Microsoft Sentinel Reviews

Our organization is an SSP, a service provider for manual threat detection and hunting. We use Microsoft Sentinel for threat detection. We have a few clients using Microsoft Sentinel, and we provide SOAR services to them.

Having the ability to respond holistically from one place with Microsoft Sentinel is very useful. We don't need to log into different security consoles. It is less hectic and reduces our time to respond and resolve the issue.

The solution has helped improve our organization by detecting and hunting threats. The solution also correlates alerts from other solutions, such as Defender, Office 365, and other Endpoint solutions. Microsoft Sentinel has automated responses that help us reduce the number of analysts required for example, from ten to six because most of the tasks are done automatically.

The solution's automation of routine tasks helps us automate the finding of high-value alerts by reducing the manual work from 30 minutes down to three. 90 percent of the work is done by Sentinel which runs the playbook and provides us with all the data required to make a decision quickly.

The solution has helped eliminate the need to use multiple dashboards by incorporating SIEM plus SOAR into one convenient location. We don't need to log into each of the solutions individually. We can directly correlate the alerts and incidents from our Sentinel console. Sentinel reduces our time because we don't need to check multiple tabs for multiple solutions. All the information required to investigate and make a decision can be found in the solution's panel view.

We don't have any out-of-the-box threat intelligence from Microsoft, but with the integration of some open-source solutions and premium sources, Microsoft Sentinel helps us take proactive steps before threats enter our environment.

We have custom rules created to check IPs or domains for potential threats. Whenever an IP or domain is visible in our logs, the solution will automatically correlate with the threat intelligence feed and create an alert. If we skip the correlation portion and an alert has been created for a malicious IP or a malicious domain, the solution can check the reputation in different reputation sources such as a virus portal, or threat recorded future, and it will auto-populate the information for the analyst which helps us prepare for potential threats.

The solution has definitely saved us 90 percent of our time. Microsoft Sentinel reduces our time to detect, respond, and resolve incidents. Most of the incidents are detected automatically and we just need the data to make a decision. We don't have to go look for different clues or reputations over the internet or use other solutions.

Microsoft Sentinel has saved us from incurring costs related to a breach by protecting us.

The solution detects incidents and alerts us in real-time based on custom rules that we create or the out-of-the-box rules that are part of Sentinel. The information that auto-populates when we run the playbook reduces our response time in most cases because all the relevant data required for our investigation is provided on the incident details page.

Logic apps, playbooks, and dashboarding are all valuable features of this solution. 

Microsoft Sentinel prioritizes threats across our organization because the solution allows us to correlate using multiple solutions including Defender.

Integrating Microsoft solutions with each other is very easy. The integrated solutions work together to deliver coordinated detection and response in our environment.

The solution enables us to investigate threats and respond holistically from one place. We can write AQL queries and also create rules to detect the alerts. In the event that we don't have rules, we can proactively hunt through KQL queries.

The workbook based on KQL queries, which is the query language is very extensive compared to other solutions such as QRada and Splunk.

The solution requires no in-house maintenance because it is all handled by Microsoft. We only need to monitor the updates.

The playbook development environment is not as rich as it should be. There are multiple occasions when we face problems while creating the playbook. 

The cost is not straightforward and would benefit from a single charge model. 

The UI is not impressive, we need to train our analysts to conduct the investigation. Unlike IBM QRadar which has a different UI for searching, there is no UI where we can conduct searches with Sentinel. With Sentinel, all our searches require a KQL query, and if our analysts are not familiar with KQL queries, we have to train them. 

The data ingestion can use improvement. There are a few scenarios where we have experienced a delay in data ingestion.

I have been using the solution for one and a half years.

Sentinel is quite stable because it's a SaaS-based offering, so we don't have to worry about our stability. The solution is available 99.99999 percent of the time. The only time we have an issue is if there is a problem with the Azure portal. Microsoft handles the stability well.

We can scale the solution as much as we want, and with a few clicks, we can increase or decrease capacity.

We currently have four engineering teams that handle the deployments and use case development as well as a SOAR team that consists of ten technical people who all use the solution.

Microsoft Sentinel support is really good. They respond quickly to our requests and they try to resolve our issues as soon as possible. From my experience, Microsoft has the best support.

Positive

For SIEM, we previously used IBM QRadar and Splunk Enterprise Security. For SOAR, We have used IBM Resilient, Palo Alto XSOAR, and D3 SOAR, which is a new tool. D3 SOAR is a startup based in Canada and we used it for POC, but we have not used it in production. Sentinel is a SaaS-based solution. There is less administration required and with a few clicks, we can deploy Microsoft Sentinel, whereas, with other solutions, we have to build everything from scratch. There are other SaaS-based solutions but Sentinel is one of the most popular and because a lot of organizations are already using Microsoft and Azure products, Sentinel is the best compatible solution.

The initial setup for Sentinel is straightforward and the best I have worked with to date. We are able to deploy within half an hour and we only require one person to complete the implementation. 

The implementation was completed in-house.

