We compared Splunk Enterprise Security and Microsoft Sentinel based on our users' reviews using several parameters.
Splunk Enterprise Security is praised for its threat intelligence, analytics, and user-friendly interface. Users mention improvements needed in user-friendliness, search query language, and performance. Pricing is considered high but justified by the value. Microsoft Sentinel is affordable and has a simpler setup process. Users appreciate the advanced threat visibility, integration with other Microsoft products, and machine learning capabilities. Improvement suggestions include a more intuitive interface, better customization options, and enhanced integration with third-party tools. Users find both products valuable with positive impacts on their organization.
Features: Splunk Enterprise Security stands out for its customizable analytics and real-time monitoring, while Microsoft Sentinel excels in advanced threat visibility and machine learning integration. Splunk focuses on scalability and customization, whereas Sentinel emphasizes centralizing alerts and actionable insights.
Pricing and ROI: Splunk Enterprise Security tends to have higher pricing and high setup costs initially, but users find the value and benefits worth the investment. Microsoft Sentinel is noted for its reasonable pricing, minimal setup costs, and flexible licensing options. Splunk Enterprise Security offers improved operational efficiency, threat detection, and incident response, while Microsoft Sentinel provides enhanced security, reduced incident response time, and seamless integration.
Room for Improvement: Splunk Enterprise Security users seek a more user-friendly interface and simplified search query language. They desire enhanced alerting and reporting features to improve performance. Microsoft Sentinel users want a more intuitive platform, better customization options, enhanced integration capabilities, and improved reporting and documentation.
Deployment and customer support: While Splunk Enterprise Security had varying implementation durations, users found Microsoft Sentinel quicker to deploy. However, some noted that Sentinel's setup was more complex compared to Splunk's faster implementation and simpler setup process. Splunk Enterprise Security stands out for its prompt response times and knowledgeable staff, enhancing the overall user experience. Microsoft Sentinel impresses with quick issue resolution and effective, helpful support, leading to positive user experiences.
The summary above is based on 201 interviews we conducted recently with Splunk Enterprise Security and Microsoft Sentinel users. To access the reviews' full transcripts, download our report.
"If you know how to do KQL (kusto query language) queries, which are how you query the log data inside Sentinel, the information is pretty rich. You can get down to a good level of detail regarding event information or notifications."
"There are some very powerful features to Sentinel, such as the integration of various connectors. We have a lot of departments that use both IaaS and SaaS services, including M365 as well as Azure services. The ability to leverage connectors into these environments allows for large-scale data injection."
"Free ingestion for Azure logs (with E5 licence)"
"Azure Application Gateway makes things a lot easier. You can create dashboards, alert rules, hunting and custom queries, and functions with it."
"The pricing of the product is excellent."
"The most valuable feature is the alert notifications, which are categorized by severity levels: informational, low, medium, and high."
"The most valuable feature is the UEBA. It's very easy for a security operations analyst. It has a one-touch analysis where you can search for a particular entity, and you can get a complete overview of that entity or user."
"It has a lot of great features."
"We are using Microsoft 365 and we're using the Exchange Mail Service. It's good for monitoring that in particular."
"From the class that I took this week, being able to create notable events from whatever you find in the data set is pretty useful."
"The most valuable features include agility and Splunk Enterprise Security's ability to quickly search for alerted items, as well as the capacity to create custom alerts using the SQL language employed by Splunk."
"Low barrier to start searching with the ability to normalize data on the fly."
"Splunk setup is easy and straightforward."
"Splunk has a wide range of features that customers use to find and analyze all kinds of logs."
"Splunk has machine learning which is a valuable feature."
"It's the completeness of the solution that we like the most."
"Microsoft Sentinel is relatively expensive, and its cost should be improved."
"Improvement-wise, I would like to see more integration with third-party solutions or old-school antivirus products that have some kind of logging capability. I wouldn't mind having that exposed within Sentinel. We do have situations where certain companies have bought licensing or have made an investment in a product, and that product will be there for the next two or three years. To be able to view information from those legacy products would be great. We can then better leverage the Sentinel solution and its capabilities."
"The on-prem log sources still require a lot of development."
"They should integrate it with many other software-as-a-service providers and make connectors available so that you don't have to do any sort of log normalization."
"Everyone has their favorites. There is always room for improvement, and everybody will say, 'I wish you could do this for me or that for me.' It is a personal thing based on how you use the tool. I do not necessarily have those thoughts, and they are probably not really valuable because they are unique to the context of the user, but broadly, where it can continue to improve is by adding more connectors to more systems."
"Sentinel provides decent visibility, but it's sometimes a little cumbersome to get to the information I want because there is so much information. I would also like to see more seamless integration between Sentinel and third-party security products."
"If Azure Sentinel had the ability to ingest Azure services from different tenants into another tenant that was hosting Azure Sentinel, and not lose any metadata, that would be a huge benefit to a lot of companies."
"Microsoft Defender has a built-in threat expert option that enables you to contact an expert. That feature isn't available in Sentinel because it's a huge product that integrates all the technologies. I would like Microsoft to add the threat expert option so we can contact them. There are a few other features, like threat assessment that the PG team is working on. I expect them to release this feature in the next quarter."
"The integration could be a bit better. They charge for certain integrations."
"We'd like to have the number of devices covered under the license to be increased."
"Some of the terminology can be confusing, even for seasoned vets. Renaming components at this point would be a serious undertaking. However, it might be beneficial in the long run."
"The administration of the cluster and app deployment to indexers or search heads can be done only using SSH access and the command line; there are no GUI tools for that."
"The glass table feature does not perform as expected."
"The upgrading process could be smoother."
"The case management area of the ES could be improved: the ability to move cases through various stages and states, and the ability to close a case, would be key improvements."
"On the technical side, it would be nice to see aspects of the recent acquisition of Phantom make it into the core Splunk Enterprise, not just become a part of the premium Enterprise Security."
Microsoft Sentinel is ranked 1st in Security Information and Event Management (SIEM) with 85 reviews while Splunk Enterprise Security is ranked 2nd in Security Information and Event Management (SIEM) with 227 reviews. Microsoft Sentinel is rated 8.2, while Splunk Enterprise Security is rated 8.4. The top reviewer of Microsoft Sentinel writes "Gives a comprehensive and holistic view of the ecosystem and improves visibility and the ability to respond". On the other hand, the top reviewer of Splunk Enterprise Security writes "It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query". Microsoft Sentinel is most compared with AWS Security Hub, IBM Security QRadar, Microsoft Defender for Cloud, Elastic Security and Wazuh, whereas Splunk Enterprise Security is most compared with Wazuh, Dynatrace, IBM Security QRadar, Elastic Security and Azure Monitor. See our Microsoft Sentinel vs. Splunk Enterprise Security report.
We monitor all Security Information and Event Management (SIEM) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.