Is Microsoft Sentinel any good?

Security incident and event management (SIEM) solutions are an important tool for making sense of security data.

SIEMs process huge amounts of security log data and turn them into security alerts. These alerts are then prioritised by severity and help analysts detect incidents that may otherwise go unnoticed.

A SIEM platform gathers data from different sources across your network. This data can determine the nature of an attack, its timeline, and its impact on your business.

In this blog, we’re going to be exploring Microsoft Sentinel, Microsoft’s cloud-native solution and a relative newcomer to the SIEM arena.

We’ll examine how it performs across key areas, as well as advantages and features that are unique to Sentinel.

Why use Microsoft Sentinel?

Your security operations centre (SOC) needs a better class of SIEM these days. Traditional SIEMs, especially on-premises solutions, aren’t as agile. They need constant tweaking, extension, and redevelopment to function.

These tweaks are needed to keep up with your organisation’s changing infrastructure and the pace of business in a cloud-based world. Most SIEMs also need updating every time a new threat is uncovered to be able to detect it within an organisation’s network.

In almost every case, traditional SIEM solutions are only capable of ingesting log files from on-premises systems. They can’t monitor assets in the Cloud. For this reason, on-premises SIEMs are becoming obsolete.

Microsoft Sentinel is the first and, to date, the only cloud-native SIEM on the market. This unique status means that it can leverage the power of cloud computing as standard.

It’s able to use powerful artificial intelligence (AI) tools and analytics for better decision-making at speed. This is crucial when it comes to security. Being cloud native, Sentinel is infinitely scalable to your organisation’s needs.

It’s also much more than a SIEM solution. Sentinel is a powerful security orchestration and automation response (SOAR) platform, offering more security and functionality than its legacy SIEM predecessors.

Let’s take a closer look at Sentinel’s core SIEM functions, how it performs as a next-generation SIEM, and the benefits that are exclusive to the Sentinel solution.

Core SIEM functionality

Sentinel has all the expected functionality of a SIEM platform, including:

Threat detection and alerting

Sentinel has a robust threat detection platform. Once you’ve connected your data sources (more on those later), you’ll want to know when an attack or incident occurs.

Sentinel provides out-of-the-box, built-in templates to help you create threat detection rules.

Once it identifies a security event, it sends the IT team a security alert in almost real-time. The team can then investigate the event and determine whether it’s a potential breach for the company.

Compliance reporting

Using the workbooks feature of Microsoft Sentinel, you can see all the data from across your organisation in one place, as well as the regulations that your organisation must adhere to.

Using workbooks, you can view the compliance status of each regulation to see which checks are failing as well as recommended actions to fix them.

This data can then be easily exported to Excel for presentation.

Real-time notifications

Sentinel uses advanced learning algorithms to detect anomalies and present them to analysts.

But what sets Sentinel apart is the speed of its alerts. Microsoft Sentinel operates something known as near-real-time (NRT) rules.

These are designed to run once every minute, capturing events ingested in the preceding minute. This supplies analysts with information that is as up-to-the-minute as possible.

Data aggregation and normalisation

Like its competitors, Sentinel pulls dissimilar data and log files from several disparate sources into one common repository.

However, because Sentinel is cloud-based, it can handle increasingly large amounts of data without suffering storage or processing problems.

Sentinel can perform data normalisation to a high standard, with predictable and consistent storage for all records. Normalising data helps standardise your logs, making it easier to identify anything unusual.

It can index these records for faster searching and sorting of data. Speed is a key factor when investigating an incident.

Next-generation SIEM benefits

So now we know that Sentinel can do everything a legacy SIEM solution can do, let’s explore some of the things you can expect from a next-generation SIEM platform.

Data collection and management

Sentinel has a large number of data sources that it can connect to.

Sentinel has more than 100 data connectors ‘out of the box’, with the ability to create custom sources to meet your organisation’s individual requirements.

As you might expect, Sentinel connects with the wider Microsoft ecosystem easily, but it’s not limited to just Microsoft software and the Azure platform.

Microsoft Sentinel can ingest and collate data from a large range of log sources. These include but aren’t limited to:

• Different cloud platforms like Azure, AWS, and Google Cloud
• On-premises networks and infrastructure
• Multiple software as a service (SaaS) applications

Cloud scaling

One of the biggest problems SIEM platforms face is sifting through the massive amounts of security data that organisations produce daily.

This presents problems with storing, processing, and analysing that data. Traditional on-premises SIEMs struggle with this high volume of data and what to do with it.

However, with Sentinel being entirely cloud-based, this is no longer a problem. There are no data storage silos to manage or protect – everything is done in the Cloud.

This makes Sentinel infinitely scalable for your business.

Experiencing a period of growth? Sentinel will grow alongside your organisation and offer the same high level of protection.

Does your business need to downsize? Again, Sentinel will scale to the size of your organisation with no loss in protection or functionality.