From a cost perspective, there are some additional charges in addition to the licensing. Initially, the cost appears expensive, but over time, the solution justifies that cost. The cost is not straightforward, but instead really complex. We are charged for data ingestion as well as data leaving the environment. We are also charged for running playbooks and for logic apps. Compared with SIEM solutions, whose cost is simply based on EPS or data storage, Microsoft Sentinel's cost is complex. Over time we can predict what the cost of using the solution will be. Other standalone SOAR tools have fixed licensing and their cost is simple. We don't need to pay for each command we run or each integration we have or each automation we do. With Microsoft Sentinel, there is a cost associated with each of the connectors that we use in our playbook. Every time we run that playbook, there will be charges, but the charges are minimal unless we run the playbook repeatedly, then over time the cost shoots up.

We occasionally test POC and we are still evaluating other solutions.

I give the solution nine out of ten.

My impression of the visibility into threats that Microsoft Sentinel provides is that the solution is not perfect, but since it is part of Microsoft Workspace, Microsoft already provides so many services to clients, and Microsoft Sentinel is one of them. If we are already using Azure and other services from Microsoft, then Sentinel is easy to implement and use compared to other similar solutions. If I was not using Microsoft Solutions, then I can use other solutions, such as IBM QRadar or Splunk, and when it comes to XSOAR, Palo Alto XSOAR is a much better solution.

We use multiple solutions from Microsoft within our organization including Defender and Endpoint. We have integrated Endpoint with Defender and Microsoft Security Center to receive alerts.

Microsoft Sentinel has out-of-the-box support for up to 90 percent of solutions where we can find a connector to ingest the data directly, but for the remaining 10 percent, we need to write custom tables.

The ability to ingest data is the backbone of our security. If we don't ingest the data, we won't be able to perform anything at all in SIEM. SIEM is based on data ingestion. Once the data is ingested, then on top of that data, we can monitor and detect or hunt, whatever we want. We can create a reporting dashboard, but the data needs to be there.

Microsoft Sentinel's UEBA is quite capable. For SIEM, Splunk and IBM QRadar are slightly better than Sentinel, but Sentinel is catching up fast. The solution has only been in the market for two or three years and has already captured a large share with increasing popularity. For SOAR, Palo Alto XSOAR is much better than Microsoft Sentinel because Sentinel is a SIEM plus SOAR solution whereas Palo Alto XSOAR is a SOAR-focused solution only. What Microsoft Sentinel provides is one solution for SIEM plus SOAR, where we can detect and also respond in one place.

Currently, we have one environment based in a US data center, but we have the ability for multiple solutions in multiple regions within Azure, and we can integrate them using a master and slave configuration that will allow us to run all the queries from the master console.

Using a best-of-breed strategy rather than a single vendor suite is fine if we have a SIEM solution, a SOAR solution, or an Endpoint detection solution until a time when they are no longer compatible with each other and we can not integrate them. If we can not integrate the solutions it becomes difficult for our teams to log into and monitor multiple solutions separately.

I definitely recommend Microsoft Sentinel, but I suggest basing the decision on proof of concept by gathering the requirements, security solutions, and additional log source devices an organization has before using the solution. There are multiple solutions available that may be more suitable in some cases.

We have multiple use cases based on the data sources we have onboarded, like Sophos UTM or Firewall.

We also use Microsoft Defender for cloud and Microsoft Office.

We have integrated MD with Sentinel to receive alerts. If there are any suspicious activities in any of our resources, MD will create an alert. Once an alert comes through MDC, it is converted to Sentinel.

It was easy to integrate the solutions. It took about two or three clicks. The solutions work natively together, specifically to give us coordinated detection and response across our environment.

There is a correlation with the mail-based algorithm. We have an AML model algorithm in Sentinel. It has the capability to catch the pattern of attacks and shows that to us in the Sentinel app.

We mostly have cloud-based solutions, so Sentinel gives us better security. There's a feature that allows us to capture all the data in a single console, which we can analyze from the cloud itself.

We don't have to use third-party services to check these activities. If we see that one of our accounts is compromised or anything has happened, we can remove that person from other groups.

There's a feature that allows us to see what is in a secure state and what is in a critical state.

Sentinel helps automate routine tasks and find high-value alerts. We can have a custom playbook and create automation rules through that. If there is a false positive address, we can do the automation from there. If we want an email notification based on high-activated rules, we can provide the automation rules that will notify us on Outlook or through Teams.

It minimizes our analyst's workload. Once a high activity comes up, we'll get a notification on Teams. As analysts, they will validate and send us the email or notification within 10 to 15 minutes with more valid data. If there's a playbook with the top 10 critical rules, we can create multiple playbooks and attach them with the data that we want to protect.

Once that incentive is triggered, we'll get notifications with the full details of that incentive. If high severity comes up, that email is sent to the client, and we do more analysis on that rather than wasting time on the first analysis. We can directly get into the deeper version of the automation.

If an incident comes up, we have to validate the load and find out the correlation of the users. We can focus on the advanced test rather than wasting time on the previous one. This saves five to ten minutes.

On a monthly basis, the analyst team saves at least three to four hours with automation. We have multiple rules based on our more critical test. From that perspective, analysts don't want to work more on low priorities because we'll be automatically notified of low and high priorities. We focus more on critical users where the threat is high. By focusing on what is a high priority, our analysts save five to six hours per week.

We have multiple dashboard views that allow us to see logs coming from different solutions and users who were involved in the previous incident.

The best feature is that onboarding to the SIM solution is quite easy. If you use cloud-based solutions, it's just a few clicks to migrate it.

