Sentinel: Your one-stop SIEM for cloud for Bird's Eyes by MS.
October 24, 2023
Score 8 out of 10
Vetted Review
Verified User
Overall Satisfaction with Microsoft Sentinel
We were using an in-house SIEM solution in our organization wherein most of our log sources were placed in the cloud. We are using multiple services from Microsoft Cloud. Switching to a cloud-based SIEM provided by Microsoft itself has given us an excellent opportunity to parse and analyze our logs over the cloud itself. Hence, the transition from the traditional in-house SIEM to Sentinel occurred.
- Parsing and Normalization of cloud-based log sources provided by Microsoft
- Cheaper license cost compared to the traditional SIEMs.
- Interactive UI.
- Searching for logs is a little tedious due to scripting commands.
- Creating use cases could be made a little more user-friendly.
- Non-Microsoft product pairing can be made a little easier.
- Log Management is a little difficult in-house as everything is situated on the cloud.
- Paying according to the throughput of the data can be costlier for some organizations.
- Excellent integration and log parsing for Microsoft products save many man-hours for the SIEM admin to focus on other things.
Sentinel pretty much supports logs from most of the well-known vendors. The key log sources that we have been using to pull data into Sentinel are:
- O365 and Azure logs
- EDR
- IAM stack, including PAM, IAG, and SSO
- Windows-based AD logs
- Network Detection and Response (NDR)
An API integration built by the provider connects to the provider's data sources and pushes data into Microsoft Sentinel custom log tables using the Azure Monitor Data Collector API. The process is fairly simple, though active data collection does require some troubleshooting.
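The push path described above, as an added example that is not code from the review, from Microsoft, or from any provider's connector: it builds a signed request for the Azure Monitor HTTP Data Collector API (the request shape, the SharedKey HMAC-SHA256 scheme and the `_CL` table naming are documented by Microsoft; the workspace ID, shared key, NDR-style events and the `NdrAlerts` log type are constructed values). The block only assembles the request; `post_events` is the one function that talks to the network, so everything else can be exercised offline.

```python
"""Added example: sign and assemble a push into a Sentinel custom log table via the
Azure Monitor HTTP Data Collector API. All identifiers below are constructed.
"""
import base64
import datetime
import hashlib
import hmac
import json
import re
import urllib.request

# Constructed placeholders; a real workspace ID and primary key come from the
# Log Analytics workspace and belong in a secret store, never in source.
SAMPLE_WORKSPACE_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_SHARED_KEY = base64.b64encode(b"constructed-demo-key-not-a-real-secret!!").decode()

# Constructed NDR-style events; the API expects a JSON array of flat objects.
SAMPLE_EVENTS = [
    {"SensorName": "ndr-edge-01", "SrcIp": "10.20.30.40", "DstIp": "10.20.31.5",
     "DstPort": 445, "Severity": "High", "Rule": "SMB lateral movement pattern",
     "TimeGenerated": "2023-10-24T08:15:00Z"},
    {"SensorName": "ndr-edge-01", "SrcIp": "10.20.30.41", "DstIp": "203.0.113.7",
     "DstPort": 53, "Severity": "Medium", "Rule": "DNS tunnelling heuristic",
     "TimeGenerated": "2023-10-24T08:15:04Z"},
]

LOG_TYPE_RE = re.compile(r"^[A-Za-z0-9_]{1,100}$")  # documented Log-Type constraint


def string_to_sign(method, content_length, content_type, rfc1123_date, resource):
    """Canonical string the API signs: method, body length, content type,
    the x-ms-date header and the resource path, newline-separated."""
    return "\n".join([method, str(content_length), content_type,
                      "x-ms-date:" + rfc1123_date, resource])


def build_signature(workspace_id, shared_key, rfc1123_date, content_length,
                    method="POST", content_type="application/json", resource="/api/logs"):
    """HMAC-SHA256 over the canonical string, keyed with the base64-decoded
    workspace key, rendered as 'SharedKey <workspace id>:<base64 mac>'."""
    key = base64.b64decode(shared_key)
    canonical = string_to_sign(method, content_length, content_type, rfc1123_date, resource)
    mac = hmac.new(key, canonical.encode("utf-8"), hashlib.sha256).digest()
    return "SharedKey {}:{}".format(workspace_id, base64.b64encode(mac).decode())


def build_request(workspace_id, shared_key, events, log_type, when=None):
    """Return (uri, headers, body) for an HTTPS POST. Sentinel lands the rows in a
    custom table named <log_type>_CL; 'when' is injectable so the signature is
    reproducible in tests (the API rejects dates too far from server time)."""
    if not LOG_TYPE_RE.match(log_type):
        raise ValueError("Log-Type must be 1-100 chars of letters, digits or underscore")
    body = json.dumps(events, separators=(",", ":")).encode("utf-8")
    when = when or datetime.datetime.now(datetime.timezone.utc)
    rfc1123_date = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = {
        "Content-Type": "application/json",
        "Authorization": build_signature(workspace_id, shared_key, rfc1123_date, len(body)),
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
        # Tells ingestion which field carries the event time instead of arrival time.
        "time-generated-field": "TimeGenerated",
    }
    uri = "https://{}.ods.opinsights.azure.com/api/logs?api-version=2016-04-01".format(
        workspace_id)
    return uri, headers, body


def post_events(workspace_id, shared_key, events, log_type):
    """The only networked step: POST the signed request; 200 means accepted."""
    uri, headers, body = build_request(workspace_id, shared_key, events, log_type)
    req = urllib.request.Request(uri, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Dry run: show what a connector would send, without contacting Azure.
    uri, headers, body = build_request(SAMPLE_WORKSPACE_ID, SAMPLE_SHARED_KEY,
                                       SAMPLE_EVENTS, "NdrAlerts")
    print(uri)
    for name, value in headers.items():
        print("{}: {}".format(name, value))
    print(body.decode())
```

Once ingested, the rows appear in the `NdrAlerts_CL` table, with the legacy API appending type suffixes to custom columns (`Severity_s`, `DstPort_d`), which is the detail that makes the "scripting commands" for searching feel tedious at first. Microsoft has since positioned the Logs Ingestion API (data collection rules plus data collection endpoints) as the successor to this API, so new connectors should be built against that.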
Machine learning is at the core of innovation in Microsoft Sentinel. By analyzing your incidents over time and deducing patterns, Microsoft Sentinel can provide you with actionable recommendations and insights to significantly improve the quality of your detections, so you can spend less time responding to false alarms. Using these features has improved our response time compared with a heuristic-based approach.
Just like other SIEM solutions, Sentinel comes with its own perks and features. The incident timeline widget by MS gives the analyst a key insight into the major progress of the incident, helping them focus on the important things. The similar-incidents widget again helps the analyst recognize false positives, or work a breach situation in which multiple solutions are impacted. The Entities tab helps the analyst focus on the IPs, hostnames, and usernames in question.
The key advantage of using Sentinel lies in Microsoft already being a renowned name in cloud services. Hence, collection of data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and especially in the MS Cloud, is super easy. Additionally, leveraging Threat Intel from Microsoft itself gives a sense of security, given their years of experience in the collection of intel. The AI and machine learning features provided by MS are among the finest.
Do you think Microsoft Sentinel delivers good value for the price?
Yes
Are you happy with Microsoft Sentinel's feature set?
Yes
Did Microsoft Sentinel live up to sales and marketing promises?
I wasn't involved with the selection/purchase process
Did implementation of Microsoft Sentinel go as expected?
Yes
Would you buy Microsoft Sentinel again?
Yes