User and entity behaviour analytics (UEBA)

Other SIEM solutions use user behaviour analytics (or UBA), but Sentinel goes a step further with user and entity behaviour analytics.

Sentinel transforms raw data into meaningful insights to identify advanced attacks, extending UBA beyond users to include other entities.

This means that the analysis doesn’t just look at user behaviour, but also covers things like network devices and servers to give you the whole picture.

Security orchestration, automation, and response (SOAR)

SIEM platforms typically throw out so many security alerts at such high volumes that a security operations centre (SOC) can quickly become overwhelmed.

This can mean that incidents can go ignored or unnoticed, leaving your organisation vulnerable to attacks.

With the extra capability of a security orchestration and automation platform, Sentinel can use powerful machine learning algorithms to automate responses to the huge number of alerts and incidents your SIEM gets every day.

With such powerful automation in place, a fully configured Sentinel platform will reduce the number of false positives coming through the system.

This leaves your SOC free to investigate larger, potentially more dangerous incidents in greater detail.

Automated attack timelines and investigation

Being able to piece together the timeline of an attack or incident is crucial when it comes to investigation and response.

Again, the problem for a lot of legacy SIEMs lies in the massive amounts of data that they have to piece through and investigate.

With Sentinel being a next-generation SIEM platform, this is yet another process that can be automated, leaving your SOC team free to investigate serious incidents more thoroughly.

Sentinel-only benefits

Sentinel isn’t the only next-generation SIEM out on the market. It does, however, have a few Sentinel-exclusive tricks up its sleeve to separate itself from the pack.

Sentinel is cloud native

As we’ve mentioned above, Microsoft Sentinel is currently the only SIEM solution that is entirely cloud-native.

Built in the Cloud, Sentinel can use all the benefits of cloud computing.

Traditional problems such as storage and on-premises architecture aren’t an issue for Sentinel. It’s flexible, scalable, and has no storage restrictions.

Being cloud native, it costs a fraction of an on-premises system as there’s no infrastructure to maintain.

Easily activated extended detection and response (XDR)

Sentinel has a powerful SOAR as standard, automating a lot of functions. This ensures that no alert is missed and frees up time and analytical power for more serious security events.

You can take this even further and activate a comprehensive extended detection and response platform by integrating Microsoft Sentinel with Microsoft 365 Defender.

This provides an additional layer of security and gives you complete coverage. A built-in XDR capability is a benefit that, at the time of writing, is unique to Sentinel.

Holistic integration with the Microsoft 365 technology stack

We’ve already seen that integrating Sentinel with the Microsoft 365 Defender suite can provide some unique security benefits.

However, it’s worth noting that even without enabling the XDR capability, integrating Sentinel with the Microsoft 365 technology stack creates a powerful and secure business platform.

The integration between Microsoft technologies is designed to work together holistically. Another SIEM will work well with the Microsoft 365 tech stack, but not quite as well as Sentinel, and not quite as completely.

Microsoft currently dominates the world market for major office suite technologies, with Office 365 controlling around 48% of the market as of February 2022.

So if you’re using any of Microsoft’s Office 365 technologies, you’re already well positioned to benefit from Sentinel.

Market standing and reception

Since its launch in 2019, Microsoft Sentinel has been making waves in the SIEM community, gathering a lot of fans and industry acclaim.

It’s also garnered a reputation as one of the most complete security solutions that exist today, bundling in a powerful SOAR solution into the platform.

And, as if that wasn’t enough, integration with Microsoft 365 Defender builds an incredibly powerful XDR platform that’s difficult for other companies to keep up with.

It regularly ranks highly as a complete SIEM solution, with Gartner Peer Insights giving it a 4.5-star rating out of five.

Sentinel has cemented itself as a market-leading solution in the short time since its release. With Microsoft continuing to develop the platform, Sentinel is going to remain a major player in the SIEM space.

Conclusion

Microsoft Sentinel is a modern SIEM platform with next-generation SIEM capabilities.

Sentinel outstrips legacy SIEMs by leveraging the Cloud and powerful AI and machine learning algorithms.

It’s designed to work best within the Microsoft ecosystem, and – when paired with other Microsoft technology stacks – provides holistic protection for your whole organisation.

Outside of the Microsoft arena, it still provides incredible protection and is highly compatible with third-party applications, log sources, and other cloud platforms.

In other words, Sentinel plays well at home and with others.

It goes even further, with newer functions and capabilities that reflect the increasing adoption of cloud technology.

Microsoft Sentinel operates at scale and automates many processes to respond at speed. This helps reduce the administration and analysis burden on your SOC team. It aims to eradicate the widespread ‘alert fatigue’ that regularly burns out security analysts.

When it comes to answering the question “is Sentinel any good?” the resounding answer is an easy ‘yes’.

Key takeaways

Next steps

Like this? Don’t forget to share?