Microsoft Sentinel Reviews

Our organization is an SSP, a service provider for manual threat detection and hunting. We use Microsoft Sentinel for threat detection. We have a few clients using Microsoft Sentinel, and we provide SOAR services to them.

Having the ability to respond holistically from one place with Microsoft Sentinel is very useful. We don't need to log into different security consoles. It is less hectic and reduces our time to respond and resolve the issue.

The solution has helped improve our organization by detecting and hunting threats. The solution also correlates alerts from other solutions, such as Defender, Office 365, and other Endpoint solutions. Microsoft Sentinel has automated responses that help us reduce the number of analysts required for example, from ten to six because most of the tasks are done automatically.

The solution's automation of routine tasks helps us automate the finding of high-value alerts by reducing the manual work from 30 minutes down to three. 90 percent of the work is done by Sentinel which runs the playbook and provides us with all the data required to make a decision quickly.

The solution has helped eliminate the need to use multiple dashboards by incorporating SIEM plus SOAR into one convenient location. We don't need to log into each of the solutions individually. We can directly correlate the alerts and incidents from our Sentinel console. Sentinel reduces our time because we don't need to check multiple tabs for multiple solutions. All the information required to investigate and make a decision can be found in the solution's panel view.

We don't have any out-of-the-box threat intelligence from Microsoft, but with the integration of some open-source solutions and premium sources, Microsoft Sentinel helps us take proactive steps before threats enter our environment.

We have custom rules created to check IPs or domains for potential threats. Whenever an IP or domain is visible in our logs, the solution will automatically correlate with the threat intelligence feed and create an alert. If we skip the correlation portion and an alert has been created for a malicious IP or a malicious domain, the solution can check the reputation in different reputation sources such as a virus portal, or threat recorded future, and it will auto-populate the information for the analyst which helps us prepare for potential threats.

The solution has definitely saved us 90 percent of our time. Microsoft Sentinel reduces our time to detect, respond, and resolve incidents. Most of the incidents are detected automatically and we just need the data to make a decision. We don't have to go look for different clues or reputations over the internet or use other solutions.

Microsoft Sentinel has saved us from incurring costs related to a breach by protecting us.

The solution detects incidents and alerts us in real-time based on custom rules that we create or the out-of-the-box rules that are part of Sentinel. The information that auto-populates when we run the playbook reduces our response time in most cases because all the relevant data required for our investigation is provided on the incident details page.

Logic apps, playbooks, and dashboarding are all valuable features of this solution. 

Microsoft Sentinel prioritizes threats across our organization because the solution allows us to correlate using multiple solutions including Defender.

Integrating Microsoft solutions with each other is very easy. The integrated solutions work together to deliver coordinated detection and response in our environment.

The solution enables us to investigate threats and respond holistically from one place. We can write AQL queries and also create rules to detect the alerts. In the event that we don't have rules, we can proactively hunt through KQL queries.

The workbook based on KQL queries, which is the query language is very extensive compared to other solutions such as QRada and Splunk.

The solution requires no in-house maintenance because it is all handled by Microsoft. We only need to monitor the updates.

The playbook development environment is not as rich as it should be. There are multiple occasions when we face problems while creating the playbook. 

The cost is not straightforward and would benefit from a single charge model. 

The UI is not impressive, we need to train our analysts to conduct the investigation. Unlike IBM QRadar which has a different UI for searching, there is no UI where we can conduct searches with Sentinel. With Sentinel, all our searches require a KQL query, and if our analysts are not familiar with KQL queries, we have to train them. 

The data ingestion can use improvement. There are a few scenarios where we have experienced a delay in data ingestion.

I have been using the solution for one and a half years.

Sentinel is quite stable because it's a SaaS-based offering, so we don't have to worry about our stability. The solution is available 99.99999 percent of the time. The only time we have an issue is if there is a problem with the Azure portal. Microsoft handles the stability well.

We can scale the solution as much as we want, and with a few clicks, we can increase or decrease capacity.

We currently have four engineering teams that handle the deployments and use case development as well as a SOAR team that consists of ten technical people who all use the solution.

Microsoft Sentinel support is really good. They respond quickly to our requests and they try to resolve our issues as soon as possible. From my experience, Microsoft has the best support.

For SIEM, we previously used IBM QRadar and Splunk Enterprise Security. For SOAR, We have used IBM Resilient, Palo Alto XSOAR, and D3 SOAR, which is a new tool. D3 SOAR is a startup based in Canada and we used it for POC, but we have not used it in production. Sentinel is a SaaS-based solution. There is less administration required and with a few clicks, we can deploy Microsoft Sentinel, whereas, with other solutions, we have to build everything from scratch. There are other SaaS-based solutions but Sentinel is one of the most popular and because a lot of organizations are already using Microsoft and Azure products, Sentinel is the best compatible solution.

The initial setup for Sentinel is straightforward and the best I have worked with to date. We are able to deploy within half an hour and we only require one person to complete the implementation. 

The implementation was completed in-house.

From a cost perspective, there are some additional charges in addition to the licensing. Initially, the cost appears expensive, but over time, the solution justifies that cost. The cost is not straightforward, but instead really complex. We are charged for data ingestion as well as data leaving the environment. We are also charged for running playbooks and for logic apps. Compared with SIEM solutions, whose cost is simply based on EPS or data storage, Microsoft Sentinel's cost is complex. Over time we can predict what the cost of using the solution will be. Other standalone SOAR tools have fixed licensing and their cost is simple. We don't need to pay for each command we run or each integration we have or each automation we do. With Microsoft Sentinel, there is a cost associated with each of the connectors that we use in our playbook. Every time we run that playbook, there will be charges, but the charges are minimal unless we run the playbook repeatedly, then over time the cost shoots up.

We occasionally test POC and we are still evaluating other solutions.

I give the solution nine out of ten.

My impression of the visibility into threats that Microsoft Sentinel provides is that the solution is not perfect, but since it is part of Microsoft Workspace, Microsoft already provides so many services to clients, and Microsoft Sentinel is one of them. If we are already using Azure and other services from Microsoft, then Sentinel is easy to implement and use compared to other similar solutions. If I was not using Microsoft Solutions, then I can use other solutions, such as IBM QRadar or Splunk, and when it comes to XSOAR, Palo Alto XSOAR is a much better solution.

We use multiple solutions from Microsoft within our organization including Defender and Endpoint. We have integrated Endpoint with Defender and Microsoft Security Center to receive alerts.

Microsoft Sentinel has out-of-the-box support for up to 90 percent of solutions where we can find a connector to ingest the data directly, but for the remaining 10 percent, we need to write custom tables.

The ability to ingest data is the backbone of our security. If we don't ingest the data, we won't be able to perform anything at all in SIEM. SIEM is based on data ingestion. Once the data is ingested, then on top of that data, we can monitor and detect or hunt, whatever we want. We can create a reporting dashboard, but the data needs to be there.

