We compared Splunk Enterprise Security and Microsoft Sentinel based on our users' reviews using several parameters.
Splunk Enterprise Security is praised for its threat intelligence, analytics, and user-friendly interface. Users mention improvements needed in user-friendliness, search query language, and performance. Pricing is considered high but justified by the value. Microsoft Sentinel is affordable and has a simpler setup process. Users appreciate the advanced threat visibility, integration with other Microsoft products, and machine learning capabilities. Improvement suggestions include a more intuitive interface, better customization options, and enhanced integration with third-party tools. Users find both products valuable with positive impacts on their organization.
Features: Splunk Enterprise Security stands out for its customizable analytics and real-time monitoring, while Microsoft Sentinel excels in advanced threat visibility and machine learning integration. Splunk focuses on scalability and customization, whereas Sentinel emphasizes centralizing alerts and actionable insights.
Pricing and ROI: Splunk Enterprise Security tends to have higher pricing and high setup costs initially, but users find the value and benefits worth the investment. Microsoft Sentinel is noted for its reasonable pricing, minimal setup costs, and flexible licensing options. Splunk Enterprise Security offers improved operational efficiency, threat detection, and incident response, while Microsoft Sentinel provides enhanced security, reduced incident response time, and seamless integration.
Room for Improvement: Splunk Enterprise Security users seek a more user-friendly interface and simplified search query language. They desire enhanced alerting and reporting features to improve performance. Microsoft Sentinel users want a more intuitive platform, better customization options, enhanced integration capabilities, and improved reporting and documentation.
Deployment and customer support: While Splunk Enterprise Security had varying implementation durations, users found Microsoft Sentinel quicker to deploy. However, some noted that Sentinel's setup was more complex compared to Splunk's faster implementation and simpler setup process. Splunk Enterprise Security stands out for its prompt response times and knowledgeable staff, enhancing the overall user experience. Microsoft Sentinel impresses with quick issue resolution and effective, helpful support, leading to positive user experiences.
The summary above is based on 201 interviews we conducted recently with Splunk Enterprise Security and Microsoft Sentinel users. To access the review's full transcripts, download our report.
"We didn't have anything similar. So, it really provides value from the incidents and automation point of view. The overview of the security fabric is most valuable."
"The AI and ML of Azure Sentinel are valuable. We can use machine learning models at the tenant level and within Office 365 and Microsoft stack. We don't need to depend upon any other connectors. It automatically provisions the native Microsoft products."
"It is easy to implement (turn on) - does need a skilled analyst to develop queries and playbooks."
"The SOAR playbooks are Sentinel's most valuable feature. It gives you a unified toolset for detecting, investigating, and responding to incidents. That's what clearly differentiates Sentinels from its competitors. It's cloud-native, offering end-to-end coverage with more than 120 connectors. All types of data logs can be poured into the system so analysis can happen. That end-to-end visibility gives it the advantage."
"Sentinel has features that have helped improve our security poster. It helped us in going ahead and identifying the gaps via analysis and focusing on the key elements."
"Microsoft Sentinel enables you to ingest data from the entire ecosystem and that connection of data helps you to monitor critical resources and to know what's happening in the environment."
"The analytics has a lot of advantages because there are 300 default use cases for rules and we can modify them per our environment. We can create other rules as well. Analytics is a useful feature."
"The solution offers a lot of data on events. It helps us create specific detection strategies."
"It has a rapid response search environment in the event of an incident."
"The dashboard and reporting are very good... It provides very good visibility in a hybrid cloud environment, and you can build custom utilization APIs using Splunk."
"We can automatically suspend or terminate suspicious sessions."
"It's the completeness of the solution that we like the most."
"You can check up on security from the dashboards."
"The correlation capabilities are the first value that our clients say they like with Splunk."
"Splunk has facilitated the correlation of information security logs to look for incidents which could cause damage to the company's infrastructure, as well as financial losses from leaks."
"Integrity with many vendors: This simplifies the implementation and integration with different devices"
"They need to work with other security vendors. For example, we replaced our email gateway with Symantec, but we couldn't collect these logs with Azure Sentinel. Instead of collecting these logs with Azure Sentinel, we are collecting them on Qradar. We couldn't do it with Sentinel, which is a problem for us."
"The built-in SOAR is not really good out-of-the-box. The SOAR relies on logic apps and you almost need to have some kind of developer background to be able to make these logic apps. Most security people cannot develop anything..."
"The playbook is a bit difficult and could be improved."
"The playbook development environment is not as rich as it should be. There are multiple occasions when we face problems while creating the playbook."
"If their UI was a bit more streamlined and easy to find when I need it, then that would be a great improvement."
"Some of the data connectors are outdated, at least the ones that utilize Linux machines for log forwarding. I believe that Microsoft is already working on improving this."
"Sentinel provides decent visibility, but it's sometimes a little cumbersome to get to the information I want because there is so much information. I would also like to see more seamless integration between Sentinel and third-party security products."
"The performance could be improved. If I create 15 to 20 lines for a single-use case in KQL, sometimes it takes more time to execute. If I create use cases within a certain timeline, the result will show in .01 seconds. A complex query takes more time to get results."
"The integration with all our tool sets felt like we were reinventing the wheel, which was a pain point for us."
"Splunk Enterprise Security can provide more details and help CISOs resolve vulnerability situations better. The reason is that the tools we choose for data analysis and log collection cannot collect all the data and logs. Splunk Enterprise Security should help me with this, but it cannot."
"I would like the ability to view logs for specific instances and not have to pull the logs for the entire Cloud environment in Splunk."
"Splunk is query-based, which is not the case with most cybersecurity tools. It is based on search queries and can be difficult to use. It would be good if they can make it easier to understand how to create search queries. They can improve the knowledge base for better understanding. To create your dashboard, you need to have a search query. We have multiple firewalls in our company, and we need a dashboard for them. It would be helpful if a default firewall dashboard is included in Splunk to make monitoring easier. If a dashboard is available for a security device, the operation part will be more efficient. We won't have to follow a manual process for this."
"The presence of multiple layers creates a significant challenge for monitoring across cloud environments."
"It requires a significant amount of relatively complex architecture once you push past the single server instance."
"An area of improvement would be the licensing of the solution. They need a free license, which would allow faster lead times."
"Our two main complaints are about the difficulty of the initial setup and the licensing model."
Microsoft Sentinel is ranked 2nd in Security Information and Event Management (SIEM) with 86 reviews while Splunk Enterprise Security is ranked 1st in Security Information and Event Management (SIEM) with 246 reviews. Microsoft Sentinel is rated 8.2, while Splunk Enterprise Security is rated 8.4. The top reviewer of Microsoft Sentinel writes "Gives a comprehensive and holistic view of the ecosystem and improves visibility and the ability to respond". On the other hand, the top reviewer of Splunk Enterprise Security writes "It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query ". Microsoft Sentinel is most compared with AWS Security Hub, IBM Security QRadar, Microsoft Defender for Cloud, Elastic Security and Wazuh, whereas Splunk Enterprise Security is most compared with Wazuh, IBM Security QRadar, Dynatrace, Elastic Security and Datadog. See our Microsoft Sentinel vs. Splunk Enterprise Security report.
See our list of best Security Information and Event Management (SIEM) vendors.
We monitor all Security Information and Event Management (SIEM) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.