Microsoft Sentinel (formerly Azure Sentinel)
Overview
What is Microsoft Sentinel?
Microsoft Sentinel (formerly Azure Sentinel) is designed as a bird's-eye view across the enterprise. It is presented as a security information and event management (SIEM) solution for proactive threat detection, investigation, and response.
One stop solution for all security needs. Transforming Security with AI and Automation
A cloud and ML powered Sentinel to watch and catch all the suspicious activities!
Microsoft Sentinel Review
Microsoft Sentinel Review
Surpassingly really good tool and a very interactive dashboard
SIEM means Sentinel
Why you should start using Microsoft Sentinel today.
Sentinel: Your one stop SIEM for cloud for Bird's Eyes by MS.
Microsoft Sentinel, the scalable cloud-native SIEM platform
Unleashing the Power of Data for Seamless Security Investigations
Review of Microsoft Sentinel
Excellent cloud security solution with intelligent analytics and automation offered by Microsoft.
A big SIEM or a little SOAR?
Microsoft Sentinel Review
How Microsoft Sentinel Differs From Its Competitors
Sources
Microsoft Entra ID
AWS CloudTrail
Cisco AMA
Atlassian Jira
Azure SQL Databases
Forcepoint DLP
Microsoft 365
Microsoft Defender Threat Intelligence
Microsoft Purview Information Protection
Microsoft Defender for Cloud
Windows Firewall
Trend Micro TippingPoint
Service Now
Workday
Threat …
AI and ML
Other prominent use of machine learning comes in detecting user behaviour analytics that defines baseline on user behaviors from the …
Investigation Tools
We also make an efficient use of …
Sources
Third party products include Workday, Google Workspaces, …
AI and ML
While I have a very limited experience with using Azure Open AI in the incident through playbooks, it surely …
Sources
On-Premises Identity events
Azure platform events
Defender and other Microsoft products
On-premises appliances
Linux events
This same counts towards Azure activity, Azure VMs and …
AI and ML
Next to that we use the Fusion rules that will detect multi-stage attack scenarios
Sentinel notebooks are not used a lot at this moment, because of the learning curve
Sources
- Microsoft 365 Services: Data from Microsoft 365 services, including Exchange Online, SharePoint, Teams, and Azure Active Directory, were ingested to monitor email, document, and user activities.
- Azure Services: Data …
Investigation Tools
Impact: Analysts quickly retrieved relevant data, which resulted in reducing the time it takes to gather evidence and establish the scope of …
Popular Features
- Centralized event and log data collection: 8.3 (83%, 17 ratings)
- Correlation: 7.8 (78%, 17 ratings)
- Event and log normalization/management: 7.8 (78%, 17 ratings)
- Custom dashboards and workspaces: 7.1 (71%, 17 ratings)
Pricing
Tier | Price |
---|---|
Azure Sentinel | $2.46 |
100 GB per day | $123.00 |
200 GB per day | $221.40 |
Entry-level set up fee?
- No setup fee
Offerings
- Free Trial
- Free/Freemium Version
- Premium Consulting/Integration Services
Product Demos
Microsoft Sentinel: Monitoring health and integrity of analytics rules
Features
Security Information and Event Management (SIEM)
Security Information and Event Management is a category of security software that allows security analysts to look at a more comprehensive view of security logs and events than would be possible by looking at the log files of individual, point security tools
- Centralized event and log data collection: 8.3 (17 ratings). Effectiveness of real-time centralized event and log data collection.
- Correlation: 7.8 (17 ratings). Correlation of logs and events to pinpoint significant threats.
- Event and log normalization/management: 7.8 (17 ratings). Ability to normalize event syntax so that logs can be compared and are machine-understandable.
- Deployment flexibility: 8.1 (16 ratings). Ability to tune the system to maximize threat detection and minimize false positives.
- Integration with Identity and Access Management Tools: 7.8 (16 ratings). Integration with access control tools like Active Directory and LDAP.
- Custom dashboards and workspaces: 7.1 (17 ratings). Dashboards that can be customized to meet the needs of specific groups.
- Host and network-based intrusion detection: 7.6 (13 ratings). Ability to detect both endpoint intrusion and network ingress.
- Data integration/API management: 8.1 (16 ratings). Ease and quality of data integrations between the SIEM and other systems.
- Behavioral analytics and baselining: 8 (15 ratings). How effectively activity and behavior baselines are established and maintained.
- Rules-based and algorithmic detection thresholds: 7.8 (16 ratings). Effectiveness of manually established rules and algorithmically determined detection thresholds.
- Response orchestration and automation: 8.2 (16 ratings). Quality of built-in response orchestration and automation in next-gen SIEM.
- Reporting and compliance management: 9 (4 ratings). Ease and quality of reporting and compliance functions.
- Incident indexing/searching: 7.6 (16 ratings). Effectiveness of searching across structured and unstructured events and incidents within the SIEM.
Product Details
What is Microsoft Sentinel?
Helps users to protect the digital estate: Secures the digital estate with scalable, integrated coverage for a hybrid, multicloud, multiplatform business.
Microsoft intelligence to Empower SOC: Optimizes SecOps with advanced AI, security expertise, and threat intelligence.
Detection, investigation and Response: A unified set of tools to monitor, manage, and respond to incidents.
Cost of ownership: A cloud-native SaaS solution to reduce infrastructural costs.
Microsoft Sentinel Features
Security Information and Event Management (SIEM) Features
- Supported: Centralized event and log data collection
- Supported: Correlation
- Supported: Event and log normalization/management
- Supported: Deployment flexibility
- Supported: Integration with Identity and Access Management Tools
- Supported: Custom dashboards and workspaces
- Supported: Host and network-based intrusion detection
- Supported: Log retention
- Supported: Data integration/API management
- Supported: Behavioral analytics and baselining
- Supported: Rules-based and algorithmic detection thresholds
- Supported: Response orchestration and automation
- Supported: Incident indexing/searching
Microsoft Sentinel Technical Details
Detail | Value |
---|---|
Deployment Types | Software as a Service (SaaS), Cloud, or Web-Based |
Operating Systems | Unspecified |
Mobile Application | No |
Reviews and Ratings (73 attribute ratings)
Reviews
- It detects any suspicious activity very well.
- They have internal ML models that are well-trained to analyze user behavior, such as if a user logs in from different locations multiple times within a short time interval.
- We can set automation rules, e.g., to detect a particular suspicious activity, we can define a set of protocols that it will follow automatically.
- It is very complex to integrate, and it took us three months to incorporate that, too. We first went live with partial services only.
- The learning curve for new employees is difficult.
- Customizing the sensitivity of alerts is impossible (To the best of my knowledge). Hence, sometimes it gives false alerts.
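As an added illustration of the behaviour the reviewer describes above (this is not the reviewer's own query and not one of Sentinel's built-in rules), the following KQL query over the Microsoft Entra ID `SigninLogs` table flags accounts that signed in successfully from more than one country within the same hour. The one-hour window and the two-country threshold are assumptions chosen for the example and would be tuned per tenant.

```kusto
// Added example, not from the review: accounts with successful sign-ins from
// more than one country inside the same one-hour bin, a simple baseline check
// of the "different locations in a short interval" kind. The window size and
// the threshold are assumptions for illustration, not recommended values.
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == "0"                     // "0" = successful sign-in
| where isnotempty(Location)                  // Location holds the country code
| summarize
    Countries = make_set(Location),
    CountryCount = dcount(Location),
    SourceIPs = make_set(IPAddress),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserPrincipalName, Window = bin(TimeGenerated, 1h)
| where CountryCount > 1
| project UserPrincipalName, Window, CountryCount, Countries, SourceIPs, FirstSeen, LastSeen
| order by CountryCount desc, Window desc
```

Run it from the Logs blade first to see how noisy it is in your tenant; the usual tuning before saving it as a scheduled analytics rule is to exclude known VPN or proxy egress ranges via a watchlist and to widen or narrow the bin size.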
- Detection of cyber threats, malware, suspicious activities, etc. across the whole IT environment.
- Streamlining the process of identifying and responding to security incidents, minimizing their impact
- Real-time monitoring
- Price is on the higher side compared to competing products.
- The process of onboarding and connecting with the system could be simplified.
- If software is hosted anywhere other than Azure, integration takes a bit of time.
- Difficult to work with KQL. Enhanced support for more standard query languages, like SQL, could be beneficial.
- Sentinel is particularly good at covering a wide variety of use cases for incident detection and threat hunting by using KQL queries. Some of them also work in detecting more than one attack vector and scenario.
- Sentinel is one of THE best when it comes to displaying information through dashboards, or what we call 'workbooks'. And if that's not enough, there is an unlimited possibility of creating your own through the extensive customizations available.
- Sentinel is a seamless SOAR platform that offers an interactive UI for creating playbooks that do all the manual and repetitive tasks in response to incidents, saving a lot of time for the security analysts and improving the mean time to triage.
- Sentinel accepts a variety and a large number of connections as data sources, which makes it a preferable choice for a SIEM consolidating and analyzing all the data in a central place.
- Sentinel has a lot of work to do in terms of scaling. MSSPs like us around the world are relying on just workarounds for a lot of customer asks and it is high time that Sentinel stops relying on only workbooks when we talk about multi-instance capabilities.
- Sentinel should improve the threat hunting UI and capabilities a bit to be able to accommodate more complex scenarios.
- Sentinel needs to work on its pricing structure a bit more to become affordable and a sensible option for large enterprises.
Sentinel is well suited for the requirement of a cloud native SIEM+SOAR platform which is easy to deploy and less complex to administrate.
Sentinel is a great choice especially when there are other Microsoft security tools being employed due to its easy and seamless integrations.
Sentinel is well suited for scenarios where automation of security incidents is required with minimal code development.
Microsoft Sentinel Review
- It does normalize data very well and allows us to do very quick searching of it in order to do threat hunting and follow-ups on detections with investigations.
- I think it could be a little easier to use for SOC employees to navigate quicker to the information that's necessary in order to make an investigation go faster.
Microsoft Sentinel Review
- Office 365 Alerting
- Entra Alerting
- Suspicious FW activity
- More integration for other systems
- Not easy to provide alerting telemetry
- Not clear for FW alerts
Surpassingly really good tool and a very interactive dashboard
- Integration with Intune is out of the box
- Integration with Microsoft Defender for Endpoint
- We don't use the egress data, but this could be a very expensive cloud cost for other organizations out there
- The popularity is increasing, but you might end up in vendor lock-in
For those in a mixed environment, you might have to think about the YoY cost, especially as this is a cloud-native application. If the application is only being used to consume data, there will be nothing to worry about, but once the data is being transported for other purposes, the overall cost needs to be calculated meticulously.
SIEM means Sentinel
- Sentinel is by far the most efficient tool in supporting the highest number of solutions and products when it comes to data connection (or ingestion) and that too in the least complex manner possible. Most of the data connectors in Sentinel are very easy to configure and deploy.
- Incident Management is undoubtedly one of the main USPs of Sentinel. With an easy-to-use UI, variety of utilities (adding tasks, manual triggering of playbooks, activity logs etc.) and provision of having an investigation map from the incident details page, Sentinel clearly stands out in this area.
- I personally love the feature of integrating 'Threat Intelligence' into Sentinel from a free and one of the most reliable sources, Microsoft itself. This not only saves time for an analyst in checking the reputation of an entity but also allows action to be taken on suspicious entities at the earliest.
- 'Notebook' has always been a very hard-to-use feature for me in Sentinel. From my experience, there have been very select use cases for this feature across the industry.
- 'Entity Behavior' has some scope to be improved further, since it is a feature that gives some useful insights but needs to be accessed separately. I think it should be reworked in a way that lets it be used within the incident investigation page.
- I'd like to see a more user-friendly version of the 'Content Hub' menu, which was the earlier version! The new UI is somewhat confusing to use and is dependent on a lot of filters being applied, which do not even last for a single session. With each refresh, we have to apply the filters again.
Sentinel is a very good tool for log analysis and event management purposes as well. With KQL and ASIM parsers, organizations can retrieve invaluable insights even from the most complex data.
And of course, Sentinel is a great choice for automating the incident response process to a very good extent.
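To show what the reviewer means by retrieving insights with KQL and ASIM parsers, here is an added example (not the reviewer's own query) that uses the ASIM `_Im_Authentication` unifying parser so that failed logons from every normalized source (Windows, Linux, Entra ID, network appliances) are counted in one place with one set of column names. It assumes the ASIM Authentication parsers are installed in the workspace; the 10-minute bin and the threshold of 20 failures are assumptions for illustration.

```kusto
// Added example, not from the review: failed authentications per target user
// across every source normalized by the ASIM Authentication schema.
// Assumes the ASIM Authentication parsers are deployed in the workspace;
// bin size and threshold are assumptions chosen for illustration.
_Im_Authentication(starttime=ago(1d), endtime=now())
| where EventResult == "Failure"
| summarize
    Failures = count(),
    Vendors = make_set(EventVendor),             // which products contributed
    Products = make_set(EventProduct),
    SrcIPs = make_set(SrcIpAddr, 10),            // cap the set at 10 entries
    SrcHosts = make_set(SrcHostname, 10)
    by TargetUsername, Window = bin(TimeGenerated, 10m)
| where Failures >= 20
| order by Failures desc
```

Because the parser presents the same column names regardless of the source, the same query serves on-premises Windows event logs and cloud identity logs without per-source rewriting; the `Vendors` and `Products` sets tell the analyst immediately which log pipelines fed a given spike. For production use, schedule it as an analytics rule and exclude known vulnerability scanners or service accounts through a watchlist rather than by editing the query for each exception.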
Why you should start using Microsoft Sentinel today.
- Correlating Security Data.
- Automated response.
- Threat Intelligence mapping.
- Performance on data ingestion.
- Performance on query data.
- Normalizing data.
Sentinel: Your one stop SIEM for cloud for Bird's Eyes by MS.
- Parsing and Normalization of cloud-based log sources provided by Microsoft
- Cheaper license cost compared to the traditional SIEMs.
- Interactive UI.
- Searching for logs is a little tedious due to scripting commands.
- Creating use cases can be a little bit more friendly.
- Non-Microsoft product pairing can be made a little easier.
Microsoft Sentinel, the scalable cloud-native SIEM platform
- It has a native integration with all Microsoft products, from Entra to Azure, Microsoft 365
- Being built upon native Azure functionality benefits in automation and infrastructural solutions
- The KQL language is relatively easy to learn and powerful.
- Microsoft is listening very carefully to the customers and develops new functionality at a fast pace
- The solution can become very expensive when not used in an effective way
- The SOAR functionality can be more powerful compared to other products
- Ingestion delays are not often clear and have to be taken care of thoroughly
When companies have no Microsoft footprint it can still be an excellent product, but it lacks integration, and UEBA/Fusion have little or no additional value.
Compared with other SIEM solutions it is a very good product, but keep in mind that using Microsoft products will get you on the right track out of the box
1. Centralized Security Data Collection : Microsoft Sentinel team configured the tool to collect security data from all the different cloud providers, on-premises servers, and security tools used by the organization. Azure Sentinel's extensive connectors and integrations ensured comprehensive data collection.
2. Security Analytics and Threat Detection: The implemented platform used built-in and custom detection rules to analyze the collected data for signs of suspicious or malicious activities. Machine learning algorithms and threat intelligence integration enhanced the organization's ability to identify threats.
3. Incident Investigation and Response: Security analysts used the centralized dashboard to investigate security incidents. Automated playbooks were then created to streamline incident response, allowing the organization to respond to threats more efficiently.
4. Compliance and Reporting: Azure Sentinel provided out-of-the-box compliance reports and templates, which helped the organization demonstrate compliance with industry-specific regulations. Custom reports and queries were also created to address specific compliance requirements.
- Enhanced Threat Visibility: Centralized data collection provided a comprehensive view of security events and incidents across their entire environment, improving threat visibility.
- Rapid Threat Detection and Response: The platform's analytics and automation capabilities enabled the organization to detect and respond to threats more quickly and effectively, reducing the impact of security incidents.
- Improved Compliance: Azure Sentinel's reporting and compliance features assisted the organization in meeting industry-specific compliance requirements, also reducing the risk of regulatory fines and legal consequences.
- Complexity of the tool's query language
- Unnecessary alerts and false positives
- Rare issues with data ingestion
Review of Microsoft Sentinel
- Threat Detection and faster Analysis
- Security Automation and architecture improvement
- Onboarding and integration with client/our system can be simplified so that it can be used by everyone.
- Integration takes longer if software is hosted outside.
- The logs of software hosted in-house have room for improvement
Excellent cloud security solution with intelligent analytics and automation offered by Microsoft.
- It interacts easily with Azure, Active Directory, and log analytics, and it can route data via Sentinel as well as establish alerts and other workflows to respond to possible security concerns.
- It features a highly user-friendly UI that makes it simple to operate the platform, and KQL is simple to use while studying logs.
- It is one of the greatest platforms for a fully cloud deployment, which improves productivity. It can evaluate vast amounts of data quickly and is incredibly productive.
- It takes some time to learn how to use and install it properly, and it does not connect effectively with external PaaS systems such as Salesforce CRM, Salesforce Commerce Cloud, and so on.
- Microsoft can simplify the display of the logs to make them easier to study, and the user interface occasionally delays, which can also be enhanced.
A big SIEM or a little SOAR?
- KQL Query language is easy to learn and very powerful once mastered.
- A continuously growing list of connectors allows the integration of hundreds of technologies.
- Microsoft Sentinel provides the best integrations with Microsoft's products.
- Like many Microsoft products, the solution can lose its effectiveness in non-Microsoft environments.
- It's not the most cost-effective solution out there.
- False positives are something that really needs to be addressed when confronting Microsoft Sentinel.
Microsoft Sentinel Review
- It's pretty good. We're working with other Microsoft products for sure. If you've got Outlook 365, it worked really well with that. If you have the whole Microsoft Suite and you've got it properly tuned up, it does pretty well at catching things. It's very intuitive. It's very quick at being able to quarantine assets that might've been compromised, in a quick manner, without having to go through a whole bunch of red tape and try to find a whole bunch of people or admins to be able to help you do your job or whatnot.
- Making it able to talk with other tools outside of Microsoft would be something that would work really well with it. I know a lot of organizations utilize Splunk, and it seems like trying to get the Microsoft product to talk to Splunk is always a big issue, especially with Sentinel, 365 Defender, and stuff like that. So having it be able to speak to other vendors' tools would definitely help out, because nobody wants to just use one tool suite: one tool suite might miss one thing, then another one might pick it up. Having them all talk to each other and all be able to be automated would definitely be a big help to any security-positive organization.
Microsoft Sentinel Review
- It's good in the form of the integration with the Microsoft native products like Defender or Office 365 and some of the queue, the complete visibility, because if we are using the Microsoft product suite as the operating system on the endpoint and Microsoft Defender and those things, then it is complete end-to-end visibility, not just as a SIEM but complete visibility of our identity. We also have Azure ready. It gives more visibility: the users, the endpoint, and my SaaS services like Teams or, I can say, Outlook. I get good visibility, and the next good thing is I can mitigate the threat in real time. I can write the playbook and I can do the hunting. One of the good things with Defender, I see the hunting in the playbooks. So my analysts have one place from where they can do the monitoring, triage, response, and mitigation.
- Some of the integration though it provides integration to most of the technologies, but I still think it is a scope of integration, scope for implementing the integration area so that I can integrate all the design sources to the central. Right now I experienced some challenges with my team with that.
Microsoft Sentinel Review
- It really does do a very good job of collecting end user data or end user and device data to correlate against.
- Their UEBA really needs to grow out of the Microsoft space.
- I think they need to be a little bit more friendly using their workbooks, so that's probably where I see it should grow.
Microsoft Sentinel Review
- It handles a lot of data. It works fast, it's easy to understand. It's the integrations with all the products, the APIs, Defender with Office 365, with Azure AD. It's got some great integrations.
- I think that the handling of ingestion delays and time generated, I think that's currently the main issue because you get some data that comes in later, and some data comes way later, so you have to correlate it and it can be a bit of a hassle to make sure to align the right data with each other.
Microsoft Sentinel
- Ability to correlate data in near real-time and then provide that to our SOC team to then take that information and verify whether or not there's an actual active threat within the organization or a customer's organizations. So that's something that does particularly well.
- I think some of it is just around the clarity of the information. Sometimes it's not super specific, so having the ability to get more information from the links provided I think would help.
Microsoft Sentinel Review
- Getting incidents from other applications like Cisco, Meraki, or Umbrella and then ingesting the logs, creating the incident and notification of course, like playbooks.
- Data connectors, for example, Cisco Umbrella. It's either grab all the logs or nothing. We just want to grab certain logs from Umbrella. We can't do it. We have to do a custom data connector. It's just a lot of work for customers.
Microsoft Sentinel Review
- I think what it does best is the community aspect of it, which means it's already integrated in the platform. You can just click and select stuff you like, and it is created by other professionals. I think that's what it does best, and it's really easy to integrate into your existing environment.
- I think it has room for improvement in its ease of use. It's not hard to use, but for someone who doesn't even have someone that shows you everything, at first it could be hard because you don't know what some of the names are. If you don't know it, you could get confused, like with a playbook. If you don't know what the playbook is, you could be mistaken.
- Advanced analytics and machine learning algorithms
- Easy to deploy, manage, and update
- Huge list of out-of-the-box dashboards, reports and automation playbooks
- Query language is quite difficult
- Automation playbooks sometimes have false positive alerts/responses
1. Network-based intrusion detection - monitoring security events on the company Edge environment (firewalls, VPN gateways) - this is easy to do with built-in content hubs that provide sets of analytics rules (unfortunately, not always), dashboards, and automation playbooks for almost all vendors
2. Host-based intrusion detection - end users' desktop monitoring - here we use integration with the cloud MS Defender deployment that provides all information from agents on local machines.
Sentinel Has Come A Long Way
- Automated detection and response
- Detailed user/device information
- Part of the MS cloudsphere, so has a familiar feel.
- In the WFH world sometimes it would be nice to have a local client version when speed isn't the best from home
- The ability to alert on a mobile device
- A mobile app to do an investigation while on the move
- Easy to deploy and learn to use.
- Artificial intelligence.
- Analysis of any type of threat, including those that have not yet been discovered.
- Automation to respond to security incidents.
- Reduction of false positives.
- Easy to edit log analysis rules.
- The reporting feature can be improved. I sometimes see problems with exportation, instability and compatibility.
- Dependence on Microsoft Azure software.
- The UI-based analytics are excellent
- Excellent tools for cleaning data, sorting out irrelevant log data, and even fixing log data.
- There's not much that needs improvement, but the on-prem log sources still require a lot of development.