We performed a comparison between Microsoft Sentinel and Splunk based on our users’ reviews in five categories. After reading all of the collected data, you can find our conclusion below.
Comparison Results: Microsoft Azure Sentinel is the winner in this comparison. Compared to Splunk, it is easier to deploy, and has superior artificial intelligence. In addition, Microsoft Azure Sentinel’s price is more attractive than Splunk’s.
"Devo provides a multi-tenant, cloud-native architecture. This is critical for managed service provider environments or multinational organizations who may have subsidiaries globally. It gives organizations a way to consolidate their data in a single accessible location, yet keep the data separate. This allows for global views and/or isolated views restricted by access controls by company or business unit."
"The most powerful feature is the way the data is stored and extracted. The data is always stored in its original format and you can normalize the data after it has been stored."
"One of the biggest features of the UI is that you see the actual code of what you're doing in the graphical user interface, in a little window on the side. Whatever you're doing, you see the code, what's happening. And you can really quickly switch between using the GUI and using the code. That's really useful."
"The user experience [is] well thought out and the workflows are logical. The dashboards are intuitive and highly customizable."
"The thing that Devo does better than other solutions is to give me the ability to write queries that look at multiple data sources and run fast. Most SIEMs don't do that. And I can do that by creating entity-based queries. Let's say I have a table which has Okta, a table which has G Suite, a table which has endpoint telemetry, and I have a table which has DNS telemetry. I can write a query that says, 'Join all these things together on IP, and where the IP matches in all these tables, return to me that subset of data, within these time windows.' I can break it down that way."
"Those 400 days of hot data mean that people can look for trends and at what happened in the past. And they can not only do so from a security point of view, but even for operational use cases. In the past, our operational norm was to keep live data for only 30 days. Our users were constantly asking us for at least 90 days, and we really couldn't even do that. That's one reason that having 400 days of live data is pretty huge. As our users start to use it and adopt this system, we expect people to be able to do those long-term analytics."
"The user interface is really modern. As an end-user, there are a lot of possibilities to tailor the platform to your needs, and that can be done without needing much support from Devo. It's really flexible and modular. The UI is very clean."
"The most useful feature for us, because of some of the issues we had previously, was the simplicity of log integrations. It's much easier with this platform to integrate log sources that might not have standard logging and things like that."
"The most valuable feature is the performance because unlike legacy SIEMs that were on-premises, it does not require as much maintenance."
"It has basic out-of-the-box integrations with multiple log sources."
"If you know how to do KQL (kusto query language) queries, which are how you query the log data inside Sentinel, the information is pretty rich. You can get down to a good level of detail regarding event information or notifications."
"The automation rules and playbooks are the most useful that I've seen. A number of other places segregate the automation and playbook as separate tools, whereas Microsoft is a SIEM and SOAR tool in one."
"The most valuable features in my experience are the UEBA, LDAP, the threat scheduler, and integration with third-party straight perform like the MISP."
"Sentinel's most important feature is the ability to centralize all the logs in one place. There's no need to search multiple systems for information."
"Sentinel has features that have helped improve our security poster. It helped us in going ahead and identifying the gaps via analysis and focusing on the key elements."
"The solution has features that helped improve the security posture of our clients. It provides the ability to correlate a large variety of log sources very cost-effectively, especially for Microsoft sources."
"Splunk works based on parsing log files."
"Easy to deploy and simple to use."
"I have found the installation can be of medium difficulty to very complex depending on the use case."
"It is the best tool if you have a complex environment or if data ingestion is too huge."
"The feature that I have found most valuable with Splunk is the ability to sift through a bunch of data very quickly."
"We can easily configure things as required in relation to our use cases."
"Our clients are easily able to modify and evolve their implementations."
"With good domain knowledge, one can build almost anything. If you throw in Alert Manager or an integration with ServiceNow. Then, you have your own SIEM"
"Some of the documentation could be improved a little bit. A lot of times it doesn't go as deep into some of the critical issues you might run into. They've been really good to shore us up with support, but some of the documentation could be a little bit better."
"There is room for improvement in the ability to parse different log types. I would go as far as to say the product is deficient in its ability to parse multiple, different log types, including logs from major vendors that are supported by competitors. Additionally, the time that it takes to turn around a supported parser for customers and common log source types, which are generally accepted standards in the industry, is not acceptable. This has impacted customer onboarding and customer relationships for us on multiple fronts."
"There's room for improvement within the GUI. There is also some room for improvement within the native parsers they support. But I can say that about pretty much any solution in this space."
"There are some issues from an availability and functionality standpoint, meaning the tool is somewhat slow. There were some slow response periods over the past six to nine months, though it has yet to impact us terribly as we are a relatively small shop. We've noticed it, however, so Devo could improve the responsiveness."
"We only use the core functionality and one of the reasons for this is that their security operation center needs improvement."
"An admin who is trying to audit user activity usually cannot go beyond a day in the UI. I would like to have access to pages and pages of that data, going back as far as the storage we have, so I could look at every command or search or deletion or anything that a user has run. As an admin, that would really help. Going back just a day in the UI is not going to help, and that means I have to find a different way to do that."
"The biggest area with room for improvement in Devo is the Security Operations module that just isn't there yet. That goes back to building out how they're going to do content and larger correlation and aggregation of data across multiple things, as well as natively ingesting CTI to create rule sets."
