It would really depend on (1) which logs you need to ingest and (2) what your use cases are.
Splunk is easy for ingestion of anything, but they charge per GB/day indexed, and it gets expensive as log volume increases. Splunk is good for operations-style use cases (NOC), but requires ESS and isn't as easy to use or get data out of for SOC-style use cases.
Sentinel is good for endpoint Windows Defender Advanced Edition (extra cost, not the free version), analysis and malware findings, and when the data sources are all Windows events (O365/OneDrive/Email/ADFS), but costs go up substantially if the log sources aren't Microsoft events, and support for non-MSFT log sources is limited.
Neither offers real UEBA capabilities IMO.
Splunk has the add-on (entirely different architecture and systems), for the Caspida UEBA.
MSFT will tout UEBA on Sentinel, but it's endpoint related (not network) and I've yet to see use cases on non-MSFT application data events.
Splunk Enterprise Security and Microsoft Sentinel compete in the SIEM market. Microsoft Sentinel has a slight advantage due to its seamless Microsoft tool integration and lower-cost options. Features: Splunk offers robust log management, real-time alerting, and a powerful Search Processing Language (SPL) for in-depth analysis. Its ability to manage large datasets across diverse environments is noteworthy. Microsoft Sentinel features strong AI and user and entity behavior analytics (UEBA),...