SIEM (Security Information and Event Management) is one of the essential pieces in the Cyber Defence of any organization. Choosing the right SIEM solution is also equally important. Here we will be discussing our thoughts on why you should choose Sentinel as your SIEM.
What is Microsoft Sentinel?
Microsoft Sentinel is a cloud-native SIEM solution provided by Microsoft. It is designed to provide advanced security analytics and continuous threat detection in the environment. We have a separate blog to help you get a basic understanding of Sentinel here.
Why Microsoft Sentinel?
We surely have a lot of technical perks of using Sentinel. But, we will discuss the non-technical benefits of Microsoft Sentinel instead of the technical ones.
- Ease of use: Sentinel offers many templates that the engineer can use as a starting point and build upon them for the best results. There is very little tool-specific training required to fully use this tool. The limitation is the security knowledge of the engineer using the tool.
- Pricing: Sentinel uses the Pay-as-you-Go model, where you will pay only for the volume of data ingested and the volume of data used for analytics. The price varies from region to region. Detailed pricing can be found here.
- Compatibility: Sentinel is compatible with almost all the market leaders in any service you can imagine. You can find the updated list here. Suppose you have your proprietary kind of logs you want to onboard to Sentinel. You can use the HTTP Data collection API to onboard them into Sentinel.
- Future Scope: SIEM is an enormous investment for any organization. It should serve us for the years to come. Microsoft is continuously improving and expanding its features for the exponentially growing cyber attacks in this digital world.
- Reliability: Microsoft’s ownership and frequent updates ensure that Sentinel’s templates remain reliable in the face of advancing threats. Microsoft uses its wide user base to enhance its Machine learning models for precise detections and alerts.
- No infrastructure requirement: Sentinel was one of the first tools to be a completely cloud-native SIEM solution. Being completely hosted on the cloud, there is very minimal effort required to have the SIEM up and running. Meeting all the prerequisites allows you to spin up Sentinel in less than 10 minutes.
Why not Microsoft Sentinel?
As we are well aware, nothing is perfect, even Microsoft Sentinel has its drawbacks. We have listed the major drawbacks below:
- No completely On-prem version: Sentinel is completely cloud-native, it doesn’t have any on-prem version. This may be required for some organizations who wish to keep all their data with them. Even though there are ways to connect local security monitoring tools like SCOM to Sentinel, it is not built into Sentinel.
- Analytical rules limitation: The number of active analytical rules you can have is limited to 512. Yes, this number is a big number, but for an organization with widespread infrastructure and choosing to have the best security, this is not sufficient. Again, organizations use cross-workspace queries to get around this limitation. Having a higher ceiling would be great.
- Historical logs: Don’t get confused by the term ‘historical logs’. This only applies if you are migrating from an existing SIEM to Sentinel. There is no way to copy your logs in your current SIEM to Sentinel. Even Microsoft recommends storing all the old logs in a storage account or a database and having Azure Data Explorer (ADX) query those logs. Although you can query data in ADX using KQL, it still requires monitoring a different portal.
As discussed above, Microsoft Sentinel has its own strengths and weaknesses, but we still think Sentinel is one of the most potent SIEM in the market. Garner has identified Sentinel as one of the market leaders in SIEM for the year 2023.