"Technical support could be better."
"They should integrate it with many other software-as-a-service providers and make connectors available so that you don't have to do any sort of log normalization."
"Microsoft Defender has a built-in threat expert option that enables you to contact an expert. That feature isn't available in Sentinel because it's a huge product that integrates all the technologies. I would like Microsoft to add the threat expert option so we can contact them. There are a few other features, like threat assessment that the PG team is working on. I expect them to release this feature in the next quarter."
"They should just add more and more out-of-the-box connectors. It is quite a new product, and it has a lot of connectors, and even more would be good."
"There is room for improvement in entity behavior and the integration site."
"If I can use Sentinel offline at home and use it on a local network, it would be great. I'm not sure if I can use Sentinel offline versus the tools I have."
"Multi-tenancy, in my opinion, needs to be improved. I believe it can do better as a managed service provider."
"Azure Sentinel will be directly competing with tools such as Splunk or Qradar. These are very established kinds of a product that have been around for the last seven, eight years or more."
"The product can be improved by reducing the cost to use AI machine learning."
"Over time I will have more requirements and I can foresee the solution could improve the search algorithm to run and output the data faster."
"Its search or filtering capability is nice, but it can be improved. It is currently a bit complicated, and it should be simplified. If we can write the search filter in a more simplified way, it would be better."
"I feel the solution to be too slow."
"The difficult part is related to integration with sources of data that are used to create the logs as this depends on the infrastructure of the client."
"I'd say I am happy with the technical support, not elated. They provide great support, but sometimes they don't have the answers that I need."
"The analytics of Splunk could be improved."
"I would like to see more SIEM functionality and a better ticket tool."
"Queries are not always as easy or straightforward as they might be, so it can be difficult to figure out what you need to look for."
Devo is the only cloud-native logging and security analytics platform that releases the full potential of all your data to empower bold, confident action when it matters most. Only the Devo platform delivers the powerful combination of real-time visibility, high-performance analytics, scalability, multitenancy, and low TCO crucial for monitoring and securing business operations as enterprises accelerate their shift to the cloud.
Microsoft Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution that lets you see and stop threats before they cause harm. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response. Eliminate security infrastructure setup and maintenance, and elastically scale to meet your security needs—while reducing IT costs. With Azure Sentinel, you can:
- Collect data at cloud scale—across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds
- Detect previously uncovered threats and minimize false positives using analytics and unparalleled threat intelligence from Microsoft
- Investigate threats with AI and hunt suspicious activities at scale, tapping into decades of cybersecurity work at Microsoft
- Respond to incidents rapidly with built-in orchestration and automation of common tasks
To learn more about our solution, ask questions, and share feedback, join our Microsoft Security, Compliance and Identity Community.
Splunk is a tool that provides log management, security information, and event management solutions that help organizations easily make their machine data accessible, usable, and valuable for everybody. Splunk utilizes operational intelligence to turn machine data into valuable information by monitoring and to analyze all activities.
Splunk is ideal for data monitoring and searching, since it correlates and indexes large volumes of data into a searchable container. This enables users to create alerts, reports, and visualizations in real time. Splunk provides an in-depth, real-time view of the health and performance of all layers of your tech stack so you can optimize your system’s performance by proactively detecting errors and quickly fixing them.
These days, it is becoming more and more difficult to maintain a strong security posture. Cyber attacks are becoming more and more sophisticated, and attackers have access to more entrance points. By implementing Splunk’s threat intelligence tools, you can modernize your security operations in any setting or framework, making your corporate growth more effective and flexible. The advanced visibility that Splunk provides, allows security teams to quickly detect and remove malicious threats in their environment.
Some of the benefits of using Splunk include:
Reviews from Real Users
Splunk stands out among its competitors for a number of reasons. Two major ones are its flexible search query tools and its strong AI capabilities.
A Solutions Consultant at a tech services company notes, “It provides a lot of analytics with the underlying AI engine, and it is a lot easier than other solutions. There are some products that do automated AI-based detection and drawing up charts, but for network monitoring and all of the monitoring aspects, it is quite a nice tool. It is very convenient for business users because they get more or less a lot of data readily available. If you're familiar with the Splunk query language, you can pretty much do whatever you want.”
See how Devo allows you to free yourself from data management, and make machine data and insights accessible.
Microsoft Sentinel is ranked 3rd in Security Information and Event Management (SIEM) with 47 reviews while Splunk is ranked 1st in Security Information and Event Management (SIEM) with 64 reviews. Microsoft Sentinel is rated 8.2, while Splunk is rated 8.2. The top reviewer of Microsoft Sentinel writes "A straightforward solution that provides comprehensiveness and coverage of multiple different on-prem, and cloud solutions". On the other hand, the top reviewer of Splunk writes "Very versatile for many use cases". Microsoft Sentinel is most compared with AWS Security Hub, IBM QRadar, Elastic Security, Rapid7 InsightIDR and ManageEngine Log360, whereas Splunk is most compared with Elastic Security, Wazuh, Dynatrace, Azure Monitor and AppDynamics. See our Microsoft Sentinel vs. Splunk report.
See our list of best Security Information and Event Management (SIEM) vendors.
We monitor all Security Information and Event Management (SIEM) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.