Microsoft Sentinel's UEBA is quite capable. For SIEM, Splunk and IBM QRadar are slightly better than Sentinel, but Sentinel is catching up fast. The solution has only been in the market for two or three years and has already captured a large share with increasing popularity. For SOAR, Palo Alto XSOAR is much better than Microsoft Sentinel because Sentinel is a SIEM plus SOAR solution whereas Palo Alto XSOAR is a SOAR-focused solution only. What Microsoft Sentinel provides is one solution for SIEM plus SOAR, where we can detect and also respond in one place.

Currently, we have one environment based in a US data center, but we have the ability for multiple solutions in multiple regions within Azure, and we can integrate them using a master and slave configuration that will allow us to run all the queries from the master console.

Using a best-of-breed strategy rather than a single vendor suite is fine if we have a SIEM solution, a SOAR solution, or an Endpoint detection solution until a time when they are no longer compatible with each other and we can not integrate them. If we can not integrate the solutions it becomes difficult for our teams to log into and monitor multiple solutions separately.

I definitely recommend Microsoft Sentinel, but I suggest basing the decision on proof of concept by gathering the requirements, security solutions, and additional log source devices an organization has before using the solution. There are multiple solutions available that may be more suitable in some cases.

My client has a huge environment in Azure. They have around 30,000 resources spread across the globe. They also have a huge presence on-premises itself. So, for on-prem, they have a SIEM solution already in place. But for the cloud, they didn't have anything. So, basically, no visibility into any kind of attacks or any kind of logging or monitoring in the cloud. We could not scale up our on-prem counterpart for it due to various reasons of cost and how much resources it would take. Microsoft Sentinel seemed like a pretty good solution since it's cloud-native, it's hosted by Azure itself. So we went ahead with the solution.

Microsoft Sentinel has given us great visibility into our cloud workloads and cloud environment as a whole. And not just that, but even, in fact, with the MCAS and email-security solutions also. We get a lot of visibility into what kind of emails we are getting and how many of them are malicious versus legitimate. From a visibility and compatibility perspective, it's really a nice product to have as a SIEM solution for your cloud environment. In fact, we have integrated this with our AWS, as well. At this point in time, it's just one account, but we plan on expanding more. So all the logs from our AWS environment flow to the solution. Microsoft Sentinel performs the analytics and gives us the alert for that.

The comprehensiveness and coverage of multiple different solutions, on-prem solutions, and cloud solutions, are the two aspects, Microsoft Sentinel really has an edge over other products.

Visibility into threats is above average. Since I also went through some slides of Microsoft and they receive a lot of telemetry because of their Windows platform, because of Azure. What I saw in those slides is that they benefit from this telemetry and create a rich threat-intelligence, kind of a backend service, which supports Sentinel and literally enriches the detection capabilities for Microsoft Sentinel.

Correlation is something that helps us instead of looking at every single alert. So, if we get a phishing email and five users click on it, instead of going through five individual detections, it correlates all of that and presents it in one single incident correlating all these five events. So, in terms of that correlation, it is pretty good. In terms of responding to these alerts, I know there is some automation. There were multiple calls with Microsoft when we were setting up this solution. They showed us how we can do this and they gave us a demo, which was really nice to see the automation. But from the response point of view, we haven't enabled any automation as of now because we are still in the nascent stages of setting this up. We have done multiple integrations, but, still, there's a lot of ground to cover. So, the response is something we would look at last. I think the response side also has a lot of automation and correlation, but we haven't worked on that as of now.

The time to detect and time to respond has been reduced considerably. Detect, because the analytics that is done by Microsoft Sentinel is near real-time, and response is based on us. So, when we see the alert, we respond to it, and we wait on the teams to receive an answer. Previously, the SOC guys were doing this. It was really slow and, sometimes, proceeded at a snail's pace. With Microsoft Sentinel, at least one part of it got addressed, which was running these queries with the SIEM and getting to analyze multiple events to go onto a specific security incident. That time has been saved by Sentinel. I would say 20 to 30% of the time to respond and detect has been saved.

In terms of Microsoft Sentinel, I think a large part of it has been automated by Azure itself. From a customer point of view, all you have to do is just run some queries and get the data. In terms of connections or the connectors for multiple data sources or multiple log sources, it's very easy to just set it up, be it Azure-native services or something customized, like some connection with the on-prem servers or things like that, or even connections with the other cloud platforms, such as AWS. The connectors are really one thing I appreciate. I think it sets Microsoft Sentinel apart from other solutions. Apart from that, the analytics that it performs and the built-in queries that it has, are valuable. A lot of automation on part of Microsoft Sentinel is really commendable.

Microsoft Sentinel definitely helps prioritize threats across our enterprise. I think Microsoft Defender for Cloud would also come in when we talk about this because Microsoft Defender for Cloud and Microsoft Sentinel work in conjunction with each other. We can set it up that way so any alerts that are found in Microsoft Defender for Cloud are forwarded to Microsoft Sentinel. Then, the prioritization is set based on the standard criticality, high, medium, low and informational. So, from our sense, what we can do is, we can simply target the high incidents.

Another thing is that it very efficiently correlates all the events. So if multiple emails have been sent from a single email ID, which is supposed to be a phishing email, Sentinel identifies it, flags all the emails, and it can very beautifully track all of it from their console such as who clicked it, when did they click it, which ID was it, who received it. So, in terms of all that, correlation also helps us prioritize those events.

Prioritization is important. If we have a bunch of alerts and we started investigating some alerts that are not of that much value, some alerts would get ignored if the prioritization was not set correctly. So if it's a phishing attempt and, in another area, we find that there's a brute-force attack going on, we would first want to address the phishing attempt since, in my opinion, in my experience, the probability of getting a link clicked is high rather than a password getting compromised by a brute-force attack. So, in those terms, prioritization really helps us.

Microsoft Sentinel definitely enables us to ingest data from the entire ecosystem. Microsoft Sentinel has around 122 or 123 connectors. Although we haven't set up the solution for our whole ecosystem, be it on-prem, Azure Cloud, AWS cloud, or any other cloud for that matter, looking at the connectors, I feel like there's a whole lot of support, and possibly, we can cover our whole ecosystem, with some exceptions for some solutions. Exceptions are always there. From a coverage point of view, I think it's pretty good. We can cover at least 80 to 90% of our ecosystem. Obviously, it comes at a cost. So at that point in time, it could get very costly. That is one downside.

From the SOC point of view, everything depends on how good the data you are ingesting is and the amount of data you are ingesting. So, the more data we have, the better insights we would have into what activities are going on in our cloud environment, and in our on-prem environment. So it's very critical to have the right data ingested into things like Microsoft Sentinel. Otherwise, you could have a great solution but an ineffective solution in place if you don't have data ingestion configured in the right manner.

Investigations are something really remarkable. We can drill down right to the raw logs by running different queries and getting those on the console itself.

