollars in gear from a CapEx perspective.
The automated response capability in Microsoft Sentinel enhances our security posture quite beneficially from a SOAR perspective. One of the things that we are looking to do is alleviate some of the day-to-day actions and functionalities from our SOC personnel. Anything that can be automated from an investigative or event-related perspective is helpful. Microsoft Sentinel is a great example of a SOAR tool, and that is the intent for the current client; they want to be able to automate as many of these functionalities as possible.
What needs improvement?
To improve Microsoft Sentinel currently, focusing on the quality of the telemetry is essential. The data sources are critical, so understanding where they are located, how much there is, and what kind of telemetry is coming in from these data sources is vital. We are looking to reduce the amount of non-critical data; it is important to ensure that the quality of the log data ingested by Microsoft Sentinel is high.
The government deals with international entities, so it is necessary to ensure from a threat hunting and workbook perspective that if suspicious event information is generated by Microsoft Sentinel, there is good quality telemetry and understanding of where this is coming from and what kind of alerts are being generated. It is about being able to use as many features of the tool as possible and making sure that with these connectors in place, the quality of the data sources is high.
For how long have I used the solution?
We are currently implementing Microsoft Sentinel.
How are customer service and support?
We have dealt with Microsoft support, and I would rate their support highly. We have good relations with the Microsoft resources in Ottawa, and the account manager we have dealt with is leading our efforts. We have to speak to what is referred to as one of the support ninjas, who is our point of contact. He has been very helpful, and where needed, we have been directed to other support resources, so overall it works well.
How would you rate customer service and support?
Positive
How was the initial setup?
The initial setup of Microsoft Sentinel is a gradual iterative process for this case. There is the initial deployment of Microsoft Sentinel itself, setting up the Log Analytics Workspace, and then going through the configuration again, looking at what we want the tool to ingest.
We have a Power Platform tenant, so we are pulling in SaaS data from the Power Platform tenant. We do have an IaaS environment as well, so there will be some endpoints and other services that we will be pulling data in from that. Additionally, the majority of our applications are located on-premises, so we will be ingesting on-premises log data as well. This is done through an Event Hub, where you set up an Event Hub to ingest that on-premises data, which gets repackaged through an API call and sent to Microsoft Sentinel.
With those three environments actively generating log data, the full deployment of Microsoft Sentinel is realized over time. We have SOC personnel that are not highly knowledgeable about the tool, which is why it is taking more time to ensure that the configurations are correct and appropriate while tracking costs. At the end of the day, we want to use as many features of the tool as possible, and I estimate that over a year, maybe a year and a half timeframe, we will go from the initial setup to a fully blown deployment with all of the connectors in place and all of the threat hunting configuration done; it is a gradual process.
What other advice do I have?
The AI is helping us improve threat detection from a generative perspective, although not yet from an agentic perspective. When looking to leverage LLMs for various tasks and for seeking information, it is great. However, given where we are in the deployment lifetime for the tool, we are not really leveraging AI as it is incorporated into the tool yet, such as looking for various analytics and data sources and suspicion around those data sources. That functionality will come, but it certainly is helpful when looking for information right now. I rate Microsoft Sentinel 8 out of 10.
Which deployment model are you using for this solution?
On-premises
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Cybersecurity Engineer at General Motors
Improves our visibility, centralizes out-of-the-box content, and is user-friendly
Pros and Cons
- "Microsoft Sentinel stands out among SIEM tools for its user-friendliness and powerful built-in query language."
- "Microsoft Sentinel's search efficiency can be improved, especially for queries spanning large datasets or long timeframes like 90 days compared to competitors like Splunk."
What is our primary use case?
In our Security Operations Center, we rely on Microsoft Sentinel for continuous security monitoring. We collect logs from various customer environments and define security use cases with correlation rules to analyze activities. These rules leverage predefined criteria to identify potential malicious behavior. Microsoft Sentinel serves as our central platform for security monitoring, investigation, and remediation of security threats detected through alerts.
The biggest challenge in security monitoring is managing the vast amount of logs generated daily from various devices like web servers and firewalls. Microsoft Sentinel tackles this by collecting all logs in a central location and allowing us to define rules. Using its query language, we can search across these logs for specific conditions, like malicious activity. If a suspicious event is identified, Sentinel generates an immediate security alert, enabling our team to investigate and take appropriate action to stop potential attacks.
How has it helped my organization?
Microsoft Sentinel helps us identify security threats through built-in machine learning. It analyzes network traffic patterns and can detect anomalies, like unusually high data transfers outside typical hours. These anomalies trigger alerts, allowing for early intervention.
Microsoft Sentinel shines in its ability to bridge hybrid and multi-cloud environments. It seamlessly integrates with on-premises infrastructure through Azure Arc, and even private clouds can be connected via Azure Gateway and a VPN to the Azure Log Analytics workspace. This unified approach ensures all our security data, regardless of origin, is ingested and analyzed for potential threats.
Microsoft recently launched Content Hub, a marketplace for pre-configured security solutions within Azure Sentinel. Unlike our previous experience setting up data connectors a few years ago, Content Hub offers a one-stop shop for integrating security tools. When we choose a data connector, we also get pre-built correlation rules, playbooks, and workbooks – all packaged together for faster and more effective security monitoring. The content hub streamlines onboarding pre-built SIEM content, especially during the initial SOC setup. When starting fresh with a new environment and unsure of specific use cases, we can search for relevant data sources in the hub. Once integrated, the content hub provides pre-configured rules alongside those connectors. Simply enabling these rules offers substantial coverage for our MITRE ATT&CK mapping, a framework that assesses our ability to detect various attack techniques. By leveraging these out-of-the-box tools, we gain significant initial security coverage with minimal effort.
The content hub helps us centralize all of the out-of-the-box content available from Sentinel.
Sentinel acts as a central hub, bringing together information from various sources, both internal (first-party) and external (third-party), into a single, unified view. This allows us to analyze logs stored in different tables, regardless of their naming conventions. By defining correlation rules, Sentinel can examine specific activities across these disparate sources. For example, we could create a rule that checks firewall logs for suspicious activity and then correlates it with specific user actions in Windows device logs, providing a more comprehensive picture of potential security incidents.
Sentinel improves our visibility into user and network behavior through a feature called User Entity Behavior Analytics. This leverages Microsoft's machine learning to analyze user and device activity. If we're investigating multiple security incidents involving a user or device, UEBA provides a broader view. We can directly access the user's history of incidents and visualize their connections to other alerts and impacted devices in a graph format. This allows for efficient investigation of complex incidents impacting multiple users and devices.
Microsoft Sentinel streamlines security incident investigation. The incident page clearly displays involved entities and details of triggered alerts, including logs. This allows SOC analysts to quickly assess the situation and potentially predict the nature of the activity, even before diving into event logs. Sentinel's powerful query language further simplifies investigation by enabling easy data visualization, formatting, and custom functions, all within various timeframes. This significantly accelerates the overall investigation process.
Sentinel has streamlined our event investigation process. By allowing us to predefine keyword queries for specific alerts, it eliminates the need to manually craft queries each time. Similar to how SOCs use pre-defined playbooks for various incidents, Sentinel lets us define queries that return relevant data quickly. This cuts down on investigation time by allowing us to focus on the specific alert and the data it generates.
What is most valuable?
Microsoft Sentinel stands out among SIEM tools for its user-friendliness and powerful built-in query language. This language, included at no additional cost, allows for easy data collection, sorting, formatting, and visualization, making it accessible even to non-experts. Additionally, its seamless integration with other Azure products eliminates the need for custom parsing logic, saving time and resources.
What needs improvement?
Microsoft Sentinel's search efficiency can be improved, especially for queries spanning large datasets or long timeframes like 90 days compared to competitors like Splunk. While Sentinel might take several minutes to return results for such investigations, Splunk queries are significantly faster.
For how long have I used the solution?
I have been using Microsoft Sentinel for two years.
What do I think about the stability of the solution?
Since the entire Azure Sentinel analytics workspace resides within the Azure environment, we've never experienced lag or downtime. This is because Microsoft handles all data storage, hosting, and infrastructure maintenance. As a result, we're relieved of those burdens and haven't encountered any Sentinel downtime.
What do I think about the scalability of the solution?
Microsoft Sentinel's cloud-based deployment on Azure allows it to scale automatically. This likely involves built-in load-balancing mechanisms that distribute processing across different Azure resources when needed. This ensures Sentinel can handle increased workloads without manual intervention.
How was the initial setup?
While I wasn't involved in deploying Microsoft Sentinel myself, I did help configure and set it up on our end. The initial setup process wasn't particularly simple, but it wasn't overly complex either.
While the user interface in Azure simplifies the deployment process of Microsoft Sentinel, some architectural knowledge is still necessary. The initial configuration might involve just a few selections, but deciding on the deployment architecture, data replication, workspace locations, etc. requires experience. This prior experience, however, should make integration with existing systems smoother. Three people on average are required for the initial deployment.
What about the implementation team?
Our Microsoft Sentinel implementation approach depended on available time. For complex deployments, we handled it directly. In time-sensitive situations, we collaborated with teams managing the devices, providing them with implementation steps and troubleshooting support as needed.
What's my experience with pricing, setup cost, and licensing?
While I wasn't involved with the specifics of Microsoft Sentinel's pricing, my understanding is it scales based on data ingestion. This means we only pay for the amount of data we bring in, which is fair. However, if a device generates excessive data like hundreds of GBs daily, investigating the cause becomes crucial to avoid unnecessary costs. In most cases though, the pay-as-you-go model shouldn't be an issue.
What other advice do I have?
I would rate Microsoft Sentinel eight out of ten. I've tried Splunk, QRadar, and Azure Sentinel. While Splunk requires knowledge of SPL for deeper exploration and QRadar's query language isn't powerful, Azure Sentinel strikes a great balance. It offers a user-friendly interface for basic investigations without needing a query language but also allows for custom queries and visualizations for advanced users. This makes it the most versatile of the three.
Splunk requires users to learn SPL for full functionality, making it less accessible for basic investigations. Conversely, Microsoft Sentinel's intuitive UI allows even those without KQL knowledge to conduct basic security analysis through its built-in features and informative interface.
Because our service is hosted on Microsoft's cloud, they completely manage all maintenance tasks, freeing us from infrastructure management responsibilities.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
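The review above describes two things a KQL analytic rule can do: flag an anomaly such as an unusually large transfer outside typical hours, and correlate that firewall activity with user actions recorded in Windows event logs on the same host. The query below is an added example written for this page, not the reviewer's own rule and not Microsoft-provided content. It uses `datatable` literals as constructed stand-ins for the `CommonSecurityLog` (firewall) and `SecurityEvent` (Windows) tables, a constructed `Assets` lookup mapping host IP to computer name (in a live workspace the `Heartbeat` table's `ComputerIP` column or a CMDB export would play that role), and assumed values for the byte threshold and business hours.

```kql
// Constructed sample rows standing in for CommonSecurityLog (firewall). Not real customer data.
let Firewall = datatable(TimeGenerated:datetime, DeviceVendor:string, DeviceAction:string,
                         SourceIP:string, DestinationIP:string, DestinationPort:int, SentBytes:long)
[
    datetime(2024-05-01 02:10:00), "Palo Alto Networks", "allow", "10.0.1.25", "203.0.113.50", 443, 85000000,
    datetime(2024-05-01 02:12:00), "Palo Alto Networks", "allow", "10.0.1.25", "203.0.113.50", 443, 92000000,
    datetime(2024-05-01 02:15:00), "Palo Alto Networks", "deny",  "10.0.1.25", "203.0.113.51", 22,  0,
    datetime(2024-05-01 09:00:00), "Palo Alto Networks", "allow", "10.0.1.40", "198.51.100.7", 443, 1200
];
// Constructed sample rows standing in for SecurityEvent (process creation, EventID 4688).
let WinEvents = datatable(TimeGenerated:datetime, Computer:string, EventID:int, Account:string,
                          NewProcessName:string, CommandLine:string)
[
    datetime(2024-05-01 02:08:30), "WS-025", 4688, @"CORP\jdoe",
        @"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -enc SQBFAFgA",
    datetime(2024-05-01 02:09:10), "WS-025", 4688, @"CORP\jdoe",
        @"C:\Users\jdoe\AppData\Local\Temp\rclone.exe", "rclone.exe copy C:\Finance remote:drop",
    datetime(2024-05-01 08:55:00), "WS-040", 4688, @"CORP\asmith",
        @"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE"
];
// Constructed host-IP-to-computer mapping (assumption: in production derive this from Heartbeat/ComputerIP).
let Assets = datatable(IP:string, Computer:string) [ "10.0.1.25", "WS-025", "10.0.1.40", "WS-040" ];
let Threshold = 100000000;          // assumed: 100 MB to one external destination within one hour
// Step 1: the anomaly. Sum outbound bytes per (source, destination) per hour, keep only
// large transfers to non-private addresses outside an assumed 07:00-19:00 working day.
let SuspiciousFlows = Firewall
    | where DeviceAction == "allow"
    | where not(ipv4_is_private(DestinationIP))
    | summarize TotalBytes = sum(SentBytes), FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
        by SourceIP, DestinationIP, Window = bin(TimeGenerated, 1h)
    | where TotalBytes > Threshold
    | where hourofday(Window) < 7 or hourofday(Window) >= 19
    | join kind=inner Assets on $left.SourceIP == $right.IP
    | project Window, SourceIP, Computer, DestinationIP, TotalBytes, FirstSeen, LastSeen;
// Step 2: the correlation. Pull process creations on the same host in the 30 minutes before
// the transfer started up to when it ended, keeping only processes launched from user-writable
// paths or with encoded PowerShell command lines.
SuspiciousFlows
| join kind=inner (
    WinEvents
    | where EventID == 4688
    | where NewProcessName has_any ("Temp", "AppData") or CommandLine contains "-enc"
    | project ProcTime = TimeGenerated, Computer, Account, NewProcessName, CommandLine
  ) on Computer
| where ProcTime between ((FirstSeen - 30m) .. LastSeen)
| project Window, Computer, SourceIP, DestinationIP, TotalBytes, Account, NewProcessName, CommandLine, ProcTime
```

To turn this into a live analytics rule, replace the two `datatable` blocks with `CommonSecurityLog` and `SecurityEvent`, add a `TimeGenerated > ago(...)` filter on each, and map `Computer`, `Account` and `DestinationIP` to entities so the incident page shows them. The constructed rows are arranged so that only the WS-025 transfer at 02:00 satisfies both steps; the 09:00 row is small and inside working hours, and the denied connection never counts towards the byte total.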
Architect at a wholesaler/distributor with 201-500 employees
Centralized logging and integrations enhance threat detection and cost efficiency
Pros and Cons
- "Microsoft Sentinel's ability to correlate data from multiple sources has enhanced my threat detection capabilities beyond what simple data lake solutions offer."
- "The integration between them is good and straightforward, the documentation is excellent, and we do not have any problems."
- "In terms of improvements, pricing, licensing, and overall cost could be better."
What is our primary use case?
Our use cases for Microsoft Sentinel are SIEM and logging for any activity. We have been having some issues and we are using this logging for that purpose.
I am using Microsoft Sentinel for threat intelligence and threat hunting, and it is definitely helping us.
We did not have centralized logging in place, and Microsoft Sentinel has definitely helped us instead of having to spin up our own centralized logging, which is not scalable. Microsoft Sentinel has many integrations that help us with threat hunting and reduce the amount of effort needed from our end.
How has it helped my organization?
We're using it for threat intelligence and threat hunting and it's definitely been helping.
What is most valuable?
The most valuable feature I have found in Microsoft Sentinel is logging. Microsoft Sentinel collects everything, and it is a centralized place for logging management.
It performs its functions in an efficient way for me.
Microsoft Sentinel's ability to correlate data from multiple sources has enhanced my threat detection capabilities beyond what simple data lake solutions offer. You can tie in with Defender intelligence and that really helps us. We want to see all activity going on.
I evaluate the integration of security functionalities such as SIEM, SOAR, TIP, UBA, and Microsoft Sentinel as good. The integration between them is good and straightforward, the documentation is excellent, and we do not have any problems. I foresee it having a positive impact.
With regards to MITRE ATT&CK, the recommendations from Microsoft Sentinel are really helpful for us to go back and remediate any recommendations.
The SOC optimization feature has impacted our organization's data management and cost efficiency significantly. It brings substantial savings compared to using different products, such as Splunk for SIEM and having another product for gathering intelligence. With the Microsoft platforms that we have, the integration is straightforward, which is definitely a cost savings for us instead of trying to get different product lines from different vendors.
The impact that Microsoft Sentinel has had on our organization's advanced hunting capabilities is significant. We depend on centralized logging for partnering with other providers, and we also use CrowdStrike. For threat hunting, we have seen issues where there were lateral movements, and for identifying those malicious sources and containing them, it has been definitely helpful.
What needs improvement?
In terms of improvements, pricing, licensing, and overall cost could be better.
For how long have I used the solution?
We've used the solution for one and a half months.
What do I think about the stability of the solution?
I assess the stability and reliability of Microsoft Sentinel as good. We have not had any issues.
What do I think about the scalability of the solution?
Microsoft Sentinel scales as our needs grow without any problems. We are a very small organization, so it fits our needs.
How are customer service and support?
I would evaluate the customer support and technical support I received from Microsoft as very good. It is very responsive, and I really appreciate the documentation that is available online.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
In the past, with a different organization, I used Splunk prior to using Microsoft Sentinel. The interface is not as simple as Microsoft Sentinel; it has its own query language, and Microsoft Sentinel is more straightforward. We also use CrowdStrike.
How was the initial setup?
The deployment was straightforward.
What was our ROI?
We have seen an ROI. Essentially, we didn't have centralized logging before. This has helped us substantially. Spinning up your own centralized logging is not really scalable. It's helped with threat hunting and has reduced the amount of effort on our end.
What's my experience with pricing, setup cost, and licensing?
The pricing is a bit high.
Which other solutions did I evaluate?
Splunk was the other solution I was evaluating prior to picking Microsoft Sentinel.
I decided to go with Microsoft Sentinel as opposed to Splunk. Splunk has gone through a change. It has just been acquired by Cisco, and we do not know how the experience is going to be. There could be a transformation in their product line.
What other advice do I have?
On a scale of one to ten, I would rate Microsoft Sentinel as a product overall as nine.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
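The reviewer mentions using Sentinel's hunting capability to identify the source of lateral movement. The query below is an added example for this page, not the reviewer's query and not Microsoft-provided content. It shows one common hunting pattern for that problem: compare how many distinct hosts an account reached over the network in the last hour against that account's own historical fan-out, so that a service account that legitimately touches many servers is not flagged while a workstation user who suddenly reaches six servers in ten minutes is. It uses a `datatable` literal as a constructed stand-in for `SecurityEvent` logon records (EventID 4624, network and RemoteInteractive logon types), a pinned evaluation time so the sample is reproducible, and assumed values for the lookback, baseline window and minimum target count.

```kql
// Constructed sample rows standing in for SecurityEvent (EventID 4624). Not real customer data.
let Logons = datatable(TimeGenerated:datetime, Computer:string, EventID:int, LogonType:int,
                       Account:string, IpAddress:string, WorkstationName:string)
[
    // Baseline period: a backup service account that reaches one server a day.
    datetime(2024-04-20 10:00:00), "SRV-FILE01", 4624, 3,  @"CORP\svc-backup", "10.0.2.10", "BKP01",
    datetime(2024-04-21 10:00:00), "SRV-FILE02", 4624, 3,  @"CORP\svc-backup", "10.0.2.10", "BKP01",
    datetime(2024-04-22 10:00:00), "SRV-FILE01", 4624, 3,  @"CORP\svc-backup", "10.0.2.10", "BKP01",
    // Baseline period: a user who occasionally RDPs to one jump host.
    datetime(2024-04-28 09:15:00), "JUMP01",     4624, 10, @"CORP\jdoe",       "10.0.1.25", "WS-025",
    // Detection window: the same user reaches six servers within ten minutes from the workstation.
    datetime(2024-05-01 02:20:00), "SRV-FILE01", 4624, 3,  @"CORP\jdoe",       "10.0.1.25", "WS-025",
    datetime(2024-05-01 02:21:00), "SRV-FILE02", 4624, 3,  @"CORP\jdoe",       "10.0.1.25", "WS-025",
    datetime(2024-05-01 02:22:00), "SRV-DB01",   4624, 3,  @"CORP\jdoe",       "10.0.1.25", "WS-025",
    datetime(2024-05-01 02:24:00), "SRV-DB02",   4624, 3,  @"CORP\jdoe",       "10.0.1.25", "WS-025",
    datetime(2024-05-01 02:27:00), "SRV-APP01",  4624, 3,  @"CORP\jdoe",       "10.0.1.25", "WS-025",
    datetime(2024-05-01 02:29:00), "DC01",       4624, 3,  @"CORP\jdoe",       "10.0.1.25", "WS-025"
];
let Now = datetime(2024-05-01 03:00:00);   // pinned for the sample; use now() in a scheduled rule
let Lookback = 1h;                          // assumed detection window
let BaselineDays = 14d;                     // assumed baseline period
let MinTargets = 4;                         // assumed floor so two-host admin sessions do not alert
// Baseline: the most distinct hosts each (account, source IP) pair reached in any single day
// of the baseline period, excluding the detection window itself.
let Baseline = Logons
    | where TimeGenerated between ((Now - BaselineDays) .. (Now - Lookback))
    | where EventID == 4624 and LogonType in (3, 10)
    | summarize DailyTargets = dcount(Computer) by Account, IpAddress, Day = bin(TimeGenerated, 1d)
    | summarize BaselineMaxTargets = max(DailyTargets) by Account, IpAddress;
// Detection: fan-out in the last hour, compared against the pair's own baseline.
Logons
| where TimeGenerated > (Now - Lookback)
| where EventID == 4624 and LogonType in (3, 10)
| summarize Targets = make_set(Computer), TargetCount = dcount(Computer),
            FirstLogon = min(TimeGenerated), LastLogon = max(TimeGenerated)
    by Account, IpAddress, WorkstationName
| join kind=leftouter Baseline on Account, IpAddress
| extend BaselineMax = coalesce(BaselineMaxTargets, long(0))   // never seen before counts as zero
| where TargetCount >= MinTargets and TargetCount > 2 * BaselineMax
| project FirstLogon, LastLogon, Account, IpAddress, WorkstationName,
          TargetCount, BaselineMax, Targets, Span = LastLogon - FirstLogon
```

The `Targets` set and the source `IpAddress`/`WorkstationName` are what an analyst needs to contain the pivot point: isolate the source host and check each listed target for persistence. Against the live `SecurityEvent` table, replace the `datatable` with the table name, swap `Now` for `now()`, and consider excluding known scanner or monitoring accounts by name before the first `summarize`.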
Chief Operating Officer at a tech services company with 51-200 employees
Managed security service scales operations efficiently and saves costs through advanced integrations
Pros and Cons
- "Microsoft Sentinel's ability to correlate data from multiple sources has improved our capability significantly."
- "In New Zealand, there are customers that run dual stack, running Microsoft but also competitor products, EDR software, cloud security software, and other tooling. While it's improved over the last four or five years, there's still more work that can be done to integrate better outside of the Microsoft ecosystem."
What is our primary use case?
As a managed security service provider, we have a managed security service that we provide to customers, and our managed services are often built on Microsoft Sentinel.
How has it helped my organization?
Our managed SOC is based on Microsoft Sentinel, and a key benefit is that we've been able to take customers' investments, especially in E5 licensing, and make that investment stretch further than they would have had they gone to a competitor's product. This helps organizations drive and uplift their cyber resilience in a cost-effective manner.
For us, customer retention is key, and we can articulate value about the services we provide because the backend services and Microsoft Sentinel itself do the job for us. The benefit lies in customer retention, keeping our costs down, and providing value to customers by making every dollar they invest go further.
What is most valuable?
Microsoft Sentinel was the first real cloud-native SIEM solution, and it integrates into an ecosystem around Microsoft and the entire stack with all of the other vendor products. I appreciate that we can get the free ingestion from the Microsoft ecosystem into Microsoft Sentinel, which works really well for us.
Microsoft Sentinel's ability to correlate data from multiple sources has improved our capability significantly. We have used other SIEM products and data lake products outside of Microsoft Sentinel, and it's evident that what you get out of Microsoft Sentinel and the ability to enrich the data with threat intelligence and correlate over various sources provides better detection capabilities, better response times, and more assurance of security. In the five years that we've had the product in market as a managed service offering, we've not missed anything, demonstrating a strong track record.
The automation feature in Microsoft Sentinel has been amazing and has significantly affected our team's efficiency in handling security incidents. As a managed security partner, we've effectively been able to triple our customer base but only had to increase headcount by 15% to 20%. The built-in integrations and automation allow us to scale and have more coverage and greater capabilities without the corresponding increase in headcount.
The integration of security functionalities such as SIEM, SOAR, TIP, and UEBA in Microsoft Sentinel is robust. The ecosystem is very integrated together within Microsoft.
Microsoft Sentinel's SOC automation and optimization feature has significantly impacted our company's data management and cost efficiency. We operate as a provider, using the product both ourselves and for our customers. We've completed substantial optimization work around ingestion and cost optimization, and some of our customers have saved up to 300% to 400% compared to their original budgets.
Microsoft Sentinel has had an exceptional impact on our company's and customers' advanced hunting abilities. The integrations and automations natively built into the system help us perform retrospective threat hunting. We now have the capability of utilizing threat intelligence provided by the government in New Zealand, allowing us to take indicators of compromise and pass them directly into Microsoft Sentinel and the Defender suite, which moves us from a reactive to a proactive security stance.
The time saved per incident in Microsoft Sentinel has reduced by more than half compared to five years ago. We're able to handle more customers and incidents simultaneously, with detection and remediation times decreasing. With the investments we're making around Microsoft Security Copilot and AI, that efficiency is expected to improve further.
Using the MITRE ATT&CK framework has enhanced our security posture by providing a way to align to a framework that helps contextualize and explain why security threats are relevant and how they can manifest in the environment. It offers a common language for our analysts to communicate across all of our customers on the service, focusing on the TTPs that threat actors would use to undertake an attack or compromise in the customer's environment.
What needs improvement?
The three challenges we have are outside of the Microsoft ecosystem. In New Zealand, there are customers that run dual stack, running Microsoft but also competitor products, EDR software, cloud security software, and other tooling. While it's improved over the last four or five years, there's still more work that can be done to integrate better outside of the Microsoft ecosystem.
Microsoft Sentinel is on the right track in terms of improvements. Being part of a Microsoft partner security association in New Zealand gives us access to information about product roadmaps and developments. The only recommendation, rather selfishly as an MSSP, is for a model where MSSPs can take Microsoft Sentinel and deliver it at scale to customers under a licensing construct.
To improve Microsoft Sentinel further, providing better options for long-term retention and storage of non-Microsoft logs is important for our customers. There is always a cost element there, and for us as an MSSP partner, being able to differentiate our service using the platform through a licensing construct specifically for MSSP partners would be beneficial.
For how long have I used the solution?
We've been using Microsoft Sentinel ever since it came out in Purview, approximately five years now.
What do I think about the stability of the solution?
Microsoft Sentinel has been amazing in terms of stability and reliability, as we haven't had any issues with it.
What do I think about the scalability of the solution?
While Microsoft Sentinel scales effectively from a technical standpoint, it could be improved in terms of being more suited for MSSP partners with regard to licensing construct.
How are customer service and support?
I have never had to use Microsoft Sentinel's customer service or technical support officially, however, the teams I have reached out to have been excellent. I've never received any bad responses or feedback.
How would you rate customer service and support?
Positive
What was our ROI?
I have definitely seen a return on investment when using Microsoft Sentinel, though it's difficult to quantify in dollar terms, considering security cannot be given a precise value.
From a risk perspective, it's about mitigating risk, and as mentioned earlier, we haven't missed many things since we've had the offering in market—only a couple of minor incidents.
What's my experience with pricing, setup cost, and licensing?
I was more familiar with Microsoft Sentinel's pricing, setup costs, and licensing many years ago, and in my current role, I'm not as involved with these aspects.
What other advice do I have?
On a scale of one to ten, this solution rates as a nine.
Which deployment model are you using for this solution?
Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
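The reviewer describes taking indicators of compromise from a national threat-intelligence feed and passing them into Sentinel so they can be matched against customer telemetry. The query below is an added example for this page, not the reviewer's rule and not Microsoft-provided content; it shows the matching step once the indicators have landed in the workspace. It uses `datatable` literals as constructed stand-ins for `ThreatIntelligenceIndicator` (columns simplified to `NetworkIP`, `DomainName`, `Active`, `ExpirationDateTime`, `ConfidenceScore`), for firewall connection records and for DNS query records; the evaluation time, the confidence cut-off and the two indicator types covered are assumptions.

```kql
// Constructed indicators standing in for ThreatIntelligenceIndicator. Not a real feed.
let Indicators = datatable(TimeGenerated:datetime, IndicatorId:string, NetworkIP:string, DomainName:string,
                           Active:bool, ExpirationDateTime:datetime, ConfidenceScore:int, Description:string)
[
    datetime(2024-04-30 08:00:00), "ioc-001", "203.0.113.50", "",             true,  datetime(2024-06-01), 90, "Exfiltration server (constructed)",
    datetime(2024-04-30 08:00:00), "ioc-002", "",             "evil.example", true,  datetime(2024-06-01), 75, "C2 domain (constructed)",
    datetime(2024-04-01 08:00:00), "ioc-003", "198.51.100.7", "",             false, datetime(2024-04-15), 60, "Expired indicator (constructed)",
    datetime(2024-04-30 09:00:00), "ioc-001", "203.0.113.50", "",             true,  datetime(2024-06-01), 95, "Same indicator re-published with a new score"
];
// Constructed firewall and DNS records. Not real customer data.
let Firewall = datatable(TimeGenerated:datetime, SourceIP:string, DestinationIP:string, DestinationPort:int)
[
    datetime(2024-05-01 02:10:00), "10.0.1.25", "203.0.113.50",  443,
    datetime(2024-05-01 09:00:00), "10.0.1.40", "198.51.100.7",  443,
    datetime(2024-05-01 09:05:00), "10.0.1.40", "93.184.216.34", 443
];
let Dns = datatable(TimeGenerated:datetime, ClientIP:string, Name:string)
[
    datetime(2024-05-01 02:05:00), "10.0.1.25", "evil.example",
    datetime(2024-05-01 09:01:00), "10.0.1.40", "www.example.com"
];
let Now = datetime(2024-05-01 03:00:00);   // pinned for the sample; use now() in a scheduled rule
let MinConfidence = 70;                    // assumed cut-off
// Feeds re-publish the same indicator; keep the latest copy and drop inactive or expired ones,
// otherwise an indicator withdrawn by the provider keeps producing incidents.
let ActiveIndicators = Indicators
    | where Active and ExpirationDateTime > Now
    | summarize arg_max(TimeGenerated, *) by IndicatorId;
// IP indicators against firewall destinations.
let IpMatches = ActiveIndicators
    | where isnotempty(NetworkIP)
    | join kind=inner Firewall on $left.NetworkIP == $right.DestinationIP
    | project EventTime = TimeGenerated1, Source = SourceIP, Observable = DestinationIP,
              Kind = "ip", IndicatorId, ConfidenceScore, Description;
// Domain indicators against DNS queries.
let DomainMatches = ActiveIndicators
    | where isnotempty(DomainName)
    | join kind=inner Dns on $left.DomainName == $right.Name
    | project EventTime = TimeGenerated1, Source = ClientIP, Observable = Name,
              Kind = "domain", IndicatorId, ConfidenceScore, Description;
union IpMatches, DomainMatches
| where ConfidenceScore >= MinConfidence
| order by EventTime asc
```

Two details matter in production: `join` is case-sensitive, so normalise domains with `tolower()` on both sides before joining, and the `arg_max` deduplication is what makes the re-published `ioc-001` row carry its latest score rather than producing two hits for one connection. The expired `198.51.100.7` indicator is deliberately present in the sample so the filter on `Active` and `ExpirationDateTime` has something to remove.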
Project Executive at synergyc
Threat detection and response capabilities enhance investigation processes
Pros and Cons
- "The most valuable features for us include threat collection, threat detection, response, and the knowledge base for investigation."
- "However, we are not using it for some features, mainly for cost-related reasons and our company policy."
What is our primary use case?
My security team has been using Microsoft Sentinel for around two years. We also have Bastion and SolarWinds as part of our monitoring tools. We use a three-way tool, alongside Microsoft Sentinel, in our environment.
What is most valuable?
The most valuable features for us include threat collection, threat detection, response, and the knowledge base for investigation. These are the three separations in the tool that we are currently using.
What needs improvement?
My team enjoys using Microsoft Sentinel. However, we are not using it for some features, mainly for cost-related reasons and our company policy. We choose other solutions for basic monitoring due to better cost opportunities. There could be improvements in those areas, but these are based on management decisions.
For how long have I used the solution?
We have been using it for approximately two years.
What do I think about the stability of the solution?
In the past two years, our team hasn't encountered any issues with the stability of Microsoft Sentinel from an operations perspective. We rate it an eight, as no escalations have been made for Microsoft Sentinel.
What do I think about the scalability of the solution?
I cannot provide a specific number for scalability, as I wasn't part of the scaling team. We did use an external vendor, I-Tracing, for assistance.
How are customer service and support?
When my team needs to escalate issues to Microsoft, especially for Microsoft Sentinel, the response is fast through their French entity. We would rate technical support an eight.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
We used Bastion before Microsoft Sentinel. We still use Bastion in some regions for end-to-end security and SolarWinds for monitoring. We switched to Microsoft Sentinel for specific security cases.
How was the initial setup?
Initially, we had dedicated training from a UK trainer who worked with our team for three months. The cloud, DevOps, and security teams wrapped up training quickly, especially within the EMEA region. No major issues were encountered during the adoption.
What about the implementation team?
We had a dedicated trainer from the UK who worked with our security level one and two teams during the initial setup. The DevOps team had some delays, but these were likely operational specifics.
What was our ROI?
I'm not on top of the full business case, but from a support and licensing perspective, it's fine. Microsoft Azure was not fitting for short-term cost savings but promised a better ROI over three to five years for medium to large companies.
What's my experience with pricing, setup cost, and licensing?
I haven't seen the full business case, but the cost for support and licensing is justified with what we receive. Microsoft Sentinel offers more capabilities than Bastion, with a more intuitive experience.
Which other solutions did I evaluate?
We evaluated Bastion and SolarWinds.
What other advice do I have?
My CISO wanted to get more with less money. Short-term, Microsoft Sentinel might not fit the budget, but long-term it makes sense, especially for medium to large companies. I rate Microsoft Sentinel an eight out of ten, offering a better experience than our previous solution.
Which deployment model are you using for this solution?
Public Cloud
If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
EXECUTIVE CONSULTANT at Freelance
Gives a comprehensive and holistic view of the ecosystem and improves visibility and the ability to respond
Pros and Cons
- "It is able to connect to an ever-growing number of platforms and systems within the Microsoft ecosystem, such as Azure Active Directory and Microsoft 365 or Office 365, as well as to external services and systems that can be brought in and managed. We can manage on-premises infrastructure. We can manage not just the things that are running in Azure in the public cloud, but through Azure Arc and the hybrid capabilities, we can monitor on-premises servers and endpoints. We can monitor VMware infrastructure, for instance, running as part of a hybrid environment."
- "Everyone has their favorites. There is always room for improvement, and everybody will say, "I wish you could do this for me or that for me." It is a personal thing based on how you use the tool. I do not necessarily have those thoughts, and they are probably not really valuable because they are unique to the context of the user, but broadly, where it can continue to improve is by adding more connectors to more systems."
What is our primary use case?
Microsoft Sentinel is a monitoring tool. It is a SIEM solution and is used to gather logs. It allows us to analyze and understand the flow of information based on the events that happen and the systems we connect it to.
I explain it to my customers as being almost like an octopus. It sits in the middle of a tank, and it has all these tentacles that connect to different systems. We bring that information in via those connections, and then we query them. We can centrally analyze, examine, and understand the data that comes in through the analytics or the capabilities that Azure links to Microsoft Sentinel, which is Azure Log Analytics Workspace. We then use queries to help us understand or make sense of the data. We can have dashboards and visualize them.
We use it to set up monitoring for cloud infrastructure and we use it as part of a larger monitoring capability around setting up a SOC capability. We are then able to keep track of infrastructure and mitigate risks.
How has it helped my organization?
Microsoft Sentinel gives visibility to some degree to all of the customers that I work with. It has given us more visibility into the accurate state of the endpoints being monitored in near real-time.
With the solution, we are now able to respond to incidents in a more timely fashion, which helps us. It helped us to understand what is happening and make informed decisions as a result. It has given us a more comprehensive and holistic view of the ecosystem that exists, and not just an individual piece of that ecosystem. It does not give a view of just one server. It also gives a view of the supporting infrastructure around it. It has given us a lot more visibility, and it has made us smarter in terms of being able to defend ourselves against bad threat actors and the harm they look to do. It made us better armed and more informed, and therefore we can offer a better defense that will hopefully ward off some of those bad actions.
Microsoft Sentinel helps to prioritize threats across the enterprise in several ways. This capability is linked to other technology elements that make up the overall security posture of the Microsoft offering. Microsoft Sentinel, in particular, allows us to look at the flow of information coming through the connectors from various systems. This helps us create alerts and analyze that data so that we can bubble up and see what is happening. We can tie that into the Microsoft Defender stack or the products in the Microsoft Defender ecosystem, and we can take action and monitor.
Whether it is being alerted, manually choosing to do something, or automating through the broader security capabilities of the platform, we can take action. When we tie in the broader security capabilities that involve governance, risk management, and compliance (GRC), and we have all the tools at our disposal to do that, Microsoft Sentinel becomes a huge ingestion engine that brings in signals. The telemetry and data from all the monitored endpoints allow other capabilities to access that data so that we can monitor it. We are then not only well-informed, but we can also choose how to respond. We can respond through a combination of automation and manual actions. If something occurs, we can then kick off an incident response to deal with it. If needed, we can quarantine and mitigate it. We have a rich set of capabilities but also a very flexible set of opportunities to respond because we are given near real-time information. We can analyze that information in near real-time to make informed choices when it comes to threat intelligence, threat mitigation, and threat assessment.
I use all of the products that Microsoft has in the market in various architectures or configurations with different customers, and I have used them for many years. Various customers use the entire suite of offerings that Microsoft has in the security space in terms of governance, risk management, and compliance, such as Microsoft Sentinel and Microsoft Defender. There are also solutions like Privileged Identity Management (PIM), which is now a part of Microsoft Entra, which has been renamed. I have integrated these products and set up the architectures or designs for customers. The setup depends on the size of the customer and some smaller businesses do not use all of them. They license at lower levels and do not have the business case, the resources, or the need to use them all. Larger companies tend to utilize more of them. Because I work with different-sized companies, I set the solutions up and have used them in a variety of circumstances across the board for different companies.
In the beginning, like any technology, it was a little harder to integrate when the products were new. As they matured and went through iterations, they became easier to work with. Utilizing a new product is more painful than using a product that has perhaps been out for a year or two, that has been vetted and maybe has gone through one major update or release. The integration has gotten better over time, and the product lines continue to mature and become more powerful as a result.
Microsoft security products work natively together to deliver coordinated detection and response across the environment. For this, you need to use the appropriate connectors to bring in the information from both Microsoft-centric and third-party systems that you want to incorporate and monitor. It is bounded by the vision of the architecture that allows you to connect those systems and the availability of those connectors. Assuming those systems are connected properly, brought online, and are reporting, it gives you the depth of visibility that you need to manage both Microsoft and non-Microsoft systems.
Microsoft security products provide a very thorough set of security. Microsoft is looking at billions, perhaps a trillion, individual data points a day at this point across the Microsoft ecosystem, which includes everything Microsoft does, all customers, and all interactions. They take all that information and analyze it with dedicated security teams, machine learning and artificial intelligence, business analytics, etc. They turn that information around and make it available for customers who are consuming the threat analysis and threat intelligence capabilities on the platform. Some of the solutions are available for free to everybody regardless of licensing. For others, you need enhanced licensing to take advantage of it fully. The threat intelligence feeds, the live analysis, and the security posture that Microsoft provides to its customers globally as part of the shared responsibility model have matured tremendously. They are the best. You get incredible value for the amount of work that goes into providing that. The customers I work with are very happy with the work that Microsoft does and continues to do in that space.
We use the bi-directional sync capabilities of Microsoft Defender for Cloud in some cases. It is a very useful feature for myself and my customers. It is very important because it allows us to use the Defender product, which is made up of maybe 20 individual offerings at this point. There are a lot of different sub-areas that you have that you can attach the Defender product to. This concept allows us to be able to have the endpoints monitored, whether they are the servers or the service that Defender would monitor and protect. It allows us to understand what is happening with them and to have near real-time updates about their status. We can see the impact of potential threats that are attaching and risks that may become apparent, and we can see the impact of remediation or the things that are being done to stop those things or perhaps forestall them, hopefully, to prevent them from harming. This capability is very important, and it is one of the secrets that allow that platform to not only be very flexible but also very impactful in terms of monitoring the bulk of the infrastructure and services that most customers would have running in a public cloud, whether it is Microsoft or any other public cloud, such as Amazon, Google, etc. We can monitor any infrastructure and understand it, especially customers' environments that are hybrid where they have on-premises as well as cloud or multi-cloud infrastructure with more than one cloud. To be able to monitor both on-premises and multi-cloud environments is a requirement today, and Microsoft provides those capabilities but not all other providers do.
It enables us to ingest data from the entire ecosystem as long as we are using a connector to link to the infrastructure that we need to monitor and as long as there is a connector for monitoring that infrastructure. So, as long as the pipe exists, we connect the pipe, and we can monitor the infrastructure. For a majority of mainline infrastructure or a majority of third-party vendor systems today, there are connectors. For some smaller systems or proprietary or custom systems that some companies run, there might not be connectors, but for mainline systems that you would buy, acquire, or use from large-scale SaaS vendors, connectors have been there for a while. As long as we are running connectors to that infrastructure, we can monitor almost anything that we have.
Sentinel enables us to investigate threats and respond holistically from one place. We have a central dashboard that we can use to monitor and then from there, do the analysis and also create the remediation if necessary. This functionality is very important. The biggest mistake vendors make in tool design from a UI/UX or user interface/user experience perspective is that they do not make things centrally available and obvious for the administrator or the end user who is going to run or use that system. Generally, if something is overly complicated and not very intuitive, it is hard to get people to buy into using something. With Microsoft Sentinel, you can have everything in one place and visualize the impact of the threats, the risks, the incoming data, and the number of incidents, events, or alerts that are happening. All those things are visually represented in the opening part of the dashboard. You could drill down from there with a navigation area that is intuitive and easily understood. That makes it very easy for different users, such as administrators and managers, and other user profiles that have different reasons for being in the tool, and that is the hallmark of a good design.
When you look at it holistically and look at what it is linked to in terms of the broader security platform that Microsoft provides, it is very strong, and it continues to get better. When you ask anyone about their thoughts about a product and how it works for their customers, the mistake that people often make in describing something is that they say, "I think it is great, and it is great for us. It does everything we need." That is good, and it should be. I can say that for the majority of my customers without any ambiguity or concern about being accurate, but the thing you have to add is that there are always things that we do not know that we need to do until they occur. We might not have seen that threat before. Maybe there is a new advanced persistent threat or zero-day exploit that we have to contend with, which we have not been aware of until now. The hallmark of a really good tool is its ability to integrate that new information in a timely fashion and have the flexibility to mature the tool over time based on feedback and iterative use. The strength that Microsoft has brought to the platform over time is the ability to listen to its customers and make sure they are offering based on that feedback. It is good, and it continues to get better. Today, it is good, and tomorrow, it will be better because of that thought process in the way they engineer over time.
Microsoft Sentinel helps automate routine tasks and the finding of high standards. If you set it up the right way, it does that as one of the key things that it is designed to do. It has streamlined our ability to respond, so response time has gone down. It has enhanced our understanding because automation is managing some of the remediation and the menial, repetitive ongoing tasks of:
Paying attention to information flows.
Picking out the most important elements.
Prioritizing them and bubbling them up.
Creating alerts around them and then telling people that these things are happening.
Automation lets you do that without having to spend human or people cycles to do that. The automation never gets tired and it never gets bored. It never needs to take a break. It never gets distracted. Because of that, we find not only more things we need to react to, but we react to the things that we truly should be chasing. We are not distracted as much by things that seem to be important, but we find out that they are just ghosts. They are false flags. The ability to bring machine learning, artificial intelligence, business analytics, and data visualization as a part of automation has filtered out a lot of the background noise that distracts. It has allowed us to hone in and refine our activity cycles around the most important things that we have to pay attention to.
Microsoft Sentinel helps eliminate having to look at multiple dashboards and gives one XDR dashboard if you set it up the right way. I have seen it set up in ways where it does not do that because it is not optimized, but if you are using it the right way, if you understand the tool and how to integrate it properly, then it gives you that single dashboard where you can directly find the information or link through a smaller visual tile that will take you to that information that you need if you need to drill down in a deeper, more meaningful way.
Its threat intelligence helps to prepare for potential threats before they hit and take proactive steps. If you are integrating the threat intelligence feeds from Microsoft and looking at them, everything is relative. They are there if you are smart enough to consume them and understand what you are looking at. In other words, people who are paying attention to them and are using them properly are getting tremendous value out of them. Microsoft globally examines billions, if not a trillion, of individual telemetry data points every day and incorporates that into their threat analysis feeds, so no individual company, irrespective of how big they are and how much money they have, can bring that kind of at-scale analysis to that problem. As a result, you are getting a tremendous amount of data that is being vetted, analyzed, and distilled down to meaningful actionable intelligence. It is consumable because it is presented in a very summarized and succinct way. It is very valuable, but you have to be able to understand that and utilize that to draw value from it.
Sentinel has saved me time. The ability to have the power of Microsoft as a global scanning organization service provider at my disposal is helping me to better understand the environment I operate in through threat intelligence and threat analysis. In addition, the ability to automate at scale across the platform and to have the research and design that is being done to continuously upgrade and add features to those platforms has made me a much more capable and therefore, more successful security practitioner. It is hard to quantify the time saved. It would probably be a very extreme exercise to go back and do that, but it is fair to say that over a year, we have probably saved a thousand or more human hours. Looking across a team for one of the customers that I work with, it is fair to say that we have saved at least a thousand human hours for a year by relying more on the automation toolsets. That is about ninety hours a month on average. We can break it down to 15 or 20 hours a week or something like that, but the reality is that it is about a thousand or more hours that we have saved in a year.
Time to detection has decreased, and the time to respond has gone down. They both have decreased. That has been an outcome that we have seen and is measurable. It goes back to the investments you make in building out that architecture in terms of:
How many systems are you monitoring or how many are you connecting?
How much data do you have coming in?
What are you doing with that data and how are you using it?
If you are building out a full SOC analysis capability or a full monitoring solution, and you are tying this into incident response and alerting and event continuous monitoring through automation, time to respond and time to solution is going to decrease as a result.
What is most valuable?
It can connect to an ever-growing number of platforms and systems within the Microsoft ecosystem, such as Azure Active Directory and Microsoft 365 or Office 365, as well as to external services and systems that can be brought in and managed. We can manage on-premises infrastructure. We can manage not just the things that are running in Azure in the public cloud, but through Azure Arc and the hybrid capabilities, we can monitor on-premises servers and endpoints. We can monitor VMware infrastructure, for instance, running as part of a hybrid environment. The continuing evolution of what we call the connectors, which is the marketplace that lets us connect these systems to Microsoft Sentinel, is probably one of the most important features.
The reliance on a very simple but very powerful query language called Kusto Query Language or KQL that Microsoft uses to allow us to log into the analytics workspace to assess and analyze the data is also valuable. That has made it very approachable and very scalable. Those are very big and important things for me as a consultant, as an architect, and as a person who is implementing these solutions for customers and who is explaining them, and ultimately working with them. This makes the product not only usable but also very flexible. Those are two very important elements.
What needs improvement?
Everyone has their favorites. There is always room for improvement, and everybody will say, "I wish you could do this for me or that for me." It is a personal thing based on how you use the tool. I do not necessarily have those thoughts, and they are probably not valuable because they are unique to the context of the user, but broadly, where it can continue to improve is by adding more connectors to more systems.
The really interesting area where we are already seeing the impact is the use of more artificial intelligence. There could be the ability to bring AI into the analysis capabilities of the toolset in more ways so that we can utilize the power that computer analysis at scale has. That is because we are limited. As humans, we can only look at so much information, see so many patterns, and absorb so much in any given cycle of a workday, but artificial intelligence and automation engines do not take breaks. They do not stop. They do not need to. They can go deeper, and they can see more data and ingest more to find patterns that, as humans, we are not going to be able to see. The evolving technology in this area is all moving towards the use of artificial intelligence, embedding it in multiple areas in the platform so that we can be told that there are things that we need to pay attention to that are becoming a problem as opposed to things that are already a problem. Where the biggest improvements can happen is how we move that ability to identify emerging threats closer to the point of contact so that we can interject and essentially stop and disrupt the kill chain of an event series before it harms. Currently, the problem we often have is that things get bad, and until they get bad, we do not really know what is happening, and we do not know how to respond, so we spend a lot of time responding to incidents that have already started or have unfortunately unfolded fully in a reactive manner. The value proposition in terms of improvement down the road is getting better at predictive defense and proactive response before events take place to stop them before they start. That is the future that we are moving towards, and that is where the biggest improvement lies.
For how long have I used the solution?
Sentinel, which is now called Microsoft Sentinel, used to be called Azure Sentinel. It was renamed about a year and a half or two years ago, but I have used Sentinel for about four years. It was probably released in 2019.
What do I think about the stability of the solution?
It is very stable. I have had little to no difficulty with it in the more than four years that I have used it or deployed it. I cannot think of a time in the last four years when it was unstable or unstable enough that I had to open a support ticket. I have had issues with it because people have misconfigured it or not set it up properly, but those issues were not related to the platform itself. Those were human interactions that were complicating it because it was not set up the right way. When it is set up correctly, it is a very solid platform with minimal to no downtime. There were no major service disruptions that I remember that caused problems.
What do I think about the scalability of the solution?
It is very scalable. You do not think of scalability necessarily the same way you would if you were setting up a cluster to run virtual machines, for instance, because there, you have to add resources, and you are monitoring to make sure that there are enough resources versus the load in the system. Microsoft Sentinel is a managed solution. You are deploying it, but then Microsoft is scaling it and managing it on the backend for you, so you do not control some of the things that would impact scalability directly. Microsoft is hosting it. It is essentially a service you are consuming. In my history with the product, it has always met my expectations, and I have never had an issue where it could not perform because of a resource constraint, so its scalability is solid, and it is always available when necessary. It is not scalable in the same sense as you would control it by adding hosts to a cluster. It is a different kind of scalability, but it has been rock solid all the time I have been working with it.
In terms of the environment, I have multiple customers, so each one is different, but generically, it is safe to say that it is deployed to monitor infrastructure that is in multiple geographies, multiple data centers, or multiple places both on-premises and in the cloud. It could be hybrid as well as multi-cloud. The infrastructure is being monitored from a variety of different locations. Microsoft Sentinel itself is typically installed and instantiated in one instance. You set it up inside of an Azure subscription and you have one instance. If you need more than one, you might set up more than one depending on the geography and the needs of the organization, but typically, we have one central Microsoft Sentinel instance running, and then you will bring that information into it through the connectors. It is typically going to be a single instance. It will usually monitor geographically distributed architecture, and it will usually operate at scale, so there will be quite a bit of information coming into that at any given moment.
How are customer service and support?
Like anything else, you can get support depending on how you are using the tool and the level at which you are using it. You get basic support from Microsoft. If you have a problem, they are very good at telling you if there are service issues. If you are paying additionally, you can get premium support to support you with the tool. There is an additional fee for platinum-level support or premium support. Their support is very good if you are paying for it and you are able to utilize it. If you are just able to open a basic ticket because you are having a problem, support is good, but you are going to be limited in the help you are going to get. To talk to a high-level engineer to deal with complicated issues, you are going to need to pay extra money for support. Overall, I would rate their support an eight out of ten.
How would you rate customer service and support?
Positive
Which solution did I use previously and why did I switch?
I have used several different solutions over time with different customers for different reasons. I work with a lot of different customers. I set up solutions for different customers. They have different technologies and different needs, and some of them have a bias towards certain products and against others, but I have used products like ConnectWise, which is a SIEM solution, and Splunk, which is probably one of the biggest ones out there that most people would name if you ask them. Splunk is probably at the top or near the top of everybody's list. Datadog would be another big one. I have used LogPoint and GrayLog. I have also used ManageEngine's Log360. SolarWinds is another popular one that I have come across pretty often. I have used many more than that, but those are probably the top five or six that I have used. They are the ones that customers tend to use a lot. Some of them are still using those products and have chosen not to move, but the ones that have chosen to move have done that because of two things. The cost plays a part. They have the ability to leverage a tool that is already built into the platform and that may be easier to work with and integrate in a more readily accessible fashion, and it would be as expensive or maybe less expensive over time. It might also seem to be a better architectural choice for them as they look at an upcoming renewal cycle, or they have heard or been told that they need a certain capability or feature and the vendor that they are currently using does not have that or it is not as easily accessible or readily available, but Microsoft Sentinel has that capability. It has connectors to those other platforms, but for whatever reason, their particular vendor does not have that connector, or they might promise to deliver it but it is not going to be ready for six months. It comes down to features and cost. These are the two main reasons or two main motivators to drive people to migrate.
In terms of the cost and ease of use of Microsoft Sentinel against standalone SIEM and SOAR solutions, it is difficult to do an apples-to-apples comparison. That is because, in theory, you can look at Microsoft Sentinel as a single standalone product with its own cost associated with it, but it is linked to, consumed by, and used in partnership with many other systems and tools that also have a licensing cost. Some of it is built-in and some of it is an add-on, depending on where you are and how you choose to license. In other words, Microsoft Defender is a per-instance, per-month cost that is additional to using the Microsoft Sentinel product, and what you get with a standalone solution is essentially just the SIEM or the SOAR capability. You are not getting the capability to blend them across the platform, or if the vendor does both, you are buying them as an all-in-one solution and you are paying a monthly fee per user based on licensing.
From my perspective, cost comparisons are not as accurate. When a customer asks whether Microsoft Sentinel is going to cost them less or more than using this other tool, it is a very simplistic way of looking at the tool, and it is a very operational-centric or OpEx discussion. When anyone asks about the monthly fee for the investment in this tool, you have to be more strategic. When you look at a tool, features, and capabilities, the capital expense is broader than just the operational expense. You have to understand the strategy associated with the tool decision and the impact and value of the tool.
Microsoft Sentinel gives a good value for money or a return on investment in terms of what it costs you to run it. When comparing it to any of the other major competitors in the market, it is as cost-effective and perhaps even more cost-effective than some of them. It certainly is very competitive, but people do not necessarily understand the subtlety in that assessment in terms of how they are integrating the Microsoft Sentinel solution or the third-party solution into the broader context of their infrastructure and security posture. That is where they run into issues that become more prohibitive from a cost perspective, both hard and soft. For example, the hard cost could be $15 a month per user to license or $15 a month per endpoint and $100 per gigabyte of storage or something like that. Those numbers are wildly inaccurate, but you do have hard costs, and then you have soft costs, which include what it costs you to train people who have to use that technology or to train people who have to manage it ongoing and integrate it. You might have to hire consultants to do that, for instance. Those are hard and soft costs. When you are using a Microsoft product and you are Microsoft-centric, you overcome some of those soft costs because you have people who already have skills on the platform. You are already integrating that technology. Microsoft is doing that for you. You do not have to do it yourself. As a result, some of what I refer to as hidden costs are not as high with a Microsoft solution as they would be with a third-party solution. If you are already Microsoft-centric and you are using a majority of Microsoft Azure and Microsoft 365-based infrastructure in some form, it is easier to implement that technology. It costs less when you go forward with Microsoft Sentinel than it does when you try to bring in a third-party external SIEM or SOAR and tie it into the Microsoft platforms and have it do the things that you are looking for it to do.
How was the initial setup?
It is predominantly deployed for public cloud use, meaning customers hosting on a public cloud are using it. They are hosting in Azure, for instance, and they are running their cloud infrastructure in that cloud environment. You can link to on-premises resources in hybrid scenarios, and you can certainly make the case that it can be used for private cloud as well because you can extend it to the on-premises environment. It can be used to ingest information in a multi-cloud environment, meaning you can bring in infrastructure information from Amazon or Google, the other two major public cloud provider platforms, as well as VMware, which, in its own right, is a public cloud provider. So, it can be used or potentially be available to consume data from any of those areas.
I have been involved in the deployment of hundreds of instances of Microsoft Sentinel. Its initial deployment is straightforward. In terms of implementation strategy or how to approach it, it is important to spend a lot of time with whoever the customer is. I work with multiple customers. I ask them what sound like fairly simple and simplistic questions but are very important questions. What are they looking to accomplish by deploying a SIEM solution? What is the business requirement that we are addressing by deploying the solution? We need to define that and understand that because oftentimes, we find that the customer says, "Well, we think we need, for instance, X." We talk about it, but realize what they really need is perhaps X with other things or it is not X at all. It is really W. They just thought it was X because somebody told them that. They did not know any better, so asking the W and H questions is important:
Who is this for?
Who are the stakeholders?
Why are we doing this?
What are we looking to accomplish?
When are we looking to get it done?
What is the timeline?
The where and the how are not as important because it is typically in the cloud, and we are going to have qualified people deploy this architecture and we are going to run it in Microsoft, Amazon, or whatever. If we ask those questions upfront, then we can come up with a deployment plan and architecture solution that approximates the customers' needs but also meets their expectations, so for me, a project's success or failure lies in planning. The majority of the work you do has to be done in the planning cycle before you do implementation. If you are really strong in planning, then implementation is relatively straightforward. There are not a lot of surprises. As long as you are technically competent, you can do your deployments, and they should be relatively straightforward and minimal risk to the organization in terms of the deployment. If you do not get your planning right, you are opening up a tremendous amount of risk and liability in the organization.
In terms of maintenance, you cannot set it and forget it. Like any other product, it does require maintenance. If you are smart about it and you set it up the right way the first time, it will take care of itself, and it will certainly operate well at scale, but you have to examine it on an ongoing basis. There is always an opportunity to refine and update connectors. You can add new connectors as you need to extend the reach of the tool. You may have to look at the volume of data that is coming in to refine the amount of data that you want to store, pay for, and analyze, and then you have to look at the queries you are running to be able to stay on top of the data to extrapolate meaning. So, there is maintenance that goes into using a tool like this. There is no checklist that you go through every day, but there are absolutely things that have to be done on a daily, weekly, and monthly basis to keep the tool running properly.
What about the implementation team?
I am the one who handles the deployment. It is rare that I would not do it myself or work with a team that would be empowered to do it as part of that.
The deployment, depending on the size of the deployment, could be done by as few as one person. It does not necessarily need a huge number of people to be associated with it. The bigger need there is what you do once the initial deployment is done, meaning fine-tuning the operation of that. When you add all that in, you typically look at a team of anywhere from three to six individuals. There are incident management and response and SOC analysis people. There are also network people. There are different people who would play a part in ultimately standing up and optimizing a tool like this, but usually, four to six people play a part on average.
What was our ROI?
There is absolutely an ROI if it is architected properly and the customer has the right expectations going in.
Microsoft Sentinel has saved my customers money. There is an initial investment upfront, so you have to spend money to save money. There is an initial investment upfront of hard and soft hours, but if the systems are set up properly and optimized and you have people who understand them, one of the things that you are able to do is look at the redundancies in your security stack or in your provisioning. You can look at tools that you may be able to move away from at the end of a license period instead of renewing, for instance. You can do away with that redundancy and focus on simply using the Microsoft toolset, so you tend to find that there is definitely an economy of scale there in terms of recouping those returns on investment. There may be a one to three-year cycle to see those savings. It depends on where you are with redundant tool sets that you have identified to be eliminated and where you are with a contractual licensing obligation of time cycle or license period before you have to pay to renew based on current investment, so it may lag a little bit. You do not tend to see those results right away. They tend to lag anywhere from 12 to 36 months, but at the end of, for instance, a three-year cycle, you are not spending another $300,000 to re-license a new tool. You are saving that money. You can then work backward and say that on average, you are now saving x amount of dollars a month going forward because you are not making that investment anymore. You definitely do see investments that yield value, but they tend to lag.
What's my experience with pricing, setup cost, and licensing?
It is priced fairly given the value that you get from the use of the product. The biggest mistake people make with Microsoft Sentinel is not understanding the pricing model and the amount of data that they are going to be running through the tool because you are paying based on the flow. You are paying based on the amount of data that is moving through the tool. People do not plan, and therefore, they get surprised by the cost associated with using the tool. They connect everything because they want to know everything, but connecting everything is very expensive. They might not need to know everything. That is what I talk about with customers. It would be nice to know everything, but it might not be affordable or cost-effective. Microsoft Sentinel provides good value for the money. It is competitive with any of the other offerings out there based on the cost, but the mistake customers make is that they do not understand the cost model for using a SIEM solution regardless of whose solution they are using. When they get visibility into that model, it becomes a lot easier for them to make informed decisions.
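A check that goes with this point, added here and not part of the review: a KQL query run in the Log Analytics workspace that Sentinel is attached to, showing which tables drive billable ingestion over the last 30 days and each table's share of the total. It assumes only the standard Usage table of Log Analytics (columns DataType, Quantity in MB, IsBillable); the 30-day window is an assumption you can change.

```kql
// Added example (not from the review): find the cost drivers before the bill arrives.
// The Usage table records ingested volume per table; Quantity is in MB, so divide by 1024 for GB.
let window = 30d;                       // assumed lookback; adjust to the billing period you care about
let total = toscalar(
    Usage
    | where TimeGenerated > ago(window) and IsBillable == true
    | summarize sum(Quantity));
Usage
| where TimeGenerated > ago(window)
| where IsBillable == true              // free tables (e.g. some Defender/Azure Activity data) are excluded
| summarize IngestedMB = sum(Quantity) by DataType
| extend IngestedGB = round(IngestedMB / 1024.0, 2),
         PercentOfTotal = round(100.0 * IngestedMB / total, 1)
| project DataType, IngestedGB, PercentOfTotal
| order by IngestedGB desc
```

Tables at the top of the list are the candidates for the "do we really need to know everything?" conversation the review describes, since trimming a verbose connector or filtering at the source changes the flow you are billed on.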
Which other solutions did I evaluate?
I certainly evaluate products all the time. I am always looking to see what capabilities exist and which vendor can offer me the best mix of features and capabilities for the price, and then I make recommendations to my customers as a result of that. Microsoft Sentinel is a newer product in the market in terms of time. It has only been around for about four years, whereas some of the other products, such as Splunk, have been around a lot longer, so I tend to find people evaluating Microsoft Sentinel versus the other products they already possess when they are looking to move.
What other advice do I have?
To those evaluating this solution, I would advise doing their due diligence. They have to understand the technology, the capabilities, and the limitations. They need to assess the business requirements that they are trying to address by deploying a SIEM solution, whether it is Microsoft or not. They need to understand what those key business requirements or key objectives are, and then evaluate the tools to make sure that those tools can achieve those objectives. They can then make an informed decision accordingly.
Microsoft Sentinel is one piece of the puzzle. Threat intelligence or threat analysis is a broader aspect of the security platform that Microsoft provides. It is certainly reliant on the data that Microsoft Sentinel provides, but there is a lot more to it than that. Overall, Microsoft has made tremendous investments in the last five to ten years. Especially in the last five years, in that space, they have developed a threat intelligence, threat analysis, and threat awareness capability that rivals any of the top platforms that are out there today. They continue to mature and grow that capability by maturing the products that support it. Microsoft Sentinel is one aspect of that. The Microsoft Defender stack, or all the different Defender products, is a part of that. A few years ago, it would have been very hard to make the statement or make the case that Microsoft has a mature offering that is certainly at the very top along with other offerings that are often talked about as being at the top in that field. Today, Microsoft competes at the top tier of that field, and their solution is as mature as any of the ones in the market. The challenge with the Microsoft solution is that it is very specific and uniquely honed for the Microsoft infrastructure. That is not a bad thing, but it is something that you need to be aware of. It is specifically designed to work with, work for, and wrap around Microsoft's public cloud offering, Microsoft Azure, and the supporting elements in Microsoft 365, etc. So, as long as you are Microsoft-centric in your stack, in your technology, in your architecture, it is a very valuable piece of the overall threat posture management that a company needs, but if your investment in technology is heavily weighted outside of Microsoft, it is of less value because you need to be Microsoft-centric and Microsoft-forward to be able to fully leverage that platform.
To a security colleague who says it is better to go with a best-of-breed strategy rather than a single vendor's security suite, I would say that it depends on the nature of the organization's technology architecture. If the organization is overwhelmingly single-technology-centric, meaning they use Microsoft almost exclusively, you can make the case either way. Using an external third party not tied to Microsoft is important because now you are splitting your investment, and you are not gambling only on one provider, which is the argument you always hear people make when they say, "Do not put all your eggs in one basket." The counter to that argument is: who knows my environment better than the vendor that has made all the technology that I am integrating, and who would be better to monitor it than the vendor that makes all the technology? When I have customers that are single-technology-stack customers, meaning they are almost exclusively or predominantly Microsoft, I counsel them to think strongly about using Microsoft products unless there is a compelling reason not to, because Microsoft is going to make a much better solution than a third-party vendor that has to figure out how to connect to Microsoft to use that product properly. Organizations that have a mixed technology environment do not use only one vendor. To be fair, many small, medium, and large organizations are mixed technology environments, and it would be foolish to only rely on one vendor's security solution.
Overall, I would rate Microsoft Sentinel an eight out of ten.
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Updated: June 2026