Microsoft Sentinel vs ServiceNow Security Operations comparison

Microsoft Sentinel vs. ServiceNow Security Operations

Download the complete report

Helped 879,768 peers since 2012

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Categories and Ranking

Torq

Mindshare comparison

As of January 2026, in the Security Orchestration Automation and Response (SOAR) category, the mindshare of Torq is 4.9%, up from 4.5% compared to the previous year. The mindshare of Microsoft Sentinel is 13.0%, down from 20.5% compared to the previous year. The mindshare of ServiceNow Security Operations is 3.5%, down from 3.9% compared to the previous year. It is calculated based on PeerSpot user engagement data.

Security Orchestration Automation and Response (SOAR) Market Share Distribution
Product	Market Share (%)
Microsoft Sentinel	13.0%
ServiceNow Security Operations	3.5%
Torq	4.9%
Other	78.6%

Security Orchestration Automation and Response (SOAR)

Featured Reviews

reviewer2767650

Senior Consultant at a university with 10,001+ employees

Have found automation to save analyst time but miss more accurate data classification

From our research and testing with the tool, we determined there need to be modifications and changes to train the LLM on the back end. It was able to capture data but was unable to differentiate between the agent hostname we are using and the hostname that resides on the back end of the Internet. It was unable to do that sort of classification. We concluded this tool would be more suitable for initial ticket management rather than security automation. Regarding data handling, I would give preference to Torq. For case management, Cortex and its dashboards prove more useful. Cortex and Palo's solutions do not have as much capability as Torq provides with the same tools. However, Torq's dashboards could be improved, especially on the case management side.

Read full review

Rob Wille

Solutions Architect at a tech vendor with 201-500 employees

Creates value with advanced investigation capabilities while seeking improved integration with varied platforms

My primary improvement request would be for auxiliary logs, as they represent our biggest need. While we have automated deployments now, Microsoft Sentinel is fairly easy to deploy, although we face challenges with integrations related to AWS and GCP, particularly with Google. The integration challenges arise from both sides; Google tends to be noisy, and we find only ten analytic rules out of the box, necessitating the use of Defender for Cloud for alerts, which indicates a need for better documentation during deployment. The story between UEBA and Defender for Identity and Intra needs to be further explored and defined. There's some confusion on what is happening from a user and entity behavior.

Read full review

Kalyan Kothali

Associate Vice President at Wissen infotech

Effectively manages vulnerabilities and reduces false positives

ServiceNow Security Operations provides significant control over vulnerabilities, allowing users to mark false alarms as false positives and ignore them, which is important because many vulnerabilities are not real but appear as such. There are many aspects that we could handle. For certain vulnerabilities, remediation requires spending extra on hardware or OS upgrades, or purchasing new versions, which implies a cost. For that reason, we can take an exception for a couple of months or days, and once that exception expires, that vulnerability automatically reappears. These features help us ensure that everything is under control, and when we discuss vulnerabilities, we can consolidate them into one central category, which means working on one vulnerability automatically resolves the rest, making it efficient with the features provided.

Read full review

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:

Pros

"As an analyst, it has demonstrated potential to reduce workforce requirements and time needed for related activities."

"The most valuable features in my experience are the UEBA, LDAP, the threat scheduler, and integration with third-party straight perform like the MISP."

"We are able to deploy within half an hour and we only require one person to complete the implementation."

"The best feature of Microsoft Sentinel is its ability to unify all dashboards or functions into one modern SecOps dashboard."

"I like the KQL query. It simplifies getting data from the table and seeing the logs. All you need to know are the table names. It's quite easy to build use cases by using KQL."

"Azure Application Gateway makes things a lot easier. You can create dashboards, alert rules, hunting and custom queries, and functions with it."

"Microsoft Sentinel comes preloaded with templates for teaching and analytics rules."

"The scalability is great. You can put unlimited logs in, as long as you can pay for it. There are commitment tiers, up to six terabytes per day, which is nowhere close to what any one of our customers is running."

