Microsoft Sentinel and the High Cost of “Free”

LogRhythm vs. Microsoft Sentinel

For decades, security executives have faced a key strategic decision. Is it most effective to create an ensemble of the best security products? Or is it better to go all-in with a big vendor that can offer one-stop shopping? 

In our experience, most security teams prefer using the best available tool for each of their critical security needs. But when the economy wavers and budgets tighten, many security leaders face intense pressure to reduce costs through vendor consolidation. 

This road usually leads to one place: Microsoft.  

Microsoft offers a broad set of security capabilities, including many that are bundled into higher-end Microsoft 365 subscription plans. This creates a perception, particularly among executives with cost-cutting on their minds, that Microsoft’s offerings may be “free” alternatives to line items on the security budget. 

We see this regularly in the SIEM/SOAR space, with some organizations taking a fresh look at Microsoft Sentinel. Ultimately, most end up selecting or sticking with a specialized SIEM/SOAR solution like LogRhythm. 

Let’s dive into the reasons why. 

Microsoft Sentinel isn’t actually free 

Unlike many Microsoft security offerings, Microsoft Sentinel is not bundled into a specific Microsoft 365 plan, even at the highest subscription levels. Instead, like most other SIEM/SOAR products, it’s priced based on data consumption. 

Microsoft dangles two big carrots to get customers to bite at Sentinel before they make a conscious purchase decision. The first is that they allow certain types of Microsoft data, such as Azure activity logs, Office 365 audit logs, and Microsoft Defender alerts, to be ingested into Microsoft Sentinel for free at all Microsoft 365 plan levels. 

The second carrot is a “data grant” that is offered to those customers on a Microsoft 365 premium E5 plan (or its industry-specific siblings, A5, F5, and G5). Organizations that are on these plans (or willing to pay to upgrade) gain up to 5MB per user per day of data ingestion from other specific Microsoft sources, such as Azure Activity Directory sign-in and audit logs and additional Microsoft cloud security, information protection, and threat hunting data. 

This seems appealing on the surface, but even if your organization is heavily invested in Microsoft services, you will likely find that this data only represents a very small amount of your overall security monitoring needs. In other words, you may have a belly full of Microsoft carrots before you understand the true cost of the main course you didn’t realize you ordered. 

Customer-first versus Microsoft-first 

There isn’t anything inherently wrong with SIEM/SOAR pricing based on data consumption. The difference is in customer alignment and execution. At LogRhythm, we work with our customers to identify the data signals that best balance cost and security impact. The mix of products you use to secure your environment is entirely your choice. We don’t put our finger on the scale to try to influence you. Instead, we help you unlock the most value possible from the investments you’ve made — and any others you choose to make in the future. At every step, we will partner with you to forecast your spending and avoid any budgetary surprises. 

Contrast this with Microsoft’s playbook:

Step 1: Push you to purchase or upgrade to a Microsoft 365 E5 plan to gain access to their complete set of security offerings and a Sentinel data grant.

It’s worth noting that as of Microsoft’s fiscal year 2022 fourth quarter earnings call, only 12 percent of Microsoft’s commercial customers were on a Microsoft 365 E5 plan.1 In other words, accessing Microsoft’s full slate of security capabilities is not free for the overwhelming majority of customers. 

Step 2: Make E5 stick by convincing you to replace your security products with their “free” equivalents, regardless of whether they are more effective or easier to use.

Let’s say, for example, you’re already invested in Okta for identity and access management and CrowdStrike for endpoint protection. While LogRhythm’s aim will be to help you realize the most value possible from these investments, helping you achieve success with these products will be a last resort for Microsoft. They would much rather push you towards a disruptive switch to Azure Active Directory and Microsoft Defender, using lower Microsoft Sentinel costs as a lever to steer you there. It’s not about what is better for your security. It’s all about maximizing Microsoft 365 average revenue per user. 

Step 3: Borrow a page from the Splunk runaway data charge playbook.

