|
|
This Presentation date is October 9, 2025 at 9:30-10:00.
Presenters: Tom Hollingsworth
Follow on Twitter using the following hashtags or usernames: #TFDxMSSec25
Microsoft Sentinel Delegate Roundtable Discussion
Watch on YouTube
Watch on Vimeo
In this roundtable discussion, the Field Day delegates discussion the current state of the Microsoft Sentinel. Currently, there is work to do with bringing together multiple portals like Defender, Entra, and Purview, as well as clearing up analysts whose roles span multiple security personas. There is also a need to clarify the licensing requirements and how each of the tools in the overall suite are integrated into workflows. The consensus is that the platform feels like a collection of separate products from different teams rather than a truly unified, integrated solution. This challenge is magnified for organizations with hybrid or multi-cloud environments, where the high cost of ingesting data from non-Microsoft sources like AWS presents a significant barrier to adoption.
The delegates expressed hesitation about making a strategic investment in a platform that seems so early in its development, concerned that future changes could force them to retool their processes. They stressed the need for greater maturity, transparency, and traceability, especially in reporting, as they cannot present “black box” data to senior leadership. For Sentinel to succeed in the real world, the delegates believe Microsoft must demonstrate a stronger commitment to interoperability by adopting open standards like OCSF more quickly and offering more flexibility in data engineering and routing before data enters the Sentinel lake. The feeling is that Microsoft needs to transition from its traditional license-based, “all-or-nothing” approach to prove it can truly function as an open ecosystem partner.
Despite these criticisms, the delegates are optimistic about Sentinel’s potential. The underlying data platform, with its integrated layer of tabular, graph, and vector data, is considered powerful, especially for advanced data science teams. The graph visualizations were particularly praised as an effective way to communicate pre- and post-breach scenarios and risk to business leaders. The delegates concluded that the platform’s greatest current strength is its flexibility. By providing low-code/no-code interfaces and natural language query capabilities, Microsoft empowers customers to build the specific reports and tools they need. This ability for organizations to create their own solutions is seen as a powerful way to bridge the current maturity gap and extract immediate, tailored value from the platform.
Personnel: Tom Hollingsworth