"One of the most valuable features is that it creates a kind of a single pane of glass for organizations that already use Microsoft software. So, when they have things like Microsoft 365, it is very easy for them to kind of plug in or enroll those endpoints into the Azure Sentinel service."

More Microsoft Sentinel pros

"ServiceNow Security Operations also takes care of GRC, governance, risk and compliance, enabling it to provide risk assessment."

"It's stable."

"Integration to other security tools allows for a consolidated view of all vulnerabilities, incidents, etc. for all sorts of leverage in a single platform to assess governance risk and compliance as well as an enhanced, enriched intelligence."

"The solution is stable."

"ServiceNow Security Operations collects data from various sources and presents it in a single, respectable format for assessment and action, providing a unified user experience where all work and fixes can be managed from one location."

"The SOAR module of ServiceNow Security Operations is the most valuable feature"

"The "follow" feature is really good. If the user is not responding, there's an option to "follow". Just click on the button, and it will automatically trigger an email to the end user."

"ServiceNow is a convenient platform to raise tickets, and the respective support team will contact us to resolve any issues."

More ServiceNow Security Operations pros

Cons

"It was able to capture data but was unable to differentiate between the agent hostname we are using and the hostname that resides on the back end of the Internet."

"Its documentation is not so simple. It is easy for somebody who is Microsoft certified or more closely attached to Microsoft solutions. It is not easy for those who are working on open-source platforms. There isn't a central point where everything is documented, and there is no specific training or certification."

"From a client perspective, they'd like to see more cost savings."

"Improvement-wise, I would like to see more integration with third-party solutions or old-school antivirus products that have some kind of logging capability. I wouldn't mind having that exposed within Sentinel. We do have situations where certain companies have bought licensing or have made an investment in a product, and that product will be there for the next two or three years. To be able to view information from those legacy products would be great. We can then better leverage the Sentinel solution and its capabilities."

"My primary improvement request would be for auxiliary logs, as they represent our biggest need."

"Sentinel still has some anomalies. For example, sometimes when we write a query for log analysis with KQL, it doesn't give us the data in a proper way... Also, the fields or columns could be improved. Sometimes, it is not giving the desired results and there is a blank field."

"The playbook is a bit difficult and could be improved."

"The integration challenges arise from both sides; Google tends to be noisy, and we find only ten analytic rules out of the box, necessitating the use of Defender for Cloud for alerts, which indicates a need for better documentation during deployment."

"As of now, there have been only benefits. However, I am curious about potential AI integration and whether it will be affordable for us because all the compliance costs are rising with all the new features."

More Microsoft Sentinel cons

"In future releases, I would like to add a follow-up and reminder feature. For the tickets in our queue, we could set reminders. This would help us prioritize older tickets before moving on to new ones."

"An area for improvement I observed in ServiceNow Security Operations is the need to maintain correct CMDB data because if you're unable to do this, you can't perfectly maintain the vulnerability data. CMDB data in ServiceNow Security Operations needs to be accurate. As I've been working on ServiceNow Security Operations for only seven months, I still need more time to try all its modules before I can give recommendations regarding additional features I'd like to see in the solution."

"The threat intelligence module needs a better dashboard."

"Process framework and best practices for ease of integration between IT and security teams via incident, problem, and change."

"The solution needs to make customization easier. You cannot do much customization immediately. It requires an extensive workload. If the customization process was user-friendly, it would be much better."

"It is challenging for the customers to understand the processes for SecOps. It needs to be simplified."

"They should stick to the roadmap and continue to build plugins and integrations with other third parties, enhance the UI, and enhance the reporting. It's all good. They should just continue enhancing the releases."

"Report generation within ServiceNow can take some time. Additionally, there are occasional issues when raising a ticket, which can also consume time."

More ServiceNow Security Operations cons

Pricing and Cost Advice

Information not available

"Pricing is pay-as-you-go with Sentinel, which is good because it all depends on the number of users and the number of devices to which you connect."

