No more typing reviews! Try our Samantha, our new voice AI agent.

Microsoft Sentinel vs NetWitness Platform comparison

 

Comparison Buyer's Guide

Executive SummaryUpdated on Jun 3, 2026

Review summaries and opinions

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Categories and Ranking

Microsoft Sentinel
Ranking in Security Information and Event Management (SIEM)
4th
Average Rating
8.2
Reviews Sentiment
6.9
Number of Reviews
108
Ranking in other categories
Security Orchestration Automation and Response (SOAR) (2nd), Microsoft Security Suite (6th), AI-Powered Cybersecurity Platforms (6th)
NetWitness Platform
Ranking in Security Information and Event Management (SIEM)
37th
Average Rating
7.4
Reviews Sentiment
7.4
Number of Reviews
36
Ranking in other categories
Log Management (37th)
 

Mindshare comparison

As of June 2026, in the Security Information and Event Management (SIEM) category, the mindshare of Microsoft Sentinel is 4.0%, down from 7.1% compared to the previous year. The mindshare of NetWitness Platform is 1.0%, up from 0.6% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Security Information and Event Management (SIEM) Mindshare Distribution
ProductMindshare (%)
Microsoft Sentinel4.0%
NetWitness Platform1.0%
Other95.0%
Security Information and Event Management (SIEM)
 

Featured Reviews

Kallamuddin Ansari - PeerSpot reviewer
Cyber Security Consultant at HR Software Solution
Centralized monitoring has improved threat response but cost control still needs refinement
Based on real operations used in our corporate IT environment, the key features include log correlation and incident view. Microsoft Sentinel's biggest strength is how it correlates multiple related alerts into a single incident. This significantly reduces alert noise and helps the SOC focus on real threats instead of isolated events. Another valuable feature is KQL-based threat hunting with Kusto Query Language. The flexibility of this language allows us to build custom hunting queries based on our environment's behavior. This is extremely useful for detecting low and slow threats or hidden threats that default rules may miss. Cloud-native scalability and stability is another important feature. Being cloud-native, Microsoft Sentinel scales well for medium to large corporate environments without infrastructure management. Stability has been solid in day-to-day production. SOAR automation using playbooks is a feature we highly recommend. Microsoft Sentinel's SOAR functionality helps automate repetitive SOC tasks like alert enrichment and notification. This saves analyst time and improves response consistency.
reviewer2256927 - PeerSpot reviewer
Head of Information Security, Cyber Defense and IT Risk Management at HCT. at a transportation company with 201-500 employees
A solid SIEM solution that should improve technical support and online resources to be easier to use
A big problem with the product is that we don't have much professional experience in Israel installing, implementing, and integrating this product. There is not enough of a knowledge base. There is no support for this product in this country, so problems have to be resolved through global technical teams. We like to work locally because of the language, and when the product is only supported outside the country, it's a little difficult to implement and use this product. Moreover, AI is something that must be added immediately. Artificial intelligence is a part of the competitors' products, and it's not been implemented for us.

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"The dashboard that allows me to view all the incidents is the most valuable feature."
"The in-built SOAR of Sentinel is valuable. Kusto Query Language is also valuable for the ease of writing queries and ease of getting insights from the logs. Schedule-based queries within Sentinel are also valuable. I found these three features most useful for my projects."
"Sentinel also enables you to ingest data from your entire ecosystem and not just from the Microsoft ecosystem. It can receive data from third-party vendors' products such firewalls, network devices, and antivirus solutions. It's not only a Microsoft solution, it's for everything."
"Microsoft Sentinel has greatly increased our security."
"The SOAR playbooks are Sentinel's most valuable feature. It gives you a unified toolset for detecting, investigating, and responding to incidents. That's what clearly differentiates Sentinels from its competitors. It's cloud-native, offering end-to-end coverage with more than 120 connectors. All types of data logs can be poured into the system so analysis can happen. That end-to-end visibility gives it the advantage."
"It is quite efficient. It helps our clients in identifying their security issues and respond quickly. Our clients want to automate incident response and all those things."
"I recommend implementing Sentinel because it's certainly the most powerful SIEM tool."
"The analytic rule is the most valuable feature."
"Stability has not been an issue with this product."
"Overall, this is a good solution with suitable features and it very well fits our needs."
"The most valuable features are the packet decoder, log decoder, and concentrator."
"The detection of ransomware in the internal network has benefited my organization."
"The newer 11.5 version that my team is using has found it to have good mapping."
"It gives the capability for the incident response team to correlate logs to identify any kind of problem like malware and incidents in a general sense, both for logs and packets."
"It's fully scalable. There is no limit. Of course, the license limits per day the number of terabytes. In my opinion, it's very flexible."
"The most valuable features are its ingestion of logs and raising of alerts based on those logs."
 

Cons

"Microsoft Sentinel could be improved by making the UI more intuitive, simplifying KQL queries for easier use, improving cost visibility and optimization controls, and enhancing performance and query speed when handling large volumes of data."
"They need to work with other security vendors. For example, we replaced our email gateway with Symantec, but we couldn't collect these logs with Azure Sentinel. Instead of collecting these logs with Azure Sentinel, we are collecting them on Qradar. We couldn't do it with Sentinel, which is a problem for us."
"If you're looking to use canned queries, the interface could be a little more straightforward. It's not immediately intuitive regarding how you use it. You have to take a canned query and paste it into an operational box and then you hit a button... They could improve the ease of deploying these queries."
"If we want to use more features, we have to pay more. There are multiple solutions on the cloud itself, but the pricing model package isn't consistent, which is confusing to clients."
"From an analyst perspective, Sentinel has to evolve more."
"My primary improvement request would be for auxiliary logs, as they represent our biggest need."
"There are certain delays. For example, if an alert has been rated on Microsoft Defender for Endpoint, it might take up to an hour for that alert to reach Sentinel. This should ideally take no more than one or two seconds."
"In terms of improvements, pricing, licensing, and overall cost could be better."
"The initial setup is complex. It requires some knowledge in order to set it up."
"There is no support for this product in this country, so problems have to be resolved through global technical teams."
"The initial setup is complex. There are other solutions that are easier to implement."
"The tool's integration capability isn't so great."
"RSA NetWitness Logs and Packets can improve the threat level aspect, it is lacking compared to other solutions."
"I believe they could improve their support, there are often delays."
"I cannot say that the solution was stable because it tended to crash."
"The product continues to crash. Even with tech support help, it does not resolve itself."
 