The console is user-friendly. We have almost 120 different types of data, so the solution helps us to onboard different types of third-party services to the SIM solution. We have UB features, and the SOAR capability in the Sentinel server is also a good feature.

Sentinel's visibility into threats is very good. We have an investigation graph that allows us to see the correlation between the incident and the users. We can see if there are multiple incidents with the same IP address and if there are multiple breaches. We can correlate with the rules and check if any inside threat activities are going on with the malicious site or the malicious URL link that we have onboarded. The threat view provides good visibility.

We can prioritize threats based on our investigation assets. It's very fast. We're able to see the rest of the threat activities and how impactful they are. Based on the AML algorithm, we can get all the stages of the attack as well.

Sentinel enables us to ingest data from our entire ecosystem.

The importance of this ingestion of data to our security operations depends on the data and the type of solutions we have to onboard. We onboard our critical servers and assets to the same solution so we'll have good visibility.

We're able to investigate threats and respond holistically from one place.

We can validate the logs from where the logs have been received. By doing the log analysis, we'll be able to find them. It's a straightforward function and isn't very hard.

There's an incident pane in Sentinel. We have a query package, and we can have a deep dive alert through that, or we can have a deep look into the log. From the console itself, we have a great view of our threats and the current phase we're in.

We have multiple source features. There are between 20 to 30 in addition to data. Microsoft provides custom features through which we can connect with third-party solutions and correlate the incident. For example, if we have multiple incidents, we can use the SOAR capabilities and correlate them with multiple third-party threats. It's an easier way of understanding whether or not we have a malicious bug.

We can see how much time our analysts have taken to raise the ticket and how much time they have taken to resolve the issue assets. We can create a dashboard for that. They're able to notify us within five or ten minutes for high priorities. For the medium priorities, it is 10 to 12 minutes. Our detection time for low priorities is within three hours, but our team still performs under 15 to 18 minutes.

If we want to use more features, we have to pay more. There are multiple solutions on the cloud itself, but the pricing model package isn't consistent, which is confusing to clients.

We have been using this solution for almost two years.

The stability is very good.

I would rate the scalability an eight out of ten.

I would rate technical support a six out of ten. Technical support doesn't understand the features well enough. They will give us links to reference, so we go through those links as a team or Google the solution. We reach out to them if we can't find the solution, but they provide us with the same links and URLs that we've already referred to. It's a hassle because it wastes a week and a half of our time. Their solutions and response time aren't very good.

Neutral

The setup is based on our data sources. We have a segregated timeframe of two payments. It depends on the client or who is doing the operation. Onboarding on the cloud is pretty easy. It takes just a few clicks from migrating the data sources to getting the logs.

For an on-premises or third-party software servicer, it will take more time and troubleshooting to do the setup. It won't be hard if you have a good team for the onboarding process. It can be complicated initially, but the rest of the timeframe will involve fine-tuning the logs and creating the custom rules based on your requirement.

It doesn't require a lot of maintenance. It's pretty simple. We just had to play with it for a couple of months.

We haven't seen any financial ROI.

Sentinel is the best solution that we use. It's a pay-as-you-go model. We can fine-tune the features we want and choose if we want to remove logs. We can also segregate logs, which helps us minimize costs. Sentinel provides free Office 365 and Azure-based logs without pricing assets. When it comes to the third-party solution or our server logs, we just have to do the fine-tuning of the logs.

The pricing isn't very high. It depends on the number of logs you have. If you're expecting to ingest 50 to 60G in a day, but you're only ingesting 20 to 25G per day at first and you have a good team to analyze the logs, then you can segregate the ingestion at under 15G.

I would rate this solution a nine out of ten.

It's very user-friendly. The only issue is that Microsoft's technical support isn't very good. If you have a good team who can onboard the resources to the solution, then you'll be happy with the solution itself.

For us, it's better to go for multiple solutions rather than a single suite because we cannot strictly trust one client. If you only have one cloud-based solution, it's better to use Sentinel to secure it. It's helpful to have a good team that can do the monitoring and onboarding smoothly. You can go with one solution if you have a trusted partner. If you don't, then I would use multiple solutions.

You should purchase the features that Microsoft provides. It's a configured network, so they will correlate with the end resources, RMD, and receiver identity. The fusion-based algorithm rule will detect advanced multistage attacks to stop the attack.

Microsoft Sentinel serves as a centralized hub for collecting and analyzing logs from various Microsoft tools and other sources. It eliminates the need to develop custom toolsets for detecting malicious activities across different Microsoft tools. Instead, Microsoft Sentinel provides standardized rules and playbooks to streamline the process of identifying and responding to potential threats.

For instance, consider a scenario where an employee clicks on a phishing link in an email, leading to the installation of malware on their system. While the endpoint detection and response tool on the endpoint might not detect malicious activity, Microsoft Sentinel, acting as a central log collector, receives the EDR logs and triggers an event based on pre-defined rules.

Upon detecting the suspicious activity, Microsoft Sentinel automatically executes a playbook, which may involve actions such as killing the malicious process or isolating the affected endpoint. This automated response helps expedite threat containment and reduces the burden on security analysts.

