reviewer2778465 - PeerSpot reviewer
Senior System Administrator at a university with 5,001-10,000 employees
Real User
Top 20
Nov 19, 2025
Automated alerts and anomaly detection have strengthened incident response workflows
Pros and Cons
  • "Microsoft Sentinel flags when admin credentials log in from an unusual location, automatically alerting the security team so they can investigate."
  • "The SOC optimization feature of Microsoft Sentinel does not appear applicable at the moment in terms of data management and cost efficiency."

What is our primary use case?

Microsoft Sentinel is used to monitor cloud security for the university, focusing primarily on sign-in logs and alerts from those sources.

What is most valuable?

The playbooks and automated alerts are convenient features.

Microsoft Sentinel flags when admin credentials log in from an unusual location, automatically alerting the security team so they can investigate. This is an example of how Microsoft Sentinel's features have helped the organization.

Microsoft Sentinel provides a unified set of tools to detect, investigate, and respond to threats. A unified approach with Microsoft Sentinel is important, and if it works effectively, that would be beneficial.

What needs improvement?

The effectiveness of AI and machine learning in Microsoft Sentinel is uncertain, but in theory, it sounds promising if it would reduce the workload and make threat identification easier.

The SOC optimization feature of Microsoft Sentinel does not appear applicable at the moment in terms of data management and cost efficiency.

Microsoft Sentinel could be improved by integrating all playbooks with the various other products that they can monitor. If that becomes even easier and more streamlined, it would probably be helpful.

For how long have I used the solution?

Microsoft Sentinel has been in use for approximately four years.

Buyer's Guide
Microsoft Sentinel
April 2026
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: April 2026.
893,244 professionals have used our research since 2012.

What do I think about the stability of the solution?

There have not been any major issues with Microsoft Sentinel in terms of crashes or downtime. While there have been some outages over the several years of use, nothing has specifically affected the organization.

What do I think about the scalability of the solution?

Microsoft Sentinel has scaled well with growing needs during this period, and it has been adopted gradually.

How are customer service and support?

Microsoft customer service was used initially when implementing Microsoft Sentinel.

The customer service provided was good. Microsoft customer service would be rated eight or nine, as it was effective.

How was the initial setup?

The experience with deploying Microsoft Sentinel was straightforward and easy, even though it was a few years ago. The ability to take it into use modularly was valuable, as it allowed starting in one area and then adding components incrementally, which worked well for this case.

What was our ROI?

A good return on investment has been observed from Microsoft Sentinel. While not in finance, the ROI appears positive.

What's my experience with pricing, setup cost, and licensing?

Regarding the pricing and setup costs of Microsoft Sentinel, lower costs are always preferable. However, it has been beneficial that Microsoft Sentinel is included as part of the Microsoft package, making it more cost-effective.

What other advice do I have?

Navigating and integrating Microsoft Sentinel for SIEM and XDR across the UI is mostly fairly convenient and easy. The new Defender XDR roles and permissions have changed, making it somewhat challenging to get them to work together with Microsoft Sentinel and Entra ID roles.

Microsoft Sentinel may be used in additional ways at some point. The overall review rating for Microsoft Sentinel is eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Nov 19, 2025
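The detection the reviewer describes (a privileged account signing in from somewhere that account has not been seen before) is a short scheduled analytics rule. The query below is an added example in KQL, not code from the review or from Microsoft's content hub. The SigninLogs rows and the AdminAccounts list are constructed sample data; in a live workspace you would delete those two `let` tables and query the real SigninLogs table and a watchlist via `_GetWatchlist()`, and the fixed `now_` would become `now()`.

```kusto
// Added example (not from the review). Flags successful sign-ins by privileged
// accounts from a country that account has not used in the baseline window.
// SigninLogs and AdminAccounts below are constructed sample data; replace them
// with the real SigninLogs table and a watchlist in a live workspace.
let lookback = 14d;          // baseline window
let detection_window = 1d;   // what the scheduled rule looks at each run
let now_ = datetime(2025-11-19T00:00:00Z);   // fixed "now" so the sample is reproducible
let AdminAccounts = datatable(UserPrincipalName:string)
[
    "ga-admin@contoso.example",
    "sec-admin@contoso.example"
];
let SigninLogs = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, Location:string, ResultType:string, AppDisplayName:string)
[
    datetime(2025-11-01T08:00:00Z), "ga-admin@contoso.example",  "198.51.100.10", "FI", "0",     "Azure Portal",
    datetime(2025-11-05T09:12:00Z), "ga-admin@contoso.example",  "198.51.100.10", "FI", "0",     "Azure Portal",
    datetime(2025-11-10T07:45:00Z), "sec-admin@contoso.example", "203.0.113.5",   "FI", "0",     "Microsoft 365 Security and Compliance Center",
    datetime(2025-11-18T23:30:00Z), "ga-admin@contoso.example",  "192.0.2.77",    "BR", "0",     "Azure Portal",
    datetime(2025-11-18T23:35:00Z), "student1@contoso.example",  "192.0.2.80",    "BR", "0",     "Office 365 Exchange Online",
    datetime(2025-11-18T23:40:00Z), "sec-admin@contoso.example", "192.0.2.78",    "BR", "50126", "Azure Portal"
];
// Baseline: countries each admin has signed in from successfully before the detection window.
let Baseline = SigninLogs
    | where TimeGenerated between ((now_ - lookback) .. (now_ - detection_window))
    | where ResultType == "0" and UserPrincipalName in (AdminAccounts)
    | summarize KnownLocations = make_set(Location) by UserPrincipalName;
// Detection: successful admin sign-ins in the window whose country is not in the baseline.
// An admin with no baseline at all (KnownLocations is null) is flagged as well.
SigninLogs
| where TimeGenerated > now_ - detection_window
| where ResultType == "0" and UserPrincipalName in (AdminAccounts)
| join kind=leftouter Baseline on UserPrincipalName
| where isnull(KnownLocations) or not(set_has_element(KnownLocations, Location))
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName, KnownLocations
```

On the sample rows only the ga-admin sign-in from BR survives: the sec-admin attempt from BR failed (ResultType 50126) and student1 is not on the admin list. Two things to decide before scheduling this: whether a failed attempt from a new country by an admin should raise its own, lower-severity alert, and how long the baseline should be, since a window shorter than an admin's normal travel cadence will page on every trip.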
Juan Panas - PeerSpot reviewer
Director de Microsoft y Transformación Digital at Compucad
Real User
Top 5
Nov 6, 2025
Have faced challenges integrating with third-party tools but have improved reporting and threat detection
Pros and Cons
  • "The ability of Microsoft Sentinel to correlate data from multiple sources greatly helps our threat detection capabilities because correlation enables faster threat detection, even proactively."
  • "Microsoft Sentinel should continue adding support for several other security brands because sometimes you have a firewall from a different brand and if you cannot correlate or integrate that seamlessly, it creates multiple points of checking information, which diminishes efficiency."

What is our primary use case?

We are familiar with Microsoft Sentinel. We previously worked with McAfee and Check Point solutions, but since we specialized in Microsoft, we transitioned everything to Microsoft Sentinel.

What is most valuable?

Microsoft Sentinel allows you to manage all solutions as the base and integrate other brands, making reporting, event correlation, and data preparation easier to leverage AI for generating alarms or trend analysis.

The ability of Microsoft Sentinel to correlate data from multiple sources greatly helps our threat detection capabilities because correlation enables faster threat detection, even proactively. Previously, we had to check several sources, making it difficult for one person or even several people to monitor everything all day. With correlation, what initially appears simple may relate to other information, revealing that it is a situation worth addressing.

The best features of Microsoft Sentinel are its integration with all Microsoft products, which is the main aspect we value because all of our customers and ourselves primarily have Microsoft infrastructure, servers, applications, and systems, so it integrates seamlessly into the Microsoft environment.

What needs improvement?

Microsoft Sentinel should continue adding support for several other security brands because sometimes you have a firewall from a different brand and if you cannot correlate or integrate that seamlessly, it creates multiple points of checking information, which diminishes efficiency. Despite this, we believe Microsoft Sentinel has the best capabilities to work with.

For how long have I used the solution?

The main factor that led us to Microsoft Sentinel is that it is a well-rated and well-perceived product. However, the key reason is that our unit focused exclusively on Microsoft solutions, and we believe in the quality of the product, so that decision was straightforward.

How are customer service and support?

Microsoft Sentinel's support and customer service deserves at least a nine rating because if you have any issues, you can easily submit a ticket and they will help you. There are different priority levels if you purchase extended support, which we have not done. We have been working for over two years with standard support and have not encountered any problems, so we appreciate it greatly. Microsoft invests significantly in support, which is crucial for companies.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously worked with McAfee and Check Point solutions before Microsoft Sentinel, but since we specialized in Microsoft, we transitioned everything over.

How was the initial setup?

Setting up Microsoft Sentinel requires a little expertise; there is substantial documentation available and while it is not extremely difficult, some configurations require know-how to truly make it work. Microsoft Sentinel rates at a seven or eight for how straightforward it is to set up on a scale where ten is the easiest.

What other advice do I have?

Over 80% of our log data have been moved to auxiliary logs since implementing Microsoft Sentinel, as we primarily use Microsoft solutions.

Microsoft Sentinel's pricing is competitive, especially when you have a Microsoft infrastructure, as you typically receive better deals. In the end, it is positive because integrating Microsoft Sentinel with the Microsoft solutions you are acquiring turns out to be much cheaper than purchasing everything needed from a different SIEM solution.

As an ISO certified organization, it is very important for us to have clear data for usage, and Microsoft Sentinel helps significantly because you can automate reporting for audits, making the process very efficient.

We typically work on a cloud deployment model for Microsoft Sentinel, but hybrid is an option if there is a significant on-premises footprint. Our infrastructure is approximately 95% in the cloud, so we are using the cloud solution. Microsoft Sentinel can also be deployed hybrid if there is a data center involved; I would not recommend working on it locally, as cloud-first is ideal.

We primarily use Azure as our main cloud provider, but it is possible to use AWS; it will just work more easily and configure better in Azure, though it can also be utilized in AWS for checking servers and security equipment on VMs.

Our overall rating for Microsoft Sentinel is nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Nov 6, 2025
Associate technical desktop support at Digitaltrack soluctions Pvt. ltd
Real User
Top 5
Apr 30, 2026
Centralized monitoring has improved threat detection and now automates incident response
Pros and Cons
  • "Microsoft Sentinel has positively impacted my organization by improving visibility across all security logs, reducing incident response time through automation, and enabling faster threat detection, which has strengthened our overall security posture and reduced the manual workload for the SOC team."
  • "Microsoft Sentinel could be improved by making the UI more intuitive, simplifying KQL queries for easier use, improving cost visibility and optimization controls, and enhancing performance and query speed when handling large volumes of data."

What is our primary use case?

My main use case for Microsoft Sentinel is centralized log monitoring, threat detection, and incident investigation, utilizing automated response with analytic rules and playbooks to improve SOC efficiency.

Day-to-day, I monitor alerts and the dashboard, and Microsoft Sentinel investigates incidents using log queries and automated responses with playbooks. For example, I detected multiple failed login attempts from an unusual location, correlated Azure AD logs, and automatically triggered a playbook to block the IP and notify the team, which helped us stop a potential account compromise quickly.

Additionally, I use Microsoft Sentinel for continuous log integration for multiple resources, Azure endpoints, and firewalls, proactive threat hunting using KQL queries, and automating routine tasks including alert triggers and ticket creations.

What is most valuable?

The best features Microsoft Sentinel offers are centralized log management, AI-based threat detection, automation with playbooks, strong integration, and a scalable, cloud-native architecture.

I rely most on analytic rules and automation playbooks because they automatically detect suspicious activities and trigger responses such as alerting, blocking, or ticket creation, which saves considerable manual effort and helps us respond to incidents much faster and more consistently.

Additionally, the built-in connectors and KQL-based threat hunting are very useful as they allow me to pull logs from multiple resources and quickly investigate or proactively search for threats, which improves overall visibility and detection capability.

Microsoft Sentinel has positively impacted my organization by improving visibility across all security logs, reducing incident response time through automation, and enabling faster threat detection, which has strengthened our overall security posture and reduced the manual workload for the SOC team.

What needs improvement?

Microsoft Sentinel could be improved by making the UI more intuitive, simplifying KQL queries for easier use, improving cost visibility and optimization controls, and enhancing performance and query speed when handling large volumes of data.

Additionally, it would help if Microsoft Sentinel had more out-of-the-box use cases and pre-built dashboards, better correlation across multiple cloud and non-Microsoft sources, simplified troubleshooting of data collection, and more granular cost control to avoid unexpected billing in high-log ingestion environments.

For how long have I used the solution?

I have been using Microsoft Sentinel for around one to two years.

What do I think about the stability of the solution?

Microsoft Sentinel is stable.

What do I think about the scalability of the solution?

Microsoft Sentinel scales very well, as it is cloud-native, allowing me to handle large volumes of data and multiple data sources without worrying about infrastructure, and it continues to perform reliably as my environment grows.

Which solution did I use previously and why did I switch?

I previously used a combination of a basic syslog monitoring tool and some vendor-native solutions, but I switched to Microsoft Sentinel for better scalability, centralized visibility, built-in automation, and stronger integration with the Microsoft Azure ecosystem.

How was the initial setup?

Pricing is flexible and usage-based, while setup is straightforward but needs tuning. The licensing is simple, but cost control is important to avoid high ingestion charges.

What was our ROI?

I have achieved a significant ROI through faster response, up to sixty percent, reduced manual efforts, and improved team efficiency without increasing headcount.

Which other solutions did I evaluate?

I evaluated tools such as Splunk, IBM QRadar, and ArcSight before choosing Microsoft Sentinel, but I selected Sentinel due to its better Azure integration, flexible pricing model, and built-in automation capabilities.

What other advice do I have?

My advice for others looking into using Microsoft Sentinel is to start with a very clear log ingestion strategy to control costs, invest time in learning KQL and tuning analytics rules, and leverage the built-in connectors and automation early, especially if you are already using Azure, to get the most value quickly.

Overall, Microsoft Sentinel is a powerful and scalable SIEM solution that significantly improves visibility and response capabilities. With proper tuning and cost management, it provides strong value for organizations, especially those already using the Microsoft ecosystem. I would rate this product an eight out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Apr 30, 2026
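The incident the reviewer walks through (a run of failed sign-ins from one source, then a success, followed by a playbook that blocks the IP) is the shape of a classic brute-force detection. The query below is an added KQL example, not code from the review or from Microsoft. The SigninLogs rows are constructed sample data, and the `threshold` and `window` values are assumptions to tune per tenant. Run as a scheduled analytics rule with IPAddress mapped as an IP entity, each result row becomes the incident an automation rule can hand to a block-IP playbook.

```kusto
// Added example (not from the review). Finds a source IP that produced a burst of
// failed sign-ins and then a success within the same window, which is both the
// pattern the reviewer describes and the entity (IPAddress) a playbook would block.
// SigninLogs below is constructed sample data standing in for the real table.
let window = 10m;        // the burst must fit in this span
let threshold = 5;       // failures per source IP before we care
let SigninLogs = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, Location:string, ResultType:string, ResultDescription:string)
[
    datetime(2025-11-20T10:00:00Z), "alice@contoso.example", "192.0.2.99",    "RO", "50126", "Invalid username or password",
    datetime(2025-11-20T10:01:00Z), "alice@contoso.example", "192.0.2.99",    "RO", "50126", "Invalid username or password",
    datetime(2025-11-20T10:02:00Z), "alice@contoso.example", "192.0.2.99",    "RO", "50126", "Invalid username or password",
    datetime(2025-11-20T10:03:00Z), "bob@contoso.example",   "192.0.2.99",    "RO", "50126", "Invalid username or password",
    datetime(2025-11-20T10:04:00Z), "alice@contoso.example", "192.0.2.99",    "RO", "50126", "Invalid username or password",
    datetime(2025-11-20T10:05:00Z), "alice@contoso.example", "192.0.2.99",    "RO", "50126", "Invalid username or password",
    datetime(2025-11-20T10:07:00Z), "alice@contoso.example", "192.0.2.99",    "RO", "0",     "",
    datetime(2025-11-20T10:08:00Z), "alice@contoso.example", "198.51.100.20", "FI", "0",     "",
    datetime(2025-11-20T10:09:00Z), "carol@contoso.example", "203.0.113.7",   "FI", "50126", "Invalid username or password",
    datetime(2025-11-20T11:30:00Z), "carol@contoso.example", "203.0.113.7",   "FI", "50126", "Invalid username or password"
];
// Step 1: source IPs with at least `threshold` password failures inside `window`.
let Bursts = SigninLogs
    | where ResultType == "50126"
    | summarize FailedCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated),
                TargetedUsers = make_set(UserPrincipalName)
        by IPAddress
    | where FailedCount >= threshold and LastFail - FirstFail <= window;
// Step 2: a successful sign-in from the same IP shortly after the burst.
// ATT&CK T1110 (Brute Force); the IPAddress column is what the playbook blocks.
SigninLogs
| where ResultType == "0"
| join kind=inner Bursts on IPAddress
| where TimeGenerated between (LastFail .. (LastFail + window))
| project SuccessTime = TimeGenerated, CompromisedUser = UserPrincipalName, IPAddress, Location,
          FailedCount, FirstFail, LastFail, TargetedUsers
```

On the sample rows this returns one row: alice, from 192.0.2.99, after six failures that also touched bob. The success is required on purpose: a burst of failures alone is better handled as a lower-severity rule, because a single service account with a stale password can produce six 50126 errors in five minutes, and auto-blocking on that would be a self-inflicted outage. Check the thresholds against a week of your own SigninLogs before wiring the playbook to block.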
Sathiyan Harikrishnan Anusuya - PeerSpot reviewer
Security Analyst at Cognizant
Real User
Top 5
Nov 6, 2025
Has supported effective threat hunting and compliance while automation and integration need refinement
Pros and Cons
  • "Microsoft Sentinel helps us understand the areas that we have to improve and provides information on our current coverage."
  • "When compared to other industry standard SIEM solutions like Splunk or Palo Alto, Microsoft Sentinel can improve a lot."

What is our primary use case?

We generally used Microsoft Sentinel to identify issues and for threat hunting, log analysis, and incident triage. Logic Apps is one tool we use, along with watchlists, summary tables, search jobs, and threat hunting. The search job feature allows us to check archived logs through a search option.

What is most valuable?

Microsoft Sentinel helps us understand the areas that we have to improve and provides information on our current coverage. When we get an incident, we receive that information, but this also creates some noise around it because even simple things receive tags, though this noise actually makes more value for a real incident.

It has a positive impact. For example, we try to identify compliance issues and vulnerabilities and search across different custom applications. We are able to mitigate these, which helps improve the security score. Enriching all other information and making value out of it is important. Microsoft Sentinel is another SIEM tool, and any SIEM tool provides similar values. That is why we are going for the tool. Whatever SIEM we have, every SIEM has its own advantage and should have some value.

What needs improvement?

There is a lot of room for improvement. Because there are automations and logic, we mostly use Logic Apps, and that can be improved significantly with additional connectors for integration. The GUI can be enhanced. Palo Alto XSOAR and others were very good in SOAR, but when it comes to Microsoft Sentinel, it has not matured to that level.

When compared to other industry standard SIEM solutions like Splunk or Palo Alto, Microsoft Sentinel can improve a lot. It is acceptable as its own product, but compared to others, it can be improved substantially.

For how long have I used the solution?

I have been working with this solution since 2020.

What do I think about the stability of the solution?

Microsoft Sentinel is reliable and stable, but it is a little costlier.

How are customer service and support?

The support from Microsoft is not up to the standard because it takes a lot of time to analyze and get the right people and the right solution. It takes time, but we are able to resolve things, though the process is time-consuming.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I was using Splunk later, but not as extensively as Microsoft Sentinel.

What other advice do I have?

I am working on some Azure items, though I do not know if that qualifies as something relevant. I am working in Microsoft Sentinel and Defender XDR. We are a partner with Microsoft from our firm, and as an employee, I work on the solution for different customers. The version of Microsoft Sentinel is the latest version, and I do not see any version specific limitations.

Microsoft Sentinel is good, but it is going to be deprecated and integrated with Defender XDR, so we will use that. It is a little expensive. There is a limitation in that not all Azure Data Explorer queries and KQL queries can be used in Microsoft Sentinel. However, now they are moving to Azure Data Lake, which could be one reason for this limitation. There are many functionalities that are available in Azure Data Explorer which we cannot use in Microsoft Sentinel. It would be more useful if more Azure Data Explorer queries and the syntax available in Data Explorer could be leveraged in Microsoft Sentinel.

I am not using that module as we use it in the organization, but I am not handling it. This review has an overall rating of five out of five.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. partner
Last updated: Nov 6, 2025
Architect at a wholesaler/distributor with 201-500 employees
Real User
Top 20
May 5, 2025
Centralized logging and integrations enhance threat detection and cost efficiency
Pros and Cons
  • "Microsoft Sentinel's ability to correlate data from multiple sources has enhanced my threat detection capabilities beyond what simple data lake solutions offer."
  • "The integration between them is good and straightforward, the documentation is excellent, and we do not have any problems."
  • "In terms of improvements, pricing, licensing, and overall cost could be better."

What is our primary use case?

Our use cases for Microsoft Sentinel are SIEM and logging for any activity. We have been having some issues and we are using this logging for that purpose.

I am using Microsoft Sentinel for threat intelligence and threat hunting, and it is definitely helping us.

We did not have centralized logging in place, and Microsoft Sentinel has definitely helped us instead of having to spin up our own centralized logging, which is not scalable. Microsoft Sentinel has many integrations that help us with threat hunting and reduce the amount of effort needed from our end.

How has it helped my organization?

We're using it for threat intelligence and threat hunting and it's definitely been helping. 

What is most valuable?

The most valuable feature I have found in Microsoft Sentinel is logging. Microsoft Sentinel collects everything, and it is a centralized place for logging management.

It performs its functions in an efficient way for me.

Microsoft Sentinel's ability to correlate data from multiple sources has enhanced my threat detection capabilities beyond what simple data lake solutions offer. You can tie in with Defender intelligence and that really helps us. We want to see all activity going on.

I evaluate the integration of security functionalities such as SIEM, SOAR, TIP, UBA, and Microsoft Sentinel as good. The integration between them is good and straightforward, the documentation is excellent, and we do not have any problems. I foresee it having a positive impact.

With regards to MITRE ATT&CK, the recommendations from Microsoft Sentinel are really helpful for us to go back and remediate any recommendations.

The SOC optimization feature has impacted our organization's data management and cost efficiency significantly. It brings substantial savings compared to using different products, such as Splunk for SIEM and having another product for gathering intelligence. With the Microsoft platforms that we have, the integration is straightforward, which is definitely a cost savings for us instead of trying to get different product lines from different vendors.

The impact that Microsoft Sentinel has had on our organization's advanced hunting capabilities is significant. We depend on centralized logging for partnering with other providers, and we also use CrowdStrike. For threat hunting, we have seen issues where there were lateral movements, and for identifying those malicious sources and containing them, it has been definitely helpful.

What needs improvement?

In terms of improvements, pricing, licensing, and overall cost could be better.

For how long have I used the solution?

We've used the solution for one and a half months. 

What do I think about the stability of the solution?

I assess the stability and reliability of Microsoft Sentinel as good. We have not had any issues.

What do I think about the scalability of the solution?

Microsoft Sentinel scales as our needs grow without any problems. We are a very small organization, so it fits our needs.

How are customer service and support?

I would evaluate the customer support and technical support I received from Microsoft as very good. It is very responsive, and I really appreciate the documentation that is available online.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In the past, with a different organization, I used Splunk prior to using Microsoft Sentinel. The interface is not as simple as Microsoft Sentinel; it has its own query language, and Microsoft Sentinel is more straightforward. We also use CrowdStrike. 

How was the initial setup?

The deployment was straightforward. 

What was our ROI?

We have seen an ROI. Essentially, we didn't have centralized logging before. This has helped us substantially. Spinning up your own centralized logging is not really scalable. It's helped with threat hunting and has reduced the amount of effort on our end. 

What's my experience with pricing, setup cost, and licensing?

The pricing is a bit high.

Which other solutions did I evaluate?

Splunk was the other solution I was evaluating prior to picking Microsoft Sentinel.

I decided to go with Microsoft Sentinel as opposed to Splunk. Splunk has gone through a change. It has just been acquired by Cisco, and we do not know how the experience is going to be. There could be a transformation in their product line.

What other advice do I have?

On a scale of one to ten, I would rate Microsoft Sentinel as a product overall as nine.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Chief Operating Officer at a tech services company with 51-200 employees
Real User
Top 20
May 5, 2025
Managed security service scales operations efficiently and saves costs through advanced integrations
Pros and Cons
  • "Microsoft Sentinel's ability to correlate data from multiple sources has improved our capability significantly."
  • "In New Zealand, there are customers that run dual stack, running Microsoft but also competitor products, EDR software, cloud security software, and other tooling. While it's improved over the last four or five years, there's still more work that can be done to integrate better outside of the Microsoft ecosystem."
  • "The three challenges we have are outside of the Microsoft ecosystem. In New Zealand, there are customers that run dual stack, running Microsoft but also competitor products, EDR software, cloud security software, and other tooling."

What is our primary use case?

As a managed security service provider, we have a managed security service that we provide to customers, and our managed services are often built on Microsoft Sentinel.

How has it helped my organization?

Our managed SOC is based on Microsoft Sentinel, and a key benefit is that we've been able to take customers' investments, especially in E5 licensing, and make that investment stretch further than they would have had they gone to a competitor's product. This helps organizations drive and uplift their cyber resilience in a cost-effective manner.

For us, customer retention is key, and we can articulate value about the services we provide because the backend services and Microsoft Sentinel itself do the job for us. The benefit lies in customer retention, keeping our costs down, and providing value to customers by making every dollar they invest go further.

What is most valuable?

Microsoft Sentinel was the first real cloud-native SIEM solution, and it integrates into an ecosystem around Microsoft and the entire stack with all of the other vendor products. I appreciate that we can get the free ingestion from the Microsoft ecosystem into Microsoft Sentinel, which works really well for us.

Microsoft Sentinel's ability to correlate data from multiple sources has improved our capability significantly. We have used other SIEM products and data lake products outside of Microsoft Sentinel, and it's evident that what you get out of Microsoft Sentinel and the ability to enrich the data with threat intelligence and correlate over various sources provides better detection capabilities, better response times, and more assurance of security. In the five years that we've had the product in market as a managed service offering, we've not missed anything, demonstrating a strong track record.

The automation feature in Microsoft Sentinel has been amazing and has significantly affected our team's efficiency in handling security incidents. As a managed security partner, we've effectively been able to triple our customer base but only had to increase headcount by 15% to 20%. The built-in integrations and automation allow us to scale and have more coverage and greater capabilities without the corresponding increase in headcount.

The integration of security functionalities such as SIEM, SOAR, TIP, and UEBA in Microsoft Sentinel is robust. The ecosystem is very integrated together within Microsoft.

Microsoft Sentinel's SOC automation and optimization feature has significantly impacted our company's data management and cost efficiency. We operate as a provider, using the product both ourselves and for our customers. We've completed substantial optimization work around ingestion and cost optimization, and some of our customers have saved up to 300% to 400% compared to their original budgets.

Microsoft Sentinel has had an exceptional impact on our company's and customers' advanced hunting abilities. The integrations and automations natively built into the system help us perform retrospective threat hunting. We now have the capability of utilizing threat intelligence provided by the government in New Zealand, allowing us to take indicators of compromise and pass them directly into Microsoft Sentinel and the Defender suite, which moves us from a reactive to a proactive security stance.

The time saved per incident in Microsoft Sentinel has reduced by more than half compared to five years ago. We're able to handle more customers and incidents simultaneously, with detection and remediation times decreasing. With the investments we're making around Microsoft Security Copilot and AI, that efficiency is expected to improve further.

Using the MITRE ATT&CK framework has enhanced our security posture by providing a way to align to a framework that helps contextualize and explain why security threats are relevant and how they can manifest in the environment. It offers a common language for our analysts to communicate across all of our customers on the service, focusing on the TTPs that threat actors would use to undertake an attack or compromise in the customer's environment.

What needs improvement?

The three challenges we have are outside of the Microsoft ecosystem. In New Zealand, there are customers that run dual stack, running Microsoft but also competitor products, EDR software, cloud security software, and other tooling. While it's improved over the last four or five years, there's still more work that can be done to integrate better outside of the Microsoft ecosystem.

Microsoft Sentinel is on the right track in terms of improvements. Being part of a Microsoft partner security association in New Zealand gives us access to information about product roadmaps and developments. The only recommendation, rather selfishly as an MSSP, is for a model where MSSPs can take Microsoft Sentinel and deliver it at scale to customers under a licensing construct.

To improve Microsoft Sentinel further, providing better options for long-term retention and storage of non-Microsoft logs is important for our customers. There is always a cost element there, and for us as an MSSP partner, being able to differentiate our service using the platform through a licensing construct specifically for MSSP partners would be beneficial.

For how long have I used the solution?

We've been using Microsoft Sentinel ever since it came out in Purview, approximately five years now.

What do I think about the stability of the solution?

Microsoft Sentinel has been amazing in terms of stability and reliability, as we haven't had any issues with it.

What do I think about the scalability of the solution?

While Microsoft Sentinel scales effectively from a technical standpoint, it could be improved in terms of being more suited for MSSP partners with regard to licensing construct.

How are customer service and support?

I have never had to use Microsoft Sentinel's customer service or technical support officially; however, the teams I have reached out to have been excellent. I've never received any bad responses or feedback.

How would you rate customer service and support?

Positive

What was our ROI?

I have definitely seen a return on investment when using Microsoft Sentinel, though it's difficult to quantify in dollar terms, considering security cannot be given a precise value. 

From a risk perspective, it's about mitigating risk, and as mentioned earlier, we haven't missed many things since we've had the offering in market—only a couple of minor incidents.

What's my experience with pricing, setup cost, and licensing?

I was more familiar with Microsoft Sentinel's pricing, setup costs, and licensing many years ago, and in my current role, I'm not as involved with these aspects.

What other advice do I have?

On a scale of one to ten, this solution rates as a nine.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
reviewer2811336 - PeerSpot reviewer
Senior VP, Strategy at a tech vendor with 51-200 employees
Real User
Top 10
Mar 24, 2026
External threat intel integration with Microsoft Sentinel
Pros and Cons
  • "The features of Microsoft Sentinel that I appreciate the most include the app integration."
  • "Microsoft Sentinel's ability to correlate data from multiple sources does not enhance our threat detection capabilities beyond what a simple data lake solution could offer, as we are a developer, so it is not necessarily applicable."

What is our primary use case?

My main use case for Microsoft Sentinel is being able to put external threat intel into Sentinel.

What is most valuable?

The features of Microsoft Sentinel that I appreciate the most include the app integration. I think it is straightforward; there were a couple of hiccups, but generally, it is very straightforward.

I do not consider it so much a benefit to our organization because it results in the use of our products. It is actually a benefit to Microsoft Sentinel customers, which we are a secondary beneficiary of.

What needs improvement?

For us, improving Microsoft Sentinel would involve tying its usage closer to email threat telemetry and making it easier for folks that either use Defender and email to use Sentinel.

For how long have I used the solution?

I have used Microsoft Sentinel for one year.

What do I think about the stability of the solution?

I do not have any experience with the stability and reliability of Microsoft Sentinel, other than technical support as a developer, and I have not experienced any downtime, crashes, or performance issues.

Which solution did I use previously and why did I switch?

Before adopting Microsoft Sentinel, we were supporting other solutions.

Which other solutions did I evaluate?

The other solutions we considered before selecting Microsoft Sentinel were based on market reach, feature set, and go-to-market opportunities, as we are a developer.

What other advice do I have?

Microsoft Sentinel does not give us a unified set of tools to detect, investigate, and respond to incidents, as we do not make use of those at this moment.

I do not know specifically about Microsoft Sentinel, but in general, I am a big supporter and believer in the effectiveness of AI and machine learning in enhancing threat detection and response.

Microsoft Sentinel's ability to correlate data from multiple sources does not enhance our threat detection capabilities beyond what a simple data lake solution could offer, as we are a developer, so it is not necessarily applicable.

The SOC optimization feature's impact on our organization's data management and cost efficiency is not applicable.

My advice to other organizations considering Microsoft Sentinel is that they ought to consider all solutions based on their needs. I do not have a particularly strong feeling one way or the other about Microsoft Sentinel, with a rating of zero out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: Mar 24, 2026
Chief Commercial Officer at defend
Real User
Top 20
May 5, 2025
Managing operations with a unified security pane while benefiting from cost efficiency
Pros and Cons
  • "Microsoft Sentinel has improved cost efficiency, which is one of the key areas we're able to win business against the ability to have threat intelligence."
  • "It's a great product."
  • "It would be nice to be able to leverage more AI to handle more data and recovery aspects in the future."

What is our primary use case?

Our use case for Microsoft Sentinel is having a more holistic view by having all security events in one place.

How has it helped my organization?

We were likely the first partner in New Zealand. We've been able to manage the path forward early on and have helped small businesses adopt a really scalable solution.

It's one of the key areas we've focused on. We love the ability of having reliable threat intelligence.

What is most valuable?

Microsoft Sentinel's ability to integrate with other Microsoft products has been beneficial to our team's operations. We like the best of ecosystem versus the best of breed approach. We can have everyone have the same skillsets and not have individuals specialized. It's much more holistic. 

The threat detection has been useful. We like having everything managed by one solution. It simplifies everything. 

The automation feature helps with efficiency, specifically around security. 

It has good integration with other security features. It's a great product. The ease of use and ease of management are great. 

It's allowing us to have one Microsoft security pane of glass.

Microsoft Sentinel has improved cost efficiency, which is one of the key areas we're able to win business against the ability to have threat intelligence.

What needs improvement?

To improve Microsoft Sentinel specifically, giving us different functionality to handle tasks would be really amazing. I don't have any issues with what's currently available.

It would be nice to be able to leverage more AI to handle more data and recovery aspects in the future. 

For how long have I used the solution?

I've used the solution for the last five years. 

What do I think about the stability of the solution?

Regarding the stability of Microsoft Sentinel, there haven't been any significant issues. There may have been one or two minor incidents over time, yet nothing substantial.

What do I think about the scalability of the solution?

The scalability is very good. Our largest customer has 55,000 seats. Others have 100 to 200 seats. 

How are customer service and support?

We've had a good experience with Microsoft support.

Which solution did I use previously and why did I switch?

We decided early on we weren't going to partner with a lot of vendors. We liked what Microsoft was going to do with a best-of-ecosystem approach instead of best of breed. 

How was the initial setup?

The initial setup is pretty easy. 

What was our ROI?

I have definitely seen a return on investment in the past five years. We attribute our growth to Sentinel. It became a product that everyone suddenly wanted. 

What's my experience with pricing, setup cost, and licensing?

My experience with the pricing setup has been positive.

Which other solutions did I evaluate?

There were a couple of other products available; however, we were quite certain we were going to go with Microsoft Sentinel.

What other advice do I have?

The reason why having a best-of-ecosystem is crucial for our customers is that it eliminates the need to set up multiple different products, so it was really attractive to have everything in one place.

I'd rate the solution ten out of ten. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.
Updated: April 2026