We compared Splunk Enterprise Security and Microsoft Sentinel based on our users' reviews using several parameters.
Splunk Enterprise Security is praised for its threat intelligence, analytics, and user-friendly interface. Users mention improvements needed in user-friendliness, search query language, and performance. Pricing is considered high but justified by the value. Microsoft Sentinel is affordable and has a simpler setup process. Users appreciate the advanced threat visibility, integration with other Microsoft products, and machine learning capabilities. Improvement suggestions include a more intuitive interface, better customization options, and enhanced integration with third-party tools. Users find both products valuable with positive impacts on their organization.
Features: Splunk Enterprise Security stands out for its customizable analytics and real-time monitoring, while Microsoft Sentinel excels in advanced threat visibility and machine learning integration. Splunk focuses on scalability and customization, whereas Sentinel emphasizes centralizing alerts and actionable insights.
Pricing and ROI: Splunk Enterprise Security tends to have higher pricing and high setup costs initially, but users find the value and benefits worth the investment. Microsoft Sentinel is noted for its reasonable pricing, minimal setup costs, and flexible licensing options. Splunk Enterprise Security offers improved operational efficiency, threat detection, and incident response, while Microsoft Sentinel provides enhanced security, reduced incident response time, and seamless integration.
Room for Improvement: Splunk Enterprise Security users seek a more user-friendly interface and simplified search query language. They desire enhanced alerting and reporting features to improve performance. Microsoft Sentinel users want a more intuitive platform, better customization options, enhanced integration capabilities, and improved reporting and documentation.
Deployment and customer support: While Splunk Enterprise Security had varying implementation durations, users found Microsoft Sentinel quicker to deploy. However, some noted that Sentinel's setup was more complex compared to Splunk's faster implementation and simpler setup process. Splunk Enterprise Security stands out for its prompt response times and knowledgeable staff, enhancing the overall user experience. Microsoft Sentinel impresses with quick issue resolution and effective, helpful support, leading to positive user experiences.
The summary above is based on 201 interviews we conducted recently with Splunk Enterprise Security and Microsoft Sentinel users. To access the review's full transcripts, download our report.
"If you know how to do KQL (kusto query language) queries, which are how you query the log data inside Sentinel, the information is pretty rich. You can get down to a good level of detail regarding event information or notifications."
"The initial setup is very simple and straightforward."
"The scalability is great. You can put unlimited logs in, as long as you can pay for it. There are commitment tiers, up to six terabytes per day, which is nowhere close to what any one of our customers is running."
"Free ingestion for Azure logs (with E5 licence)"
"Sentinel also enables you to ingest data from your entire ecosystem and not just from the Microsoft ecosystem. It can receive data from third-party vendors' products such firewalls, network devices, and antivirus solutions. It's not only a Microsoft solution, it's for everything."
"Having your logs put all in one place with machine learning working on those logs is a good feature. I don't need to start thinking, "Where are my logs?" My logs are in a centralized repository, like Log Analytics, which is why you can't use Sentinel without Log Analytics. Having all those logs in one place is an advantage."
"The Log analytics are useful."
"The Identity Behavior tab furnishes us with the entire history linked to each IP or domain that has either accessed or attempted to access our system."
"This is a straightforward solution, easy to configure."
"It has a rapid response search environment in the event of an incident."
"The initial setup isn't overly complex."
"You can integrate Splunk with third-party security automation solutions and set rules for automatic response."
"I have not seen any outages in the product in the past two years that it has been running in our company, so I think it is good when it comes to the stability part."
"Splunk has machine learning which is a valuable feature."
"Splunk is extremely flexible, which allows us to create custom visualizations along with other customizations."
"It is very easy to use and integrate. There are connectors for every technology."
"They could use some kind of workbook. There is some limitation doing the editing and creating the workbook."
"The built-in SOAR is not really good out-of-the-box. The SOAR relies on logic apps and you almost need to have some kind of developer background to be able to make these logic apps. Most security people cannot develop anything..."
"The following would be a challenge for any product in the market, but we have some in-house apps in our environment... our apps were built with different parameters and the APIs for them are not present in Sentinel. We are working with Microsoft to build those custom APIs that we require. That is currently in progress."
"Sentinel could improve its ticketing and management. A few customers I have worked with liked to take the data created in Sentinel. You can make some basic efforts around that, but the customers wanted to push it to a third-party system so they could set up a proper ticketing management system, like ServiceNow, Jira, etc."
"If I can use Sentinel offline at home and use it on a local network, it would be great. I'm not sure if I can use Sentinel offline versus the tools I have."
"I think the number one area of improvement for Sentinel would be the cost."
"They should integrate it with many other software-as-a-service providers and make connectors available so that you don't have to do any sort of log normalization."
"It could have a better API to be able to automate many things more extensively and get more extensive data and more expensive deployment possibilities. It can gain some points on the automation part and the integration part. The API is very limited, and I would like to see it extended a bit more."
"While there aren't any major areas where the solution has to be improved, there are certain integrations that are still not available. I would specifically like to see legacy applications integrated."
"The prices are complicated as we operate in a small third-world country."
"Splunk Enterprise Security has not helped reduce our alert volume."
"It would be nice if Splunk reduced the cost of training. Their training sessions are way too costly."
"On the technical side, it would be nice to see aspects of the recent acquisition of Phantom make it into the core Splunk Enterprise, not just become a part of the premium Enterprise Security."
"The initial setup is complex, but this is necessary. We needed to take into consideration how to direct log files from thousands of machines to Splunk, and how to ingest those files."
"You do need a lot of training and certification with this product."
"Many of my clients want to get better at Splunk, but they're afraid of using the tool because they feel it's too complex for them."
Microsoft Sentinel is ranked 2nd in Security Information and Event Management (SIEM) with 85 reviews while Splunk Enterprise Security is ranked 1st in Security Information and Event Management (SIEM) with 240 reviews. Microsoft Sentinel is rated 8.2, while Splunk Enterprise Security is rated 8.4. The top reviewer of Microsoft Sentinel writes "Gives a comprehensive and holistic view of the ecosystem and improves visibility and the ability to respond". On the other hand, the top reviewer of Splunk Enterprise Security writes "It has a drag-and-drop interface, so you don't need to know SQL or Java to construct a query ". Microsoft Sentinel is most compared with AWS Security Hub, IBM Security QRadar, Microsoft Defender for Cloud, Elastic Security and Wazuh, whereas Splunk Enterprise Security is most compared with Wazuh, Dynatrace, IBM Security QRadar, Elastic Security and Datadog. See our Microsoft Sentinel vs. Splunk Enterprise Security report.
See our list of best Security Information and Event Management (SIEM) vendors.
We monitor all Security Information and Event Management (SIEM) reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.