Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution that lets you see and stop threats before they cause harm. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs while reducing IT costs. With Microsoft Sentinel, you can:
According to the reviews, Microsoft Sentinel's most valuable features include its cloud-based and scalable architecture, automation capabilities with custom playbooks, and the flexibility to run custom KQL queries for data analysis.
Users appreciate the easy integration with various data sources through connectors, as well as the comprehensive visibility and effective threat detection capabilities. Sentinel's seamless integration with the Microsoft ecosystem provides a unified security approach. The solution enables data ingestion from both Microsoft and non-Microsoft sources, offering comprehensive monitoring capabilities.
Additionally, Sentinel includes built-in SOAR capabilities for automated incident response, along with threat intelligence and proactive threat hunting features to improve overall security posture.
Key areas for improvement in Microsoft Sentinel include support for on-premises systems, AI capabilities, user access management, GUI usability, query interface, third-party integration, customization options, reporting and analytics, onboarding process, data ingestion, and EDR integration.
Microsoft Sentinel has provided a positive return on investment (ROI) for users. The automation capabilities, integration with other products, and reduction in manual tasks have helped save time and reduce workload.
The solution has also improved security posture, compliance, and revenue generation for companies. Users have mentioned cost savings, reduction in staff, and quicker detection and response to threats.
The pricing for Microsoft Sentinel is described as relatively expensive, confusing, and not straightforward. It is seen as an enterprise-level application, making it cost-effective compared to other products at the same level. The pricing is based on how much is used or consumed, rather than a one-time cost. There are additional costs for service agreements and data storage.
The pricing is reasonable when considering the features included and the ability to integrate with other enterprise technologies. However, it can be costly for small-scale businesses and may require careful cost estimation and planning.
The primary use cases of Microsoft Sentinel include:
1. MSSP and threat detection engineer: Used by a Managed Security Service Provider (MSSP) and threat detection engineer for security monitoring and incident management.
2. Traditional SOC: Replacing multiple products with Microsoft Sentinel to simplify incident and event analysis in a Security Operations Center (SOC), saving time and reducing the need for manpower.
3. Log monitoring and alarm building: Used to monitor logs, build alarms, correlate events, and automate security response in the event of a security incident.
4. MSSP solution and integration with MISP: Proposed as an MSSP solution to clients, integrated with MISP (an open-source threat intelligence sharing platform) to create a comprehensive solution for various sectors.
5. Complex configurations and threat hunting: Deployed in Government departments for threat hunting and correlation of telemetry data to identify anomalies and potential security threats.
6. Integration with Microsoft Defender products: Integrated with Microsoft Defender for Endpoint, Microsoft 365 Defender, and Exchange Online to track and analyze security incidents and threats.
7. Automated security management: Utilized to automate security processes, manage events, and provide AI-based predictions and analysis of security threats.
8. SIEM solution for Security Operations Center (SOC): Used as the primary tool in a Security Operations Center (SOC) for security monitoring, incident management, and threat detection.
9. Correlating logs and automating tasks: Used to correlate logs, automate security tasks, and provide a centralized point for log information.
10. Monitoring cloud environments and infrastructure: Used to monitor cloud environments, detect anomalies, and protect against cyber attacks and vulnerabilities.
11. Managed security services: Utilized by a Managed Security Service Provider (MSSP) to offer security services, threat detection, and security incident management to clients.
12. Integration with multiple vendors and environments: Integrated with various third-party vendors and data sources to provide a comprehensive view of security incidents and threats across different environments.
13. Centralized log aggregation and security management: Used for centralized log aggregation, security management, and unified security management across hybrid environments.
14. Security analytics and incident response: Leveraged for security analytics, proactive incident response, and coordination with other Microsoft security products.
15. Security information and event management (SIEM): Used as a SIEM tool to monitor and analyze security events, raise incidents, and enhance security posture.
The customer service and support of Microsoft Sentinel have received mixed reviews. Some customers have had positive experiences, stating that the support is responsive, helpful, and knowledgeable. They appreciate the quick response time and the ability to connect with developers for prompt answers. Upgraded support tiers, such as premium support, are highly regarded for their effectiveness.
However, there are also customers who have faced challenges with support. They mention that basic support may have longer wait times and less knowledgeable technicians, especially in tier-one support. Some customers note they have to pay extra for access to senior technicians with in-depth knowledge.
The initial setup for Microsoft Sentinel is generally straightforward and easy. It can be done within a few minutes to a couple of days, depending on the complexity of the environment and the number of resources being integrated.
Integrating Microsoft security solutions and other connectors is relatively simple; however, customizing rules and alarms may require more expertise. The deployment process is smooth, especially for cloud-based environments, and maintenance is minimal because Microsoft handles updates and server roles.
Some users recommend seeking assistance from service providers or specialists for customization and optimization. There are some users who mention that the setup can be complex, especially when connecting to certain servers or third-party solutions.
Microsoft Sentinel is highly scalable, as it runs on the cloud and can automatically scale up or down based on the needs of the user. It offers a scalable model with options for log retention and data limitation, allowing users to control costs. It can handle large volumes of data without any issues.
Users have reported that Sentinel is capable of handling big data and can adapt to the needs of large organizations with thousands of users. The solution is also praised for its continuous development and introduction of new features based on customer feedback.
Microsoft Sentinel is highly stable according to the reviews. Users have experienced very few or no outages, and any issues that have occurred have been promptly addressed by Microsoft. The stability of Sentinel is attributed to it being a cloud-based solution managed by Microsoft.
Users have also praised the reliability and performance of the solution, with some rating it as highly stable and giving it a nine out of ten for reliability.
- Collect data at cloud scale—across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds
- Detect previously undetected threats and minimize false positives using analytics and unparalleled threat intelligence from Microsoft
- Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft
- Respond to incidents rapidly with built-in orchestration and automation of common tasks
To learn more about our solution, ask questions, and share feedback, join our Microsoft Security, Compliance and Identity Community.
Microsoft Sentinel was previously known as Azure Sentinel.
Microsoft Sentinel is trusted by companies of all sizes including ABM, ASOS, Uniper, First West Credit Union, Avanade, and more.