Microsoft Sentinel, the scalable cloud-native SIEM platform
October 23, 2023

Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with Microsoft Sentinel

Sentinel is our SIEM solution, used in our MSSP service to monitor security incidents for our customers. The integration and native support for all Microsoft products is really beneficial and helps customers with quick onboarding. It is used to monitor both cloud and on-premises workloads, where different streams of logs are ingested into the portal. The solution helps to centrally manage all customer Sentinel instances, so that a standardized solution can be distributed to the customers.
  • It has a native integration with all Microsoft products, from Entra to Azure, Microsoft 365
  • Being built upon native Azure functionality benefits automation and infrastructural solutions
  • The KQL language is relatively easy to learn and powerful.
  • Microsoft listens very carefully to its customers and develops new functionality at a fast pace
  • The solution can become very expensive when not used in an effective way
  • The SOAR functionality can be more powerful compared to other products
  • Ingestion delays are often not clear and have to be taken care of thoroughly
  • Less overhead on integration of cloud-native logging
  • The KQL language is very helpful since it can be used for security and operational monitoring but as well for workbooks and dashboarding
  • A large community developing solutions is very helpful for a quick adoption
  • Cloud identities
  • On-premises identity events
  • Azure platform events
  • Defender and other Microsoft products
  • On-premises appliances
  • Linux events
The native Microsoft sources are pretty easy to incorporate with the standard integrated data connectors.
The same applies to Azure activity, Azure VMs and workloads.

On-premises workloads make use of log forwarders (Windows Event Forwarder / Syslog forwarder). We are moving to Logstash in due time.
We make use of UEBA for the correlation between anomalies, especially on the identity platform.

Besides that, we use the Fusion rules, which detect multi-stage attack scenarios.
Sentinel notebooks are not used much at the moment, because of the learning curve.
We do not rely too much on the investigation tools. Investigation is primarily done with KQL queries. The investigation dashboard is consulted to identify the entities and get a first overview of the timeline. After that we construct our own timeline using our own queries.
ArcSight is an on-premises solution that takes a different approach than Sentinel.

Basically, this product is more complex to maintain and deploy. The query functionality in Sentinel is more powerful and easier to maintain. ArcSight performs much more slowly and has an interface with a steep learning curve. Being an on-premises solution, it can sometimes be more cost-efficient in terms of storage, but it is also less scalable.

Do you think Microsoft Sentinel delivers good value for the price?

Yes

Are you happy with Microsoft Sentinel's feature set?

Yes

Did Microsoft Sentinel live up to sales and marketing promises?

Yes

Did implementation of Microsoft Sentinel go as expected?

Yes

Would you buy Microsoft Sentinel again?

Yes

For most customers that have a cloud-native workload based on Microsoft products, it is an excellent product. Because of the integration it can be used pretty cost-efficiently, and it works pretty well across the different products. This is very much the case when Azure AD/Entra is used for authentication, which will benefit from UEBA and Fusion.
When companies have no Microsoft footprint it can still be an excellent product, but it lacks integration, and UEBA/Fusion have little or no additional value.
Compared with other SIEM solutions it is a very good product, but keep in mind that using Microsoft products will get you on the right track out of the box.

Microsoft Sentinel Feature Ratings

Centralized event and log data collection: 8
Correlation: 8
Event and log normalization/management: 6
Deployment flexibility: 5
Integration with Identity and Access Management Tools: 8
Custom dashboards and workspaces: 8
Host and network-based intrusion detection: 5
Log retention: 7
Data integration/API management: 8
Behavioral analytics and baselining: 8
Rules-based and algorithmic detection thresholds: 7
Response orchestration and automation: 6
Incident indexing/searching: 9
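Two KQL queries, added here as worked examples and not part of the review itself, illustrate two of the reviewer's points: that ingestion delays must be measured rather than assumed, and that an investigation timeline can be built with custom queries instead of the investigation dashboard. SigninLogs, SecurityEvent, Syslog and AzureActivity are standard Sentinel tables; the account jdoe@contoso.com, the 24-hour window and the chosen Windows event IDs are assumptions for the example. Each query runs on its own in the Logs blade.

```kql
// 1) Ingestion delay check (added example). ingestion_time() is when the record
//    landed in the workspace; TimeGenerated is when the source produced it.
//    A scheduled analytics rule whose lookback is shorter than the p95 delay of a
//    table silently misses the late-arriving events, so size the rule's query
//    period from these numbers rather than from the rule frequency alone.
union withsource = SourceTable SecurityEvent, Syslog, SigninLogs, AzureActivity
| where TimeGenerated > ago(24h)
| extend IngestionDelay = ingestion_time() - TimeGenerated
| summarize
    Records     = count(),
    MedianDelay = percentile(IngestionDelay, 50),
    P95Delay    = percentile(IngestionDelay, 95),
    MaxDelay    = max(IngestionDelay)
    by SourceTable
| order by P95Delay desc

// 2) Custom entity timeline (added example) for one identity across cloud
//    sign-ins, on-premises Windows logons and Azure control-plane operations,
//    normalised into a single Time / Source / Action / Detail schema.
let TargetUpn = "jdoe@contoso.com";                 // assumption: UPN under investigation
let SamName   = tostring(split(TargetUpn, "@")[0]); // on-prem events carry the SAM name
let Lookback  = 24h;                                // assumption: investigation window
let CloudSignins = SigninLogs
    | where TimeGenerated > ago(Lookback) and UserPrincipalName =~ TargetUpn
    | project TimeGenerated, Source = "SigninLogs",
        Action = iff(ResultType == "0", "Sign-in success", strcat("Sign-in failure (", ResultType, ")")),
        Detail = strcat(AppDisplayName, " from ", IPAddress);
let OnPremLogons = SecurityEvent
    | where TimeGenerated > ago(Lookback) and TargetUserName =~ SamName
    | where EventID in (4624, 4625, 4672, 4768, 4769, 4776)   // logons, failures, privileges, Kerberos, NTLM
    | project TimeGenerated, Source = "SecurityEvent",
        Action = strcat("EventID ", EventID, " (", Activity, ")"),
        Detail = strcat(Computer, " LogonType=", LogonType, " from ", IpAddress);
let AzureOps = AzureActivity
    | where TimeGenerated > ago(Lookback) and Caller =~ TargetUpn
    | project TimeGenerated, Source = "AzureActivity",
        Action = OperationNameValue,
        Detail = strcat(ActivityStatusValue, " from ", CallerIpAddress, " on ", _ResourceId);
union CloudSignins, OnPremLogons, AzureOps
| order by TimeGenerated asc
| project TimeGenerated, Source, Action, Detail
```

The first query is worth running per customer workspace, since forwarder-based sources (Syslog, SecurityEvent via a log forwarder) typically show a very different delay profile from the native Microsoft connectors; the second query is the kind of hand-built timeline the review describes, and can be saved as a function and parameterised on the account name.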