Microsoft Sentinel is a scalable, cloud-native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) solution that lets you see and stop threats before they cause harm. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. It eliminates security infrastructure setup and maintenance and scales elastically to meet your security needs while reducing IT costs.
The most valuable features of Microsoft Sentinel, according to the reviews, are:
- Cloud-based and scalable: The fact that it is cloud-based allows for easy scalability and eliminates the need for on-premise infrastructure upgrades.
- Automation and playbooks: Users can create custom playbooks and automate actions based on specific events, improving efficiency and response time.
- Custom KQL queries: The ability to run custom KQL queries provides flexibility in data analysis and investigation.
- Data connectors: Microsoft Sentinel provides easy integration with various data sources, making it simple to collect and analyze logs from different platforms.
- Visibility and threat detection: Sentinel offers comprehensive visibility into threats, allowing users to prioritize and investigate high-priority alerts first. The threat detection capabilities are highly effective.
- Integration with Microsoft ecosystem: Sentinel seamlessly integrates with other Microsoft security solutions, providing a unified security approach and comprehensive threat detection and response.
- Ease of use and user-friendly interface: The UI design and investigation features of Sentinel are user-friendly and intuitive.
- Data ingestion and ecosystem coverage: Sentinel enables ingestion of data from the entire ecosystem, including both Microsoft and non-Microsoft sources, providing comprehensive visibility and monitoring capabilities.
- SOAR capabilities: Sentinel includes built-in SOAR capabilities, allowing for automated incident response and playbooks.
- Threat intelligence and threat hunting: The solution offers threat intelligence and the ability to proactively hunt for threats, improving overall security posture.
Improvements needed for Microsoft Sentinel include:
- Cost: The product is considered expensive compared to other options on the market.
- On-premises system support: It should improve its capabilities for collecting logs from legacy systems and traditional on-premises systems.
- Additional artificial intelligence capabilities: Users would like to see more AI features to enhance incident investigation.
- User access and permissions: There should be an option to provide limited role-based access to auditing personnel for data and dashboard sharing.
- GUI functionality: The graphical user interface could be more user-friendly and intuitive.
- Query interface: The interface for leveraging queries could be more straightforward, especially for users who are not familiar with KQL.
- Integration with third-party tools: More connectors should be available to improve integration with non-Microsoft products.
- Customization and flexibility: Users want more built-in rules, connectors, and features for customization.
- Reporting and analytics: The reporting functionality needs improvement, along with better compatibility with non-Microsoft products like AWS and GCP.
- Simplified onboarding process: Creating rules and connectors can be time-consuming and complex, requiring multiple clicks.
- Log ingestion: Some users have experienced delays in data ingestion, which could be improved.
- EDR integration: The process of onboarding devices for EDR can be cumbersome, especially for different operating systems.
- Alert enrichment: Users would like more data enrichment in alerts, including information about why an activity is flagged as malicious.
- Dashboard integration: The multiple dashboards and interfaces can be overwhelming, and users would prefer a more streamlined experience.
- Filtering and noise reduction: There is a need for better filtering of irrelevant issues and reducing alert fatigue.
- Documentation and support: Users would like more comprehensive documentation and resources, especially for non-Microsoft platforms and SOAR solutions.
Microsoft Sentinel has provided a positive return on investment (ROI) for users. The automation capabilities, integration with other products, and reduction in manual tasks have helped save time and reduce workload.
The solution has also improved security posture, compliance, and revenue generation for companies. Users have mentioned cost savings, reduction in staff, and quicker detection and response to threats.
The pricing for Microsoft Sentinel is described as relatively expensive, confusing, and not straightforward. It is seen as an enterprise-level application, making it cost-effective compared to other products at the same level. The pricing is based on how much is used or consumed, rather than a one-time cost. There are additional costs for service agreements and data storage.
The pricing is reasonable when considering the features included and the ability to integrate with other enterprise technologies. However, it can be costly for small-scale businesses and may require careful cost estimation and planning.
The primary use cases of Microsoft Sentinel include:
1. MSSP and threat detection engineer: Used by a Managed Security Service Provider (MSSP) and threat detection engineer for security monitoring and incident management.