Even if you decide to standardize using Microsoft’s security products as much as possible, you will still be unable to create an effective SIEM/SOAR function with Microsoft Sentinel without making a significant investment in other types of data ingestion. There are major security product categories, including firewalls, where non-Microsoft products will always be required. Most organizations also have critical application workloads in cloud and data center environments outside of the Microsoft Azure world that Sentinel favors.  

Once you arrive in this territory, you’re on your own without any mechanisms to place caps on your spending. If you’ve heard of or experienced examples of runaway data consumption costs using products like Splunk, this will be a familiar experience. 

And if it seems like I’m editorializing a bit here, read what Gartner has to say on this topic in the 2022 Gartner® Magic Quadrant for SIEM.™

Let’s not forget about operational costs 

While licensing is a major driver of SIEM/SOAR cost, operational costs also factor heavily into the total cost of ownership. And this is another area where a specialized solution like LogRhythm offers substantial advantages over Microsoft Sentinel. 

To illustrate this point, here are five critical questions to ask yourself when evaluating the operational impact of deploying Microsoft Sentinel. 

1. What types of non-Microsoft data will I need to ingest into Sentinel? 

One frequent complaint we hear from customers using Microsoft Sentinel is how difficult and time-consuming it is to parse logs. As you might expect, Microsoft does not prioritize non-Microsoft log connectors. This puts the burden on customers to build numerous custom parsers. This can only be done using Microsoft’s Kusto Query Language (KQL). The effort required to do this often leads customers to engage a service provider to do this for them at an additional cost. And while the impact is greatest for non-Microsoft sources, even some Microsoft data, including Azure Firewall logs, requires custom scripts and parsers. 

In contrast, LogRhythm’s sophisticated log collection architecture has out-of-the-box support for over 950 data sources spanning all major security product vendors and IT infrastructure technologies. 

2. How much effort am I willing to put into fine-tuning and false positive reduction? 

Microsoft markets its use of machine learning to improve accuracy and reduce false positives. But the customers we’ve spoken with report that noise is still a major issue and it requires significant manual effort to overcome. When customers have engaged Microsoft support about this, their guidance is often focused on creating manual “exception rules.” These are quite complex to create and come with a great deal of ongoing tuning and administration overhead. 

Contrast this with LogRhythm’s proven success with applying advanced models and machine learning to reduce false positives and spot anomalies that more simplistic analysis approaches miss. 

3. What interfaces will I use to gain insights from my security event data? 

Reporting and data queries are additional areas where customers have reported friction and manual effort with Microsoft Sentinel. The customers we’ve spoken with have found the built-in reports lacking and are often forced to again turn to Microsoft’s complex KQL scripting language to create custom queries. 

LogRhythm sets itself apart in this area by providing a highly visual, timeline-based security narrative that makes it easy to access meaningful insights during the security response process. Security and business analysts can also drill into the finer details quickly and easily to support their threat hunting or audit and compliance efforts. 

4. How important are user and entity behavior analytics and network detection and response to my security strategy? 

User and entity behavior analytics (UEBA) and network detection and response (NDR) are critical elements of a modern security operations function. The Microsoft Sentinel customers we’ve spoken with were disappointed with the maturity of Microsoft UEBA features, many of which are tellingly labeled as feature previews. They’ve also found that Microsoft’s inability to incorporate NDR signals into the Microsoft Sentinel leaves a critical monitoring gap. 

This is another area where LogRhythm sets itself apart with robust UEBA capabilities that help spot anomalies and insider threats and integrated NDR capabilities that analyze network, user, and application host data holistically alongside log-based signals. 

Read what the experts say about selecting the right tools for your SOC 

Hopefully, these questions and perspectives about the trade-offs and pitfalls of using Microsoft Sentinel instead of a specialized SIEM/SOAR platform help to inform your research process. As you continue your research, I invite you to download a free Gartner report that provides some other useful tips for selecting the right tools for your security operations center.  

You can also contact us at any time for more information about LogRhythm’s approach. 

1 Microsoft Fiscal Year 2022 Fourth Quarter Earnings Conference Call, Microsoft, Jul. 26, 2022
2 Magic Quadrant for Security Information and Event Management, Gartner, Oct. 10, 2022