The number one area of improvement for Sentinel would be the cost. 
At this point in time, I feel like, simply because we are a huge organization spread across the globe, we can afford it, but small and medium businesses cannot afford it. Maybe it's not meant for them? I don't know; that's a debatable topic. But even for organizations like ours, a problem that we face and for some of my other friends that I have talked to, it's a great solution, but we cannot deploy it everywhere because, frankly, we overrun our budget.

One thing that would really help or benefit would be the alerts that get thrown up. I've seen multiple alerts. For example, external file activity or external user activity. I open those alerts and there is absolutely no information in them. If there's external user activity, then who is that user, what is something that they are doing, how did Microsoft Sentinel detect this, or what were the analytics based on this outcome that it was a malicious activity or there was something anomalous or something like that? There is some particular type of alerts where a bit more data enrichment would help us.

The alerts get thrown out, and this is something we generally see with any kind of SIEM or any kind of other detection-based solution. For example, in an EDR solution or a vulnerability solution, the typical problem is alert fatigue. We get so many alerts that we start to see a large amount of them, and then we don't know where to start. Although here, we have the prioritization already shared by Microsoft Sentinel, so we have a starting point, but then it never ends. Perhaps tweaking and reducing the number of alerts that get thrown out, and enriching those alerts with more data would help. A lot of these alerts are just very normal things. They are not security incidents in their truest form, but it does take up our time just viewing those alerts. And sometimes, it also lacks a lot of information, like who did what, at exactly what time, and why did Microsoft Sentinel think that it was a malicious incident. That is one question I see a lot of times myself and don't get an answer for, like, "Okay, I get this a lot, but why do you think it's a security event?" So, enriching those alerts with more data might be a good area of improvement for Microsoft Sentinel.

The number of dashboards is something we complained a lot to Microsoft about, "You have great solutions, but you have a different console or a different dashboard for everything. So, as a person who is responding to these alerts, it really becomes overwhelming juggling between multiple different screens, dashboards, tabs, and windows." They have acknowledged this and they have mentioned to us that a lot of other customers made the same complaint and they're working on integrating these dashboards. So, for example, if you are using Microsoft Defender for Cloud, in one click you can reach a Microsoft Sentinel page wherein it would show you the raw logs. It sometimes gets overwhelming viewing the same alert on multiple different dashboards. In one sense, if I had to give an example, you might see an alert on Microsoft Sentinel, but it won't have much data to it. To drill down to the very specific raw data, you would have to go to some other console. You would have to go to the source of that event or detection, be it Microsoft Defender for Cloud, MDI, or MCAS. So in those terms, we have to sometimes juggle through all these dashboards and tabs of multiple solutions.

I have been using the solution for eight months.

I think the solution is pretty stable. I didn't see any aberrations or anomalous behavior of Microsoft Sentinel. And that's the benefit of having a managed service. Downtime is quite less. Especially from providers like Microsoft. With Microsoft Sentinel, we didn't feel like there were any hiccups in the operations or any sort of problems we faced with the solution, as of now.

This is something good about having a managed product, you don't have to worry about scaling. And this is exactly the problem we felt with our existing on-prem solution LogRhythm: the scaling was not possible because of the cost included. With Microsoft Sentinel, you have to pay extra, but you don't have to worry about setting up more servers, configuring them, patching them, doing all the maintenance, and doing additional administrative work. The solution is pretty scalable.

Based on our interactions at the time of setup, after that, we didn't really require that much assistance from Microsoft. So, at the time of setup, they really helped us with insights and with decisions that we had to take based on our organization type and how we work. We have teams distributed globally across multiple time zones, and similarly, we have data and operations distributed all over the world. So this becomes a challenge when dealing with anything related to IT. So, Microsoft did really help us with setting it up. From a technical-assistance point of view, at the initial stages, it was a good experience.

Neutral

Our on-prem solution is LogRhythm and the reason we decided to add Microsoft Sentinel was scaling up of LogRhythm would have been a huge cost to us. Because right now, on-prem LogRhythm is running on multiple VMs, so their cost structure is very different. If you run the same setup on Azure, it's just an exorbitant amount of money. So that was one factor that we chose not to scale up LogRhythm to our cloud environment and looked for some other solution. The other reason we went for Microsoft Sentinel was that it is cloud-native. Since it's a managed service from Microsoft and from Azure themselves, not just time but also a lot of responsibility on our end gets transferred to the cloud provider of just setting up and maintaining that infrastructure, updating and patching all those systems, and doing that maintenance work. That overhead gets taken off our heads. That's why we were looking for a cloud-native solution. And hence, in our comparison, in our multiple rounds of discussion with internal stakeholders within the cybersecurity team, Microsoft Sentinel seemed like a perfect fit, so we went ahead with the solution.

The initial setup is pretty straightforward. We didn't face many problems or complexity. We had everything running in a couple of weeks. The deployment was just me and one other person from the security team. She had a lot more experience with Microsoft 365 and the MCAS side of things. And I was more from an Azure infrastructure point of view, Defender for Cloud and the like.

We started the deployment from scratch and we brought on Microsoft for assistance. We already have a huge presence in Azure, so we already had a Microsoft contact. We reached out to them. We mentioned that we want Microsoft Sentinel on board. We got in touch with their own cloud security and Microsoft Sentinel experts. They advised us, but I can say all the setup and all the operational side of things we did because if Microsoft did it then that would be handled by the consulting arm of Microsoft and that would be a full-fledged project, which would have its own cost. So Microsoft had to play a role as an advisor. We used to get about four IT calls to set it up. Whatever Microsoft recommended us to do, we went ahead with that.

First of all, we enabled everything that was free of cost. When you onboard Microsoft Sentinel, you pay some fee for the solution itself, and with that, you get some free connectors. So Azure AD sign-in and audit logs are one thing, Azure activity logs, and Microsoft Defender for Cloud are another. All these integrations don't cost anything extra over and above. So we started off with integrating all of that, and later on, slowly and steadily, we scaled up our integrations. There's still a lot of ground to cover. We aren't there yet with what we envisioned initially.

At this time I don't have an answer about a return on investment but it is something we have been contemplating inside our own team and we have been thinking of since we talked about how good a solution Microsoft Sentinel is. We cannot enable it across the organization, so we are thinking about creating a story of how much value, not in just terms of money but how much value in terms of security has the solution brought for us, and communicating this idea to other stakeholders in other teams and probably to the leadership, and maybe getting a little more budget for this project.

Microsoft Sentinel is definitely costly. If we factor in the cost of other services, MCAS, MDI, and Microsoft Defender for Cloud, it gets seriously costly, to the extent that we cannot enable it across the organization. It simply overshoots the budget by a huge margin. When talking about the Microsoft Sentinel piece itself, let's say we have set up custom integrations and it does not cost us that much, it is definitely costly. If we talk about log retention, then it is even more costly. Comparing it to the other solutions, in fact, when we started off with the SIEM solutions for the cloud, we did do a comparison between which one would be the best: the classic Splunk, like we used in our on-prem, or maybe Microsoft Defender for Cloud. So, for our use case, Splunk was also a bit costly but less than Microsoft Sentinel. We went ahead with Microsoft Sentinel being a cloud-native platform on our side, the effort would be a lot less. Splunk would require to be set up from scratch. From a cost perspective, Microsoft Sentinel is quite costly.

