TrustRadius
Microsoft Sentinel
Formerly Azure Sentinel

Overview

What is Microsoft Sentinel?

Microsoft Sentinel (formerly Azure Sentinel) is designed as a birds-eye view across the enterprise. It is presented as a security information and event management (SIEM) solution for proactive threat detection, investigation, and response.

Recent Reviews

Microsoft Sentinel: 8 out of 10 (September 12, 2023, incentivized)
"So it's a lot around the correlation of different log systems within our customer systems to give us information and threat intelligence …"

Popular Features

  • Centralized event and log data collection (14): 8.6 (86%)
  • Correlation (14): 8.4 (84%)
  • Event and log normalization/management (14): 8.2 (82%)
  • Custom dashboards and workspaces (14): 7.4 (74%)


Pricing


  • Azure Sentinel (Cloud): $2.46 per GB ingested
  • 100 GB per day (Cloud): $123.00 per day
  • 200 GB per day (Cloud): $221.40 per day

Entry-level setup fee?

  • No setup fee
For the latest information on pricing, visit https://www.microsoft.com/en…

Offerings

  • Free Trial
  • Free/Freemium Version
  • Premium Consulting/Integration Services

Product Demos

Microsoft Sentinel: Monitoring health and integrity of analytics rules (YouTube)

Features

Security Information and Event Management (SIEM)

Security Information and Event Management is a category of security software that gives security analysts a more comprehensive view of security logs and events than they could get by looking at the log files of individual point security tools.

Rating: 8.4 (category average 7.8)

Product Details

What is Microsoft Sentinel?

Microsoft Sentinel is a security operations center (SOC) solution used to uncover sophisticated threats and respond to them, combining security information and event management (SIEM) for proactive threat detection, investigation, and response. It eliminates security infrastructure setup and maintenance, and scales elastically to meet the user's security needs.

  • Helps users protect the digital estate: secures the digital estate with scalable, integrated coverage for a hybrid, multicloud, multiplatform business.
  • Microsoft intelligence to empower the SOC: optimizes SecOps with advanced AI, security expertise, and threat intelligence.
  • Detection, investigation and response: a unified set of tools to monitor, manage, and respond to incidents.
  • Cost of ownership: a cloud-native SaaS solution that reduces infrastructure costs.

Microsoft Sentinel Features

Security Information and Event Management (SIEM) Features

  • Supported: Centralized event and log data collection
  • Supported: Correlation
  • Supported: Event and log normalization/management
  • Supported: Deployment flexibility
  • Supported: Integration with Identity and Access Management Tools
  • Supported: Custom dashboards and workspaces
  • Supported: Host and network-based intrusion detection
  • Supported: Log retention
  • Supported: Data integration/API management
  • Supported: Behavioral analytics and baselining
  • Supported: Rules-based and algorithmic detection thresholds
  • Supported: Response orchestration and automation
  • Supported: Incident indexing/searching

Microsoft Sentinel Technical Details

Deployment Types: Software as a Service (SaaS), Cloud, or Web-Based
Operating Systems: Unspecified
Mobile Application: No

Frequently Asked Questions

Reviewers rate Deployment flexibility highest, with a score of 9.2.

The most common users of Microsoft Sentinel are from Enterprises (1,001+ employees).

Reviews and Ratings (66)

Reviews (1-11 of 11)