"Microsoft Sentinel can be costly, particularly for data management."

"Good monthly operational cost model for the detection and response outcomes delivered, M365 logs don't count toward the limits which is a good benefit."

"The pricing is fair... With a traditional SIEM, you pay a lump sum for licenses. But with Sentinel, it's pay-as-you-go according to the amount of data you inject."

"Microsoft is costlier. Some organizations may not be able to afford the cost of Sentinel orchestration and the Log Analytics workspace. The transaction hosting cost is also a little bit on the high side, compared to AWS and GCP."

"It varies on a case-by-case basis. It is about $2,000 per month. The cost is very low in comparison to other SIEMs if you are already a Microsoft customer. If you are using the complete Microsoft stack, the cost reduces by almost 42% to 50%. Its cost depends on the number of logs and the type of subscription you have. You need to have an Azure subscription, and there are charges for log ingestion, and there are charges for the connectors."

"Cost-wise, Sentinel is based on the volume of information being ingested, so it can be quite pricey. The ability to use strategies to control what data is being ingested is important."

"Microsoft Sentinel requires an E5 license."

More Microsoft Sentinel pricing and cost advice

"Compared to competitor tools, ServiceNow Security Operations is more affordable"

"The product is more expensive than other solutions."

"The solution is more expensive than BMC Remedy, the other ITSM tool available in the market."

"If you're going to implement it on your own, there would be internal costs. If you're going to implement it through a contractor or consultant, you have to pay for that."

"This product is a good value for the money."

"It is an expensive product."

See which vendors are best for you

Use our free recommendation engine to learn which Security Orchestration Automation and Response (SOAR) solutions are best for your needs.

See recommendations

879,768 professionals have used our research since 2012.

Top Industries

By visitors reading reviews

Financial Services Firm

15%

Computer Software Company

Manufacturing Company

Retailer

Computer Software Company

14%

Financial Services Firm

10%

Manufacturing Company

Government

Financial Services Firm

17%

Manufacturing Company

13%

Computer Software Company

Government

Company Size

By reviewers

Large Enterprise

Midsize Enterprise

Small Business

No data available

By reviewers
Company Size	Count
Small Business	38
Midsize Enterprise	22
Large Enterprise	44

By reviewers
Company Size	Count
Small Business	6
Midsize Enterprise	2
Large Enterprise	15

Questions from the Community

What needs improvement with Torq?

From our research and testing with the tool, we determined there need to be modifications and changes to train the LL...

What is your primary use case for Torq?

I used Torq for conducting one of the proof of evaluations for a vendor we are connected with. I am currently working...

What advice do you have for others considering Torq?

One of our members uses AWS, and we receive their feed. This involves triaging AWS-related logs. While I do not have ...

Is there a common threat intelligence tool that aggregates multiple threat intelligence sources?

Yes, Azure Sentinel is a SIEM on the Cloud. Multiple data sources can be uploaded and analyzed with Azure Sentinel an...

What is a better choice, Splunk or Azure Sentinel?

It would really depend on (1) which logs you need to ingest and (2) what are your use cases Splunk is easy for ingest...

Which is better - Azure Sentinel or AWS Security Hub?

We like that Azure Sentinel does not require as much maintenance as legacy SIEMs that are on-premises. Azure Sentinel...

What is your experience regarding pricing and costs for ServiceNow Security Operations?

It is relatively expensive but manageable.

What needs improvement with ServiceNow Security Operations?

ServiceNow Security Operations is not specifically a vulnerability management or incident tool, but rather a data agg...

What advice do you have for others considering ServiceNow Security Operations?

Initially, acquire basic knowledge about the system and understand how ServiceNow Security Operations operates with o...