We compared Splunk with Microsoft Sentinel.

I give the solution an eight out of ten.

We have used and tested additional Microsoft solutions. At one point in time, we used Microsoft Defender for Identity, MDI solution, but it was for three to four months only. We discontinued it because it was more of an experiment and the guys from Microsoft gave us the license for that product for a limited time for testing. We were short on budgets, hence we could not leverage or we could not go ahead and purchase it. Another product was MCAS, Microsoft Cloud App Security. Primarily, we use Microsoft Sentinel. Microsoft Defender for Cloud is also used, but it has not been enabled on a lot of resources because it has a cost implication. So cost is a huge factor that we have to think about every time we do anything in security related to all these four products. 

Wherever it is possible, wherever we have identified some critical resources and we had the budget, we enabled Microsoft Defender for Cloud and then integrated it with Microsoft Sentinel. Integration is super easy for anything which is an Azure service. It's mostly about doing a couple of clicks or maybe running a couple of commands. For Azure-native services, it's very easy, be it integrating the Azure AD logs or Microsoft Defender for Cloud or things like that. If I remember correctly, I integrated Microsoft Defender simply by flipping a toggle on the console. So it was easy to integrate Microsoft Defender for Cloud.

The coordination among all these tools is really marvelous. Although my role is not exactly that of an incident responder or from a SOC point of view, if I was a SOC person or an incident responder, it really takes the load off of my work to look around and to correlate that, and open four, five tabs and just juggling through them and trying to make a story. Microsoft Defender for Cloud, Microsoft Sentinel, and MCAS, all of them do it for us. So you just have a single pane of glass. Although these are four different products and you sometimes do have to juggle around, but not to that extent. Many times, it happens that your job gets done with just a single pane of glass.

I think the coverage is comprehensive from a protection point of view for all these four, or five products from Microsoft.

The bi-directional sync capabilities of Microsoft Defender is an option that we get at the time of integrating the solution. This is exactly what I mean by using the toggle button to integrate Microsoft Defender for Cloud with Microsoft Sentinel.

I would say the sync capabilities are both critical and a nice add-on to have. Even if it's not critical and there was no sync between Microsoft Defender for Cloud and Microsoft Sentinel, we would still be doing our job of looking at two multiple portals. But since Microsoft does it for us, then it's really good to have. It takes the load off our shoulders and we could do other tasks and possibly look at more alerts instead of juggling through these portals between Microsoft Defender for Cloud, Microsoft Sentinel, MCAS, and MDI.

Investigations are something really remarkable. We can drill down right to the raw logs by running different queries and getting those on the console itself.
In terms of response, I do not have that much experience in automating the responses or letting Azure handle it, because we feel like the automation here might go wrong and we might have to face another incident caused by some sort of misconfiguration. So, at this point in time, we respond manually to the alerts. We don't use many of the response capabilities of Microsoft Sentinel. I did have a look at what I think, these are called playbooks, which are based on LogicHub. They do seem very promising, but we haven't used those functionalities as of now.

If I had to rank the three capabilities in terms of comprehensiveness, at the top would be SOAR. I would put threat intelligence and UEBA second. I haven't used both of these capabilities that much. We haven't enabled UEBA in our environment. Threat intelligence is the default one. Again, this is something we haven't enabled on a custom basis or something add-on; it's the default one that Microsoft provides.

In regards to proactiveness, I don't feel like there is anything proactive about the solution. It's mostly reactive. The nature of the whole SIEM is reactive: you analyze the logs, you get some alerts, and then you react to those alerts. I think in terms of prediction, I don't see it like that. But in terms of using threat intelligence, I definitely think that it really adds value when, for example, there's something legitimate in the email, there's something malicious. But when it comes to the unknown, when you cannot determine if it's good or bad, it adds value there, its threat intelligence, by simply stating that. Just a couple of days back, we had an alert that said that "URL was clicked," and it wasn't able to determine the nature of the URL: Was it malicious? Was it bad? So it gave us a low or an informational alert. Threat intelligence helps us in those situations.

The solution has saved us time in two aspects. A tremendous amount of time is saved in terms of integration. Nowadays every organization across any sector you talk about has a lot of IT solutions and security solutions in place. You talk about network devices, VPNs, security devices, these collaboration services, et cetera, all of these generate a lot of data integrating and investing all of that data into SIEM is really critical for the SIEM to function properly. That is something that Microsoft Sentinel does quite well. And I see that they are always working on not just creating those integrations but also making them very easy to configure, from a customer point of view. So, those integrations are one thing that I really like about Microsoft Sentinel. The second is the correlation of these alerts across multiple of these integrations. So, integrations and correlations are two aspects that I really like about the solution. I would say the solution saved me around 50% of the time. Simply, it's less of running the queries on a standard SIEM solution and more of clicking on the dashboards. So the typing time gets taken off and the loading time of getting the results back, and doing this over and over again with a typical SIEM solution, that has been absorbed, by the solution. Microsoft Sentinel does it for us. Our time has been saved in that sense.

I would say that, since the solution saved us time, and time is money, in that sense, the solution has saved us money. On the other, hand the solution's cost is such that it might have balanced out. So, I can say it saved us money in one sense, but I don't think it's because of the solution, it's because of how the processes are set up in our firm. When we find some detections primarily from Microsoft Defender for Cloud, we share it with the team and we get to know that "XYZ resource is not in use anymore," and it probably gets deleted. So, in that sense, resource getting deleted, obviously, would stop incurring the money and the extra cost that we would have been paying. In that sense, our money is saved, but I wouldn't really put Microsoft Sentinel there because if there was any other solution that would also do the same, the resource would eventually get deleted.

Microsoft Sentinel runs on top of Log Analytics. And right now, we have it just hosted in the European region, but logs get ingested from all over the world, and the logs are of all types. Such as Microsoft Defender for Cloud, Azure AD sign-in logs, audit logs, Azure activity logs, and MCAS. We stopped using MDIs. We also have AWS. From AWS, there is a couple of log types. I think it's the CloudTrail, and events around S3 buckets and Kubernetes, although we don't use Kubernetes. That is all that is configured as of now with Microsoft Sentinel.

Four people in our organization use the solution. We have a dedicated SOC team, two guys are from the SOC team: one is me, and one is another person who has experience with Microsoft 365, and two people from the cybersecurity team.

I don't think there is any maintenance required. But there is overhead administration. So far, what I have experienced, it's just about integration. If you have to get started with the integration, then that's the overhead administrative effort on your head. Otherwise, it's not much of a problem. Everything is pretty smooth and automated with regard to maintenance.