November 13, 2023

SIEM means Sentinel

Yash Mudaliar | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Microsoft Sentinel is being used as the hero product in our MSSP offerings. Our clients use it as a cloud native SIEM (Security Information and Event Management) and SOAR (Security Orchestration and Automated Response) tool. While the main use case still remains 'Incident Management', some of our clients also use it as an event management tool to derive actionable insights from the logs ingested.
  • Sentinel is by far the most efficient tool in supporting the highest number of solutions and products when it comes to data connection (or ingestion) and that too in the least complex manner possible. Most of the data connectors in Sentinel are very easy to configure and deploy.
  • Incident Management is undoubtedly one of the main USPs of Sentinel. With an easy-to-use UI, variety of utilities (adding tasks, manual triggering of playbooks, activity logs etc.) and provision of having an investigation map from the incident details page, Sentinel clearly stands out in this area.
  • I personally love the feature of integrating 'Threat Intelligence' into Sentinel from a free and one of the most reliable sources, Microsoft itself. This not only saves time for an analyst in checking the reputation of an entity but also allows taking action on the suspicious entities at the earliest.
  • 'Notebook' has always been a very hard-to-use feature for me in Sentinel. From my experience, there have been only very select use cases for this feature across the industry.
  • 'Entity Behavior' has some scope to be improved further since it is a feature that gives some useful insights but needs to be accessed separately. I think it should be re-worked in a way that it can be used within the incident investigation page.
  • I'd like to see a more user-friendly version of the 'Content Hub' menu, which was the earlier version! The new UI is somewhat confusing to use and is dependent on a lot of filters being applied, which do not even last for a single session. With each refresh, we have to apply the filters again.
Sentinel is the best "cloud-native" in the market yet, so if the organization has a cloud presence (which almost everyone has) then Sentinel is the right choice for having a single pane of glass for all your security monitoring needs.
Sentinel is a very good tool for log analysis and event management purposes as well. With KQL and ASIM parsers, organizations can retrieve invaluable insights even from the most complex data.
And of course, Sentinel is a great choice for automating the incident response process to a very good extent.
Rogier Dijkman | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User
Incentivized
We are using Microsoft Sentinel as our main SIEM solution at Nedscaper for managing our customers that are onboarded to our MXDR service. The main challenge is distributing analytics rules, playbooks, watchlists, and other artifacts at scale without implementing complex deployment pipelines in either GitHub or Azure DevOps. There are several options available, like Azure Lighthouse or using the Microsoft Sentinel Workspace Manager (Preview). Both have their pros and cons in terms of authentication, scalability, and the artifacts that can be synchronized.
  • Correlating Security Data.
  • Automated response.
  • Threat Intelligence mapping.
  • Performance on data ingestion.
  • Performance on query data.
  • Normalizing data.
Microsoft Sentinel is a great fit for any environment running Microsoft systems, either on-premises or in the cloud. The integration between the Microsoft SaaS products and Sentinel is great and easy to configure. Nowadays, more and more third-party solution providers are creating an integration with Microsoft Sentinel to easily onboard their products through the Content Hub.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Sentinel is our SIEM solution that is used in our MSSP service, where it is used to monitor security incidents for our customers. The integration and native support for all Microsoft products is really beneficial and helps customers with a quick onboarding. It is being used to monitor both cloud and on-premises workloads, where different streams of logs are being ingested in the portal. The solution helps to centrally manage all Sentinel instances of customers, where standardized solutions can be distributed to the customers.
  • It has a native integration with all Microsoft products, from Entra to Azure, Microsoft 365
  • Being built upon native Azure functionality benefits automation and infrastructural solutions
  • The KQL language is relatively easy to learn and powerful.
  • Microsoft is listening very carefully to the customers and develops new functionality at a fast pace
  • The solution can become very expensive when not used in an effective way
  • The SOAR functionality can be more powerful compared to other products
  • Ingestion delays are not often clear and have to be taken care of thoroughly
For most customers that have a cloud native workload that is based on Microsoft products it is an excellent product. Because of the integration it can be used pretty cost-efficiently and it works pretty well across the different products. This is very much the case when Azure AD/Entra is being used for authentication, which will benefit UEBA and Fusion.
When companies have no Microsoft footprint it can still be an excellent product, but it lacks integration and UEBA/Fusion have little or no additional value.
Compared with other SIEM solutions it is a very good product, but keep in mind that using Microsoft products will get you on the right track out of the box.
Score 8 out of 10
Vetted Review
Verified User
Incentivized
Microsoft Sentinel is currently being used as our one stop where our team monitors all alerts we get on our Azure resources. Since everything is on a single platform it makes it easier to keep track of and prioritise the alerts.
  • Threat Detection and faster Analysis
  • Security Automation and architecture improvement
  • Onboarding and integration with client/our system can be simplified so that it can be used by everyone.
  • Integration takes longer if software is hosted outside.
  • The logs of software hosted in-house have room for improvement
It is good for real-time monitoring and detection of cyber threats. Microsoft Sentinel is not really recommended if you have the software hosted outside.
Glenn H. Miller | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User
Incentivized
It enables us to route security information through a tool and set up alerts to respond to possible concerns; it also connects with analytical tools to track trends, among other things. Provides real-time warnings and threat detection so that the security team can work on occurrences as rapidly as possible. Logs are easy to search and analyze, allowing for quick judgments on key security issues. It supports all sorts of log sources, allowing you to manage all endpoints on a single platform and save a lot of time when dealing with major occurrences so that remedial measures can be made quickly.
  • It interacts easily with Azure, Active Directory, and log analytics, and it can route data via Sentinel as well as establish alerts and other workflows to respond to possible security concerns.
  • It features a highly user-friendly UI that makes it simple to operate the platform, and KQL is simple to use while studying logs.
  • It is one of the greatest platforms for a totally cloud-based deployment, which improves productivity. It can evaluate vast amounts of data quickly and is incredibly productive.
  • It takes some time to learn how to use and install it properly, and it does not connect effectively with external PaaS systems such as Salesforce CRM, Salesforce Commerce Cloud, and so on.
  • Microsoft can simplify the display of the logs to make them easier to study, and the user interface occasionally delays, which can also be enhanced.
It is an excellent choice for a SIEM since it offers intriguing and intelligent features and functions, and it is extremely strong in terms of cloud information processing. I recommend it to my colleagues since it is simple to set up, configure, and use on a regular basis. It is ideal if you want built-in security and tracking, and it is compatible with various operating systems, but the amount of information and capabilities is limited.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Microsoft Sentinel is the SIEM (Security Information and Event Management), according to Microsoft. Entirely cloud-based, Microsoft Sentinel requires little to no effort in terms of on-premise hosting requirements. Very user-friendly and very powerful, Microsoft Sentinel takes an important step from a "simple" SIEM to a SOAR, integrating both SIEM and XDR functionalities in a cloud-based product that is covered by the Microsoft Azure cloud power.
  • KQL Query language is easy to learn and very powerful once mastered.
  • A continuously growing list of connectors allows the integration of hundreds of technologies.
  • Microsoft Sentinel provides the best integrations with Microsoft's products.
  • Like many Microsoft products, the solution can lose its effectiveness in non-Microsoft environments.
  • It's not the most cost-effective solution out there.
  • False positives are something that really needs to be addressed when confronting Microsoft Sentinel.
Microsoft Sentinel is a largely scalable product that can suit basically any infrastructure from the smallest to the huge international corporation (costs aside). The Microsoft infrastructure is the field of battle where Microsoft Sentinel can really express itself providing not only a great SIEM that enhances the whole security but also bringing a great tool to correct vulnerabilities and misconfigurations around the environment.
September 13, 2023

