reviewer1342566 - PeerSpot reviewer
System Engineer at a tech vendor with 5,001-10,000 employees
MSP/MSSP
Provides visibility into threats by creating alerts and enables us to ingest data from our entire system if we want
Pros and Cons
  • "The data connectors that Microsoft Sentinel provides are easy to integrate when we work with a Microsoft agent."
  • "The troubleshooting has room for improvement."

What is our primary use case?

Our organization is a service company, therefore, we are proposing Microsoft Sentinel as an MSSP solution to our clients. Additionally, we are offering other solutions with Microsoft Sentinel. We have integrated Microsoft Sentinel with MISP, an open source intelligence trading platform, to create a deluxe solution. Furthermore, we use the five-year tool in conjunction with Microsoft Sentinel.

We pitched the solution for BFSI, healthcare, and ONG sectors.

The solution can be deployed based on the client's requirements.

How has it helped my organization?

Microsoft Sentinel provides visibility into threats by creating alerts, which will generate an instance and notify us. We can also view files and prioritize alerts using Microsoft Sentinel. Additionally, there is a tool with Sentinel that allows us to check alerts, which will help us identify false positives and false negatives, which is very beneficial for analysts.

Microsoft Sentinel helps us prioritize threats across our enterprise.

Microsoft Sentinel's ability to help us prioritize threats is a very important must-have feature for our organization.

Integrating Microsoft Sentinel with additional Microsoft solutions such as Microsoft Security Center is easy because we use a Microsoft agent. There is a default integration available with multiple connectors and we can use the agent to install data into Microsoft Sentinel.

The integrated solutions work natively together to deliver a coordinated detection and response across our environment. We use a playbook for the response process. We also integrated ServiceNow tools and Sentinel for ITSM. We are also designing the playbooks to meet our requirements.

Having the ability to integrate solutions with Microsoft Sentinel is an important feature.

Microsoft Sentinel provides comprehensive protection. 

Our organization has a strong partnership with Microsoft. Most of the services we receive are quite cost-effective. Microsoft provides market listings, allowing us to design our solution and place it on Microsoft's market listings, resulting in mutual benefits for both Microsoft and our organization.

We used Microsoft Defender for Cloud to get to the Azure security center for Sentinel. We wanted to work with a particular server but at the time the requirement was in order to use Defender we had to enable the solution across the subscription and not on one particular server.

Microsoft Sentinel enables us to ingest data from our entire system if we want.

Microsoft Sentinel enables us to investigate and respond to threats from one place. We can control everything from a single pane of glass.

Microsoft's built-in UEBA and threat intelligence capabilities play a major role in our security.

We can automate routine tasks, prioritize alerts using the playbook, and use the analytical rule's default settings when creating an alert. This helps to reduce false positives so that we only receive one alert for each issue.

Microsoft's XDR enabled us to avoid having to view multiple dashboards. We can integrate a variety of tools with Sentinel, allowing us to monitor all relevant information from a single screen.

The integration into one dashboard reduced our analytical work because it reduces the time required to review and respond to threats. 

The solution helped us prepare for potential threats proactively. Microsoft Sentinel helped our organization save money by preventing attacks. The solution helped reduce the threat detection time by up to 40 percent.

What is most valuable?

The data connectors that Microsoft Sentinel provides are easy to integrate when we work with a Microsoft agent.

The UI design for the investigation portion of Microsoft Sentinel is great.

The alerting of the queries works great and it is easy to develop a query around our requirements using Microsoft Sentinel.

What needs improvement?

The GUI functionality has room for improvement.

The playbook can sometimes be hefty and has room for improvement.

The troubleshooting has room for improvement.

Buyer's Guide
Microsoft Sentinel
June 2025
Learn what your peers think about Microsoft Sentinel. Get advice and tips from experienced pros sharing their opinions. Updated: June 2025.
861,524 professionals have used our research since 2012.

For how long have I used the solution?

I have been using the solution for three years.

What do I think about the stability of the solution?

The solution is stable.

What do I think about the scalability of the solution?

The solution is scalable.

How are customer service and support?

The technical support depends on if we have upgraded our support or not. The basic support has a wait time but the premium support is great.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We previously used IBM Security QRadar. The data connectors are more complicated and there are more configurations required with IBM Security QRadar compared to Microsoft Sentinel. The alerts are much better with Microsoft Sentinel.

How was the initial setup?

The initial setup is straightforward.

What about the implementation team?

The implementation is completed in-house with Microsoft documentation.

What's my experience with pricing, setup cost, and licensing?

In comparison to other security solutions, Microsoft Sentinel offers a reasonable price for the features included.

What other advice do I have?

I give the solution an eight out of ten.

The maintenance is completed by Microsoft.

I recommend Microsoft Sentinel to others.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
PeerSpot user
Sr. Cloud Security Analyst at SNP
MSP
With Bi-directional sync, people work on active issues; resolved issues are updated across the board
Pros and Cons
  • "Microsoft Sentinel enables you to ingest data from the entire ecosystem and that connection of data helps you to monitor critical resources and to know what's happening in the environment."
  • "In terms of features I would like to see in future releases, I'm interested in a few more use cases around automation. I do believe a lot of automation is available, and more is in progress, but that would be my area of interest."

How has it helped my organization?

Microsoft Defender for Cloud's bi-directional sync capabilities are important in the following way. If you have an issue that shows in Defender for Cloud, an incident on your dashboard, and you look into Sentinel and see the same alert has been triggered, after someone on your team looks into it and fixes it, if bi-directional is not enabled, you will still have the alert showing. If someone is looking at the Defender for Cloud dashboard, that alert will still show as active. That's why it's important to have bi-directional sync. It helps make sure that people work on the right cases.

Sentinel enables you to investigate threats and respond holistically in one place. It gives you a central repository where you can have a historical view and see the access point where something started, where it went, and how things were accessed. For instance, if someone was anomalously accessing keywords, with everything in one place you can see where it started, where it went, who was involved in it, what kind of endpoints were involved, what IP address was involved, and what devices were involved. In this way, you have complete historical data to investigate the root cause.

Previously, I worked with a number of different tools to pull the data. But having one pane of glass has obviously helped. When you consider the time it takes to go into each and every dashboard and look into alerts, and take the necessary actions, Sentinel saves me a minimum of 15 minutes for each dashboard. If you have three to four dashboards altogether, it saves you around one hour.

And when it comes to automating routine tasks, if you want to notify the right people so that they can look into a P-1 incident, for example, Sentinel can automatically tag the respective SOC or security incident teams through a team chart and they can directly jump into a call.

Another point to consider is multi-stage attack detection. We have a granular view into the incident. We can investigate which IPs, user entities, and endpoints are involved in the alert. If you have to look at multiple, separate points, it could take one hour to see what happened at a particular point in time. With Sentinel, we can directly look into a certain person and points and that saves a lot of time. And then we can take action on the incident.

What is most valuable?

Among the valuable features of Sentinel are that it 

  • has seamless integration with Azure native tools 
  • has out-of-the-box data connectors available
  • is user-friendly
  • is being expanded with more updates.

The visibility into threats that the solution provides is pretty good. We can see a live attack if something is going wrong; we can see the live data in Sentinel.

I work on the complete Azure/Microsoft stack. With Azure native, we can integrate the various products in a few clicks. It doesn't require configuring a server, pulling of logs, or other heavy work. It's very easy, plug-and-play. The data collectors are available with Azure native so you can deploy policies or it will take care of everything in the backend. If various tools have different priorities for issues, monitoring everything is a hectic task. You have to go into each tool and look into the alerts that have been triggered. It's a big task. If you can integrate them into a single pane of glass, that helps you to find out everything you need to know.

And in terms of the comprehensiveness of the threat protection that these products provide, I would give it a 10 out of 10.

Microsoft Sentinel enables you to ingest data from the entire ecosystem and that connection of data helps you to monitor critical resources and to know what's happening in the environment. At a minimum, we should monitor the servers that are critical in the environment.

It also has hunting capabilities so that you can proactively hunt for things, but a different team looks after that in our organization.

What needs improvement?

In terms of features I would like to see in future releases, I'm interested in a few more use cases around automation. I do believe a lot of automation is available, and more is in progress, but that would be my area of interest.

For how long have I used the solution?

I have been using Microsoft Sentinel for more than two and a half years.

What do I think about the stability of the solution?

It's a stable solution.

What do I think about the scalability of the solution?

It's a scalable model but as you scale up you pay for it.

How are customer service and support?

Microsoft technical support is responsive and helpful. And their technical documents are pretty detailed and well-explained.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial deployment was pretty straightforward.

The number of people involved in the deployment is completely dependent upon the environment and the access we have. If there's something to be done with a third-party application—for instance, Cisco Meraki or ASA—for those, we require support from the networking team to open up ports and forwarding of logs from the firewalls to Sentinel. If it is a native Azure environment, we don't need any support.

As for maintenance, if there are any updates they will pop up in your alerts and you can then upgrade to the latest version. It doesn't take much effort and there is no downtime. You simply update and it takes a few seconds. If someone is experienced, that person can handle the maintenance. If the environment is very big and it requires injecting more logs, then it requires some helping hands.

What's my experience with pricing, setup cost, and licensing?

The pricing is fair.

With a traditional SIEM, people are required for SOC operations and investigations and they require licenses. With Sentinel, people in SOC operations are still required to investigate, but we don't need any licenses for them. With a traditional SIEM, you pay a lump sum for licenses. But with Sentinel, it's pay-as-you-go according to the amount of data you inject.

What other advice do I have?

I would recommend Microsoft Sentinel.

It's always good to compare against other tools when it comes to the value, to get an idea of what you are paying for. Compare the market strategies and the new capabilities that are coming out and whether you're able to unlock the full capabilities or not. Double-check that. As for best-of-breed versus one vendor, you should stick with one vendor only and take whatever they gave.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
Anand R Menon - PeerSpot reviewer
Security Operations Lead at CrossCipher Technologies
Real User
Covers latest threats, integrates with on-prem and cloud resources, and has good automation capabilities
Pros and Cons
  • "Mainly, this is a cloud-native product. So, there are zero concerns about managing the whole infrastructure on-premises."
  • "At the network level, there is a limitation in integrating some of the switches or routers with Microsoft Sentinel. Currently, SPAN traffic monitoring is not available in Microsoft Sentinel. I have heard that it is available in Defender for Identity, which is a different product. It would be good if LAN traffic monitoring or SPAN traffic monitoring is available in Microsoft Sentinel. It would add a lot of value. It is available in some of the competitor products in the market."

What is our primary use case?

We are a security service provider, and we are using Microsoft Sentinel to provide managed security services to our customers.

How has it helped my organization?

The visibility that it provides is very good because Microsoft is a front runner in threat intelligence and cybersecurity operations. They have their own threat intel team that is very active. They are actively covering any new threats that are coming into the landscape. They are adding detections, queries, playbooks, and other things related to new threats. They have out-of-the-box integrations, and the coverage of new threats is very fast in Microsoft Sentinel.

It helps us to prioritize threats across our enterprise. Whenever we onboard new customers, after integrating all of their log sources, we actively check for any latest threats being present in their environment. Microsoft Sentinel is natively integrated with all the latest threat intel available, which makes it very valuable for us. It is a SaaS application. So, it is very easy to deploy this solution for new customers to cover their security needs.

In addition to Microsoft Sentinel, we use the EDR solution from Microsoft, which is Defender for Endpoint. We also use Office 365 for email purposes. We have integrated Microsoft Sentinel with these products. In Microsoft Sentinel, there are connectors specifically for this purpose. All the logs from these products are available in this SIEM tool, and it is easy to manage everything from a single pane of glass.

Even though Microsoft Sentinel is a cloud-native product, by using the connectors, you can easily integrate your on-prem and cloud resources with Microsoft Sentinel. Most of our tools, including on-prem ones, are currently integrated with Microsoft Sentinel.

It is very helpful in automating tasks that otherwise require manual intervention. There are two ways to do automation. One is by using the automation rules, and the other one is through playbooks. Automation rules can be used to automate simple tasks, such as automatically assigning an incident to a particular analyst who should be monitoring the incident. By using automation rules, you can automate various tasks, such as setting the severity of the incident and automatically changing the status of the incident.

Playbooks can be used to automate high-value tasks, such as blocking a malicious IP in the firewall or blocking a particular user in Azure Active Directory. All such tasks can be automated through playbooks.

What is most valuable?

There are lots of things that we have found valuable in this solution. Mainly, this is a cloud-native product. So, there are zero concerns about managing the whole infrastructure on-premises.

Kusto Query Language that powers Microsoft Sentinel is another valuable feature. It is a very fast and powerful language.

The integration with different ticketing tools like Jira, ServiceNow, etc. is also a great plus point.

Besides that, the addition of new features to the product is very fast. The overall customer experience in terms of using their Cloud Security Private Community and being able to provide our feedback and suggestions is good. They take the feature requests on priority, and whenever possible, they add the new features in the next version of the product.

What needs improvement?

Currently, SPAN traffic monitoring is not available in Microsoft Sentinel. I have heard that it is available in Defender for Identity, which is a different product. It would be good if SPAN traffic monitoring were available in Microsoft Sentinel. It would add a lot of value. It is available in some of the competitor products in the market.

Also, the reporting feature is missing in Sentinel. Currently, we have to rely on Power BI for reporting. It would be great if this feature were added.

We have opted for the pay-as-you-go model, which doesn't come with free support. If some limited free support was available with the pay-as-you-go model, it would be good. 

For how long have I used the solution?

I have been using this solution for about one year.

How are customer service and support?

There is a great community for Microsoft Security, and we mostly rely on this Microsoft Security community and Microsoft Q&A forums for support. Currently, we are using the pay-as-you-go model which doesn't come with free on-call support. It would be good if some free support was available, even if in a limited way, with the pay-as-you-go model. So, we haven't used their on-call support yet, but their support from the community has been great. Because of that, I would rate their support an eight out of ten.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

Before Microsoft Sentinel, we were not working with any other cloud-native SIEM solution. 

What's my experience with pricing, setup cost, and licensing?

It's important to understand the daily data ingestion required for you or your customer (in case you're an MSSP). There are price tiers starting from 100 GB/day ingestion. But if your ingestion varies too much or your ingestion is lower than 100 GB, you may go for the pay-as-you-go (Per GB) Model. In the case of pay-as-you-go, it is about how closely you monitor the ingestion of each GB of data and how effectively you limit that ingestion. If you don't effectively monitor the ingestion, the price may be too much, and you may not be able to afford it. You should be very clear about your data usage. Sentinel provides great granular visibility into data ingestion. Some of the data might not be relevant to security. For example, basic metrics or other log data might not be very useful for monitoring the security of an enterprise. If you do the right things and limit the ingestion of data, its license plan is perfect, and you can save lots of money.

Which other solutions did I evaluate?

We considered AlienVault, QRadar, and other solutions, but we didn't try those solutions before opting for Microsoft Sentinel because Sentinel had fantastic reviews and it was the perfect first choice for our cloud-native SIEM tool. So, we decided to first try Microsoft Sentinel. If we had not found it satisfactory, we would have tried other solutions. After doing the trial version for 30 days, we were very happy with Microsoft Sentinel. The addition of new features was also very fast. So, we decided to go ahead with the product.

What other advice do I have?

Microsoft Sentinel is an awesome SIEM/SOAR tool for customers with active Cloud presence. Even for on-prem customers, it is providing great flexibility for integrations. 

I would rate Microsoft Sentinel a nine out of ten.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Disclosure: My company has a business relationship with this vendor other than being a customer. Partner
PeerSpot user
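The ingestion visibility that the pricing section of the review above relies on (knowing which tables drive pay-as-you-go cost and which of them carry little security value) can be obtained with a KQL query over the built-in Log Analytics Usage table; this is an added example, not code from the reviewer or from Microsoft, and the list of tables it treats as non-security is an assumption to be adjusted per environment.

```kql
// Added example (not from the review): billable ingestion per table over the last 30 days,
// run in the Sentinel "Logs" pane. The Usage table records Quantity in MB and marks data
// that counts toward the ingestion bill with IsBillable == true.
let lookback = 30d;
// Assumption: these tables are operational telemetry rather than security signal; adjust as needed.
let nonSecurityTables = dynamic(["Perf", "InsightsMetrics", "Heartbeat"]);
Usage
| where TimeGenerated > ago(lookback)
| where IsBillable == true
// Daily volume per table, so that a single noisy day is visible next to the average
| summarize DailyGB = sum(Quantity) / 1024 by DataType, Day = bin(TimeGenerated, 1d)
| summarize TotalGB = round(sum(DailyGB), 2),
            AvgDailyGB = round(avg(DailyGB), 2),
            PeakDailyGB = round(max(DailyGB), 2) by DataType
// Label each table so the cost of non-security data can be weighed against its value
| extend Category = iff(DataType in (nonSecurityTables), "non-security", "security-relevant")
// A peak day at more than twice the average usually means a new or misconfigured source
| extend SpikeFlag = PeakDailyGB > 2 * AvgDailyGB
| order by TotalGB desc
```

Tables that appear under "non-security" with a large TotalGB are the first candidates for filtering or a lower collection frequency at the source, and a SpikeFlag of true points at a connector whose recent volume deserves a look before the next invoice.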
reviewer2259135 - PeerSpot reviewer
Security Delivery Analyst at a consultancy with 10,001+ employees
Real User
It has an intuitive, user-friendly way to visualize the data
Pros and Cons
  • "Sentinel has an intuitive, user-friendly way to visualize the data properly. It gives me a solid overview of all the logs. We get a more detailed view that I can't get from the other SIEM tools. It has some IP and URL-specific allow listing"
  • "Sentinel can be used in two ways. With other tools like QRadar, I don't need to run queries. Using Sentinel requires users to learn KQL to run technical queries and check things. If they don't know KQL, they can't fully utilize the solution."

How has it helped my organization?

Sentinel gathers data from the organization's entire ecosystem, not just the local network. I like having the ability to investigate and respond quickly to threats from one place. It's fun to use. Sentinel has an intuitive, user-friendly way to visualize the data properly. It gives me a solid overview of all the logs. We get a more detailed view that I can't get from the other SIEM tools. It has some IP and URL-specific allow listing.

Sentinel comes with multiple good playbooks for automation and other valuable things that we use. It automatically gives us alerts in our ticketing platform, ServiceNow. 

If you're using other Microsoft security tools, it's better to use Sentinel instead of other SIEM solutions. It reduces the time spent on threat hunting because it uses an SQL database and SQL custom query language. It helps me analyze the data properly because I can view all the events. Sentinel has helped me multitask. 

What is most valuable?

The most valuable feature is the integration with other Microsoft security tools. It's an Azure product, so it integrates seamlessly with tools like Microsoft Defender for Endpoint, Defender for Cloud Apps Security, and Defender for Identity. 

It collects all the logs from these solutions and correlates the data well. If I need to check a particular event or log, I can easily review this from one portal, which is something I can't do in another SIEM tool. Sentinel has a graphical view that shows every team the information they need. 

It will easily give us the entities, events, or accounts that are directly involved in any particular security alerts. It has good usability. Sentinel comes with multiple different connectors. We only need to select the log sources, and the connectors automatically load.

We can customize the visibility based on the organization's rules and policies. We establish the desired rules and log sources. Most of them are from Azure-based products, not firewalls or point system-based accounts. Initially, most of the security alerts are false positives, and we need to do some fine-tuning. 

What needs improvement?

Sentinel can be used in two ways. With other tools like QRadar, I don't need to run queries. Using Sentinel requires users to learn KQL to run technical queries and check things. If they don't know KQL, they can't fully utilize the solution. 

When we're dealing with freelancers and new employees, they often have problems analyzing some things. An expert can realize all of Sentinel's advantages, but most organizations are constantly hiring new staff, who need to learn KQL before they can use this. 

For how long have I used the solution?

I have used Sentinel for the last two years. 

What do I think about the stability of the solution?

I've never experienced lag, but it crashes sometimes. One disadvantage is that it collects tons of logs, so when we create reports, it isn't easy to download a month of reports in one day. We have to spread it out across 15 days. 

What do I think about the scalability of the solution?

The scalability is good. You can scale it out by adding other tools.

How are customer service and support?

We haven't needed to contact Microsoft support about Sentinel because we haven't had any significant downtime. Our other SIEM tools sometimes went down and we had to contact support multiple times. Sentinel always provides solid availability, and it's ready to take our logs.

Which solution did I use previously and why did I switch?

I have used IBM QRadar and Splunk. I prefer Sentinel for threat hunting because the process is more visual. QRadar and Splunk are better for user interaction. 

What other advice do I have?

I rate Microsoft Sentinel eight out of 10. I think a single-vendor strategy makes sense if you're primarily using Microsoft tools. It simplifies things because you only have one support portal, and engineers are easily accessible. If I'm working with security tools from multiple vendors, it can be hectic because the tools are made differently and have different architectures. 

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Matthew Hoerig - PeerSpot reviewer
Lead Consultant at Trustsec Inc.
Real User
Well-defined KQL queries help make threat-hunting more automated and routine
Pros and Cons
  • "There are some very powerful features to Sentinel, such as the integration of various connectors. We have a lot of departments that use both IaaS and SaaS services, including M365 as well as Azure services. The ability to leverage connectors into these environments allows for large-scale data injection."
  • "If you're looking to use canned queries, the interface could be a little more straightforward. It's not immediately intuitive regarding how you use it. You have to take a canned query and paste it into an operational box and then you hit a button... They could improve the ease of deploying these queries."

What is our primary use case?

Our use cases range from more complex configurations, looking at things like playbooks, workbooks, and threat-hunting, for which we rolled out architectures in some departments in the Government of Canada, to a more streamlined functionality and looking at things from a correlation perspective. 

We work in tandem with a couple of departments that have products called cloud sensors and those sensors feed telemetry into Sentinel. In its simplest form, we're using it for the ingestion of all that telemetry and looking for anomalies.

The anomalous behavior can include anonymous IPs and geolocation that might indicate bad actors are trying to access a system. If I'm located in Ottawa, Ontario and somebody from Russia is trying to access our tenant, that's going to be pretty suspicious.

Just like the US government has FedRAMP, there is a similar approach, here, for the Government of Canada where the funding for projects takes a cloud-first approach. Most of the departments in the government are now on some kind of cloud journey. When I look at the various projects I've worked on, every single one, to some degree, has an IaaS in Azure environment, and most of those deployments incorporate Sentinel and the log analytics workspace into the solution.

How has it helped my organization?

Sentinel helps automate the finding of important alerts as well as routine tasks. When your KQL queries are well-defined, and your threat hunting becomes more routine for parsing through a volume of ingested information, it becomes more of an established process. There would likely be some kind of documentation or procedures for how Sentinel would be managed. The idea is to catch any threat before it actually impacts your organization. Using Sentinel workbooks and playbooks and doing threat-hunting to find things before they actually affect a particular system is the optimal approach. It may depend on the size of the team that is supporting the tool and the knowledge level required to appropriately configure the tool.

I have one department that has quite a mature and robust Sentinel implementation, and they are absolutely doing that. They're using threat-hunting and the ability to create rules to be proactive.

A fully functioning Sentinel system configured properly so that you're doing advanced threat-hunting and trying to catch malware and other kinds of attacks before they impact your systems, could result in enormous cost savings if you're able to identify threats before they actually impact you. I'm sure that Sentinel has saved money for most departments in terms of forensic, digital investigations. But it would be hard for me to put a dollar figure on that. As the Government of Canada is becoming more capable of managing this system, the ability to leverage all of the bells and whistles to help to create a better security posture, and to catch things in advance, will absolutely result in dollar savings.

Similarly, for time to detection, a fully deployed Sentinel system that is properly managed and has a good, robust configuration, would absolutely save time in terms of pinpointing systems where a problem may exist, and employing alternative tools to do scans and configure reviews. But specific savings would depend on the department, the size of the team, and the configuration of the tool.

What is most valuable?

There are some very powerful features in Sentinel, such as the integration of various connectors. We have a lot of departments that use both IaaS and SaaS services, including M365 as well as Azure services. The ability to leverage connectors into these environments allows for large-scale data injection. We can then use KQL (Kusto Query Language) queries. It queries the telemetry for anomalies. The ability to parse out that information and do specific queries on it, and look for very specific things, is quite a valuable function.

The large-scale data ingestion and the ability to use KQL queries to establish connectors into various data sources provide very expansive visibility. With playbooks into which you incorporate rules, you can be very granular or specific about what you're looking for. It provides a great deal of visibility into that telemetry coming in from various services across your tenant.

In terms of data ingestion from an entire ecosystem, there might be some services for which Microsoft has not built a connector yet for Sentinel. But for most of the major services within Azure, including M365, those connectors do exist. That's a critical piece. As a SIEM, the way that it identifies anything anomalous is by correlating all those sources and searching the telemetry for anomalies. It's critical to ensure that you can ingest all that information and correlate it accordingly.

The comprehensiveness of Sentinel's security protection is highly effective and it scales well. It has the ability to do automated responses that are based on rules and on Sentinel's ability to learn more about the environment. The AI piece allows for behavioral and learning processes to take place, but the underlying logic is in the rules that you create via playbooks and workbooks. That whole functionality is highly effective, as long as you have good KQL literacy and know how and where your alerts are configured. Are they via email or SMS? There are a lot of variables for how you want or expect Sentinel to behave. It's quite a comprehensive architecture to make sure that you've got all those pieces in place. When configured properly, Sentinel is a very powerful tool, and it's very beneficial.

What needs improvement?

My only complaint about Sentinel has to do with how you leverage queries. If you have good knowledge of KQL, things are fine. But if you're looking to use canned queries, the interface could be a little more straightforward. It's not immediately intuitive regarding how you use it. You have to take a canned query and paste it into an operational box and then you hit a button. Then it does the analysis of the telemetry. If things could be improved anywhere, it might be there. They could improve the ease of deploying these queries.

For how long have I used the solution?

I have been using Sentinel since 2018.

How are customer service and support?

Sentinel is very good if you have the right support tier in place. If you don't have the right support tier, then it can become quite laborious to find a technician who is knowledgeable, because the tier-one support might be out-of-country. You have to pay for the ability to get to a senior guy who is quite knowledgeable. That's an area of cost that may be impactful to the proper operation of the tool itself. But when you do talk to somebody who's knowledgeable, it's great.

How would you rate customer service and support?

Positive

What's my experience with pricing, setup cost, and licensing?

It's expensive, but it's beneficial.

Because of the way that the Government of Canada allows access to the Azure marketplace, we don't typically employ other cloud SIEMs. However, many departments of the government use on-prem SIEMs. When I consider the licensing and the functionality for those on-prem SIEMs, Sentinel is fairly pricey. That being said, for an Azure tenant, it's really the only game in town, unless you're pulling in information or you're exporting information from Sentinel to a third-party source on-prem for further analysis or storage.

Cost-wise, Sentinel is based on the volume of information being ingested, so it can be quite pricey. The ability to use strategies to control what data is being ingested is important.

Because it's expensive, I've seen other departments that have on-prem SIEMs that reanalyze telemetry that is exported from the Azure cloud. It's not like-for-like, though.

What other advice do I have?

Many organizations leverage the MITRE ATT&CK framework. Within MITRE there are all kinds of tactics that could be brought to bear on any unsuspecting department or target. Or they align with something like OWASP. But with Sentinel, you're able to delineate what categories you want to prioritize. For anything web-based, because everything is based on APIs and is based on a web interface, you might want to prioritize OWASP-based threats. But if you look at things like APTs (advanced persistent threats) and the various bad actors that MITRE categorizes, that gives you a really good source of information in terms of what to prioritize.

There are a lot of Microsoft security products: Defender for Cloud, Security Center, Azure Monitor. On the SaaS side, we leverage Compliance Manager. And within the dashboards for M365, you've got the ability to leverage policies. For some clients I've worked on, we have things like DLP policies, to prevent unauthorized exfiltration of data. But for IaaS, where Azure typically resides, Defender for Cloud is a big one.

With the use of connectors, if you're looking to provide data telemetry from various services back into Sentinel to do threat-hunting, it is quite a straightforward process. If you're looking at things like logging and auditing and how storage accounts integrate, that's a bit more complex, but it's not rocket science. It's certainly quite feasible.

Because they're all services incorporated into Azure, and into IaaS from a broader perspective, there's fairly straightforward integration. Everything is API driven. As long as you can take advantage of that within your dashboard and your admin center, you can enable them very simply through that. If you're looking for historical data through login auditing, it's a matter of parsing through some of that information to get some of those key nuggets of information. But the broader ability to spin up a bunch of services through Azure and have them communicate and work together to build a better security posture is very straightforward.

Cloud platforms, whether Microsoft or AWS or Google, are always in flux. There are always services coming down the line, as well as updates or upgrades, and refinements to these services. Very rarely do you find a static service. When I look at the comprehensiveness of Sentinel from when I started to use it back in 2018 and through to early 2023, there have been a fair number of changes to the functionality of the tool. There are more connectors coming online all the time. It's evolving to make it more and more comprehensive in terms of what kind of information you can pull into Sentinel. It's more and more comprehensive as time goes on; the tool just improves.

Disclosure: My company has a business relationship with this vendor other than being a customer. Implementer
Victor Obahor - PeerSpot reviewer
Cyber Security Specialist at TechForce Cyber
Real User
Cloud-based solution streamlines incident response with powerful query language
Pros and Cons
  • "The query language of Microsoft Sentinel is easy to understand and use."
  • "The pricing could be improved."

What is our primary use case?

The primary use case of Microsoft Sentinel is for user and entity behaviors, detecting unauthorized access to services, identifying malicious IP addresses, and preventing brute force attacks on services. These are generic security use cases.

How has it helped my organization?

The AI-driven analytics of Microsoft Sentinel have significantly improved our customers' incident detection and response. It reduces the workload and decreases the number of tickets and incidents to triage.

What is most valuable?

The query language of Microsoft Sentinel is easy to understand and use. It allows querying across numerous agents quickly and efficiently. Being cloud-based, it does not require much hardware to utilize.

What needs improvement?

While I have not used Microsoft Sentinel extensively enough to suggest specific improvements, there is always room for improvement. The pricing could be improved, as it is considered quite expensive, especially considering the costs for workspace, Sentinel, and storage.

For how long have I used the solution?

I have been working with Microsoft Sentinel for a good three years.

What do I think about the stability of the solution?

The stability of Microsoft Sentinel is rated ten out of ten. It is considered highly stable.

What do I think about the scalability of the solution?

Microsoft Sentinel is very scalable because it is a cloud service and does not rely on our own resources. It depends on the payment capacity; however, it is considered very scalable overall.

How are customer service and support?

The customer service and support for Microsoft Sentinel are quite good. They provide numerous articles and training materials and are quick to respond, usually within an SLA of two to three hours.

How would you rate customer service and support?

Neutral

How was the initial setup?

The initial setup of Microsoft Sentinel can be challenging, with a learning curve. Configuring a workspace and adding connectors can be complex, especially for those not familiar with Azure or Microsoft. I would rate the setup around five or six out of ten.

What's my experience with pricing, setup cost, and licensing?

The pricing of Microsoft Sentinel is considered expensive, particularly due to the cloud-related costs for workspace, Sentinel, and storage.

What other advice do I have?

I am still quite new to Microsoft Sentinel, so I can't provide specific advice or recommendations. It is a good product with capabilities that might not be found in other SIEM solutions.

I'd rate the solution eight out of ten.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: My company has a business relationship with this vendor other than being a customer. consultant
IT Manager at a manufacturing company with 501-1,000 employees
Real User
Highly efficient and a time-saving solution with a single and easy dashboard in place
Pros and Cons
  • "Previously, it was a little bit difficult to find where an incident came from, including which IP address and which country. So in Sentinel, it's very easy to find where the incident came from since we can easily get the information from the dashboard, after which we take action quickly."
  • "Microsoft should improve Sentinel, considering that it cannot collect logs from legacy systems."

What is our primary use case?

We are using Microsoft Sentinel for our traditional SOC. So previously, we had multiple products, like VM products, log analytics products, and analysts. We were making so much effort to analyze incidents and events in the security operation center, after which we decide whether it's an incident or an event, and we take action. After Sentinel's implementation, it is much better and much simpler. For instance, we can now save much more time since in Sentinel, there is artificial intelligence, so the system will decide for you instead of a human. The system will learn what kind of thing you should take action on, and it will save some time since you do not need much human power. In traditional SOC systems, there were three or four people. But in Sentinel, it's much easier, and you do not need so many people in the SOC. So you will save time and keep it cost-effective.

How has it helped my organization?

Previously, we were incurring a huge cost being paid to a person. But in Sentinel, you do not hire anyone because the system provides system insights through the cloud applications. So you do not need to put in effort, or you don't need to hire senior people. So in your SOC team, there would be mid-level people, and it would be fine. Also, you do not need so many people. So, one or two people left the organization after the Sentinel implementation. So we just have an agreement with one company at a professional level since they're also managing Sentinel. We do not need to pay for the maintenance of applications. So that's also a benefit for us. So, in this case, we are only paying Sentinel yearly or annual costs.

What is most valuable?

Previously, we could not do some automation. So in Sentinel, we create some playbooks, and with some features in the playbooks, we have some capabilities. For example, when a virus enters the system, we will take action to keep the system safe. So, the machine with the virus can be automatically isolated from the network, and this might be a pretty cool feature in the solution currently.
What needs improvement?

Microsoft Sentinel has improved our entire SOC, like our log system and incident response. So we are able to quickly respond to incidents and take action. Even though Microsoft Sentinel has already improved our system, it should further improve for on-premises systems or traditional systems, especially to get or collect logs from the legacy systems. Also, Microsoft should improve Sentinel, considering that it cannot collect logs from legacy systems.

For how long have I used the solution?

I have been using Microsoft Sentinel for about six months. My company has a partnership with Microsoft.
How are customer service and support?

I have not contacted technical support.

Which solution did I use previously and why did I switch?

We are using Microsoft Intune. From the mobile device management point of view, it makes work very easy. We are just planning that with Microsoft Intune, we can easily export some logs to Sentinel to analyze them. We are not using this feature right now, but we are planning. If you are using Microsoft applications, it's very easy to integrate them with other Microsoft products.

Defender is something that we are using as an antivirus for Android applications, but we are not using it on the cloud.
What's my experience with pricing, setup cost, and licensing?

From a cost point of view, it is not a cheap product. It's, like, an enterprise-level application. So if you compare it with a low-level application, it's expensive, but if you compare it with the same-level application, it's pretty much cost-effective, I think. Because for other products, you need to purchase them by paying thousands of dollars. In Sentinel, you pay for how much you use, or you just pay for how much you consume storage, log interface, or system. It will not be a one-time cost, but it will be like a continuous rental system, where you subscribe to an application, and then you use it. That's very easy. I think the company got the solution for a long time. If you purchase some products, you need to invest in something, and it increases your investment budgeting. Many enterprises do not like investments. But this is not a one-time cost, to be honest, since continuously, we will pay. This is maybe a negative point of view, but considering from company to company, it entirely depends on a company's strategy.
What other advice do I have?

Previously, it was a little bit difficult to find where an incident came from, including which IP address and which country. So in Sentinel, it's very easy to find where the incident came from since we can easily get the information from the dashboard, after which we take action quickly.

Sentinel does provide me with the ability to set priorities on all the threats across your entire enterprise. So, it is very important because we were previously getting the service from the outside. It would be yes. Sentinel is a next-generation SOC. So, Sentinel also still develops some applications on Sentinel's site, so maybe in the next release, they will introduce a much more effective version for the company. I'm not sure how many companies use it right now. Maybe in the future, more companies will use Sentinel because its features are such that compared to the traditional SOC systems, they are not affected since the system is a cloud-based system. So it's easy to manage. Also, you don't need to care about it from an infrastructure point of view. Additionally, we don't need to take care of products, and we don't need to take care of maintenance. From a product point of view, we do not need to manage since we just need to focus on the incident event.

Right now, we are using very traditional applications, so there is no use of native Microsoft applications right now.

Sentinel enables me to ingest or collect data from my entire ecosystem, but not all of them, because some traditional applications cannot provide some data needed for export. It cannot allow you to get reports or logs from outside. It's a challenging point, so this might be an opportunity for us to change the traditional application. In traditional applications, and sometimes in IT systems, it might be very difficult to get data insight. In some cases, we need to change the application since, in traditional applications, you cannot get support. To fix it, you need to decide something, or maybe you need to decide on the application change. It might be an opportunity for you. But in the next-generation application, there is no problem. With a new application, you can easily integrate with Sentinel. In Sentinel, the negative point is just related to cloud applications. With cloud applications, maybe sometimes you cannot get data from the on-prem application. So if you use a cloud system, like Sentinel, which is a cloud system, then it's very easy. If you are using an on-prem system, Microsoft Sentinel sometimes may not be easy to integrate.

Sentinel allows me to investigate threats and respond quickly and thoroughly from just one place. It accelerates our investigation, especially our event investigation and incident investigation. Using Sentinel, we take quick actions and get quick insights after its standard implementation. So it is time-efficient.

Previously, we had no SOAR applications. In Sentinel, if you want to take action quickly, you need to create playbooks so that if something happens, you can just develop an application like a playbook in Sentinel so that if something happens, you can tell Sentinel to take action. You can freely create your own playbooks since it's very easy. In my opinion, this is the best feature of one product. Normally, you need to purchase two applications or two products. But in Sentinel, they combine everything together. This is the most beautiful feature for me.

Sentinel helps automate routine tasks and helps automate the finding of high-value alerts. We do not need to create manual operations like when our system engineers see the incident and they do a system analysis. So after Sentinel, the system analysis is not done by anyone since Sentinel can already make decisions and then take action by itself. So at this point, there's no human power. Sometimes human power is needed, but maybe eighty percent or ninety percent of the time, there is no human power needed. So, it has caused significant improvements in our entire company.

Sentinel has helped eliminate having to look at multiple dashboards and gives us just one XDR dashboard. Previously, we had to check multiple dashboards, especially in relation to whether logs were coming and other things, like incidents and events. In Sentinel, you do not need to check many dashboards. So you are just designing one dashboard, and then, on the entire dashboard, you will see everything. So, it now saves time since previously there were multiple dashboards causing our engineers and our analysts to get confused at times. So they used to ask our managers to understand better. Currently, it is very easy to understand since one needs to check in on one dashboard, and there's no confusion among the engineers. They do not need to ask anyone to understand. Apart from better understanding, it has improved our systems.

From a security point of view, you need to go with multiple vendors, but this is a traditional system. But right now, if you want to create a good security system, you need to implement each product with one vendor, because vendors currently state that, if you want to have a high-level security system, you need to implement each product on a security level from one vendor. Microsoft-level vendors offer many features, but people only just purchase or use one product, and that's all. It's not good for security infrastructure. So, you need to implement all security products from just one vendor. I think one vendor and the needed security products will be enough for a company. Sentinel is our next-generation SOC. Currently, I don't see any competitors at this level.

I rate the overall solution a nine out of ten.
Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor. The reviewer's company has a business relationship with this vendor other than being a customer: Partner
reviewer2153655 - PeerSpot reviewer
Cyber Security Analyst at a tech services company with 11-50 employees
Real User
It creates a focal point for incidents, so it's much easier to get a comprehensive view of our security posture
Pros and Cons
  • "I like the ability to run custom KQL queries. I don't know if that feature is specific to Sentinel. As far as I know, they are using technology built into Azure's Log Analytics app. Sentinel integrates with that, and we use this functionality heavily."
  • "When we pass KPIs to the governance department, there's no option to provide rights to the data or dashboard to colleagues. We can use Power BI for this, but it isn't easy or convenient. They should just come up with a way to provide limited role-based access to auditing personnel."

What is our primary use case?

We use Sentinel to monitor logs, build alarms, correlate events, and fire up specific automation boards in the event of a security incident. 

How has it helped my organization?

Sentinel creates a focal point for cybersecurity incidents, so it's much easier to correlate logs and incidents to get a more comprehensive view of our security posture. Microsoft provides many educational resources, so onboarding new people is easy. 

It took us about a month to realize the benefits of Sentinel. Integrating all the Microsoft security products into the solution was straightforward. It seamlessly integrates with Microsoft Logic Apps, so it's easy to develop custom playbooks and automate many manual tasks. 

Automation has made us more efficient and effective because we're free to focus on priority alerts. Sentinel has reduced the time spent on menial security tasks by 30-40 percent. Sentinel consolidates our dashboards into a single XDR console, one of our strategic goals. We're moving all of the data into Microsoft Sentinel to create a single point of truth for security incidents.

Microsoft provides some threat intelligence for significant incidents. They provide us with remediation and mitigation controls we can implement to react to these potential threats much faster.

What is most valuable?

I like the ability to run custom KQL queries. I don't know if that feature is specific to Sentinel. As far as I know, they use technology built into Azure's Log Analytics app. Sentinel integrates with that, and we use this functionality heavily.

Threat prioritization is a crucial feature. It already has them in order, so we know we should investigate high alerts first and move down the line to the less urgent ones. 

We use all of the other Microsoft security solutions in addition to Sentinel. They all can be integrated together seamlessly to deliver comprehensive threat detection and response. 

What needs improvement?

I would like to see additional artificial intelligence capabilities. They're already working on this with new features like Microsoft Security Copilot. This will help us investigate incidents much faster. 

When we pass KPIs to the governance department, there's no option to provide rights to the data or dashboard to colleagues. We can use Power BI for this, but it isn't easy or convenient. They should just come up with a way to provide limited role-based access to auditing personnel.

For how long have I used the solution?

I have used Sentinel for two years.

What do I think about the stability of the solution?

We haven't experienced any downtime, so I think Sentinel is highly stable. 

What do I think about the scalability of the solution?

Sentinel runs on the cloud, so it scales automatically. 

How are customer service and support?

I rate Microsoft's support a 10 out of 10. They can connect you with the developers, and you get answers quickly. 

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

I also worked with RSA enVision at my previous company. Sentinel has advantages because of its tight integration with the Microsoft ecosystem. It's effortless to set up because you don't need specific connectors. Sentinel works out of the box. It makes sense for a company that primarily works with Microsoft products to use Sentinel for security monitoring.

How was the initial setup?

Sentinel runs on the Microsoft Azure Cloud, so it was easy to set up. It took about two days to set it up. You start by integrating the Microsoft security solutions using the available connectors and move on to the firewall, SysTalk databases, and application-specific logs. 

It's a bit more complicated to come up with custom rules and alarms, so that's the last part of our implementation strategy. We completed the deployment with two or three people and the help of Microsoft support. Because Sentinel is deployed in the cloud, it doesn't require any maintenance. 

What was our ROI?

Our ROI comes from automating lots of tasks. 

What's my experience with pricing, setup cost, and licensing?

Microsoft Sentinel is pretty expensive, and they recently announced that they will increase the price of all Microsoft services running in Azure by 11 percent. Luckily, I'm not responsible for the financial side. For one of my clients, the estimated cost is 880,000 euros for one year. There are additional costs for the service agreement. 

What other advice do I have?

I rate Microsoft Sentinel an eight out of ten. I recommend taking advantage of the virtual training before you implement Sentinel. Familiarize yourself with the product, dashboards, features, integration, etc., before you decide to use it. 

A single-vendor strategy is preferable because it's easier to integrate the products. Otherwise, it can get complicated.

Which deployment model are you using for this solution?

Public Cloud

If public cloud, private cloud, or hybrid cloud, which cloud provider do you use?

Microsoft Azure
Disclosure: My company does not have a business relationship with this vendor other than being a customer.
Updated: June 2025