EXECUTIVE CONSULTANT at a consultancy with 10,001+ employees
Real User
Aug 14, 2023
Gives a comprehensive and holistic view of the ecosystem and improves visibility and the ability to respond
Pros and Cons
  • "It is able to connect to an ever-growing number of platforms and systems within the Microsoft ecosystem, such as Azure Active Directory and Microsoft 365 or Office 365, as well as to external services and systems that can be brought in and managed. We can manage on-premises infrastructure. We can manage not just the things that are running in Azure in the public cloud, but through Azure Arc and the hybrid capabilities, we can monitor on-premises servers and endpoints. We can monitor VMware infrastructure, for instance, running as part of a hybrid environment."
  • "Everyone has their favorites. There is always room for improvement, and everybody will say, 'I wish you could do this for me or that for me.' It is a personal thing based on how you use the tool. I do not necessarily have those thoughts, and they are probably not really valuable because they are unique to the context of the user, but broadly, where it can continue to improve is by adding more connectors to more systems."

What is our primary use case?

Microsoft Sentinel is a monitoring tool. It is a SIEM solution and is used to gather logs. It allows us to analyze and understand the flow of information based on the events that happen and the systems we connect it to. 

I explain it to my customers as being almost like an octopus. It sits in the middle of a tank, and it has all these tentacles that connect to different systems. We bring that information in via those connections, and then we query them. We can centrally analyze, examine, and understand the data that comes in through the analytics or the capabilities that Azure links to Microsoft Sentinel, which is Azure Log Analytics Workspace. We then use queries to help us understand or make sense of the data. We can have dashboards and visualize them. 

We use it to set up monitoring for cloud infrastructure and we use it as part of a larger monitoring capability around setting up a SOC capability. We are then able to keep track of infrastructure and mitigate risks.

How has it helped my organization?

Microsoft Sentinel gives visibility to some degree to all of the customers that I work with. It has given us more visibility into the accurate state of the endpoints being monitored in near real-time. 

With the solution, we are now able to respond to incidents in a more timely fashion, which helps us. It helped us to understand what is happening and make informed decisions as a result. It has given us a more comprehensive and holistic view of the ecosystem that exists, and not just an individual piece of that ecosystem. It does not give a view of just one server. It also gives a view of the supporting infrastructure around it. It has given us a lot more visibility, and it has made us smarter in terms of being able to defend ourselves against bad threat actors and the harm they look to do. It made us better armed and more informed, and therefore we can offer a better defense that will hopefully ward off some of those bad actions.

Microsoft Sentinel helps to prioritize threats across the enterprise in several ways. This capability is linked to other technology elements that make up the overall security posture of the Microsoft offering. Microsoft Sentinel, in particular, allows us to look at the flow of information coming through the connectors from various systems. This helps us create alerts and analyze that data so that we can bubble up and see what is happening. We can tie that into the Microsoft Defender stack or the products in the Microsoft Defender ecosystem, and we can take action and monitor. 

Whether it is being alerted, manually choosing to do something, or automating through the broader security capabilities of the platform, we can take action. When we tie in the broader security capabilities that involve governance, risk management, and compliance (GRC), and we have all the tools at our disposal to do that, Microsoft Sentinel becomes a huge ingestion engine that brings in signals. The telemetry and data from all the monitored endpoints allow other capabilities to access that data so that we can monitor it. We are then not only well-informed, but we can also choose how to respond. We can respond through a combination of automation and manual actions. If something occurs, we can then kick off an incident response to deal with it. If needed, we can quarantine and mitigate it. We have a rich set of capabilities but also a very flexible set of opportunities to respond because we are given near real-time information. We can analyze that information in near real-time to make informed choices when it comes to threat intelligence, threat mitigation, and threat assessment.

I use all of the products that Microsoft has in the market in various architectures or configurations with different customers, and I have used them for many years. Various customers use the entire suite of offerings that Microsoft has in the security space in terms of governance, risk management, and compliance, such as Microsoft Sentinel and Microsoft Defender. There are also solutions like Privileged Identity Management (PIM), which is now a part of Microsoft Entra, which has been renamed. I have integrated these products and set up the architectures or designs for customers. The setup depends on the size of the customer and some smaller businesses do not use all of them. They license at lower levels and do not have the business case, the resources, or the need to use them all. Larger companies tend to utilize more of them. Because I work with different-sized companies, I set the solutions up and have used them in a variety of circumstances across the board for different companies. 

In the beginning, like any technology, it was a little harder to integrate when the products were new. As they matured and went through iterations, they became easier to work with. Utilizing a new product is more painful than using a product that has perhaps been out for a year or two, that has been vetted and maybe has gone through one major update or release. The integration has gotten better over time, and the product lines continue to mature and become more powerful as a result.

Microsoft security products work natively together to deliver coordinated detection and response across the environment. For this, you need to use the appropriate connectors to bring in the information from both Microsoft-centric and third-party systems that you want to incorporate and monitor. It is bounded by the vision of the architecture that allows you to connect those systems and the availability of those connectors. Assuming those systems are connected properly, brought online, and are reporting, it gives you the depth of visibility that you need to manage both Microsoft and non-Microsoft systems.

Microsoft security products provide a very thorough set of security. Microsoft is looking at billions, perhaps a trillion, individual data points a day at this point across the Microsoft ecosystem, which includes everything Microsoft does, all customers, and all interactions. They take all that information and analyze it with dedicated security teams, machine learning and artificial intelligence, business analytics, etc. They turn that information around and make it available for customers who are consuming the threat analysis and threat intelligence capabilities on the platform. Some of the solutions are available for free to everybody regardless of licensing. For others, you need enhanced licensing to take advantage of it fully. The threat intelligence feeds, the live analysis, and the security posture that Microsoft provides to its customers globally as part of the shared responsibility model have matured tremendously. They are the best. You get incredible value for the amount of work that goes into providing that. The customers I work with are very happy with the work that Microsoft does and continues to do in that space.

We use the bi-directional sync capabilities of Microsoft Defender for Cloud in some cases. It is a very useful feature for myself and my customers. It is very important because it allows us to use the Defender product, which is made up of maybe 20 individual offerings at this point. There are a lot of different sub-areas that you have that you can attach the Defender product to. This concept allows us to be able to have the endpoints monitored, whether they are the servers or the service that Defender would monitor and protect. It allows us to understand what is happening with them and to have near real-time updates about their status. We can see the impact of potential threats that are attaching and risks that may become apparent, and we can see the impact of remediation or the things that are being done to stop those things or perhaps forestall them, hopefully, to prevent them from harming. This capability is very important, and it is one of the secrets that allow that platform to not only be very flexible but also very impactful in terms of monitoring the bulk of the infrastructure and services that most customers would have running in a public cloud, whether it is Microsoft or any other public cloud, such as Amazon, Google, etc. We can monitor any infrastructure and understand it, especially customers' environments that are hybrid where they have on-premises as well as cloud or multi-cloud infrastructure with more than one cloud. To be able to monitor both on-premises and multi-cloud environments is a requirement today, and Microsoft provides those capabilities but not all other providers do. 

It enables us to ingest data from the entire ecosystem as long as we are using a connector to link to the infrastructure that we need to monitor and as long as there is a connector for monitoring that infrastructure. So, as long as the pipe exists, we connect the pipe, and we can monitor the infrastructure. For a majority of mainline infrastructure or a majority of third-party vendor systems today, there are connectors. For some smaller systems or proprietary or custom systems that some companies run, there might not be connectors, but for mainline systems that you would buy, acquire, or use from large-scale SaaS vendors, connectors have been there for a while. As long as we are running connectors to that infrastructure, we can monitor almost anything that we have.

Sentinel enables us to investigate threats and respond holistically from one place. We have a central dashboard that we can use to monitor and then from there, do the analysis and also create the remediation if necessary. This functionality is very important. The biggest mistake vendors make in tool design from a UI/UX or user interface/user experience perspective is that they do not make things centrally available and obvious for the administrator or the end user who is going to run or use that system. Generally, if something is overly complicated and not very intuitive, it is hard to get people to buy into using something. With Microsoft Sentinel, you can have everything in one place and visualize the impact of the threats, the risks, the incoming data, and the number of incidents, events, or alerts that are happening. All those things are visually represented in the opening part of the dashboard. You could drill down from there with a navigation area that is intuitive and easily understood. That makes it very easy for different users, such as administrators and managers, and other user profiles that have different reasons for being in the tool, and that is the hallmark of a good design.

When you look at it holistically and look at what it is linked to in terms of the broader security platform that Microsoft provides, it is very strong, and it continues to get better. When you ask anyone about their thoughts about a product and how it works for their customers, the mistake that people often make in describing something is that they say, "I think it is great, and it is great for us. It does everything we need." That is good, and it should be. I can say that for the majority of my customers without any ambiguity or concern about being accurate, but the thing you have to add is that there are always things that we do not know that we need to do until they occur. We might not have seen that threat before. Maybe there is a new advanced persistent threat or zero-day exploit that we have to contend with, which we have not been aware of until now. The hallmark of a really good tool is its ability to integrate that new information in a timely fashion and have the flexibility to mature the tool over time based on feedback and iterative use. The strength that Microsoft has brought to the platform over time is the ability to listen to its customers and make sure they are offering based on that feedback. It is good, and it continues to get better. Today, it is good, and tomorrow, it will be better because of that thought process in the way they engineer over time.

Microsoft Sentinel helps automate routine tasks and the finding of high standards. If you set it up the right way, it does that as one of the key things that it is designed to do. It has streamlined our ability to respond, so response time has gone down. It has enhanced our understanding because automation is managing some of the remediation and the menial, repetitive ongoing tasks of:

  • Paying attention to information flows.

  • Picking out the most important elements.

  • Prioritizing them and bubbling them up.

  • Creating alerts around them and then telling people that these things are happening. 

Automation lets you do that without having to spend human or people cycles on it. The automation never gets tired and it never gets bored. It never needs to take a break. It never gets distracted. Because of that, we find not only more things we need to react to, but we react to the things that we truly should be chasing. We are not distracted as much by things that seem to be important, but we find out that they are just ghosts. They are false flags. The ability to bring machine learning, artificial intelligence, business analytics, and data visualization as a part of automation has filtered out a lot of the background noise that distracts. It has allowed us to home in and refine our activity cycles around the most important things that we have to pay attention to.

Microsoft Sentinel helps eliminate having to look at multiple dashboards and gives one XDR dashboard if you set it up the right way. I have seen it set up in ways where it does not do that because it is not optimized, but if you are using it the right way, if you understand the tool and how to integrate it properly, then it gives you that single dashboard where you can directly find the information or link through a smaller visual tile that will take you to that information that you need if you need to drill down in a deeper, more meaningful way.

Its threat intelligence helps to prepare for potential threats before they hit and take proactive steps. If you are integrating the threat intelligence feeds from Microsoft and looking at them, everything is relative. They are there if you are smart enough to consume them and understand what you are looking at. In other words, people who are paying attention to them and are using them properly are getting tremendous value out of them. Microsoft globally examines billions, if not a trillion, of individual telemetry data points every day and incorporates that into their threat analysis feeds, so no individual company, irrespective of how big they are and how much money they have, can bring that kind of at-scale analysis to that problem. As a result, you are getting a tremendous amount of data that is being vetted, analyzed, and distilled down to meaningful actionable intelligence. It is consumable because it is presented in a very summarized and succinct way. It is very valuable, but you have to be able to understand that and utilize that to draw value from it.

Sentinel has saved me time. The ability to have the power of Microsoft as a global scanning organization service provider at my disposal is helping me to better understand the environment I operate in through threat intelligence and threat analysis. In addition, the ability to automate at scale across the platform and to have the research and design that is being done to continuously upgrade and add features to those platforms has made me a much more capable and therefore, more successful security practitioner. It is hard to quantify the time saved. It would probably be a very extreme exercise to go back and do that, but it is fair to say that over a year, we have probably saved a thousand or more human hours. When I look across a team for one of the customers that I work with, it is fair to say that we have saved at least a thousand human hours for a year by relying more on the automation toolsets. That is about ninety hours a month on average. We can break it down to 15 or 20 hours a week or something like that, but the reality is that it is about a thousand or more hours that we have saved in a year.

Time to detection has decreased, and the time to respond has gone down. They both have decreased. That has been an outcome that we have seen and is measurable. It goes back to the investments you make in building out that architecture in terms of:

  • How many systems are you monitoring or how many are you connecting?

  • How much data do you have coming in? 

  • What are you doing with that data and how are you using it? 

If you are building out a full SOC analysis capability or a full monitoring solution, and you are tying this into incident response and alerting and event continuous monitoring through automation, time to respond and time to solution is going to decrease as a result.

What is most valuable?

It can connect to an ever-growing number of platforms and systems within the Microsoft ecosystem, such as Azure Active Directory and Microsoft 365 or Office 365, as well as to external services and systems that can be brought in and managed. We can manage on-premises infrastructure. We can manage not just the things that are running in Azure in the public cloud, but through Azure Arc and the hybrid capabilities, we can monitor on-premises servers and endpoints. We can monitor VMware infrastructure, for instance, running as part of a hybrid environment. The continuing evolution of what we call the connectors, which is the marketplace that lets us connect these systems to Microsoft Sentinel, is probably one of the most important features.

The reliance on a very simple but very powerful query language called Kusto Query Language or KQL that Microsoft uses to allow us to log into the analytics workspace to assess and analyze the data is also valuable. That has made it very approachable and very scalable. Those are very big and important things for me as a consultant, as an architect, and as a person who is implementing these solutions for customers and who is explaining them, and ultimately working with them. This makes the product not only usable but also very flexible. Those are two very important elements.

What needs improvement?

Everyone has their favorites. There is always room for improvement, and everybody will say, "I wish you could do this for me or that for me." It is a personal thing based on how you use the tool. I do not necessarily have those thoughts, and they are probably not valuable because they are unique to the context of the user, but broadly, where it can continue to improve is by adding more connectors to more systems. 

The really interesting area where we are already seeing the impact is the use of more artificial intelligence. There could be the ability to bring AI into the analysis capabilities of the toolset in more ways so that we can utilize the power that computer analysis at scale has. That is because we are limited. As humans, we can only look at so much information, see so many patterns, and absorb so much in any given cycle of a workday, but artificial intelligence and automation engines do not take breaks. They do not stop. They do not need to. They can go deeper, and they can see more data and ingest more to find patterns that, as humans, we are not going to be able to see. The evolving technology in this area is all moving towards the use of artificial intelligence, embedding it in multiple areas in the platform so that we can be told that there are things that we need to pay attention to that are becoming a problem as opposed to things that are already a problem. Where the biggest improvements can happen is how we move that ability to identify emerging threats closer to the point of contact so that we can interject and essentially stop and disrupt the kill chain of an event series before it harms. Currently, the problem we often have is that things get bad, and until they get bad, we do not really know what is happening, and we do not know how to respond, so we spend a lot of time responding to incidents that have already started or have unfortunately unfolded fully in a reactive manner. The value proposition in terms of improvement down the road is getting better at predictive defense and proactive response before events take place to stop them before they start. That is the future that we are moving towards, and that is where the biggest improvement lies.


For how long have I used the solution?

Sentinel, which is now called Microsoft Sentinel, used to be called Azure Sentinel. It was renamed about a year and a half or two years ago, but I have used Sentinel for about four years. It was probably released in 2019.

What do I think about the stability of the solution?

It is very stable. I have had little to no difficulty with it in the more than four years that I have used it or deployed it. I cannot think of a time in the last four years when it was unstable or unstable enough that I had to open a support ticket. I have had issues with it because people have misconfigured it or not set it up properly, but those issues were not related to the platform itself. Those were human interactions that were complicating it because it was not set up the right way. When it is set up correctly, it is a very solid platform with minimal to no downtime. There were no major service disruptions that I remember that caused problems.

What do I think about the scalability of the solution?

It is very scalable. You do not think of scalability necessarily the same way you would if you were setting up a cluster to run virtual machines, for instance, because there, you have to add resources, and you are monitoring to make sure that there are enough resources versus the load in the system. Microsoft Sentinel is a managed solution. You are deploying it, but then Microsoft is scaling it and managing it on the backend for you, so you do not control some of the things that would impact scalability directly. Microsoft is hosting it. It is essentially a service you are consuming. In my history with the product, it has always met my expectations, and I have never had an issue where it could not perform because of a resource constraint, so its scalability is solid, and it is always available when necessary. It is not scalable in the same sense as you would control it by adding hosts to a cluster. It is a different kind of scalability, but it has been rock solid all the time I have been working with it.

In terms of the environment, I have multiple customers, so each one is different, but generically, it is safe to say that it is deployed to monitor infrastructure that is in multiple geographies, multiple data centers, or multiple places both on-premises and in the cloud. It could be hybrid as well as multi-cloud. The infrastructure is being monitored from a variety of different locations. Microsoft Sentinel itself is typically installed and instantiated in one instance. You set it up inside of an Azure subscription and you have one instance. If you need more than one, you might set up more than one depending on the geography and the needs of the organization, but typically, we have one central Microsoft Sentinel instance running, and then you will bring that information into it through the connectors. It is typically going to be a single instance. It will usually monitor geographically distributed architecture, and it will usually operate at scale, so there will be quite a bit of information coming into that at any given moment.

How are customer service and support?

Like anything else, you can get support depending on how you are using the tool and the level at which you are using it. You get basic support from Microsoft. If you have a problem, they are very good at telling you if there are service issues. If you are paying additionally, you can get premium support to support you with the tool. There is an additional fee for platinum-level support or premium support. Their support is very good if you are paying for it and you are able to utilize it. If you are just able to open a basic ticket because you are having a problem, support is good, but you are going to be limited in the help you are going to get. To talk to a high-level engineer to deal with complicated issues, you are going to need to pay extra money for support. Overall, I would rate their support an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I have used several different solutions over time with different customers for different reasons. I work with a lot of different customers. I set up solutions for different customers. They have different technologies and different needs, and some of them have a bias towards certain products and against others, but I have used products like ConnectWise, which is a SIEM solution, and Splunk, which is probably one of the biggest ones out there that most people would name if you ask them. Splunk is probably at the top or near the top of everybody's list. Datadog would be another big one. I have used LogPoint and Graylog. I have also used ManageEngine's Log360. SolarWinds is another popular one that I have come across pretty often. I have used many more than that, but those are probably the top five or six that I have used. They are the ones that customers tend to use a lot. Some of them are still using those products and have chosen not to move, but the ones that have chosen to move have done that because of two things. The cost plays a part. They have the ability to leverage a tool that is already built into the platform and that may be easier to work with and integrate in a more readily accessible fashion, and it would be as expensive and maybe less expensive over time. It might also seem to be a better architectural choice for them as they look at an upcoming renewal cycle, or they have heard or been told that they need a certain capability or feature and the vendor that they are currently using does not have that or it is not as easily accessible or readily available, but Microsoft Sentinel has that capability. It has connectors to those other platforms, but for whatever reason, their particular vendor does not have that connector, or they might promise to deliver it but it is not going to be ready for six months. It comes down to features and cost. These are the two main reasons or two main motivators to drive people to migrate.

In terms of the cost and ease of use of Microsoft Sentinel against standalone SIEM and SOAR solutions, it is difficult to do an apples-to-apples comparison. That is because, in theory, you can look at Microsoft Sentinel as a single standalone product with its own cost associated with it, but it is linked to, consumed by, and used in partnership with many other systems and tools that also have a licensing cost. Some of it is built-in and some of it is an add-on, depending on where you are and how you choose to license. In other words, Microsoft Defender is a per instance per month cost that is additional to using the Microsoft Sentinel product, and what you get with a standalone solution is essentially just the SIEM or the SOAR capability. You are not getting the capability to blend them across the platform, or if the vendor does both, you are buying them as an all-in-one solution and you are paying a monthly fee per user based on licensing. 

From my perspective, cost comparisons are not as accurate. When a customer asks whether Microsoft Sentinel is going to cost them less or more than using this other tool, it is a very simplistic way of looking at the tool, and it is a very operational-centric or OpEx discussion. When anyone asks about the monthly fee for the investment in this tool, you have to be more strategic. When you look at a tool, features, and capabilities, the capital expense is broader than just the operational expense. You have to understand the strategy associated with the tool decision and the impact and value of the tool. 

Microsoft Sentinel gives a good value for money or a return on investment in terms of what it costs you to run it. When comparing it to any of the other major competitors in the market, it is as cost-effective and perhaps even more cost-effective than some of them. It certainly is very competitive, but people do not necessarily understand the subtlety in that assessment in terms of how they are integrating the Microsoft Sentinel solution or the third-party solution into the broader context of their infrastructure and security posture. That is where they run into issues that become more prohibitive from a cost perspective, both hard and soft. For example, the hard cost could be $15 a month per user to license or $15 a month per endpoint and $100 per gigabyte of storage or something like that. Those numbers are wildly inaccurate, but you do have hard costs, and then you have soft costs, which include what it costs you to train people who have to use that technology or to train people who have to manage it ongoing and integrate it. You might have to hire consultants to do that, for instance. Those are hard and soft costs. When you are using a Microsoft product and you are Microsoft-centric, you overcome some of those soft costs because you have people who already have skills on the platform. You are already integrating that technology. Microsoft is doing that for you. You do not have to do it yourself. As a result, some of what I refer to as hidden costs are not as high with a Microsoft solution as they would be with a third-party solution. If you are already Microsoft-centric and you are using a majority of Microsoft Azure and Microsoft 365-based infrastructure in some form, it is easier to implement that technology. It costs less when you go forward with Microsoft Sentinel than it does when you try to bring in a third-party external SIEM or SOAR and tie it into the Microsoft platforms and have it do the things that you are looking for it to do.

How was the initial setup?

It is predominantly deployed for public cloud use, meaning customers hosting on a public cloud are using it. They are hosting in Azure, for instance, and they are running their cloud infrastructure in that cloud environment. You can link to on-premises resources in hybrid scenarios, and you can certainly make the case that it can be used for private cloud as well because you can extend it to the on-premises environment. It can be used to ingest information in a multi-cloud environment, meaning you can bring in infrastructure information from Amazon or Google, the other two major public cloud provider platforms, as well as VMware, which, in its own right, is a public cloud provider. So, it can be used or potentially be available to consume data from any of those areas.

I have been involved in the deployment of hundreds of instances of Microsoft Sentinel. Its initial deployment is straightforward. In terms of implementation strategy or how to approach it, it is important to spend a lot of time with whoever the customer is. I work with multiple customers. I ask them what sound like fairly simple and simplistic questions but are very important questions. What are they looking to accomplish by deploying a SIEM solution? What is the business requirement that we are addressing by deploying the solution? We need to define that and understand that because oftentimes, we find that the customer says, "Well, we think we need, for instance, X." We talk about it, but realize what they really need is perhaps X with other things or it is not X at all. It is really W. They just thought it was X because somebody told them that. They did not know any better, so asking W&H is important.

  • Who is this for?
  • Who are the stakeholders?
  • Why are we doing this?
  • What are we looking to accomplish?
  • When are we looking to get it done?
  • What is the timeline?

The where and the how are not as important because it is typically in the cloud, and we are going to have qualified people deploy this architecture and we are going to run it in Microsoft, Amazon, or whatever. If we ask those questions upfront, then we can come up with a deployment plan and architecture solution that approximates the customers' needs but also meets their expectations, so for me, a project's success or failure lies in planning. The majority of the work you do has to be done in the planning cycle before you do implementation. If you are really strong in planning, then implementation is relatively straightforward. There are not a lot of surprises. As long as you are technically competent, you can do your deployments, and they should be relatively straightforward and minimal risk to the organization in terms of the deployment. If you do not get your planning right, you are opening up a tremendous amount of risk and liability in the organization.

In terms of maintenance, you cannot set it and forget it. Like any other product, it does require maintenance. If you are smart about it and you set it up the right way the first time, it will take care of itself, and it will certainly operate well at scale, but you have to examine it on an ongoing basis. There is always an opportunity to refine and update connectors. You can add new connectors as you need to extend the reach of the tool. You may have to look at the volume of data that is coming in to refine the amount of data that you want to store, pay for, and analyze, and then you have to look at the queries you are running to be able to stay on top of the data to extrapolate meaning. So, there is maintenance that goes into using a tool like this. There is no checklist that you go through every day, but there are absolutely things that have to be done on a daily, weekly, and monthly basis to keep the tool running properly.

What about the implementation team?

I am the one who handles the deployment. It is rare that I would not do it myself or work with a team that would be empowered to do it as part of that.

The deployment, depending on the size of the deployment, could be done by as few as one person. It does not necessarily need a huge number of people to be associated with it. The bigger need there is what you do once the initial deployment is done, meaning fine-tuning the operation of that. When you add all that in, you typically look at a team of anywhere from three to six individuals. There are incident management and response and SOC analysis people. There are also network people. There are different people who would play a part in ultimately standing up and optimizing a tool like this, but usually, four to six people play a part on average.

What was our ROI?

There is absolutely an ROI if it is architected properly and the customer has the right expectations going in.

Microsoft Sentinel has saved my customers money. There is an initial investment upfront, so you have to spend money to save money. There is an initial investment upfront of hard and soft hours, but if the systems are set up properly and optimized and you have people who understand them, one of the things that you are able to do is look at the redundancies in your security stack or in your provisioning. You can look at tools that you may be able to move away from at the end of a license period instead of renewing, for instance. You can do away with that redundancy and focus on simply using the Microsoft toolset, so you tend to find that there is definitely an economy of scale there in terms of recouping those returns on investment. There may be a one to three-year cycle to see those savings. It depends on where you are with redundant tool sets that you have identified to be eliminated and where you are with a contractual licensing obligation of time cycle or license period before you have to pay to renew based on current investment, so it may lag a little bit. You do not tend to see those results right away. They tend to lag anywhere from 12 to 36 months, but at the end of, for instance, a three-year cycle, you are not spending another $300,000 to re-license a new tool. You are saving that money. You can then work backward and say that on average, you are now saving x amount of dollars a month going forward because you are not making that investment anymore. You definitely do see investments that yield value, but they tend to lag.

What's my experience with pricing, setup cost, and licensing?

It is priced fairly given the value that you get from the use of the product. The biggest mistake people make with Microsoft Sentinel is not understanding the pricing model and the amount of data that they are going to be running through the tool because you are paying based on the flow. You are paying based on the amount of data that is moving through the tool. People do not plan, and therefore, they get surprised by the cost associated with using the tool. They connect everything because they want to know everything, but connecting everything is very expensive. They might not need to know everything. That is what I talk about with customers. It would be nice to know everything, but it might not be affordable or cost-effective. Microsoft Sentinel provides good value for the money. It is competitive with any of the other offerings out there based on the cost, but the mistake customers make is that they do not understand the cost model for using a SIEM solution regardless of whose solution they are using. When they get visibility into that model, it becomes a lot easier for them to make informed decisions.

Which other solutions did I evaluate?

I certainly evaluate products all the time. I am always looking to see what capabilities exist and which vendor can offer me the best mix of features and capabilities for the price, and then I make recommendations to my customers as a result of that. Microsoft Sentinel is a newer product in the market in terms of time. It has only been around for about four years, whereas some of the other products, such as Splunk, have been around a lot longer, so I tend to find people evaluating Microsoft Sentinel versus the other products they already possess when they are looking to move.

What other advice do I have?

To those evaluating this solution, I would advise doing their due diligence. They have to understand the technology, the capabilities, and the limitations. They need to assess the business requirements that they are trying to address by deploying a SIEM solution, whether it is Microsoft or not. They need to understand what those key business requirements or key objectives are, and then evaluate the tools to make sure that those tools can achieve those objectives. They can then make an informed decision accordingly.

Microsoft Sentinel is one piece of the puzzle. Threat intelligence or threat analysis is a broader aspect of the security platform that Microsoft provides. It is certainly reliant on the data that Microsoft Sentinel provides, but there is a lot more to it than that. Overall, Microsoft has made tremendous investments in the last five to ten years. Especially in the last five years, in that space, they have developed a threat intelligence, threat analysis, and threat awareness capability that rivals any of the top platforms that are out there today. They continue to mature and grow that capability by maturing the products that support it. Microsoft Sentinel is one aspect of that. The Microsoft Defender stack or all different Defender products are a part of that. A few years ago, it would have been very hard to make the statement or make the case that Microsoft has a mature offering that is certainly at the very top along with other offerings that are often talked about as being at the top in that field. Today, Microsoft competes at the top tier of that field, and their solution is as mature as any of the ones in the market. The challenge with Microsoft's solution is that it is very specific and uniquely honed for the Microsoft infrastructure. That is not a bad thing, but it is something that you need to be aware of. It is specifically designed to work with, work for, and wrap around Microsoft's public cloud offering Microsoft Azure and the supporting elements in Microsoft 365, etc. So, as long as you are Microsoft-centric in your stack, in your technology, in your architecture, it is a very valuable piece of the overall threat posture management that a company needs, but if your investment in technology is heavily weighted outside of Microsoft, it is of less value because you need to be Microsoft-centric and Microsoft-forward to be able to fully leverage that platform.

To a security colleague who says it is better to go with a best-of-breed strategy rather than a single vendor’s security suite, I would say that it depends on the nature of the organization's technology architecture. If the organization is overwhelmingly single-technology-centric, meaning they use Microsoft almost exclusively, you can make the case either way. Using an external third party not tied to Microsoft is important because now you are splitting your investment, and you are not gambling only on one provider, which is the argument you always hear people make when they say, "Do not put all your eggs in one basket." The counter to that argument is who knows my environment better than the vendor that has made all the technology that I am integrating, and who would be better to monitor it than the vendor that makes all the technology? When I have customers that are single-technology-stack customers, meaning they are almost exclusively or predominantly Microsoft, I counsel them to think strongly about using Microsoft products unless there is a compelling reason not to because Microsoft is going to make a much better solution than a third-party vendor that has to figure out how to connect to Microsoft to use that product properly. Organizations that have a mixed technology environment do not use only one vendor. To be fair, many small, medium, and large organizations are mixed technology environments, and it would be foolish to only rely on one vendor's security solution.

Overall, I would rate Microsoft Sentinel an eight out of ten.

Disclosure: My company does not have a business relationship with this vendor other than being a customer.
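The pricing point made in the review above (cost follows the volume of data flowing through the workspace, and customers are surprised because they never measured it) can be checked before the bill arrives. The following Kusto (KQL) query is an added example, not something from the reviewer or from Microsoft's documentation; it assumes a Log Analytics workspace with the standard `Usage` table, whose `Quantity` column is recorded in megabytes, and reports billable ingestion per table over the last 30 days together with each table's share of the total.

```kusto
// Added example: billable ingestion by table over the last 30 days.
// Assumes the standard Usage table (Quantity is in MB); the DataType values
// are whatever tables your own connectors populate.
let lookback = 30d;
// Total billable GB for the period, computed once and reused below.
let totalGB = toscalar(
    Usage
    | where TimeGenerated > ago(lookback) and IsBillable == true
    | summarize sum(Quantity) / 1024.0);
Usage
| where TimeGenerated > ago(lookback) and IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024.0, 2) by DataType
| extend ShareOfTotalPct = round(100.0 * IngestedGB / totalGB, 1)
| order by IngestedGB desc
```

Run it in the workspace's Logs blade. The tables at the top of the result are the ones to review first when deciding which sources to keep, which to trim with ingestion-time filtering, and which you are paying for without ever querying.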
Jalan Cruz - PeerSpot reviewer
Cyber Security Analyst at a financial services firm with 51-200 employees
Real User
Aug 4, 2023
Offers good log aggregation and data connectors, but is not user-friendly
Pros and Cons
  • "Log aggregation and data connectors are the most valuable features."
  • "For certain vendors, some of the data that Microsoft Sentinel captures is redacted due to privacy reasons."

What is our primary use case?

We use Microsoft Sentinel for log aggregation, data connectors, and alerts.

How has it helped my organization?

In terms of visibility, Microsoft Sentinel captures a lot of useful data.

Microsoft Sentinel helps us prioritize threats across our enterprise. It shows us the most vulnerable assets, and because we have agents on every machine, we know exactly where to go to investigate. This is important for staying secure as a company. It allows us to cover our own bases by seeing what is happening in real-time and taking proactive steps to address threats, rather than reacting to them after they have already occurred. We can stay up-to-date with security measures and ensure that we follow through and execute our security plan.

We integrated Microsoft Sentinel with Defender for Cloud, Endpoint, and Defender Vulnerability Management. 

Microsoft is not the most vendor-friendly company in terms of integrations and connections, but we were able to get it working in the end, so we cannot really complain.

Microsoft's security tools work natively together to deliver coordinated detection responses across our environment.

The comprehensive threat protection that Microsoft Sentinel provides is good. They provide really good information. We are able to create documents, perform root cause analysis, and analyze anything we need to. Log integration is also key. We are able to find potentially malicious files, correlate events to alerts, and then take action on alerts. So, the comprehensiveness is pretty straightforward.

We use Cloud and Endpoint security. We have our Defender cloud, and then Defender agents on each endpoint. The bidirectional sync capability is important, and it is a work in progress. We are in the process of off-boarding our contract with CrowdStrike. We are moving all of our cybersecurity needs to Microsoft Defender, which is included in our existing Microsoft licenses. This makes financial sense, and CrowdStrike was not providing us with much value.

The system allows us to ingest data from our entire ecosystem, which is very important. This is our main source of correlation of logs to alerts. Therefore, we definitely need to get every single log source, and possibly a few more.

The system allows us to investigate and respond holistically from one place.

It is a very comprehensive tool to use. However, the supporting documentation is limited to initial troubleshooting. This is where I find the most difficulty in explaining how good the tool is. Other than that, the tool is pretty straightforward. There is enough documentation to get us started. However, beyond that, we will need to rely on online forums and other open-source resources to learn more about the tool.

When comparing Microsoft Sentinel to other SIEMs in terms of cost, we are saving money because it is included with our Microsoft 365 E5 licenses. This also helps us to reduce the number of different types of software that we need to use. We do like redundancy in terms of coverage, but the cost of multiple solutions adds up. We want to be able to use one central location for all of our security software. This is one of the reasons why we choose Microsoft Sentinel over third-party solutions. As we move into larger projects, we need to have a centralized place for all of our security policies and procedures.

Microsoft Sentinel helps us automate routine tasks and find high-value alerts. We also use Sentinel as a store for our alerts. This allows us to automate most of our responses if not all of them. We also tailored our alerts to specific events that occur in our environment.

Microsoft Sentinel helps eliminate the need to use multiple dashboards by providing a single XDR dashboard. We currently use Sentinel's workbooks, which provide a dashboard that we can use for metrics, reporting, and other purposes. This makes it easier to relay information upwards, as it is presented in a more visually appealing and easy-to-understand manner. For example, we can use pie charts, bar charts, and line charts to represent data in a way that is easy to understand. This makes it easier to convey information to upper management, such as where we are most vulnerable and what steps we need to take to improve our security.

Microsoft Sentinel helps us prepare for potential threats before they hit by taking proactive steps. We can also detect ongoing incidents. For example, if we receive a ticket or alert that is ongoing and will not go away, we can automate a response to it and add it to our playbook. This way, if a similar incident occurs in the future, we will know what to do to respond immediately.

In terms of automation, I believe we save about 20 to 22 hours per week by closing tickets. We receive about 50 to 100 tickets per day, and we automated about 80 percent of those. This means that we can now close tickets without having to manually review them. This saved us a significant amount of time, which we can now use on other tasks.

We are on the smaller side in terms of the number of logs that come in. So, I don't think it's necessary to compare at this level of data ingestion. However, I can definitely see that if we scale and grow in the future, it will save us a lot of money, especially in terms of manpower and hours that we have to dedicate to automation or non-automated tasks. For example, in the six months that we've had Sentinel up and running, we've saved 755 hours in automation alone.

We currently meet all of our service level agreements in terms of incident response. This definitely saved us time, and we also receive email alerts directly so that we know as soon as something happens.

What is most valuable?

Log aggregation and data connectors are the most valuable features. We have a plethora of data connectors, so being able to get all of our logs into a central location is very helpful.

What needs improvement?

For certain vendors, some of the data that Microsoft Sentinel captures is redacted due to privacy reasons. In the future, it would be helpful to have this data unredacted so that we can have a better understanding of it.

Microsoft Sentinel is not the most user-friendly tool. Other tools, such as Splunk SIEM or any other SIEM, are better and easier to use.

Our threat-hunting capabilities can definitely be improved. We do use workbooks to view incoming data, but threat hunting is where we can really find those underlying issues that may not be immediately visible. We will use these alerts as a starting point for our hunting. If we can correlate two different events and identify the same root cause, it will save us a lot of time and resources.

For how long have I used the solution?

I have been using Microsoft Sentinel for six months.

How are customer service and support?

I would definitely rate Microsoft's technical support low. First, it is very difficult to reach a real person. We are always directed to a bot, which can only diagnose some issues. If we do need to speak to a real person, the wait time is very long. It can take hours or even days to get a call or video conference. Second, the documentation is outdated. This is especially true since Microsoft recently rebranded Azure Sentinel as Microsoft Sentinel. The new documentation is not yet available, and the old documentation is no longer accurate.

How would you rate customer service and support?

Negative

What's my experience with pricing, setup cost, and licensing?

Microsoft Sentinel is included in our E5 license.

What other advice do I have?

I give Microsoft Sentinel a seven out of ten. It has good capabilities, including a large number of native connectors. It is a well-known brand, so it is likely that many third-party vendors will integrate with it in the future. This will give Sentinel a wider range of data sources to collect from. In terms of data connectors, I think Microsoft Sentinel is one of the better options available. However, some of its competitors, such as Splunk and SentinelOne, have better interfaces and support. They may also have some proprietary capabilities that Microsoft Sentinel does not offer.

I believe that duplicating security measures is a good thing. It is also important to have redundancy in tools. If we have multiple tools that cover the same thing, we will have more eyes and visibility, and we will be able to remediate issues as they arise. Therefore, using multiple vendors, platforms, and consoles is the way to go. If we use only one tool for everything, it will be like a Swiss Army knife. We will definitely run into problems. I believe that we should avoid single points of failure at all costs. We should have redundancy in tools, but not just in tools. It is also beneficial for our team to all know the same tool or a specific suite.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Systems Engineer at a non-profit with 1-10 employees
Real User
Top 10
Dec 16, 2024
The solution's security automation streamlines alerts and reduces false positives
Pros and Cons
  • "Microsoft Sentinel has helped by streamlining our security. We have a nine-member network team, with three members managing security for the city, and Sentinel allows us to operate an unofficial SOC."
  • "There is room for improvement in terms of integrations. We have some tools, such as our off-site Meraki firewalls, that have not fully integrated with Sentinel. We lack integration for Syslogs into Sentinel."

What is our primary use case?

We use Microsoft Sentinel as our main SIEM suite for alerts and automation rules. It feeds everything into Sentinel Logs and Realities for security purposes.

How has it helped my organization?

Microsoft Sentinel has helped by streamlining our security. We have a nine-member network team, with three members managing security for the city, and Sentinel allows us to operate an unofficial SOC. 

It makes investigations easy. We were spending a lot of time manually investigating and resolving false positives. Once Sentinel was fully integrated and we suppressed those false positives, our SOC environment greatly improved. 

What is most valuable?

The most valuable feature of Sentinel is the automation. Creating automation rules helps eliminate false positives, which is crucial due to the high amount of noise in security. Sentinel integrates with Microsoft Defender XDR as a single security hub. Sending our alerts from XDR into Sentinel has made it a decent transition to one solution.

We can easily build reports based on Sentinel alerts and logs. Around 80 percent of our logs go into Sentinel. The solution has improved our threat-hunting by enabling us to run KQL queries. If we learn something through threat intelligence, we can run a query to see if our environment is affected.

Sentinel MITRE ATT&CK recommendations strengthen our security posture. For a small security team like ours, the automation and integrated technologies increase our service efficiency.

What needs improvement?

There is room for improvement in terms of integrations. We have some tools, such as our off-site Meraki firewalls, that have not fully integrated with Sentinel. We lack integration for Syslogs into Sentinel.

What do I think about the stability of the solution?

Sentinel's stability is great. I don't see us changing Sentinel as our SIEM in the near future.

What do I think about the scalability of the solution?

Sentinel's scalability is excellent. As our organization uses Microsoft Azure and Defender, everything grows together, and we can integrate various features seamlessly.

How are customer service and support?

Customer service and support for Sentinel have been very responsive. Working with a Sentinel engineer helped us tune settings effectively.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup process involved working with a Microsoft Expert, which helped in achieving an effective setup.

What about the implementation team?

The implementation team was a Microsoft Expert, providing substantial support in tuning Sentinel post-deployment.

What was our ROI?

The management has expressed that the return on investment has been favorable, especially due to the reduction in security investigations. However, specific metrics were not shared with me.

What's my experience with pricing, setup cost, and licensing?

We already had the necessary licensing for Sentinel, so we didn't need to spend extra money.

Which other solutions did I evaluate?

We considered Splunk and another unnamed product, but Splunk was a notable option.

What other advice do I have?

I rate Sentinel nine out of 10. Our licensing strategy and the positive impact on investigations indicate a good return on investment.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
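The review above describes running a KQL query when threat intelligence arrives to see whether the environment is affected. The query below is an added example of that kind of hunt, not the reviewer's own query and not Microsoft's built-in analytics rule; it assumes the `ThreatIntelligenceIndicator` table is fed by a threat-intelligence connector and `SigninLogs` by the Microsoft Entra ID connector, and it looks for successful sign-ins whose source IP matches an active, unexpired indicator.

```kusto
// Added example: match active IP indicators against successful sign-ins (last 14 days).
// Assumes the ThreatIntelligenceIndicator and SigninLogs tables are populated.
let lookback = 14d;
let ioc_ips =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(lookback)
    | where Active == true and ExpirationDateTime > now()   // drop revoked or expired IOCs
    | where isnotempty(NetworkIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId     // newest version of each indicator
    | project NetworkIP, ThreatType, ConfidenceScore, Description;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                                    // successful sign-ins only
| join kind=inner ioc_ips on $left.IPAddress == $right.NetworkIP
| summarize SignIns = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Users = make_set(UserPrincipalName, 50)
          by IPAddress, ThreatType, ConfidenceScore, Description
| order by SignIns desc
```

Any row returned is a lead, not a verdict: check the indicator's confidence and description, then pivot on the listed users and time window. The same shape (filter indicators, join on the matching entity column) applies to domains, URLs and file hashes against other tables.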
Senior Cloud and Network Security Architect at a cloud solution provider with 51-200 employees
Real User
Jan 5, 2023
Comes with different playbooks you can execute with one click or program to run automatically in response to an incident
Pros and Cons
  • "I've worked on most of the top SIEM solutions, and Sentinel has an edge in most areas. For example, it has built-in SOAR capabilities, allowing you to run playbooks automatically. Other vendors typically offer SOAR as a separate licensed solution or module, but you get it free with Sentinel. In-depth incident integration is available out of the box."
  • "We have been working with multiple customers, and every time we onboard a customer, we are missing an essential feature that surprisingly doesn't exist in Sentinel. We searched the forums and knowledge bases but couldn't find a solution. When you onboard new customers, you need to enable the data connectors. That part is easy, but you must create rules from scratch for every associated connector. You click "next," "next," "next," and it requires five clicks for each analytical rule. Imagine we have a customer with 150 rules."

What is our primary use case?

Sentinel is Microsoft's SIEM solution, similar to QRadar, Splunk, etc. It is the primary tool used by our Security Operations Center.

How has it helped my organization?

Sentinel enhances our visibility by integrating with on-prem and cloud log sources. It provides visibility into any cloud environment, including GCP and AWS, not just Azure. With Sentinel, we get end-to-end coverage of all types of infrastructure. Last week, I was talking to a client who already had a SIEM solution, and they had just deployed Sentinel through us. I asked them why they wanted Sentinel when they already have an MSP. They told me their SIEM solution doesn't cover the cloud, so there's clearly a gap. Sentinel covers on-premise and all the cloud providers. It has a highly flexible ingestion method. There are seven or eight ways to ingest.

A lack of total visibility is a significant pain point for security analysts working on a SIEM solution. Furthermore, even if they have visibility, they might not be able to take remedial action because the company lacks a license or a separate SOAR solution. In that case, you need to have integration for each playbook. Sentinel addresses all of these issues out of the box. 

The SOAR component of Sentinel can automate some routine tasks. Sentinel comes with around 180 different playbooks you can execute with one click. If you face a type of incident, you can run a specific playbook or automate it to run each time the incident is triggered. These automation features make our lives easier. Analysts have to do the same tasks over and over again. It's a nightmare that makes you want to give up sometimes. You are dealing with the same incidents many times daily for many MSPs and customers. The playbook is incredibly beneficial.

It also reduces the number of dashboards we need to check, and you can create a custom dashboard. There are also several preset dashboards from Microsoft that are solution-specific. For example, if I'm using Defender for Office, it has a separate dashboard for Office that I can customize. I can also see everything from one console if I want. It's highly flexible.

Sentinel saves time because you don't need to look at multiple SIEM solutions, like IBM, Splunk, AlienVault, McAfee, etc. You need to spend time deploying those solutions, and there's a learning curve, whereas Sentinel is cloud-native. You click "next," "next," and "next," and the whole solution is deployed in the cloud in five minutes. Other parts, like integration, are native. It takes only a click to integrate all the services. Sentinel has its own agent, so it's easy to deploy the agent and start collecting logs. Overall, Sentinel requires less effort than other solutions.

It also saves us money because deployment costs less. Many SIEM solutions charge for the log forwarders deployed in the client's system. Sentinel is free. You have a VM in the cloud or on the client infrastructure, and there is just a script to turn that server into a log forwarder. 

Sentinel speeds up our response, but I don't have any hard numbers. It depends on how well you have configured it. You can go to an incident and then click on each playbook in sequence, or it can be automated to run a playbook when an incident is triggered. You don't need to go into the interface and do anything.

Sentinel proactively responds by detecting IOCs in our environment and automatically triggering an incident. The threat intelligence feed is typically based on IOCs, like malicious IP, URL, hostname, file hash, etc. However, real proactive response requires you to buy threat intel from different providers. Those companies provide you with information before an attack occurs anywhere. For example, there could be dark web forums where attackers discuss an attack on organization XYZ, and the threat intel provider informs us about that. That's an entirely different thing, but Microsoft has built-in rules for any threat intelligence matches.

What is most valuable?

I've worked on most of the top SIEM solutions, and Sentinel has an edge in most areas. For example, it has built-in SOAR capabilities, allowing you to run playbooks automatically. Other vendors typically offer SOAR as a separate licensed solution or module, but you get it free with Sentinel. In-depth incident integration is available out of the box. 

Having all these solutions built into a single platform is an advantage. Once any malware is detected, it only takes a single click to run the playbook, and it will do the desired actions. It may be blocking an IP address or isolating a machine. 

The SOAR, UEBA, automated detection and response, and threat intelligence capabilities are comprehensive. I have 10-plus years of experience working with different SIEM solutions. This is the best by far. Everything is integrated, and there is so much flexibility, whether you're trying to customize ingestion or run custom playbooks.

Sentinel performs well when searching a large amount of data, like two months of logs. Sentinel uses underlying big data and KQL, which is highly efficient in query performance. I also like Sentinel's user behavior analytics. UEBA is another solution vendors typically sell as a separate product, but it's included with Sentinel for free. It has integration with other multiple cloud platforms, whereas most vendors lack this capability. 

When comparing visibility, we need to also compare at the company level. Microsoft doesn't only provide a security solution. They have a cloud platform with many services and security products that feed threat intelligence into Sentinel. There are many backend things that Microsoft does in cybersecurity. That is an added advantage that comes with this solution.

The native integration with the vast Microsoft ecosystem is a huge advantage. Another good aspect about Sentinel is that you can integrate all the Microsoft technologies with one click using the backend APIs. It's a seamless process because Sentinel is a Microsoft-native solution. It doesn't take much effort to do the integration.

We also use Defender for Endpoint, Defender for Cloud, and Azure firewall. Most of our customers already use some Microsoft services, so when we integrate their environments, we integrate Defender for Endpoint and Defender for Office 365. We also have Azure Activity, Azure Identity Protection, and many other solutions from Microsoft.

Microsoft products can be integrated with one click. You check a box, and it integrates with that service on the backend. You only need to set the permissions. Integrating third-party solutions requires the same effort that would be necessary for any other SIEM solution. 

All the solutions work together seamlessly to protect our environment. For example, Defender for Endpoint detects threats on the endpoints, and you see the same alerts within Sentinel. If Defender for Office detects a malicious email, it feeds that incident to Sentinel. The whole ecosystem is integrated there.

Sentinel ingests data from our entire environment. There are seven or eight ways to ingest data. You can install agents, go through Logstash, or do it through API calls. There are many ways to ingest everything that's required. We have had cases of custom applications running critical services for clients who wanted to ensure they were being monitored. 

The out-of-the-box integration wasn't there, but other methods of ingesting the solution exist. We used one of the custom methods with Logstash, and we could onboard these applications. Managed services need to have that kind of flexibility for product onboarding.

What needs improvement?

We have been working with multiple customers, and every time we onboard a customer, we are missing an essential feature that surprisingly doesn't exist in Sentinel. We searched the forums and knowledge bases but couldn't find a solution. When you onboard new customers, you need to enable the data connectors. That part is easy, but you must create rules from scratch for every associated connector. You click "next," "next," "next," and it requires five clicks for each analytical rule. Imagine we have a customer with 150 rules.

It can be a nightmare. It would be much easier if Microsoft provided a way to select all the rules you need, and you can click once to create them. I went to multiple forums to find a way to automate this. Unfortunately, the best I can do is a semi-automated method. Half of them can be automated, but you must do the rest manually. 

For now, we are doing it manually, and our DevOps team is assigned to do this. Some APIs could be used. We leverage the Azure Insights PowerShell module to do the automation part. Currently, the team is working on it, but I know from the discussion that the solution would only be semi-automated. We can't fully automate this because it simply lacks that capability. Many people in the Microsoft community have already requested this solution. Hopefully, Microsoft will implement this feature.

These solutions provide comprehensive protection, but there is always room for improvement. For example, virus removal has 98 different antivirus engines associated. Still, if you are searching for a malicious IP address or a hostname, some solutions will pick it up, and others won't. It's okay overall. I wouldn't say it isn't good enough. It does what we need, but sometimes another solution does it better. It depends on who detects it first.

For how long have I used the solution?

I've been using Sentinel for nearly a year.

What do I think about the stability of the solution?

Sentinel is a cloud-based solution, so everything is handled by Microsoft. We haven't experienced any outages. With any on-premise solution, you will see downtime when there are problems or changes in the infrastructure.

What do I think about the scalability of the solution?

Sentinel is highly scalable. It's on the cloud, so we can scale up to any level. There are two models: pay-as-you-go and commitment tier. The commitment tier is there to help reduce costs. If you're a large organization with high volumes of data coming in, Microsoft recommends the commitment tier, which will save you 40-60%. Scalability isn't a problem.

How are customer service and support?

I rate Microsoft support nine out of 10. Within all Microsoft services, there is a link you can use to contact support and raise a ticket based on severity. If it's something that will impact business, they are available 24/7. Once we get a call from them, they follow up around the clock until it's closed. It isn't bad.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I've worked on Splunk, QRadar, LogRhythm, AlienVault, McAfee, Juniper STRM, etc. I started using Sentinel when I joined this company. We are Microsoft Gold partners. However, my feedback is neutral as an analyst. Compared to other solutions I've used, Microsoft is easier in terms of integration and deployment.

What was our ROI?

We've seen an ROI. Having used multiple SIEM solutions, I would recommend Microsoft Sentinel for the ROI, integration, cloud visibility, customization, etc. 

What's my experience with pricing, setup cost, and licensing?

The price is reasonable because Sentinel includes features like user behavior analytics and SOAR that are typically sold separately. Overall, a standalone on-prem solution would require some high-end servers at a different cost. It is a cloud-based solution, so there are backend cloud computing costs, but they are negligible. 

The most significant cost factor is log ingestion. The best approach with any SIEM solution is only to ingest the necessary security-specific logs. You consume the EPS licenses, memory, bandwidth, and CPU. It doesn't make sense to forward and dump everything into any SIEM solution. If you are doing the architecture correctly, you send the right amount of logs.

On top of that, Sentinel provides you with a workbook that tells you which log costs how much. You can optimize that part so it's cost-effective. Its dashboard offers clear graphs and charts, showing which log sources ingest the most logs, contributing to the cost. We can easily cut 40-60% of the price if we do appropriate fine-tuning. As long as you're doing the fine-tuning regularly, it's a highly cost-efficient solution.

What other advice do I have?

I rate Sentinel 10 out of 10. At the same time, I understand no solution is perfect. I've had multiple issues with SIEM solutions I've used previously. Sentinel is missing one minor feature that could be added eventually. I have no complaints about the core functionality.

A large enterprise client contacted us about replacing Splunk with Sentinel, and their team wanted a side-by-side comparison. They're pretty new to SOC, and I've been in the field for a long time, so I told them that it's hard to do an apples-to-apples comparison. In many instances, you won't see much difference between the two, and Sentinel might beat Splunk in certain cases.

However, the essential component they would be missing in the comparison is the ecosystem. Sentinel can leverage a huge ecosystem on the backend that Splunk or any other solution simply can't. Splunk specializes in SIEM, but Microsoft covers the full cybersecurity spectrum. When comparing solutions, customers should look at the whole ecosystem and not only product features. 

A best-in-breed strategy works for some categories of security products. For example, it was an organizational policy that we would not purchase all of our firewall-related products from one vendor. However, SIEM only does detection based on the type of logs ingested. An organization might have firewalls from Cisco, Fortinet, and Juniper. At the end of the day, these three firewall brands are feeding the logs into one security solution, which is Sentinel. It's a single pane of glass that correlates all threats across your enterprise. It doesn't make sense to have multiple SIEM solutions.

The only cases where it makes sense are in large enterprises like oil and gas. For example, they may have an IT environment and an OT environment. In the IT environment, they have one solution and a different solution in the OT environment. They are silos being managed by different teams. They may have separate budgets and decision-making processes. That's why they have different solutions. Other than that, I really don't see any reason for having two different SIEM solutions in place.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
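The "What needs improvement?" section above describes creating 150 analytics rules five clicks at a time and only getting to a semi-automated script. The following is an added example of how that bulk step can be driven from the Microsoft Sentinel REST API; it is not the reviewer's script and not Microsoft tooling. It assumes placeholder subscription, resource group and workspace names, an ARM bearer token supplied through the environment (for instance from `az account get-access-token --resource https://management.azure.com`), the stable `2023-02-01` API version, and a fixed namespace UUID (an arbitrary value chosen here) so that each template maps to the same rule id on every run. The sample templates are constructed in the shape the `alertRuleTemplates` endpoint returns so the selection and translation logic can be exercised without Azure.

```python
"""Bulk-create Microsoft Sentinel scheduled analytics rules from their templates (added example)."""
import json
import os
import sys
import urllib.request
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2023-02-01"  # stable Microsoft.SecurityInsights API version
# Assumption: arbitrary fixed namespace so template name -> rule id is stable; a re-run
# then re-PUTs the same rule (idempotent) instead of creating a duplicate.
RULE_NAMESPACE = uuid.UUID("8c3c9f5a-0d2e-4b6b-9a2b-4e7a1d0d6f11")


def workspace_base(subscription_id, resource_group, workspace):
    """ARM URL prefix under which alertRuleTemplates and alertRules live."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights")


def select_templates(templates, enabled_connectors):
    """Keep Scheduled templates whose required data connectors are all enabled.
    Fusion, ML and NRT templates are other rule kinds and are left for manual handling."""
    enabled = set(enabled_connectors)
    chosen = []
    for t in templates:
        if t.get("kind") != "Scheduled":
            continue
        required = {c["connectorId"] for c in t["properties"].get("requiredDataConnectors", [])}
        if required <= enabled:
            chosen.append(t)
    return chosen


def template_to_rule(template, enabled=True):
    """Translate one alertRuleTemplates item into (ruleId, body) for a PUT on alertRules."""
    p = template["properties"]
    props = {
        "alertRuleTemplateName": template["name"],
        "displayName": p["displayName"],
        "description": p.get("description", ""),
        "enabled": enabled,
        "query": p["query"],
        "queryFrequency": p["queryFrequency"],
        "queryPeriod": p["queryPeriod"],
        "severity": p["severity"],
        "triggerOperator": p["triggerOperator"],
        "triggerThreshold": p["triggerThreshold"],
        "suppressionDuration": "PT5H",  # required by the API even when suppression is off
        "suppressionEnabled": False,
    }
    for key in ("tactics", "techniques", "entityMappings", "eventGroupingSettings"):
        if key in p:  # optional fields are copied only when the template carries them
            props[key] = p[key]
    if "version" in p:
        props["templateVersion"] = p["version"]
    rule_id = str(uuid.uuid5(RULE_NAMESPACE, template["name"]))
    return rule_id, {"kind": "Scheduled", "properties": props}


def arm_request(token, method, url, body=None):
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def list_templates(token, base):
    """GET every alert rule template, following nextLink paging."""
    url, items = f"{base}/alertRuleTemplates?api-version={API_VERSION}", []
    while url:
        page = arm_request(token, "GET", url)
        items.extend(page.get("value", []))
        url = page.get("nextLink")
    return items


def create_rules(token, base, templates, enabled_connectors):
    created = []
    for t in select_templates(templates, enabled_connectors):
        rule_id, body = template_to_rule(t)
        arm_request(token, "PUT", f"{base}/alertRules/{rule_id}?api-version={API_VERSION}", body)
        created.append((rule_id, body["properties"]["displayName"]))
    return created


SAMPLE_TEMPLATES = [  # constructed, in the shape the alertRuleTemplates endpoint returns
    {"name": "11111111-aaaa-4bbb-8ccc-000000000001", "kind": "Scheduled", "properties": {
        "displayName": "Password spray against Entra ID", "version": "1.0.0",
        "requiredDataConnectors": [{"connectorId": "AzureActiveDirectory", "dataTypes": ["SigninLogs"]}],
        "query": "SigninLogs | where ResultType == 50126 | summarize count() by IPAddress | where count_ > 20",
        "queryFrequency": "PT1H", "queryPeriod": "PT1H", "severity": "Medium",
        "triggerOperator": "GreaterThan", "triggerThreshold": 0, "tactics": ["CredentialAccess"]}},
    {"name": "11111111-aaaa-4bbb-8ccc-000000000002", "kind": "Scheduled", "properties": {
        "displayName": "Fortinet admin login from new IP",
        "requiredDataConnectors": [{"connectorId": "Fortinet", "dataTypes": ["CommonSecurityLog"]}],
        "query": "CommonSecurityLog | where DeviceVendor == 'Fortinet'",
        "queryFrequency": "PT1H", "queryPeriod": "P1D", "severity": "Low",
        "triggerOperator": "GreaterThan", "triggerThreshold": 0}},
    {"name": "11111111-aaaa-4bbb-8ccc-000000000003", "kind": "Fusion",
     "properties": {"displayName": "Advanced Multistage Attack Detection"}},
]

if __name__ == "__main__":
    # Assumption: ARM_TOKEN from `az account get-access-token --resource https://management.azure.com`.
    base = workspace_base(os.environ["SUB_ID"], os.environ["RESOURCE_GROUP"], os.environ["WORKSPACE"])
    token = os.environ["ARM_TOKEN"]
    connectors = sys.argv[1:]  # connector ids already enabled, e.g. AzureActiveDirectory
    for rule_id, name in create_rules(token, base, list_templates(token, base), connectors):
        print(rule_id, name)
```

Filtering on `requiredDataConnectors` is what keeps the pass safe to run right after enabling connectors: a template whose connector is not yet enabled is skipped rather than created as a rule that never fires. Templates of other kinds (Fusion, ML behaviour analytics, NRT) still have to be handled separately, which is the part that stays manual.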
PeerSpot user
reviewer2017212 - PeerSpot reviewer
Security Engineer at a tech services company with 5,001-10,000 employees
Real User
Dec 11, 2022
The solution prioritizes threats, integrates easily with other Microsoft products, and can be deployed within half an hour
Pros and Cons
  • "We are able to deploy within half an hour and we only require one person to complete the implementation."
  • "The playbook development environment is not as rich as it should be. There are multiple occasions when we face problems while creating the playbook."

What is our primary use case?

Our organization is an SSP, a service provider for manual threat detection and hunting. We use Microsoft Sentinel for threat detection. We have a few clients using Microsoft Sentinel, and we provide SOAR services to them.

How has it helped my organization?

Having the ability to respond holistically from one place with Microsoft Sentinel is very useful. We don't need to log into different security consoles. It is less hectic and reduces our time to respond and resolve the issue.

The solution has helped improve our organization by detecting and hunting threats. The solution also correlates alerts from other solutions, such as Defender, Office 365, and other Endpoint solutions. Microsoft Sentinel has automated responses that help us reduce the number of analysts required, for example, from ten to six, because most of the tasks are done automatically.

The solution's automation of routine tasks helps us automate the finding of high-value alerts by reducing the manual work from 30 minutes down to three. 90 percent of the work is done by Sentinel which runs the playbook and provides us with all the data required to make a decision quickly.

The solution has helped eliminate the need to use multiple dashboards by incorporating SIEM plus SOAR into one convenient location. We don't need to log into each of the solutions individually. We can directly correlate the alerts and incidents from our Sentinel console. Sentinel reduces our time because we don't need to check multiple tabs for multiple solutions. All the information required to investigate and make a decision can be found in the solution's panel view.

We don't have any out-of-the-box threat intelligence from Microsoft, but with the integration of some open-source solutions and premium sources, Microsoft Sentinel helps us take proactive steps before threats enter our environment.

We have custom rules created to check IPs or domains for potential threats. Whenever an IP or domain is visible in our logs, the solution will automatically correlate with the threat intelligence feed and create an alert. If we skip the correlation portion and an alert has been created for a malicious IP or a malicious domain, the solution can check the reputation in different reputation sources such as a virus portal, or threat recorded future, and it will auto-populate the information for the analyst which helps us prepare for potential threats.

The solution has definitely saved us 90 percent of our time. Microsoft Sentinel reduces our time to detect, respond, and resolve incidents. Most of the incidents are detected automatically and we just need the data to make a decision. We don't have to go look for different clues or reputations over the internet or use other solutions.

Microsoft Sentinel has saved us from incurring costs related to a breach by protecting us.

The solution detects incidents and alerts us in real-time based on custom rules that we create or the out-of-the-box rules that are part of Sentinel. The information that auto-populates when we run the playbook reduces our response time in most cases because all the relevant data required for our investigation is provided on the incident details page.

What is most valuable?

Logic apps, playbooks, and dashboarding are all valuable features of this solution. 

Microsoft Sentinel prioritizes threats across our organization because the solution allows us to correlate using multiple solutions including Defender.

Integrating Microsoft solutions with each other is very easy. The integrated solutions work together to deliver coordinated detection and response in our environment.

The solution enables us to investigate threats and respond holistically from one place. We can write KQL queries and also create rules to detect the alerts. In the event that we don't have rules, we can proactively hunt through KQL queries.

The workbook, based on KQL queries (the query language), is very extensive compared to other solutions such as QRadar and Splunk.

The solution requires no in-house maintenance because it is all handled by Microsoft. We only need to monitor the updates.

What needs improvement?

The playbook development environment is not as rich as it should be. There are multiple occasions when we face problems while creating the playbook. 

The cost is not straightforward and would benefit from a single charge model. 

The UI is not impressive, we need to train our analysts to conduct the investigation. Unlike IBM QRadar which has a different UI for searching, there is no UI where we can conduct searches with Sentinel. With Sentinel, all our searches require a KQL query, and if our analysts are not familiar with KQL queries, we have to train them. 

The data ingestion can use improvement. There are a few scenarios where we have experienced a delay in data ingestion.

For how long have I used the solution?

I have been using the solution for one and a half years.

What do I think about the stability of the solution?

Sentinel is quite stable because it's a SaaS-based offering, so we don't have to worry about our stability. The solution is available 99.99999 percent of the time. The only time we have an issue is if there is a problem with the Azure portal. Microsoft handles the stability well.

What do I think about the scalability of the solution?

We can scale the solution as much as we want, and with a few clicks, we can increase or decrease capacity.

We currently have four engineering teams that handle the deployments and use case development as well as a SOAR team that consists of ten technical people who all use the solution.

How are customer service and support?

Microsoft Sentinel support is really good. They respond quickly to our requests and they try to resolve our issues as soon as possible. From my experience, Microsoft has the best support.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

For SIEM, we previously used IBM QRadar and Splunk Enterprise Security. For SOAR, we have used IBM Resilient, Palo Alto XSOAR, and D3 SOAR, which is a new tool. D3 SOAR is a startup based in Canada and we used it for POC, but we have not used it in production. Sentinel is a SaaS-based solution. There is less administration required and with a few clicks, we can deploy Microsoft Sentinel, whereas, with other solutions, we have to build everything from scratch. There are other SaaS-based solutions but Sentinel is one of the most popular and because a lot of organizations are already using Microsoft and Azure products, Sentinel is the best compatible solution.

How was the initial setup?

The initial setup for Sentinel is straightforward and the best I have worked with to date. We are able to deploy within half an hour and we only require one person to complete the implementation. 

What about the implementation team?

The implementation was completed in-house.

What's my experience with pricing, setup cost, and licensing?

From a cost perspective, there are some additional charges in addition to the licensing. Initially, the cost appears expensive, but over time, the solution justifies that cost. The cost is not straightforward, but instead really complex. We are charged for data ingestion as well as data leaving the environment. We are also charged for running playbooks and for logic apps. Compared with SIEM solutions, whose cost is simply based on EPS or data storage, Microsoft Sentinel's cost is complex. Over time we can predict what the cost of using the solution will be. Other standalone SOAR tools have fixed licensing and their cost is simple. We don't need to pay for each command we run or each integration we have or each automation we do. With Microsoft Sentinel, there is a cost associated with each of the connectors that we use in our playbook. Every time we run that playbook, there will be charges, but the charges are minimal unless we run the playbook repeatedly, then over time the cost shoots up.

Which other solutions did I evaluate?

We occasionally test POC and we are still evaluating other solutions.

What other advice do I have?

I give the solution nine out of ten.

My impression of the visibility into threats that Microsoft Sentinel provides is that the solution is not perfect, but since it is part of Microsoft Workspace, Microsoft already provides so many services to clients, and Microsoft Sentinel is one of them. If we are already using Azure and other services from Microsoft, then Sentinel is easy to implement and use compared to other similar solutions. If I was not using Microsoft Solutions, then I can use other solutions, such as IBM QRadar or Splunk, and when it comes to XSOAR, Palo Alto XSOAR is a much better solution.

We use multiple solutions from Microsoft within our organization including Defender and Endpoint. We have integrated Endpoint with Defender and Microsoft Security Center to receive alerts.

Microsoft Sentinel has out-of-the-box support for up to 90 percent of solutions where we can find a connector to ingest the data directly, but for the remaining 10 percent, we need to write custom tables.

The ability to ingest data is the backbone of our security. If we don't ingest the data, we won't be able to perform anything at all in SIEM. SIEM is based on data ingestion. Once the data is ingested, then on top of that data, we can monitor and detect or hunt, whatever we want. We can create a reporting dashboard, but the data needs to be there.

Microsoft Sentinel's UEBA is quite capable. For SIEM, Splunk and IBM QRadar are slightly better than Sentinel, but Sentinel is catching up fast. The solution has only been in the market for two or three years and has already captured a large share with increasing popularity. For SOAR, Palo Alto XSOAR is much better than Microsoft Sentinel because Sentinel is a SIEM plus SOAR solution whereas Palo Alto XSOAR is a SOAR-focused solution only. What Microsoft Sentinel provides is one solution for SIEM plus SOAR, where we can detect and also respond in one place.

Currently, we have one environment based in a US data center, but we have the ability for multiple solutions in multiple regions within Azure, and we can integrate them using a master and slave configuration that will allow us to run all the queries from the master console.

Using a best-of-breed strategy rather than a single vendor suite is fine if we have a SIEM solution, a SOAR solution, or an Endpoint detection solution until a time when they are no longer compatible with each other and we can not integrate them. If we can not integrate the solutions it becomes difficult for our teams to log into and monitor multiple solutions separately.

I definitely recommend Microsoft Sentinel, but I suggest basing the decision on proof of concept by gathering the requirements, security solutions, and additional log source devices an organization has before using the solution. There are multiple solutions available that may be more suitable in some cases.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. MSP
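Both the first review ("Microsoft has built-in rules for any threat intelligence matches") and this one ("custom rules created to check IPs or domains ... correlate with the threat intelligence feed") describe the same detection: indicators joined against log entities. The block below is an added example of that logic in Python; it is not code from either reviewer or from Microsoft's built-in "TI map" rules. It models what those rules do, keeping the newest copy of each indicator, dropping expired or deactivated ones, then matching IP, domain and file-hash entities. It goes beyond the stock rules' exact domain match by also firing when an event's hostname is a subdomain of an indicator. All indicator and event records are constructed, shaped loosely like `ThreatIntelligenceIndicator`, `CommonSecurityLog`, `DnsEvents` and `DeviceFileEvents` rows.

```python
"""Threat-intelligence indicator matching over log events (added example, constructed data)."""
import ipaddress
from datetime import datetime, timezone


def ts(text):
    """Constructed timestamps are naive ISO 8601 and treated as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def normalize_domain(name):
    return name.strip().rstrip(".").lower()


def current_indicators(indicators, now):
    """Feeds re-publish indicators, so keep only the newest record per IndicatorId,
    then require Active and an expiry in the future (a later Active=False revokes)."""
    newest = {}
    for ind in indicators:
        prev = newest.get(ind["IndicatorId"])
        if prev is None or ind["TimeGenerated"] > prev["TimeGenerated"]:
            newest[ind["IndicatorId"]] = ind
    return [i for i in newest.values() if i["Active"] and i["ExpirationDateTime"] > now]


def build_index(indicators):
    """Lookup tables keyed by canonical IP text, normalized domain and lowercase hash."""
    index = {"ip": {}, "domain": {}, "hash": {}}
    for ind in indicators:
        if ind.get("NetworkIP"):
            index["ip"][str(ipaddress.ip_address(ind["NetworkIP"]))] = ind
        if ind.get("DomainName"):
            index["domain"][normalize_domain(ind["DomainName"])] = ind
        if ind.get("FileHashValue"):
            index["hash"][ind["FileHashValue"].lower()] = ind
    return index


def domain_candidates(host):
    """The host and each parent domain except the bare TLD, so an indicator on
    evil.example also fires for login.evil.example (broader than an exact match)."""
    labels = normalize_domain(host).split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def match_events(events, index):
    alerts = []

    def hit(event, entity_type, entity, ind):
        alerts.append({"IndicatorId": ind["IndicatorId"], "EntityType": entity_type, "Entity": entity,
                       "Confidence": ind.get("ConfidenceScore"), "Description": ind.get("Description", ""),
                       "Event": event})

    for e in events:
        for field in ("SourceIP", "DestinationIP"):  # CommonSecurityLog-style columns
            if e.get(field):
                ind = index["ip"].get(str(ipaddress.ip_address(e[field])))
                if ind:
                    hit(e, "ip", e[field], ind)
        if e.get("Name"):  # DnsEvents-style queried name
            for candidate in domain_candidates(e["Name"]):
                ind = index["domain"].get(candidate)
                if ind:
                    hit(e, "domain", e["Name"], ind)
                    break
        if e.get("SHA256"):  # DeviceFileEvents-style hash
            ind = index["hash"].get(e["SHA256"].lower())
            if ind:
                hit(e, "filehash", e["SHA256"], ind)
    return alerts


def run(indicators, events, now):
    return match_events(events, build_index(current_indicators(indicators, now)))


NOW = ts("2024-06-01T12:00:00")
FAR, PAST = ts("2030-01-01T00:00:00"), ts("2024-01-01T00:00:00")
HASH_REVOKED, HASH_ACTIVE = "ab12" * 16, "cd34" * 16
SAMPLE_INDICATORS = [  # constructed
    {"IndicatorId": "ind-1", "TimeGenerated": ts("2024-05-30T00:00:00"), "Active": True, "ExpirationDateTime": FAR,
     "NetworkIP": "203.0.113.45", "ConfidenceScore": 80, "Description": "C2 server"},
    {"IndicatorId": "ind-2", "TimeGenerated": ts("2024-05-30T00:00:00"), "Active": True, "ExpirationDateTime": FAR,
     "DomainName": "Evil.Example.", "ConfidenceScore": 60, "Description": "phishing apex domain"},
    {"IndicatorId": "ind-3", "TimeGenerated": ts("2023-12-01T00:00:00"), "Active": True, "ExpirationDateTime": PAST,
     "NetworkIP": "198.51.100.7", "ConfidenceScore": 90, "Description": "expired scanner"},
    {"IndicatorId": "ind-4", "TimeGenerated": ts("2024-05-01T00:00:00"), "Active": True, "ExpirationDateTime": FAR,
     "FileHashValue": HASH_REVOKED, "ConfidenceScore": 70, "Description": "dropper"},
    {"IndicatorId": "ind-4", "TimeGenerated": ts("2024-05-20T00:00:00"), "Active": False, "ExpirationDateTime": FAR,
     "FileHashValue": HASH_REVOKED, "ConfidenceScore": 70, "Description": "dropper (withdrawn)"},
    {"IndicatorId": "ind-5", "TimeGenerated": ts("2024-05-25T00:00:00"), "Active": True, "ExpirationDateTime": FAR,
     "FileHashValue": HASH_ACTIVE.upper(), "ConfidenceScore": 95, "Description": "ransomware loader"},
]
SAMPLE_EVENTS = [  # constructed, one row each from three Sentinel tables
    {"Table": "CommonSecurityLog", "SourceIP": "10.0.0.5", "DestinationIP": "203.0.113.45"},
    {"Table": "DnsEvents", "Name": "login.evil.example"},
    {"Table": "CommonSecurityLog", "SourceIP": "10.0.0.6", "DestinationIP": "198.51.100.7"},
    {"Table": "DeviceFileEvents", "SHA256": HASH_REVOKED},
    {"Table": "DeviceFileEvents", "SHA256": HASH_ACTIVE},
    {"Table": "CommonSecurityLog", "SourceIP": "10.0.0.7", "DestinationIP": "192.0.2.1"},
]

if __name__ == "__main__":
    for a in run(SAMPLE_INDICATORS, SAMPLE_EVENTS, NOW):
        print(a["IndicatorId"], a["EntityType"], a["Entity"], a["Description"])
```

Of the six constructed events, only three produce alerts: the expired indicator and the one whose newest copy is `Active=False` are filtered out before the join, which is the check that separates a useful TI rule from one that pages on stale feed data.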
PeerSpot user
IT Architect at a real estate/law firm with 10,001+ employees
Real User
Dec 18, 2023
It's a plug-and-play solution, so you can start seeing benefits quickly using the out-of-the-box analytics rules and use cases
Pros and Cons
  • "The SOAR playbooks are Sentinel's most valuable feature. It gives you a unified toolset for detecting, investigating, and responding to incidents. That's what clearly differentiates Sentinel from its competitors. It's cloud-native, offering end-to-end coverage with more than 120 connectors. All types of data logs can be poured into the system so analysis can happen. That end-to-end visibility gives it the advantage."
  • "I would like Sentinel to have more out-of-the-box analytics rules. There are already more than 400 rules, but they could add more industry-specific ones. For example, you could have sets of out-of-the-box rules for banking, financial sector, insurance, automotive, etc., so it's easier for people to use it out of the box. Structuring the rules according to industry might help us."

What is our primary use case?

We use Sentinel for our SOC operations. We set up analytics rules and SOAR playbooks. Sentinel covers our entire security operation. It is deployed across multiple locations and covers around 4,000 users.

Sentinel gives us alerts, identifies vulnerabilities, and helps us remediate issues. Some of it is automated, but we also do manual remediation through the ticketing process. We have integrated Sentinel with ServiceNow, so the alerts are routed to the engineers.

How has it helped my organization?

Sentinel has reduced our mean time to resolution, one of our KPIs, by about 30 to 40 percent and enabled us to identify vulnerabilities faster. The co-pilot capability saves us a lot of time, too. We're also doing mapping with the MITRE framework, improving our MITRE coverage. We started to see results after the initial deployment and configuration. It took about two or three months. It's an ongoing process, but we realized the benefits within three months. 

The solution correlates signals from native and third-party sources into a single incident. Before implementing Sentinel, we used multiple tools to investigate and remedy vulnerabilities. Having that single pane of glass has significantly increased the efficiency.

Sentinel has improved our overall visibility. We get data about user behavior and correlate it. It also gives us alerts about network vulnerabilities. Having a single pane of glass and one consolidated security tool allows us to capture multiple layers, from the endpoints to the servers. One solution gives us visibility into all the layers. 

What is most valuable?

The SOAR playbooks are Sentinel's most valuable feature. It gives you a unified toolset for detecting, investigating, and responding to incidents. That's what clearly differentiates Sentinel from its competitors. It's cloud-native, offering end-to-end coverage with more than 120 connectors. All types of data logs can be poured into the system so analysis can happen. That end-to-end visibility gives it the advantage.

Sentinel's AI and automation capabilities make our SOC team's job easy. When logs come into Sentinel, the AI engine analyzes, contextualizes, and correlates them. The AI is correlating the data from multiple log sources and giving us alerts. We depend on that. We also perform automated remediation based on our SOAR playbooks. 

What needs improvement?

I would like Sentinel to have more out-of-the-box analytics rules. There are already more than 400 rules, but they could add more industry-specific ones. For example, you could have sets of out-of-the-box rules for banking, financial sector, insurance, automotive, etc., so it's easier for people to use it out of the box. Structuring the rules according to industry might help us. 

They could also add some more connectors. Sentinel has 120 connectors, including most of the essential data ones, but they could add some more legacy connectors.

For how long have I used the solution?

I have used Microsoft Sentinel for three years.

What do I think about the stability of the solution?

Our SOC team relies on Sentinel from end to end, and it has been quite stable. It's always up, and we've never had any issues with the connectors.

What do I think about the scalability of the solution?

Scalability isn't a problem because we have an Azure environment, and Sentinel is native.

How are customer service and support?

I rate Microsoft support nine out of 10. They resolve our tickets within an acceptable time frame. That is pretty much okay for us.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Initially, we used Splunk, but I've mostly worked on Sentinel at this company. It was a company decision. Splunk works well in an on-premise or legacy environment, but our entire digital estate shifted to the cloud, so it makes more sense to move to Microsoft Sentinel because we moved to Azure.

How was the initial setup?

Our deployment went smoothly. We spent about three or four months setting up the entire thing, and it all went according to plan without any undue complications. About three months of that was the configuration phase, and we had a transitional month before starting operations. 

The implementation steps included enabling Sentinel, setting up Log Analytics Workspace, and connecting the data connectors. After that, the logs started flowing in. Next, we created the analytic rules and remediation use cases. The deployment team included seven full-time staff. After deployment, Sentinel requires some ongoing maintenance when we add new analytics rules or log sources. We have one engineer responsible for that.

What was our ROI?

We see an ROI. Our efficiency increased once we created the initial set of analytics rules and SOAR automation, and we review our automation use cases every six months to find more ways to save money. It comes out to roughly a 10 percent return annually on a three-year contract.

What's my experience with pricing, setup cost, and licensing?

I am not involved on the financial side, but from an enterprise-wide use perspective, I think the price is good enough. We have bundled pricing with Azure Monitor Log Analytics. We would be using Log Analytics Workspace even if we didn't have Sentinel, and we would need to pay a separate license for IBM QRadar or Splunk. It optimizes costs when we use both in our digital estate. 

Which other solutions did I evaluate?

We considered IBM QRadar. 

What other advice do I have?

I rate Microsoft Sentinel eight out of 10. It's a plug-and-play solution, so you can start seeing benefits quickly using the out-of-the-box analytics rules and use cases. Of course, you need more time to create custom use cases and playbooks, but it's simple to get started. It might be challenging to migrate from a legacy system because you may have trouble connecting to the old data, but this is the best tool for a greenfield deployment. 

Disclosure: My company has a business relationship with this vendor other than being a customer.
PeerSpot user
reviewer2700180 - PeerSpot reviewer
Cost Engineer at a tech vendor with 10,001+ employees
Real User
Top 20
May 1, 2025
Signal correlation and dashboards are fantastic but can have more automation
Pros and Cons
  • "The signal correlation and dashboards features of Microsoft Sentinel are fantastic because it correlates the signal logs with other products. The customizable dashboards are also valuable."
  • "Microsoft Sentinel can be improved in terms of automation or connecting with security products so that it is easier to use for general IT admins."

What is our primary use case?

We are developing our security signals for Microsoft Sentinel, so we are making a connector for Microsoft Sentinel. We try to use several features.

When using mobile devices, if there is an attacker or malware, the signal goes to the Microsoft Sentinel console from there. Our IT admin looks at those incidents.

The importance of that for our organization is because we are using our mobile devices for work. Mobile devices are not safe enough.

What is most valuable?

I focus on mobile devices while using Microsoft Sentinel. Mainly we want to expand our Identity performers. 

The signal correlation and dashboards features of Microsoft Sentinel are fantastic because it correlates the signal logs with other products. The customizable dashboards are also valuable.

Microsoft Sentinel's ability to correlate data from multiple sources and its detection capabilities are essential.

What needs improvement?

Microsoft Sentinel can be improved in terms of automation or connecting with security products so that it is easier to use for general IT admins.

For how long have I used the solution?

I started using Microsoft Sentinel last June, so it has been about a year.

Which solution did I use previously and why did I switch?

I was not using any other solutions for this specific task before Microsoft Sentinel. We ultimately chose Microsoft Sentinel because we have partnerships.

What was our ROI?

We have not yet seen a return on investment with Microsoft Sentinel. We expect to see a return on investment this year. 

What other advice do I have?

We try to use the security incidents feature in Microsoft Sentinel, but I have not seen the actual incident yet. I could not find good use cases. My experience with the collaboration capabilities of Microsoft Sentinel is limited, as I am still getting used to it.

I would rate Microsoft Sentinel a seven out of ten. 

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Last updated: May 1, 2025
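This reviewer is building a connector that pushes mobile-device security signals into Sentinel, and the first review above onboarded custom applications through Logstash and API calls. The block below is an added example of the API route, using the Azure Monitor Logs Ingestion API that feeds a custom table through a data collection rule; it is not the reviewer's connector and not Microsoft sample code. It assumes a data collection endpoint URL, a DCR immutable id, a stream name such as `Custom-MobileThreat_CL`, and a bearer token for `https://monitor.azure.com` supplied through environment variables; the table column names and the mobile-threat events are constructed. The batching respects the documented 1 MB per-call limit by measuring the uncompressed JSON, which is conservative because the body is sent gzip-compressed.

```python
"""Push custom security events into a Sentinel workspace via the Logs Ingestion API (added example)."""
import gzip
import json
import os
import urllib.request
from datetime import datetime, timezone

API_VERSION = "2023-01-01"
MAX_BYTES = 1_000_000  # documented per-call limit (1 MB, compressed or not); we measure uncompressed
REQUIRED = ("device_id", "user", "threat", "severity")
FIXED_TIME = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # constructed, for repeatable output


def to_record(event, received_at=None):
    """Map one constructed mobile-threat event to the (assumed) custom table columns."""
    missing = [k for k in REQUIRED if not event.get(k)]
    if missing:
        raise ValueError(f"event missing {missing}")
    ts = (received_at or datetime.now(timezone.utc)).astimezone(timezone.utc)
    return {
        # TimeGenerated must be ISO 8601; the DCR transform maps it onto the table column.
        "TimeGenerated": ts.isoformat(timespec="milliseconds").replace("+00:00", "Z"),
        "DeviceId": event["device_id"],
        "UserPrincipalName": event["user"].lower(),  # normalized so joins with SigninLogs work
        "ThreatName": event["threat"],
        "Severity": event["severity"].capitalize(),
        "AppPackage": event.get("app", ""),
        "DeviceIp": event.get("ip", ""),
    }


def encode(batch):
    return json.dumps(batch, separators=(",", ":")).encode()


def batches(records, max_bytes=MAX_BYTES):
    """Split records into JSON arrays that each serialize to at most max_bytes."""
    out, current, size = [], [], 2  # 2 bytes for the surrounding [ ]
    for rec in records:
        n = len(encode(rec))
        if n + 2 > max_bytes:
            raise ValueError("single record exceeds the per-call limit")
        extra = n + (1 if current else 0)  # comma separator
        if current and size + extra > max_bytes:
            out.append(current)
            current, size, extra = [], 2, n
        current.append(rec)
        size += extra
    if current:
        out.append(current)
    return out


def send(token, dce_url, dcr_immutable_id, stream, batch):
    """POST one batch; the API answers 204 No Content on success."""
    url = f"{dce_url}/dataCollectionRules/{dcr_immutable_id}/streams/{stream}?api-version={API_VERSION}"
    req = urllib.request.Request(url, data=gzip.compress(encode(batch)), method="POST", headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "Content-Encoding": "gzip",
    })
    with urllib.request.urlopen(req) as resp:
        return resp.status


SAMPLE_EVENTS = [  # constructed, as a hypothetical mobile-security agent would report them
    {"device_id": "dev-0001", "user": "Alice@Contoso.Example", "threat": "Sideloaded app with RAT behaviour",
     "severity": "high", "app": "com.example.fakebank", "ip": "10.20.0.11"},
    {"device_id": "dev-0002", "user": "bob@contoso.example", "threat": "Rogue Wi-Fi captive portal",
     "severity": "medium", "ip": "172.16.4.9"},
    {"device_id": "dev-0003", "user": "carol@contoso.example", "threat": "Jailbreak detected", "severity": "HIGH"},
]

if __name__ == "__main__":
    # Assumption: MONITOR_TOKEN from `az account get-access-token --resource https://monitor.azure.com`;
    # DCE_URL, DCR_ID and STREAM (e.g. Custom-MobileThreat_CL) come from the DCR you deployed.
    records = [to_record(e) for e in SAMPLE_EVENTS]
    for batch in batches(records):
        print(send(os.environ["MONITOR_TOKEN"], os.environ["DCE_URL"],
                   os.environ["DCR_ID"], os.environ["STREAM"], batch))
```

Once rows land in the custom table they are queryable with KQL like any other source, and the custom analytics rules the earlier reviews describe can be written against them; the normalization in `to_record` (lowercase UPN, fixed severity casing, UTC timestamps) is what makes those later joins and filters reliable.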
PeerSpot user
Security Ops Management at a manufacturing company with 1,001-5,000 employees
Real User
Dec 14, 2023
Helps save us time, streamlines event investigations, and improves our visibility
Pros and Cons
  • "The analytic rule is the most valuable feature."
  • "While I appreciate the UI itself and the vast amount of information available on the platform, I'm finding the overall user experience to be frustrating due to frequent disconnections and the requirement to repeatedly re-authenticate."

What is our primary use case?

My role thus far has been to integrate security log sources into the platform. This includes developing or troubleshooting some of the data connectors for different sources, such as web application firewall interfaces.

Sentinel is a SOAR platform. It represents the next generation beyond traditional SIM and SIEM platforms. Its powerful SOAR functionality orchestrates and automates responses to security events, eliminating the need for manual intervention. Instead of relying on human analysts to monitor events and react, Microsoft Sentinel leverages pre-defined automation rules. These rules correlate relevant events, generating a holistic understanding of the situation. Based on this analysis, automated responses are triggered, expediting the resolution process and eliminating any delays associated with manual identification and decision-making.

How has it helped my organization?

Sentinel provides us with a unified set of tools for detecting, investigating, and responding to incidents. This centralized approach offers both advantages and challenges. On the one hand, it grants us the flexibility to tailor Sentinel's capabilities to various situations. However, this flexibility demands a deep understanding of the environments and activities we're dealing with to effectively utilize Sentinel's features. While this presents a challenge, it also highlights the potential benefits of this unified approach. The unified view is important to me because I get all the information together in a single pane of glass instead of having to switch between multiple applications. The ability to consolidate all of that information into a single application or dashboard and to centrally evaluate its intelligence is a significant advantage.

Sentinel's ability to secure our cloud environment is of the utmost importance.

Sentinel Cloud Protection offers a collection of customizable content that caters to our specific requirements, demonstrating the solution's flexibility. The versatility of this content allows us to address a wide range of needs. However, in most instances, we need to adapt the material to suit our unique circumstances. While Sentinel Cloud Protection provides a comprehensive set of resources, including pre-written responses, it often requires tailoring to fit specific situations. This customization process is not a drawback but rather an essential aspect of effectively utilizing the tool. It's crucial to understand the nuances of each situation to apply the content appropriately. While I wouldn't consider this a negative aspect, I've encountered individuals who believe they can purchase a solution, implement it without modification, and achieve optimal results. However, such unrealistic expectations often lead to disappointment.

The Sentinel Content Hub is essentially the central repository where we acquire the content to build upon. Therefore, it serves as the starting point for our efforts. Some of the hunt rules have been quite beneficial in terms of what they provide from the Content Hub, allowing for a plug-and-play approach. This means we can immediately benefit from what's available without having to do any additional work. We can then build upon this foundation and extend the capabilities beyond what's provided by the Content Hub. The Content Hub itself is a valuable asset that gives us a head start in achieving our objectives.

Content Hub helps us centralize out-of-the-box SIM content. This has made our workload more manageable.

The ability to correlate and centralize all of that information together, rather than having to manage it across multiple platforms and potentially miss things between different platforms, makes it more likely that we will not miss anything. The workload and the missed threats that we need to respond to have been reduced because of that unified approach. The mean time to detect has been reduced, and the mean time to respond has been reduced.

Sentinel correlates signals from first- and third-party sources into a single, high-confidence incident. The third-party integrations provided through Microsoft offer all the tools we need to integrate those sources. In other cases, we have to build the integrations from the ground up. Currently, we are struggling to integrate some of the sources that don't have existing connectors. However, the platform is flexible enough to allow us to build these integrations. It is just a matter of finding the time to address this issue.

Our security team's overall efficiency has improved. The build phase is still ongoing. We have not yet fully transitioned to an operational model. We are still in the build implementation stage because we need to integrate some third-party sources into the existing platform and ensure that they are included in the scope of the analytics rules. However, this has significantly reduced the amount of time spent working between different platforms.

The automation capabilities are perhaps the platform's most significant advantage. The force multiplier capability is exceptional. Traditional SIM or SIEM-like platforms were effective in gathering and presenting security information to security personnel. However, security personnel were still responsible for evaluating the information and determining whether a response was necessary. One of the benefits of Sentinel's automation capabilities is the ability to automatically trigger an action or response activity, which is a significant advantage.

The automation capabilities have helped reduce our mean time to respond. Automated events can prevent a problem from escalating beyond a single incident to multiple occurrences before we have to respond to it. In this way, automation effectively catches problems right away.

Sentinel has helped to improve our visibility into user and network behavior. This is extremely important because it allows us to have a better understanding of how users and networks are behaving.

Sentinel has helped reduce our team's time.

Sentinel has streamlined our event investigation process by eliminating the need to manually track down specific event activities. The rules are now automatically identifying and processing these activities, significantly reducing the time required for investigation. Tasks that previously took half an hour can now be completed in under five minutes.

What is most valuable?

The analytic rule is the most valuable feature. It allows us to assess the various use cases we've developed and then automate those processes accordingly. I consider it a force multiplier. It empowers a small team to achieve a significant impact, whereas previously, I would have relied on multiple individuals. By utilizing it, we can accomplish more with fewer resources.

What needs improvement?

While I appreciate the UI itself and the vast amount of information available on the platform, I'm finding the overall user experience to be frustrating due to frequent disconnections and the requirement to repeatedly re-authenticate. Microsoft needs to address these usability issues to enhance the user experience.

For how long have I used the solution?

I have been using Microsoft Sentinel for seven months.

What do I think about the stability of the solution?

The stability is exceptionally reliable. I tend to be quite vocal when things don't function as expected. The web interface requires using a browser for interaction, and I often find myself multitasking between Sentinel-related tasks and other activities, such as responding to emails. When I return to the Sentinel interface, I'm prompted to re-enter my credentials, which causes me to lose my previous work. If I'm using KQL to query data, I frequently have to restart my work from scratch. This can be frustrating, but I've learned to copy my work periodically to avoid losing it. I haven't encountered this issue with previous platforms, even those that use web interfaces.

What do I think about the scalability of the solution?

Sentinel boasts exceptional scalability. While it's crucial to monitor data ingestion costs, Microsoft has effectively crafted a platform capable of expanding to accommodate far greater volumes than initially anticipated.

How are customer service and support?

The technical support has room for improvement.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial deployment was straightforward. Our strategy was to consolidate onto a common platform. We have a significant portion of our security information being handled through syslog events. As a result, it was almost as straightforward as simply rerouting data from the old platform to the new one. This served as a preliminary test of the new platform to ensure it was functioning as intended and could effectively redirect and handle the increased volume.

The deployment likely involved six people, but not all at the same time. There were six people involved in the deployment overall, but we probably had four people working on it at any given time. From a headcount perspective, I believe four people is the appropriate number.

What about the implementation team?

We employed a third-party company for the implementation because we sought expertise in Sentinel and the Azure platform, and we aimed to augment our existing staff.

What was our ROI?

We have achieved a positive return on our investment. In my previous jobs of comparable size, I would have needed approximately three people to manage the event activity and to handle and respond to it. Here, we can accomplish this with two people. As a result, we have saved at least one headcount with our current staffing levels. Additionally, as we expand the platform, we will not need to increase the headcount to manage the growth.

What's my experience with pricing, setup cost, and licensing?

Microsoft Sentinel can be costly, particularly for data management. While Microsoft provides various free offerings to attract users, these benefits can quickly become overwhelmed by escalating data management expenses if proper precautions are not taken.

I don't think it's Microsoft engaging in underhanded tactics. I believe the issue lies with customers not paying close enough attention to what they're enabling. Initially, they're excited and eager to incorporate everything, but before they realize it, they've incurred unexpected costs.

Azure Monitor Log Analytics and Sentinel have different subscription plans and pricing tiers. This segmentation was implemented to accommodate the distinct business relationships within our organization. Sentinel costs are managed separately from Azure costs.

Which other solutions did I evaluate?

The decision to adopt Microsoft Sentinel was made before I joined the organization. I understand that they evaluated all the major solutions available, including Splunk and QRadar. However, due to the selection of a cloud-based solution, they opted for Microsoft Sentinel as it aligned with their overall strategy.

What other advice do I have?

I would rate Microsoft Sentinel eight out of ten.

We've got a user base globally of about 5,000 people.

Microsoft Sentinel does require maintenance, which includes monitoring the incoming data and ensuring that everything is functioning as expected. While automation simplifies many tasks, it doesn't eliminate the need for oversight. We still need to verify that everything is working correctly. Part of the maintenance cycle involves ensuring that the automation agents are operational and performing their intended tasks and that events are being collected and evaluated properly.

Users need to have a clear understanding of their goals before selecting a solution. I have encountered too many people who believe that simply choosing a solution will resolve all of their problems. It is crucial to understand the desired outcome and the specific requirements of the use case to determine whether or not Sentinel is the appropriate fit.

Which deployment model are you using for this solution?

Hybrid Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Buyer's Guide
Download our free Microsoft Sentinel Report and get advice and tips from experienced pros sharing their opinions.
Updated: January 2026