Palo Alto Networks Cortex XSOAR vs Torq

Comparisons

Tines vs Torq

Compared 51% of the time

Splunk SOAR vs Torq

Compared 14% of the time

Blink Ops vs Torq

Compared 13% of the time

Compared 10% of the time

Swimlane vs Torq

Compared 7% of the time

More Torq Competitors

AWS Security Hub vs Microsoft Sentinel

Compared 17% of the time

Cortex XSIAM vs Microsoft Sentinel

Compared 6% of the time

IBM Security QRadar vs Microsoft Sentinel

Compared 5% of the time

Wazuh vs Microsoft Sentinel

Compared 4% of the time

CrowdStrike Falcon vs Microsoft Sentinel

Compared 4% of the time

More Microsoft Sentinel Competitors

Splunk SOAR vs ServiceNow Security Operations

Compared 18% of the time

Palo Alto Networks Cortex XSOAR vs ServiceNow Security Operations

Compared 14% of the time

Tines vs ServiceNow Security Operations

Compared 7% of the time

NetWitness NDR vs ServiceNow Security Operations

Compared 5% of the time

Google Security Operations vs ServiceNow Security Operations

Compared 4% of the time

More ServiceNow Security Operations Competitors

Product Reports

Security Orchestration Automation and Response (SOAR)

Download Torq product report

Microsoft Sentinel

Download Microsoft Sentinel product report

ServiceNow Security Operations

Download ServiceNow Security Operations product report

Also Known As

No data available

Azure Sentinel

No data available

Overview

Torq provides advanced automation capabilities, enabling organizations to streamline operations and enhance efficiency. It's designed to address complex workflows, reducing manual efforts and improving productivity.

Leveraging automation, Torq assists companies in managing intricate processes with agility and precision, making it indispensable for those seeking to optimize their workflows. Its robust platform integrates smoothly into current infrastructures, minimizing disruptions while enhancing operational capacities.

What are Torq's standout features?

Automation Workflows: Streamlines repetitive tasks to enhance efficiency.
Seamless Integration: Connects with existing systems effortlessly.
Scalability: Adapts to growing business demands efficiently.

What benefits should you look for in reviews?

Productivity Gains: Significant improvement in task completion rates.
Cost Reduction: Decreases manual labor costs through automation.
Enhanced Collaboration: Facilitates better communication among teams.

Torq's capabilities are especially beneficial in industries like finance and healthcare where intricate workflows and compliance requirements are common. Automation in these sectors supports better data management and regulatory adherence, providing a decisive edge in operational efficiency.

Torq

Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution that lets you see and stop threats before they cause harm. Microsoft Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs—while reducing IT costs. With Microsoft Sentinel, you can:

- Collect data at cloud scale—across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds

- Detect previously uncovered threats and minimize false positives using analytics and unparalleled threat intelligence from Microsoft

- Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft

- Respond to incidents rapidly with built-in orchestration and automation of common tasks

To learn more about our solution, ask questions, and share feedback, join our Microsoft Security, Compliance and Identity Community.

Microsoft

ServiceNow Security Operations is a cutting-edge security solution designed to elevate organizations' security incident response (SIR) processes through automation and orchestration. Going beyond traditional SOAR, this comprehensive Security Operations Suite integrates seamlessly with other ServiceNow products and offers a wide array of features. Its components include Security Incident Response (SIR), which automates incident workflows and offers pre-built playbooks; Security Configuration Compliance (SCC), continuously scanning and automating compliance tasks; Vulnerability Response (VR), prioritizing and remediating vulnerabilities; Threat Intelligence (TI), aggregating threat data for proactive threat hunting; and additional features like IT Service Management integration, Machine Learning and AI, reporting, and a mobile app. The benefits span improved incident response speed, reduced mean time to resolution, increased security posture, enhanced compliance, collaborative synergy between security and IT teams, and operational cost reductions.

ServiceNow

Sample Customers

Information Not Available

Microsoft Sentinel is trusted by companies of all sizes including ABM, ASOS, Uniper, First West Credit Union, Avanade, and more.

DXC Technology, Freedom Security Alliance, Prime Therapeutics, Seton Hall University, York Risk Services

Microsoft Sentinel vs. ServiceNow Security Operations