It is crucial that Sentinel empowers us to safeguard our hybrid, cloud, and multi-cloud environments. We employ a hybrid cloud setup, and securing our environment using Sentinel is significantly simpler than manual methods. We can gather events in the Central Point and develop playbooks and scripts to automate responses. This streamlines the process and enhances our overall security posture. Additionally, if an alert is triggered, we receive an incident notification via email, prompting us to take action and resolve the issue.

Sentinel provides a library of customizable content to address our company's needs.

Microsoft Sentinel has helped our organization with alerts. We'll receive alerts from Sentinel indicating that we're at risk. It's important to address these alerts promptly. We first need to review the information in the email, and then work on the issue in the office. After that, we'll contact the team members on the relevant shift. There's nothing particularly difficult about this process. It's based on our access privileges, which are determined by our role in the company. If we have a high-level role, we'll have access to all the necessary tools and resources. We'll even be able to receive alerts at home if there's a security issue. The company that provides this technology grants work-from-home access based on security considerations. If someone has a critical role, they'll also be equipped with the tools they need to work remotely and connect with their team members. So, the company that provided the technology can resolve the issue first, and then we can address it. Once we've taken care of the issue, everything will be much easier.

By leveraging Sentinel's AI in conjunction with our playbooks for automation, we can enhance the effectiveness of our security team, subject to the specific rules and policies we implement.

The logs provided by Sentinel have helped improve our visibility into our user's network behavior.

Sentinel has helped us save 60 percent of our time by prioritizing the severity of the alerts we receive. When we receive an alert with a high-risk level, we immediately address it to mitigate the potential security threat. Additionally, we have configured our anti-ransomware software, to further protect our systems from cyberattacks. In the event of a ransomware attack, our Halcyon system will generate an encryption key that can be used to unlock our system. This key is securely stored by Halcyon.

Sentinel has helped reduce our investigation times by enabling us to review an alert, generate a ticket, and resolve the issue simultaneously upon receiving the alert.

The most valuable feature is the alert notifications, which are categorized by severity levels: informational, low, medium, and high. This allows us to prioritize and address alerts based on their urgency. For instance, we would immediately address high-severity alerts. This feature, along with the ability to create playbooks, significantly enhances our workflow.

I would like Microsoft to add more connectors for Sentinel.

Microsoft Sentinel should provide an alternative query language to KQL for users who lack KQL expertise. 

I have been using Microsoft Sentinel for one and a half years.

Microsoft Sentinel is a stable solution. 

Microsoft Sentinel is scalable.

We have to write playbooks to resolve our issues.

Neutral

The configuration of Microsoft Sentinel involved a complex process that required thorough familiarity with the available connectors and the policies to be implemented.

We have seen a 30 percent return on investment.

Sentinel is costly.

I would rate Microsoft Sentinel seven out of ten.

We have five people in our organization who utilize Sentinel.

No maintenance is required from our end.

I use the solution to ensure proper security analytics and threat intelligence across the enterprise. The tool helps me to know the type of attack detection that happens and the kind of visibility, proactive hunting, and threat response we have.

We use the tool because we want a solution that can quickly analyze large volumes of data across the enterprise. Microsoft Sentinel is a one-stop solution for all our security needs. It gives threat visibility, enables proactive hunting, and provides investigation reports.

The product can integrate with any device. It has connectors. So, we do not have big issues in building connectors. Microsoft Sentinel gives us a unified set of tools to detect, investigate, and respond to incidents. It also helps us recover things. It is very important to our organization. It centralizes our total threat collection and detection and generates investigation reports.

The AI capabilities must be improved. The product must efficiently leverage the AI capabilities for threat detection and response. The product does not provide auto-configuration features. So, we need to do configuration, policy changes, and group policies ourselves. If AI can do these functions, it will be easier for the customers.

I have been using the solution for three years.

The product is stable.

We have around 1500 users. We have only one administrator. The product is easily scalable. As long as the enterprise grows, we will continue using Microsoft Sentinel.

The technical support team is very good.

Positive

We were using Splunk before. We decided to switch to Microsoft Sentinel because we were unable to work on large data using Splunk. Splunk did not have AI capabilities and was not user-friendly.

The product is deployed on the cloud. It is a SaaS solution. The initial deployment was easy. We ensured that all the devices and the APIs were configured well. We needed two engineers from our team for the deployment. We have deployed the tool in a single location. The solution does not need any maintenance.

We took help from an integrator to deploy the tool. It was a user-friendly experience.

The solution is efficient. We could see the returns on investment immediately. It doesn’t take much time.

The product is costly compared to Splunk. When we pay for the product, we also have Azure Monitor Log Analytics as part of the package. It is economical for us.

We use the tool to help secure our cloud-native security solutions. By enabling us to secure our cloud environments, it acts as a single solution for attack detection and threat visibility for proactive hunting. The solution gives us a library of customizable content that helps us address our unique needs. It also gives regular patch updates. It helps us to be updated with the latest threats happening across the world.

We use the Microsoft Sentinel Content hub. Integration with Active Directory is also helpful for us. The content hub enables us to see the latest features. We have Extended Detection and Response in SentinelOne. It provides effective protection for the platform. It provides more cybersecurity by providing more visibility and protects our enterprise.

The content hub helps us centralize out-of-the-box security information and event management content. It discovers and manages the built-in content. It provides an end-to-end security for us.

