Microsoft Sentinel
Sentinel is Microsoft's SIEM and SOAR solution. Every big player in this space has a detailed breakdown of what those terms mean, but you can essentially think of a SIEM as gathering and analyzing logs and events, whereas SOAR is taking automated actions on incidents.
Let's discuss some reasons you would want a SIEM or SOAR:
- SIEM
  - You have third-party security tools
  - You have full Defender XDR and are looking to correlate incidents with other logs such as firewalls, VPNs, or Windows events
  - You are looking for a tool to centrally manage incidents
- SOAR
  - Reduce time spent remediating incidents
  - Reduce initial response time to incidents
  - Allow analysts to trigger automations based on the incident
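As an added example of the correlation the second SIEM bullet describes (this is not code from the original post), a KQL query that joins Defender XDR alerts landing in Sentinel's SecurityAlert table with Windows logon events in SecurityEvent for the same host. It assumes the Defender XDR and Windows Security Events connectors are enabled and that CompromisedEntity carries the device name for endpoint alerts; the hostname-normalizing logic and the one-hour window are choices made for this example.

```kql
// Correlate Defender XDR alerts with Windows logons on the affected host.
// Assumptions: SecurityAlert is fed by the Defender XDR connector and
// SecurityEvent by the Windows Security Events connector.
let lookback = 24h;
let window = 1h;   // look this far before and after each alert
let xdrAlerts =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where AlertSeverity in ("High", "Medium")
    // CompromisedEntity is assumed to hold the device name; normalize it
    // to a short, lower-case hostname so it joins against SecurityEvent.
    | extend Host = tolower(tostring(split(CompromisedEntity, ".")[0]))
    | where isnotempty(Host)
    | project AlertTime = TimeGenerated, AlertName, AlertSeverity,
              ProviderName, Host;
let hostLogons =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    // 4624 = successful logon; type 3 = network, type 10 = RDP
    | where EventID == 4624 and LogonType in (3, 10)
    | extend Host = tolower(tostring(split(Computer, ".")[0]))
    | project LogonTime = TimeGenerated, Host, TargetUserName,
              IpAddress, LogonType;
xdrAlerts
| join kind=inner hostLogons on Host
| where LogonTime between ((AlertTime - window) .. (AlertTime + window))
| summarize Logons = count(),
            Accounts = make_set(TargetUserName, 20),
            SourceIPs = make_set(IpAddress, 20)
            by AlertTime, AlertName, AlertSeverity, ProviderName, Host
| order by AlertTime desc
```

Each row is one XDR alert with the accounts and source addresses that logged on to that host around the time of the alert, which is the kind of context an analyst otherwise has to pull from several consoles by hand.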
Having both of these tools is crucial if you are going to respond to incidents fast. Most attackers are in and out of your environment in less than 2 hours.
While having all of this would be nice, it can also be expensive. However, Microsoft will give you some of Sentinel's features for relatively cheap. When evaluating the need for a SIEM or SOAR, weigh that cost against the cost of your infrastructure going down, a data breach, or a similar outcome of a cyber incident.