Pricing and Cost Advice

"It is a consumption-based license model. bands at 100, 200, 400 GB per day etc. Azure Sentinel Pricing | Microsoft Azure"
"I have worked with a lot of SIEMs. We are using Sentinel three to four times more than other SIEMs that we have used. Azure Sentinel's only limitation is its price point. Sentinel costs a lot if your ingestion goes up to a certain point."
"The solution is expensive and there is a daily usage fee."
"From a cost perspective, there are some additional charges in addition to the licensing."
"Sentinel is costly compared to other solutions, but it's fair. SIEM solutions like CrowdStrike charge based on daily log volume. They generally process a set number of logs for free before they start charging. Microsoft's pricing is clearer. It's free under five gigabytes. Some of these logs we ingest have a cost, so they don't hide it. I believe the tenant pays the price, and Microsoft helps create awareness of the cost."
"Good monthly operational cost model for the detection and response outcomes delivered, M365 logs don't count toward the limits which is a good benefit."
"It is consumption-based pricing. It is an affordable solution."
"Sentinel is expensive relative to other products of the class, so it often isn't affordable for small-scale businesses. However, considering the solution has more extensive capabilities than others, the price is not so high. Pricing is based on GBs of ingested daily data, either by a pay-as-you-go or subscription model."
"We have a perpetual license, so the total cost of ownership is not very expensive. It's a good investment."
"Many clients are not able to purchase the packet capability because there is a huge amount of data, and the cost depends on the number of EPS (Events per second), as well as the number of gigabytes of data per day."
"Compared to the competition, the is price is not that high."
"We have yearly licensing costs. The license fee can be based on the volume of EPS. Some organizations may have, as a gentlemanly gesture, 10,000 EPS and get a 3,000 EPS license but actually use 5,000 EPS."
"The product is expensive."
"RSA NetWitness Logs and Packets do not have a subscription model, it's a one-time purchase. There is only a perpetual license."
"There is a licensing fee and the customer can choose whether he wishes this to be subscription-based or perpetual."
"It is cheap."
report
Use our free recommendation engine to learn which Security Information and Event Management (SIEM) solutions are best for your needs.
900,838 professionals have used our research since 2012.
 

Comparison Review

VS
Manager, Enterprise Risk Consulting at a tech company with 1,001-5,000 employees
Feb 26, 2015
HP ArcSight vs. IBM QRadar vs. ​McAfee Nitro vs. Splunk vs. RSA Security vs. LogRhythm
We at Infosecnirvana.com have done several posts on SIEM. After the Dummies Guide on SIEM, we are following it up with a SIEM Product Comparison – 101 deck. So, here it is for your viewing pleasure. Let me know what you think by posting your comments below. The key products compared here are…
 

Top Industries

By visitors reading reviews
Manufacturing Company
11%
Financial Services Firm
11%
Computer Software Company
10%
Government
7%
Financial Services Firm
12%
Construction Company
11%
Comms Service Provider
9%
Outsourcing Company
8%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
By reviewers
Company SizeCount
Small Business44
Midsize Enterprise24
Large Enterprise46
By reviewers
Company SizeCount
Small Business8
Midsize Enterprise7
Large Enterprise20
 

Questions from the Community

Is there a common threat intelligence tool that aggregates multiple threat intelligence sources?
Yes, Azure Sentinel is a SIEM on the Cloud. Multiple data sources can be uploaded and analyzed with Azure Sentinel and its Threat Hunting functionality with AI available as templates or customized ...
What is a better choice, Splunk or Azure Sentinel?
It would really depend on (1) which logs you need to ingest and (2) what are your use cases Splunk is easy for ingestion of anything, but the charge per GB/Day Indexed and it gets expensive as log ...
Which is better - Azure Sentinel or AWS Security Hub?
We like that Azure Sentinel does not require as much maintenance as legacy SIEMs that are on-premises. Azure Sentinel is auto-scaling - you will not have to worry about performance impact, you will...
What is your experience regarding pricing and costs for NetWitness Platform?
The pricing is comparable to others, and I consider the cost to be intermediate. Specific cost details are unknown to me.
What needs improvement with NetWitness Platform?
There is currently no need for improvement in the SIEM ( /categories/security-information-and-event-management-siem ), though there could be potential enhancements by integrating with AI.
What is your primary use case for NetWitness Platform?
I use NetWitness Platform ( /products/netwitness-platform-reviews ) in the financial industry as a good product with excellent capabilities and integration with various devices.
 

Also Known As

Azure Sentinel
RSA Security Analytics
 

Overview

 

Sample Customers

Microsoft Sentinel is trusted by companies of all sizes including ABM, ASOS, Uniper, First West Credit Union, Avanade, and more.
Los Angeles World Airports, Reply
Find out what your peers are saying about Microsoft Sentinel vs. NetWitness Platform and other solutions. Updated: June 2026.
900,838 professionals have used our research since 2012.