senior cyber security at a tech services company with 201-500 employees
Real User
Top 10
Apr 9, 2025
Unified security operations streamline monitoring and incident management
Pros and Cons
  • "The best feature of Microsoft Sentinel is its ability to unify all dashboards or functions into one modern SecOps dashboard."
  • "The pricing tiers of Microsoft Sentinel should be improved. There are complexities in calculating the right pricing tier for different customers, which makes it difficult for me as a consultant during upfront pricing."

What is our primary use case?

I use Microsoft Sentinel for security incident management, monitoring, and incident tracking in the security environment. My clients use it to unify and monitor their entire ecosystem in the security sector using either Microsoft or other security products. This enables them to correlate all incidents and logs into Microsoft Sentinel.

What is most valuable?

The best feature of Microsoft Sentinel is its ability to unify all dashboards or functions into one modern SecOps dashboard. This integration means that I do not need to check multiple dashboards for security operations, offering seamless integration with the Microsoft ecosystem. The pre-built detection analytics and the ability to create custom detection rules more easily than some other solutions are also highly valuable. Additionally, the ability of Microsoft Sentinel to correlate data from multiple sources enhances threat detection capabilities.

What needs improvement?

The pricing tiers of Microsoft Sentinel should be improved. There are complexities in calculating the right pricing tier for different customers, which makes it difficult for me as a consultant during upfront pricing. Additionally, I would like to see more out-of-the-box data collectors to connect to proprietary systems in future versions.

For how long have I used the solution?

I have been working with Microsoft Sentinel for around two years.
Buyer's Guide
Microsoft Sentinel
January 2026
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: January 2026.
881,082 professionals have used our research since 2012.

What was my experience with deployment of the solution?

The cloud deployment of Microsoft Sentinel is very straightforward and one of the easiest I have worked with. It integrates quickly if all the requirements are prepared. This is different from other SIEM solutions, which require more complex processes like preparing hardware and finding the right server size. In 10 to 15 minutes, it can be set up with a proxy server, and logs are automatically integrated, allowing for fast deployment without additional software installation.

What do I think about the stability of the solution?

Microsoft Sentinel is quite stable. However, some of the data connectors can become deprecated, requiring reconnection. I need to be aware of deprecated connectors as they may disconnect, but the data continues to be sent with a need for quick adaptation.

What do I think about the scalability of the solution?

Being a SaaS solution, the scalability of Microsoft Sentinel is robust. I do not need to manage resources, and the open infrastructure allows for scalable usage.

How are customer service and support?

As a consultant, I rate the quality of service for technical support a seven out of ten. The response is usually quick, especially through live chat, and further support is provided through email or remote assistance if needed.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

I have experience with other SIEM solutions, including Azure and other major players in the security market. With Microsoft Sentinel, the ease of building detection rules and correlation queries is more straightforward than with other tools like Splunk.

How was the initial setup?

The initial setup is very simple and fast with Microsoft Sentinel, requiring only a small virtual machine as a proxy server. There is no need for complex hardware setups, unlike other SIEM solutions.

What was our ROI?

Calculating the ROI of Microsoft Sentinel can be challenging. If a customer is already using Microsoft’s ecosystem, the ROI can be positive due to seamless integration. For those without significant Microsoft usage, the cost may be high, leading to a lower ROI.

What's my experience with pricing, setup cost, and licensing?

The pricing tiers and associated complexities of Microsoft Sentinel can be cumbersome. Setting up the right cost model for customers is intricate, requiring careful consideration of various components and licensing tiers.

Which other solutions did I evaluate?

I have also worked with solutions like Splunk and other SIEMs in the security market.

What other advice do I have?

There are some issues with data connectors being deprecated and the lack of immediate replacements being available. However, the solution remains user-friendly and efficient for those within the Microsoft ecosystem. Overall, I rate Microsoft Sentinel an 8.5 out of ten.

Which deployment model are you using for this solution?

Public Cloud

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
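The reviewer above notes that data connectors can be deprecated and silently stop delivering, so the practical check is whether each table is still receiving data. The query below is an added example for this page, not code from the reviewer or from Microsoft. It reads the built-in Usage metering table rather than the raw event tables, so it is cheap to run; the 14-day baseline and 24-hour silence threshold are assumptions to tune per connector.

```kql
// Added example (not from the review): flag tables whose ingestion has gone silent.
// Usage is the built-in metering table: one row per table (DataType) per hour,
// so this is far cheaper than `union withsource=TableName *` over the raw data.
// The 14d baseline and 24h silence threshold are assumptions; tune per connector.
let baseline = 14d;
let silence  = 24h;
Usage
| where TimeGenerated > ago(baseline)
| where Quantity > 0                          // keep only rows that carried volume
| summarize
    LastIngested = max(TimeGenerated),
    BaselineMB   = round(sum(Quantity), 1)
    by DataType
| where LastIngested < ago(silence)           // nothing arrived inside the silence window
| extend HoursSilent = datetime_diff('hour', now(), LastIngested)
| project DataType, LastIngested, HoursSilent, BaselineMB
| order by BaselineMB desc                    // loudest tables first: their loss hurts most
```

Two caveats a practitioner should keep in mind: the Usage table lags real ingestion by some time, so a threshold much shorter than a few hours will produce false positives, and a connector that was replaced rather than simply dropped may keep sending under a different table name, so a silent table still needs a look at the connector page before being declared dead. Saved as a scheduled analytics rule that runs daily, this turns a quiet disconnect into an incident instead of a surprise during an investigation.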
Architect at a wholesaler/distributor with 201-500 employees
Real User
Top 20
May 5, 2025
Centralized logging and integrations enhance threat detection and cost efficiency
Pros and Cons
  • "Microsoft Sentinel's ability to correlate data from multiple sources has enhanced my threat detection capabilities beyond what simple data lake solutions offer."
  • "The integration between them is good and straightforward, the documentation is excellent, and we do not have any problems."
  • "In terms of improvements, pricing, licensing, and overall cost could be better."

What is our primary use case?

Our use cases for Microsoft Sentinel are SIEM and logging for any activity. We have been having some issues and we are using this logging for that purpose.

I am using Microsoft Sentinel for threat intelligence and threat hunting, and it is definitely helping us.

We did not have centralized logging in place, and Microsoft Sentinel has definitely helped us instead of having to spin up our own centralized logging, which is not scalable. Microsoft Sentinel has many integrations that help us with threat hunting and reduce the amount of effort needed from our end.

How has it helped my organization?

We're using it for threat intelligence and threat hunting and it's definitely been helping. 

What is most valuable?

The most valuable feature I have found in Microsoft Sentinel is logging. Microsoft Sentinel collects everything, and it is a centralized place for logging management.

It performs its functions in an efficient way for me.

Microsoft Sentinel's ability to correlate data from multiple sources has enhanced my threat detection capabilities beyond what simple data lake solutions offer. You can tie in with Defender intelligence and that really helps us. We want to see all activity going on.

I evaluate the integration of security functionalities such as SIEM, SOAR, TIP, UBA, and Microsoft Sentinel as good. The integration between them is good and straightforward, the documentation is excellent, and we do not have any problems. I foresee it having a positive impact.

With regards to MITRE ATT&CK, the recommendations from Microsoft Sentinel are really helpful for us to go back and remediate any recommendations.

The SOC optimization feature has impacted our organization's data management and cost efficiency significantly. It brings substantial savings compared to using different products, such as Splunk for SIEM and having another product for gathering intelligence. With the Microsoft platforms that we have, the integration is straightforward, which is definitely a cost savings for us instead of trying to get different product lines from different vendors.

The impact that Microsoft Sentinel has had on our organization's advanced hunting capabilities is significant. We depend on centralized logging for partnering with other providers, and we also use CrowdStrike. For threat hunting, we have seen issues where there were lateral movements, and for identifying those malicious sources and containing them, it has been definitely helpful.

What needs improvement?

In terms of improvements, pricing, licensing, and overall cost could be better.

For how long have I used the solution?

We've used the solution for one and a half months. 

What do I think about the stability of the solution?

I assess the stability and reliability of Microsoft Sentinel as good. We have not had any issues.

What do I think about the scalability of the solution?

Microsoft Sentinel scales as our needs grow without any problems. We are a very small organization, so it fits our needs.

How are customer service and support?

I would evaluate the customer support and technical support I received from Microsoft as very good. It is very responsive, and I really appreciate the documentation that is available online.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

In the past, with a different organization, I used Splunk prior to using Microsoft Sentinel. The interface is not as simple as Microsoft Sentinel; it has its own query language, and Microsoft Sentinel is more straightforward. We also use CrowdStrike. 

How was the initial setup?

The deployment was straightforward. 

What was our ROI?

We have seen an ROI. Essentially, we didn't have centralized logging before. This has helped us substantially. Spinning up your own centralized logging is not really scalable. It's helped with threat hunting and has reduced the amount of effort on our end. 

What's my experience with pricing, setup cost, and licensing?

The pricing is a bit high.

Which other solutions did I evaluate?

Splunk was the other solution I was evaluating prior to picking Microsoft Sentinel.

I decided to go with Microsoft Sentinel as opposed to Splunk. Splunk has gone through a change. It has just been acquired by Cisco, and we do not know how the experience is going to be. There could be a transformation in their product line.

What other advice do I have?

On a scale of one to ten, I would rate Microsoft Sentinel as a product overall as nine.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: May 5, 2025
PeerSpot user
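Several reviews on this page credit Sentinel with correlating sources that a single product would not tie together, and the review above mentions lateral movement and identity signals specifically. The query below is an added illustration of what such a cross-source rule looks like; it is not from any reviewer or from Microsoft. It joins the Entra ID sign-in table (SigninLogs) with the Exchange Online audit table (OfficeActivity) to catch a risky sign-in followed by an inbox-rule change from the same account, a common business-email-compromise sequence. The one-hour window, the one-day lookback and the medium/high risk filter are assumptions.

```kql
// Added example (not from the review): a cross-source correlation rule.
// A risky successful sign-in followed within 1h by an inbox-rule change on the
// same account is a classic business-email-compromise sequence. The window,
// lookback and risk levels are assumptions; tune them for your tenant.
let window = 1h;
let RiskySignins =
    SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == "0"                                   // successful sign-in
    | where RiskLevelDuringSignIn in ("medium", "high")
    | project SigninTime = TimeGenerated,
              Account    = tolower(UserPrincipalName),
              SigninIP   = IPAddress,
              RiskLevelDuringSignIn;
OfficeActivity
| where TimeGenerated > ago(1d)
| where OfficeWorkload == "Exchange"
| where Operation in ("New-InboxRule", "Set-InboxRule")
| project RuleTime = TimeGenerated,
          Account  = tolower(UserId),
          RuleIP   = ClientIP,
          Operation, Parameters
| join kind=inner RiskySignins on Account                      // same account on both sides
| where RuleTime between (SigninTime .. SigninTime + window)   // rule change after the sign-in
| project SigninTime, RuleTime, Account, RiskLevelDuringSignIn,
          SigninIP, RuleIP, Operation, Parameters
| order by RuleTime desc
```

When this is saved as a scheduled analytics rule, replace the `ago(1d)` lookback with the rule's query period (for example run every hour over the last two hours) so that each event is evaluated once, and map Account and the two IP columns to the Account and IP entities so the incident carries the pivots an analyst needs.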
Chief Operating Officer at a tech services company with 51-200 employees
Real User
Top 20
May 5, 2025
Managed security service scales operations efficiently and saves costs through advanced integrations
Pros and Cons
  • "Microsoft Sentinel's ability to correlate data from multiple sources has improved our capability significantly."
  • "In New Zealand, there are customers that run dual stack, running Microsoft but also competitor products, EDR software, cloud security software, and other tooling. While it's improved over the last four or five years, there's still more work that can be done to integrate better outside of the Microsoft ecosystem."
  • "The three challenges we have are outside of the Microsoft ecosystem. In New Zealand, there are customers that run dual stack, running Microsoft but also competitor products, EDR software, cloud security software, and other tooling."

What is our primary use case?

As a managed security service provider, we have a managed security service that we provide to customers, and our managed services are often built on Microsoft Sentinel.

How has it helped my organization?

Our managed SOC is based on Microsoft Sentinel, and a key benefit is that we've been able to take customers' investments, especially in E5 licensing, and make that investment stretch further than they would have had they gone to a competitor's product. This helps organizations drive and uplift their cyber resilience in a cost-effective manner.

For us, customer retention is key, and we can articulate value about the services we provide because the backend services and Microsoft Sentinel itself do the job for us. The benefit lies in customer retention, keeping our costs down, and providing value to customers by making every dollar they invest go further.

What is most valuable?

Microsoft Sentinel was the first real cloud-native SIEM solution, and it integrates into an ecosystem around Microsoft and the entire stack with all of the other vendor products. I appreciate that we can get the free ingestion from the Microsoft ecosystem into Microsoft Sentinel, which works really well for us.

Microsoft Sentinel's ability to correlate data from multiple sources has improved our capability significantly. We have used other SIEM products and data lake products outside of Microsoft Sentinel, and it's evident that what you get out of Microsoft Sentinel and the ability to enrich the data with threat intelligence and correlate over various sources provides better detection capabilities, better response times, and more assurance of security. In the five years that we've had the product in market as a managed service offering, we've not missed anything, demonstrating a strong track record.

The automation feature in Microsoft Sentinel has been amazing and has significantly affected our team's efficiency in handling security incidents. As a managed security partner, we've effectively been able to triple our customer base but only had to increase headcount by 15% to 20%. The built-in integrations and automation allow us to scale and have more coverage and greater capabilities without the corresponding increase in headcount.

The integration of security functionalities such as SIEM, SOAR, TIP, and UEBA in Microsoft Sentinel is robust. The ecosystem is very integrated together within Microsoft.

Microsoft Sentinel's SOC automation and optimization feature has significantly impacted our company's data management and cost efficiency. We operate as a provider, using the product both ourselves and for our customers. We've completed substantial optimization work around ingestion and cost optimization, and some of our customers have saved up to 300% to 400% compared to their original budgets.

Microsoft Sentinel has had an exceptional impact on our company's and customers' advanced hunting abilities. The integrations and automations natively built into the system help us perform retrospective threat hunting. We now have the capability of utilizing threat intelligence provided by the government in New Zealand, allowing us to take indicators of compromise and pass them directly into Microsoft Sentinel and the Defender suite, which moves us from a reactive to a proactive security stance.

The time saved per incident in Microsoft Sentinel has reduced by more than half compared to five years ago. We're able to handle more customers and incidents simultaneously, with detection and remediation times decreasing. With the investments we're making around Microsoft Security Copilot and AI, that efficiency is expected to improve further.

Using the MITRE ATT&CK framework has enhanced our security posture by providing a way to align to a framework that helps contextualize and explain why security threats are relevant and how they can manifest in the environment. It offers a common language for our analysts to communicate across all of our customers on the service, focusing on the TTPs that threat actors would use to undertake an attack or compromise in the customer's environment.

What needs improvement?

The three challenges we have are outside of the Microsoft ecosystem. In New Zealand, there are customers that run dual stack, running Microsoft but also competitor products, EDR software, cloud security software, and other tooling. While it's improved over the last four or five years, there's still more work that can be done to integrate better outside of the Microsoft ecosystem.

Microsoft Sentinel is on the right track in terms of improvements. Being part of a Microsoft partner security association in New Zealand gives us access to information about product roadmaps and developments. The only recommendation, rather selfishly as an MSSP, is for a model where MSSPs can take Microsoft Sentinel and deliver it at scale to customers under a licensing construct.

To improve Microsoft Sentinel further, providing better options for long-term retention and storage of non-Microsoft logs is important for our customers. There is always a cost element there, and for us as an MSSP partner, being able to differentiate our service using the platform through a licensing construct specifically for MSSP partners would be beneficial.

For how long have I used the solution?

We've been using Microsoft Sentinel ever since it came out in Purview, approximately five years now.

What do I think about the stability of the solution?

Microsoft Sentinel has been amazing in terms of stability and reliability, as we haven't had any issues with it.

What do I think about the scalability of the solution?

While Microsoft Sentinel scales effectively from a technical standpoint, it could be improved in terms of being more suited for MSSP partners with regard to licensing construct.

How are customer service and support?

I have never had to use Microsoft Sentinel's customer service or technical support officially, however, the teams I have reached out to have been excellent. I've never received any bad responses or feedback.

How would you rate customer service and support?

Positive

What was our ROI?

I have definitely seen a return on investment when using Microsoft Sentinel, though it's difficult to quantify in dollar terms, considering security cannot be given a precise value. 

From a risk perspective, it's about mitigating risk, and as mentioned earlier, we haven't missed many things since we've had the offering in market—only a couple of minor incidents.

What's my experience with pricing, setup cost, and licensing?

I was more familiar with Microsoft Sentinel's pricing, setup costs, and licensing many years ago, and in my current role, I'm not as involved with these aspects.

What other advice do I have?

On a scale of one to ten, this solution rates as a nine.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: May 5, 2025
PeerSpot user
Ivan Angelov - PeerSpot reviewer
Project Executive at a consultancy with 201-500 employees
Real User
Top 5
Mar 20, 2025
Threat detection and response capabilities enhance investigation processes
Pros and Cons
  • "The most valuable features for us include threat collection, threat detection, response, and the knowledge base for investigation."
  • "However, we are not using it for some features, mainly for cost-related reasons and our company policy."

What is our primary use case?

My security team has been using Microsoft Sentinel for around two years. We also have Bastion and SolarWinds as part of our monitoring tools. We use a three-way tool, alongside Microsoft Sentinel, in our environment.

What is most valuable?

The most valuable features for us include threat collection, threat detection, response, and the knowledge base for investigation. These are the three separations in the tool that we are currently using.

What needs improvement?

My team enjoys using Microsoft Sentinel. However, we are not using it for some features, mainly for cost-related reasons and our company policy. We choose other solutions for basic monitoring due to better cost opportunities. There could be improvements in those areas, but these are based on management decisions.

For how long have I used the solution?

We have been using it for approximately two years.

What do I think about the stability of the solution?

In the past two years, our team hasn't encountered any issues with the stability of Microsoft Sentinel from an operations perspective. We rate it an eight, as no escalations have been made for Microsoft Sentinel.

What do I think about the scalability of the solution?

I cannot provide a specific number for scalability, as I wasn't part of the scaling team. We did use an external vendor, I-Tracing, for assistance.

How are customer service and support?

When my team needs to escalate issues to Microsoft, especially for Microsoft Sentinel, the response is fast through their French entity. We would rate technical support an eight.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We used Bastion before Microsoft Sentinel. We still use Bastion in some regions for end-to-end security and SolarWinds for monitoring. We switched to Microsoft Sentinel for specific security cases.

How was the initial setup?

Initially, we had dedicated training from a UK trainer who worked with our team for three months. The cloud, DevOps, and security teams wrapped up training quickly, especially within the EMEA region. No major issues were encountered during the adoption.

What about the implementation team?

We had a dedicated trainer from the UK who worked with our security level one and two teams during the initial setup. The DevOps team had some delays, but these were likely operational specifics.

What was our ROI?

I'm not on top of the full business case, but from a support and licensing perspective, it's fine. Microsoft Azure was not fitting for short-term cost savings but promised a better ROI over three to five years for medium to large companies.

What's my experience with pricing, setup cost, and licensing?

I haven't seen the full business case, but the cost for support and licensing is justified with what we receive. Microsoft Sentinel offers more capabilities than Bastion, with a more intuitive experience.

Which other solutions did I evaluate?

We evaluated Bastion and SolarWinds.

What other advice do I have?

My CISO wanted to get more with less money. Short-term, Microsoft Sentinel might not fit the budget, but long-term it makes sense, especially for medium to large companies. I rate Microsoft Sentinel an eight out of ten, offering a better experience than our previous solution.

Which deployment model are you using for this solution?

Public Cloud

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
IT Consultant at a manufacturing company with 10,001+ employees
Real User
Top 10
Nov 24, 2024
Acts as a single point for all security events and saves time with automated threat handling
Pros and Cons
  • "Custom workbooks are valuable. It is one of the crucial points in dealing with potential security threats in an automated way without requiring too much manpower."
  • "We feel safe knowing that we have a solution that we can use to react in case of an emergency."
  • "As of now, there have been only benefits. However, I am curious about potential AI integration and whether it will be affordable for us because all the compliance costs are rising with all the new features."

What is our primary use case?

We started using Microsoft Sentinel one year ago. We are still piloting the environment because we are transitioning towards cloud solutions with Microsoft Intune.

Until now, we have been using third-party products, but due to requirements to have stronger security in the cloud, not only on the client endpoint side, we are moving to Microsoft Sentinel. Our focus is on strengthening cloud security as well as client endpoints. Microsoft Sentinel is used to substitute our Splunk solution, covering the security of main Azure services such as Entra ID and automating threat protection for client sites and endpoints.

How has it helped my organization?

The automation feature affects our team's efficiency in handling security incidents. It helps us to auto-isolate or auto-react to defined issues or activities. We do not need a lot of manpower.

We are now seeing many more incidents. Previously, we were not aware of them. We are able to close those security gaps. It helps us protect our environment better. We feel safe knowing that we have a solution that we can use to react in case of an emergency.

We now have Office 365, Exchange, and other solutions included in there. We are now also onboarding clients. We will be able to track the threat workflow better and see if it is coming through the email or getting exploited from the network share. We will be able to find the source of the issues and prevent them in the future. We are still at the beginning and have not discovered any issues yet.

What is most valuable?

Custom workbooks are valuable. It is one of the crucial points in dealing with potential security threats in an automated way without requiring too much manpower. Our security department is not big. With the custom workbooks, we are able to immediately respond by auto-isolating the devices, and after that, our technical team or security team can look into it. It helps us to solve issues with a small bunch of people behind it.

We can gather all security events in one platform and react to all these events. We have the integration through various connectors to Intune, Entra ID, etc. We have a single pane of glass for collecting all the information.

What needs improvement?

I am not deeply involved with Microsoft Sentinel, so I cannot pinpoint weaknesses. As of now, there have been only benefits. However, I am curious about potential AI integration and whether it will be affordable for us because all the compliance costs are rising with all the new features. I know there is a similar solution inside Defender that you can use with Security Plan 2, but for us, Security Plan 2 is expensive. Currently, we are happy to have a way in the middle with not so much cost, but it would be nice to have the ability to enhance the automation of workflows based on learned incidents.

For how long have I used the solution?

We started using Microsoft Sentinel one year ago, initiating with a pilot.

What do I think about the stability of the solution?

So far, we have not experienced any issues, and it has been stable from the beginning. Any problems have been due to internal configuration errors rather than system instability.

What do I think about the scalability of the solution?

Its scalability is good. We do not have any performance issues. It is hunting a lot of events. We do not have so many clients, but Office 365 and Exchange are running on it, covering about 35,000 users efficiently.

How are customer service and support?

Microsoft provides the highest level of customer support. The information provided is reliable, and their solutions' integration simplifies resolving issues compared to those caused by third-party products.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We are switching from Splunk because Microsoft Sentinel is integrated with our Entra ID. We do not need to have a separate solution. The Splunk solution currently in place is not cloud-ready. Microsoft Sentinel is definitely better integrated.

How was the initial setup?

It was done by other colleagues. I was not involved in this part.

In the beginning, we had a lot of sessions to understand it. Most Azure features require simple activation, but we had to ensure that we understood the impact of enabling certain features. This cautious approach was necessary for proper integration without inducing incidents.

What's my experience with pricing, setup cost, and licensing?

I am not aware of the price. We are currently covered with Security Plan 1, and it works well for us.

Which other solutions did I evaluate?

We previously evaluated other solutions but opted for Microsoft because it is integrated within our infrastructure, offering better cloud-readiness compared to Splunk. This seamless integration supports our focus on enhancing security without separate solutions.

What other advice do I have?

Be aware of the risks and requirements before implementing the solution. Every related feature needs to have the necessary configuration to prevent any disruptions. Microsoft Sentinel covers everything needed.

We have not yet moved our logs to Microsoft Sentinel. They are still being collected inside Splunk. We are trying to move all these log files to Microsoft Sentinel. I am not sure how many systems are connected yet, but all the integrated services inside the Entra ID are completely coherent.

I am not a direct user, so I do not have the exact inner comparison to other solutions. It covers everything we need. I would rate Microsoft Sentinel a ten out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
PeerSpot user
Chief Commercial Officer at a tech services company with 51-200 employees
Real User
Top 20
May 5, 2025
Managing operations with a unified security pane while benefiting from cost efficiency
Pros and Cons
  • "Microsoft Sentinel has improved cost efficiency, which is one of the key areas we're able to win business against the ability to have threat intelligence."
  • "It's a great product."
  • "It would be nice to be able to leverage more AI to handle more data and recovery aspects in the future."

What is our primary use case?

Our use case for Microsoft Sentinel is having a more holistic view by having all security events in one place.

How has it helped my organization?

We were likely the first partner in New Zealand. We've been able to manage the path forward early on and have helped small businesses adopt a really scalable solution.

It's one of the key areas we've focused on. We love the ability of having reliable threat intelligence.

What is most valuable?

Microsoft Sentinel's ability to integrate with other Microsoft products has been beneficial to our team's operations. We like the best of ecosystem versus the best of breed approach. We can have everyone have the same skillsets and not have individuals specialized. It's much more holistic. 

The threat detection has been useful. We like having everything managed by one solution. It simplifies everything. 

The automation feature helps with efficiency, specifically around security. 

It has good integration with other security features. It's a great product. The ease of use and ease of management are great. 

It's allowing us to have one Microsoft security pane of glass.

Microsoft Sentinel has improved cost efficiency, which is one of the key areas we're able to win business against the ability to have threat intelligence.

What needs improvement?

To improve Microsoft Sentinel specifically, giving us different functionality to handle tasks would be really amazing. I don't have any issues with what's currently available.

It would be nice to be able to leverage more AI to handle more data and recovery aspects in the future. 

For how long have I used the solution?

I've used the solution for the last five years. 

What do I think about the stability of the solution?

Regarding the stability of Microsoft Sentinel, there haven't been any significant issues. There may have been one or two minor incidents over time, yet nothing substantial.

What do I think about the scalability of the solution?

The scalability is very good. Our largest customer has 55,000 seats. Others have 100 to 200 seats. 

How are customer service and support?

We've had a good experience with Microsoft support.

Which solution did I use previously and why did I switch?

We decided early on we weren't going to partner with a lot of vendors. We liked what Microsoft was going to do with a best-of-ecosystem approach instead of best-of-breed.

How was the initial setup?

The initial setup is pretty easy. 

What was our ROI?

I have definitely seen a return on investment in the past five years. We attribute our growth to Sentinel. It became a product that everyone suddenly wanted. 

What's my experience with pricing, setup cost, and licensing?

My experience with the pricing setup has been positive.

Which other solutions did I evaluate?

There were a couple of other products available, however, we were quite certain we were going to go with Microsoft Sentinel.

What other advice do I have?

The reason why having a best-of-ecosystem is crucial for our customers is that it eliminates the need to set up multiple different products, so it was really attractive to have everything in one place.

I'd rate the solution ten out of ten. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: May 5, 2025
Matthew Hoerig - PeerSpot reviewer
President at a tech services company with 1-10 employees
Real User
Top 5
Aug 6, 2025
Leverage cloud capabilities and automate security tasks while exploring data quality improvements
Pros and Cons
  • "Some of the best features of Microsoft Sentinel are that it is cloud-based, which from a CapEx perspective saves clients money in procuring on-premises infrastructure."

What is our primary use case?

My recent experience with Microsoft Sentinel involves my current work at another Government of Canada client where we are rolling out Microsoft Sentinel as their SIEM product of choice. In doing so, we are looking at connectors and data sources that we are going to be ingesting into Microsoft Sentinel. We are also examining the determination of whether it makes sense to look at a LAW (Log Analytics Workspace) on a per-subscription basis versus an aggregated approach where it is one subscription, but we are ingesting data from many different sources. It comes down to how much data has to be parsed by Microsoft Sentinel and what the volume is because you are paying essentially for Microsoft Sentinel to ingest the data. These are the analytical discussions taking place right now.

What is most valuable?

Some of the best features of Microsoft Sentinel are that it is cloud-based, which from a CapEx perspective saves clients money in procuring on-premises infrastructure. It proves to be a dynamic tool because we use it for not just IaaS-related resources, but also for SaaS-related resources. Additionally, we have some on-premises infrastructure that will be feeding Microsoft Sentinel log data as well. Looking at it as a SaaS tool makes it easier to leverage, procure, and configure without the need to be concerned about buying hundreds of thousands of dollars in gear from a CapEx perspective.

The automated response capability in Microsoft Sentinel enhances our security posture quite beneficially from a SOAR perspective. One of the things that we are looking to do is alleviate some of the day-to-day actions and functionalities from our SOC personnel. Anything that can be automated from an investigative or event-related perspective is helpful. Microsoft Sentinel is a great example of a SOAR tool, and that is the intent for the current client; they want to be able to automate as many of these functionalities as possible.

What needs improvement?

To improve Microsoft Sentinel currently, focusing on the quality of the telemetry is essential. The data sources are critical, so understanding where they are located, how much there is, and what kind of telemetry is coming in from these data sources is vital. We are looking to reduce the amount of non-critical data; it is important to ensure that the quality of the log data ingested by Microsoft Sentinel is high.

The government deals with international entities, so it is necessary to ensure from a threat hunting and workbook perspective that if suspicious event information is generated by Microsoft Sentinel, there is good quality telemetry and understanding of where this is coming from and what kind of alerts are being generated. It is about being able to use as many features of the tool as possible and making sure that with these connectors in place, the quality of the data sources is high.

For how long have I used the solution?

We are currently implementing Microsoft Sentinel.

How are customer service and support?

We have dealt with Microsoft support, and I would rate their support highly. We have good relations with the Microsoft resources in Ottawa, and the account manager we have dealt with is leading our efforts. We have to speak to what is referred to as one of the support ninjas, who is our point of contact. He has been very helpful, and where needed, we have been directed to other support resources, so overall it works well.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup of Microsoft Sentinel is a gradual iterative process for this case. There is the initial deployment of Microsoft Sentinel itself, setting up the Log Analytics Workspace, and then going through the configuration again, looking at what we want the tool to ingest.

We have a Power Platform tenant, so we are pulling in SaaS data from the Power Platform tenant. We do have an IaaS environment as well, so there will be some endpoints and other services that we will be pulling data in from that. Additionally, the majority of our applications are located on-premises, so we will be ingesting on-premises log data as well. This is done through an Event Hub, where you set up an Event Hub to ingest that on-premises data, which gets repackaged through an API call and sent to Microsoft Sentinel.

With those three environments actively generating log data, the full deployment of Microsoft Sentinel is realized over time. We have SOC personnel that are not highly knowledgeable about the tool, which is why it is taking more time to ensure that the configurations are correct and appropriate while tracking costs. At the end of the day, we want to use as many features of the tool as possible, and I estimate that over a year, maybe a year and a half timeframe, we will go from the initial setup to a full-blown deployment with all of the connectors in place and all of the threat hunting configuration done; it is a gradual process.

What other advice do I have?

The AI is helping us improve threat detection from a generative perspective, although not yet from an agentic perspective. When looking to leverage LLMs for various tasks and for seeking information, it is great. However, given where we are in the deployment lifetime for the tool, we are not really leveraging AI as it is incorporated into the tool yet, such as looking for various analytics and data sources and suspicion around those data sources. That functionality will come, but it certainly is helpful when looking for information right now. I rate Microsoft Sentinel 8 out of 10.

Which deployment model are you using for this solution?

On-premises

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
Last updated: Aug 6, 2025
Cybersecurity Engineer at a manufacturing company with 10,001+ employees
User
Top 10
Jun 23, 2024
Improves our visibility, centralizes out-of-the-box content, and is user-friendly
Pros and Cons
  • "Microsoft Sentinel stands out among SIEM tools for its user-friendliness and powerful built-in query language."
  • "Microsoft Sentinel's search efficiency can be improved, especially for queries spanning large datasets or long timeframes like 90 days compared to competitors like Splunk."

What is our primary use case?

In our Security Operations Center, we rely on Microsoft Sentinel for continuous security monitoring. We collect logs from various customer environments and define security use cases with correlation rules to analyze activities. These rules leverage predefined criteria to identify potential malicious behavior. Microsoft Sentinel serves as our central platform for security monitoring, investigation, and remediation of security threats detected through alerts.

The biggest challenge in security monitoring is managing the vast amount of logs generated daily from various devices like web servers and firewalls. Microsoft Sentinel tackles this by collecting all logs in a central location and allowing us to define rules. Using its query language, we can search across these logs for specific conditions, like malicious activity. If a suspicious event is identified, Sentinel generates an immediate security alert, enabling our team to investigate and take appropriate action to stop potential attacks.

How has it helped my organization?

Microsoft Sentinel helps us identify security threats through built-in machine learning. It analyzes network traffic patterns and can detect anomalies, like unusually high data transfers outside typical hours. These anomalies trigger alerts, allowing for early intervention.

Microsoft Sentinel shines in its ability to bridge hybrid and multi-cloud environments. It seamlessly integrates with on-premises infrastructure through Azure Arc, and even private clouds can be connected via Azure Gateway and a VPN to the Azure Log Analytics workspace. This unified approach ensures all our security data, regardless of origin, is ingested and analyzed for potential threats.

Microsoft recently launched Content Hub, a marketplace for pre-configured security solutions within Azure Sentinel. Unlike our previous experience setting up data connectors a few years ago, Content Hub offers a one-stop shop for integrating security tools. When we choose a data connector, we also get pre-built correlation rules, playbooks, and workbooks, all packaged together for faster and more effective security monitoring. Content Hub streamlines onboarding pre-built SIEM content, especially during the initial SOC setup. When starting fresh with a new environment and unsure of specific use cases, we can search for relevant data sources in the hub. Once integrated, Content Hub provides pre-configured rules alongside those connectors. Simply enabling these rules offers substantial coverage for our MITRE ATT&CK mapping, a framework that assesses our ability to detect various attack techniques. By leveraging these out-of-the-box tools, we gain significant initial security coverage with minimal effort.

Content Hub helps us centralize all of the out-of-the-box content available from Sentinel.

Sentinel acts as a central hub, bringing together information from various sources, both internal (first-party) and external (third-party), into a single, unified view. This allows us to analyze logs stored in different tables, regardless of their naming conventions. By defining correlation routes, Sentinel can examine specific activities across these disparate sources. For example, we could create a route that checks firewall logs for suspicious activity and then correlates it with specific user actions in Windows device logs, providing a more comprehensive picture of potential security incidents.

Sentinel improves our visibility into user and network behavior through a feature called User Entity Behavior Analytics. This leverages Microsoft's machine learning to analyze user and device activity. If we're investigating multiple security incidents involving a user or device, UEBA provides a broader view. We can directly access the user's history of incidents and visualize their connections to other alerts and impacted devices in a graph format. This allows for efficient investigation of complex incidents impacting multiple users and devices.

Microsoft Sentinel streamlines security incident investigation. The incident page clearly displays involved entities and details of triggered alerts, including logs. This allows SOC analysts to quickly assess the situation and potentially predict the nature of the activity, even before diving into event logs. Sentinel's powerful query language further simplifies investigation by enabling easy data visualization, formatting, and custom functions, all within various timeframes. This significantly accelerates the overall investigation process.

Sentinel has streamlined our event investigation process. By allowing us to predefine keyword queries for specific alerts, it eliminates the need to manually craft queries each time. Similar to how SOCs use pre-defined playbooks for various incidents, Sentinel lets us define queries that return relevant data quickly. This cuts down on investigation time by allowing us to focus on the specific alert and the data it generates.

What is most valuable?

Microsoft Sentinel stands out among SIEM tools for its user-friendliness and powerful built-in query language. This language, included at no additional cost, allows for easy data collection, sorting, formatting, and visualization, making it accessible even to non-experts. Additionally, its seamless integration with other Azure products eliminates the need for custom parsing logic, saving time and resources.

What needs improvement?

Microsoft Sentinel's search efficiency can be improved, especially for queries spanning large datasets or long timeframes like 90 days compared to competitors like Splunk. While Sentinel might take several minutes to return results for such investigations, Splunk queries are significantly faster.

For how long have I used the solution?

I have been using Microsoft Sentinel for two years.

What do I think about the stability of the solution?

Since the entire Azure Sentinel analytics workspace resides within the Azure environment, we've never experienced lag or downtime. This is because Microsoft handles all data storage, hosting, and infrastructure maintenance. As a result, we're relieved of those burdens and haven't encountered any Sentinel downtime.

What do I think about the scalability of the solution?

Microsoft Sentinel's cloud-based deployment on Azure allows it to scale automatically. This likely involves built-in load-balancing mechanisms that distribute processing across different Azure resources when needed. This ensures Sentinel can handle increased workloads without manual intervention.

How was the initial setup?

While I wasn't involved in deploying Microsoft Sentinel myself, I did help configure and set it up on our end. The initial setup process wasn't particularly simple, but it wasn't overly complex either.

While the user interface in Azure simplifies the deployment process of Microsoft Sentinel, some architectural knowledge is still necessary. The initial configuration might involve just a few selections, but deciding on the deployment architecture, data replication, workspace locations, etc. requires experience. This prior experience, however, should make integration with existing systems smoother. Three people on average are required for the initial deployment.

What about the implementation team?

Our Microsoft Sentinel implementation approach depended on available time. For complex deployments, we handled it directly. In time-sensitive situations, we collaborated with teams managing the devices, providing them with implementation steps and troubleshooting support as needed.

What's my experience with pricing, setup cost, and licensing?

While I wasn't involved with the specifics of Microsoft Sentinel's pricing, my understanding is it scales based on data ingestion. This means we only pay for the amount of data we bring in, which is fair. However, if a device generates excessive data like hundreds of GBs daily, investigating the cause becomes crucial to avoid unnecessary costs. In most cases though, the pay-as-you-go model shouldn't be an issue.

What other advice do I have?

I would rate Microsoft Sentinel eight out of ten. I've tried Splunk, QRadar, and Azure Sentinel. While Splunk requires knowledge of SPL for deeper exploration and QRadar's query language isn't powerful, Azure Sentinel strikes a great balance. It offers a user-friendly interface for basic investigations without needing a query language but also allows for custom queries and visualizations for advanced users. This makes it the most versatile of the three.

Splunk requires users to learn SPL for full functionality, making it less accessible for basic investigations. Conversely, Microsoft Sentinel's intuitive UI allows even those without KQL knowledge to conduct basic security analysis through its built-in features and informative interface.

Because our service is hosted on Microsoft's cloud, they completely manage all maintenance tasks, freeing us from infrastructure management responsibilities.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
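The kind of cross-source correlation the reviewer above describes (firewall activity tied to user actions in Windows logs), written as a KQL query of the sort a Sentinel scheduled analytics rule would run. This is an added illustration, not the reviewer's or Microsoft's own rule; it assumes firewall events land in the built-in CommonSecurityLog (CEF) table and Windows Security events in the SecurityEvent table, and the 20-deny threshold and one-hour window are placeholder values to tune per environment.

```kql
// Added example (not from the review): flag a successful network or RDP logon on a
// Windows host from a source IP that the firewall had already denied repeatedly
// in the same window. Tables, threshold and window are assumptions, not page facts.
let lookback = 1h;          // placeholder: rule lookback period
let minDenies = 20;         // placeholder: how many denies make a source suspicious
// Step 1: source IPs the firewall denied at least minDenies times in the window
let blockedSources =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceAction in~ ("deny", "drop", "block")
    | where isnotempty(SourceIP)
    | summarize DenyCount = count(), FirstDeny = min(TimeGenerated) by SourceIP
    | where DenyCount >= minDenies;
// Step 2: successful logons (4624) over the network (type 3) or RDP (type 10)
// from one of those sources, after the denies began
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624 and LogonType in (3, 10)
| where isnotempty(IpAddress)
| join kind=inner blockedSources on $left.IpAddress == $right.SourceIP
| where TimeGenerated > FirstDeny
| project TimeGenerated, Account, Computer, IpAddress, LogonType, DenyCount, FirstDeny
| order by TimeGenerated desc
```

Mapping Account, Computer and IpAddress to entities in the rule definition lets the resulting incident show those entities on the incident page the reviewer mentions.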