Microsoft Sentinel correlates signals from first and third-party sources into a single high-confidence incident. It can extract the information through the respective APIs of the third parties. It has increased our threat intelligence, monitoring, and incident analysis efficiency.

We use Microsoft Sentinel's AI in automation. The generative AI features enable real-time threat hunting and detection. The solution has helped improve our visibility into user and network behavior. The generative AI provides better detection and response capabilities and faster response times with actionable intelligence.

The product has saved us time. It helps us get various log files. When there’s an incident, it enables us to do investigations faster. The tool saves us three days in a week. It reduces the work involved in our event investigation by streamlining the processes and making automation effective. Event investigation is much faster.

If someone is looking for a comprehensive solution, Microsoft Sentinel is a good choice. It will fulfill all our needs, including attack detection, threat visibility, and response.

Overall, I rate the solution an eight out of ten.

Sentinel is used to cover cloud-native customers for security monitoring. It includes UEBA, threat intelligence, behavioral analytics, etcetera. We also use it to automate incidents into tickets.

The solution improved our organization in a few ways. The key one is the cloud layer of integrations. When we were on-premises with SAP monitoring we faced a few issues in the integration of cloud infrastructure logs. Once we moved into the Sentinel Cloud the integration was pretty easy. Monitoring the cloud infrastructure and their respective applications and their cloud cloud-native products became pretty easy in terms of integration with monitored areas.

Also, the cost of infrastructure is no longer an issue.

The detection layer has also been improved with analytics. Plus, it keeps on getting better in Sentinel. Since 2020, I've seen Sentinel has made a lot more changes in feature improvements and performance. They’re fine-tuning detection and analysis layers.

The analytics rules are excellent. It's pretty easy to create them. It’s all about SQL queries that we need to deploy at the back end.

The search of the logs is easy. Before, there were no archival logs. Now, in recent versions, it’s easy to bring back the logs from the archives. We can research and query the archive of logs very easily.

The visibility is great. It gives good alerts. The way an analyst can go and drill down into more details is simple, The ability to threat hunt has been useful.

Sentinel helps us prioritize threats across the enterprise. With it, we have a single pane for monitoring security logs. As an MSP, they just ingest all the logs into the system, and this actually leads to a hierarchy for our integrations. It’s easy to review the logs for auditing purposes.

We use more than one Microsoft security product. Other team members use Intune, Microsoft CASB, and Microsoft Defender as well. It’s easy to integrate everything. You just need to enable the connector in the back end. It takes one minute. These solutions work natively together to deliver coordinated detection responses across our environment. We just integrated the Microsoft Defender logs into Sentinel. It already has the prebuilt use cases in Sentinel, including threat-hunting playbooks, and automation playbooks. It's pretty easy and ready to use out of the box.

Sentinel enables us to ingest data from our entire ecosystem. That's really the high point for us. The coverage needs to be expanded. The threat landscape is getting wider and wider and so we need to monitor each and every ecosystem in our customer organization's endpoints, including the endpoints or applications for systems or on the servers or network level. It needs to be integrated on all levels, whether it’s on-premises or cloud. It is really important to have a single point of security monitoring, to have everything coordinated.

Sentinel enables us to investigate threats and respond holistically from one place. For that analyst team, the Sentinel page is like a single point of investigation layer for them. Whenever an incident is created, they can just come in and get deeper into a particular investigation incident. They are able to get more information, figure out the indicators, and make recommendations to customers or internal teams to help them take action.

Given its built-in UEBA and threat intelligence capabilities, the comprehensiveness of Sentinel's security protection is really nice. The UEBA can be integrated with only the AD logs. And, since they need to get integrated with the networks and the VPN layers as well, it’s useful to have comprehensive security. It can be integrated into other Microsoft security products as well.

Sentinel pricing is good. The customer doesn't want to worry about the enterprise infrastructure cost in the system. They worry about the enterprise cost and the management, and operation, CAPEX, et cetera. However, in general, the customer simply needs to worry only about the usage, for example, how much data is getting sent into the system. We can still refine the data ingestion layer as well and decide what needs to be monitored and whatnot. That way, we can pay only for what we are monitoring.

Our Microsoft security solution helps automate routine tasks and help automate the finding of high-value alerts. By leveraging Sentinel's automation playbook, we have automated the integrations and triage as well. This has simplified the initial investigation triage, to the point where we do not need to do any initial investigations. It will directly go on into layer two or it directly goes to the customer status.

Our Microsoft security solution helped eliminate having to look at multiple dashboards and gave us one XDR dashboard. The dashboard is pretty cool. We now have a single pane of glass. A lot of customization needs to be done, however, there are predefined dashboards and a content hub. We still leverage those dashboards to get the single view into multiple days, including the log volumes or types of security monitoring or in the operation monitoring system.

Sentinel saves us time. Even just the deployment, it only takes ten minutes for the could. When you have on-premises tasks that are manual, it can take hours or a day to deploy the entire setup. Integrating the log sources used also takes time. By enabling out-of-the-box tools, we can save a lot of time here and there. Also, once you leverage automation, by simply leveraging logic apps in a local kind of environment, you don’t need to know much coding. You just need knowledge of logic at the back end.

The solution has saved us money. While I’m not sure of the exact commercial price, it’s likely saved about 20% to 30%.