There's one guy in our organization who for some reason, doesn't really like Microsoft and its products. He thinks that it's a way for them to catch us in a net and then upsell all their services to us. But I have a different, opposing view. I think, yes, they do have their own strategy of upselling and cross-selling all their products and solutions, but I think they are pretty good when working with them with those solutions, be it Azure as a whole cloud service, or just one part of it like Microsoft Sentinel. It takes off a lot of overhead, also, in terms of when you want some support, since it's a one-vendor-based solution, they would be much more helpful to support you and give you the right resolution in comparison to having three different products from three different vendors. What happens is, more often than not, they all start blaming each other, and then there's a blame game going on, and we, as a customer, have to suffer with whatever problem we are dealing with. So, I would go with having one vendor's solution, provided the vendor is not the kind of vendor that just sees you as a cash cow.

The only advice I would give to someone is that when you are evaluating the solution, if possible, you onboard people from Microsoft so they can help you and guide you. It's their product, they know how to best use it. So you would be in a better position right from the get-go, and it would also save a lot of time and effort in case you did something wrong or you chose a bad design decision, which might end up wasting a lot of time in the future. So, one piece of advice I would say is, simply to onboard Microsoft and it won't cost you extra. I don't think it would cost you extra. If you are already using any good Azure service or Azure itself, then that could be possible with the help of the account manager and the relationship that you have already with Microsoft. 

We have multiple use cases based on the data sources we have onboarded, like Sophos UTM or Firewall.

We also use Microsoft Defender for cloud and Microsoft Office.

We have integrated MD with Sentinel to receive alerts. If there are any suspicious activities in any of our resources, MD will create an alert. Once an alert comes through MDC, it is converted to Sentinel.

It was easy to integrate the solutions. It took about two or three clicks. The solutions work natively together, specifically to give us coordinated detection and response across our environment.

There is a correlation with the mail-based algorithm. We have an AML model algorithm in Sentinel. It has the capability to catch the pattern of attacks and shows that to us in the Sentinel app.

We mostly have cloud-based solutions, so Sentinel gives us better security. There's a feature that allows us to capture all the data in a single console, which we can analyze from the cloud itself.

We don't have to use third-party services to check these activities. If we see that one of our accounts is compromised or anything has happened, we can remove that person from other groups.

There's a feature that allows us to see what is in a secure state and what is in a critical state.

Sentinel helps automate routine tasks and find high-value alerts. We can have a custom playbook and create automation rules through that. If there is a false positive address, we can do the automation from there. If we want an email notification based on high-activated rules, we can provide the automation rules that will notify us on Outlook or through Teams.

It minimizes our analyst's workload. Once a high activity comes up, we'll get a notification on Teams. As analysts, they will validate and send us the email or notification within 10 to 15 minutes with more valid data. If there's a playbook with the top 10 critical rules, we can create multiple playbooks and attach them with the data that we want to protect.

Once that incentive is triggered, we'll get notifications with the full details of that incentive. If high severity comes up, that email is sent to the client, and we do more analysis on that rather than wasting time on the first analysis. We can directly get into the deeper version of the automation.

If an incident comes up, we have to validate the load and find out the correlation of the users. We can focus on the advanced test rather than wasting time on the previous one. This saves five to ten minutes.

On a monthly basis, the analyst team saves at least three to four hours with automation. We have multiple rules based on our more critical test. From that perspective, analysts don't want to work more on low priorities because we'll be automatically notified of low and high priorities. We focus more on critical users where the threat is high. By focusing on what is a high priority, our analysts save five to six hours per week.

We have multiple dashboard views that allow us to see logs coming from different solutions and users who were involved in the previous incident.

The best feature is that onboarding to the SIM solution is quite easy. If you use cloud-based solutions, it's just a few clicks to migrate it.

The console is user-friendly. We have almost 120 different types of data, so the solution helps us to onboard different types of third-party services to the SIM solution. We have UB features, and the SOAR capability in the Sentinel server is also a good feature.

Sentinel's visibility into threats is very good. We have an investigation graph that allows us to see the correlation between the incident and the users. We can see if there are multiple incidents with the same IP address and if there are multiple breaches. We can correlate with the rules and check if any inside threat activities are going on with the malicious site or the malicious URL link that we have onboarded. The threat view provides good visibility.

We can prioritize threats based on our investigation assets. It's very fast. We're able to see the rest of the threat activities and how impactful they are. Based on the AML algorithm, we can get all the stages of the attack as well.

Sentinel enables us to ingest data from our entire ecosystem.

The importance of this ingestion of data to our security operations depends on the data and the type of solutions we have to onboard. We onboard our critical servers and assets to the same solution so we'll have good visibility.

We're able to investigate threats and respond holistically from one place.

We can validate the logs from where the logs have been received. By doing the log analysis, we'll be able to find them. It's a straightforward function and isn't very hard.

There's an incident pane in Sentinel. We have a query package, and we can have a deep dive alert through that, or we can have a deep look into the log. From the console itself, we have a great view of our threats and the current phase we're in.

We have multiple source features. There are between 20 to 30 in addition to data. Microsoft provides custom features through which we can connect with third-party solutions and correlate the incident. For example, if we have multiple incidents, we can use the SOAR capabilities and correlate them with multiple third-party threats. It's an easier way of understanding whether or not we have a malicious bug.

We can see how much time our analysts have taken to raise the ticket and how much time they have taken to resolve the issue assets. We can create a dashboard for that. They're able to notify us within five or ten minutes for high priorities. For the medium priorities, it is 10 to 12 minutes. Our detection time for low priorities is within three hours, but our team still performs under 15 to 18 minutes.

If we want to use more features, we have to pay more. There are multiple solutions on the cloud itself, but the pricing model package isn't consistent, which is confusing to clients.

We have been using this solution for almost two years.

The stability is very good.

I would rate the scalability an eight out of ten.

I would rate technical support a six out of ten. Technical support doesn't understand the features well enough. They will give us links to reference, so we go through those links as a team or Google the solution. We reach out to them if we can't find the solution, but they provide us with the same links and URLs that we've already referred to. It's a hassle because it wastes a week and a half of our time. Their solutions and response time aren't very good.

Neutral

The setup is based on our data sources. We have a segregated timeframe of two payments. It depends on the client or who is doing the operation. Onboarding on the cloud is pretty easy. It takes just a few clicks from migrating the data sources to getting the logs.

For an on-premises or third-party software servicer, it will take more time and troubleshooting to do the setup. It won't be hard if you have a good team for the onboarding process. It can be complicated initially, but the rest of the timeframe will involve fine-tuning the logs and creating the custom rules based on your requirement.

It doesn't require a lot of maintenance. It's pretty simple. We just had to play with it for a couple of months.

We haven't seen any financial ROI.

Sentinel is the best solution that we use. It's a pay-as-you-go model. We can fine-tune the features we want and choose if we want to remove logs. We can also segregate logs, which helps us minimize costs. Sentinel provides free Office 365 and Azure-based logs without pricing assets. When it comes to the third-party solution or our server logs, we just have to do the fine-tuning of the logs.