2. Traditional SOC: Replacing multiple products with Microsoft Sentinel to simplify incident and event analysis in a Security Operations Center (SOC), saving time and reducing the need for manpower.
3. Log monitoring and alarm building: Used to monitor logs, build alarms, correlate events, and automate security response in the event of a security incident.
4. MSSP solution and integration with MISP: Proposed as an MSSP solution to clients, integrated with MISP (an open-source threat intelligence sharing platform) to create a comprehensive solution for various sectors.
5. Complex configurations and threat hunting: Deployed in Government departments for threat hunting and correlation of telemetry data to identify anomalies and potential security threats.
6. Integration with Microsoft Defender products: Integrated with Microsoft Defender for Endpoint, Microsoft 365 Defender, and Exchange Online to track and analyze security incidents and threats.
7. Automated security management: Utilized to automate security processes, manage events, and provide AI-based predictions and analysis of security threats.
8. SIEM solution for Security Operations Center (SOC): Used as the primary tool in a Security Operations Center (SOC) for security monitoring, incident management, and threat detection.
9. Correlating logs and automating tasks: Used to correlate logs, automate security tasks, and provide a centralized point for log information.
10. Monitoring cloud environments and infrastructure: Used to monitor cloud environments, detect anomalies, and protect against cyber attacks and vulnerabilities.
11. Managed security services: Utilized by a Managed Security Service Provider (MSSP) to offer security services, threat detection, and security incident management to clients.
12. Integration with multiple vendors and environments: Integrated with various third-party vendors and data sources to provide a comprehensive view of security incidents and threats across different environments.
13. Centralized log aggregation and security management: Used for centralized log aggregation, security management, and unified security management across hybrid environments.
14. Security analytics and incident response: Leveraged for security analytics, proactive incident response, and coordination with other Microsoft security products.
15. Security information and event management (SIEM): Used as a SIEM tool to monitor and analyze security events, raise incidents, and enhance security posture.
The customer service and support of Microsoft Sentinel have received mixed reviews. Some customers have had positive experiences, stating that the support is responsive, helpful, and knowledgeable. They appreciate the quick response time and the ability to connect with developers for prompt answers. Upgraded support tiers, such as premium support, are highly regarded for their effectiveness.
However, there are also customers who have faced challenges with support. They mention that basic support may have longer wait times and less knowledgeable technicians, especially in tier-one support. Some customers note they have to pay extra for access to senior technicians with in-depth knowledge.
The initial setup for Microsoft Sentinel is generally straightforward and easy. It can be done within a few minutes to a couple of days, depending on the complexity of the environment and the number of resources being integrated.
Integrating Microsoft security solutions and other connectors is relatively simple; however, customizing rules and alarms may require more expertise. The deployment process is smooth, especially for cloud-based environments, and maintenance is minimal because Microsoft handles updates and server roles.
Some users recommend seeking assistance from service providers or specialists for customization and optimization. There are some users who mention that the setup can be complex, especially when connecting to certain servers or third-party solutions.
Microsoft Sentinel is highly scalable, as it runs on the cloud and can automatically scale up or down based on the needs of the user. It offers a scalable model with options for log retention and data limitation, allowing users to control costs. It can handle large volumes of data without any issues.
Users have reported that Sentinel is capable of handling big data and can adapt to the needs of large organizations with thousands of users. The solution is also praised for its continuous development and introduction of new features based on customer feedback.
Microsoft Sentinel is highly stable according to the reviews. Users have experienced very few or no outages, and any issues that have occurred have been promptly addressed by Microsoft. The stability of Sentinel is attributed to it being a cloud-based solution managed by Microsoft.
Users have also praised the reliability and performance of the solution, with some rating it as highly stable and giving it a nine out of ten for reliability.
With Microsoft Sentinel, you can:
- Collect data at cloud scale, across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds
- Detect previously undetected threats and minimize false positives using analytics and unparalleled threat intelligence from Microsoft
- Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft
- Respond to incidents rapidly with built-in orchestration and automation of common tasks
To learn more about our solution, ask questions, and share feedback, join our Microsoft Security, Compliance and Identity Community.
Microsoft Sentinel was previously known as Azure Sentinel.
Microsoft Sentinel is trusted by companies of all sizes including ABM, ASOS, Uniper, First West Credit Union, Avanade, and more.