The solution decreased our time to detect and your time to respond. For time to detect, by leveraging analytic rules, we’ve been able to cut down on time. Everything is happening within minutes. We can begin remediation quickly instead of in hours.

The UEBA part needs improvement. They need to bring other log sources to UEBA. 

The reporting could be more structured. There are no reporting modules or anything. It's only the dashboard. Therefore, when a customer requests a report, you need to manually pull the dashboard and send it to the customer for the reporting. However, if there was a report or template there, it would be easier to schedule and send the weekly reports or monthly executive reports.

The log ingestion could be improved on the connector layer.

I've been using the solution since November of 2020. 

The solution is stable. We had some issues with an automation component. There might have been outages on the back end, however, it's mostly fine.

We have about 25 people using the solution in our organization, including analysts. 

You only need to pay for what you are ingesting and monitoring. It scales well. There are no issues with it. 

Support is okay. We don't have many issues on the platform layers. We might reach out to support for integration questions. Largely, the engineering team would handle support cases. 

Neutral

We do use other solutions. We added this solution as we needed to support cloud-native customers. 

We also use LogRhythm among other solutions.

Each solution has its own pros and cons. There isn't a direct contrast to each. Some have better reporting. However, Sentinel has very good analytical rules and automation. LogRhythm, however, requires more backend work. 

The deployment of the Microsoft bundle is pretty easy. It's fast and saves time. In ten minutes, we can deploy Sentinel to the customer and start monitoring data with the existing rules. You'll have dashboards in thirty minutes. One person can do the deployment. To manage the solution, one can manage the injections, and one can manage the detection layers.

The solution does not require any maintenance. You just have to make sure it's up to date.

We're using it in the automotive and energy industries. 

When we calculated the pricing, we thought it was 10% to 20% less, however, it depends on how much data is being collected. It's not overly expensive. It's fairly priced. 

Security vendors are chosen based on use cases. Those gaps are met by the respective solution. The benefit of a single vendor is that everything is on a single-layer stack. It helps you see everything in one single pane. 

I'd rate the solution eight out of ten. 

We are a Microsoft partner, an MSP. 

As a security engineer, I help onboard with Sentinel. I enable all the connectors and tune the analytics to minimize the number of false positives.

We're a Microsoft house and it provides very good visibility into all the threats a company might be facing. 

The connectivity and analytics are great.

It allows people to connect to different data sources under a single pane of glass.

The visibility is great in terms of having the notebook features. By using the notebook features, people can generate different graphs, which helps create greater visibility on the front end.

We've been able to integrate other products, including Defender. It's super easy to integrate them. All Microsoft products easily connect with each other. They coordinate together to help with detection and response across our network. This is critical. 

This allows me to have better visibility to understand what is happening on each endpoint.

The threat protection is pretty comprehensive across Microsoft products. Having dependable endpoints and other security tools ensures good security overall. In terms of compliance, you have a lot of data that can help ensure comprehensive information is available and transparent. 

We like that it's on the cloud.

Sentinel does allow us to ingest data from our entire ecosystem. This plays an important security role.

We can investigate threats holistically from one place. Having everything centralized makes security easier and helps us better understand what is happening. 

Sentinel's security protection helps us to better identify anomalies or erratic user behavior. It helps me minimize false positives. 

There is good automation. They do an okay job.

Consolidating into one dashboard has made it possible to have a holistic view of security. I can investigate issues and have better visibility.

Overall, the solution has saved me time. I'm not sure if I can quantify it, as I'm on the engineering side. 

The product has helped save the organization money. 

It has decreased our time to detect and time to respond. 

They only classify alerts into three categories: high, medium, and low. So, from the user's point of view, having another critical category would be awesome. That would minimize the level of high alerts and break them down so we understand which are truly critical. We should be able to prioritize more effectively. Right now, this doesn't necessarily help users to prioritize when it comes to the alert or triage.

The bi-directional capabilities are okay. However, sometimes I need to fall back on Defender for cloud.

I've been using the solution for two or three years now.

The stability is okay. I've only experienced one outage.

We have about 200 staff on the solution. 

The scalability is very good. All I have to do is enable data sources in order to expand. 

I haven't had much contact with technical support. My one experience was okay. 

Neutral

I did not previously use a different solution.

The initial deployment is straightforward. The entire process was as simple as following clear steps. We basically create a workspace and push the pipeline.

As long as a person has relevant access to Azure, one person would be enough in terms of handling the deployment. 

We did a deployment in a single location, not across multiple locations. 

There is a bit of maintenance, in terms of ensuring logs are being digested. The number of people involved depends on the situation. We have two to three people who may check logs or connectors. 

We are consultants for clients. We help SMEs deploy the solution. 

We have witnessed an ROI while using the solution, however, I cannot quantify the amount exactly.

Sentinel charges based on ingestion. If Microsoft would allow us to view the logs before ingesting something we don't want, that would make the pricing better. Sometimes we don't want to pass illegitimate data into Sentinel, yet I don't have a choice. 

It's not cheap. However, it's okay pricing.

I did not evaluate any other options previously.

I'd rate the solution eight out of ten.

I'd tend to go with a single vendor over best of breed. A company like Microsoft allows everything to easily link various products together. 

If you are using Microsoft Sentinel, go for the XDR solutions as well. 