The pricing isn't very high. It depends on the number of logs you have. If you're expecting to ingest 50 to 60G in a day, but you're only ingesting 20 to 25G per day at first and you have a good team to analyze the logs, then you can segregate the ingestion at under 15G.

I would rate this solution a nine out of ten.

It's very user-friendly. The only issue is that Microsoft's technical support isn't very good. If you have a good team who can onboard the resources to the solution, then you'll be happy with the solution itself.

For us, it's better to go for multiple solutions rather than a single suite because we cannot strictly trust one client. If you only have one cloud-based solution, it's better to use Sentinel to secure it. It's helpful to have a good team that can do the monitoring and onboarding smoothly. You can go with one solution if you have a trusted partner. If you don't, then I would use multiple solutions.

You should purchase the features that Microsoft provides. It's a configured network, so they will correlate with the end resources, RMD, and receiver identity. The fusion-based algorithm rule will detect advanced multistage attacks to stop the attack.

Microsoft Sentinel serves as a centralized hub for collecting and analyzing logs from various Microsoft tools and other sources. It eliminates the need to develop custom toolsets for detecting malicious activities across different Microsoft tools. Instead, Microsoft Sentinel provides standardized rules and playbooks to streamline the process of identifying and responding to potential threats.

For instance, consider a scenario where an employee clicks on a phishing link in an email, leading to the installation of malware on their system. While the endpoint detection and response tool on the endpoint might not detect malicious activity, Microsoft Sentinel, acting as a central log collector, receives the EDR logs and triggers an event based on pre-defined rules.

Upon detecting the suspicious activity, Microsoft Sentinel automatically executes a playbook, which may involve actions such as killing the malicious process or isolating the affected endpoint. This automated response helps expedite threat containment and reduces the burden on security analysts.

It is crucial that Sentinel empowers us to safeguard our hybrid, cloud, and multi-cloud environments. We employ a hybrid cloud setup, and securing our environment using Sentinel is significantly simpler than manual methods. We can gather events in the Central Point and develop playbooks and scripts to automate responses. This streamlines the process and enhances our overall security posture. Additionally, if an alert is triggered, we receive an incident notification via email, prompting us to take action and resolve the issue.

Sentinel provides a library of customizable content to address our company's needs.

Microsoft Sentinel has helped our organization with alerts. We'll receive alerts from Sentinel indicating that we're at risk. It's important to address these alerts promptly. We first need to review the information in the email, and then work on the issue in the office. After that, we'll contact the team members on the relevant shift. There's nothing particularly difficult about this process. It's based on our access privileges, which are determined by our role in the company. If we have a high-level role, we'll have access to all the necessary tools and resources. We'll even be able to receive alerts at home if there's a security issue. The company that provides this technology grants work-from-home access based on security considerations. If someone has a critical role, they'll also be equipped with the tools they need to work remotely and connect with their team members. So, the company that provided the technology can resolve the issue first, and then we can address it. Once we've taken care of the issue, everything will be much easier.

By leveraging Sentinel's AI in conjunction with our playbooks for automation, we can enhance the effectiveness of our security team, subject to the specific rules and policies we implement.

The logs provided by Sentinel have helped improve our visibility into our user's network behavior.

Sentinel has helped us save 60 percent of our time by prioritizing the severity of the alerts we receive. When we receive an alert with a high-risk level, we immediately address it to mitigate the potential security threat. Additionally, we have configured our anti-ransomware software, to further protect our systems from cyberattacks. In the event of a ransomware attack, our Halcyon system will generate an encryption key that can be used to unlock our system. This key is securely stored by Halcyon.

Sentinel has helped reduce our investigation times by enabling us to review an alert, generate a ticket, and resolve the issue simultaneously upon receiving the alert.

The most valuable feature is the alert notifications, which are categorized by severity levels: informational, low, medium, and high. This allows us to prioritize and address alerts based on their urgency. For instance, we would immediately address high-severity alerts. This feature, along with the ability to create playbooks, significantly enhances our workflow.

I would like Microsoft to add more connectors for Sentinel.

Microsoft Sentinel should provide an alternative query language to KQL for users who lack KQL expertise. 

I have been using Microsoft Sentinel for one and a half years.

Microsoft Sentinel is a stable solution. 

Microsoft Sentinel is scalable.

We have to write playbooks to resolve our issues.

Neutral

The configuration of Microsoft Sentinel involved a complex process that required thorough familiarity with the available connectors and the policies to be implemented.

We have seen a 30 percent return on investment.

Sentinel is costly.

I would rate Microsoft Sentinel seven out of ten.

We have five people in our organization who utilize Sentinel.

No maintenance is required from our end.

I use the solution to ensure proper security analytics and threat intelligence across the enterprise. The tool helps me to know the type of attack detection that happens and the kind of visibility, proactive hunting, and threat response we have.

We use the tool because we want a solution that can quickly analyze large volumes of data across the enterprise. Microsoft Sentinel is a one-stop solution for all our security needs. It gives threat visibility, enables proactive hunting, and provides investigation reports.

The product can integrate with any device. It has connectors. So, we do not have big issues in building connectors. Microsoft Sentinel gives us a unified set of tools to detect, investigate, and respond to incidents. It also helps us recover things. It is very important to our organization. It centralizes our total threat collection and detection and generates investigation reports.

The AI capabilities must be improved. The product must efficiently leverage the AI capabilities for threat detection and response. The product does not provide auto-configuration features. So, we need to do configuration, policy changes, and group policies ourselves. If AI can do these functions, it will be easier for the customers.

I have been using the solution for three years.

The product is stable.

We have around 1500 users. We have only one administrator. The product is easily scalable. As long as the enterprise grows, we will continue using Microsoft Sentinel.

The technical support team is very good.

Positive

We were using Splunk before. We decided to switch to Microsoft Sentinel because we were unable to work on large data using Splunk. Splunk did not have AI capabilities and was not user-friendly.

The product is deployed on the cloud. It is a SaaS solution. The initial deployment was easy. We ensured that all the devices and the APIs were configured well. We needed two engineers from our team for the deployment. We have deployed the tool in a single location. The solution does not need any maintenance.

We took help from an integrator to deploy the tool. It was a user-friendly experience.

The solution is efficient. We could see the returns on investment immediately. It doesn’t take much time.

The product is costly compared to Splunk. When we pay for the product, we also have Azure Monitor Log Analytics as part of the package. It is economical for us.

We use the tool to help secure our cloud-native security solutions. By enabling us to secure our cloud environments, it acts as a single solution for attack detection and threat visibility for proactive hunting. The solution gives us a library of customizable content that helps us address our unique needs. It also gives regular patch updates. It helps us to be updated with the latest threats happening across the world.

We use the Microsoft Sentinel Content hub. Integration with Active Directory is also helpful for us. The content hub enables us to see the latest features. We have Extended Detection and Response in SentinelOne. It provides effective protection for the platform. It provides more cybersecurity by providing more visibility and protects our enterprise.

The content hub helps us centralize out-of-the-box security information and event management content. It discovers and manages the built-in content. It provides an end-to-end security for us.

