We performed a comparison between Microsoft Sentinel and Wazuh based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Features: Microsoft Sentinel effectively identifies threats and integrates seamlessly with other Microsoft solutions. Users say Sentinel makes it easy to find information quickly using KQL queries and praised the solution’s centralized log storage. Wazuh stands out for its effortless integration, excellent log monitoring capabilities, and ELK-based investigation. Microsoft Sentinel could benefit from simplifying documentation, enhancing collaboration with security vendors, and improving data ingestion. Users also want more robust threat intelligence and UEBA features. Wazuh needs improvements in event source coverage, threat intelligence integration, and real-time monitoring of Unix systems.
Service and Support: Some users praised Microsoft’s quick response times and expertise, while others experienced challenges and support delays. Wazuh's customer service is generally deemed satisfactory overall, and many customers noted that they could easily find answers from community forums.
Ease of Deployment: Some users said that deploying Microsoft Sentinel is straightforward, while others consider it to be moderately complex. Some users said that Wazuh’s setup is easy and fast, while others perceived it as complicated and said it required a significant amount of time.
Pricing: Microsoft Sentinel charges customers based on data usage, and it can be expensive for users who need to ingest data from non-cloud sources. Wazuh is a cost-effective option as it is open-source and completely free to acquire.
ROI: Some Sentinel users have seen cost savings, while others have not experienced any financial benefits. Wazuh's MSP program and partnerships offer opportunities to generate revenue from the platform.
Comparison Results: Our users prefer Microsoft Sentinel over Wazuh. Users appreciate its advanced threat-hunting capabilities, automation, and analysis. Microsoft Sentinel also offers seamless integrations with different software platforms and provides a single pane of glass view of security incidents.
"We’ve got process improvement that's happened across multiple different fronts within the organization, within our IT organization based on this tool being in place."
"One of the most valuable features is that it creates a kind of a single pane of glass for organizations that already use Microsoft software. So, when they have things like Microsoft 365, it is very easy for them to kind of plug in or enroll those endpoints into the Azure Sentinel service."
"Its inbuilt Kusto Query Language is a valuable feature. It provides the flexibility needed to leverage advanced data analytics rules and policies and enables us to easily navigate all our security events in a single view. It helps any user easily understand the data or any security lags in their data and applications."
"If you know how to do KQL (kusto query language) queries, which are how you query the log data inside Sentinel, the information is pretty rich. You can get down to a good level of detail regarding event information or notifications."
"The Identity Behavior tab furnishes us with the entire history linked to each IP or domain that has either accessed or attempted to access our system."
"The native integration of the Microsoft security solution has been essential because it helps reduce some false positives, especially with some of the impossible travel rules that may be configured in Microsoft 365. For some organizations, that might be benign because they're using VPNs, etc."
"The analytic rule is the most valuable feature."
"It has basic out-of-the-box integrations with multiple log sources."
"Wazuh offers numerous features, such as the ability to define custom rules for detecting malicious activities and remembering behaviors."
"Wazuh automatically scans the host for CIS benchmarks for the latest updates and vulnerabilities and gives a host score. It provides a percentage of perceived risk due to of non patches or any missing patches on that work."
"Wazuh's logging features integrate seamlessly with AWS cloud-native services. There are also Wazuh agent configurations for different use cases, like vulnerability scanning, host-based intrusion detection, and file integrity monitoring."
"I like that the solution is on top of the Kubernetes stack."
"The deployment is easy and they provide very good documentation."
"It's stable."
"The most valuable feature of Wazuh is the ELK for doing an investigation."
"It is excellent in terms of visualization and indexing services, making it a powerful tool for malware detection."
"They can work on the EDR side of things... Every time we need to onboard these kinds of machines into the EDR, we need to do it with the help of Intune, to sync up the devices, and do the configuration. I'm looking for something on the EDR side that will reduce this kind of work."
"The solution could be more user-friendly; some query languages are required to operate it."
"Its implementation could be simpler. It is not really simple or straightforward. It is in the middle. Sometimes, connectors are a little bit complex."
"We do see continuous improvement all the time, however, I haven't got a specific feature that is lacking or not well designed."
"Currently, the watchlist feature is being utilized, and although there have been improvements, it is still not fully optimized."
"I would like Sentinel to have more out-of-the-box analytics rules. There are already more than 400 rules, but they could add more industry-specific ones. For example, you could have sets of out-of-the-box rules for banking, financial sector, insurance, automotive, etc., so it's easier for people to use it out of the box. Structuring the rules according to industry might help us."
"Sentinel still has some anomalies. For example, sometimes when we write a query for log analysis with KQL, it doesn't give us the data in a proper way... Also, the fields or columns could be improved. Sometimes, it is not giving the desired results and there is a blank field."
"I believe one of the challenges I encountered was the absence of live training sessions, even with the option to pay for them."
"Wazuh could improve the detection, it is not detecting all of the attacks. Additionally, it is lacking features compared to other solutions."
"Since it's an open-source tool, scalability is the main issue."
"The only challenge we faced with Wazuh was the lack of direct support."
"Scalability is a challenge because it is distributed architecture and it uses Elastic DB. Their Elastic DB doesn't allow open source waste application."
"Its configuration process is time-consuming."
"Adding the flexibility to integrate various plug-ins or modules into its core system would enhance functionality."
"A more structured approach, perhaps with modular UI components, to facilitate easier integration and navigation within the Wazuh platform for custom integrations would be beneficial."
"They need to go towards integrating with more cloud applications and not just OS like Windows and Linux."
Microsoft Sentinel is ranked 2nd in Security Information and Event Management (SIEM) with 85 reviews while Wazuh is ranked 3rd in Security Information and Event Management (SIEM) with 38 reviews. Microsoft Sentinel is rated 8.2, while Wazuh is rated 7.4. The top reviewer of Microsoft Sentinel writes "Gives a comprehensive and holistic view of the ecosystem and improves visibility and the ability to respond". On the other hand, the top reviewer of Wazuh writes "It integrates seamlessly with AWS cloud-native services". Microsoft Sentinel is most compared with AWS Security Hub, IBM Security QRadar, Splunk Enterprise Security, Microsoft Defender for Cloud and Google Chronicle Suite, whereas Wazuh is most compared with Elastic Security, Security Onion, Splunk Enterprise Security, AlienVault OSSIM and CrowdStrike Falcon. See our Microsoft Sentinel vs. Wazuh report.
See our list of best Security Information and Event Management (SIEM) vendors.
We monitor all Security Information and Event Management (SIEM) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.