SIEM means Sentinel
November 13, 2023

Yash Mudaliar | TrustRadius Reviewer
Score 9 out of 10
Vetted Review
Verified User

Overall Satisfaction with Microsoft Sentinel

Microsoft Sentinel is being used as the hero product in our MSSP offerings. Our clients use it as a cloud native SIEM (Security Information and Event Management) and SOAR (Security Orchestration and Automated Response) tool. While the main use case still remains 'Incident Management', some of our clients also use it as an event management tool to derive actionable insights from the logs ingested.
  • Sentinel is by far the most efficient tool in supporting the highest number of solutions and products when it comes to data connection (or ingestion) and that too in the least complex manner possible. Most of the data connectors in Sentinel are very easy to configure and deploy.
  • Incident Management is undoubtedly one of the main USPs of Sentinel. With an easy-to-use UI, variety of utilities (adding tasks, manual triggering of playbooks, activity logs etc.) and provision of having an investigation map from the incident details page, Sentinel clearly stands out in this area.
  • I personally love the feature of integrating 'Threat Intelligence' into Sentinel from a free and one of the most reliable sources, Microsoft itself. This not only saves time for an analyst in checking the reputation of an entity but also allows them to take action on suspicious entities at the earliest.
  • 'Notebook' has always been a very hard-to-use feature for me in Sentinel. From my experience, there have been only a select few use cases for this feature across the industry.
  • 'Entity Behavior' has some scope to be improved further since it is a feature that gives some useful insights but needs to be accessed separately. I think it should be re-worked in a way to be used within the incident investigation page.
  • I'd like to see a more user-friendly version of the 'Content Hub' menu, which was the earlier version! The new UI is somewhat confusing to use and is dependent on a lot of filters being applied, which do not even last for a single session. With each refresh, we have to apply the filters again.
  • With a breadth of features present to facilitate faster triage and response, many of our clients were able to reduce the incidents by 35% over 6-7 months of usage.
  • With the provision of manipulating data in depth, many organizations have been able to find thought-provoking misconfigurations in their cloud resources and rectify them in time.
  • With such a high number of OOTB playbook templates, many of the clients have been able to reduce their MTTR (Mean Time To Respond) by a staggering 65% over 7-9 months of usage.
Native Microsoft connections include Microsoft Defender for Cloud, Microsoft 365 Defender, Microsoft Entra ID, Azure Activity, Security Events, Key Vaults, SQL Databases, Windows events via AMA, Microsoft Defender Threat Intelligence etc.
Third party products include Workday, Google Workspaces, Cisco ASA, AWS S3 and CloudTrail logs, Zscaler, Carbon Black, VirusTotal etc.
Connecting the Microsoft native solutions is the easiest. Connecting Azure resources is also easy, but a slightly lengthier process.
Integration of third party products with Sentinel varies wildly from product to product, so in a word, it's doable with a little technical overhead.
With 'Entity Behavior' and its machine learning capabilities, we have been able to detect many risky users and other entities, which saved a lot of time and effort compared to doing it manually.
While I have very limited experience with using Azure OpenAI in incidents through playbooks, it surely does a very prominent job of summarizing the incident for the L1 analysts and saves time on triaging.
We have been working on establishing a process to reduce the triaging time by using the incident investigation utilities in Sentinel. For example, we have made good use of automation rules to define which playbooks to run for many critical and/or repetitive incident categories, which helps in speeding up the process of investigation and response. Also, with the help of playbooks, we have been able to provide the initial set of investigation steps for many frequently occurring low-severity incidents handled by L1 analysts.
Sentinel has a huge advantage in being the first cloud native SIEM, which prevents a lot of deployment and technical overhead in comparison to the traditional SIEMs, which require a heavy software installation and even agent deployment in some scenarios. Not only this, Sentinel being a part of the Microsoft security stack provides the upper hand of integrating easily with the other security products through a single-click API integration.

Do you think Microsoft Sentinel delivers good value for the price?

Yes

Are you happy with Microsoft Sentinel's feature set?

Yes

Did Microsoft Sentinel live up to sales and marketing promises?

Yes

Did implementation of Microsoft Sentinel go as expected?

Yes

Would you buy Microsoft Sentinel again?

Yes

Sentinel is the best "cloud-native" SIEM in the market yet, so if the organization has a cloud presence (which almost everyone has) then Sentinel is the right choice for having a single pane of glass for all your security monitoring needs.
Sentinel is a very good tool for log analysis and event management purposes as well. With KQL and ASIM parsers, organizations can retrieve invaluable insights even from the most complex data.
And of course, Sentinel is a great choice for automating the incident response process to a very good extent.

Microsoft Sentinel Feature Ratings

Centralized event and log data collection: 9
Correlation: 8
Event and log normalization/management: 8
Deployment flexibility: 10
Integration with Identity and Access Management Tools: 9
Custom dashboards and workspaces: 7
Host and network-based intrusion detection: 6
Log retention: 6
Data integration/API management: 7
Behavioral analytics and baselining: 8
Rules-based and algorithmic detection thresholds: 9
Response orchestration and automation: 9
Incident indexing/searching: 9
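As an added illustration (not part of the review above, and not the reviewer's or Microsoft's own content) of the "KQL and ASIM parsers" point: the query below runs over the ASIM authentication parser `_Im_Authentication`, which normalizes logons from many of the connectors the review lists into one schema, and flags a source IP that produced a burst of failed logons followed by a successful one. The lookback window and failure threshold are assumptions chosen for the example.

```kql
// Added example, not from the review: password-spray / brute-force
// followed by a successful logon, over the ASIM authentication parser.
// lookback and failThreshold are assumed values; tune them per tenant.
let lookback = 1h;
let failThreshold = 10;
// Step 1: source IPs with at least failThreshold failed logons in the window.
let failures =
    _Im_Authentication(starttime=ago(lookback), endtime=now())
    | where EventType == "Logon" and EventResult == "Failure"
    | summarize FailureCount = count(),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated),
                Targets = make_set(TargetUsername, 20)
        by SrcIpAddr
    | where FailureCount >= failThreshold;
// Step 2: successful logons from those same IPs, after the failure burst.
_Im_Authentication(starttime=ago(lookback), endtime=now())
| where EventType == "Logon" and EventResult == "Success"
| join kind=inner failures on SrcIpAddr
| where TimeGenerated > LastFail
| project SuccessTime = TimeGenerated, SrcIpAddr,
          SucceededAs = TargetUsername, FailureCount,
          FirstFail, LastFail, Targets, EventProduct
| order by SuccessTime desc
```

Wrapped in a scheduled analytics rule, the same query can map `SrcIpAddr` and `SucceededAs` to IP and Account entities so the resulting incident carries them into the investigation page and any automation rule or playbook the review describes.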