Microsoft Sentinel correlates signals from first and third-party sources into a single high-confidence incident. It can extract the information through the respective APIs of the third parties. It has increased our threat intelligence, monitoring, and incident analysis efficiency.

We use Microsoft Sentinel's AI in automation. The generative AI features enable real-time threat hunting and detection. The solution has helped improve our visibility into user and network behavior. The generative AI provides better detection and response capabilities and faster response times with actionable intelligence.

The product has saved us time. It helps us get various log files. When there’s an incident, it enables us to do investigations faster. The tool saves us three days in a week. It reduces the work involved in our event investigation by streamlining the processes and making automation effective. Event investigation is much faster.

If someone is looking for a comprehensive solution, Microsoft Sentinel is a good choice. It will fulfill all our needs, including attack detection, threat visibility, and response.

Overall, I rate the solution an eight out of ten.

Sentinel is used to cover cloud-native customers for security monitoring. It includes UEBA, threat intelligence, behavioral analytics, etcetera. We also use it to automate incidents into tickets.

The solution improved our organization in a few ways. The key one is the cloud layer of integrations. When we were on-premises with SAP monitoring we faced a few issues in the integration of cloud infrastructure logs. Once we moved into the Sentinel Cloud the integration was pretty easy. Monitoring the cloud infrastructure and their respective applications and their cloud cloud-native products became pretty easy in terms of integration with monitored areas.

Also, the cost of infrastructure is no longer an issue.

The detection layer has also been improved with analytics. Plus, it keeps on getting better in Sentinel. Since 2020, I've seen Sentinel has made a lot more changes in feature improvements and performance. They’re fine-tuning detection and analysis layers.

The analytics rules are excellent. It's pretty easy to create them. It’s all about SQL queries that we need to deploy at the back end.

The search of the logs is easy. Before, there were no archival logs. Now, in recent versions, it’s easy to bring back the logs from the archives. We can research and query the archive of logs very easily.

The visibility is great. It gives good alerts. The way an analyst can go and drill down into more details is simple, The ability to threat hunt has been useful.

Sentinel helps us prioritize threats across the enterprise. With it, we have a single pane for monitoring security logs. As an MSP, they just ingest all the logs into the system, and this actually leads to a hierarchy for our integrations. It’s easy to review the logs for auditing purposes.

We use more than one Microsoft security product. Other team members use Intune, Microsoft CASB, and Microsoft Defender as well. It’s easy to integrate everything. You just need to enable the connector in the back end. It takes one minute. These solutions work natively together to deliver coordinated detection responses across our environment. We just integrated the Microsoft Defender logs into Sentinel. It already has the prebuilt use cases in Sentinel, including threat-hunting playbooks, and automation playbooks. It's pretty easy and ready to use out of the box.

Sentinel enables us to ingest data from our entire ecosystem. That's really the high point for us. The coverage needs to be expanded. The threat landscape is getting wider and wider and so we need to monitor each and every ecosystem in our customer organization's endpoints, including the endpoints or applications for systems or on the servers or network level. It needs to be integrated on all levels, whether it’s on-premises or cloud. It is really important to have a single point of security monitoring, to have everything coordinated.

Sentinel enables us to investigate threats and respond holistically from one place. For that analyst team, the Sentinel page is like a single point of investigation layer for them. Whenever an incident is created, they can just come in and get deeper into a particular investigation incident. They are able to get more information, figure out the indicators, and make recommendations to customers or internal teams to help them take action.

Given its built-in UEBA and threat intelligence capabilities, the comprehensiveness of Sentinel's security protection is really nice. The UEBA can be integrated with only the AD logs. And, since they need to get integrated with the networks and the VPN layers as well, it’s useful to have comprehensive security. It can be integrated into other Microsoft security products as well.

Sentinel pricing is good. The customer doesn't want to worry about the enterprise infrastructure cost in the system. They worry about the enterprise cost and the management, and operation, CAPEX, et cetera. However, in general, the customer simply needs to worry only about the usage, for example, how much data is getting sent into the system. We can still refine the data ingestion layer as well and decide what needs to be monitored and whatnot. That way, we can pay only for what we are monitoring.

Our Microsoft security solution helps automate routine tasks and help automate the finding of high-value alerts. By leveraging Sentinel's automation playbook, we have automated the integrations and triage as well. This has simplified the initial investigation triage, to the point where we do not need to do any initial investigations. It will directly go on into layer two or it directly goes to the customer status.

Our Microsoft security solution helped eliminate having to look at multiple dashboards and gave us one XDR dashboard. The dashboard is pretty cool. We now have a single pane of glass. A lot of customization needs to be done, however, there are predefined dashboards and a content hub. We still leverage those dashboards to get the single view into multiple days, including the log volumes or types of security monitoring or in the operation monitoring system.

Sentinel saves us time. Even just the deployment, it only takes ten minutes for the could. When you have on-premises tasks that are manual, it can take hours or a day to deploy the entire setup. Integrating the log sources used also takes time. By enabling out-of-the-box tools, we can save a lot of time here and there. Also, once you leverage automation, by simply leveraging logic apps in a local kind of environment, you don’t need to know much coding. You just need knowledge of logic at the back end.

The solution has saved us money. While I’m not sure of the exact commercial price, it’s likely saved about 20% to 30%.

The solution decreased our time to detect and your time to respond. For time to detect, by leveraging analytic rules, we’ve been able to cut down on time. Everything is happening within minutes. We can begin remediation quickly instead of in hours.

The UEBA part needs improvement. They need to bring other log sources to UEBA. 

The reporting could be more structured. There are no reporting modules or anything. It's only the dashboard. Therefore, when a customer requests a report, you need to manually pull the dashboard and send it to the customer for the reporting. However, if there was a report or template there, it would be easier to schedule and send the weekly reports or monthly executive reports.

The log ingestion could be improved on the connector layer.

I've been using the solution since November of 2020. 

The solution is stable. We had some issues with an automation component. There might have been outages on the back end, however, it's mostly fine.

We have about 25 people using the solution in our organization, including analysts. 

You only need to pay for what you are ingesting and monitoring. It scales well. There are no issues with it. 

Support is okay. We don't have many issues on the platform layers. We might reach out to support for integration questions. Largely, the engineering team would handle support cases. 

Neutral

We do use other solutions. We added this solution as we needed to support cloud-native customers. 

We also use LogRhythm among other solutions.

Each solution has its own pros and cons. There isn't a direct contrast to each. Some have better reporting. However, Sentinel has very good analytical rules and automation. LogRhythm, however, requires more backend work. 

The deployment of the Microsoft bundle is pretty easy. It's fast and saves time. In ten minutes, we can deploy Sentinel to the customer and start monitoring data with the existing rules. You'll have dashboards in thirty minutes. One person can do the deployment. To manage the solution, one can manage the injections, and one can manage the detection layers.

The solution does not require any maintenance. You just have to make sure it's up to date.

We're using it in the automotive and energy industries. 