We are using Microsoft Sentinel for our traditional SOC. So previously, we had multiple products, like VM products, log analytics products, and analysts. We are making so much effort to analyze incidents and events in the security operation center., after which we decide whether it's an incident or an event, and we take action. After Sentinel's implementation, it would be much better and much simpler. For instance, we can now save much more time since in Sentinel, there is artificial intelligence, so the system will decide for you instead of a human. The system will learn what kind of thing you should take action on, and it will save some time since you do not need much human power. In traditional SOC systems, there were three or four people. But in Sentinel, it's much easier, and you do not need so many people in the SOC. So you will save time and keep it cost-effective.

Previously, we were incurring a huge cost being paid to a person. But in Sentinel, you do not hire anyone because the system provides system insights through the cloud applications. So you do not need to put effort, or you don't need to hire either of the senior people. So in, in your SOC team, would be mid-level people, and it would be fine. Also, you do not need so many people. So, one or two people left the organization after the central implementation. So we just have an agreement with one company at a professional level since they're also managing Sentinel. We do not need to pay for the maintenance of applications. So that's also a benefit for us. So, in this case, we are only paying Sentinel yearly or annual costs.

Previously, we could not do some automation. So in Sentinel, we create some playbooks, and with some features in the playbooks, we have some capabilities. For example, when a virus enters the system, we will take action to keep the system safe. So, the machine with the virus can be automatically isolated from the network, and this might be a pretty cool feature in the solution currently.

Microsoft Sentinel has improved our entire SOC, like our log system and incident response. So we are able to quickly respond to incidents and take action. Even though Microsoft Sentinel has already improved our system, it should further improve for on-premises systems or traditional systems, especially to get or collect logs from the legacy systems. Also, Microsoft should improve Sentinel, considering that from the legacy systems, it cannot collect logs.

I have been using Microsoft Sentinel for about six months. My company has a partnership with Microsoft.

I have not contacted technical support.

We are using Microsoft Intune. From the mobile device management point of view, it makes work very easy. We are just planning that with Microsoft Intune, we can easily export some logs to Sentinel to analyze them. We are not using this feature right now, but we are planning. If you are using Microsoft applications, it's very easy to integrate them with other Microsoft products.

Defender is something that we are using as an antivirus for Android applications, but we are not using it on the cloud.

From a cost point of view, it is not a cheap product. It's, like, an enterprise-level application. So if you compare it with a low-level application, it's expensive, but if you compare it with the same-level application, it's pretty much cost-effective, I think. Because for other products, you need to purchase them by paying thousands of dollars. In Sentinel, you pay for how much you use, or you just pay for how much you consume storage, log interface, or system. It will not be a one-time cost, but it will be like a continuous rental system, where you subscribe to an application, and then you use it. That's very easy. I think the company got the solution for a long time. If you purchase some products, you need to invest in something, and it increases your investment budgeting. Many enterprises do not like investments. But this is not a one-time cost, to be honest, since continuously, we will pay. This is maybe a negative point of view, but considering from company to company, it entirely depends on a company's strategy.

Previously, it was a little bit difficult to find where an incident came from, including which IP address and which country. So in Sentinel, it's very easy to find where the incident came from since we can easily get the information from the dashboard, after which we take action quickly.

Sentinel does provide me with the ability to set priorities on all the threats across your entire enterprise. So, it is very important because we were previously getting the service from the outside. It would be yes. Sentinel is a next-generation SOC. So, Sentinel also still develops some applications on Sentinel's site, so maybe in the next release, they will introduce a much more effective version for the company. I'm not sure how many companies use it right now. Maybe in the future, more companies will use Sentinel because its features are such that compared to the traditional SOC systems, they are not affected since the system is a cloud-based system. So it's easy to manage. Also, you don't need to care about it from an infrastructure point of view. Additionally, we don't need to take care of products, and we don't need to take care of maintenance. From a product point of view, we do not need to manage since we just need to focus on the incident event.

Right now, we are using very traditional applications, so there is no use of native Microsoft applications right now.

Sentinel enables me to ingest or collect data from my entire ecosystem, but not all of them, because some traditional applications cannot provide some data needed for export. It cannot allow you to get reports or logs from outside. It's a challenging point, so this might be an opportunity for us to change the traditional application. In traditional applications, and sometimes in IT systems, it might be very difficult to get data insight. In some cases, we need to change the application since, in traditional applications, you cannot get support. To fix it, you need to decide something, or maybe you need to decide on the application change. It might be an opportunity for you. But in the next-generation application, there is no problem. With a new application, you can easily integrate with Sentinel. In Sentinel, the negative point is just related to cloud applications. With cloud applications, maybe sometimes you cannot get data from the on-prem application. So if you use a cloud system, like Sentinel, which is a cloud system, then it's very easy. If you are using an on-prem system, Microsoft Sentinel sometimes may not be easy to integrate.

Sentinel allows me to investigate threats and respond quickly and thoroughly from just one place. It accelerates our investigation, especially our event investigation and incident investigation. Using Sentinel, we take quick actions and get quick insights after its standard implementation. So it is time-efficient.

