A big SIEM or a little SOAR?
September 20, 2023


Anonymous | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Overall Satisfaction with Microsoft Sentinel

Microsoft Sentinel is the SIEM (Security Information and Event Management), according to Microsoft. Entirely cloud-based, Microsoft Sentinel requires little to no effort in terms of on-premises hosting requirements. Very user-friendly and very powerful, Microsoft Sentinel takes an important step from a "simple" SIEM to a SOAR, integrating both SIEM and XDR functionalities in a cloud-based product that is backed by the Microsoft Azure cloud's power.

  • KQL Query language is easy to learn and very powerful once mastered.
  • A continuously growing list of connectors allows the integration of hundreds of technologies.
  • Microsoft Sentinel provides the best integrations with Microsoft's products.
  • Like many Microsoft products, the solution can lose its effectiveness in non-Microsoft environments.
  • It's not the most cost-effective solution out there.
  • False positives are something that really needs to be addressed when confronting Microsoft Sentinel.
  • Microsoft Sentinel is a good investment, especially when sided with other solutions such as Microsoft 365 Defender, as it provides 360° protection on every level of the infrastructure.
  • When deployed on infrastructures that have never had a SIEM, Microsoft Sentinel helps to assess vulnerabilities and misconfigurations.
  • As with any other SIEM, Microsoft Sentinel basically eliminates the need to put effort into every single platform (like EDR, NDR, XDR) and converge that effort on a single product that correlates and orchestrates the rest.
We gather data from different data connectors such as Firewall, Endpoints, Servers, Amazon Web Services, Hypervisors, and more. There's a comprehensive list in the official documentation that helps to assess the possible integrations that can be made when it comes to deploying the product in the infrastructure. There's a range of protocols and ways to send data to Microsoft Sentinel, from the simple Syslog to the API-based integrations.
It really depends on the connector and how it is integrated into Microsoft Sentinel. Some integrations can be easy, such as Microsoft Events Logs that can be massively deployed on every endpoint of the infrastructure. Other connectors require a little bit of configuration before they start to work as intended.
Threat detection in Microsoft Sentinel can be enhanced by AI and Machine Learning. It's something mainly based on the User Behaviour Analytics concept when it comes to machine learning, and its heuristic counterpart helps to detect threats and respond to malicious behavior while correlating events that come from the whole infrastructure.
Microsoft Sentinel's investigation tools really enhance the whole analysis process with their timeline bookmarks. They not only correlate events, just like any other SIEM, but also integrate something that comes directly from the SOAR world: correlating incidents and highlighting similar threats that have previously occurred in the infrastructure.
Microsoft Sentinel really goes the extra mile when it comes to a SIEM that slowly improves toward a proper SOAR; this may be the best selling point of the entire solution. Highly scalable, cloud-based, and nearly perfect when dealing with Microsoft-based infrastructures, Microsoft Sentinel is one of the best SIEM solutions.

Do you think Microsoft Sentinel delivers good value for the price?

Yes

Are you happy with Microsoft Sentinel's feature set?

Yes

Did Microsoft Sentinel live up to sales and marketing promises?

Yes

Did implementation of Microsoft Sentinel go as expected?

Yes

Would you buy Microsoft Sentinel again?

Yes

Microsoft Sentinel is a largely scalable product that can suit basically any infrastructure from the smallest to the huge international corporation (costs aside). The Microsoft infrastructure is the field of battle where Microsoft Sentinel can really express itself providing not only a great SIEM that enhances the whole security but also bringing a great tool to correct vulnerabilities and misconfigurations around the environment.

Microsoft Sentinel Feature Ratings

Centralized event and log data collection: 8
Correlation: 10
Event and log normalization/management: 8
Deployment flexibility: 9
Integration with Identity and Access Management Tools: 8
Custom dashboards and workspaces: 6
Host and network-based intrusion detection: 7
Log retention: 9
Data integration/API management: 9
Behavioral analytics and baselining: 10
Rules-based and algorithmic detection thresholds: 9
Response orchestration and automation: 8
Incident indexing/searching: 9
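The review's points about KQL being powerful once mastered and about Sentinel correlating events from across the infrastructure can be made concrete with a query. The following is an added example written for this page, not code from the reviewer or from Microsoft. It assumes the Microsoft Entra ID sign-in connector is enabled so that the SigninLogs table is populated, and it relies on that table reporting a failed sign-in as a non-zero ResultType. The threshold and window values are illustrative choices, not values the review states.

```kql
// Added example (not from the review): flag a source IP that produced many
// failed sign-ins and then a successful one shortly afterwards, which is the
// kind of password-spray / brute-force pattern a SIEM correlation rule looks for.
// Assumes the Entra ID sign-in connector populates SigninLogs.
let lookback = 1d;          // how far back to search (illustrative)
let window = 1h;            // bucket size for counting failures (illustrative)
let threshold = 10;         // failures per IP per window before we care (illustrative)
// Step 1: count failed sign-ins per source IP per window.
let failures =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"            // non-zero ResultType means the sign-in failed
    | summarize FailedCount = count(),
                LastFailure = max(TimeGenerated),
                TargetAccounts = make_set(UserPrincipalName, 20)
        by IPAddress, bin(TimeGenerated, window)
    | where FailedCount >= threshold;
// Step 2: collect successful sign-ins with the fields we want to report.
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"            // "0" means the sign-in succeeded
    | project SuccessTime = TimeGenerated, IPAddress,
              SuccessAccount = UserPrincipalName, AppDisplayName;
// Step 3: correlate the two sets on source IP and keep only successes that
// land within one window after the last failure from that IP.
failures
| join kind=inner successes on IPAddress
| where SuccessTime between (LastFailure .. (LastFailure + window))
| project IPAddress, FailedCount, TargetAccounts, SuccessAccount, SuccessTime, AppDisplayName
| order by FailedCount desc
```

Run as-is in the Logs blade, this returns one row per correlated success; as a scheduled analytics rule, each row becomes an alert whose entities (IP address, account) feed the incident correlation the review describes. Tuning the threshold and window against the environment's normal failure rate is what keeps the false-positive volume the reviewer mentions under control.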