When we calculated the pricing, we thought it was 10% to 20% less, however, it depends on how much data is being collected. It's not overly expensive. It's fairly priced. 

Security vendors are chosen based on use cases. Those gaps are met by the respective solution. The benefit of a single vendor is that everything is on a single-layer stack. It helps you see everything in one single pane. 

I'd rate the solution eight out of ten. 

We are a Microsoft partner, an MSP. 

As a security engineer, I help onboard with Sentinel. I enable all the connectors and tune the analytics to minimize the number of false positives.

We're a Microsoft house and it provides very good visibility into all the threats a company might be facing. 

The connectivity and analytics are great.

It allows people to connect to different data sources under a single pane of glass.

The visibility is great in terms of having the notebook features. By using the notebook features, people can generate different graphs, which helps create greater visibility on the front end.

We've been able to integrate other products, including Defender. It's super easy to integrate them. All Microsoft products easily connect with each other. They coordinate together to help with detection and response across our network. This is critical. 

This allows me to have better visibility to understand what is happening on each endpoint.

The threat protection is pretty comprehensive across Microsoft products. Having dependable endpoints and other security tools ensures good security overall. In terms of compliance, you have a lot of data that can help ensure comprehensive information is available and transparent. 

We like that it's on the cloud.

Sentinel does allow us to ingest data from our entire ecosystem. This plays an important security role.

We can investigate threats holistically from one place. Having everything centralized makes security easier and helps us better understand what is happening. 

Sentinel's security protection helps us to better identify anomalies or erratic user behavior. It helps me minimize false positives. 

There is good automation. They do an okay job.

Consolidating into one dashboard has made it possible to have a holistic view of security. I can investigate issues and have better visibility.

Overall, the solution has saved me time. I'm not sure if I can quantify it, as I'm on the engineering side. 

The product has helped save the organization money. 

It has decreased our time to detect and time to respond. 

They only classify alerts into three categories: high, medium, and low. So, from the user's point of view, having another critical category would be awesome. That would minimize the level of high alerts and break them down so we understand which are truly critical. We should be able to prioritize more effectively. Right now, this doesn't necessarily help users to prioritize when it comes to the alert or triage.

The bi-directional capabilities are okay. However, sometimes I need to fall back on Defender for cloud.

I've been using the solution for two or three years now.

The stability is okay. I've only experienced one outage.

We have about 200 staff on the solution. 

The scalability is very good. All I have to do is enable data sources in order to expand. 

I haven't had much contact with technical support. My one experience was okay. 

Neutral

I did not previously use a different solution.

The initial deployment is straightforward. The entire process was as simple as following clear steps. We basically create a workspace and push the pipeline.

As long as a person has relevant access to Azure, one person would be enough in terms of handling the deployment. 

We did a deployment in a single location, not across multiple locations. 

There is a bit of maintenance, in terms of ensuring logs are being digested. The number of people involved depends on the situation. We have two to three people who may check logs or connectors. 

We are consultants for clients. We help SMEs deploy the solution. 

We have witnessed an ROI while using the solution, however, I cannot quantify the amount exactly.

Sentinel charges based on ingestion. If Microsoft would allow us to view the logs before ingesting something we don't want, that would make the pricing better. Sometimes we don't want to pass illegitimate data into Sentinel, yet I don't have a choice. 

It's not cheap. However, it's okay pricing.

I did not evaluate any other options previously.

I'd rate the solution eight out of ten.

I'd tend to go with a single vendor over best of breed. A company like Microsoft allows everything to easily link various products together. 

If you are using Microsoft Sentinel, go for the XDR solutions as well. 

We use Sentinel to monitor logs, build alarms, correlate events, and fire up specific automation boards in the event of a security incident. 

Sentinel creates a focal point for cybersecurity incidents, so it's much easier to correlate logs and incidents to get a more comprehensive view of our security posture. Microsoft provides many educational resources, so onboarding new people is easy. 

It took us about a month to realize the benefits of Sentinel. Integrating all the Microsoft security products into the solution was straightforward. It seamlessly integrates with Microsoft Logic Apps, so it's easy to develop custom playbooks and automate many manual tasks. 

Automation has made us more efficient and effective because we're free to focus on priority alerts. Sentinel has reduced the time spent on menial security tasks by 30-40 percent. Sentinel consolidates our dashboards into a single XDR console, one of our strategic goals. We're moving all of the data into Microsoft Sentinel to create a single point of truth for security incidents.

Microsoft provides some threat intelligence for significant incidents. They provide us with remediation and mitigation controls we can implement to react to these potential threats much faster.

I like the ability to run custom KQL queries. I don't know if that feature is specific to Sentinel. As far as I know, they use technology built into Azure's Log Analytics app. Sentinel integrates with that, and we use this functionality heavily.

Threat prioritization is a crucial feature. It already has them in order, so we know we should investigate high alerts first and move down the line to the less urgent ones. 

We use all of the other Microsoft security solutions in addition to Sentinel. They all can be integrated together seamlessly to deliver comprehensive threat detection and response. 

I would like to see additional artificial intelligence capabilities. They're already working on this with new features like Microsoft Security Copilot. This will help us investigate incidents much faster. 

When we pass KPIs to the governance department, there's no option to provide rights to the data or dashboard to colleagues. We can use Power BI for this, but it isn't easy or convenient. They should just come up with a way to provide limited role-based access to auditing personnel 

I have used Sentinel for two years.

We haven't experienced any downtime, so I think Sentinel is highly stable. 

Sentinel runs on the cloud, so it scales automatically. 

I rate Microsoft's support a 10 out of 10. They can connect you with the developers, and you get answers quickly. 

Positive

I also worked with RSA enVision at my previous company. Sentinel has advantages because of its tight integration with the Microsoft ecosystem. It's effortless to set up because you don't need specific connectors. Sentinel works out of the box. It makes sense for a company that primarily works with Microsoft products to use Sentinel for security monitoring.

Sentinel runs on the Microsoft Azure Cloud, so it was easy to set up. It took about two days to set it up. You start by integrating the Microsoft security solutions using the available connectors and move on to the firewall, SysTalk databases, and application-specific logs. 

It's a bit more complicated to come up with custom rules and alarms, so that's the last part of our implementation strategy. We completed the deployment with two or three people and the help of Microsoft support. Because Sentinel is deployed in the cloud, it doesn't require any maintenance. 

Our ROI comes from automating lots of tasks. 

Microsoft Sentinel is pretty expensive, and they recently announced that they will increase the price of all Microsoft services running in Azure by 11 percent. Luckily, I'm not responsible for the financial side. For one of my clients, the estimated cost is 880,000 euros for one year. There are additional costs for the service agreement. 

I rate Microsoft Sentinel an eight out of ten. I recommend taking advantage of the virtual training before you implement Sentinel. Familiarize yourself with the product, dashboards, features, integration, etc., before you decide to use it. 

A single-vendor strategy is preferable because it's easier to integrate them. Otherwise, it can get complicated.