Microsoft Sentinel Review

Score 8 out of 10
Vetted Review
Verified User
Incentivized
We use a centralized SIEM where we collect all the logs from our Microsoft SaaS products and from our environment network and endpoint. We also use Microsoft Defender 365 and Microsoft Defender Endpoint Security. Through the center we monitor the environment, and we have the rules in, so our security analyst watches the dashboard, and based on the alerts we built FI and incident response from the Defender console, Sentinel console.
  • It's good in form of the integration with the Microsoft native products like Defender or Office 365 and some of the queue, the complete visibility, because if we are using the Microsoft product suite as the operating system on the endpoint and the Microsoft Defender and those things, it is complete end-to-end visibility, not just as a SIEM but complete visibility of our identity. We are also having Azure ready. It gives more visibility of the users, the endpoint, and my SaaS services like Teams or, I can say, Outlook. I get good visibility, and the next good thing is I can mitigate the threat in real time. I can write the playbook and I can do the hunting. One of the good things in Defender, I see the hunting in the playbooks. So my analyst has one place from where I could do the monitoring, triage, response, and mitigation.
  • Some of the integration though it provides integration to most of the technologies, but I still think it is a scope of integration, scope for implementing the integration area so that I can integrate all the design sources to the central. Right now I experienced some challenges with my team with that.
For example, if some identities are compromised, it works well where I get as I told, it gives me complete visibility of the user of the endpoint and the SaaS exposure. We can say containment time is much less if I'm using this. With the playbook I can automate everything if I have the Microsoft suite of products in, that does pretty well.
September 13, 2023

