What's Inside Your Microsoft Sentinel

December 6, 2022 | 4 min read

Mona Ghadiri

Senior Director of Product Management


This year, Gartner reviewed 16 SIEM providers for the 2022 Gartner® Magic Quadrant™ for SIEM™ and Microsoft came in as the highest positioned on the Ability to Execute axis. As Microsoft’s U.S. security partner of the year, BlueVoyant agrees — Microsoft Sentinel has made cloud-native SIEM an operational and integral part of security and incident response programs.

In the report, Gartner noted three key strengths for Microsoft Sentinel. The report also pointed out that each of the 16 SIEMs reviewed had unique shortcomings that should be considered.

As an example of how customers are seeing the value of Microsoft’s highly integrated security product strategy, Microsoft reported the number of E5 customers who also purchased Sentinel increased 44% year-over-year in the Microsoft Q1 earnings report. We believe the vision of Microsoft Sentinel, M365 Defender, and Defender for Cloud, working together as the forward-operating bases of your cyber arsenal, maximizes Microsoft value and allows clients to reach their SIEM plus XDR goals — such as reduced time to investigate, extended response actions, and lower false positive rates. Within our clients’ arsenal, more than 70% of them use a combination of Sentinel and other Microsoft security tools like M365 Defender or Defender for Cloud.

A fast-developing roadmap has definitely been a differentiator for BlueVoyant. As one of the first organizations to work with Sentinel, BlueVoyant has watched the SIEM platform grow and mature at a lightning pace. BlueVoyant’s strategy has been to invest heavily in Microsoft’s private security community and to embrace the change by evolving alongside Sentinel. Writing Microsoft Sentinel’s best practice guide solidified our place and role as platform experts, and we believe this valuable tool helped Microsoft secure its ability to execute.

Another key strength for any SIEM lies in the volume and relevance of the data being consumed, as well as the effectiveness of the detection content run against those logs. If log feeds are broken and no longer working, missing because you don’t have a connector, or not adequately analyzed for threat relevance, health, or completeness, the data entering your SIEM will provide a false sense of security. A well-managed log strategy ensures that costs are justified, budgets are used efficiently, and your detections are pressure tested.
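One way to catch the "broken and no longer working" case described above is to watch for tables that were ingesting last week but have gone quiet. The following KQL query is an added example, not code from the original post; it runs against the workspace's Usage table, and the 7-day lookback and 24-hour silence threshold are assumptions to tune per feed.

```kql
// Added example: find billable log tables that sent data during the lookback window
// but have not been seen for longer than the silence threshold.
let lookback = 7d;   // assumption: how far back a table must have been active
let silence = 24h;   // assumption: adjust for feeds that legitimately batch less often
Usage
| where TimeGenerated > ago(lookback + silence)
| where IsBillable == true
| summarize LastSeen  = max(TimeGenerated),
            VolumeMB  = sum(Quantity),                    // Usage.Quantity is reported in MB
            ActiveHrs = dcount(bin(TimeGenerated, 1h))    // how many hourly buckets had data
        by DataType
| where LastSeen < ago(silence)
| extend HoursSilent = datetime_diff('hour', now(), LastSeen)
| project DataType, LastSeen, HoursSilent, VolumeMB, ActiveHrs
| order by HoursSilent asc    // newest outages first; long-silent tables may be retired on purpose
```

Scheduled hourly as an analytics rule, the result doubles as a health alert for connectors that stopped delivering without anyone noticing.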

What’s more, security is also diminished if your detection rules or correlation analytics are not maintained and continually updated at the speed of fast-moving threats that exploit zero-days. A cloud-native SIEM program should be able to implement new detections weekly, and detections for zero-days within hours. If no rules or use cases are implemented that identify a threat, there is a higher likelihood it will be missed.

Sophisticated correlations, otherwise known as Risk-Based Analytics, are also a must-have. Many seemingly innocent events are early indicators of well-orchestrated attacks when entity mapping is used properly. Although Sentinel can perform risk-based incident analytics and multi-signal, multi-log correlation, without a talented security expert team those early threat indicators will not be identified. It's also wise to tag detection rules to the MITRE ATT&CK framework and deploy them as code. Sentinel’s built-in MITRE ATT&CK map means you don’t have to go elsewhere to see your coverage.

Execution for Sentinel specifically requires a unique skill set. Businesses don't have the resources needed to analyze their SIEM log ingestion strategy, build connectors to include all necessary security logs, or continually maintain and create new detection rules and incident correlations. They may also lack Azure security expertise. As Gartner revealed, SIEMs vary greatly. Without continuous and expert management, we believe they will become more of a liability than an asset.

BlueVoyant Core: MDR™ for SIEM & XDR with Microsoft includes 24x7 monitoring, detection, and response across Microsoft’s stack. BlueVoyant is expert at implementing and maintaining a cost-correct log strategy and providing a continuous stream of new threat detections and correlations, including same-day, zero-day responses. We also do much of our work inside your tenant, so you have control and visibility of everything while avoiding vendor lock-in.

It goes without saying that one of our goals is to ensure you maximize your Microsoft investment every day.

Mona Ghadiri serves as BlueVoyant’s ebullient Director of Product Management.

GARTNER and Magic Quadrant are a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and are used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.