Previously, we had no SOAR applications. In Sentinel, if you want to take action quickly, you need to create playbooks so that if something happens, you can just develop an application like a playbook in Sentinel so that if something happens, you can tell Sentinel to take action. You can freely create your own playbooks since it's very easy. In my opinion, this is the best feature of one product. Normally, you need to purchase two applications or two products. But in Sentinel, they combine everything together. This is the most beautiful feature for me.

Sentinel helps automate routine tasks and help automate the finding of high-value alerts. We do not need to create manual operations like when our system engineers see the incident and they do a system analysis. So after Sentinel, the system analysis is not done by anyone since Sentinel can already make decisions and then take action by itself. So at this point, there's no human power. Sometimes human power is needed, but maybe eighty percent or ninety percent of the time, there is no human power needed. So, it has caused significant improvements in our entire company.

Sentinel has helped eliminate having to look at multiple dashboards and giving us just one XDR dashboard. Previously, we had to check multiple dashboards, especially in relation to whether logs were coming and other things, like incidents and events. In Sentinel, you do not need to check many dashboards. So you are just designing one dashboard, and then, on the entire dashboard, you will see everything. So, it now saves time since previously there were multiple dashboards causing our engineers and our analysts to get confused at times. So they used to ask our managers to understand better. Currently, it is very easy to understand since one needs to check in on one dashboard, and there's no confusion among the engineers. But they do not need to ask anyone to understand. Apart from better understanding, it has improved our systems.

From a security point of view, you need to go with multiple vendors, but this is a traditional system. But right now, if you want to create a good security system, you need to implement each product with one vendor. Because vendors currently state that, if you want to have a high-level security system. You need to implement each product on a security level from one vendor. Microsoft-level vendors offer many features, but people only just purchase or use one product, and that's all. It's not good for security infrastructure. So, you need to implement all security products from just one vendor. I think one vendor and the needed security products will be enough for a company. Sentinel is our next-generation SOC. Currently, I don't see any competitors at this level.

I rate the overall solution a nine out of ten.

We use Sentinel to monitor logs, build alarms, correlate events, and fire up specific automation boards in the event of a security incident. 

Sentinel creates a focal point for cybersecurity incidents, so it's much easier to correlate logs and incidents to get a more comprehensive view of our security posture. Microsoft provides many educational resources, so onboarding new people is easy. 

It took us about a month to realize the benefits of Sentinel. Integrating all the Microsoft security products into the solution was straightforward. It seamlessly integrates with Microsoft Logic Apps, so it's easy to develop custom playbooks and automate many manual tasks. 

Automation has made us more efficient and effective because we're free to focus on priority alerts. Sentinel has reduced the time spent on menial security tasks by 30-40 percent. Sentinel consolidates our dashboards into a single XDR console, one of our strategic goals. We're moving all of the data into Microsoft Sentinel to create a single point of truth for security incidents.

Microsoft provides some threat intelligence for significant incidents. They provide us with remediation and mitigation controls we can implement to react to these potential threats much faster.

I like the ability to run custom KQL queries. I don't know if that feature is specific to Sentinel. As far as I know, they use technology built into Azure's Log Analytics app. Sentinel integrates with that, and we use this functionality heavily.

Threat prioritization is a crucial feature. It already has them in order, so we know we should investigate high alerts first and move down the line to the less urgent ones. 

We use all of the other Microsoft security solutions in addition to Sentinel. They all can be integrated together seamlessly to deliver comprehensive threat detection and response. 

I would like to see additional artificial intelligence capabilities. They're already working on this with new features like Microsoft Security Copilot. This will help us investigate incidents much faster. 

When we pass KPIs to the governance department, there's no option to provide rights to the data or dashboard to colleagues. We can use Power BI for this, but it isn't easy or convenient. They should just come up with a way to provide limited role-based access to auditing personnel 

I have used Sentinel for two years.

We haven't experienced any downtime, so I think Sentinel is highly stable. 

Sentinel runs on the cloud, so it scales automatically. 

I rate Microsoft's support a 10 out of 10. They can connect you with the developers, and you get answers quickly. 

Positive

I also worked with RSA enVision at my previous company. Sentinel has advantages because of its tight integration with the Microsoft ecosystem. It's effortless to set up because you don't need specific connectors. Sentinel works out of the box. It makes sense for a company that primarily works with Microsoft products to use Sentinel for security monitoring.

Sentinel runs on the Microsoft Azure Cloud, so it was easy to set up. It took about two days to set it up. You start by integrating the Microsoft security solutions using the available connectors and move on to the firewall, SysTalk databases, and application-specific logs. 

It's a bit more complicated to come up with custom rules and alarms, so that's the last part of our implementation strategy. We completed the deployment with two or three people and the help of Microsoft support. Because Sentinel is deployed in the cloud, it doesn't require any maintenance. 

Our ROI comes from automating lots of tasks. 

Microsoft Sentinel is pretty expensive, and they recently announced that they will increase the price of all Microsoft services running in Azure by 11 percent. Luckily, I'm not responsible for the financial side. For one of my clients, the estimated cost is 880,000 euros for one year. There are additional costs for the service agreement. 

I rate Microsoft Sentinel an eight out of ten. I recommend taking advantage of the virtual training before you implement Sentinel. Familiarize yourself with the product, dashboards, features, integration, etc., before you decide to use it. 

A single-vendor strategy is preferable because it's easier to integrate them. Otherwise, it can get complicated.