Microsoft Sentinel Review

Score 8 out of 10
Vetted Review
Verified User
Incentivized
Well, it's our SIEM, so it does all our correlation engines and data gathering, and we do a lot of querying in it.
  • It really does do a very good job of collecting end user data or end user and device data to correlate against.
  • Their UEBA really needs to grow out of the Microsoft space.
  • I think they need to be a little bit more friendly using their workbooks, so that's probably where I see it should grow.
I think it's well suited for the log collection, but I think it's also lacking in some of its connection or connectors and parsing. But that's pretty much it where I see it.
September 13, 2023

Microsoft Sentinel Review

Score 10 out of 10
Vetted Review
Verified User
Incentivized
I use it to test detections, create detections, make alerts, help other customers use it, ingest data, create alerts, create automation. Almost all the possibilities I use to help myself and other companies.
  • It handles a lot of data. It works fast, it's easy to understand. It's the integrations with all the products, the APIs, Defender with Office 365, with Azure AD. It's got some great integrations.
  • I think that the handling of ingestion delays and time generated, I think that's currently the main issue because you get some data that comes in later, and some data comes way later, so you have to correlate it and it can be a bit of a hassle to make sure to align the right data with each other.
I think it can be well suited at all environments. Just if you have really large loads of data, then there are companies who aren't using the data and you can better ingested in a DX. But for the rest, if you want to do detections or ing, then Sentinel is perfect.
Score 9 out of 10
Vetted Review
Verified User
Incentivized
Microsoft Sentinel is a cloud-based comprehensive and robust SIEM (Security information and event management) that is used for a variety of company FW/VPN infrastructure security events tracking as well as end-user protection monitoring (it is easily connected to MS Defender). The huge list of built-in connectors for different solutions/hardware eliminates any deployment issues that we had with previous SIEM system deployments. With Microsoft Sentinel, we are able to centralize all the security operations at a single point.
  • Advanced analytics and machine learning algorithms
  • Easy to deploy, manage, and update
  • Huge list of out-of-the-box dashboards, reports and automation playbooks
  • Query language is quite difficult
  • Automation playbooks sometimes have false-positive alerts/responses
We are using Microsoft Sentinel in two different scenarios:
1. Network-based intrusion detection - monitoring security events on the company Edge environment (firewalls, VPN gateways) - this is easy to do with built-in content hubs that provide sets of analytics rules (unfortunately, not always), dashboards, and automation playbooks for almost all vendors
2. Host-based intrusion detection - end users desktops monitoring - here we use integration with cloud MS Defender deployment that provides all information from agents on local machines.
Flavio Pereira | TrustRadius Reviewer
Score 10 out of 10
Vetted Review
Verified User
Incentivized
Azure Sentinel has been used by our headquarters as a SIEM solution. Easy to learn, set up and use. Because it is highly scalable and cloud based, it has become ideal for managing events and providing security automation by creating automated SOAR responses to different levels of incidents, from undiscovered, simple to more complex. It has collaborated a lot in making business decisions and providing more security for the team and the organization.
  • Easy to deploy and learn to use.
  • Artificial intelligence.
  • Analysis of any type of threat, including those that have not yet been discovered.
  • Automation to respond to security incidents.
  • Reduction of false positives.
  • Easy to edit log analysis rules.
  • The reporting feature can be improved. I sometimes see problems with exportation, instability and compatibility.
  • Dependence on Microsoft Azure software.
Azure Sentinel is an excellent option as a SIEM. It has cool, smart features and functionality, and is quite powerful in terms of processing information in the cloud. I recommend it to colleagues because it is very easy to deploy and configure, and to learn to use on a daily basis. The panel is super intuitive and rich in details. When opening Sentinel, it is already possible to analyze the indices that happened and those that deserve further attention and treatment.